{"id":46258301,"url":"https://github.com/giantswarm/cluster","last_synced_at":"2026-05-20T10:01:24.491Z","repository":{"id":176619632,"uuid":"659177598","full_name":"giantswarm/cluster","owner":"giantswarm","description":"Giant Swarm cluster chart with provider-independent cluster resources","archived":false,"fork":false,"pushed_at":"2026-05-13T15:54:53.000Z","size":1646,"stargazers_count":0,"open_issues_count":4,"forks_count":0,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-05-13T17:34:41.017Z","etag":null,"topics":["cluster","cluster-api","giantswarm","kubernetes"],"latest_commit_sha":null,"homepage":"","language":"Go Template","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/giantswarm.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":"DCO","cla":null}},"created_at":"2023-06-27T09:37:27.000Z","updated_at":"2026-05-11T07:47:25.000Z","dependencies_parsed_at":"2023-12-26T14:23:56.661Z","dependency_job_id":"63313dfc-69e8-4e82-aad7-a01b3aa8f93f","html_url":"https://github.com/giantswarm/cluster","commit_stats":null,"previous_names":["giantswarm/cluster"],"tags_count":114,"template":false,"template_full_name":null,"purl":"pkg:github/giantswarm/cluster","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giantswarm%2Fcluster","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giantswarm%2Fcluster/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giantswarm%2Fcluster/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giantswarm%2Fcluster/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/giantswarm","download_url":"https://codeload.github.com/giantswarm/cluster/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giantswarm%2Fcluster/sbom","scorecard":{"id":651289,"data":{"date":"2025-08-21T11:45:16Z","repo":{"name":"github.com/giantswarm/cluster","commit":"25dc78fd6d3bee23fafe1741ffc84b8965161dff"},"scorecard":{"version":"v5.2.1","commit":"ab2f6e92482462fe66246d9e32f642855a691dc1"},"score":8.2,"checks":[{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: RenovateBot: renovate.json5:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/cluster-provider-test-pull-request.yaml:1","Warn: no topLevel permission defined: .github/workflows/test-manifests.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.add-team-labels.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.add-to-project-board.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.check_values_schema.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.create_release.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.create_release_pr.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.diff_helm_render_templates.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.documentation_validation.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.gitleaks.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.json_schema_validation.yaml:1","Warn: no topLevel permission defined: .github/workflows/zz_generated.run_ossf_scorecard.yaml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/zz_generated.validate_changelog.yaml:16","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":9,"reason":"dependency not pinned by hash detected -- score normalized to 9","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cluster-provider-test-pull-request.yaml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/giantswarm/cluster/cluster-provider-test-pull-request.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/cluster-provider-test-pull-request.yaml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/giantswarm/cluster/cluster-provider-test-pull-request.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-manifests.yaml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/giantswarm/cluster/test-manifests.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-manifests.yaml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/giantswarm/cluster/test-manifests.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-manifests.yaml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/giantswarm/cluster/test-manifests.yaml/main?enable=pin","Info:  18 out of  22 GitHub-owned GitHubAction dependencies pinned","Info:  15 out of  16 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast"}},{"name":"CI-Tests","score":10,"reason":"30 out of 30 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests"}},{"name":"Contributors","score":10,"reason":"project has 6 contributing companies or organizations","details":["Info: found contributions from: