디렉토리 구조 및 각 서비스 추가

README.md

@@ -1 +1,13 @@
 # dsk-devops-toolchains
+
+## Helm
+| Service | Official Docs | READMD.md |
+|:---|:---|:---|
+| actions-runner-controller |[docs.github.com](https://docs.github.com/en/actions){: target="_blank"}|[README.md](./helm/actions-runner-controller/README.md)
+
+
+## Docker
+
+## Yaml
+
+## Scripts

docker/README.md

@@ -0,0 +1 @@
+# Docker

helm/README.md

@@ -0,0 +1,2 @@
+# Helm
+

helm/actions-runner-controller/.helmignore

@@ -0,0 +1,25 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# Docs
+docs/

helm/actions-runner-controller/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+appVersion: 0.27.4
+description: A Kubernetes controller that operates self-hosted runners for GitHub
+  Actions on your Kubernetes cluster.
+home: https://github.com/actions/actions-runner-controller
+maintainers:
+- name: actions-runner-controller
+  url: https://github.com/actions-runner-controller
+name: actions-runner-controller
+sources:
+- https://github.com/actions/actions-runner-controller
+type: application
+version: 0.23.3

helm/actions-runner-controller/README.md

@@ -0,0 +1,157 @@
+## Docs
+
+All additional docs are kept in the `docs/` folder, this README is solely for documenting the values.yaml keys and values
+
+## Values
+
+**_The values are documented as of HEAD, to review the configuration options for your chart version ensure you view this file at the relevant [tag](https://github.com/actions/actions-runner-controller/tags)_**
+
+> _Default values are the defaults set in the charts `values.yaml`, some properties have default configurations in the code for when the property is omitted or invalid_
+
+| Key                                                      | Description                                                                                                                               | Default                                                                                         |
+|----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------|
+| `labels`                                                 | Set labels to apply to all resources in the chart                                                                                         |                                                                                                 |
+| `replicaCount`                                           | Set the number of controller pods                                                                                                         | 1                                                                                               |
+| `webhookPort`                                            | Set the containerPort for the webhook Pod                                                                                                 | 9443                                                                                            |
+| `syncPeriod`                                             | Set the period in which the controller reconciles the desired runners count                                                               | 1m                                                                                              |
+| `enableLeaderElection`                                   | Enable election configuration                                                                                                             | true                                                                                            |
+| `leaderElectionId`                                       | Set the election ID for the controller group                                                                                              |                                                                                                 |
+| `githubEnterpriseServerURL`                              | Set the URL for a self-hosted GitHub Enterprise Server                                                                                    |                                                                                                 |
+| `githubURL`                                              | Override GitHub URL to be used for GitHub API calls                                                                                       |                                                                                                 |
+| `githubUploadURL`                                        | Override GitHub Upload URL to be used for GitHub API calls                                                                                |                                                                                                 |
+| `runnerGithubURL`                                        | Override GitHub URL to be used by runners during registration                                                                             |                                                                                                 |
+| `logLevel`                                               | Set the log level of the controller container                                                                                             |                                                                                                 |
+| `logFormat`                                              | Set the log format of the controller. Valid options are "text" and "json"                                                                 | text                                                                                            |
+| `additionalVolumes`                                      | Set additional volumes to add to the manager container                                                                                    |                                                                                                 |
+| `additionalVolumeMounts`                                 | Set additional volume mounts to add to the manager container                                                                              |                                                                                                 |
+| `authSecret.create`                                      | Deploy the controller auth secret                                                                                                         | false                                                                                           |
+| `authSecret.name`                                        | Set the name of the auth secret                                                                                                           | controller-manager                                                                              |
+| `authSecret.annotations`                                 | Set annotations for the auth Secret                                                                                                       |                                                                                                 |
+| `authSecret.github_app_id`                               | The ID of your GitHub App. **This can't be set at the same time as `authSecret.github_token`**                                            |                                                                                                 |
+| `authSecret.github_app_installation_id`                  | The ID of your GitHub App installation. **This can't be set at the same time as `authSecret.github_token`**                               |                                                                                                 |
+| `authSecret.github_app_private_key`                      | The multiline string of your GitHub App's private key. **This can't be set at the same time as `authSecret.github_token`**                |                                                                                                 |
+| `authSecret.github_token`                                | Your chosen GitHub PAT token. **This can't be set at the same time as the `authSecret.github_app_*`**                                     |                                                                                                 |
+| `authSecret.github_basicauth_username`                   | Username for GitHub basic auth to use instead of PAT or GitHub APP in case it's running behind a proxy API                                |                                                                                                 |
+| `authSecret.github_basicauth_password`                   | Password for GitHub basic auth to use instead of PAT or GitHub APP in case it's running behind a proxy API                                |                                                                                                 |
+| `dockerRegistryMirror`                                   | The default Docker Registry Mirror used by runners.                                                                                       |                                                                                                 |
+| `hostNetwork`                                            | The "hostNetwork" of the controller container                                                                                             | false                                                                                           |
+| `image.repository`                                       | The "repository/image" of the controller container                                                                                        | summerwind/actions-runner-controller                                                            |
+| `image.tag`                                              | The tag of the controller container                                                                                                       |                                                                                                 |
+| `image.actionsRunnerRepositoryAndTag`                    | The "repository/image" of the actions runner container                                                                                    | summerwind/actions-runner:latest                                                                |
+| `image.actionsRunnerImagePullSecrets`                    | Optional image pull secrets to be included in the runner pod's ImagePullSecrets                                                           |                                                                                                 |
+| `image.dindSidecarRepositoryAndTag`                      | The "repository/image" of the dind sidecar container                                                                                      | docker:dind                                                                                     |
+| `image.pullPolicy`                                       | The pull policy of the controller image                                                                                                   | IfNotPresent                                                                                    |
+| `metrics.serviceMonitor`                                 | Deploy serviceMonitor kind for for use with prometheus-operator CRDs                                                                      | false                                                                                           |
+| `metrics.serviceAnnotations`                             | Set annotations for the provisioned metrics service resource                                                                              |                                                                                                 |
+| `metrics.port`                                           | Set port of metrics service                                                                                                               | 8443                                                                                            |
+| `metrics.proxy.enabled`                                  | Deploy kube-rbac-proxy container in controller pod                                                                                        | true                                                                                            |
+| `metrics.proxy.image.repository`                         | The "repository/image" of the kube-proxy container                                                                                        | quay.io/brancz/kube-rbac-proxy                                                                  |
+| `metrics.proxy.image.tag`                                | The tag of the kube-proxy image to use when pulling the container                                                                         | v0.13.1                                                                                         |
+| `metrics.serviceMonitorLabels`                           | Set labels to apply to ServiceMonitor resources                                                                                           |                                                                                                 |
+| `imagePullSecrets`                                       | Specifies the secret to be used when pulling the controller pod containers                                                                |                                                                                                 |
+| `fullnameOverride`                                       | Override the full resource names	                                                                                                       |                                                                                                 |
+| `nameOverride`                                           | Override the resource name prefix	                                                                                                       |                                                                                                 |
+| `serviceAccount.annotations`                             | Set annotations to the service account                                                                                                    |                                                                                                 |
+| `serviceAccount.create`                                  | Deploy the controller pod under a service account                                                                                         | true                                                                                            |
+| `podAnnotations`                                         | Set annotations for the controller pod                                                                                                    |                                                                                                 |
+| `podLabels`                                              | Set labels for the controller pod                                                                                                         |                                                                                                 |
+| `serviceAccount.name`                                    | Set the name of the service account                                                                                                       |                                                                                                 |
+| `securityContext`                                        | Set the security context for each container in the controller pod                                                                         |                                                                                                 |
+| `podSecurityContext`                                     | Set the security context to controller pod                                                                                                |                                                                                                 |
+| `service.annotations`                                    | Set annotations for the provisioned webhook service resource                                                                              |                                                                                                 |
+| `service.port`                                           | Set controller service ports                                                                                                              |                                                                                                 |
+| `service.type`                                           | Set controller service type                                                                                                               |                                                                                                 |
+| `topologySpreadConstraints`                              | Set the controller pod topologySpreadConstraints                                                                                          |                                                                                                 |
+| `nodeSelector`                                           | Set the controller pod nodeSelector                                                                                                       |                                                                                                 |
+| `resources`                                              | Set the controller pod resources                                                                                                          |                                                                                                 |
+| `affinity`                                               | Set the controller pod affinity rules                                                                                                     |                                                                                                 |
+| `podDisruptionBudget.enabled`                            | Enables a PDB to ensure HA of controller pods                                                                                             |      false                                                                                      |
+| `podDisruptionBudget.minAvailable`                       | Minimum number of pods that must be available after eviction                                                                              |                                                                                                 |
+| `podDisruptionBudget.maxUnavailable`                     | Maximum number of pods that can be unavailable after eviction. Kubernetes 1.7+ required.                                                  |                                                                                                 |
+| `tolerations`                                            | Set the controller pod tolerations                                                                                                        |                                                                                                 |
+| `env`                                                    | Set environment variables for the controller container                                                                                    |                                                                                                 |
+| `priorityClassName`                                      | Set the controller pod priorityClassName                                                                                                  |                                                                                                 |
+| `scope.watchNamespace`                                   | Tells the controller and the github webhook server which namespace to watch if `scope.singleNamespace` is true                            | `Release.Namespace` (the default namespace of the helm chart).                                  |
+| `scope.singleNamespace`                                  | Limit the controller to watch a single namespace                                                                                          | false                                                                                           |
+| `certManagerEnabled`                                     | Enable cert-manager. If disabled you must set admissionWebHooks.caBundle and create TLS secrets manually                                  | true                                                                                            |
+| `runner.statusUpdateHook.enabled`                        | Use custom RBAC for runners (role, role binding and service account), this will enable reporting runner statuses                          | false                                                                                           |
+| `admissionWebHooks.caBundle`                             | Base64-encoded PEM bundle containing the CA that signed the webhook's serving certificate                                                 |                                                                                                 |
+| `githubWebhookServer.logLevel`                           | Set the log level of the githubWebhookServer container                                                                                    |                                                                                                 |
+| `githubWebhookServer.logFormat`                          | Set the log format of the githubWebhookServer controller. Valid options are "text" and "json"                                             | text                                                                                            |
+| `githubWebhookServer.replicaCount`                       | Set the number of webhook server pods                                                                                                     | 1                                                                                               |
+| `githubWebhookServer.useRunnerGroupsVisibility`          | Enable supporting runner groups with custom visibility, you also need to set `githubWebhookServer.secret.enabled` to enable this feature. | false                                                                                           |
+| `githubWebhookServer.enabled`                            | Deploy the webhook server pod                                                                                                             | false                                                                                           |
+| `githubWebhookServer.queueLimit`                         | Set the queue size limit in the githubWebhookServer                                                                                       |                                                                                                 |
+| `githubWebhookServer.secret.enabled`                     | Passes the webhook hook secret to the github-webhook-server                                                                               | false                                                                                           |
+| `githubWebhookServer.secret.create`                      | Deploy the webhook hook secret                                                                                                            | false                                                                                           |
+| `githubWebhookServer.secret.name`                        | Set the name of the webhook hook secret                                                                                                   | github-webhook-server                                                                           |
+| `githubWebhookServer.secret.github_webhook_secret_token` | Set the webhook secret token value                                                                                                        |                                                                                                 |
+| `githubWebhookServer.imagePullSecrets`                   | Specifies the secret to be used when pulling the githubWebhookServer pod containers                                                       |                                                                                                 |
+| `githubWebhookServer.nameOverride`                       | Override the resource name prefix	                                                                                                       |                                                                                                 |
+| `githubWebhookServer.fullnameOverride`                   | Override the full resource names	                                                                                                       |                                                                                                 |
+| `githubWebhookServer.serviceAccount.create`              | Deploy the githubWebhookServer under a service account                                                                                    | true                                                                                            |
+| `githubWebhookServer.serviceAccount.annotations`         | Set annotations for the service account                                                                                                   |                                                                                                 |
+| `githubWebhookServer.serviceAccount.name`                | Set the service account name                                                                                                              |                                                                                                 |
+| `githubWebhookServer.podAnnotations`                     | Set annotations for the githubWebhookServer pod                                                                                           |                                                                                                 |
+| `githubWebhookServer.podLabels`                          | Set labels for the githubWebhookServer pod                                                                                                |                                                                                                 |
+| `githubWebhookServer.podSecurityContext`                 | Set the security context to githubWebhookServer pod                                                                                       |                                                                                                 |
+| `githubWebhookServer.securityContext`                    | Set the security context for each container in the githubWebhookServer pod                                                                |                                                                                                 |
+| `githubWebhookServer.resources`                          | Set the githubWebhookServer pod resources                                                                                                 |                                                                                                 |
+| `githubWebhookServer.topologySpreadConstraints`          | Set the githubWebhookServer pod topologySpreadConstraints                                                                                 |                                                                                                 |
+| `githubWebhookServer.nodeSelector`                       | Set the githubWebhookServer pod nodeSelector                                                                                              |                                                                                                 |
+| `githubWebhookServer.tolerations`                        | Set the githubWebhookServer pod tolerations                                                                                               |                                                                                                 |
+| `githubWebhookServer.affinity`                           | Set the githubWebhookServer pod affinity rules                                                                                            |                                                                                                 |
+| `githubWebhookServer.priorityClassName`                  | Set the githubWebhookServer pod priorityClassName                                                                                         |                                                                                                 |
+| `githubWebhookServer.terminationGracePeriodSeconds`      | Set the githubWebhookServer pod terminationGracePeriodSeconds. Useful when using preStop hooks to drain/sleep.                            | `10`                                                                                            |
+| `githubWebhookServer.lifecycle`                          | Set the githubWebhookServer pod lifecycle hooks                                                                                           | `{}`                                                                                            |
+| `githubWebhookServer.service.type`                       | Set githubWebhookServer service type                                                                                                      |                                                                                                 |
+| `githubWebhookServer.service.ports`                      | Set githubWebhookServer service ports                                                                                                     | `[{"port":80, "targetPort:"http", "protocol":"TCP", "name":"http"}]`                            |
+| `githubWebhookServer.service.loadBalancerSourceRanges`   | Set githubWebhookServer loadBalancerSourceRanges for restricting loadBalancer type services                                               | `[]`                                                                                            |
+| `githubWebhookServer.ingress.enabled`                    | Deploy an ingress kind for the githubWebhookServer                                                                                        | false                                                                                           |
+| `githubWebhookServer.ingress.annotations`                | Set annotations for the ingress kind                                                                                                      |                                                                                                 |
+| `githubWebhookServer.ingress.hosts`                      | Set hosts configuration for ingress                                                                                                       | `[{"host": "chart-example.local", "paths": []}]`                                                |
+| `githubWebhookServer.ingress.tls`                        | Set tls configuration for ingress                                                                                                         |                                                                                                 |
+| `githubWebhookServer.ingress.ingressClassName`           | Set ingress class name                                                                                                                    |                                                                                                 |
+| `githubWebhookServer.podDisruptionBudget.enabled`        | Enables a PDB to ensure HA of githubwebhook pods                                                                                          | false                                                                                           |
+| `githubWebhookServer.podDisruptionBudget.minAvailable`   | Minimum number of pods that must be available after eviction                                                                              |                                                                                                 |
+| `githubWebhookServer.podDisruptionBudget.maxUnavailable` | Maximum number of pods that can be unavailable after eviction. Kubernetes 1.7+ required.                                                  |                                                                                                 |
+| `actionsMetricsServer.logLevel`                           | Set the log level of the actionsMetricsServer container                                                                                    |                                                                                                 |
+| `actionsMetricsServer.logFormat`                          | Set the log format of the actionsMetricsServer controller. Valid options are "text" and "json"                                             | text                                                                                            |
+| `actionsMetricsServer.enabled`                            | Deploy the actions metrics server pod                                                                                                             | false                                                                                           |
+| `actionsMetricsServer.secret.enabled`                     | Passes the webhook hook secret to the actions-metrics-server                                                                              | false                                                                                           |
+| `actionsMetricsServer.secret.create`                      | Deploy the webhook hook secret                                                                                                            | false                                                                                           |
+| `actionsMetricsServer.secret.name`                        | Set the name of the webhook hook secret                                                                                                   | actions-metrics-server                                                                           |
+| `actionsMetricsServer.secret.github_webhook_secret_token` | Set the webhook secret token value                                                                                                        |                                                                                                 |
+| `actionsMetricsServer.imagePullSecrets`                   | Specifies the secret to be used when pulling the actionsMetricsServer pod containers                                                       |                                                                                                 |
+| `actionsMetricsServer.nameOverride`                       | Override the resource name prefix	                                                                                                       |                                                                                                 |
+| `actionsMetricsServer.fullnameOverride`                   | Override the full resource names	                                                                                                       |                                                                                                 |
+| `actionsMetricsServer.serviceAccount.create`              | Deploy the actionsMetricsServer under a service account                                                                                    | true                                                                                            |
+| `actionsMetricsServer.serviceAccount.annotations`         | Set annotations for the service account                                                                                                   |                                                                                                 |
+| `actionsMetricsServer.serviceAccount.name`                | Set the service account name                                                                                                              |                                                                                                 |
+| `actionsMetricsServer.podAnnotations`                     | Set annotations for the actionsMetricsServer pod                                                                                           |                                                                                                 |
+| `actionsMetricsServer.podLabels`                          | Set labels for the actionsMetricsServer pod                                                                                                |                                                                                                 |
+| `actionsMetricsServer.podSecurityContext`                 | Set the security context to actionsMetricsServer pod                                                                                       |                                                                                                 |
+| `actionsMetricsServer.securityContext`                    | Set the security context for each container in the actionsMetricsServer pod                                                                |                                                                                                 |
+| `actionsMetricsServer.resources`                          | Set the actionsMetricsServer pod resources                                                                                                 |                                                                                                 |
+| `actionsMetricsServer.topologySpreadConstraints`          | Set the actionsMetricsServer pod topologySpreadConstraints                                                                                 |                                                                                                 |
+| `actionsMetricsServer.nodeSelector`                       | Set the actionsMetricsServer pod nodeSelector                                                                                              |                                                                                                 |
+| `actionsMetricsServer.tolerations`                        | Set the actionsMetricsServer pod tolerations                                                                                               |                                                                                                 |
+| `actionsMetricsServer.affinity`                           | Set the actionsMetricsServer pod affinity rules                                                                                            |                                                                                                 |
+| `actionsMetricsServer.priorityClassName`                  | Set the actionsMetricsServer pod priorityClassName                                                                                         |                                                                                                 |
+| `actionsMetricsServer.terminationGracePeriodSeconds`      | Set the actionsMetricsServer pod terminationGracePeriodSeconds. Useful when using preStop hooks to drain/sleep.                           | `10`                                                                                            |
+| `actionsMetricsServer.lifecycle`                          | Set the actionsMetricsServer pod lifecycle hooks                                                                                          | `{}`                                                                                            |
+| `actionsMetricsServer.service.type`                       | Set actionsMetricsServer service type                                                                                                      |                                                                                                 |
+| `actionsMetricsServer.service.ports`                      | Set actionsMetricsServer service ports                                                                                                     | `[{"port":80, "targetPort:"http", "protocol":"TCP", "name":"http"}]`                            |
+| `actionsMetricsServer.service.loadBalancerSourceRanges`   | Set actionsMetricsServer loadBalancerSourceRanges for restricting loadBalancer type services                                              | `[]`                                                                                            |
+| `actionsMetricsServer.ingress.enabled`                    | Deploy an ingress kind for the actionsMetricsServer                                                                                        | false                                                                                           |
+| `actionsMetricsServer.ingress.annotations`                | Set annotations for the ingress kind                                                                                                      |                                                                                                 |
+| `actionsMetricsServer.ingress.hosts`                      | Set hosts configuration for ingress                                                                                                       | `[{"host": "chart-example.local", "paths": []}]`                                                |
+| `actionsMetricsServer.ingress.tls`                        | Set tls configuration for ingress                                                                                                         |                                                                                                 |
+| `actionsMetricsServer.ingress.ingressClassName`           | Set ingress class name                                                                                                                    |                                                                                                 |
+| `actionsMetrics.serviceMonitor`                           | Deploy serviceMonitor kind for for use with prometheus-operator CRDs                                                                      | false                                                                                           |
+| `actionsMetrics.serviceAnnotations`                       | Set annotations for the provisioned actions metrics service resource                                                                              |                                                                                                 |
+| `actionsMetrics.port`                                     | Set port of actions metrics service                                                                                                               | 8443                                                                                            |
+| `actionsMetrics.proxy.enabled`                            | Deploy kube-rbac-proxy container in controller pod                                                                                        | true                                                                                            |
+| `actionsMetrics.proxy.image.repository`                   | The "repository/image" of the kube-proxy container                                                                                        | quay.io/brancz/kube-rbac-proxy                                                                  |
+| `actionsMetrics.proxy.image.tag`                          | The tag of the kube-proxy image to use when pulling the container                                                                         | v0.13.1                                                                                         |
+| `actionsMetrics.serviceMonitorLabels`                     | Set labels to apply to ServiceMonitor resources                                                                                           |                                                                                                 |

helm/actions-runner-controller/ci/ci-values.yaml

@@ -0,0 +1,30 @@
+# This file sets some opinionated values for kube-score to use
+# when parsing the chart
+image:
+  pullPolicy: Always
+
+podSecurityContext:
+  fsGroup: 2000
+
+securityContext: 
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 2000
+
+resources: 
+  limits:
+    cpu: 100m
+    memory: 128Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi  
+
+authSecret:
+  create: false
+
+# Set the following to true to create a dummy secret, allowing the manager pod to start
+# This is only useful in CI
+createDummySecret: true

helm/actions-runner-controller/crds/actions.summerwind.dev_horizontalrunnerautoscalers.yaml

@@ -0,0 +1,259 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.7.0
+  creationTimestamp: null
+  name: horizontalrunnerautoscalers.actions.summerwind.dev
+spec:
+  group: actions.summerwind.dev
+  names:
+    kind: HorizontalRunnerAutoscaler
+    listKind: HorizontalRunnerAutoscalerList
+    plural: horizontalrunnerautoscalers
+    shortNames:
+      - hra
+    singular: horizontalrunnerautoscaler
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .spec.minReplicas
+          name: Min
+          type: number
+        - jsonPath: .spec.maxReplicas
+          name: Max
+          type: number
+        - jsonPath: .status.desiredReplicas
+          name: Desired
+          type: number
+        - jsonPath: .status.scheduledOverridesSummary
+          name: Schedule
+          type: string
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: HorizontalRunnerAutoscaler is the Schema for the horizontalrunnerautoscaler API
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: HorizontalRunnerAutoscalerSpec defines the desired state of HorizontalRunnerAutoscaler
+              properties:
+                capacityReservations:
+                  items:
+                    description: CapacityReservation specifies the number of replicas temporarily added to the scale target until ExpirationTime.
+                    properties:
+                      effectiveTime:
+                        format: date-time
+                        type: string
+                      expirationTime:
+                        format: date-time
+                        type: string
+                      name:
+                        type: string
+                      replicas:
+                        type: integer
+                    type: object
+                  type: array
+                githubAPICredentialsFrom:
+                  properties:
+                    secretRef:
+                      properties:
+                        name:
+                          type: string
+                      required:
+                        - name
+                      type: object
+                  type: object
+                maxReplicas:
+                  description: MaxReplicas is the maximum number of replicas the deployment is allowed to scale
+                  type: integer
+                metrics:
+                  description: Metrics is the collection of various metric targets to calculate desired number of runners
+                  items:
+                    properties:
+                      repositoryNames:
+                        description: RepositoryNames is the list of repository names to be used for calculating the metric. For example, a repository name is the REPO part of `github.com/USER/REPO`.
+                        items:
+                          type: string
+                        type: array
+                      scaleDownAdjustment:
+                        description: ScaleDownAdjustment is the number of runners removed on scale-down. You can only specify either ScaleDownFactor or ScaleDownAdjustment.
+                        type: integer
+                      scaleDownFactor:
+                        description: ScaleDownFactor is the multiplicative factor applied to the current number of runners used to determine how many pods should be removed.
+                        type: string
+                      scaleDownThreshold:
+                        description: ScaleDownThreshold is the percentage of busy runners less than which will trigger the hpa to scale the runners down.
+                        type: string
+                      scaleUpAdjustment:
+                        description: ScaleUpAdjustment is the number of runners added on scale-up. You can only specify either ScaleUpFactor or ScaleUpAdjustment.
+                        type: integer
+                      scaleUpFactor:
+                        description: ScaleUpFactor is the multiplicative factor applied to the current number of runners used to determine how many pods should be added.
+                        type: string
+                      scaleUpThreshold:
+                        description: ScaleUpThreshold is the percentage of busy runners greater than which will trigger the hpa to scale runners up.
+                        type: string
+                      type:
+                        description: Type is the type of metric to be used for autoscaling. It can be TotalNumberOfQueuedAndInProgressWorkflowRuns or PercentageRunnersBusy.
+                        type: string
+                    type: object
+                  type: array
+                minReplicas:
+                  description: MinReplicas is the minimum number of replicas the deployment is allowed to scale
+                  type: integer
+                scaleDownDelaySecondsAfterScaleOut:
+                  description: ScaleDownDelaySecondsAfterScaleUp is the approximate delay for a scale down followed by a scale up Used to prevent flapping (down->up->down->... loop)
+                  type: integer
+                scaleTargetRef:
+                  description: ScaleTargetRef sis the reference to scaled resource like RunnerDeployment
+                  properties:
+                    kind:
+                      description: Kind is the type of resource being referenced
+                      enum:
+                        - RunnerDeployment
+                        - RunnerSet
+                      type: string
+                    name:
+                      description: Name is the name of resource being referenced
+                      type: string
+                  type: object
+                scaleUpTriggers:
+                  description: "ScaleUpTriggers is an experimental feature to increase the desired replicas by 1 on each webhook requested received by the webhookBasedAutoscaler. \n This feature requires you to also enable and deploy the webhookBasedAutoscaler onto your cluster. \n Note that the added runners remain until the next sync period at least, and they may or may not be used by GitHub Actions depending on the timing. They are intended to be used to gain \"resource slack\" immediately after you receive a webhook from GitHub, so that you can loosely expect MinReplicas runners to be always available."
+                  items:
+                    properties:
+                      amount:
+                        type: integer
+                      duration:
+                        type: string
+                      githubEvent:
+                        properties:
+                          checkRun:
+                            description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#check_run
+                            properties:
+                              names:
+                                description: Names is a list of GitHub Actions glob patterns. Any check_run event whose name matches one of patterns in the list can trigger autoscaling. Note that check_run name seem to equal to the job name you've defined in your actions workflow yaml file. So it is very likely that you can utilize this to trigger depending on the job.
+                                items:
+                                  type: string
+                                type: array
+                              repositories:
+                                description: Repositories is a list of GitHub repositories. Any check_run event whose repository matches one of repositories in the list can trigger autoscaling.
+                                items:
+                                  type: string
+                                type: array
+                              status:
+                                type: string
+                              types:
+                                description: 'One of: created, rerequested, or completed'
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          pullRequest:
+                            description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request
+                            properties:
+                              branches:
+                                items:
+                                  type: string
+                                type: array
+                              types:
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          push:
+                            description: PushSpec is the condition for triggering scale-up on push event Also see https://docs.github.com/en/actions/reference/events-that-trigger-workflows#push
+                            type: object
+                          workflowJob:
+                            description: https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job
+                            type: object
+                        type: object
+                    type: object
+                  type: array
+                scheduledOverrides:
+                  description: ScheduledOverrides is the list of ScheduledOverride. It can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule. The earlier a scheduled override is, the higher it is prioritized.
+                  items:
+                    description: ScheduledOverride can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule. A schedule can optionally be recurring, so that the corresponding override happens every day, week, month, or year.
+                    properties:
+                      endTime:
+                        description: EndTime is the time at which the first override ends.
+                        format: date-time
+                        type: string
+                      minReplicas:
+                        description: MinReplicas is the number of runners while overriding. If omitted, it doesn't override minReplicas.
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      recurrenceRule:
+                        properties:
+                          frequency:
+                            description: Frequency is the name of a predefined interval of each recurrence. The valid values are "Daily", "Weekly", "Monthly", and "Yearly". If empty, the corresponding override happens only once.
+                            enum:
+                              - Daily
+                              - Weekly
+                              - Monthly
+                              - Yearly
+                            type: string
+                          untilTime:
+                            description: UntilTime is the time of the final recurrence. If empty, the schedule recurs forever.
+                            format: date-time
+                            type: string
+                        type: object
+                      startTime:
+                        description: StartTime is the time at which the first override starts.
+                        format: date-time
+                        type: string
+                    required:
+                      - endTime
+                      - startTime
+                    type: object
+                  type: array
+              type: object
+            status:
+              properties:
+                cacheEntries:
+                  items:
+                    properties:
+                      expirationTime:
+                        format: date-time
+                        type: string
+                      key:
+                        type: string
+                      value:
+                        type: integer
+                    type: object
+                  type: array
+                desiredReplicas:
+                  description: DesiredReplicas is the total number of desired, non-terminated and latest pods to be set for the primary RunnerSet This doesn't include outdated pods while upgrading the deployment and replacing the runnerset.
+                  type: integer
+                lastSuccessfulScaleOutTime:
+                  format: date-time
+                  nullable: true
+                  type: string
+                observedGeneration:
+                  description: ObservedGeneration is the most recent generation observed for the target. It corresponds to e.g. RunnerDeployment's generation, which is updated on mutation by the API Server.
+                  format: int64
+                  type: integer
+                scheduledOverridesSummary:
+                  description: ScheduledOverridesSummary is the summary of active and upcoming scheduled overrides to be shown in e.g. a column of a `kubectl get hra` output for observability.
+                  type: string
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+  preserveUnknownFields: false
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

