loft-sh
diff --git a/‎chart/Chart.yaml‎
Lines changed: 1 addition & 1 deletion b/‎chart/Chart.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎chart/templates/_helpers.tpl‎
Lines changed: 94 additions & 5 deletions b/‎chart/templates/_helpers.tpl‎
Lines changed: 94 additions & 5 deletions
diff --git a/‎chart/templates/apiservice.yaml‎
Lines changed: 4 additions & 0 deletions b/‎chart/templates/apiservice.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎chart/templates/application.yaml‎
Lines changed: 51 additions & 0 deletions b/‎chart/templates/application.yaml‎
Lines changed: 51 additions & 0 deletions
@@ -32,4 +32,4 @@ maintainers:
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 
-version: 
+version: v4.8.0-rc.5
@@ -27,20 +27,83 @@ Default image name for a given product
 {{- printf "ghcr.io/loft-sh/loft:%s" .Chart.Version -}}
 {{- end -}}
 
+{{/*
+Populate image ref for a given product
+*/}}
+{{- define "loft.imageRef" -}}
+{{- $registry := default "ghcr.io" .Values.imageRef.registry -}}
+{{- $repository := coalesce .Values.imageRef.repository .repo "loft-sh/vcluster-platform" -}}
+{{- $tag := default .Chart.Version .Values.imageRef.tag -}}
+{{- printf "%s/%s:%s" $registry $repository $tag -}}
+{{- end -}}
+
 {{- define "loft.image" -}}
   {{- if .Values.product -}}
     {{- if eq .Values.product "vcluster-pro" -}}
-      {{- printf "ghcr.io/loft-sh/vcluster-platform:%s" .Chart.Version -}}
-    {{- else if eq .Values.product "devpod-pro" -}}
-      {{- printf "ghcr.io/loft-sh/devpod-pro:%s" .Chart.Version -}}
+	  {{- if .Values.imageRef -}}
+	    {{ include "loft.imageRef" $ }}
+	  {{- else -}}
+		{{- printf "ghcr.io/loft-sh/vcluster-platform:%s" .Chart.Version -}}
+	  {{- end -}}
     {{- else -}}
-      {{ include "loft.defaultImage" . }}
+	  {{- if .Values.imageRef -}}
+	    {{ include "loft.imageRef" (merge (dict "repo" "loft-sh/loft") $) }}
+	  {{- else -}}
+        {{ coalesce .Values.image (include "loft.defaultImage" .) }}
+	  {{- end -}}
     {{- end -}}
   {{- else -}}
-    {{ include "loft.defaultImage" . }}
+	{{- if .Values.imageRef -}}
+	  {{ include "loft.imageRef" (merge (dict "repo" "loft-sh/loft") $) }}
+	{{- else -}}
+      {{ coalesce .Values.image (include "loft.defaultImage" .) }}
+	{{- end -}}
   {{- end -}}
 {{- end -}}
 