acmfi, cncf, giantswarm, k8spin, kubernetes, kubernetes-sigs"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors"}}]},"last_synced_at":"2025-08-21T13:34:17.440Z","repository_id":176619632,"created_at":"2025-08-21T13:34:17.441Z","updated_at":"2025-08-21T13:34:17.441Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33254765,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-20T04:48:54.280Z","status":"ssl_error","status_checked_at":"2026-05-20T04:48:10.851Z","response_time":356,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cluster","cluster-api","giantswarm","kubernetes"],"created_at":"2026-03-04T00:33:50.302Z","updated_at":"2026-05-20T10:01:24.483Z","avatar_url":"https://github.com/giantswarm.png","language":"Go Template","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Cluster chart\n\nCluster chart is a provider-independent Helm chart that renders Cluster API resources and HelmReleases of provider-independent apps.\n\nCluster chart contains these resources:\n- Cluster,\n- KubeadmControlPlane for the control plane,\n- MachinePool and KubeadmConfig for the node pools,\n- (deprecated) MachineDeployment and KubeadmConfigTemplate for bastions,\n- HelmRepository resources for the following catalogs:\n  - default-catalog,\n  - default-test-catalog,\n  - cluster-catalog,\n- HelmRelease resources for the following provider-independent apps:\n  - vertical-pod-autoscaler-crd,\n  - coredns,\n  - cilium, and\n  - network-policies.\n\n## Provider integration\n\nThis section describes how cluster chart can be used in a cluster-\\\u003cprovider\\\u003e app.\n\n### Few notes before we dig into it\n\nThe top level cluster chart Helm value that is used for configuring provider integration is `.Values.providerIntegration`.\nWhen the cluster-\\\u003cprovider\\\u003e app is setting this value, it is setting `.Values.cluster.providerIntegration` value in its\nHelm values, because all Helm values that cluster-\\\u003cprovider\\\u003e app (parent chart) is passing to cluster chart (subchart)\nare set under  `.Values.cluster` object (which is just a regular Helm feature). This document is describing how a cluster-\\\u003cprovider\\\u003e\napp can integrate the cluster chart, so it will be using cluster-\\\u003cprovider\\\u003e app’s `.Values.cluster.providerIntegration`\nHelm value in explanations and examples.\n\nOne important detail to mention is that `.Values.cluster.providerIntegration` is supposed to be an immutable Helm value,\nas it is an entry point that cluster-\\\u003cprovider\\\u003e apps use to adapt cluster chart functionality to a specific-provider.\n\nTherefore, when creating a cluster, values under `.Values.cluster.providerIntegration` should not be overridden in cluster-\\\u003cprovider\\\u003e\napp Helm values (this is currently not enforced in any technical way, but we will try to find a way to enforce it). Custom\ncluster-specific values can be set under `.Values.global` and `.Values.internal.advancedConfiguration` (docs TBA for these\nvalues).\n\n### Configuring if and how the resources are rendered\n\nWhile some resources rendered by cluster chart are fairly simple and not very much configurable, some are quite complex\nand have an abundance of configuration options, so integrating cluster chart into a cluster-\\\u003cprovider\\\u003e app can should\nbe done in stages, by starting to use cluster chart resources one by one  (more or less). The integration of cluster chart\nshould be done incrementally also because cluster chart is rendering CAPI resources slightly differently compared to the\nexisting cluster-\\\u003cprovider\\\u003e apps (simply because the existing cluster-\\\u003cprovider\\\u003e apps are doing it slightly differently,\nwhen compared to each other), so you will want to make sure that the resources rendered by the cluster chart are working\ncorrectly for your cluster-\\\u003cprovider\\\u003e app.\n\nHelm values which are controlling if the cluster chart will render some resource or not are all under `.Values.cluster.providerIntegration.resourcesApi`.\nSome resources, when enabled, will also require you to set some other `.Values.cluster.providerIntegration` values for them\nto be correctly rendered. The following sections will describe how to configure cluster chart resources with required and\noptional Helm values.\n\n\u003e Note: for the sake of bevity the following text will use the term “resource flag” for referring to a Helm value under\n\u003e `.Values.cluster.providerIntegration.resourcesApi` that controls if some resource is rendered or not.\n\n#### Cluster resource\n\nIntegrating Cluster resource is like warming up before the training, it should be easy (and it's not really telling you\nhow the whole training will look like 😜).