helm/actions-runner-controller/runner-deployment/dsk-agent-group.yaml

@@ -0,0 +1,13 @@
+apiVersion: actions.summerwind.dev/v1alpha1
+kind: RunnerDeployment
+metadata:
+  name: dsk-agent-group
+  namespace: actions-runner-system
+spec:
+  replicas: 1
+  template:
+    spec:
+      organization: cloudmoa
+      group: dsk-agent-group
+      labels:
+        - dsk-agent-group

helm/actions-runner-controller/runner-deployment/dsk-devops-group.yaml

@@ -0,0 +1,13 @@
+apiVersion: actions.summerwind.dev/v1alpha1
+kind: RunnerDeployment
+metadata:
+  name: dsk-devops-group
+  namespace: actions-runner-system
+spec:
+  replicas: 1
+  template:
+    spec:
+      organization: cloudmoa
+      group: dsk-devops-group
+      labels:
+        - dsk-devops-group

helm/actions-runner-controller/runner-deployment/dsk-front-group.yaml

@@ -0,0 +1,13 @@
+apiVersion: actions.summerwind.dev/v1alpha1
+kind: RunnerDeployment
+metadata:
+  name: dsk-front-group
+  namespace: actions-runner-system
+spec:
+  replicas: 4
+  template:
+    spec:
+      organization: cloudmoa
+      group: dsk-front-group
+      labels:
+        - dsk-front-group

helm/actions-runner-controller/templates/NOTES.txt

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.githubWebhookServer.ingress.enabled }}
+{{- range $host := .Values.githubWebhookServer.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.githubWebhookServer.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "actions-runner-controller.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "actions-runner-controller.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "actions-runner-controller.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "actions-runner-controller.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

helm/actions-runner-controller/templates/_actions_metrics_server_helpers.tpl

@@ -0,0 +1,60 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "actions-runner-controller-actions-metrics-server.name" -}}
+{{- default .Chart.Name .Values.actionsMetricsServer.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "actions-runner-controller-actions-metrics-server.instance" -}}
+{{- printf "%s-%s" .Release.Name "actions-metrics-server" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "actions-runner-controller-actions-metrics-server.fullname" -}}
+{{- if .Values.actionsMetricsServer.fullnameOverride }}
+{{- .Values.actionsMetricsServer.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.actionsMetricsServer.nameOverride }}
+{{- $instance := include "actions-runner-controller-actions-metrics-server.instance" . }}
+{{- if contains $name $instance }}
+{{- $instance | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s-%s" .Release.Name $name "actions-metrics-server" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "actions-runner-controller-actions-metrics-server.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "actions-runner-controller-actions-metrics-server.name" . }}
+app.kubernetes.io/instance: {{ include "actions-runner-controller-actions-metrics-server.instance" . }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "actions-runner-controller-actions-metrics-server.serviceAccountName" -}}
+{{- if .Values.actionsMetricsServer.serviceAccount.create }}
+{{- default (include "actions-runner-controller-actions-metrics-server.fullname" .) .Values.actionsMetricsServer.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.actionsMetricsServer.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "actions-runner-controller-actions-metrics-server.secretName" -}}
+{{- default (include "actions-runner-controller-actions-metrics-server.fullname" .) .Values.actionsMetricsServer.secret.name }}
+{{- end }}
+
+{{- define "actions-runner-controller-actions-metrics-server.roleName" -}}
+{{- include "actions-runner-controller-actions-metrics-server.fullname" . }}
+{{- end }}
+
+{{- define "actions-runner-controller-actions-metrics-server.serviceMonitorName" -}}
+{{- include "actions-runner-controller-actions-metrics-server.fullname" . | trunc 47 }}-service-monitor
+{{- end }}

helm/actions-runner-controller/templates/_github_webhook_server_helpers.tpl

@@ -0,0 +1,64 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "actions-runner-controller-github-webhook-server.name" -}}
+{{- default .Chart.Name .Values.githubWebhookServer.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "actions-runner-controller-github-webhook-server.instance" -}}
+{{- printf "%s-%s" .Release.Name "github-webhook-server" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "actions-runner-controller-github-webhook-server.fullname" -}}
+{{- if .Values.githubWebhookServer.fullnameOverride }}
+{{- .Values.githubWebhookServer.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.githubWebhookServer.nameOverride }}
+{{- $instance := include "actions-runner-controller-github-webhook-server.instance" . }}
+{{- if contains $name $instance }}
+{{- $instance | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s-%s" .Release.Name $name "github-webhook-server" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "actions-runner-controller-github-webhook-server.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "actions-runner-controller-github-webhook-server.name" . }}
+app.kubernetes.io/instance: {{ include "actions-runner-controller-github-webhook-server.instance" . }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "actions-runner-controller-github-webhook-server.serviceAccountName" -}}
+{{- if .Values.githubWebhookServer.serviceAccount.create }}
+{{- default (include "actions-runner-controller-github-webhook-server.fullname" .) .Values.githubWebhookServer.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.githubWebhookServer.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "actions-runner-controller-github-webhook-server.secretName" -}}
+{{- default (include "actions-runner-controller-github-webhook-server.fullname" .) .Values.githubWebhookServer.secret.name }}
+{{- end }}
+
+{{- define "actions-runner-controller-github-webhook-server.roleName" -}}
+{{- include "actions-runner-controller-github-webhook-server.fullname" . }}
+{{- end }}
+
+{{- define "actions-runner-controller-github-webhook-server.serviceMonitorName" -}}
+{{- include "actions-runner-controller-github-webhook-server.fullname" . | trunc 47 }}-service-monitor
+{{- end }}
+
+{{- define "actions-runner-controller-github-webhook-server.pdbName" -}}
+{{- include "actions-runner-controller-github-webhook-server.fullname" . | trunc 59 }}-pdb
+{{- end }}

helm/actions-runner-controller/templates/_helpers.tpl

@@ -0,0 +1,117 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "actions-runner-controller.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "actions-runner-controller.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "actions-runner-controller.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "actions-runner-controller.labels" -}}
+helm.sh/chart: {{ include "actions-runner-controller.chart" . }}
+{{ include "actions-runner-controller.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- range $k, $v := .Values.labels }}
+{{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "actions-runner-controller.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "actions-runner-controller.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "actions-runner-controller.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "actions-runner-controller.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "actions-runner-controller.secretName" -}}
+{{- default (include "actions-runner-controller.fullname" .) .Values.authSecret.name -}}
+{{- end }}
+
+{{- define "actions-runner-controller.githubWebhookServerSecretName" -}}
+{{- default (include "actions-runner-controller.fullname" .) .Values.githubWebhookServer.secret.name -}}
+{{- end }}
+
+{{- define "actions-runner-controller.leaderElectionRoleName" -}}
+{{- include "actions-runner-controller.fullname" . }}-leader-election
+{{- end }}
+
+{{- define "actions-runner-controller.authProxyRoleName" -}}
+{{- include "actions-runner-controller.fullname" . }}-proxy
+{{- end }}
+
+{{- define "actions-runner-controller.managerRoleName" -}}
+{{- include "actions-runner-controller.fullname" . }}-manager
+{{- end }}
+
+{{- define "actions-runner-controller.runnerEditorRoleName" -}}
+{{- include "actions-runner-controller.fullname" . }}-runner-editor
+{{- end }}
+
+{{- define "actions-runner-controller.runnerViewerRoleName" -}}
+{{- include "actions-runner-controller.fullname" . }}-runner-viewer
+{{- end }}
+
+{{- define "actions-runner-controller.webhookServiceName" -}}
+{{- include "actions-runner-controller.fullname" . | trunc 55 }}-webhook
+{{- end }}
+
+{{- define "actions-runner-controller.metricsServiceName" -}}
+{{- include "actions-runner-controller.fullname" . | trunc 47 }}-metrics-service
+{{- end }}
+
+{{- define "actions-runner-controller.serviceMonitorName" -}}
+{{- include "actions-runner-controller.fullname" . | trunc 47 }}-service-monitor
+{{- end }}
+
+{{- define "actions-runner-controller.selfsignedIssuerName" -}}
+{{- include "actions-runner-controller.fullname" . }}-selfsigned-issuer
+{{- end }}
+
+{{- define "actions-runner-controller.servingCertName" -}}
+{{- include "actions-runner-controller.fullname" . }}-serving-cert
+{{- end }}
+
+{{- define "actions-runner-controller.pdbName" -}}
+{{- include "actions-runner-controller.fullname" . | trunc 59 }}-pdb
+{{- end }}

helm/actions-runner-controller/templates/actionsmetrics.deployment.yaml

@@ -0,0 +1,168 @@
+{{- if .Values.actionsMetricsServer.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "actions-runner-controller-actions-metrics-server.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.actionsMetricsServer.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "actions-runner-controller-actions-metrics-server.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.actionsMetricsServer.podAnnotations }}
+      annotations:
+        kubectl.kubernetes.io/default-container: "actions-metrics-server"
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "actions-runner-controller-actions-metrics-server.selectorLabels" . | nindent 8 }}
+      {{- with .Values.actionsMetricsServer.podLabels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- with .Values.actionsMetricsServer.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "actions-runner-controller-actions-metrics-server.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.actionsMetricsServer.podSecurityContext | nindent 8 }}
+      {{- with .Values.actionsMetricsServer.priorityClassName }}
+      priorityClassName: "{{ . }}"
+      {{- end }}
+      containers:
+      - args:
+        {{- $metricsHost := .Values.metrics.proxy.enabled | ternary "127.0.0.1" "0.0.0.0" }}
+        {{- $metricsPort := .Values.metrics.proxy.enabled | ternary "8080" .Values.metrics.port }}
+        - "--metrics-addr={{ $metricsHost }}:{{ $metricsPort }}"
+        {{- if .Values.actionsMetricsServer.logLevel }}
+        - "--log-level={{ .Values.actionsMetricsServer.logLevel }}"
+        {{- end }}
+        {{- if .Values.runnerGithubURL  }}
+        - "--runner-github-url={{ .Values.runnerGithubURL }}"
+        {{- end }}
+        {{- if .Values.actionsMetricsServer.logFormat  }}
+        - "--log-format={{ .Values.actionsMetricsServer.logFormat }}"
+        {{- end }}
+        command:
+        - "/actions-metrics-server"
+        {{- if .Values.actionsMetricsServer.lifecycle }}
+        {{- with .Values.actionsMetricsServer.lifecycle }}
+        lifecycle:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- end }}
+        env:
+        - name: GITHUB_WEBHOOK_SECRET_TOKEN
+          valueFrom:
+            secretKeyRef:
+              key: github_webhook_secret_token
+              name: {{ include "actions-runner-controller-actions-metrics-server.secretName" . }}
+              optional: true
+        {{- if .Values.githubEnterpriseServerURL  }}
+        - name: GITHUB_ENTERPRISE_URL
+          value: {{ .Values.githubEnterpriseServerURL }}
+        {{- end }}
+        {{- if .Values.githubURL  }}
+        - name: GITHUB_URL
+          value: {{ .Values.githubURL }}
+        {{- end }}
+        {{- if .Values.githubUploadURL  }}
+        - name: GITHUB_UPLOAD_URL
+          value: {{ .Values.githubUploadURL }}
+        {{- end }}
+        {{- if .Values.actionsMetricsServer.secret.enabled }}
+        - name: GITHUB_TOKEN
+          valueFrom:
+            secretKeyRef:
+              key: github_token
+              name: {{ include "actions-runner-controller-actions-metrics-server.secretName" . }}
+              optional: true
+        - name: GITHUB_APP_ID
+          valueFrom:
+            secretKeyRef:
+              key: github_app_id
+              name: {{ include "actions-runner-controller-actions-metrics-server.secretName" . }}
+              optional: true
+        - name: GITHUB_APP_INSTALLATION_ID
+          valueFrom:
+            secretKeyRef:
+              key: github_app_installation_id
+              name: {{ include "actions-runner-controller-actions-metrics-server.secretName" . }}
+              optional: true
+        - name: GITHUB_APP_PRIVATE_KEY
+          valueFrom:
+            secretKeyRef:
+              key: github_app_private_key
+              name: {{ include "actions-runner-controller-actions-metrics-server.secretName" . }}
+              optional: true
+        {{- if .Values.authSecret.github_basicauth_username }}
+        - name: GITHUB_BASICAUTH_USERNAME
+          value: {{ .Values.authSecret.github_basicauth_username }}
+        {{- end }}
+        - name: GITHUB_BASICAUTH_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: github_basicauth_password
+              name: {{ include "actions-runner-controller.secretName" . }}
+              optional: true
+        {{- end }}
+        {{- range $key, $val := .Values.actionsMetricsServer.env }}
+        - name: {{ $key }}
+          value: {{ $val | quote }}
+        {{- end }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag  | default (cat "v" .Chart.AppVersion | replace " " "") }}"
+        name: actions-metrics-server
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        ports:
+        - containerPort: 8000
+          name: http
+          protocol: TCP
+        {{- if not .Values.metrics.proxy.enabled }}
+        - containerPort: {{ .Values.metrics.port }}
+          name: metrics-port
+          protocol: TCP
+        {{- end }}
+        resources:
+          {{- toYaml .Values.actionsMetricsServer.resources | nindent 12 }}
+        securityContext:
+          {{- toYaml .Values.actionsMetricsServer.securityContext | nindent 12 }}
+      {{- if .Values.metrics.proxy.enabled }}
+      - args:
+        - "--secure-listen-address=0.0.0.0:{{ .Values.metrics.port }}"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=10"
+        image: "{{ .Values.metrics.proxy.image.repository }}:{{ .Values.metrics.proxy.image.tag }}"
+        name: kube-rbac-proxy
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        ports:
+        - containerPort: {{ .Values.metrics.port }}
+          name: metrics-port
+        resources:
+          {{- toYaml .Values.resources | nindent 12 }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+      {{- end }}
+      terminationGracePeriodSeconds: {{ .Values.actionsMetricsServer.terminationGracePeriodSeconds }}
+      {{- with .Values.actionsMetricsServer.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actionsMetricsServer.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actionsMetricsServer.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actionsMetricsServer.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

helm/actions-runner-controller/templates/actionsmetrics.ingress.yaml.yml

@@ -0,0 +1,47 @@
+{{- if .Values.actionsMetricsServer.ingress.enabled -}}
+{{- $fullName := include "actions-runner-controller-actions-metrics-server.fullname" . -}}
+{{- $svcPort := (index .Values.actionsMetricsServer.service.ports 0).port -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+  {{- with .Values.actionsMetricsServer.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.actionsMetricsServer.ingress.tls }}
+  tls:
+    {{- range .Values.actionsMetricsServer.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  {{- with .Values.actionsMetricsServer.ingress.ingressClassName }}
+  ingressClassName: {{ . }}
+  {{- end }}
+  rules:
+    {{- range .Values.actionsMetricsServer.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- if .extraPaths }}
+          {{- toYaml .extraPaths | nindent 10 }}
+          {{- end }}
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+               name: {{ $fullName }}
+               port:
+                 number: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
+  {{- end }}

helm/actions-runner-controller/templates/actionsmetrics.role.yaml

@@ -0,0 +1,90 @@
+{{- if .Values.actionsMetricsServer.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: {{ include "actions-runner-controller-actions-metrics-server.roleName" . }}
+rules:
+- apiGroups: 
+  - actions.summerwind.dev
+  resources:
+  - horizontalrunnerautoscalers
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - horizontalrunnerautoscalers/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - horizontalrunnerautoscalers/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnersets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerdeployments
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerdeployments/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerdeployments/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+{{- end }}

helm/actions-runner-controller/templates/actionsmetrics.role_binding.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.actionsMetricsServer.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "actions-runner-controller-actions-metrics-server.roleName" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "actions-runner-controller-actions-metrics-server.roleName" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "actions-runner-controller-actions-metrics-server.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

helm/actions-runner-controller/templates/actionsmetrics.secrets.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.actionsMetricsServer.enabled }}
+{{- if .Values.actionsMetricsServer.secret.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "actions-runner-controller-actions-metrics-server.secretName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+type: Opaque
+data:
+{{- if .Values.actionsMetricsServer.secret.github_webhook_secret_token }}
+  github_webhook_secret_token: {{ .Values.actionsMetricsServer.secret.github_webhook_secret_token | toString | b64enc }}
+{{- end }}
+{{- if .Values.actionsMetricsServer.secret.github_app_id }}
+  github_app_id: {{ .Values.actionsMetricsServer.secret.github_app_id | toString | b64enc }}
+{{- end }}
+{{- if .Values.actionsMetricsServer.secret.github_app_installation_id }}
+  github_app_installation_id: {{ .Values.actionsMetricsServer.secret.github_app_installation_id | toString | b64enc }}
+{{- end }}
+{{- if .Values.actionsMetricsServer.secret.github_app_private_key }}
+  github_app_private_key: {{ .Values.actionsMetricsServer.secret.github_app_private_key | toString | b64enc }}
+{{- end }}
+{{- if .Values.actionsMetricsServer.secret.github_token }}
+  github_token: {{ .Values.actionsMetricsServer.secret.github_token | toString | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}

helm/actions-runner-controller/templates/actionsmetrics.service.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.actionsMetricsServer.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "actions-runner-controller-actions-metrics-server.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller-actions-metrics-server.selectorLabels" . | nindent 4 }}
+{{- if .Values.actionsMetricsServer.service.annotations }}
+  annotations:
+    {{ toYaml .Values.actionsMetricsServer.service.annotations | nindent 4 }}
+{{- end }}
+spec:
+  type: {{ .Values.actionsMetricsServer.service.type }}
+  ports:
+    {{ range $_, $port := .Values.actionsMetricsServer.service.ports -}}
+    - {{ $port | toYaml | nindent 6 }}
+    {{- end }}
+    {{- if .Values.metrics.serviceMonitor }}
+    - name: metrics-port
+      port: {{ .Values.metrics.port }}
+      targetPort: metrics-port
+    {{- end }}
+  selector:
+    {{- include "actions-runner-controller-actions-metrics-server.selectorLabels" . | nindent 4 }}
+  {{- if .Values.actionsMetricsServer.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+    {{- range $ip := .Values.actionsMetricsServer.service.loadBalancerSourceRanges }}
+    - {{ $ip -}}
+    {{- end }}
+  {{- end }}
+{{- end }}

helm/actions-runner-controller/templates/actionsmetrics.serviceaccount.yaml.yml

@@ -0,0 +1,15 @@
+{{- if .Values.actionsMetricsServer.enabled -}}
+{{- if .Values.actionsMetricsServer.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "actions-runner-controller-actions-metrics-server.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+  {{- with .Values.actionsMetricsServer.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}

helm/actions-runner-controller/templates/actionsmetrics.servicemonitor.yaml.yml

@@ -0,0 +1,25 @@
+{{- if and .Values.actionsMetricsServer.enabled .Values.actionsMetrics.serviceMonitor }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+  {{- with .Values.actionsMetricsServer.serviceMonitorLabels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "actions-runner-controller-actions-metrics-server.serviceMonitorName" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpoints:
+    - path: /metrics
+      port: metrics-port
+      {{- if .Values.actionsMetrics.proxy.enabled }}
+      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      scheme: https
+      tlsConfig:
+        insecureSkipVerify: true
+      {{- end }}
+  selector:
+    matchLabels:
+      {{- include "actions-runner-controller-actions-metrics-server.selectorLabels" . | nindent 6 }}
+{{- end }}

helm/actions-runner-controller/templates/auth_proxy_role.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.metrics.proxy.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "actions-runner-controller.authProxyRoleName" . }}
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]
+{{- end }}

helm/actions-runner-controller/templates/auth_proxy_role_binding.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.metrics.proxy.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "actions-runner-controller.authProxyRoleName" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "actions-runner-controller.authProxyRoleName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "actions-runner-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

helm/actions-runner-controller/templates/certificate.yaml

@@ -0,0 +1,26 @@
+{{- if .Values.certManagerEnabled }}
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+# WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "actions-runner-controller.selfsignedIssuerName" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "actions-runner-controller.servingCertName" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  dnsNames:
+  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ .Release.Namespace }}.svc
+  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ .Release.Namespace }}.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: {{ include "actions-runner-controller.selfsignedIssuerName" . }}
+  secretName: {{ include "actions-runner-controller.servingCertName" . }}
+{{- end }}

helm/actions-runner-controller/templates/ci-secret.yaml

@@ -0,0 +1,14 @@
+# This template only exists to facilitate CI testing of the chart, since
+# a secret is expected to be found in the namespace by the controller manager
+{{ if .Values.createDummySecret -}}
+apiVersion: v1
+data:
+  github_token: dGVzdA==
+kind: Secret
+metadata:
+  name: controller-manager
+  {{- if .Values.authSecret.annotations }}
+  annotations:
+    {{ toYaml .Values.authSecret.annotations | nindent 4 }}
+  {{- end }}
+{{- end }}

helm/actions-runner-controller/templates/controller.metrics.service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+  name: {{ include "actions-runner-controller.metricsServiceName" . }}
+  namespace: {{ .Release.Namespace }}
+  {{- with .Values.metrics.serviceAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ports:
+  - name: metrics-port
+    port: {{ .Values.metrics.port }}
+    targetPort: metrics-port
+  selector:
+    {{- include "actions-runner-controller.selectorLabels" . | nindent 4 }}

helm/actions-runner-controller/templates/controller.metrics.serviceMonitor.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.metrics.serviceMonitor }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+  {{- with .Values.metrics.serviceMonitorLabels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "actions-runner-controller.serviceMonitorName" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpoints:
+    - path: /metrics
+      port: metrics-port
+      {{- if .Values.metrics.proxy.enabled }}
+      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      scheme: https
+      tlsConfig:
+        insecureSkipVerify: true
+      {{- end }}
+  selector:
+    matchLabels:
+      {{- include "actions-runner-controller.selectorLabels" . | nindent 6 }}
+{{- end }}

helm/actions-runner-controller/templates/controller.pdb.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+  name: {{ include "actions-runner-controller.pdbName" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  {{- if .Values.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  {{- end  }}
+  {{- if .Values.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+  {{- end  }}
+  selector:
+    matchLabels:
+      {{- include "actions-runner-controller.selectorLabels" . | nindent 6 }}
+{{- end -}}