+
+{{/*
+Populate audit image ref
+*/}}
+{{- define "loft.auditImageRef" -}}
+{{- $registry := default "docker.io" .Values.audit.imageRef.registry -}}
+{{- $repository := default "library/alpine" .Values.audit.imageRef.repository -}}
+{{- $tag := default "3.13.1" .Values.audit.imageRef.tag -}}
+{{- printf "%s/%s:%s" $registry $repository $tag -}}
+{{- end -}}
+
+{{- define "loft.auditImage" -}}
+  {{- if .Values.audit.imageRef -}}
+    {{ include "loft.auditImageRef" . }}
+  {{- else -}}
+    {{ default "library/alpine:3.13.1" .Values.audit.image }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+True when multiRegion is set and enabled (safe when .Values.multiRegion is nil).
+Output is truthy when enabled, empty otherwise; use in {{ if include "loft.multiRegionEnabled" . }}.
+*/}}
+{{- define "loft.multiRegionEnabled" -}}
+{{- if and .Values.multiRegion .Values.multiRegion.enabled }}{{ true }}{{ end -}}
+{{- end -}}
+
+{{/*
+True when config.database is set and enabled (safe when .Values.config or .Values.config.database is nil).
+Output is truthy when enabled, empty otherwise; use in {{ if include "loft.configDatabaseEnabled" . }}.
+*/}}
+{{- define "loft.configDatabaseEnabled" -}}
+{{- if and .Values.config .Values.config.database .Values.config.database.enabled }}{{ true }}{{ end -}}
+{{- end -}}
+
+{{/*
+True when env.LOFT_EMBEDDED_K8S is set to "true" (safe when .Values.env is nil).
+Output is truthy when enabled, empty otherwise; use in {{ if include "loft.envEmbeddedK8sEnabled" . }}.
+*/}}
+{{- define "loft.envEmbeddedK8sEnabled" -}}
+{{- if eq (.Values.env.LOFT_EMBEDDED_K8S | toString) "true" }}{{ true }}{{ end -}}
+{{- end -}}
+
 {{- define "loft.strategyType" -}}
   {{- if and .Values.strategy .Values.strategy.type -}}
     {{- .Values.strategy.type -}}
@@ -66,3 +129,29 @@ rollingUpdate:
   {{- end }}
 {{- end -}}
 {{- end -}}
+
+{{- define "loft.leastPrivilegeModeValues" -}}
+{{- $defaultValues := dict
+		"enabled" false
+		"clusterAccess" (dict "enabled" true)
+		"projectQuotas" (dict "enabled" true)
+		"secrets" (dict "enabled" true)
+		"sleepMode" (dict "enabled" true)
+		"role" (dict "enabled" true "extraRules" (list) "overwriteRules" (list))
+		"clusterRole" (dict "enabled" true "extraRules" (list) "overwriteRules" (list))
+		"namespaceAdminRole" (dict "enabled" true "extraRules" (list) "overwriteRules" (list)) -}}
+{{- if .Values.leastPrivilegeMode -}}
+{{ mergeOverwrite $defaultValues .Values.leastPrivilegeMode | toJson }}
+{{- else -}}
+{{ $defaultValues | toJson }}
+{{- end -}}
+{{- end -}}
+
+{{- define "loft.isLeastPrivilegeModeEnabled" -}}
+{{- if .Values.leastPrivilegeMode -}}
+{{- if eq true .Values.leastPrivilegeMode.enabled -}}
+{{ true }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
@@ -1,6 +1,9 @@
+{{- $isEmbedded := or (include "loft.envEmbeddedK8sEnabled" .) (include "loft.configDatabaseEnabled" .) -}}
+
 {{- if .Values.apiservice }}
 {{- if .Values.apiservice.create }}
 {{- if not .Values.agentOnly }}
+{{- if not $isEmbedded }}
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
@@ -33,6 +36,7 @@ spec:
   selector:
     app: {{ template "loft.fullname" . }}
     release: {{ .Release.Name }}
+{{- end }}
 ---
 {{- end }}
 apiVersion: v1
 
@@ -0,0 +1,51 @@
+{{- if (dig "gcpMarketplace" "enabled" false (.Values|merge (dict) )) }}
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+  name: "{{ .Release.Name }}"
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    app.kubernetes.io/name: "{{ .Release.Name }}"
+  annotations:
+    marketplace.cloud.google.com/deploy-info: '{"partner_id": "bji0uLnnv1", "product_id": "vcluster", "partner_name": "vCluster Labs"}'
+spec:
+  descriptor:
+    type: vClusterPlatform
+    version: {{ .Chart.Version }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: "{{ .Release.Name }}"
+  addOwnerRef: true
+  componentKinds:
+    # Core
+    - group: ""
+      kind: Service
+    - group: ""
+      kind: ServiceAccount
+    - group: ""
+      kind: ConfigMap
+    - group: ""
+      kind: Secret
+    - group: policy
+      kind: PodDisruptionBudget
+    # Workloads
+    - group: apps
+      kind: Deployment
+    # Networking
+    - group: networking.k8s.io
+      kind: Ingress
+    # RBAC
+    - group: rbac.authorization.k8s.io
+      kind: Role
+    - group: rbac.authorization.k8s.io
+      kind: RoleBinding
+    - group: rbac.authorization.k8s.io
+      kind: ClusterRole
+    - group: rbac.authorization.k8s.io
+      kind: ClusterRoleBinding
+    # Admission webhooks used by the chart
+    - group: admissionregistration.k8s.io
+      kind: MutatingWebhookConfiguration
+    - group: admissionregistration.k8s.io
+      kind: ValidatingWebhookConfiguration
+{{- end }}