\n\nYou can enable Cluster resource rendering by setting the `clusterResourceEnabled` resource flag.\n\nAdditionally, you also have to specify the group, version and kind of provider-specific cluster resource (e.g. AWSCluster,\nAzureCluster, etc.) by specifying `.Values.cluster.providerIntegration.resourcesApi.infrastructureCluster` value.\n\nWhen we put all of this in YAML, we get this:\n\n```yaml\n# cluster-\u003cprovider\u003e values.yaml\ncluster:\n  providerIntegration:\n    resourcesApi:\n      clusterResourceEnabled: true\n      infrastructureCluster:\n        group: infrastructure.cluster.x-k8s.io\n        kind: AWSCluster\n        version: v1beta1\n```\n\n#### Control plane resources\n\nThere are control plane resources for different providers (KubeadmControlPlane for kubeadm, KamajiControlPlane for Kamaji) and MachineHealthCheck.\nThe control plane provider is configured via `controlPlaneResource.provider` (either `kubeadm` or `kamaji`, with `kubeadm` as the default),\nand `machineHealthCheckResourceEnabled` controls the MachineHealthCheck resource.\n\nBesides the above two resource flags, there are few other values that have to be specified:\n- Group, version and kind of the provider-specific machine template resources (e.g. AWSMachineTemplate, AzureMachineTemplate,\n  etc.) which is done by setting `.Values.cluster.providerIntegration.controlPlane.resources.infrastructureMachineTemplate`,\n- Name of the Helm template that renders the spec of the provider-specific machine template, which is done by setting\n  `.Values.cluster.providerIntegration.controlPlane.resources.infrastructureMachineTemplateSpecTemplateName`. E.g. in case\n  of AWS, this template renders `AWSMachineTemplate.spec.template.spec` value.\n\nHere is the YAML:\n\n```yaml\n# cluster-\u003cprovider\u003e values.yaml\ncluster:\n  providerIntegration:\n    controlPlane:\n      resources:\n        infrastructureMachineTemplate:\n          group: infrastructure.cluster.x-k8s.io\n          kind: AWSMachineTemplate\n          version: v1beta1\n        infrastructureMachineTemplateSpecTemplateName: controlplane-awsmachinetemplate-spec\n    resourcesApi:\n      controlPlaneResource:\n        enabled: true\n        provider: kubeadm  # or kamaji\n      machineHealthCheckResourceEnabled: true\n```\n\nThere are more than few optional Helm values that you can set (optional from the point of view of cluster chart, but those\ncan be required for some cluster-\\\u003cprovider\\\u003e app in order to correctly configure KubeadmControlPlane from the cluster\nchart and successfully deploy a workload cluster).\n\nYou can customize some of the API server extra args that are set in `KubeadmControlPlane.spec.kubeadmConfigSpec.clusterConfiguration.apiServer`\nby setting some of the following Helm values:\n\n```yaml\n# cluster-\u003cprovider\u003e values.yaml\ncluster:\n  providerIntegration:\n    controlPlane:\n      kubeadmConfig:\n        clusterConfiguration:\n          apiServer:\n            additionalAdmissionPlugins:\n            - AlwaysPullImages\n            apiAudiences:\n              templateName: awsApiServerApiAudiences # name of the Helm template that renders api-audiences value\n            featureGates:\n            - name: StatefulSetAutoDeletePVC\n              enabled: true\n            serviceAccountIssuer:\n              clusterDomainPrefix: irsa # which sets service-account-issuer to irsa.\u003ccluster name\u003e.\u003cbase domain\u003e\n```\n\nYou can specify provider-specific Ignition configuration (systemd units and storage). Here is an example from cluster-aws\nwhich specifies filesystems and mount units for etcd, kubelet and containerd disks:\n\n```yaml\n# cluster-\u003cprovider\u003e values.yaml\ncluster:\n  providerIntegration:\n    controlPlane:\n      kubeadmConfig:\n        ignition:\n          containerLinuxConfig:\n            additionalConfig:\n              storage:\n                filesystems:\n                  - mount:\n                      device: /dev/xvdc\n                      format: xfs\n                      label: etcd\n                      wipeFilesystem: true\n                    name: etcd\n                  - mount:\n                      device: /dev/xvdd\n                      format: xfs\n                      label: containerd\n                      wipeFilesystem: true\n                    name: containerd\n                  - mount:\n                      device: /dev/xvde\n                      format: xfs\n                      label: kubelet\n                      wipeFilesystem: true\n                    