helm/actions-runner-controller/templates/deployment.yaml

@@ -0,0 +1,213 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "actions-runner-controller.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "actions-runner-controller.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        kubectl.kubernetes.io/default-logs-container: "manager"
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "actions-runner-controller.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "actions-runner-controller.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: "{{ . }}"
+      {{- end }}
+      containers:
+      - args:
+        {{- $metricsHost := .Values.metrics.proxy.enabled | ternary "127.0.0.1" "0.0.0.0" }}
+        {{- $metricsPort := .Values.metrics.proxy.enabled | ternary "8080" .Values.metrics.port }}
+        - "--metrics-addr={{ $metricsHost }}:{{ $metricsPort }}"
+        {{- if .Values.enableLeaderElection }}
+        - "--enable-leader-election"
+        {{- end }}
+        {{- if .Values.leaderElectionId }}
+        - "--leader-election-id={{ .Values.leaderElectionId }}"
+        {{- end }}
+        - "--port={{ .Values.webhookPort }}"
+        - "--sync-period={{ .Values.syncPeriod }}"
+        - "--default-scale-down-delay={{ .Values.defaultScaleDownDelay }}"
+        - "--docker-image={{ .Values.image.dindSidecarRepositoryAndTag }}"
+        - "--runner-image={{ .Values.image.actionsRunnerRepositoryAndTag }}"
+        {{- range .Values.image.actionsRunnerImagePullSecrets }}
+        - "--runner-image-pull-secret={{ . }}"
+        {{- end }}
+        {{- if .Values.dockerRegistryMirror }}
+        - "--docker-registry-mirror={{ .Values.dockerRegistryMirror }}"
+        {{- end }}
+        {{- if .Values.scope.singleNamespace }}
+        - "--watch-namespace={{ default .Release.Namespace .Values.scope.watchNamespace }}"
+        {{- end }}
+        {{- if .Values.logLevel }}
+        - "--log-level={{ .Values.logLevel }}"
+        {{- end }}
+        {{- if .Values.runnerGithubURL  }}
+        - "--runner-github-url={{ .Values.runnerGithubURL }}"
+        {{- end }}
+        {{- if .Values.runner.statusUpdateHook.enabled }}
+        - "--runner-status-update-hook"
+        {{- end }}
+        {{- if .Values.logFormat  }}  
+        - "--log-format={{ .Values.logFormat }}"
+        {{- end }}
+        command:
+        - "/manager"
+        env:
+        {{- if .Values.githubEnterpriseServerURL  }}
+        - name: GITHUB_ENTERPRISE_URL
+          value: {{ .Values.githubEnterpriseServerURL }}
+        {{- end }}
+        {{- if .Values.githubURL  }}
+        - name: GITHUB_URL
+          value: {{ .Values.githubURL }}
+        {{- end }}
+        {{- if .Values.githubUploadURL  }}
+        - name: GITHUB_UPLOAD_URL
+          value: {{ .Values.githubUploadURL }}
+        {{- end }}
+        {{- if .Values.authSecret.enabled }}
+        - name: GITHUB_TOKEN
+          valueFrom:
+            secretKeyRef:
+              key: github_token
+              name: {{ include "actions-runner-controller.secretName" . }}
+              optional: true
+        - name: GITHUB_APP_ID
+          valueFrom:
+            secretKeyRef:
+              key: github_app_id
+              name: {{ include "actions-runner-controller.secretName" . }}
+              optional: true
+        - name: GITHUB_APP_INSTALLATION_ID
+          valueFrom:
+            secretKeyRef:
+              key: github_app_installation_id
+              name: {{ include "actions-runner-controller.secretName" . }}
+              optional: true
+        - name: GITHUB_APP_PRIVATE_KEY
+          valueFrom:
+            secretKeyRef:
+              key: github_app_private_key
+              name: {{ include "actions-runner-controller.secretName" . }}
+              optional: true
+        {{- if .Values.authSecret.github_basicauth_username }}
+        - name: GITHUB_BASICAUTH_USERNAME
+          value: {{ .Values.authSecret.github_basicauth_username }}
+        {{- end }}
+        - name: GITHUB_BASICAUTH_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: github_basicauth_password
+              name: {{ include "actions-runner-controller.secretName" . }}
+              optional: true
+        {{- end }}
+        {{- if kindIs "slice" .Values.env }}
+        {{- toYaml .Values.env | nindent 8 }}
+        {{- else }}
+        {{- range $key, $val := .Values.env }}
+        - name: {{ $key }}
+          value: {{ $val | quote }}
+        {{- end }}
+        {{- end }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (cat "v" .Chart.AppVersion | replace " " "") }}"
+        name: manager
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        ports:
+        - containerPort: {{ .Values.webhookPort }}
+          name: webhook-server
+          protocol: TCP
+        {{- if not .Values.metrics.proxy.enabled }}
+        - containerPort: {{ .Values.metrics.port }}
+          name: metrics-port
+          protocol: TCP
+        {{- end }}
+        resources:
+          {{- toYaml .Values.resources | nindent 12 }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+        volumeMounts:
+        {{- if .Values.authSecret.enabled }}
+        - mountPath: "/etc/actions-runner-controller"
+          name: secret
+          readOnly: true
+        {{- end }}
+        - mountPath: /tmp
+          name: tmp
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+        {{- if .Values.additionalVolumeMounts }}
+          {{- toYaml .Values.additionalVolumeMounts | nindent 8 }} 
+        {{- end }}
+      {{- if .Values.metrics.proxy.enabled }}
+      - args:
+        - "--secure-listen-address=0.0.0.0:{{ .Values.metrics.port }}"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=10"
+        image: "{{ .Values.metrics.proxy.image.repository }}:{{ .Values.metrics.proxy.image.tag }}"
+        name: kube-rbac-proxy
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        ports:
+        - containerPort: {{ .Values.metrics.port }}
+          name: metrics-port
+        resources:
+          {{- toYaml .Values.resources | nindent 12 }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 10
+      volumes:
+      {{- if .Values.authSecret.enabled }}
+      - name: secret
+        secret:
+          secretName: {{ include "actions-runner-controller.secretName" . }}
+      {{- end }}
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: {{ include "actions-runner-controller.servingCertName" . }}
+      - name: tmp
+        emptyDir: {}
+      {{- if .Values.additionalVolumes }}
+        {{- toYaml .Values.additionalVolumes | nindent 6}}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: {{ .Values.hostNetwork }}
+      {{- end }}

helm/actions-runner-controller/templates/githubwebhook.deployment.yaml

@@ -0,0 +1,178 @@
+{{- if .Values.githubWebhookServer.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "actions-runner-controller-github-webhook-server.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.githubWebhookServer.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "actions-runner-controller-github-webhook-server.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.githubWebhookServer.podAnnotations }}
+      annotations:
+        kubectl.kubernetes.io/default-logs-container: "github-webhook-server"
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "actions-runner-controller-github-webhook-server.selectorLabels" . | nindent 8 }}
+      {{- with .Values.githubWebhookServer.podLabels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- with .Values.githubWebhookServer.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "actions-runner-controller-github-webhook-server.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.githubWebhookServer.podSecurityContext | nindent 8 }}
+      {{- with .Values.githubWebhookServer.priorityClassName }}
+      priorityClassName: "{{ . }}"
+      {{- end }}
+      containers:
+      - args:
+        {{- $metricsHost := .Values.metrics.proxy.enabled | ternary "127.0.0.1" "0.0.0.0" }}
+        {{- $metricsPort := .Values.metrics.proxy.enabled | ternary "8080" .Values.metrics.port }}
+        - "--metrics-addr={{ $metricsHost }}:{{ $metricsPort }}"
+        {{- if .Values.githubWebhookServer.logLevel }}
+        - "--log-level={{ .Values.githubWebhookServer.logLevel }}"
+        {{- end }}
+        {{- if .Values.scope.singleNamespace }}
+        - "--watch-namespace={{ default .Release.Namespace .Values.scope.watchNamespace }}"
+        {{- end }}
+        {{- if .Values.runnerGithubURL  }}
+        - "--runner-github-url={{ .Values.runnerGithubURL }}"
+        {{- end }}
+        {{- if .Values.githubWebhookServer.queueLimit }}
+        - "--queue-limit={{ .Values.githubWebhookServer.queueLimit }}"
+        {{- end }}
+        {{- if .Values.githubWebhookServer.logFormat  }}
+        - "--log-format={{ .Values.githubWebhookServer.logFormat }}"
+        {{- end }}
+        command:
+        - "/github-webhook-server"
+        {{- if .Values.githubWebhookServer.lifecycle }}
+        {{- with .Values.githubWebhookServer.lifecycle }}
+        lifecycle:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- end }}
+        env:
+        - name: GITHUB_WEBHOOK_SECRET_TOKEN
+          valueFrom:
+            secretKeyRef:
+              key: github_webhook_secret_token
+              name: {{ include "actions-runner-controller-github-webhook-server.secretName" . }}
+              optional: true
+        {{- if .Values.githubEnterpriseServerURL  }}
+        - name: GITHUB_ENTERPRISE_URL
+          value: {{ .Values.githubEnterpriseServerURL }}
+        {{- end }}
+        {{- if .Values.githubURL  }}
+        - name: GITHUB_URL
+          value: {{ .Values.githubURL }}
+        {{- end }}
+        {{- if .Values.githubUploadURL  }}
+        - name: GITHUB_UPLOAD_URL
+          value: {{ .Values.githubUploadURL }}
+        {{- end }}
+        {{- if and .Values.githubWebhookServer.useRunnerGroupsVisibility .Values.githubWebhookServer.secret.enabled }}
+        - name: GITHUB_TOKEN
+          valueFrom:
+            secretKeyRef:
+              key: github_token
+              name: {{ include "actions-runner-controller.githubWebhookServerSecretName" . }}
+              optional: true
+        - name: GITHUB_APP_ID
+          valueFrom:
+            secretKeyRef:
+              key: github_app_id
+              name: {{ include "actions-runner-controller.githubWebhookServerSecretName" . }}
+              optional: true
+        - name: GITHUB_APP_INSTALLATION_ID
+          valueFrom:
+            secretKeyRef:
+              key: github_app_installation_id
+              name: {{ include "actions-runner-controller.githubWebhookServerSecretName" . }}
+              optional: true
+        - name: GITHUB_APP_PRIVATE_KEY
+          valueFrom:
+            secretKeyRef:
+              key: github_app_private_key
+              name: {{ include "actions-runner-controller.githubWebhookServerSecretName" . }}
+              optional: true
+        {{- if .Values.authSecret.github_basicauth_username }}
+        - name: GITHUB_BASICAUTH_USERNAME
+          value: {{ .Values.authSecret.github_basicauth_username }}
+        {{- end }}
+        - name: GITHUB_BASICAUTH_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: github_basicauth_password
+              name: {{ include "actions-runner-controller.secretName" . }}
+              optional: true
+        {{- end }}
+        {{- if kindIs "slice" .Values.githubWebhookServer.env }}
+        {{- toYaml .Values.githubWebhookServer.env | nindent 8 }}
+        {{- else }}
+        {{- range $key, $val := .Values.githubWebhookServer.env }}
+        - name: {{ $key }}
+          value: {{ $val | quote }}
+        {{- end }}
+        {{- end }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag  | default (cat "v" .Chart.AppVersion | replace " " "") }}"
+        name: github-webhook-server
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        ports:
+        - containerPort: 8000
+          name: http
+          protocol: TCP
+        {{- if not .Values.metrics.proxy.enabled }}
+        - containerPort: {{ .Values.metrics.port }}
+          name: metrics-port
+          protocol: TCP
+        {{- end }}
+        resources:
+          {{- toYaml .Values.githubWebhookServer.resources | nindent 12 }}
+        securityContext:
+          {{- toYaml .Values.githubWebhookServer.securityContext | nindent 12 }}
+      {{- if .Values.metrics.proxy.enabled }}
+      - args:
+        - "--secure-listen-address=0.0.0.0:{{ .Values.metrics.port }}"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=10"
+        image: "{{ .Values.metrics.proxy.image.repository }}:{{ .Values.metrics.proxy.image.tag }}"
+        name: kube-rbac-proxy
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        ports:
+        - containerPort: {{ .Values.metrics.port }}
+          name: metrics-port
+        resources:
+          {{- toYaml .Values.resources | nindent 12 }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+      {{- end }}
+      terminationGracePeriodSeconds: {{ .Values.githubWebhookServer.terminationGracePeriodSeconds }}
+      {{- with .Values.githubWebhookServer.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.githubWebhookServer.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.githubWebhookServer.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.githubWebhookServer.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

helm/actions-runner-controller/templates/githubwebhook.ingress.yaml

@@ -0,0 +1,47 @@
+{{- if .Values.githubWebhookServer.ingress.enabled -}}
+{{- $fullName := include "actions-runner-controller-github-webhook-server.fullname" . -}}
+{{- $svcPort := (index .Values.githubWebhookServer.service.ports 0).port -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+  {{- with .Values.githubWebhookServer.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.githubWebhookServer.ingress.tls }}
+  tls:
+    {{- range .Values.githubWebhookServer.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  {{- with .Values.githubWebhookServer.ingress.ingressClassName }}
+  ingressClassName: {{ . }}
+  {{- end }}
+  rules:
+    {{- range .Values.githubWebhookServer.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- if .extraPaths }}
+          {{- toYaml .extraPaths | nindent 10 }}
+          {{- end }}
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+               name: {{ $fullName }}
+               port:
+                 number: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
+  {{- end }}

helm/actions-runner-controller/templates/githubwebhook.pdb.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.githubWebhookServer.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+  name: {{ include "actions-runner-controller-github-webhook-server.pdbName" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  {{- if .Values.githubWebhookServer.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.githubWebhookServer.podDisruptionBudget.minAvailable }}
+  {{- end  }}
+  {{- if .Values.githubWebhookServer.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.githubWebhookServer.podDisruptionBudget.maxUnavailable }}
+  {{- end  }}
+  selector:
+    matchLabels:
+      {{- include "actions-runner-controller-github-webhook-server.selectorLabels" . | nindent 6 }}
+{{- end -}}

helm/actions-runner-controller/templates/githubwebhook.role.yaml

@@ -0,0 +1,90 @@
+{{- if .Values.githubWebhookServer.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: {{ include "actions-runner-controller-github-webhook-server.roleName" . }}
+rules:
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - horizontalrunnerautoscalers
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - horizontalrunnerautoscalers/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - horizontalrunnerautoscalers/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnersets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerdeployments
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerdeployments/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerdeployments/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+{{- end }}

helm/actions-runner-controller/templates/githubwebhook.role_binding.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.githubWebhookServer.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "actions-runner-controller-github-webhook-server.roleName" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "actions-runner-controller-github-webhook-server.roleName" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "actions-runner-controller-github-webhook-server.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

helm/actions-runner-controller/templates/githubwebhook.secrets.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.githubWebhookServer.enabled }}
+{{- if .Values.githubWebhookServer.secret.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "actions-runner-controller-github-webhook-server.secretName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+type: Opaque
+data:
+{{- if .Values.githubWebhookServer.secret.github_webhook_secret_token }}
+  github_webhook_secret_token: {{ .Values.githubWebhookServer.secret.github_webhook_secret_token | toString | b64enc }}
+{{- end }}
+{{- if .Values.githubWebhookServer.secret.github_app_id }}
+  github_app_id: {{ .Values.githubWebhookServer.secret.github_app_id | toString | b64enc }}
+{{- end }}
+{{- if .Values.githubWebhookServer.secret.github_app_installation_id }}
+  github_app_installation_id: {{ .Values.githubWebhookServer.secret.github_app_installation_id | toString | b64enc }}
+{{- end }}
+{{- if .Values.githubWebhookServer.secret.github_app_private_key }}
+  github_app_private_key: {{ .Values.githubWebhookServer.secret.github_app_private_key | toString | b64enc }}
+{{- end }}
+{{- if .Values.githubWebhookServer.secret.github_token }}
+  github_token: {{ .Values.githubWebhookServer.secret.github_token | toString | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}

helm/actions-runner-controller/templates/githubwebhook.service.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.githubWebhookServer.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "actions-runner-controller-github-webhook-server.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+{{- if .Values.githubWebhookServer.service.annotations }}
+  annotations:
+    {{ toYaml .Values.githubWebhookServer.service.annotations | nindent 4 }}
+{{- end }}
+spec:
+  type: {{ .Values.githubWebhookServer.service.type }}
+  ports:
+    {{ range $_, $port := .Values.githubWebhookServer.service.ports -}}
+    - {{ $port | toYaml | nindent 6 }}
+    {{- end }}
+    {{- if .Values.metrics.serviceMonitor }}
+    - name: metrics-port
+      port: {{ .Values.metrics.port }}
+      targetPort: metrics-port
+    {{- end }}
+  selector:
+    {{- include "actions-runner-controller-github-webhook-server.selectorLabels" . | nindent 4 }}
+  {{- if .Values.githubWebhookServer.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+    {{- range $ip := .Values.githubWebhookServer.service.loadBalancerSourceRanges }}
+    - {{ $ip -}}
+    {{- end }}
+  {{- end }}
+{{- end }}

helm/actions-runner-controller/templates/githubwebhook.serviceMonitor.yaml

@@ -0,0 +1,25 @@
+{{- if and .Values.githubWebhookServer.enabled .Values.metrics.serviceMonitor }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+  {{- with .Values.metrics.serviceMonitorLabels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "actions-runner-controller-github-webhook-server.serviceMonitorName" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpoints:
+    - path: /metrics
+      port: metrics-port
+      {{- if .Values.metrics.proxy.enabled }}
+      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      scheme: https
+      tlsConfig:
+        insecureSkipVerify: true
+      {{- end }}
+  selector:
+    matchLabels:
+      {{- include "actions-runner-controller-github-webhook-server.selectorLabels" . | nindent 6 }}
+{{- end }}

helm/actions-runner-controller/templates/githubwebhook.serviceaccount.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.githubWebhookServer.enabled -}}
+{{- if .Values.githubWebhookServer.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "actions-runner-controller-github-webhook-server.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+  {{- with .Values.githubWebhookServer.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}

helm/actions-runner-controller/templates/leader_election_role.yaml

@@ -0,0 +1,33 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - configmaps/status
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create

helm/actions-runner-controller/templates/leader_election_role_binding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "actions-runner-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}

helm/actions-runner-controller/templates/manager_role.yaml

@@ -0,0 +1,306 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: {{ include "actions-runner-controller.managerRoleName" . }}
+rules:
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - horizontalrunnerautoscalers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - horizontalrunnerautoscalers/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - horizontalrunnerautoscalers/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerdeployments
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerdeployments/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerdeployments/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerreplicasets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerreplicasets/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerreplicasets/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runners
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runners/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runners/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnersets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnersets/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnersets/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - "apps"
+  resources:
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - "apps"
+  resources:
+  - statefulsets/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumes
+  verbs:
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - list
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+{{- if .Values.runner.statusUpdateHook.enabled }}
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - delete
+  - get
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  verbs:
+  - create
+  - delete
+  - get
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  verbs:
+  - create
+  - delete
+  - get
+{{- end }}
+{{- if .Values.rbac.allowGrantingKubernetesContainerModePermissions }}
+{{/* These permissions are required by ARC to create RBAC resources for the runner pod to use the kubernetes container mode. */}}
+{{/* See https://github.com/actions/actions-runner-controller/pull/1268/files#r917331632 */}}
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - pods/log
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - "batch"
+  resources:
+  - jobs
+  verbs:
+  - get
+  - list
+  - create
+  - delete
+{{- end }}

helm/actions-runner-controller/templates/manager_role_binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "actions-runner-controller.managerRoleName" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "actions-runner-controller.managerRoleName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "actions-runner-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}

helm/actions-runner-controller/templates/manager_role_binding_secrets.yaml

@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.scope.singleNamespace }}
+kind: RoleBinding
+{{- else }}
+kind: ClusterRoleBinding
+{{- end }}
+metadata:
+  name: {{ include "actions-runner-controller.managerRoleName" . }}-secrets
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  {{- if .Values.scope.singleNamespace }}
+  kind: Role
+  {{- else }}
+  kind: ClusterRole
+  {{- end }}
+  name: {{ include "actions-runner-controller.managerRoleName" . }}-secrets
+subjects:
+- kind: ServiceAccount
+  name: {{ include "actions-runner-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}

helm/actions-runner-controller/templates/manager_role_secrets.yaml

@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.scope.singleNamespace }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+  creationTimestamp: null
+  name: {{ include "actions-runner-controller.managerRoleName" . }}-secrets
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+{{- if .Values.rbac.allowGrantingKubernetesContainerModePermissions }}
+{{/* These permissions are required by ARC to create RBAC resources for the runner pod to use the kubernetes container mode. */}}
+{{/* See https://github.com/actions/actions-runner-controller/pull/1268/files#r917331632 */}}
+  - create
+  - delete
+{{- end }}

helm/actions-runner-controller/templates/manager_secrets.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.authSecret.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "actions-runner-controller.secretName" . }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.authSecret.annotations }}
+  annotations:
+    {{ toYaml .Values.authSecret.annotations | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+type: Opaque
+data:
+{{- if .Values.authSecret.github_app_id }}
+  # Keep this as a string as strings integrate better with things like AWS Parameter Store, see PR #882 for an example
+  github_app_id: {{ .Values.authSecret.github_app_id | toString | b64enc }}
+{{- end }}
+{{- if .Values.authSecret.github_app_installation_id }}
+  # Keep this as a string as strings integrate better with things like AWS Parameter Store, see PR #882 for an example
+  github_app_installation_id: {{ .Values.authSecret.github_app_installation_id | toString | b64enc }}
+{{- end }}
+{{- if .Values.authSecret.github_app_private_key }}
+  github_app_private_key: {{ .Values.authSecret.github_app_private_key | toString | b64enc }}
+{{- end }}
+{{- if .Values.authSecret.github_token }}
+  github_token: {{ .Values.authSecret.github_token | toString | b64enc }}
+{{- end }}
+{{- if .Values.authSecret.github_basicauth_password }}
+  github_basicauth_password: {{ .Values.authSecret.github_basicauth_password | toString | b64enc }}
+{{- end }}
+{{- end }}

helm/actions-runner-controller/templates/runner_editor_role.yaml

@@ -0,0 +1,26 @@
+# permissions to do edit runners.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "actions-runner-controller.runnerEditorRoleName" . }}
+rules:
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runners
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runners/status
+  verbs:
+  - get
+  - patch
+  - update

helm/actions-runner-controller/templates/runner_viewer_role.yaml

@@ -0,0 +1,20 @@
+# permissions to do viewer runners.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "actions-runner-controller.runnerViewerRoleName" . }}
+rules:
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runners
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runners/status
+  verbs:
+  - get

helm/actions-runner-controller/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "actions-runner-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

helm/actions-runner-controller/templates/webhook_configs.yaml

@@ -0,0 +1,261 @@
+{{/*
+We will use a self managed CA if one is not provided by cert-manager
+*/}}
+{{- $ca := genCA "actions-runner-ca" 3650 }}
+{{- $cert := genSignedCert (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) .Release.Namespace) nil (list (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) .Release.Namespace)) 3650 $ca }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: {{ include "actions-runner-controller.fullname" . }}-mutating-webhook-configuration
+  {{- if .Values.certManagerEnabled }}
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "actions-runner-controller.servingCertName" . }}
+  {{- end }}
+webhooks:
+- admissionReviewVersions:
+  - v1beta1
+  {{- if .Values.scope.singleNamespace }}
+  namespaceSelector:
+    matchLabels:
+      name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+  {{- end }}
+  clientConfig:
+    {{- if .Values.admissionWebHooks.caBundle }}
+    caBundle: {{ quote .Values.admissionWebHooks.caBundle }}
+    {{- else if not .Values.certManagerEnabled }}
+    caBundle: {{ $ca.Cert | b64enc | quote }}
+    {{- end }}
+    service:
+      name: {{ include "actions-runner-controller.webhookServiceName" . }}
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-actions-summerwind-dev-v1alpha1-runner
+  failurePolicy: Fail
+  name: mutate.runner.actions.summerwind.dev
+  rules:
+  - apiGroups:
+    - actions.summerwind.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - runners
+  sideEffects: None
+  timeoutSeconds: {{ .Values.admissionWebHooks.timeoutSeconds | default 10}}
+- admissionReviewVersions:
+  - v1beta1
+  {{- if .Values.scope.singleNamespace }}
+  namespaceSelector:
+    matchLabels:
+      name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+  {{- end }}
+  clientConfig:
+    {{- if .Values.admissionWebHooks.caBundle }}
+    caBundle: {{ quote .Values.admissionWebHooks.caBundle }}
+    {{- else if not .Values.certManagerEnabled }}
+    caBundle: {{ $ca.Cert | b64enc | quote }}
+    {{- end }}
+    service:
+      name: {{ include "actions-runner-controller.webhookServiceName" . }}
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-actions-summerwind-dev-v1alpha1-runnerdeployment
+  failurePolicy: Fail
+  name: mutate.runnerdeployment.actions.summerwind.dev
+  rules:
+  - apiGroups:
+    - actions.summerwind.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - runnerdeployments
+  sideEffects: None
+  timeoutSeconds: {{ .Values.admissionWebHooks.timeoutSeconds | default 10}}
+- admissionReviewVersions:
+  - v1beta1
+  {{- if .Values.scope.singleNamespace }}
+  namespaceSelector:
+    matchLabels:
+      name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+  {{- end }}
+  clientConfig:
+    {{- if .Values.admissionWebHooks.caBundle }}
+    caBundle: {{ quote .Values.admissionWebHooks.caBundle }}
+    {{- else if not .Values.certManagerEnabled }}
+    caBundle: {{ $ca.Cert | b64enc | quote }}
+    {{- end }}
+    service:
+      name: {{ include "actions-runner-controller.webhookServiceName" . }}
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-actions-summerwind-dev-v1alpha1-runnerreplicaset
+  failurePolicy: Fail
+  name: mutate.runnerreplicaset.actions.summerwind.dev
+  rules:
+  - apiGroups:
+    - actions.summerwind.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - runnerreplicasets
+  sideEffects: None
+  timeoutSeconds: {{ .Values.admissionWebHooks.timeoutSeconds | default 10}}
+- admissionReviewVersions:
+  - v1beta1
+  {{- if .Values.scope.singleNamespace }}
+  namespaceSelector:
+    matchLabels:
+      name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+  {{- end }}
+  clientConfig:
+    {{- if .Values.admissionWebHooks.caBundle }}
+    caBundle: {{ quote .Values.admissionWebHooks.caBundle }}
+    {{- else if not .Values.certManagerEnabled }}
+    caBundle: {{ $ca.Cert | b64enc | quote }}
+    {{- end }}
+    service:
+      name: {{ include "actions-runner-controller.webhookServiceName" . }}
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-runner-set-pod
+  failurePolicy: Fail
+  name: mutate-runner-pod.webhook.actions.summerwind.dev
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    resources:
+    - pods
+  sideEffects: None
+  objectSelector:
+    matchLabels:
+      "actions-runner-controller/inject-registration-token": "true"
+  timeoutSeconds: {{ .Values.admissionWebHooks.timeoutSeconds | default 10}}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: {{ include "actions-runner-controller.fullname" . }}-validating-webhook-configuration
+  {{- if .Values.certManagerEnabled }}
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "actions-runner-controller.servingCertName" . }}
+  {{- end }}
+webhooks:
+- admissionReviewVersions:
+  - v1beta1
+  {{- if .Values.scope.singleNamespace }}
+  namespaceSelector:
+    matchLabels:
+      name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+  {{- end }}
+  clientConfig:
+    {{- if .Values.admissionWebHooks.caBundle }}
+    caBundle: {{ quote .Values.admissionWebHooks.caBundle }}
+    {{- else if not .Values.certManagerEnabled }}
+    caBundle: {{ $ca.Cert | b64enc | quote }}
+    {{- end }}
+    service:
+      name: {{ include "actions-runner-controller.webhookServiceName" . }}
+      namespace: {{ .Release.Namespace }}
+      path: /validate-actions-summerwind-dev-v1alpha1-runner
+  failurePolicy: Fail
+  name: validate.runner.actions.summerwind.dev
+  rules:
+  - apiGroups:
+    - actions.summerwind.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - runners
+  sideEffects: None
+  timeoutSeconds: {{ .Values.admissionWebHooks.timeoutSeconds | default 10}}
+- admissionReviewVersions:
+  - v1beta1
+  {{- if .Values.scope.singleNamespace }}
+  namespaceSelector:
+    matchLabels:
+      name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+  {{- end }}
+  clientConfig:
+    {{- if .Values.admissionWebHooks.caBundle }}
+    caBundle: {{ quote .Values.admissionWebHooks.caBundle }}
+    {{- else if not .Values.certManagerEnabled }}
+    caBundle: {{ $ca.Cert | b64enc | quote }}
+    {{- end }}
+    service:
+      name: {{ include "actions-runner-controller.webhookServiceName" . }}
+      namespace: {{ .Release.Namespace }}
+      path: /validate-actions-summerwind-dev-v1alpha1-runnerdeployment
+  failurePolicy: Fail
+  name: validate.runnerdeployment.actions.summerwind.dev
+  rules:
+  - apiGroups:
+    - actions.summerwind.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - runnerdeployments
+  sideEffects: None
+  timeoutSeconds: {{ .Values.admissionWebHooks.timeoutSeconds | default 10}}
+- admissionReviewVersions:
+  - v1beta1
+  {{- if .Values.scope.singleNamespace }}
+  namespaceSelector:
+    matchLabels:
+      name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+  {{- end }}
+  clientConfig:
+    {{- if .Values.admissionWebHooks.caBundle }}
+    caBundle: {{ quote .Values.admissionWebHooks.caBundle }}
+    {{- else if not .Values.certManagerEnabled }}
+    caBundle: {{ $ca.Cert | b64enc | quote }}
+    {{- end }}
+    service:
+      name: {{ include "actions-runner-controller.webhookServiceName" . }}
+      namespace: {{ .Release.Namespace }}
+      path: /validate-actions-summerwind-dev-v1alpha1-runnerreplicaset
+  failurePolicy: Fail
+  name: validate.runnerreplicaset.actions.summerwind.dev
+  rules:
+  - apiGroups:
+    - actions.summerwind.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - runnerreplicasets
+  sideEffects: None
+{{ if not (or (hasKey .Values.admissionWebHooks "caBundle") .Values.certManagerEnabled) }}
+  timeoutSeconds: {{ .Values.admissionWebHooks.timeoutSeconds | default 10}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "actions-runner-controller.servingCertName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ $cert.Cert | b64enc | quote }}
+  tls.key: {{ $cert.Key | b64enc | quote }}
+  ca.crt: {{ $ca.Cert | b64enc | quote }}
+{{- end }}

helm/actions-runner-controller/templates/webhook_service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "actions-runner-controller.webhookServiceName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+  {{- with .Values.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: 443
+      targetPort: {{ .Values.webhookPort }}
+      protocol: TCP
+      name: https
+  selector:
+    {{- include "actions-runner-controller.selectorLabels" . | nindent 4 }}

helm/actions-runner-controller/values.yaml

@@ -0,0 +1,394 @@
+# Default values for actions-runner-controller.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+labels: {}
+
+replicaCount: 1
+
+webhookPort: 9443
+syncPeriod: 1m
+defaultScaleDownDelay: 10m
+
+enableLeaderElection: true
+# Specifies the controller id for leader election.
+# Must be unique if more than one controller installed onto the same namespace.
+#leaderElectionId: "actions-runner-controller"
+
+# The URL of your GitHub Enterprise server, if you're using one.
+#githubEnterpriseServerURL: https://github.example.com
+
+# Override GitHub URLs in case of using proxy APIs
+#githubURL: ""
+#githubUploadURL: ""
+#runnerGithubURL: ""
+
+# Only 1 authentication method can be deployed at a time
+# Uncomment the configuration you are applying and fill in the details
+#
+# If authSecret.enabled=true these values are inherited to actions-runner-controller's controller-manager container's env.
+#
+# Do set authSecret.enabled=false and set env if you want full control over
+# the GitHub authn related envvars of the container.
+# See https://github.com/actions/actions-runner-controller/pull/937 for more details.
+authSecret:
+  enabled: true
+  create: false
+  name: "controller-manager"
+  annotations: {}
+  ### GitHub Apps Configuration
+  ## NOTE: IDs MUST be strings, use quotes
+  #github_app_id: ""
+  #github_app_installation_id: ""
+  #github_app_private_key: |
+  ### GitHub PAT Configuration
+  #github_token: ""
+  ### Basic auth for github API proxy
+  #github_basicauth_username: ""
+  #github_basicauth_password: ""
+
+# http(s) should be specified for dockerRegistryMirror, e.g.: dockerRegistryMirror="https://<your-docker-registry-mirror>"
+dockerRegistryMirror: ""
+image:
+  repository: "summerwind/actions-runner-controller"
+  actionsRunnerRepositoryAndTag: "summerwind/actions-runner:latest"
+  dindSidecarRepositoryAndTag: "docker:dind"
+  pullPolicy: IfNotPresent
+  # The default image-pull secrets name for self-hosted runner container.
+  # It's added to spec.ImagePullSecrets of self-hosted runner pods.
+  actionsRunnerImagePullSecrets: []
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+runner:
+  statusUpdateHook:
+    enabled: false
+
+rbac:
+  {}
+  # # This allows ARC to dynamically create a ServiceAccount and a Role for each Runner pod that uses "kubernetes" container mode,
+  # # by extending ARC's manager role to have the same permissions required by the pod runs the runner agent in "kubernetes" container mode.
+  # # Without this, Kubernetes blocks ARC to create the role to prevent a priviledge escalation.
+  # # See https://github.com/actions/actions-runner-controller/pull/1268/files#r917327010
+  # allowGrantingKubernetesContainerModePermissions: true
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podLabels: {}
+
+podSecurityContext:
+  {}
+  # fsGroup: 2000
+
+securityContext:
+  {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+# Webhook service resource
+service:
+  type: ClusterIP
+  port: 443
+  annotations: {}
+
+# Metrics service resource
+metrics:
+  serviceAnnotations: {}
+  serviceMonitor: false
+  serviceMonitorLabels: {}
+  port: 8443
+  proxy:
+    enabled: true
+    image:
+      repository: quay.io/brancz/kube-rbac-proxy
+      tag: v0.13.1
+
+resources:
+  {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# Only one of minAvailable or maxUnavailable can be set
+podDisruptionBudget:
+  enabled: false
+  # minAvailable: 1
+  # maxUnavailable: 3
+
+# Leverage a PriorityClass to ensure your pods survive resource shortages
+# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+# PriorityClass: system-cluster-critical
+priorityClassName: ""
+
+env:
+  {}
+  # specify additional environment variables for the controller pod.
+  # It's possible to specify either key vale pairs e.g.:
+  # http_proxy: "proxy.com:8080"
+  # https_proxy: "proxy.com:8080"
+  # no_proxy: ""
+
+  # or a list of complete environment variable definitions e.g.:
+  # - name: GITHUB_APP_INSTALLATION_ID
+  #   valueFrom:
+  #     secretKeyRef:
+  #       key: some_key_in_the_secret
+  #       name: some-secret-name
+  #       optional: true
+
+## specify additional volumes to mount in the manager container, this can be used
+## to specify additional storage of material or to inject files from ConfigMaps
+## into the running container
+additionalVolumes: []
+
+## specify where the additional volumes are mounted in the manager container
+additionalVolumeMounts: []
+
+scope:
+  # If true, the controller will only watch custom resources in a single namespace
+  singleNamespace: false
+  # If `scope.singleNamespace=true`, the controller will only watch custom resources in this namespace
+  # The default value is "", which means the namespace of the controller
+  watchNamespace: ""
+
+certManagerEnabled: true
+
+admissionWebHooks:
+  {}
+  #caBundle: "Ci0tLS0tQk...<base64-encoded PEM bundle containing the CA that signed the webhook's serving certificate>...tLS0K"
+
+# There may be alternatives to setting `hostNetwork: true`, see
+# https://github.com/actions/actions-runner-controller/issues/1005#issuecomment-993097155
+#hostNetwork: true
+
+## specify log format for actions runner controller.  Valid options are "text" and "json"
+logFormat: text
+
+githubWebhookServer:
+  enabled: false
+  replicaCount: 1
+  useRunnerGroupsVisibility: false
+  ## specify log format for github webhook server.  Valid options are "text" and "json"
+  logFormat: text
+  secret:
+    enabled: false
+    create: false
+    name: "github-webhook-server"
+    ### GitHub Webhook Configuration
+    github_webhook_secret_token: ""
+    ### GitHub Apps Configuration
+    ## NOTE: IDs MUST be strings, use quotes
+    #github_app_id: ""
+    #github_app_installation_id: ""
+    #github_app_private_key: |
+    ### GitHub PAT Configuration
+    #github_token: ""
+  imagePullSecrets: []
+  nameOverride: ""
+  fullnameOverride: ""
+  serviceAccount:
+    # Specifies whether a service account should be created
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template
+    name: ""
+  podAnnotations: {}
+  podLabels: {}
+  podSecurityContext: {}
+  # fsGroup: 2000
+  securityContext: {}
+  resources: {}
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  priorityClassName: ""
+  service:
+    type: ClusterIP
+    annotations: {}
+    ports:
+      - port: 80
+        targetPort: http
+        protocol: TCP
+        name: http
+        #nodePort: someFixedPortForUseWithTerraformCdkCfnEtc
+    loadBalancerSourceRanges: []
+  ingress:
+    enabled: false
+    ingressClassName: ""
+    annotations: {}
+      # kubernetes.io/ingress.class: nginx
+      # kubernetes.io/tls-acme: "true"
+    hosts:
+      - host: chart-example.local
+        paths: []
+        #  - path: /*
+        #    pathType: ImplementationSpecific
+        # Extra paths that are not automatically connected to the server. This is useful when working with annotation based services.
+        extraPaths: []
+        # - path: /*
+        #   backend:
+        #     serviceName: ssl-redirect
+        #     servicePort: use-annotation
+        ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used)
+        # - path: /*
+        #   pathType: Prefix
+        #   backend:
+        #     service:
+        #       name: ssl-redirect
+        #       port:
+        #         name: use-annotation
+    tls: []
+    #  - secretName: chart-example-tls
+    #    hosts:
+    #      - chart-example.local
+
+  # Only one of minAvailable or maxUnavailable can be set
+  podDisruptionBudget:
+    enabled: false
+    # minAvailable: 1
+    # maxUnavailable: 3
+  # queueLimit: 100
+  terminationGracePeriodSeconds: 10
+  lifecycle: {}
+  # specify additional environment variables for the webhook server pod.
+  # It's possible to specify either key vale pairs e.g.:
+  # my_env_var: "some value"
+  # my_other_env_var: "other value"
+
+  # or a list of complete environment variable definitions e.g.:
+  # - name: GITHUB_WEBHOOK_SECRET_TOKEN
+  #   valueFrom:
+  #     secretKeyRef:
+  #       key: GITHUB_WEBHOOK_SECRET_TOKEN
+  #       name: prod-gha-controller-webhook-token
+  #       optional: true
+  env: {}
+
+actionsMetrics:
+  serviceAnnotations: {}
+  # Set serviceMonitor=true to create a service monitor
+  # as a part of the helm release.
+  # Do note that you also need actionsMetricsServer.enabled=true
+  # to deploy the actions-metrics-server whose k8s service is referenced by the service monitor.
+  serviceMonitor: false
+  serviceMonitorLabels: {}
+  port: 8443
+  proxy:
+    enabled: true
+    image:
+      repository: quay.io/brancz/kube-rbac-proxy
+      tag: v0.13.1
+
+actionsMetricsServer:
+  enabled: false
+  # DO NOT CHANGE THIS!
+  # See the thread below for more context.
+  # https://github.com/actions/actions-runner-controller/pull/1814#discussion_r974758924
+  replicaCount: 1
+  ## specify log format for actions metrics server.  Valid options are "text" and "json"
+  logFormat: text
+  secret:
+    enabled: false
+    create: false
+    name: "actions-metrics-server"
+    ### GitHub Webhook Configuration
+    github_webhook_secret_token: ""
+    ### GitHub Apps Configuration
+    ## NOTE: IDs MUST be strings, use quotes
+    #github_app_id: ""
+    #github_app_installation_id: ""
+    #github_app_private_key: |
+    ### GitHub PAT Configuration
+    #github_token: ""
+  imagePullSecrets: []
+  nameOverride: ""
+  fullnameOverride: ""
+  serviceAccount:
+    # Specifies whether a service account should be created
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template
+    name: ""
+  podAnnotations: {}
+  podLabels: {}
+  podSecurityContext: {}
+  # fsGroup: 2000
+  securityContext: {}
+  resources: {}
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  priorityClassName: ""
+  service:
+    type: ClusterIP
+    annotations: {}
+    ports:
+      - port: 80
+        targetPort: http
+        protocol: TCP
+        name: http
+        #nodePort: someFixedPortForUseWithTerraformCdkCfnEtc
+    loadBalancerSourceRanges: []
+  ingress:
+    enabled: false
+    ingressClassName: ""
+    annotations: {}
+      # kubernetes.io/ingress.class: nginx
+      # kubernetes.io/tls-acme: "true"
+    hosts:
+      - host: chart-example.local
+        paths: []
+        #  - path: /*
+        #    pathType: ImplementationSpecific
+        # Extra paths that are not automatically connected to the server. This is useful when working with annotation based services.
+        extraPaths: []
+        # - path: /*
+        #   backend:
+        #     serviceName: ssl-redirect
+        #     servicePort: use-annotation
+        ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used)
+        # - path: /*
+        #   pathType: Prefix
+        #   backend:
+        #     service:
+        #       name: ssl-redirect
+        #       port:
+        #         name: use-annotation
+    tls: []
+    #  - secretName: chart-example-tls
+    #    hosts:
+    #      - chart-example.local
+  terminationGracePeriodSeconds: 10
+  lifecycle: {}

helm/airflow/.gitignore

@@ -0,0 +1,9 @@
+# User overrides
+config.yaml
+config.yml
+
+# Build dir
+repository
+
+# Never check in tmpcharts
+tmpcharts

helm/airflow/.helmignore

@@ -0,0 +1,42 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+bin
+
+# We do not want to include our Python Helm Chart Unit test files
+tests

helm/airflow/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 12.10.0
+digest: sha256:731562ef1f62ee687121df2d44ff8131a73aa63841f6cac858c30748ad349d55
+generated: "2023-08-25T13:23:48.02337-06:00"

helm/airflow/Chart.yaml

@@ -0,0 +1,137 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# apiVersion v2 is Helm 3
+---
+apiVersion: v2
+name: airflow
+version: 1.11.0-dev
+appVersion: 2.7.1
+description: The official Helm chart to deploy Apache Airflow, a platform to
+  programmatically author, schedule, and monitor workflows
+home: https://airflow.apache.org/
+sources:
+  - https://github.com/apache/airflow
+icon: https://airflow.apache.org/images/airflow_dark_bg.png
+keywords:
+  - apache
+  - airflow
+  - workflow
+  - scheduler
+dependencies:
+  - name: postgresql
+    version: 12.10.0
+    repository: https://charts.bitnami.com/bitnami
+    condition: postgresql.enabled
+maintainers:
+  - email: dev@airflow.apache.org
+    name: Apache Airflow PMC
+type: application
+annotations:
+  artifacthub.io/links: |
+    - name: Documentation
+      url: https://airflow.apache.org/docs/helm-chart/1.8.0/
+  artifacthub.io/screenshots: |
+    - title: DAGs View
+      url: https://airflow.apache.org/docs/apache-airflow/2.7.1/_images/dags.png
+    - title: Datasets View
+      url: https://airflow.apache.org/docs/apache-airflow/2.7.1/_images/datasets.png
+    - title: Grid View
+      url: https://airflow.apache.org/docs/apache-airflow/2.7.1/_images/grid.png
+    - title: Graph View
+      url: https://airflow.apache.org/docs/apache-airflow/2.7.1/_images/graph.png
+    - title: Calendar View
+      url: https://airflow.apache.org/docs/apache-airflow/2.7.1/_images/calendar.png
+    - title: Variable View
+      url: https://airflow.apache.org/docs/apache-airflow/2.7.1/_images/variable_hidden.png
+    - title: Gantt Chart
+      url: https://airflow.apache.org/docs/apache-airflow/2.7.1/_images/gantt.png
+    - title: Task Duration
+      url: https://airflow.apache.org/docs/apache-airflow/2.7.1/_images/duration.png
+    - title: Code View
+      url: https://airflow.apache.org/docs/apache-airflow/2.7.1/_images/code.png
+  artifacthub.io/changes: |
+    - description: Add support for container security context
+      kind: added
+      links:
+      - name: '#31043'
+        url: https://github.com/apache/airflow/pull/31043
+    - description: Validate ``executor`` and ``config.core.executor`` match
+      kind: changed
+      links:
+      - name: '#30693'
+        url: https://github.com/apache/airflow/pull/30693
+    - description: Support ``minAvailable`` property for PodDisruptionBudget
+      kind: changed
+      links:
+      - name: '#30603'
+        url: https://github.com/apache/airflow/pull/30603
+    - description: Add ``volumeMounts`` to dag processor ``waitForMigrations``
+      kind: changed
+      links:
+      - name: '#30990'
+        url: https://github.com/apache/airflow/pull/30990
+    - description: Template extra volumes
+      kind: changed
+      links:
+      - name: '#30773'
+        url: https://github.com/apache/airflow/pull/30773
+    - description: Fix webserver probes timeout and period
+      kind: fixed
+      links:
+      - name: '#30609'
+        url: https://github.com/apache/airflow/pull/30609
+    - description: Add missing ``waitForMigrations`` for workers
+      kind: fixed
+      links:
+      - name: '#31625'
+        url: https://github.com/apache/airflow/pull/31625
+    - description: Add missing ``priorityClassName`` to K8S worker pod template
+      kind: fixed
+      links:
+      - name: '#31328'
+        url: https://github.com/apache/airflow/pull/31328
+    - description: Adding log groomer sidecar to dag processor
+      kind: fixed
+      links:
+      - name: '#30726'
+        url: https://github.com/apache/airflow/pull/30726
+    - description: Do not propagate global security context to statsd and redis
+      kind: fixed
+      links:
+      - name: '#31865'
+        url: https://github.com/apache/airflow/pull/31865
+    - description: 'Misc: Default Airflow version to 2.6.3'
+      kind: changed
+      links:
+      - name: '#31979'
+        url: https://github.com/apache/airflow/pull/31979
+    - description: 'Misc: Use template comments for the chart license header'
+      kind: changed
+      links:
+      - name: '#30569'
+        url: https://github.com/apache/airflow/pull/30569
+    - description: 'Misc: Align ``apiVersion`` and ``kind`` order in chart templates'
+      kind: changed
+      links:
+      - name: '#31850'
+        url: https://github.com/apache/airflow/pull/31850
+    - description: 'Misc: Cleanup Kubernetes < 1.23 support'
+      kind: changed
+      links:
+      - name: '#31847'
+        url: https://github.com/apache/airflow/pull/31847

helm/airflow/INSTALL

@@ -0,0 +1,14 @@
+## INSTALL / BUILD instructions for Apache Airflow Chart
+
+# The Assumption here is that you have a running Kubernetes cluster
+# and helm installed & configured to talk with the cluster
+
+# Run `helm install` Command
+helm install airflow .
+
+# If you want to install in a particular namespace
+## Create that namespace (example 'airflow' here, change it as needed)
+kubectl create namespace airflow
+
+## Install the chart in that namespace
+helm install airflow -n airflow .

helm/airflow/LICENSE

@@ -0,0 +1,201 @@
+                              Apache License
+                        Version 2.0, January 2004
+                     http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+       Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+       stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+       that You distribute, all copyright, patent, trademark, and
+       attribution notices from the Source form of the Work,
+       excluding those notices that do not pertain to any part of
+       the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+       distribution, then any Derivative Works that You distribute must
+       include a readable copy of the attribution notices contained
+       within such NOTICE file, excluding those notices that do not
+       pertain to any part of the Derivative Works, in at least one
+       of the following places: within a NOTICE text file distributed
+       as part of the Derivative Works; within the Source form or
+       documentation, if provided along with the Derivative Works; or,
+       within a display generated by the Derivative Works, if and
+       wherever such third-party notices normally appear. The contents
+       of the NOTICE file are for informational purposes only and
+       do not modify the License. You may add Your own attribution
+       notices within Derivative Works that You distribute, alongside
+       or as an addendum to the NOTICE text from the Work, provided
+       that such additional attribution notices cannot be construed
+       as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+   To apply the Apache License to your work, attach the following
+   boilerplate notice, with the fields enclosed by brackets "[]"
+   replaced with your own identifying information. (Don't include
+   the brackets!)  The text should be enclosed in the appropriate
+   comment syntax for the file format. We also recommend that a
+   file or class name and description of purpose be included on the
+   same "printed page" as the copyright notice for easier
+   identification within third-party archives.
+
+Copyright [yyyy] [name of copyright owner]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

helm/airflow/NOTICE

@@ -0,0 +1,17 @@
+Apache Airflow
+Copyright 2016-2021 The Apache Software Foundation
+
+This product includes software developed at The Apache Software
+Foundation (http://www.apache.org/).
+=======================================================================
+
+postgresql:
+-----
+This product contains vendored-in postgresql Helm chart.
+
+Copyright © 2022 Bitnami
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

helm/airflow/README.md

@@ -0,0 +1,63 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+ -->
+
+# Helm Chart for Apache Airflow
+
+[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/apache-airflow)](https://artifacthub.io/packages/search?repo=apache-airflow)
+
+[Apache Airflow](https://airflow.apache.org/) is a platform to programmatically author, schedule and monitor workflows.
+
+## Introduction
+
+This chart will bootstrap an [Airflow](https://airflow.apache.org) deployment on a [Kubernetes](http://kubernetes.io)
+cluster using the [Helm](https://helm.sh) package manager.
+
+## Requirements
+
+- Kubernetes 1.24+ cluster
+- Helm 3.0+
+- PV provisioner support in the underlying infrastructure (optionally)
+
+## Features
+
+* Supported executors: ``LocalExecutor``, ``CeleryExecutor``, ``KubernetesExecutor``, ``LocalKubernetesExecutor``, ``CeleryKubernetesExecutor``
+* Supported Airflow version: ``1.10+``, ``2.0+``
+* Supported database backend: ``PostgresSQL``, ``MySQL``
+* Autoscaling for ``CeleryExecutor`` provided by KEDA
+* PostgreSQL and PgBouncer with a battle-tested configuration
+* Monitoring:
+   * StatsD/Prometheus metrics for Airflow
+   * Prometheus metrics for PgBouncer
+   * Flower
+* Automatic database migration after a new deployment
+* Administrator account creation during deployment
+* Kerberos secure configuration
+* One-command deployment for any type of executor. You don't need to provide other services e.g. Redis/Database to test the Airflow.
+
+## Documentation
+
+Full documentation for Helm Chart (latest **stable** release) lives [on the website](https://airflow.apache.org/docs/helm-chart/).
+
+> Note: If you're looking for documentation for main branch (latest development branch): you can find it on [s.apache.org/airflow-docs/](http://apache-airflow-docs.s3-website.eu-central-1.amazonaws.com/docs/helm-chart/latest/index.html).
+> Source code for documentation is in [../docs/helm-chart](https://github.com/apache/airflow/tree/main/docs/helm-chart)
+>
+
+## Contributing
+
+Want to help build Apache Airflow? Check out our [contributing documentation](https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst).