name: kubelet\n              systemd:\n                units:\n                  - contents:\n                      install:\n                        wantedBy:\n                          - local-fs-pre.target\n                      mount:\n                        type: xfs\n                        what: /dev/disk/by-label/etcd\n                        where: /var/lib/etcd\n                      unit:\n                        defaultDependencies: false\n                        description: etcd volume\n                    enabled: true\n                    name: var-lib-etcd.mount\n                  - contents:\n                      install:\n                        wantedBy:\n                          - local-fs-pre.target\n                      mount:\n                        type: xfs\n                        what: /dev/disk/by-label/kubelet\n                        where: /var/lib/kubelet\n                      unit:\n                        defaultDependencies: false\n                        description: kubelet volume\n                    enabled: true\n                    name: var-lib-kubelet.mount\n                  - contents:\n                      install:\n                        wantedBy:\n                          - local-fs-pre.target\n                      mount:\n                        type: xfs\n                        what: /dev/disk/by-label/containerd\n                        where: /var/lib/containerd\n                      unit:\n                        defaultDependencies: false\n                        description: containerd volume\n                    enabled: true\n                    name: var-lib-containerd.mount\n```\n\n#### Node pool resources\n\nThere are two node pool resources, MachinePool and KubeadmConfig, and both are rendered unders a single resource flag which\nis `machinePoolResourcesEnabled` (which should have been called `nodePoolPoolResourcesEnabled` 🙈).\n\nBesides the above two resource flags, there are few other values that have to be specified:\n- Type of node pools that the cluster-\\\u003cprovider\\\u003e app is using, which is set under `.Values.cluster.providerIntegration.resourcesApi.nodePoolKind `.\n  Currently only `MachinePool` is supported, and `MachineDeployment` will be added later.\n- Group, version and kind of the provider-specific machine pool resource (e.g. AWSMachinePool, AzureMachinePool, etc.) which\n  is done by setting `.Values.cluster.providerIntegration.resourcesApi.infrastructureMachinePool`,\n- Default node pools Helm values, which is used if no node pools are specified when creating a cluster. This is set by specifying\n  `.Values.cluster.providerIntegration.workers.defaultNodePools`.\n\nHere is the YAML that shows all of the above Helm values:\n\n```yaml\n# cluster-\u003cprovider\u003e values.yaml\ncluster:\n  providerIntegration:\n    resourcesApi:\n      machinePoolResourcesEnabled: true\n      nodePoolKind: MachinePool\n      infrastructureMachinePool:\n        group: infrastructure.cluster.x-k8s.io\n        kind: AWSMachinePool\n        version: v1beta1\n    workers:\n      defaultNodePools:\n        def00:\n          customNodeLabels:\n            - label=default\n          instanceType: r6i.xlarge\n          maxSize: 3\n          minSize: 3\n```\n\n#### HelmRelease and HelmRepository resources\n\nResource flags used for HelmRelease and HelmRepository resources are:\n- `helmRepositoryResourcesEnabled` for default-catalog and default-test-catalog HelmRepositories.\n- `ciliumHelmReleaseResourceEnabled` for cilium HelmRelease,\n- `cleanupHelmReleaseResourcesEnabled` for cleanup HelmRelease,\n- `coreDnsHelmReleaseResourceEnabled` for coredns HelmRelease,\n- `verticalPodAutoscalerCrdHelmReleaseResourceEnabled` for vertical-pod-autoscaler-crd HelmRelease, and\n- `networkPoliciesHelmReleaseResourceEnabled` for network-policies HelmRelease and cluster-catalog HelmRepository.\n\nWritten in YAML we get the following:\n```yaml\n# cluster-\u003cprovider\u003e values.yaml\ncluster:\n  providerIntegration:\n    resourcesApi:\n      helmRepositoryResourcesEnabled: true\n      ciliumHelmReleaseResourceEnabled: true\n      cleanupHelmReleaseResourcesEnabled: true\n      coreDnsHelmReleaseResourceEnabled: true\n      verticalPodAutoscalerCrdHelmReleaseResourceEnabled: true\n      networkPoliciesHelmReleaseResourceEnabled: true\n```\n\nOptionally, you can also specify the name of the Helm template that renders default provider-specific cilium Helm values\n(these values will overwrite cilium’s provider-independent default Helm values that are in the cluster chart):\n\n```yaml\n# cluster-\u003cprovider\u003e values.yaml\ncluster:\n  providerIntegration:\n    apps:\n      cilium:\n        configTemplateName: awsCiliumHelmValues\n```\n\nAt the moment only provider-specific default Helm values can be specified only for cilium (it can be easily added for other\napps as well if and when that is needed).