helm/airflow/RELEASE_NOTES.rst

@@ -0,0 +1,749 @@
+ .. Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+ ..   http://www.apache.org/licenses/LICENSE-2.0
+
+ .. Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+.. contents:: Apache Airflow Helm Chart Releases
+   :local:
+   :depth: 1
+
+Run ``helm repo update`` before upgrading the chart to the latest version.
+
+.. towncrier release notes start
+
+
+Airflow Helm Chart 1.10.0 (2023-06-26)
+--------------------------------------
+
+Significant Changes
+^^^^^^^^^^^^^^^^^^^
+
+Default Airflow image is updated to ``2.6.2`` (#31979)
+""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+The default Airflow image that is used with the Chart is now ``2.6.2``, previously it was ``2.5.3``.
+
+New Features
+^^^^^^^^^^^^
+
+- Add support for container security context (#31043)
+
+Improvements
+^^^^^^^^^^^^
+
+- Validate ``executor`` and ``config.core.executor`` match (#30693)
+- Support ``minAvailable`` property for PodDisruptionBudget (#30603)
+- Add ``volumeMounts`` to dag processor ``waitForMigrations`` (#30990)
+- Template extra volumes (#30773)
+
+Bug Fixes
+^^^^^^^^^
+
+- Fix webserver probes timeout and period (#30609)
+- Add missing ``waitForMigrations`` for workers (#31625)
+- Add missing ``priorityClassName`` to K8S worker pod template (#31328)
+- Adding log groomer sidecar to dag processor (#30726)
+- Do not propagate global security context to statsd and redis (#31865)
+
+Misc
+^^^^
+
+- Default Airflow version to 2.6.2 (#31979)
+- Use template comments for the chart license header (#30569)
+- Align ``apiVersion`` and ``kind`` order in chart templates (#31850)
+- Cleanup Kubernetes < 1.23 support (#31847)
+
+Airflow Helm Chart 1.9.0 (2023-04-14)
+-------------------------------------
+
+Significant Changes
+^^^^^^^^^^^^^^^^^^^
+
+Default PgBouncer and PgBouncer Exporter images have been updated (#29919)
+""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+The PgBouncer and PgBouncer Exporter images are based on newer software/os. They are also multi-platform AMD/ARM images:
+
+  * ``pgbouncer``: 1.16.1 based on alpine 3.14 (``airflow-pgbouncer-2023.02.24-1.16.1``)
+  * ``pgbouncer-exporter``: 0.14.0 based on alpine 3.17 (``apache/airflow:airflow-pgbouncer-exporter-2023.02.21-0.14.0``)
+
+Default Airflow image is updated to ``2.5.3`` (#30411)
+""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+The default Airflow image that is used with the Chart is now ``2.5.3``, previously it was ``2.5.1``.
+
+New Features
+^^^^^^^^^^^^
+
+- Add support for ``hostAliases`` for Airflow webserver and scheduler (#30051)
+- Add support for annotations on StatsD Deployment and cleanup CronJob (#30126)
+- Add support for annotations in logs PVC (#29270)
+- Add support for annotations in extra ConfigMap and Secrets (#30303)
+- Add support for pod annotations to PgBouncer (#30168)
+- Add support for ``ttlSecondsAfterFinished`` on ``migrateDatabaseJob`` and ``createUserJob`` (#29314)
+- Add support for using SHA digest of Docker images (#30214)
+
+Improvements
+^^^^^^^^^^^^
+
+- Template extra volumes in Helm Chart (#29357)
+- Make Liveness/Readiness Probe timeouts configurable for PgBouncer Exporter (#29752)
+- Enable individual trigger logging (#29482)
+
+Bug Fixes
+^^^^^^^^^
+
+- Add ``config.kubernetes_executor`` to values (#29818)
+- Block extra properties in image config (#30217)
+- Remove replicas if KEDA is enabled (#29838)
+- Mount ``kerberos.keytab`` to worker when enabled (#29526)
+- Fix adding annotations for dag persistence PVC (#29622)
+- Fix ``bitnami/postgresql`` default username and password (#29478)
+- Add global volumes in pod template file (#29295)
+- Add log groomer sidecar to triggerer service (#29392)
+- Helm deployment fails when ``postgresql.nameOverride`` is used (#29214)
+
+Doc only changes
+^^^^^^^^^^^^^^^^
+
+- Add gitSync optional env description (#29378)
+- Add webserver NodePort example (#29460)
+- Include Rancher in Helm chart install instructions (#28416)
+- Change RSA SSH host key to reflect update from Github (#30286)
+
+Misc
+^^^^
+
+- Update Airflow version to 2.5.3 (#30411)
+- Switch to newer versions of PgBouncer and PgBouncer Exporter in chart (#29919)
+- Reformat chart templates (#29917)
+- Reformat chart templates part 2 (#29941)
+- Reformat chart templates part 3 (#30312)
+- Replace deprecated k8s registry references (#29938)
+- Fix ``airflow_dags_mount`` formatting (#29296)
+- Fix ``webserver.service.ports`` formatting (#29297)
+
+Airflow Helm Chart 1.8.0 (2023-02-06)
+-------------------------------------
+
+Significant Changes
+^^^^^^^^^^^^^^^^^^^
+
+``bitnami/postgresql`` subchart updated to ``12.1.9`` (#29071)
+""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+The version of postgresql installed is still version 11.
+
+If you are upgrading an existing helm release with the built-in postgres database, you will either need to delete your release and reinstall fresh, or manually delete these 2 objects:
+
+.. code-block::
+
+    kubectl delete secret {RELEASE_NAME}-postgresql
+    kubectl delete statefulset {RELEASE_NAME}-postgresql
+
+As a reminder, it is recommended to `set up an external database <https://airflow.apache.org/docs/helm-chart/stable/production-guide.html#database>`_ in production.
+
+This version of the chart uses different variable names for setting usernames and passwords in the postgres database.
+
+- ``postgresql.auth.enablePostgresUser`` is used to determine if the "postgres" admin account will be created.
+- ``postgresql.auth.postgresPassword`` sets the password for the "postgres" user.
+- ``postgresql.auth.username`` and ``postrgesql.auth.password`` are used to set credentials for a non-admin account if desired.
+- ``postgresql.postgresqlUsername`` and ``postgresql.postresqlPassword``, which were used in the previous version of the chart, are no longer used.
+
+Users will need to make those changes in their values files if they are changing the Postgres configuration.
+
+Previously the subchart version was ``10.5.3``.
+
+Default ``dags.gitSync.wait`` reduced to ``5`` seconds (#27625)
+"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+The default for ``dags.gitSync.wait`` has been reduced from ``60`` seconds to ``5`` seconds to reduce the likelihood of DAGs
+becoming inconsistent between Airflow components. This will, however, increase traffic to the remote git repository.
+
+Default Airflow image is updated to ``2.5.1`` (#29074)
+""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+The default Airflow image that is used with the Chart is now ``2.5.1``, previously it was ``2.4.1``.
+
+Default git-sync image is updated to ``3.6.3`` (#27848)
+"""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+The default git-sync image that is used with the Chart is now ``3.6.3``, previously it was ``3.4.0``.
+
+Default redis image is updated to ``7-bullseye`` (#27443)
+"""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+The default redis image that is used with the Chart is now ``7-bullseye``, previously it was ``6-bullseye``.
+
+New Features
+^^^^^^^^^^^^
+
+- Add annotations on deployments (#28688)
+- Add global volume & volumeMounts to the chart (#27781)
+
+Improvements
+^^^^^^^^^^^^
+
+- Add support for ``webserverConfigConfigMapName`` (#27419)
+- Enhance chart to allow overriding command-line args to statsd exporter (#28041)
+- Add support for NodePort in Services (#26945)
+- Add worker log-groomer-sidecar enable option (#27178)
+- Add HostAliases to Pod template file (#27544)
+- Allow PgBouncer replicas to be configurable (#27439)
+
+Bug Fixes
+^^^^^^^^^
+
+- Create scheduler service to serve task logs for LocalKubernetesExecutor (#28828)
+- Fix NOTES.txt to show correct URL (#28264)
+- Add worker service account for LocalKubernetesExecutor (#28813)
+- Remove checks for 1.19 api checks (#28461)
+- Add airflow_local_settings to all airflow containers (#27779)
+- Make custom env vars optional for job templates (#27148)
+- Decrease default gitSync wait (#27625)
+- Add ``extraVolumeMounts`` to sidecars too (#27420)
+- Fix PgBouncer after PostgreSQL subchart upgrade (#29207)
+
+Doc only changes
+^^^^^^^^^^^^^^^^
+
+- Enhance production guide with a few Argo specific guidelines (#29078)
+- Add doc note about Pod template images (#29032)
+- Update production guide db section (#28610)
+- Fix to LoadBalancer snippet (#28014)
+- Fix gitSync example code (#28083)
+- Correct repo example for cloning via ssh (#27671)
+
+Misc
+^^^^
+
+- Update Airflow version to 2.5.1 (#29074)
+- Update git-sync to 3.6.3 (#27848)
+- Upgrade ``bitnami/postgresql`` subchart to 12.1.9 (#29071)
+- Update redis to 7 (#27443)
+- Replace helm chart icon (#27704)
+
+Airflow Helm Chart 1.7.0 (2022-10-14)
+-------------------------------------
+
+Significant Changes
+^^^^^^^^^^^^^^^^^^^
+
+Default Airflow image is updated to ``2.4.1`` (#26485)
+""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+The default Airflow image that is used with the Chart is now ``2.4.1``, previously it was ``2.3.2``.
+
+New Features
+^^^^^^^^^^^^
+
+- Make cleanup job history configurable (#26838)
+- Added labels to specific Airflow components (#25031)
+- Add StatsD ``overrideMappings`` in Helm chart values (#26598)
+- Adding ``podAnnotations`` to StatsD deployment template (#25732)
+- Container specific extra environment variables (#24784)
+- Custom labels for extra Secrets and ConfigMaps (#25283)
+- Add ``revisionHistoryLimit`` to all deployments (#25059)
+- Adding ``podAnnotations`` to Redis StatefulSet (#23708)
+- Provision Standalone Dag Processor (#23711)
+- Add configurable scheme for webserver probes (#22815)
+- Add support for KEDA HPA config to Helm chart (#24220)
+
+Improvements
+^^^^^^^^^^^^
+
+- Add 'executor' label to Airflow scheduler deployment (#25684)
+- Add default ``flower_url_prefix`` in Helm chart values (#26415)
+- Add liveness probe to Celery workers (#25561)
+- Use ``sql_alchemy_conn`` for celery result backend when ``result_backend`` is not set (#24496)
+
+Bug Fixes
+^^^^^^^^^
+
+- Fix pod template ``imagePullPolicy`` (#26423)
+- Do not declare a volume for ``sshKeySecret`` if dag persistence is enabled (#22913)
+- Pass worker annotations to generated pod template (#24647)
+- Fix semver compare number for ``jobs check`` command (#24480)
+- Use ``--local`` flag for liveness probes in Airflow 2.5+ (#24999)
+
+Doc only changes
+^^^^^^^^^^^^^^^^
+
+- Improve documentation on helm hooks disabling (#26747)
+- Remove ``ssh://`` prefix from git repo value (#26632)
+- Fix ``defaultAirflowRepository`` comment (#26428)
+- Baking DAGs into Docker image (#26401)
+- Reload pods when using the same DAG tag (#24576)
+- Minor clarifications about ``result_backend``, dag processor, and ``helm uninstall`` (#24929)
+- Add hyperlinks to GitHub PRs for Release Notes (#24532)
+- Terraform should not use Helm hooks for starting jobs (#26604)
+- Flux should not use Helm hooks for starting jobs (#24288)
+- Provide details on how to pull Airflow image from a private repository (#24394)
+- Helm logo no longer a link (#23977)
+- Document LocalKubernetesExecutor support in chart (#23876)
+- Update Production Guide (#23836)
+
+Misc
+^^^^
+
+- Default Airflow version to 2.4.1 (#26485)
+- Vendor in the Bitnami chart (#24395)
+- Remove kubernetes 1.20 support (#25871)
+
+
+Airflow Helm Chart 1.6.0 (2022-05-20)
+-------------------------------------
+
+Significant Changes
+^^^^^^^^^^^^^^^^^^^
+
+Default Airflow image is updated to ``2.3.0`` (#23386)
+""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+The default Airflow image that is used with the Chart is now ``2.3.0``, previously it was ``2.2.4``.
+
+``ingress.enabled`` is deprecated
+"""""""""""""""""""""""""""""""""
+
+Instead of having a single flag to control ingress resources for both the webserver and flower, there
+are now separate flags to control them individually, ``ingress.web.enabled`` and ``ingress.flower.enabled``.
+``ingress.enabled`` is now deprecated, but will still continue to control them both.
+
+Flower disabled by default
+""""""""""""""""""""""""""
+
+Flower is no longer enabled by default when using CeleryExecutor. If you'd like to deploy it, set
+``flower.enabed`` to true in your values file.
+
+New Features
+^^^^^^^^^^^^
+
+- Support ``annotations`` on ``volumeClaimTemplates`` (#23433)
+- Add support for ``topologySpreadConstraints`` to Helm Chart (#22712)
+- Helm support for LocalKubernetesExecutor (#22388)
+- Add ``securityContext`` config for Redis to Helm chart (#22182)
+- Allow ``annotations`` on Helm DAG PVC (#22261)
+- enable optional ``subPath`` for DAGs volume mount (#22323)
+- Added support to override ``auth_type`` in ``auth_file`` in PgBouncer Helm configuration (#21999)
+- Add ``extraVolumeMounts`` to Flower (#22414)
+- Add webserver ``PodDisruptionBudget`` (#21735)
+
+Improvements
+^^^^^^^^^^^^
+
+- Ensure the messages from migration job show up early (#23479)
+- Allow migration jobs and init containers to be optional (#22195)
+- Use jobs check command for liveness probe check in Airflow 2 (#22143)
+
+Doc only changes
+^^^^^^^^^^^^^^^^
+
+- Adds ``resultBackendSecretName`` warning in Helm production docs (#23307)
+
+Misc
+^^^^
+
+- Update default Airflow version to ``2.3.0`` (#23386)
+- Move the database configuration to a new section (#22284)
+- Disable flower in chart by default (#23737)
+
+
+Airflow Helm Chart 1.5.0, (2022-03-07)
+--------------------------------------
+
+Significant changes
+^^^^^^^^^^^^^^^^^^^
+
+Default Airflow image is updated to ``2.2.4``
+"""""""""""""""""""""""""""""""""""""""""""""
+
+The default Airflow image that is used with the Chart is now ``2.2.4``, previously it was ``2.2.3``.
+
+Removed ``config.api``
+""""""""""""""""""""""
+
+This section configured the authentication backend for the Airflow API but used the same values as the Airflow default setting, which made it unnecessary to
+declare the same again.
+
+New Features
+^^^^^^^^^^^^
+
+- Add support for custom command and args in jobs (#20864)
+- Support for ``priorityClassName`` (#20794)
+- Add ``envFrom`` to the Flower deployment (#21401)
+- Add annotations to cleanup pods (#21484)
+
+Improvements
+^^^^^^^^^^^^
+
+- Speedup liveness probe for scheduler and triggerer (#20833, #21108)
+- Update git-sync to v3.4.0 (#21309)
+- Remove default auth backend setting (#21640)
+
+Bug Fixes
+^^^^^^^^^
+
+- Fix elasticsearch URL when username/password are empty (#21222)
+- Mount ``airflow.cfg`` in wait-for-airflow-migrations containers (#20609)
+- Grant pod log reader to triggerer ServiceAccount (#21111)
+
+Doc only changes
+^^^^^^^^^^^^^^^^
+
+- Simplify chart docs for configuring Airflow (#21747)
+- Add extra information about time synchronization needed (#21685)
+- Fix extra containers docs (#20787)
+
+Misc
+^^^^
+
+- Use ``2.2.4`` as default Airflow version (#21745)
+- Change Redis image to bullseye (#21875)
+
+Airflow Helm Chart 1.4.0, (2022-01-10)
+--------------------------------------
+
+Significant changes
+^^^^^^^^^^^^^^^^^^^
+
+Default Airflow image is updated to ``2.2.3``
+"""""""""""""""""""""""""""""""""""""""""""""
+
+The default Airflow image that is used with the Chart is now ``2.2.3``, previously it was ``2.2.1``.
+
+``ingress.web.hosts`` and ``ingress.flower.hosts`` parameters data type has changed and ``ingress.web.tls`` and ``ingress.flower.tls`` have moved
+"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+``ingress.web.hosts`` and ``ingress.flower.hosts`` have had their types have been changed from an array of strings to an array of objects. ``ingress.web.tls`` and ``ingress.flower.tls`` can now be specified per host in ``ingress.web.hosts`` and ``ingress.flower.hosts`` respectively.
+
+The old parameter names will continue to work, however support for them will be removed in a future release so please update your values file.
+
+Fixed precedence of ``nodeSelector``, ``affinity`` and ``tolerations`` params
+"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+``nodeSelector``, ``affinity`` and ``tolerations`` params precedence has been fixed on all components. Now component-specific params
+(e.g. ``webserver.affinity``) takes precedence over the global param (e.g. ``affinity``).
+
+Default ``KubernetesExecutor`` worker affinity removed
+""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+Previously a default affinity was added to ``KubernetesExecutor`` workers to spread the workers out across nodes. This default affinity is no
+longer set because, in general, there is no reason to spread task-specific workers across nodes.
+
+Changes in webserver and flower ``NetworkPolicy`` default ports
+"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+The defaults for ``webserver.networkPolicy.ingress.ports`` and ``flower.networkPolicy.ingress.ports`` moved away from using named ports to numerical ports to avoid issues with OpenShift.
+
+Increase default ``livenessProbe`` ``timeoutSeconds`` for scheduler and triggerer
+"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+The default timeout for the scheduler and triggerer ``livenessProbe`` has been increased from 10 seconds to 20 seconds.
+
+New Features
+^^^^^^^^^^^^
+
+- Add ``type`` to extra secrets param (#20599)
+- Support elasticsearch connection ``scheme`` (#20564)
+- Allows to disable built-in secret variables individually (#18974)
+- Add support for ``securityContext`` (#18249)
+- Add extra containers, volumes and volume mounts for jobs (#18808)
+- Allow ingress multiple hostnames w/diff secrets (#18542)
+- PgBouncer extra volumes, volume mounts, and ``sslmode`` (#19749)
+- Allow specifying kerberos keytab (#19054)
+- Allow disabling the Helm hooks (#18776, #20018)
+- Add ``migration-wait-timeout`` (#20069)
+
+Improvements
+^^^^^^^^^^^^
+
+- Increase default ``livenessProbe`` timeout (#20698)
+- Strict schema for k8s objects for values.yaml (#19181)
+- Remove unnecessary ``pod_template_file`` defaults (#19690)
+- Use built-in ``check-migrations`` command for Airflow>=2 (#19676)
+
+Bug Fixes
+^^^^^^^^^
+
+- Fix precedence of ``affinity``, ``nodeSelector``, and ``tolerations`` (#20641)
+- Fix chart elasticsearch default port 80 to 9200. (#20616)
+- Fix network policy issue for webserver and flower ui (#20199)
+- Use local definitions for k8s schema validation (#20544)
+- Add custom labels for ingresses/PVCs (#20535)
+- Fix extra secrets/configmaps labels (#20464)
+- Fix flower restarts on update (#20316)
+- Properly quote namespace names (#20266)
+
+Doc only changes
+^^^^^^^^^^^^^^^^
+
+- Add ``helm dependency update`` step to chart INSTALL (#20702)
+- Reword section covering the envvar secrets (#20566)
+- Add "Customizing Workers" page (#20331)
+- Include Datadog example in production guide (#17996)
+- Update production Helm guide database section to use k8s secret (#19892)
+- Fix ``multiNamespaceMode`` docs to also cover KPO (#19879)
+- Clarify Helm behaviour when it comes to loading default connections (#19708)
+
+Misc
+^^^^
+
+- Use ``2.2.3`` as default Airflow version (#20450)
+- Add ArtifactHUB annotations for docs and screenshots (#20558)
+- Add kubernetes 1.21 support (#19557)
+
+Airflow Helm Chart 1.3.0 (2021-11-08)
+-------------------------------------
+
+Significant changes
+^^^^^^^^^^^^^^^^^^^
+
+Default Airflow image is updated to ``2.2.1``
+"""""""""""""""""""""""""""""""""""""""""""""
+
+The default Airflow image that is used with the Chart is now ``2.2.1`` (which is Python ``3.7``), previously it was ``2.1.4`` (which is Python ``3.6``).
+
+The triggerer component requires Python ``3.7``. If you require Python ``3.6`` and Airflow ``2.2.0`` or later, use a ``3.6`` based image and set ``triggerer.enabled=False`` in your values.
+
+Resources made configurable for ``airflow-run-airflow-migrations`` job
+""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+Now it's possible to set resources requests and limits for migration job through ``migrateDatabaseJob.resources`` value.
+
+New Features
+^^^^^^^^^^^^
+
+- Chart: Add resources for ``cleanup`` and ``createuser`` jobs (#19263)
+- Chart: Add labels to jobs created by cleanup pods (#19225)
+- Add migration job resources (#19175)
+- Allow custom pod annotations to all components (#18481)
+- Chart: Make PgBouncer cmd/args configurable (#18910)
+- Chart: Use python 3.7 by default; support disabling triggerer (#18920)
+
+Improvements
+^^^^^^^^^^^^
+
+- Chart: Increase default liveness probe timeout (#19003)
+- Chart: Mount DAGs in triggerer (#18753)
+
+Bug Fixes
+^^^^^^^^^
+
+- Allow Airflow UI to create worker pod via Clear > Run (#18272)
+- Allow Airflow standard images to run in OpenShift utilizing the official Helm chart #18136 (#18147)
+
+Doc only changes
+^^^^^^^^^^^^^^^^
+
+- Chart: Fix ``extraEnvFrom`` examples (#19144)
+- Chart docs: Update webserver secret key reference configuration (#18595)
+- Fix helm chart links in source install guide (#18588)
+
+Misc
+^^^^
+
+- Chart: Update default Airflow version to ``2.2.1`` (#19326)
+- Modernize dockerfiles builds (#19327)
+- Chart: Use strict k8s schemas for template validation (#19379)
+
+Airflow Helm Chart 1.2.0 (2021-09-28)
+-------------------------------------
+
+Significant Changes
+^^^^^^^^^^^^^^^^^^^
+
+``ingress.web.host`` and ``ingress.flower.host`` parameters have been renamed and data type changed
+"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+``ingress.web.host`` and ``ingress.flower.host`` parameters have been renamed to ``ingress.web.hosts`` and ``ingress.flower.hosts``, respectively. Their types have been changed from a string to an array of strings.
+
+The old parameter names will continue to work, however support for them will be removed in a future release so please update your values file.
+
+Default Airflow version is updated to ``2.1.4``
+"""""""""""""""""""""""""""""""""""""""""""""""
+
+The default Airflow version that is installed with the Chart is now ``2.1.4``, previously it was ``2.1.2``.
+
+Removed ``ingress.flower.precedingPaths`` and ``ingress.flower.succeedingPaths`` parameters
+"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+``ingress.flower.precedingPaths`` and ``ingress.flower.succeedingPaths`` parameters have been removed as they had previously had no effect on rendered YAML output.
+
+Change of default ``path`` on Ingress
+"""""""""""""""""""""""""""""""""""""
+
+With the move to support the stable Kubernetes Ingress API the default path has been changed from being unset to ``/``. For most Ingress controllers this should not change the behavior of the resulting Ingress resource.
+
+New Features
+^^^^^^^^^^^^
+
+- Add Triggerer to Helm Chart (#17743)
+- Chart: warn when webserver secret key isn't set (#18306)
+- add ``extraContainers`` for ``migrateDatabaseJob`` (#18379)
+- Labels on job templates (#18403)
+- Chart: Allow running and waiting for DB Migrations using default image (#18218)
+- Chart: Make cleanup cronjob cmd/args configurable (#17970)
+- Chart: configurable number of retention days for log groomers (#17764)
+- Chart: Add ``loadBalancerSourceRanges`` in webserver and flower services (#17666)
+- Chart: Support ``extraContainers`` in k8s workers (#17562)
+
+
+Improvements
+^^^^^^^^^^^^
+
+- Switch to latest version of PGBouncer-Exporter (#18429)
+- Chart: Ability to access http k8s via multiple hostnames (#18257)
+- Chart: Use stable API versions where available (#17211)
+- Chart: Allow ``podTemplate`` to be templated (#17560)
+
+Bug Fixes
+^^^^^^^^^
+
+- Chart: Fix applying ``labels`` on Triggerer (#18299)
+- Fixes warm shutdown for celery worker. (#18068)
+- Chart: Fix minor Triggerer issues (#18105)
+- Chart: fix webserver secret key update (#18079)
+- Chart: fix running with ``uid`` ``0`` (#17688)
+- Chart: use ServiceAccount template for log reader RoleBinding (#17645)
+- Chart: Fix elasticsearch-secret template port default function (#17428)
+- KEDA task count query should ignore k8s queue (#17433)
+
+Doc only changes
+^^^^^^^^^^^^^^^^
+
+- Chart Doc: Delete extra space in adding connections doc (#18424)
+- Improves installing from sources pages for all components (#18251)
+- Chart docs: Format ``loadBalancerSourceRanges`` using code-block (#17763)
+- Doc: Fix a broken link in an ssh-related warning message (#17294)
+- Chart: Add instructions to Update Helm Repo before upgrade (#17282)
+- Chart docs: better note for logs existing PVC permissions (#17177)
+
+Misc
+^^^^
+
+- Chart: Update the default Airflow version to ``2.1.4`` (#18354)
+
+Airflow Helm Chart 1.1.0 (2021-07-26)
+-------------------------------------
+
+Significant Changes
+^^^^^^^^^^^^^^^^^^^
+
+Run ``helm repo update`` before upgrading the chart to the latest version.
+
+Default Airflow version is updated to ``2.1.2``
+"""""""""""""""""""""""""""""""""""""""""""""""
+
+The default Airflow version that is installed with the Chart is now ``2.1.2``, previously it was ``2.0.2``.
+
+Helm 2 no longer supported
+""""""""""""""""""""""""""
+
+This chart has dropped support for `Helm 2 as it has been deprecated <https://helm.sh/blog/helm-v2-deprecation-timeline/>`__ and no longer receiving security updates since November 2020.
+
+``webserver.extraNetworkPolicies`` and ``flower.extraNetworkPolicies`` parameters have been renamed
+"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+``webserver.extraNetworkPolicies`` and ``flower.extraNetworkPolicies`` have been renamed to ``webserver.networkPolicy.ingress.from`` and ``flower.networkPolicy.ingress.from``, respectively. Their values and behavior are the same.
+
+The old parameter names will continue to work, however support for them will be removed in a future release so please update your values file.
+
+Removed ``dags.gitSync.root``, ``dags.gitSync.dest``, and ``dags.gitSync.excludeWebserver`` parameters
+""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+The ``dags.gitSync.root`` and ``dags.gitSync.dest`` parameters did not provide any useful behaviors to chart users so they have been removed.
+If you have them set in your values file you can safely remove them.
+
+The ``dags.gitSync.excludeWebserver`` parameter was mistakenly included in the charts ``values.schema.json``. If you have it set in your values file,
+you can safely remove it.
+
+``nodeSelector``, ``affinity`` and ``tolerations`` on ``migrateDatabaseJob`` and ``createUserJob`` jobs
+"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+The ``migrateDatabaseJob`` and ``createUserJob`` jobs were incorrectly using the ``webserver``'s ``nodeSelector``, ``affinity``
+and ``tolerations`` (if set). Each job is now configured separately.
+
+New Features
+^^^^^^^^^^^^
+
+- Chart: Allow using ``krb5.conf`` with ``CeleryExecutor`` (#16822)
+- Chart: Refactor webserver and flower NetworkPolicy (#16619)
+- Chart: Apply worker's node assigning settings to Pod Template File (#16663)
+- Chart: Support for overriding webserver and flower service ports (#16572)
+- Chart: Support ``extraContainers`` and ``extraVolumes`` in flower (#16515)
+- Chart: Allow configuration of pod resources in helm chart (#16425)
+- Chart: Support job level annotations; fix jobs scheduling config (#16331)
+- feat: Helm chart adding ``minReplicaCount`` to the KEDA ``worker-kedaautoscaler.yaml`` (#16262)
+- Chart: Adds support for custom command and args (#16153)
+- Chart: Add extra ini config to ``pgbouncer`` (#16120)
+- Chart: Add ``extraInitContainers`` to scheduler/webserver/workers (#16098)
+- Configurable resources for git-sync sidecar (#16080)
+- Chart: Template ``airflowLocalSettings`` and ``webserver.webserverConfig`` (#16074)
+- Support ``strategy``/``updateStrategy`` on scheduler (#16069)
+- Chart: Add both airflow and extra annotations to jobs (#16058)
+- ``loadBalancerIP`` and ``annotations`` for both Flower and Webserver (#15972)
+
+Improvements
+^^^^^^^^^^^^
+
+- Chart: Update Postgres subchart to 10.5.3 (#17041)
+- Chart: Update the default Airflow version to ``2.1.2`` (#17013)
+- Update default image as ``2.1.1`` for Helm Chart (#16785)
+- Chart: warn when using default logging with ``KubernetesExecutor`` (#16784)
+- Drop support for Helm 2 (#16575)
+- Chart: ``podAntiAffinity`` for scheduler, webserver, and workers (#16315)
+- Chart: Update the default Airflow Version to ``2.1.0`` (#16273)
+- Chart: Only mount DAGs in webserver when required (#16229)
+- Chart: Remove ``git-sync``: ``root`` and ``dest`` params (#15955)
+- Chart: Add warning about missing ``knownHosts`` (#15950)
+
+Bug Fixes
+^^^^^^^^^
+
+- Chart: Create a random secret for Webserver's flask secret key (#17142)
+- Chart: fix labels on cleanup ServiceAccount (#16722)
+- Chart: Fix overriding node assigning settings on Worker Deployment (#16670)
+- Chart: Always deploy a ``gitsync`` init container (#16339)
+- Chart: Fix updating from ``KubernetesExecutor`` to ``CeleryExecutor`` (#16242)
+- Chart: Adds labels to Kubernetes worker pods (#16203)
+- Chart: Allow ``webserver.base_url`` to be templated (#16126)
+- Chart: Fix ``PgBouncer`` exporter sidecar (#16099)
+- Remove ``dags.gitSync.excludeWebserver`` from chart ``values.schema.json`` (#16070)
+- Chart: Fix Elasticsearch secret created without Elasticsearch enabled (#16015)
+- Handle special characters in passwords for Helm Chart (#16004)
+- Fix flower ServiceAccount created without flower enable (#16011)
+- Chart: ``gitsync`` Clean Up for ``KubernetesExecutor``  (#15925)
+- Mount DAGs read only when using ``gitsync`` (#15953)
+
+Doc only changes
+^^^^^^^^^^^^^^^^
+
+- Chart docs: note uid write permissions for existing PVC (#17170)
+- Chart Docs: Add single-line description for ``multiNamespaceMode`` (#17147)
+- Chart: Update description for Helm chart to include 'official' (#17040)
+- Chart: Better comment and example for ``podTemplate`` (#16859)
+- Chart: Add more clear docs for setting ``pod_template_file.yaml`` (#16632)
+- Fix description on ``scheduler.livenessprobe.periodSeconds`` (#16486)
+- Chart docs: Fix ``extrasecrets`` example (#16305)
+- Small improvements for ``README.md`` files (#16244)
+
+Misc
+^^^^
+
+- Removes pylint from our toolchain (#16682)
+- Update link to match what is in pre-commit (#16408)
+- Chart: Update the ``appVersion`` to 2.1.0 in ``Chart.yaml`` (#16337)
+- Rename the main branch of the Airflow repo to be ``main`` (#16149)
+- Update Chart version to ``1.1.0-rc1`` (#16124)

helm/airflow/dockerfiles/README.md

@@ -0,0 +1,28 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+ -->
+
+Those are images that are needed for the Helm Chart.
+
+In each of the images you can find "build_and_push.sh" script that builds and pushes the image.
+
+You need to be a PMC with direct push access to "apache/airflow" DockerHub registry
+to be able to push to the Airflow DockerHub registry.
+
+You can set the DOCKERHUB_USER variable to push to your own DockerHub user if you want
+ to test the image or build your own image.

helm/airflow/dockerfiles/pgbouncer-exporter/Dockerfile

@@ -0,0 +1,57 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+ARG ALPINE_VERSION="3.17"
+ARG GO_VERSION
+
+FROM golang:${GO_VERSION} AS builder
+
+ARG PGBOUNCER_EXPORTER_VERSION
+
+WORKDIR /usr/src/myapp
+
+SHELL ["/bin/bash", "-o", "pipefail", "-e", "-u", "-x", "-c"]
+
+RUN URL="https://github.com/jbub/pgbouncer_exporter/archive/v${PGBOUNCER_EXPORTER_VERSION}.tar.gz" \
+    && curl -L "${URL}" | tar -zx --strip-components 1 \
+    && PLATFORM=$([ "$(uname -m)" = "aarch64" ] && echo "arm64" || echo "amd64" )\
+    && GOOS=linux GOARCH="${PLATFORM}" CGO_ENABLED=0 go build -v
+
+FROM alpine:${ALPINE_VERSION} AS final
+
+# We want to make sure this one includes latest security fixes.
+# "Pin versions in apk add" https://github.com/hadolint/hadolint/wiki/DL3018
+# hadolint ignore=DL3018
+RUN apk --no-cache add libressl libressl-dev openssl
+
+COPY --from=builder /usr/src/myapp/pgbouncer_exporter /bin
+
+ARG PGBOUNCER_EXPORTER_VERSION
+ARG AIRFLOW_PGBOUNCER_EXPORTER_VERSION
+ARG GO_VERSION
+ARG COMMIT_SHA
+
+LABEL org.apache.airflow.component="pgbouncer-exporter" \
+    org.apache.airflow.pgbouncer-exporter.version="${PGBOUNCER_EXPORTER_VERSION}" \
+    org.apache.airflow.go.version="${GO_VERSION}" \
+    org.apache.airflow.airflow-pgbouncer-exporter.version="${AIRFLOW_PGBOUNCER_EXPORTER_VERSION}" \
+    org.apache.airflow.commit-sha="${COMMIT_SHA}" \
+    maintainer="Apache Airflow Community <dev@airflow.apache.org>"
+
+HEALTHCHECK CMD ["/bin/pgbouncer_exporter", "health"]
+
+USER nobody
+
+ENTRYPOINT ["/bin/pgbouncer_exporter"]
+CMD ["server"]

helm/airflow/dockerfiles/pgbouncer-exporter/build_and_push.sh

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+set -euo pipefail
+DOCKERHUB_USER=${DOCKERHUB_USER:="apache"}
+readonly DOCKERHUB_USER
+DOCKERHUB_REPO=${DOCKERHUB_REPO:="airflow"}
+readonly DOCKERHUB_REPO
+
+PGBOUNCER_EXPORTER_VERSION="0.14.0"
+readonly PGBOUNCER_EXPORTER_VERSION
+
+AIRFLOW_PGBOUNCER_EXPORTER_VERSION="2023.02.21"
+readonly AIRFLOW_PGBOUNCER_EXPORTER_VERSION
+
+EXPECTED_GO_VERSION="1.19.6"
+readonly EXPECTED_GO_VERSION
+
+COMMIT_SHA=$(git rev-parse HEAD)
+readonly COMMIT_SHA
+
+TAG="${DOCKERHUB_USER}/${DOCKERHUB_REPO}:airflow-pgbouncer-exporter-${AIRFLOW_PGBOUNCER_EXPORTER_VERSION}-${PGBOUNCER_EXPORTER_VERSION}"
+readonly TAG
+
+function center_text() {
+    columns=$(tput cols || echo 80)
+    printf "%*s\n" $(( (${#1} + columns) / 2)) "$1"
+}
+
+cd "$( dirname "${BASH_SOURCE[0]}" )" || exit 1
+
+center_text "Building image"
+
+# Note, you need buildx and qemu installed for your docker. They come pre-installed with docker-desktop, but
+# as described in:
+# * https://docs.docker.com/build/install-buildx/
+# * https://docs.docker.com/build/building/multi-platform/
+# You can also install them easily on all docker-based systems
+# You might also need to create a different builder to build multi-platform images
+# For example by running `docker buildx create --use`
+
+docker buildx build . \
+    --platform linux/amd64,linux/arm64 \
+    --pull \
+    --push \
+    --build-arg "PGBOUNCER_EXPORTER_VERSION=${PGBOUNCER_EXPORTER_VERSION}" \
+    --build-arg "AIRFLOW_PGBOUNCER_EXPORTER_VERSION=${AIRFLOW_PGBOUNCER_EXPORTER_VERSION}"\
+    --build-arg "COMMIT_SHA=${COMMIT_SHA}" \
+    --build-arg "GO_VERSION=${EXPECTED_GO_VERSION}" \
+    --tag "${TAG}"
+
+center_text "Checking image"
+
+docker run --rm "${TAG}" --version

helm/airflow/dockerfiles/pgbouncer/Dockerfile

@@ -0,0 +1,77 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+ARG ALPINE_VERSION="3.14"
+FROM alpine:${ALPINE_VERSION} AS builder
+SHELL ["/bin/ash", "-e", "-x", "-c", "-o", "pipefail"]
+
+ARG PGBOUNCER_VERSION
+ARG AIRFLOW_PGBOUNCER_VERSION
+
+ARG PGBOUNCER_SHA256
+
+# Those are build deps only but still we want the latest versions of those
+# "Pin versions in apk add" https://github.com/hadolint/hadolint/wiki/DL3018
+# hadolint ignore=DL3018
+RUN apk --no-cache add make pkgconfig build-base libtool wget gcc g++ libevent-dev libressl-dev c-ares-dev ca-certificates
+# We are not using Dash so we can safely ignore the "Dash warning"
+# "In dash, something is not supported." https://github.com/koalaman/shellcheck/wiki/SC2169
+# hadolint ignore=SC2169,SC3060
+RUN wget --progress=dot:giga "https://github.com/pgbouncer/pgbouncer/releases/download/pgbouncer_${PGBOUNCER_VERSION//\./_}/pgbouncer-${PGBOUNCER_VERSION}.tar.gz" \
+    && echo "${PGBOUNCER_SHA256}  pgbouncer-${PGBOUNCER_VERSION}.tar.gz" | sha256sum -c - \
+    && tar -xzvf pgbouncer-$PGBOUNCER_VERSION.tar.gz
+
+WORKDIR /pgbouncer-$PGBOUNCER_VERSION
+RUN ./configure --prefix=/usr --disable-debug && make && make install \
+    && mkdir /etc/pgbouncer \
+    && cp ./etc/pgbouncer.ini /etc/pgbouncer/ \
+    && touch /etc/pgbouncer/userlist.txt \
+    && sed -i -e "s|logfile = |#logfile = |"  \
+           -e "s|pidfile = |#pidfile = |"  \
+           -e "s|listen_addr = .*|listen_addr = 0.0.0.0|" \
+           -e "s|auth_type = .*|auth_type = md5|" \
+           /etc/pgbouncer/pgbouncer.ini
+
+FROM alpine:${ALPINE_VERSION}
+
+ARG PGBOUNCER_VERSION
+ARG AIRFLOW_PGBOUNCER_VERSION
+ARG COMMIT_SHA
+
+
+# We want to make sure this one includes latest security fixes.
+# "Pin versions in apk add" https://github.com/hadolint/hadolint/wiki/DL3018
+# hadolint ignore=DL3018
+RUN apk --no-cache add libevent libressl c-ares
+
+COPY --from=builder /etc/pgbouncer /etc/pgbouncer
+COPY --from=builder /usr/bin/pgbouncer /usr/bin/pgbouncer
+
+LABEL org.apache.airflow.component="pgbouncer" \
+    org.apache.airflow.pgbouncer.version="${PGBOUNCER_VERSION}" \
+    org.apache.airflow.airflow-pgbouncer.version="${AIRFLOW_PGBOUNCER_VERSION}" \
+    org.apache.airflow.commit-sha="${COMMIT_SHA}" \
+    maintainer="Apache Airflow Community <dev@airflow.apache.org>"
+
+# Healthcheck
+HEALTHCHECK --interval=10s --timeout=3s CMD stat /tmp/.s.PGSQL.*
+
+EXPOSE 6432
+
+USER nobody
+
+# pgbouncer can't run as root, so let's drop to 'nobody'
+ENTRYPOINT ["/usr/bin/pgbouncer", "-u", "nobody", "/etc/pgbouncer/pgbouncer.ini" ]

helm/airflow/dockerfiles/pgbouncer/build_and_push.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+set -euo pipefail
+DOCKERHUB_USER=${DOCKERHUB_USER:="apache"}
+readonly DOCKERHUB_USER
+
+DOCKERHUB_REPO=${DOCKERHUB_REPO:="airflow"}
+readonly DOCKERHUB_REPO
+
+PGBOUNCER_VERSION="1.16.1"
+readonly PGBOUNCER_VERSION
+
+PGBOUNCER_SHA256="087477e9e4766d032b04b7b006c0c8d64160a54141a7bfc2c6e5ae7ae11bf7fc"
+readonly PGBOUNCER_SHA256
+
+AIRFLOW_PGBOUNCER_VERSION="2023.02.24"
+readonly AIRFLOW_PGBOUNCER_VERSION
+
+COMMIT_SHA=$(git rev-parse HEAD)
+readonly COMMIT_SHA
+
+TAG="${DOCKERHUB_USER}/${DOCKERHUB_REPO}:airflow-pgbouncer-${AIRFLOW_PGBOUNCER_VERSION}-${PGBOUNCER_VERSION}"
+readonly TAG
+
+function center_text() {
+    columns=$(tput cols || echo 80)
+    printf "%*s\n" $(( (${#1} + columns) / 2)) "$1"
+}
+
+cd "$( dirname "${BASH_SOURCE[0]}" )" || exit 1
+
+center_text "Building image"
+
+# Note, you need buildx and qemu installed for your docker. They come pre-installed with docker-desktop, but
+# as described in:
+# * https://docs.docker.com/build/install-buildx/
+# * https://docs.docker.com/build/building/multi-platform/
+# You can also install them easily on all docker-based systems
+# You might also need to create a different builder to build multi-platform images
+# For example by running `docker buildx create --use`
+
+docker buildx build . \
+    --platform linux/amd64,linux/arm64 \
+    --pull \
+    --push \
+    --build-arg "PGBOUNCER_VERSION=${PGBOUNCER_VERSION}" \
+    --build-arg "AIRFLOW_PGBOUNCER_VERSION=${AIRFLOW_PGBOUNCER_VERSION}"\
+    --build-arg "PGBOUNCER_SHA256=${PGBOUNCER_SHA256}"\
+    --build-arg "COMMIT_SHA=${COMMIT_SHA}" \
+    --tag "${TAG}"
+
+center_text "Checking image"
+
+docker run --rm "${TAG}" pgbouncer --version

helm/airflow/files/pod-template-file.kubernetes-helm-yaml

@@ -0,0 +1,141 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+---
+{{- $nodeSelector := or .Values.workers.nodeSelector .Values.nodeSelector }}
+{{- $affinity := or .Values.workers.affinity .Values.affinity }}
+{{- $tolerations := or .Values.workers.tolerations .Values.tolerations }}
+{{- $topologySpreadConstraints := or .Values.workers.topologySpreadConstraints .Values.topologySpreadConstraints }}
+{{- $securityContext := include "airflowPodSecurityContext" (list . .Values.workers) }}
+{{- $containerSecurityContext := include "containerSecurityContext" (list . .Values.workers) }}
+{{- $containerLifecycleHooks := or .Values.workers.containerLifecycleHooks .Values.containerLifecycleHooks }}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: placeholder-name
+  labels:
+    tier: airflow
+    component: worker
+    release: {{ .Release.Name }}
+    {{- if or (.Values.labels) (.Values.workers.labels) }}
+      {{- mustMerge .Values.workers.labels .Values.labels | toYaml | nindent 4 }}
+    {{- end }}
+  {{- if or .Values.airflowPodAnnotations .Values.workers.podAnnotations }}
+  annotations:
+    {{- if .Values.airflowPodAnnotations }}
+      {{- toYaml .Values.airflowPodAnnotations | nindent 4 }}
+    {{- end }}
+    {{- if .Values.workers.podAnnotations }}
+      {{- toYaml .Values.workers.podAnnotations | nindent 4 }}
+    {{- end }}
+  {{- end }}
+spec:
+  {{- if or (and .Values.dags.gitSync.enabled (not .Values.dags.persistence.enabled)) .Values.workers.extraInitContainers }}
+  initContainers:
+    {{- if and .Values.dags.gitSync.enabled (not .Values.dags.persistence.enabled) }}
+      {{- include "git_sync_container" (dict "Values" .Values "is_init" "true" "Template" .Template) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.workers.extraInitContainers }}
+      {{- toYaml .Values.workers.extraInitContainers | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  containers:
+    - envFrom: {{- include "custom_airflow_environment_from" . | default "\n  []" | indent 6 }}
+      env:
+        - name: AIRFLOW__CORE__EXECUTOR
+          value: LocalExecutor
+        {{- include "standard_airflow_environment" . | indent 6}}
+        {{- include "custom_airflow_environment" . | indent 6 }}
+        {{- include "container_extra_envs" (list . .Values.workers.env) | indent 6 }}
+      image: {{ template "pod_template_image" . }}
+      imagePullPolicy: {{ .Values.images.pod_template.pullPolicy }}
+      securityContext: {{ $containerSecurityContext | nindent 8 }}
+      {{- if $containerLifecycleHooks }}
+      lifecycle: {{- tpl (toYaml $containerLifecycleHooks) . | nindent 8 }}
+      {{- end }}
+      name: base
+      resources: {{- toYaml .Values.workers.resources | nindent 8 }}
+      volumeMounts:
+        - mountPath: {{ template "airflow_logs" . }}
+          name: logs
+        {{- include "airflow_config_mount" . | nindent 8 }}
+        {{- if or .Values.dags.gitSync.enabled .Values.dags.persistence.enabled }}
+          {{- include "airflow_dags_mount" . | nindent 8 }}
+        {{- end }}
+        {{- if .Values.volumeMounts }}
+          {{- toYaml .Values.volumeMounts | nindent 8 }}
+        {{- end }}
+        {{- if .Values.workers.extraVolumeMounts }}
+          {{- tpl (toYaml .Values.workers.extraVolumeMounts) . | nindent 8 }}
+        {{- end }}
+    {{- if .Values.workers.extraContainers }}
+      {{- toYaml .Values.workers.extraContainers | nindent 4 }}
+    {{- end }}
+  {{- if .Values.workers.priorityClassName }}
+  priorityClassName: {{ .Values.workers.priorityClassName }}
+  {{- end }}
+  {{- if .Values.workers.runtimeClassName }}
+  priorityClassName: {{ .Values.workers.runtimeClassName }}
+  {{- end }}
+  {{- if or .Values.registry.secretName .Values.registry.connection }}
+  imagePullSecrets:
+    - name: {{ template "registry_secret" . }}
+  {{- end }}
+  {{- if .Values.workers.hostAliases }}
+  hostAliases: {{- toYaml .Values.workers.hostAliases | nindent 4 }}
+  {{- end }}
+  restartPolicy: Never
+  securityContext: {{ $securityContext | nindent 4 }}
+  nodeSelector: {{- toYaml $nodeSelector | nindent 4 }}
+  affinity: {{- toYaml $affinity | nindent 4 }}
+  {{- if .Values.schedulerName }}
+  schedulerName: {{ .Values.schedulerName }}
+  {{- end }}
+  terminationGracePeriodSeconds: {{ .Values.workers.terminationGracePeriodSeconds }}
+  tolerations: {{- toYaml $tolerations | nindent 4 }}
+  topologySpreadConstraints: {{- toYaml $topologySpreadConstraints | nindent 4 }}
+  serviceAccountName: {{ include "worker.serviceAccountName" . }}
+  volumes:
+  {{- if .Values.dags.persistence.enabled }}
+  - name: dags
+    persistentVolumeClaim:
+      claimName: {{ template "airflow_dags_volume_claim" . }}
+  {{- else if .Values.dags.gitSync.enabled }}
+  - name: dags
+    emptyDir: {}
+  {{- end }}
+  {{- if .Values.logs.persistence.enabled }}
+  - name: logs
+    persistentVolumeClaim:
+      claimName: {{ template "airflow_logs_volume_claim" . }}
+  {{- else }}
+  - emptyDir: {}
+    name: logs
+  {{- end }}
+  {{- if and  .Values.dags.gitSync.enabled  .Values.dags.gitSync.sshKeySecret }}
+    {{- include "git_sync_ssh_key_volume" . | nindent 2 }}
+  {{- end }}
+  - configMap:
+      name: {{ include "airflow_config" . }}
+    name: config
+  {{- if .Values.volumes }}
+    {{- toYaml .Values.volumes | nindent 2 }}
+  {{- end }}
+  {{- if .Values.workers.extraVolumes }}
+    {{- tpl (toYaml .Values.workers.extraVolumes) . | nindent 2 }}
+  {{- end }}

helm/airflow/files/statsd-mappings.yml

@@ -0,0 +1,87 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+---
+mappings:
+  # Map dot separated stats to labels
+  - match: airflow.dagrun.dependency-check.*.*
+    name: "airflow_dagrun_dependency_check"
+    labels:
+      dag_id: "$1"
+
+  - match: airflow.operator_successes_(.*)
+    match_type: regex
+    name: "airflow_operator_successes"
+    labels:
+      operator: "$1"
+
+  - match: airflow.operator_failures_(.*)
+    match_type: regex
+    name: "airflow_operator_failures"
+    labels:
+      operator: "$1"
+
+  - match: airflow.scheduler_heartbeat
+    match_type: regex
+    name: "airflow_scheduler_heartbeat"
+    labels:
+      type: counter
+
+  - match: airflow.dag.*.*.duration
+    name: "airflow_task_duration"
+    labels:
+      dag_id: "$1"
+      task_id: "$2"
+
+  - match: airflow.dagrun.duration.success.*
+    name: "airflow_dagrun_duration"
+    labels:
+      dag_id: "$1"
+
+  - match: airflow.dagrun.duration.failed.*
+    name: "airflow_dagrun_failed"
+    labels:
+      dag_id: "$1"
+
+  - match: airflow.dagrun.schedule_delay.*
+    name: "airflow_dagrun_schedule_delay"
+    labels:
+      dag_id: "$1"
+
+  - match: airflow.dag_processing.last_runtime.*
+    name: "airflow_dag_processing_last_runtime"
+    labels:
+      dag_file: "$1"
+
+  - match: airflow.dag_processing.last_run.seconds_ago.*
+    name: "airflow_dag_processing_last_run_seconds_ago"
+    labels:
+      dag_file: "$1"
+
+  - match: airflow.pool.open_slots.*
+    name: "airflow_pool_open_slots"
+    labels:
+      pool: "$1"
+
+  - match: airflow.pool.used_slots.*
+    name: "airflow_pool_used_slots"
+    labels:
+      pool: "$1"
+
+  - match: airflow.pool.starving_tasks.*
+    name: "airflow_pool_starving_tasks"
+    labels:
+      pool: "$1"

helm/airflow/newsfragments/31066.significant.rst

@@ -0,0 +1,23 @@
+Support naming customization on helm chart resources, some resources may be renamed during upgrade
+
+This is a new opt-in switch ``useStandardNaming``, for backwards compatibility, to leverage the standard naming convention, which allows full use of fullnameOverride and nameOverride in all resources.
+
+Only the following resources will be renamed using default of ``useStandardNaming=false``:
+- ConfigMap {release}-airflow-config to {release}-config
+- Secret {release}-airflow-metadata to {release}-metadata
+- Secret {release}-airflow-result-backend to {release}-result-backend
+
+For existing installations, all your resources will be recreated with a new name and helm will delete previous resources.
+
+This won't delete existing PVCs for logs used by statefulset/deployments, but it will recreate them with brand new PVCs.
+If you do want to preserve logs history you'll need to manually copy the data of these volumes into the new volumes after
+deployment. Depending on what storage backend/class you're using this procedure may vary. If you don't mind starting
+with fresh logs/redis volumes, you can just delete the old pvcs that will be names, for example:
+
+.. code-block:: bash
+
+    kubectl delete pvc -n airflow logs-gta-triggerer-0
+    kubectl delete pvc -n airflow logs-gta-worker-0
+    kubectl delete pvc -n airflow redis-db-gta-redis-0
+
+If you do not change ``useStandardNaming`` or ``fullnameOverride`` after upgrade, you can proceed as usual and no unexpected behaviours will be presented.

helm/airflow/newsfragments/33747.significant.rst

@@ -0,0 +1,3 @@
+``bitnami/postgresql`` subchart updated to ``12.10.0``
+
+The PostgreSQL subchart that is used with the Chart is now ``12.10.0``, previously it was ``12.1.9``.

helm/airflow/newsfragments/33748.significant.rst

@@ -0,0 +1,3 @@
+Default git-sync image is updated to ``3.6.9``
+
+The default git-sync image that is used with the Chart is now ``3.6.9``, previously it was ``3.6.3``.

helm/airflow/newsfragments/34186.significant.rst

@@ -0,0 +1,3 @@
+Default Airflow image is updated to ``2.7.1``
+
+The default Airflow image that is used with the Chart is now ``2.7.1``, previously it was ``2.6.2``.

helm/airflow/newsfragments/config.toml

@@ -0,0 +1,50 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+[tool.towncrier]
+name = "Airflow Helm Chart"
+filename = "RELEASE_NOTES.rst"
+underlines = ["-", '^']
+
+[[tool.towncrier.type]]
+directory = "significant"
+name = "Significant Changes"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "feature"
+name = "Features"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "improvement"
+name = "Improvements"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "bugfix"
+name = "Bug Fixes"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "doc"
+name = "Doc only Changes"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "misc"
+name = "Misc"
+showcontent = true

helm/airflow/override_values.yaml

@@ -0,0 +1,197 @@
+## Prerequirements
+
+## Airflow Namespace 생성
+# kubectl create namespace airflow
+
+## Web Server Secret Key 생성
+# kubectl create secret -n airflow generic webserver-secret --from-literal="webserver-secret-key=$(python3 -c 'import secrets; print(secrets.token_hex(16))')"
+
+## GitHub 연동을 위한 Secret Key 생성
+# kubectl create secret generic airflow-git-ssh-secret \
+#   --from-file=gitSshKey=[사용할 SSH Private key] \
+#   -n airflow
+
+## keda 활용 시 설치
+# helm repo add kedacore https://kedacore.github.io/charts
+# helm repo update
+# kubectl create namespace keda
+# helm install keda kedacore/keda --namespace keda --version "v2.0.0"
+
+---
+
+webserverSecretKeySecretName: webserver-secret
+
+executor: "CeleryKubernetesExecutor"
+
+workers:
+  replicas: 1
+  resources: 
+   limits:
+    cpu: 1
+    memory: 3Gi
+   requests:
+    cpu: 1
+    memory: 2Gi
+  keda:
+    enabled: true
+    minReplicaCount: 1
+    maxReplicaCount: 3
+    # advanced: 
+    #   horizontalPodAutoscalerConfig:
+    #     behavior:
+    #       scaleDown:
+    #         stabilizationWindowSeconds: 600
+    #         policies:
+    #           - type: Percent
+    #             value: 100
+    #             periodSeconds: 15
+
+scheduler:
+  replicas: 1
+  resources: 
+   limits:
+    cpu: 1
+    memory: 1Gi
+   requests:
+    cpu: 500m
+    memory: 1Gi
+
+webserver:
+  replicas: 1
+  resources: 
+    limits:
+      cpu: 1
+      memory: 2Gi
+    requests:
+      cpu: 500m
+      memory: 1Gi
+  service:
+    type: NodePort
+    ports:
+      - name: airflow-ui
+        port: 8080
+        targetPort: 8080
+        nodePort: 30180
+  defaultUser:
+    email: minchulahn@ex-em.com
+
+triggerer:
+  replicas: 1
+  resources: 
+   limits:
+    cpu: 1
+    memory: 1Gi
+   requests:
+    cpu: 500m
+    memory: 1Gi
+
+statsd:
+  resources: 
+    limits:
+      cpu: 100m
+      memory: 128Mi
+    requests:
+      cpu: 100m
+      memory: 128Mi
+
+redis:
+  resources:
+   limits:
+    cpu: 100m
+    memory: 128Mi
+   requests:
+    cpu: 100m
+    memory: 128Mi
+
+dags:
+  gitSync:
+    enabled: true
+    repo: git@github.com:cloudmoa/dsk-airflow-pipeline.git
+    branch: main
+    subPath: dags
+    sshKeySecret: airflow-git-ssh-secret
+
+postgresql:
+  primary:
+    service:
+      type: NodePort
+      nodePorts:
+        postgresql:  30185
+
+logs:
+  persistence:
+    enabled: true
+
+config:
+  core:
+    dags_folder: '{{ include "airflow_dags" . }}'
+    # This is ignored when used with the official Docker image
+    load_examples: 'False'
+    executor: '{{ .Values.executor }}'
+    # For Airflow 1.10, backward compatibility; moved to [logging] in 2.0
+    colored_console_log: 'False'
+    remote_logging: '{{- ternary "True" "False" .Values.elasticsearch.enabled }}'
+  logging:
+    remote_logging: '{{- ternary "True" "False" .Values.elasticsearch.enabled }}'
+    colored_console_log: 'False'
+  metrics:
+    statsd_on: '{{ ternary "True" "False" .Values.statsd.enabled }}'
+    statsd_port: 9125
+    statsd_prefix: airflow
+    statsd_host: '{{ printf "%s-statsd" .Release.Name }}'
+  webserver:
+    enable_proxy_fix: 'True'
+    # For Airflow 1.10
+    rbac: 'True'
+  celery:
+    flower_url_prefix: '{{ .Values.ingress.flower.path }}'
+    worker_concurrency: 16
+  scheduler:
+    standalone_dag_processor: '{{ ternary "True" "False" .Values.dagProcessor.enabled }}'
+    # statsd params included for Airflow 1.10 backward compatibility; moved to [metrics] in 2.0
+    statsd_on: '{{ ternary "True" "False" .Values.statsd.enabled }}'
+    statsd_port: 9125
+    statsd_prefix: airflow
+    statsd_host: '{{ printf "%s-statsd" .Release.Name }}'
+    # `run_duration` included for Airflow 1.10 backward compatibility; removed in 2.0.
+    run_duration: 41460
+  elasticsearch:
+    json_format: 'True'
+    log_id_template: "{dag_id}_{task_id}_{execution_date}_{try_number}"
+  elasticsearch_configs:
+    max_retries: 3
+    timeout: 30
+    retry_timeout: 'True'
+  kerberos:
+    keytab: '{{ .Values.kerberos.keytabPath }}'
+    reinit_frequency: '{{ .Values.kerberos.reinitFrequency }}'
+    principal: '{{ .Values.kerberos.principal }}'
+    ccache: '{{ .Values.kerberos.ccacheMountPath }}/{{ .Values.kerberos.ccacheFileName }}'
+  celery_kubernetes_executor:
+    kubernetes_queue: 'kubernetes'
+  # The `kubernetes` section is deprecated in Airflow >= 2.5.0 due to an airflow.cfg schema change.
+  # The `kubernetes` section can be removed once the helm chart no longer supports Airflow < 2.5.0.
+  kubernetes:
+    namespace: '{{ .Release.Namespace }}'
+    # The following `airflow_` entries are for Airflow 1, and can be removed when it is no longer supported.
+    airflow_configmap: '{{ include "airflow_config" . }}'
+    airflow_local_settings_configmap: '{{ include "airflow_config" . }}'
+    pod_template_file: '{{ include "airflow_pod_template_file" . }}/pod_template_file.yaml'
+    worker_container_repository: '{{ .Values.images.airflow.repository | default .Values.defaultAirflowRepository }}'
+    worker_container_tag: '{{ .Values.images.airflow.tag | default .Values.defaultAirflowTag }}'
+    multi_namespace_mode: '{{ ternary "True" "False" .Values.multiNamespaceMode }}'
+  # The `kubernetes_executor` section duplicates the `kubernetes` section in Airflow >= 2.5.0 due to an airflow.cfg schema change.
+  kubernetes_executor:
+    namespace: '{{ .Release.Namespace }}'
+    pod_template_file: '{{ include "airflow_pod_template_file" . }}/pod_template_file.yaml'
+    worker_container_repository: '{{ .Values.images.airflow.repository | default .Values.defaultAirflowRepository }}'
+    worker_container_tag: '{{ .Values.images.airflow.tag | default .Values.defaultAirflowTag }}'
+    multi_namespace_mode: '{{ ternary "True" "False" .Values.multiNamespaceMode }}'
+  email:
+    email_backend: airflow.providers.amazon.aws.utils.emailer.send_email
+    email_conn_id: aws_ses
+    default_email_on_retry: True
+    default_email_on_failure: True
+    from_email: DataSaker <notice@datasaker.io>
+  api:
+    auth_backends: airflow.api.auth.backend.basic_auth