\n\n### Other kubeadm Helm values\n\nYou can configure multiple kubeadm-related Helm values:\n- files that get deployed to nodes,\n- ignition configuration (systemd units and storage config)\n- preKubeadmCommands, and\n- postKubeadmCommands.\n\nThese can be set for all nodes, or specifically for control plane or for workers.\n\nConfig for all nodes is set in `.Values.cluster.providerIntegration.kubeadmConfig`.\n\nConfig for control plane nodes only is set in `.Values.cluster.providerIntegration.controlPlane.kubeadmConfig`.\n\nConfig for worker nodes only is set in `.Values.cluster.providerIntegration.workers.kubeadmConfig`.\n\nHere is an example for specifying files:\n\n```yaml\n# cluster-\u003cprovider\u003e values.yaml\ncluster:\n  providerIntegration:\n    kubeadmConfig:\n      # files for both control plane and worker nodes\n      files:\n      - path: /etc/all/nodes/file.yaml\n        permissions: \"0644\"\n        contentFrom:\n          secret:\n            name: cluster-super-secret\n            key: node-stuff\n    controlPlane:\n      kubeadmConfig:\n        # files for control plane nodes\n        files:\n        - path: /etc/control-plane/node/file.yaml\n          permissions: \"0644\"\n          contentFrom:\n            secret:\n              name: cluster-super-secret-control-plane\n              key: node-stuff\n    workers:\n      kubeadmConfig:\n        # files for worker nodes\n        files:\n        - path: /etc/control-plane/node/file.yaml\n          permissions: \"0644\"\n          contentFrom:\n            secret:\n              name: cluster-super-secret-control-plane\n              key: node-stuff\n```\n\nHere is an example for ignition config:\n\n```yaml\n# cluster-\u003cprovider\u003e values.yaml\ncluster:\n  providerIntegration:\n    kubeadmConfig:\n      # ignition for both control plane and worker nodes\n      ignition:\n        containerLinuxConfig:\n          additionalConfig:\n            systemd:\n              units:\n              - name: var-lib-kubelet.mount\n                enabled: true\n                mask: false\n                contents:\n                  unit:\n                    description: kubelet volume\n                    defaultDependencies: false\n                  install:\n                    wantedBy:\n                    - local-fs-pre.target\n                  mount:\n                    what: /dev/disk/by-label/kubelet\n                    where: /var/lib/kubelet\n                    type: xfs\n            storage:\n              directories:\n              - path: /var/lib/stuff\n                overwrite: true\n                filesystem: stuff\n                mode: 750\n                user:\n                  id: 12345\n                  name: giantswarm\n                group:\n                  id: 23456\n                  name: giantswarm\n    controlPlane:\n      kubeadmConfig:\n        # ignition for control plane nodes\n        ignition:\n          containerLinuxConfig:\n            additionalConfig:\n              systemd:\n                units:\n                # same type of object as in the example above\n              storage:\n                # same type of object as in the example above\n    workers:\n      kubeadmConfig:\n        # ignition for worker nodes\n        ignition:\n          containerLinuxConfig:\n            additionalConfig:\n              systemd:\n                units:\n                # same type of object as in the example above\n              storage:\n                # same type of object as in the example above\n```\n\nHere is an example of preKubeadmCommands and postKubeadmCommands:\n\n```yaml\n# cluster-\u003cprovider\u003e values.yaml\ncluster:\n  providerIntegration:\n    kubeadmConfig:\n      # commands for both control plane and worker nodes\n      preKubeadmCommands:\n      - echo \"command before kubeadm\"\n      postKubeadmCommands:\n      - echo \"command after kubeadm\"\n    controlPlane:\n      kubeadmConfig:\n        # commands for control plane nodes\n        preKubeadmCommands:\n        - echo \"control plane command before kubeadm\"\n        postKubeadmCommands:\n        - echo \"control plane command after kubeadm\"\n    workers:\n      kubeadmConfig:\n        # commands for worker nodes\n        