helm/airflow/templates/NOTES.txt

@@ -0,0 +1,206 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+
+Thank you for installing Apache {{ title .Chart.Name }} {{ .Values.airflowVersion }}!
+
+Your release is named {{ .Release.Name }}.
+
+{{- if or .Values.ingress.web.enabled .Values.ingress.flower.enabled .Values.ingress.enabled }}
+You can now access your service(s) by following defined Ingress urls:
+
+{{- if .Values.ingress.web.host }}
+
+DEPRECATION WARNING:
+   `ingress.web.host` has been renamed to `ingress.web.hosts` and is now an array.
+   Please change your values as support for the old name will be dropped in a future release.
+
+{{- end }}
+
+{{- if .Values.ingress.web.tls }}
+
+DEPRECATION WARNING:
+   `ingress.web.tls` has been renamed to `ingress.web.hosts[*].tls` and can be set per host.
+   Please change your values as support for the old name will be dropped in a future release.
+
+{{- end }}
+
+{{- if .Values.ingress.flower.host }}
+
+DEPRECATION WARNING:
+   `ingress.flower.host` has been renamed to `ingress.flower.hosts` and is now an array.
+   Please change your values as support for the old name will be dropped in a future release.
+
+{{- end }}
+
+
+{{- if .Values.ingress.flower.tls }}
+
+DEPRECATION WARNING:
+   `ingress.flower.tls` has been renamed to `ingress.flower.hosts[*].tls` and can be set per host.
+   Please change your values as support for the old name will be dropped in a future release.
+
+{{- end }}
+
+{{- if .Values.ingress.enabled }}
+
+DEPRECATION WARNING:
+   `ingress.enabled` has been deprecated. There are now separate flags to control the webserver and
+   flower individually, ``ingress.web.enabled`` and ``ingress.flower.enabled``.
+   Please change your values as support for the old name will be dropped in a future release.
+
+{{- end }}
+
+{{- if or .Values.ingress.web.enabled .Values.ingress.enabled }}
+Airflow Webserver:
+{{- range .Values.ingress.web.hosts | default (list .Values.ingress.web.host) }}
+      {{- $tlsEnabled := $.Values.ingress.web.tls.enabled -}}
+      {{- $hostname := $.Values.ingress.web.host -}}
+      {{- if . | kindIs "string" | not }}
+      {{- if .tls }}
+      {{- $tlsEnabled = .tls.enabled -}}
+      {{- $hostname = .name -}}
+      {{- end }}
+      {{- end }}
+      http{{ if $tlsEnabled }}s{{ end }}://{{ $hostname }}{{ $.Values.ingress.web.path }}/
+{{- end }}
+{{- end }}
+{{- if and (or .Values.ingress.flower.enabled .Values.ingress.enabled) (or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "CeleryKubernetesExecutor")) }}
+Flower dashboard:
+{{- range .Values.ingress.flower.hosts | default (list .Values.ingress.flower.host) }}
+      {{- $tlsEnabled := $.Values.ingress.flower.tls.enabled -}}
+      {{- $hostname := $.Values.ingress.flower.host -}}
+      {{- if . | kindIs "string" | not }}
+      {{- if .tls }}
+      {{- $tlsEnabled = .tls.enabled -}}
+      {{- $hostname = .name -}}
+      {{- end }}
+      {{- end }}
+      http{{ if $tlsEnabled }}s{{ end }}://{{ $hostname }}{{ $.Values.ingress.flower.path }}/
+{{- end }}
+{{- end }}
+{{- else }}
+You can now access your dashboard(s) by executing the following command(s) and visiting the corresponding port at localhost in your browser:
+
+Airflow Webserver:     kubectl port-forward svc/{{ include "airflow.fullname" . }}-webserver {{ .Values.ports.airflowUI }}:{{ .Values.ports.airflowUI }} --namespace {{ .Release.Namespace }}
+
+{{- if .Values.flower.enabled }}
+{{- if or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "CeleryKubernetesExecutor")}}
+Flower dashboard:      kubectl port-forward svc/{{ include "airflow.fullname" . }}-flower {{ .Values.ports.flowerUI }}:{{ .Values.ports.flowerUI }} --namespace {{ .Release.Namespace }}
+
+{{- end }}
+{{- end }}
+{{- end }}
+
+
+{{- if .Values.webserver.defaultUser.enabled}}
+Default Webserver (Airflow UI) Login credentials:
+    username: {{ .Values.webserver.defaultUser.username }}
+    password: {{ .Values.webserver.defaultUser.password }}
+{{- end }}
+
+{{- if .Values.postgresql.enabled }}
+Default Postgres connection credentials:
+    username: {{ .Values.data.metadataConnection.user }}
+    password: {{ .Values.data.metadataConnection.pass }}
+    port: {{ .Values.data.metadataConnection.port }}
+
+{{- end }}
+
+{{- if not .Values.fernetKeySecretName }}
+
+You can get Fernet Key value by running the following:
+
+    echo Fernet Key: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ .Release.Name }}-fernet-key -o jsonpath="{.data.fernet-key}" | base64 --decode)
+
+{{- end }}
+
+{{- if or (eq .Values.executor "KubernetesExecutor") (eq .Values.executor "CeleryKubernetesExecutor") }}
+{{- if and (not .Values.logs.persistence.enabled) (eq (lower (tpl .Values.config.logging.remote_logging .)) "false") }}
+
+WARNING:
+    Kubernetes workers task logs may not persist unless you configure log persistence or remote logging!
+    Logging options can be found at: https://airflow.apache.org/docs/helm-chart/stable/manage-logs.html
+    (This warning can be ignored if logging is configured with environment variables or secrets backend)
+
+{{- end }}
+{{- end }}
+
+{{- if and .Values.dags.gitSync.enabled .Values.dags.gitSync.sshKeySecret (not .Values.dags.gitSync.knownHosts)}}
+
+#####################################################
+#  WARNING: You should set dags.gitSync.knownHosts  #
+#####################################################
+
+You are using ssh authentication for your gitsync repo, however you currently have SSH known_hosts verification disabled,
+making you susceptible to man-in-the-middle attacks!
+
+Information on how to set knownHosts can be found here:
+https://airflow.apache.org/docs/helm-chart/stable/production-guide.html#knownhosts
+
+{{- end }}
+
+{{- if .Values.flower.extraNetworkPolicies }}
+
+DEPRECATION WARNING:
+   `flower.extraNetworkPolicies` has been renamed to `flower.networkPolicy.peers`.
+   Please change your values as support for the old name will be dropped in a future release.
+
+{{- end }}
+
+
+{{- if .Values.webserver.extraNetworkPolicies }}
+
+DEPRECATION WARNING:
+    `webserver.extraNetworkPolicies` has been renamed to `webserver.networkPolicy.peers`.
+    Please change your values as support for the old name will be dropped in a future release.
+
+{{- end }}
+
+{{- if not (or .Values.webserverSecretKey .Values.webserverSecretKeySecretName) }}
+
+{{- if .Values.securityContext }}
+
+ DEPRECATION WARNING:
+    `securityContext` has been renamed to `securityContexts`, to be enabled on container and pod level.
+    Please change your values as support for the old name will be dropped in a future release.
+
+{{- end }}
+
+###########################################################
+#  WARNING: You should set a static webserver secret key  #
+###########################################################
+
+You are using a dynamically generated webserver secret key, which can lead to
+unnecessary restarts of your Airflow components.
+
+Information on how to set a static webserver secret key can be found here:
+https://airflow.apache.org/docs/helm-chart/stable/production-guide.html#webserver-secret-key
+
+{{- end }}
+
+{{- if or .Values.postgresql.postgresqlUsername .Values.postgresql.postgresqlPassword }}
+
+   {{ fail "postgresql.postgresqlUsername and postgresql.postgresqlPassword are no longer supported. If you wish to use the 'postgres' user, set its password with postgresql.auth.postgresPassword. If you wish to create a different user, do so with postgresql.auth.username and postgresql.auth.password." }}
+
+{{- end }}
+
+{{- if ne .Values.executor (tpl .Values.config.core.executor $) }}
+   {{ fail "Please configure the executor with `executor`, not `config.core.executor`." }}
+{{- end }}