preKubeadmCommands:\n        - echo \"workers command before kubeadm\"\n        postKubeadmCommands:\n        - echo \"workers command after kubeadm\"\n```\n\n### Systemd unit templating\n\nYou can pass Helm templating syntax through from cluster-\\\u003cprovider\\\u003e charts which will be rendered by the cluster chart. This is\nwritten as plain text within the cluster-\\\u003cprovider\\\u003e chart values under the `additionalFields` key. Consider the following:\n\n```\nglobal:\n  connectivity:\n    network:\n      staticRoutes:\n        - destination: 10.2.3.0/24\n          via: 10.9.8.7\n        - destination: 10.20.30.0/24\n          via: 10.9.8.7\ncluster:\n  providerIntegration:\n    kubeadmConfig:\n      # ignition for both control plane and worker nodes\n      ignition:\n        containerLinuxConfig:\n          additionalConfig:\n            systemd:\n              units:\n                - contents:\n                    install:\n                      wantedBy:\n                        - multi-user.target\n                    service:\n                      additionalFields: |-\n                        {{- if $.global.connectivity.network.staticRoutes }}\n                        {{- range $.global.connectivity.network.staticRoutes }}\n                        ExecStart=/usr/bin/bash -cv 'ip route add {{ .destination }} via {{ .via }}'\n                        {{- end }}\n                        {{- end }}\n                    unit:\n                      requires:\n                        - coreos-metadata.service\n```\n\nThis results in the following unit:\n\n```\n[Unit]\nRequires=coreos-metadata.service\n[Service]\nExecStart=/usr/bin/bash -cv 'ip route add 10.2.3.0/24 via 10.9.8.7'\nExecStart=/usr/bin/bash -cv 'ip route add 10.20.30.0/24 via 10.9.8.7'\n[Install]\nWantedBy=multi-user.target\n```\n\nThe Helm templating syntax is treated as plain text by the provider chart. The cluster chart's templating function has\naccess to the values under the provider chart's `.global` key so any values referenced in the template must exist\nunder `.global`.\n\nNote that variable scoping is important here - the templating function does not have access to the root `$.Values` object,\nso any variables under `.global` must be referenced as `$.global.some.var` (not `$.Values.global.some.var`).\n\n## Workload cluster configuration\n\nWorkload clusters can be configured by setting Helm values in two top-level objects:\n- `.Values.global`, which represents a public API for customizing workload clusters, and\n- `.Values.cluster.internal.advancedConfiguration`, which should be used only by Giant Swarm staff for advanced cluster configuration.\n\nP.S. `.Values.cluster.internal.advancedConfiguration` is the Helm value from the point of view of cluster-\\\u003cprovider\\\u003e app,\nwhile that value inside of cluster chart is `.Values.internal.advancedConfiguration`.\n\nMore details about customizing workload cluster Helm values TBA.\n\n\n## Maintaining `values.schema.json` and `values.yaml`\n\n**tldr**:\nWe only maintain `values.schema.json` and automatically generate `values.yaml` from it.\n```\nmake normalize-schema\nmake validate-schema\nmake generate-values\nmake generate-docs\n```\n\n**Details**:\n\nIn order to provide a better UX we validate user values against `values.schema.json`.\nIn addition we also use the JSON schema in our frontend to dynamically generate a UI for cluster creation from it.\nTo succesfully do this, we have some requirements on the `values.schema.json`, which are defined in [this RFC](https://github.com/giantswarm/rfc/pull/55).\nThese requirements can be checked with [schemalint](https://github.com/giantswarm/schemalint).\n`schemalint` does a couple of things:\n\n- Normalize JSON schema (indentation, white space, sorting)\n- Validate whether your schema is valid JSON schema\n- Validate whether the requirements for cluster app schemas are met\n- Check whether schema is normalized\n\nThe first point can be achieved with:\n```\nmake normalize-schema\n```\nThe second to fourth point can be achieved with:\n```\nmake validate-schema\n```\n\nThe JSON schema in `values.schema.json` should contain defaults defined with the `default` keyword.\nThese defaults should be same as those defined in `values.yaml`.\nThis allows us to generate `values.yaml` from `values.schema.json` with:\n\n```\nmake generate-values\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgiantswarm%2Fcluster","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgiantswarm%2Fcluster","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgiantswarm%2Fcluster/lists"}