helm/airflow/templates/_helpers.yaml

@@ -0,0 +1,985 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "airflow.fullname" -}}
+  {{- if not .Values.useStandardNaming }}
+    {{- .Release.Name }}
+  {{- else if .Values.fullnameOverride }}
+    {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- $name := default .Chart.Name .Values.nameOverride }}
+    {{- if contains $name .Release.Name }}
+      {{- .Release.Name | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+      {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- define "airflow.serviceAccountName" -}}
+  {{ if .Values.fullnameOverride }}
+    {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- $name := default .Chart.Name .Values.nameOverride }}
+    {{- if contains $name .Release.Name }}
+      {{- .Release.Name | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+      {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{/* Standard Airflow environment variables */}}
+{{- define "standard_airflow_environment" }}
+  # Hard Coded Airflow Envs
+  {{- if .Values.enableBuiltInSecretEnvVars.AIRFLOW__CORE__FERNET_KEY }}
+  - name: AIRFLOW__CORE__FERNET_KEY
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "fernet_key_secret" . }}
+        key: fernet-key
+  {{- end }}
+  # For Airflow <2.3, backward compatibility; moved to [database] in 2.3
+  {{- if .Values.enableBuiltInSecretEnvVars.AIRFLOW__CORE__SQL_ALCHEMY_CONN }}
+  - name: AIRFLOW__CORE__SQL_ALCHEMY_CONN
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "airflow_metadata_secret" . }}
+        key: connection
+  {{- end }}
+  {{- if .Values.enableBuiltInSecretEnvVars.AIRFLOW__DATABASE__SQL_ALCHEMY_CONN }}
+  - name: AIRFLOW__DATABASE__SQL_ALCHEMY_CONN
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "airflow_metadata_secret" . }}
+        key: connection
+  {{- end }}
+  {{- if .Values.enableBuiltInSecretEnvVars.AIRFLOW_CONN_AIRFLOW_DB }}
+  - name: AIRFLOW_CONN_AIRFLOW_DB
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "airflow_metadata_secret" . }}
+        key: connection
+  {{- end }}
+  {{- if and .Values.workers.keda.enabled .Values.pgbouncer.enabled (not .Values.workers.keda.usePgbouncer) }}
+  - name: KEDA_DB_CONN
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "airflow_metadata_secret" . }}
+        key: kedaConnection
+  {{- end }}
+  {{- if .Values.enableBuiltInSecretEnvVars.AIRFLOW__WEBSERVER__SECRET_KEY }}
+  - name: AIRFLOW__WEBSERVER__SECRET_KEY
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "webserver_secret_key_secret" . }}
+        key: webserver-secret-key
+  {{- end }}
+  {{- if or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "CeleryKubernetesExecutor") }}
+    {{- if or (semverCompare "<2.4.0" .Values.airflowVersion) (.Values.data.resultBackendSecretName) (.Values.data.resultBackendConnection) }}
+    {{- if .Values.enableBuiltInSecretEnvVars.AIRFLOW__CELERY__CELERY_RESULT_BACKEND }}
+  # (Airflow 1.10.* variant)
+  - name: AIRFLOW__CELERY__CELERY_RESULT_BACKEND
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "airflow_result_backend_secret" . }}
+        key: connection
+    {{- end }}
+    {{- if .Values.enableBuiltInSecretEnvVars.AIRFLOW__CELERY__RESULT_BACKEND }}
+  - name: AIRFLOW__CELERY__RESULT_BACKEND
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "airflow_result_backend_secret" . }}
+        key: connection
+    {{- end }}
+    {{- end }}
+    {{- if .Values.enableBuiltInSecretEnvVars.AIRFLOW__CELERY__BROKER_URL }}
+  - name: AIRFLOW__CELERY__BROKER_URL
+    valueFrom:
+      secretKeyRef:
+        name: {{ default (printf "%s-broker-url" .Release.Name) .Values.data.brokerUrlSecretName }}
+        key: connection
+    {{- end }}
+  {{- end }}
+  {{- if .Values.elasticsearch.enabled }}
+  # The elasticsearch variables were updated to the shorter names in v1.10.4
+    {{- if .Values.enableBuiltInSecretEnvVars.AIRFLOW__ELASTICSEARCH__HOST }}
+  - name: AIRFLOW__ELASTICSEARCH__HOST
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "elasticsearch_secret" . }}
+        key: connection
+    {{- end }}
+    {{- if .Values.enableBuiltInSecretEnvVars.AIRFLOW__ELASTICSEARCH__ELASTICSEARCH_HOST }}
+  # This is the older format for these variable names, kept here for backward compatibility
+  - name: AIRFLOW__ELASTICSEARCH__ELASTICSEARCH_HOST
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "elasticsearch_secret" . }}
+        key: connection
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{/* User defined Airflow environment variables */}}
+{{- define "custom_airflow_environment" }}
+  # Dynamically created environment variables
+  {{- range $i, $config := .Values.env }}
+  - name: {{ $config.name }}
+    value: {{ $config.value | quote }}
+    {{- if or (eq $.Values.executor "KubernetesExecutor") (eq $.Values.executor "LocalKubernetesExecutor") (eq $.Values.executor "CeleryKubernetesExecutor") }}
+  - name: AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__{{ $config.name }}
+    value: {{ $config.value | quote }}
+    {{- end }}
+  {{- end }}
+  # Dynamically created secret envs
+  {{- range $i, $config := .Values.secret }}
+  - name: {{ $config.envName }}
+    valueFrom:
+      secretKeyRef:
+        name: {{ $config.secretName }}
+        key: {{ default "value" $config.secretKey }}
+  {{- end }}
+  {{- if or (eq $.Values.executor "LocalKubernetesExecutor") (eq $.Values.executor "KubernetesExecutor") (eq $.Values.executor "CeleryKubernetesExecutor") }}
+    {{- range $i, $config := .Values.secret }}
+  - name: AIRFLOW__KUBERNETES_SECRETS__{{ $config.envName }}
+    value: {{ printf "%s=%s" $config.secretName $config.secretKey }}
+    {{- end }}
+  {{ end }}
+  # Extra env
+  {{- $Global := . }}
+  {{- with .Values.extraEnv }}
+    {{- tpl . $Global | nindent 2 }}
+  {{- end }}
+{{- end }}
+
+{{/* User defined Airflow environment from */}}
+{{- define "custom_airflow_environment_from" }}
+  {{- $Global := . }}
+  {{- with .Values.extraEnvFrom }}
+    {{- tpl . $Global | nindent 2 }}
+  {{- end }}
+{{- end }}
+
+{{/*  Git ssh key volume */}}
+{{- define "git_sync_ssh_key_volume" }}
+- name: git-sync-ssh-key
+  secret:
+    secretName: {{ .Values.dags.gitSync.sshKeySecret }}
+    defaultMode: 288
+{{- end }}
+
+{{/*  Git sync container */}}
+{{- define "git_sync_container" }}
+- name: {{ .Values.dags.gitSync.containerName }}{{ if .is_init }}-init{{ end }}
+  image: {{ template "git_sync_image" . }}
+  imagePullPolicy: {{ .Values.images.gitSync.pullPolicy }}
+  securityContext: {{- include "localContainerSecurityContext" .Values.dags.gitSync | nindent 4 }}
+  env:
+    {{- if .Values.dags.gitSync.sshKeySecret }}
+    - name: GIT_SSH_KEY_FILE
+      value: "/etc/git-secret/ssh"
+    - name: GIT_SYNC_SSH
+      value: "true"
+    {{- if .Values.dags.gitSync.knownHosts }}
+    - name: GIT_KNOWN_HOSTS
+      value: "true"
+    - name: GIT_SSH_KNOWN_HOSTS_FILE
+      value: "/etc/git-secret/known_hosts"
+    {{- else }}
+    - name: GIT_KNOWN_HOSTS
+      value: "false"
+    {{- end }}
+    {{ else if .Values.dags.gitSync.credentialsSecret }}
+    - name: GIT_SYNC_USERNAME
+      valueFrom:
+        secretKeyRef:
+          name: {{ .Values.dags.gitSync.credentialsSecret | quote }}
+          key: GIT_SYNC_USERNAME
+    - name: GIT_SYNC_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: {{ .Values.dags.gitSync.credentialsSecret | quote }}
+          key: GIT_SYNC_PASSWORD
+    {{- end }}
+    - name: GIT_SYNC_REV
+      value: {{ .Values.dags.gitSync.rev | quote }}
+    - name: GIT_SYNC_BRANCH
+      value: {{ .Values.dags.gitSync.branch | quote }}
+    - name: GIT_SYNC_REPO
+      value: {{ .Values.dags.gitSync.repo | quote }}
+    - name: GIT_SYNC_DEPTH
+      value: {{ .Values.dags.gitSync.depth | quote }}
+    - name: GIT_SYNC_ROOT
+      value: "/git"
+    - name: GIT_SYNC_DEST
+      value: "repo"
+    - name: GIT_SYNC_ADD_USER
+      value: "true"
+    - name: GIT_SYNC_WAIT
+      value: {{ .Values.dags.gitSync.wait | quote }}
+    - name: GIT_SYNC_MAX_SYNC_FAILURES
+      value: {{ .Values.dags.gitSync.maxFailures | quote }}
+    {{- if .is_init }}
+    - name: GIT_SYNC_ONE_TIME
+      value: "true"
+    {{- end }}
+    {{- with .Values.dags.gitSync.env }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  resources: {{ toYaml .Values.dags.gitSync.resources | nindent 6 }}
+  volumeMounts:
+  - name: dags
+    mountPath: /git
+  {{- if .Values.dags.gitSync.sshKeySecret }}
+  - name: git-sync-ssh-key
+    mountPath: /etc/git-secret/ssh
+    readOnly: true
+    subPath: gitSshKey
+  {{- if .Values.dags.gitSync.knownHosts }}
+  - name: config
+    mountPath: /etc/git-secret/known_hosts
+    readOnly: true
+    subPath: known_hosts
+  {{- end }}
+  {{- end }}
+  {{- if .Values.dags.gitSync.extraVolumeMounts }}
+    {{- tpl (toYaml .Values.dags.gitSync.extraVolumeMounts) . | nindent 2 }}
+  {{- end }}
+{{- end }}
+
+{{/* This helper will change when customers deploy a new image */}}
+{{- define "airflow_image" -}}
+  {{- $repository := .Values.images.airflow.repository | default .Values.defaultAirflowRepository -}}
+  {{- $tag := .Values.images.airflow.tag | default .Values.defaultAirflowTag -}}
+  {{- $digest := .Values.images.airflow.digest | default .Values.defaultAirflowDigest -}}
+  {{- if $digest }}
+    {{- printf "%s@%s" $repository $digest -}}
+  {{- else }}
+    {{- printf "%s:%s" $repository $tag -}}
+  {{- end }}
+{{- end }}
+
+{{- define "pod_template_image" -}}
+  {{- printf "%s:%s" (.Values.images.pod_template.repository | default .Values.defaultAirflowRepository) (.Values.images.pod_template.tag | default .Values.defaultAirflowTag) }}
+{{- end }}
+
+{{/* This helper is used for airflow containers that do not need the users code */}}
+{{ define "default_airflow_image" -}}
+  {{- $repository := .Values.defaultAirflowRepository -}}
+  {{- $tag := .Values.defaultAirflowTag -}}
+  {{- $digest := .Values.defaultAirflowDigest -}}
+  {{- if $digest }}
+    {{- printf "%s@%s" $repository $digest -}}
+  {{- else }}
+    {{- printf "%s:%s" $repository $tag -}}
+  {{- end }}
+{{- end }}
+
+{{ define "airflow_image_for_migrations" -}}
+  {{- if .Values.images.useDefaultImageForMigration }}
+    {{- template "default_airflow_image" . }}
+  {{- else }}
+    {{- template "airflow_image" . }}
+  {{- end }}
+{{- end }}
+
+{{- define "flower_image" -}}
+  {{- printf "%s:%s" (.Values.images.flower.repository | default .Values.defaultAirflowRepository) (.Values.images.flower.tag | default .Values.defaultAirflowTag) }}
+{{- end }}
+
+{{- define "statsd_image" -}}
+  {{- printf "%s:%s" .Values.images.statsd.repository .Values.images.statsd.tag }}
+{{- end }}
+
+{{- define "redis_image" -}}
+  {{- printf "%s:%s" .Values.images.redis.repository .Values.images.redis.tag }}
+{{- end }}
+
+{{- define "pgbouncer_image" -}}
+  {{- printf "%s:%s" .Values.images.pgbouncer.repository .Values.images.pgbouncer.tag }}
+{{- end }}
+
+{{- define "pgbouncer_exporter_image" -}}
+  {{- printf "%s:%s" .Values.images.pgbouncerExporter.repository .Values.images.pgbouncerExporter.tag }}
+{{- end }}
+
+{{- define "git_sync_image" -}}
+  {{- printf "%s:%s" .Values.images.gitSync.repository .Values.images.gitSync.tag }}
+{{- end }}
+
+{{- define "fernet_key_secret" -}}
+  {{- default (printf "%s-fernet-key" .Release.Name) .Values.fernetKeySecretName }}
+{{- end }}
+
+{{- define "webserver_secret_key_secret" -}}
+  {{- default (printf "%s-webserver-secret-key" (include "airflow.fullname" .)) .Values.webserverSecretKeySecretName }}
+{{- end }}
+
+{{- define "redis_password_secret" -}}
+  {{- default (printf "%s-redis-password" .Release.Name) .Values.redis.passwordSecretName }}
+{{- end }}
+
+{{- define "airflow_metadata_secret" -}}
+  {{- default (printf "%s-metadata" (include "airflow.fullname" .)) .Values.data.metadataSecretName }}
+{{- end }}
+
+{{- define "airflow_result_backend_secret" -}}
+  {{- default (printf "%s-result-backend" (include "airflow.fullname" .)) .Values.data.resultBackendSecretName }}
+{{- end }}
+
+{{- define "airflow_pod_template_file" -}}
+  {{- printf "%s/pod_templates" .Values.airflowHome }}
+{{- end }}
+
+{{- define "pgbouncer_config_secret" -}}
+  {{- default (printf "%s-pgbouncer-config" (include "airflow.fullname" .)) .Values.pgbouncer.configSecretName }}
+{{- end }}
+
+{{- define "pgbouncer_certificates_secret" -}}
+  {{- printf "%s-pgbouncer-certificates" (include "airflow.fullname" .) }}
+{{- end }}
+
+{{- define "pgbouncer_stats_secret" -}}
+  {{- default (printf "%s-pgbouncer-stats" (include "airflow.fullname" .)) .Values.pgbouncer.metricsExporterSidecar.statsSecretName }}
+{{- end }}
+
+{{- define "registry_secret" -}}
+  {{- default (printf "%s-registry" (include "airflow.fullname" .)) .Values.registry.secretName }}
+{{- end }}
+
+{{- define "elasticsearch_secret" -}}
+  {{- default (printf "%s-elasticsearch" (include "airflow.fullname" .)) .Values.elasticsearch.secretName }}
+{{- end }}
+
+{{- define "flower_secret" -}}
+  {{- default (printf "%s-flower" (include "airflow.fullname" .)) .Values.flower.secretName }}
+{{- end }}
+
+{{- define "kerberos_keytab_secret" -}}
+  {{- printf "%s-kerberos-keytab" (include "airflow.fullname" .) }}
+{{- end }}
+
+{{- define "kerberos_ccache_path" -}}
+  {{- printf "%s/%s" .Values.kerberos.ccacheMountPath .Values.kerberos.ccacheFileName }}
+{{- end }}
+
+{{- define "celery_executor_namespace" -}}
+  {{- if semverCompare ">=2.7.0" .Values.airflowVersion }}
+    {{- print "airflow.providers.celery.executors.celery_executor.app" -}}
+  {{- else }}
+    {{- print "airflow.executors.celery_executor.app" -}}
+  {{- end }}
+{{- end }}
+
+{{- define "pgbouncer_config" -}}
+{{ $resultBackendConnection := .Values.data.resultBackendConnection | default .Values.data.metadataConnection }}
+{{ $pgMetadataHost := .Values.data.metadataConnection.host | default (printf "%s-%s.%s" .Release.Name "postgresql" .Release.Namespace) }}
+{{ $pgResultBackendHost := $resultBackendConnection.host | default (printf "%s-%s.%s" .Release.Name "postgresql" .Release.Namespace) }}
+[databases]
+{{ .Release.Name }}-metadata = host={{ $pgMetadataHost }} dbname={{ .Values.data.metadataConnection.db }} port={{ .Values.data.metadataConnection.port }} pool_size={{ .Values.pgbouncer.metadataPoolSize }} {{ .Values.pgbouncer.extraIniMetadata | default "" }}
+{{ .Release.Name }}-result-backend = host={{ $pgResultBackendHost }} dbname={{ $resultBackendConnection.db }} port={{ $resultBackendConnection.port }} pool_size={{ .Values.pgbouncer.resultBackendPoolSize }} {{ .Values.pgbouncer.extraIniResultBackend | default "" }}
+
+[pgbouncer]
+pool_mode = transaction
+listen_port = {{ .Values.ports.pgbouncer }}
+listen_addr = *
+auth_type = {{ .Values.pgbouncer.auth_type }}
+auth_file = {{ .Values.pgbouncer.auth_file }}
+stats_users = {{ .Values.data.metadataConnection.user }}
+ignore_startup_parameters = extra_float_digits
+max_client_conn = {{ .Values.pgbouncer.maxClientConn }}
+verbose = {{ .Values.pgbouncer.verbose }}
+log_disconnections = {{ .Values.pgbouncer.logDisconnections }}
+log_connections = {{ .Values.pgbouncer.logConnections }}
+
+server_tls_sslmode = {{ .Values.pgbouncer.sslmode }}
+server_tls_ciphers = {{ .Values.pgbouncer.ciphers }}
+
+{{- if .Values.pgbouncer.ssl.ca }}
+server_tls_ca_file = /etc/pgbouncer/root.crt
+{{- end }}
+{{- if .Values.pgbouncer.ssl.cert }}
+server_tls_cert_file = /etc/pgbouncer/server.crt
+{{- end }}
+{{- if .Values.pgbouncer.ssl.key }}
+server_tls_key_file = /etc/pgbouncer/server.key
+{{- end }}
+
+{{- if .Values.pgbouncer.extraIni }}
+{{ .Values.pgbouncer.extraIni }}
+{{- end }}
+{{- end }}
+
+{{ define "pgbouncer_users" }}
+{{- $resultBackendConnection := .Values.data.resultBackendConnection | default .Values.data.metadataConnection }}
+{{ .Values.data.metadataConnection.user | quote }} {{ .Values.data.metadataConnection.pass | quote }}
+{{ $resultBackendConnection.user | quote }} {{ $resultBackendConnection.pass | quote }}
+{{- end }}
+
+{{- define "airflow_logs" -}}
+  {{- printf "%s/logs" .Values.airflowHome | quote }}
+{{- end }}
+
+{{- define "airflow_logs_no_quote" -}}
+  {{- printf "%s/logs" .Values.airflowHome }}
+{{- end }}
+
+{{- define "airflow_logs_volume_claim" -}}
+  {{- if .Values.logs.persistence.existingClaim }}
+    {{- .Values.logs.persistence.existingClaim }}
+  {{- else }}
+    {{- printf "%s-logs" .Release.Name }}
+  {{- end }}
+{{- end }}
+
+{{- define "airflow_dags" -}}
+  {{- if .Values.dags.gitSync.enabled }}
+    {{- printf "%s/dags/repo/%s" .Values.airflowHome .Values.dags.gitSync.subPath }}
+  {{- else }}
+    {{- printf "%s/dags" .Values.airflowHome }}
+  {{- end }}
+{{- end }}
+
+{{- define "airflow_dags_volume_claim" -}}
+  {{- if .Values.dags.persistence.existingClaim }}
+    {{- .Values.dags.persistence.existingClaim }}
+  {{- else }}
+    {{- printf "%s-dags" .Release.Name }}
+  {{- end }}
+{{- end }}
+
+{{- define "airflow_dags_mount" -}}
+- name: dags
+  mountPath: {{ printf "%s/dags" .Values.airflowHome }}
+  {{- if .Values.dags.persistence.subPath }}
+  subPath: {{ .Values.dags.persistence.subPath }}
+  {{- end }}
+  readOnly: {{ .Values.dags.gitSync.enabled | ternary "True" "False" }}
+{{- end }}
+
+{{- define "airflow_config_path" -}}
+  {{- printf "%s/airflow.cfg" .Values.airflowHome | quote }}
+{{- end }}
+
+{{- define "airflow_webserver_config_path" -}}
+  {{- printf "%s/webserver_config.py" .Values.airflowHome | quote }}
+{{- end }}
+
+{{- define "airflow_webserver_config_configmap_name" -}}
+  {{- default (printf "%s-webserver-config" .Release.Name) .Values.webserver.webserverConfigConfigMapName }}
+{{- end }}
+
+{{- define "airflow_webserver_config_mount" -}}
+- name: webserver-config
+  mountPath: {{ template "airflow_webserver_config_path" . }}
+  subPath: webserver_config.py
+  readOnly: True
+{{- end }}
+
+{{- define "airflow_local_setting_path" -}}
+  {{- printf "%s/config/airflow_local_settings.py" .Values.airflowHome | quote }}
+{{- end }}
+
+{{- define "airflow_config" -}}
+  {{- printf "%s-config" (include "airflow.fullname" .) }}
+{{- end }}
+
+{{- define "airflow_config_mount" -}}
+- name: config
+  mountPath: {{ template "airflow_config_path" . }}
+  subPath: airflow.cfg
+  readOnly: true
+  {{- if .Values.airflowLocalSettings }}
+- name: config
+  mountPath: {{ template "airflow_local_setting_path" . }}
+  subPath: airflow_local_settings.py
+  readOnly: true
+  {{- end }}
+{{- end }}
+
+{{/* Create the name of the webserver service account to use */}}
+{{- define "webserver.serviceAccountName" -}}
+  {{- if .Values.webserver.serviceAccount.create }}
+    {{- default (printf "%s-webserver" (include "airflow.serviceAccountName" .)) .Values.webserver.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.webserver.serviceAccount.name }}
+  {{- end }}
+{{- end }}
+
+{{/* Create the name of the redis service account to use */}}
+{{- define "redis.serviceAccountName" -}}
+  {{- if .Values.redis.serviceAccount.create }}
+    {{- default (printf "%s-redis" (include "airflow.serviceAccountName" .)) .Values.redis.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.redis.serviceAccount.name }}
+  {{- end }}
+{{- end }}
+
+{{/* Create the name of the flower service account to use */}}
+{{- define "flower.serviceAccountName" -}}
+  {{- if .Values.flower.serviceAccount.create }}
+    {{- default (printf "%s-flower" (include "airflow.serviceAccountName" .)) .Values.flower.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.flower.serviceAccount.name }}
+  {{- end }}
+{{- end }}
+
+{{/* Create the name of the scheduler service account to use */}}
+{{- define "scheduler.serviceAccountName" -}}
+  {{- if .Values.scheduler.serviceAccount.create }}
+    {{- default (printf "%s-scheduler" (include "airflow.serviceAccountName" .)) .Values.scheduler.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.scheduler.serviceAccount.name }}
+  {{- end }}
+{{- end }}
+
+{{/* Create the name of the StatsD service account to use */}}
+{{- define "statsd.serviceAccountName" -}}
+  {{- if .Values.statsd.serviceAccount.create }}
+    {{- default (printf "%s-statsd" (include "airflow.serviceAccountName" .)) .Values.statsd.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.statsd.serviceAccount.name }}
+  {{- end }}
+{{- end }}
+
+{{/* Create the name of the create user job service account to use */}}
+{{- define "createUserJob.serviceAccountName" -}}
+  {{- if .Values.createUserJob.serviceAccount.create }}
+    {{- default (printf "%s-create-user-job" (include "airflow.serviceAccountName" .)) .Values.createUserJob.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.createUserJob.serviceAccount.name }}
+  {{- end }}
+{{- end }}
+
+{{/* Create the name of the migrate database job service account to use */}}
+{{- define "migrateDatabaseJob.serviceAccountName" -}}
+  {{- if .Values.migrateDatabaseJob.serviceAccount.create }}
+    {{- default (printf "%s-migrate-database-job" (include "airflow.serviceAccountName" .)) .Values.migrateDatabaseJob.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.migrateDatabaseJob.serviceAccount.name }}
+  {{- end }}
+{{- end }}
+
+{{/* Create the name of the worker service account to use */}}
+{{- define "worker.serviceAccountName" -}}
+  {{- if .Values.workers.serviceAccount.create }}
+    {{- default (printf "%s-worker" (include "airflow.serviceAccountName" .)) .Values.workers.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.workers.serviceAccount.name }}
+  {{- end }}
+{{- end }}
+
+{{/* Create the name of the triggerer service account to use */}}
+{{- define "triggerer.serviceAccountName" -}}
+  {{- if .Values.triggerer.serviceAccount.create }}
+    {{- default (printf "%s-triggerer" (include "airflow.serviceAccountName" .)) .Values.triggerer.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.triggerer.serviceAccount.name }}
+  {{- end }}
+{{- end }}
+
+{{/* Create the name of the dag processor service account to use */}}
+{{- define "dagProcessor.serviceAccountName" -}}
+  {{- if .Values.dagProcessor.serviceAccount.create }}
+    {{- default (printf "%s-dag-processor" (include "airflow.serviceAccountName" .)) .Values.dagProcessor.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.dagProcessor.serviceAccount.name }}
+  {{- end }}
+{{- end }}
+
+{{/* Create the name of the pgbouncer service account to use */}}
+{{- define "pgbouncer.serviceAccountName" -}}
+  {{- if .Values.pgbouncer.serviceAccount.create }}
+    {{- default (printf "%s-pgbouncer" (include "airflow.serviceAccountName" .)) .Values.pgbouncer.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.pgbouncer.serviceAccount.name }}
+  {{- end }}
+{{- end }}
+
+{{/* Create the name of the cleanup service account to use */}}
+{{- define "cleanup.serviceAccountName" -}}
+  {{- if .Values.cleanup.serviceAccount.create }}
+    {{- default (printf "%s-cleanup" (include "airflow.serviceAccountName" .)) .Values.cleanup.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.cleanup.serviceAccount.name }}
+  {{- end }}
+{{- end }}
+
+{{- define "wait-for-migrations-command" -}}
+  {{- if semverCompare ">=2.0.0" .Values.airflowVersion }}
+  - airflow
+  - db
+  - check-migrations
+  - --migration-wait-timeout={{ .Values.images.migrationsWaitTimeout }}
+  {{- else }}
+  - python
+  - -c
+  - |
+        import airflow
+        import logging
+        import os
+        import time
+
+        from alembic.config import Config
+        from alembic.runtime.migration import MigrationContext
+        from alembic.script import ScriptDirectory
+
+        from airflow import settings
+
+        package_dir = os.path.abspath(os.path.dirname(airflow.__file__))
+        directory = os.path.join(package_dir, 'migrations')
+        config = Config(os.path.join(package_dir, 'alembic.ini'))
+        config.set_main_option('script_location', directory)
+        config.set_main_option('sqlalchemy.url', settings.SQL_ALCHEMY_CONN.replace('%', '%%'))
+        script_ = ScriptDirectory.from_config(config)
+
+        timeout=60
+
+        with settings.engine.connect() as connection:
+            context = MigrationContext.configure(connection)
+            ticker = 0
+            while True:
+                source_heads = set(script_.get_heads())
+
+                db_heads = set(context.get_current_heads())
+                if source_heads == db_heads:
+                    break
+
+                if ticker >= timeout:
+                    raise TimeoutError("There are still unapplied migrations after {} seconds.".format(ticker))
+                ticker += 1
+                time.sleep(1)
+                logging.info('Waiting for migrations... %s second(s)', ticker)
+  {{- end }}
+{{- end }}
+
+{{- define "scheduler_liveness_check_command" }}
+  {{- if semverCompare ">=2.5.0" .Values.airflowVersion }}
+  - sh
+  - -c
+  - |
+    CONNECTION_CHECK_MAX_COUNT=0 AIRFLOW__LOGGING__LOGGING_LEVEL=ERROR exec /entrypoint \
+    airflow jobs check --job-type SchedulerJob --local
+  {{- else if semverCompare ">=2.1.0" .Values.airflowVersion }}
+  - sh
+  - -c
+  - |
+    CONNECTION_CHECK_MAX_COUNT=0 AIRFLOW__LOGGING__LOGGING_LEVEL=ERROR exec /entrypoint \
+    airflow jobs check --job-type SchedulerJob --hostname $(hostname)
+  {{- else }}
+  - sh
+  - -c
+  - |
+    CONNECTION_CHECK_MAX_COUNT=0 exec /entrypoint python -Wignore -c "
+    import os
+    os.environ['AIRFLOW__CORE__LOGGING_LEVEL'] = 'ERROR'
+    os.environ['AIRFLOW__LOGGING__LOGGING_LEVEL'] = 'ERROR'
+    from airflow.jobs.scheduler_job import SchedulerJob
+    from airflow.utils.db import create_session
+    from airflow.utils.net import get_hostname
+    import sys
+    with create_session() as session:
+        job = session.query(SchedulerJob).filter_by(hostname=get_hostname()).order_by(
+            SchedulerJob.latest_heartbeat.desc()).limit(1).first()
+    sys.exit(0 if job.is_alive() else 1)"
+  {{- end }}
+{{- end }}
+
+
+{{- define  "scheduler_startup_check_command" }}
+  {{- if semverCompare ">=2.5.0" .Values.airflowVersion }}
+  - sh
+  - -c
+  - |
+    CONNECTION_CHECK_MAX_COUNT=0 AIRFLOW__LOGGING__LOGGING_LEVEL=ERROR exec /entrypoint \
+    airflow jobs check --job-type SchedulerJob --local
+  {{- else if semverCompare ">=2.1.0" .Values.airflowVersion }}
+  - sh
+  - -c
+  - |
+    CONNECTION_CHECK_MAX_COUNT=0 AIRFLOW__LOGGING__LOGGING_LEVEL=ERROR exec /entrypoint \
+    airflow jobs check --job-type SchedulerJob --hostname $(hostname)
+  {{- else }}
+  - sh
+  - -c
+  - |
+    CONNECTION_CHECK_MAX_COUNT=0 exec /entrypoint python -Wignore -c "
+    import os
+    os.environ['AIRFLOW__CORE__LOGGING_LEVEL'] = 'ERROR'
+    os.environ['AIRFLOW__LOGGING__LOGGING_LEVEL'] = 'ERROR'
+    from airflow.jobs.scheduler_job import SchedulerJob
+    from airflow.utils.db import create_session
+    from airflow.utils.net import get_hostname
+    import sys
+    with create_session() as session:
+        job = session.query(SchedulerJob).filter_by(hostname=get_hostname()).order_by(
+            SchedulerJob.latest_heartbeat.desc()).limit(1).first()
+    sys.exit(0 if job.is_alive() else 1)"
+  {{- end }}
+{{- end }}
+
+{{- define "triggerer_liveness_check_command" }}
+  {{- if semverCompare ">=2.5.0" .Values.airflowVersion }}
+  - sh
+  - -c
+  - |
+    CONNECTION_CHECK_MAX_COUNT=0 AIRFLOW__LOGGING__LOGGING_LEVEL=ERROR exec /entrypoint \
+    airflow jobs check --job-type TriggererJob --local
+  {{- else }}
+  - sh
+  - -c
+  - |
+    CONNECTION_CHECK_MAX_COUNT=0 AIRFLOW__LOGGING__LOGGING_LEVEL=ERROR exec /entrypoint \
+    airflow jobs check --job-type TriggererJob --hostname $(hostname)
+  {{- end }}
+{{- end }}
+
+{{- define "dag_processor_liveness_check_command" }}
+  {{- $commandArgs := (list) -}}
+  {{- if semverCompare ">=2.5.0" .Values.airflowVersion }}
+    {{- $commandArgs = append $commandArgs "--local" -}}
+    {{- if semverCompare ">=2.5.2" .Values.airflowVersion }}
+      {{- $commandArgs = concat $commandArgs (list "--job-type" "DagProcessorJob") -}}
+    {{- end }}
+  {{- else }}
+    {{- $commandArgs = concat $commandArgs (list "--hostname" "$(hostname)") -}}
+  {{- end }}
+  - sh
+  - -c
+  - |
+    CONNECTION_CHECK_MAX_COUNT=0 AIRFLOW__LOGGING__LOGGING_LEVEL=ERROR exec /entrypoint \
+    airflow jobs check {{ join " " $commandArgs }}
+{{- end }}
+
+{{- define "registry_docker_config" }}
+  {{- $host := .Values.registry.connection.host }}
+  {{- $email := .Values.registry.connection.email }}
+  {{- $user := .Values.registry.connection.user }}
+  {{- $pass := .Values.registry.connection.pass }}
+
+  {{- $config := dict "auths" }}
+  {{- $auth := dict }}
+  {{- $data := dict }}
+  {{- $_ := set $data "username" $user }}
+  {{- $_ := set $data "password" $pass }}
+  {{- $_ := set $data "email" $email }}
+  {{- $_ := set $data "auth" (printf "%v:%v" $user $pass | b64enc) }}
+  {{- $_ := set $auth $host $data }}
+  {{- $_ := set $config "auths" $auth }}
+  {{ $config | toJson | print }}
+{{- end }}
+
+{{/*
+Set the default value for pod securityContext
+If no value is passed for securityContexts.pod or <node>.securityContexts.pod or legacy securityContext and <node>.securityContext, defaults to global uid and gid.
+
+    +-----------------------------+      +------------------------+      +----------------------+      +-----------------+      +-------------------------+
+    | <node>.securityContexts.pod |  ->  | <node>.securityContext |  ->  | securityContexts.pod |  ->  | securityContext |  ->  | Values.uid + Values.gid |
+    +-----------------------------+      +------------------------+      +----------------------+      +-----------------+      +-------------------------+
+
+Values are not accumulated meaning that if runAsUser is set to 10 in <node>.securityContexts.pod,
+any extra values set to securityContext or uid+gid will be ignored.
+
+The template can be called like so:
+   include "airflowPodSecurityContext" (list . .Values.webserver)
+
+Where `.` is the global variables scope and `.Values.webserver` the local variables scope for the webserver template.
+*/}}
+{{- define "airflowPodSecurityContext" -}}
+  {{- $ := index . 0 -}}
+  {{- with index . 1 }}
+    {{- if .securityContexts.pod -}}
+      {{ toYaml .securityContexts.pod | print }}
+    {{- else if .securityContext -}}
+      {{ toYaml .securityContext | print }}
+    {{- else if $.Values.securityContexts.pod -}}
+      {{ toYaml $.Values.securityContexts.pod | print }}
+    {{- else if $.Values.securityContext -}}
+      {{ toYaml $.Values.securityContext | print }}
+    {{- else -}}
+runAsUser: {{ $.Values.uid }}
+fsGroup: {{ $.Values.gid }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Set the default value for pod securityContext
+If no value is passed for <node>.securityContexts.pod or <node>.securityContext, defaults to UID in the local node.
+
+    +-----------------------------+      +------------------------+      +-------------+
+    | <node>.securityContexts.pod |  ->  | <node>.securityContext |  ->  | <node>.uid  |
+    +-----------------------------+      +------------------------+      +-------------+
+
+The template can be called like so:
+  include "localPodSecurityContext" (list . .Values.schedule)
+
+It is important to pass the local variables scope to this template as it is used to determine the local node value for uid.
+*/}}
+{{- define "localPodSecurityContext" -}}
+  {{- if .securityContexts.pod -}}
+    {{ toYaml .securityContexts.pod | print }}
+  {{- else if .securityContext -}}
+    {{ toYaml .securityContext | print }}
+  {{- else -}}
+runAsUser: {{ .uid }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Set the default value for container securityContext
+If no value is passed for <node>.securityContexts.container or <node>.securityContext, defaults to UID in the local node.
+
+    +-----------------------------------+      +------------------------+      +-------------+
+    | <node>.securityContexts.container |  ->  | <node>.securityContext |  ->  | <node>.uid  |
+    +-----------------------------------+      +------------------------+      +-------------+
+
+The template can be called like so:
+  include "localContainerSecurityContext" .Values.statsd
+
+It is important to pass the local variables scope to this template as it is used to determine the local node value for uid.
+*/}}
+{{- define "localContainerSecurityContext" -}}
+  {{- if .securityContexts.container -}}
+    {{ toYaml .securityContexts.container | print }}
+  {{- else if .securityContext -}}
+    {{ toYaml .securityContext | print }}
+  {{- else -}}
+runAsUser: {{ .uid }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Set the default value for workers chown for persistent storage
+If no value is passed for securityContexts.pod or <node>.securityContexts.pod or legacy securityContext and <node>.securityContext, defaults to global uid and gid.
+The template looks for `runAsUser` and `fsGroup` specifically, any other parameter will be ignored.
+
+    +-----------------------------+      +----------------------------------------------------+      +------------------+      +-------------------------+
+    | <node>.securityContexts.pod |  ->  | securityContexts.pod | <node>.securityContexts.pod |  ->  | securityContexts |  ->  | Values.uid + Values.gid |
+    +-----------------------------+      +----------------------------------------------------+      +------------------+      +-------------------------+
+
+Values are not accumulated meaning that if runAsUser is set to 10 in <node>.securityContexts.pod,
+any extra values set to securityContexts or uid+gid will be ignored.
+
+The template can be called like so:
+   include "airflowPodSecurityContextsIds" (list . .Values.webserver)
+
+Where `.` is the global variables scope and `.Values.workers` the local variables scope for the workers template.
+*/}}
+{{- define "airflowPodSecurityContextsIds" -}}
+  {{- $ := index . 0 -}}
+  {{- with index . 1 }}
+    {{- if .securityContexts.pod -}}
+      {{ pluck "runAsUser" .securityContexts.pod | first | default $.Values.uid }}:{{ pluck "fsGroup" .securityContexts.pod | first | default $.Values.gid }}
+    {{- else if $.Values.securityContext -}}
+      {{ pluck "runAsUser" $.Values.securityContext | first | default $.Values.uid }}:{{ pluck "fsGroup" $.Values.securityContext | first | default $.Values.gid }}
+    {{- else if $.Values.securityContexts.pod -}}
+      {{ pluck "runAsUser" $.Values.securityContexts.pod | first | default $.Values.uid }}:{{ pluck "fsGroup" $.Values.securityContexts.pod | first | default $.Values.gid }}
+    {{- else if $.Values.securityContext -}}
+      {{ pluck "runAsUser" $.Values.securityContext | first | default $.Values.uid }}:{{ pluck "fsGroup" $.Values.securityContext | first | default $.Values.gid }}
+    {{- else -}}
+{{ $.Values.uid }}:{{ $.Values.gid }}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Set the default value for container securityContext
+If no value is passed for securityContexts.container or <node>.securityContexts.container, defaults to deny privileges escallation and dropping all POSIX capabilities.
+
+    +-----------------------------------+      +----------------------------+      +-----------------------------------------------------------+
+    | <node>.securityContexts.container |  ->  | securityContexts.containers |  ->  | allowPrivilegesEscalation: false, capabilities.drop: [ALL]|
+    +-----------------------------------+      +----------------------------+      +-----------------------------------------------------------+
+
+The template can be called like so:
+   include "containerSecurityContext" (list . .Values.webserver)
+
+Where `.` is the global variables scope and `.Values.webserver` the local variables scope for the webserver template.
+*/}}
+{{- define "containerSecurityContext" -}}
+  {{- $ := index . 0 -}}
+  {{- with index . 1 }}
+    {{- if .securityContexts.container -}}
+      {{ toYaml .securityContexts.container | print }}
+    {{- else if $.Values.securityContexts.containers -}}
+      {{ toYaml $.Values.securityContexts.containers | print }}
+    {{- else -}}
+allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Set the default value for external container securityContext(redis and statsd).
+If no value is passed for <node>.securityContexts.container, defaults to deny privileges escallation and dropping all POSIX capabilities.
+
+    +-----------------------------------+      +-----------------------------------------------------------+
+    | <node>.securityContexts.container |  ->  | allowPrivilegesEscalation: false, capabilities.drop: [ALL]|
+    +-----------------------------------+      +-----------------------------------------------------------+
+
+The template can be called like so:
+  include "externalContainerSecurityContext" .Values.statsd
+*/}}
+{{- define "externalContainerSecurityContext" -}}
+  {{- if .securityContexts.container -}}
+    {{ toYaml .securityContexts.container | print }}
+  {{- else -}}
+allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+  {{- end -}}
+{{- end -}}
+
+{{- define "container_extra_envs" -}}
+  {{- $ := index . 0 -}}
+  {{- $env := index . 1 -}}
+  {{- range $i, $config := $env }}
+  - name: {{ $config.name }}
+    value: {{ $config.value | quote }}
+    {{- if or (eq $.Values.executor "KubernetesExecutor") (eq $.Values.executor "LocalKubernetesExecutor") (eq $.Values.executor "CeleryKubernetesExecutor") }}
+  - name: AIRFLOW__KUBERNETES_ENVIRONMENT_VARIABLES__{{ $config.name }}
+    value: {{ $config.value | quote }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- define "kedaNetworkPolicySelector" }}
+  {{- if .Values.workers.keda.enabled }}
+
+  {{- if .Values.workers.keda.namespaceLabels }}
+      - namespaceSelector:
+          matchLabels: {{- toYaml .Values.workers.keda.namespaceLabels | nindent 10 }}
+        podSelector:
+  {{- else }}
+      - podSelector:
+  {{- end }}
+          matchLabels:
+            app: keda-operator
+  {{- end }}
+{{- end }}

helm/airflow/templates/check-values.yaml

@@ -0,0 +1,64 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+{{- /*
+The sole purpose of this yaml file is it to check the values file is consistent for some complexe combinations.
+*/ -}}
+
+{{- /*
+##############################
+   Redis related checks
+#############################
+*/ -}}
+
+  {{- if or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "CeleryKubernetesExecutor") }}
+    {{- if .Values.redis.enabled }}
+
+      {{- if and .Values.redis.passwordSecretName (not .Values.data.brokerUrlSecretName) }}
+        {{ required "When using the internal redis of the chart and setting the value redis.passwordSecretName, you must also set the value data.brokerUrlSecretName." nil }}
+      {{- end }}
+
+      {{- if and .Values.redis.passwordSecretName .Values.redis.password }}
+        {{ required "You must not set both values redis.passwordSecretName and redis.password" nil }}
+      {{- end }}
+
+    {{- else }}
+
+      {{- if not (or .Values.data.brokerUrlSecretName .Values.data.brokerUrl) }}
+        {{ required "You must set one of the values data.brokerUrlSecretName or data.brokerUrl when using a Celery based executor with redis.enabled set to false (we need the url to the redis instance)." nil }}
+      {{- end }}
+
+    {{- end }}
+
+    {{- if and .Values.data.brokerUrlSecretName .Values.data.brokerUrl }}
+      {{ required "You must not set both values data.brokerUrlSecretName and data.brokerUrl" nil }}
+    {{- end }}
+
+  {{- end }}
+
+  {{- if .Values.elasticsearch.enabled  }}
+    {{- if and .Values.elasticsearch.secretName .Values.elasticsearch.connection }}
+      {{ required "You must not set both values elasticsearch.secretName and elasticsearch.connection" nil }}
+    {{- end }}
+
+    {{- if not (or .Values.elasticsearch.secretName .Values.elasticsearch.connection) }}
+      {{ required "You must set one of the values elasticsearch.secretName or elasticsearch.connection when using a Elasticsearch" nil }}
+    {{- end }}
+
+  {{- end }}

helm/airflow/templates/cleanup/cleanup-cronjob.yaml

@@ -0,0 +1,109 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+################################
+## Airflow Cleanup Pods CronJob
+#################################
+{{- if .Values.cleanup.enabled }}
+{{- $nodeSelector := or .Values.cleanup.nodeSelector .Values.nodeSelector }}
+{{- $affinity := or .Values.cleanup.affinity .Values.affinity }}
+{{- $tolerations := or .Values.cleanup.tolerations .Values.tolerations }}
+{{- $topologySpreadConstraints := or .Values.cleanup.topologySpreadConstraints .Values.topologySpreadConstraints }}
+{{- $securityContext := include "airflowPodSecurityContext" (list . .Values.cleanup) }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "airflow.fullname" . }}-cleanup
+  labels:
+    tier: airflow
+    component: airflow-cleanup-pods
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.cleanup.jobAnnotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  schedule: "{{ tpl .Values.cleanup.schedule . }}"
+  # The cron job does not allow concurrent runs; if it is time for a new job run and the previous job run hasn't finished yet, the cron job skips the new job run
+  concurrencyPolicy: Forbid
+  {{- if .Values.cleanup.failedJobsHistoryLimit }}
+  failedJobsHistoryLimit: {{ .Values.cleanup.failedJobsHistoryLimit }}
+  {{- end }}
+  {{- if .Values.cleanup.successfulJobsHistoryLimit }}
+  successfulJobsHistoryLimit: {{ .Values.cleanup.successfulJobsHistoryLimit }}
+  {{- end }}
+  jobTemplate:
+    spec:
+      backoffLimit: 1
+      template:
+        metadata:
+          labels:
+            tier: airflow
+            component: airflow-cleanup-pods
+            release: {{ .Release.Name }}
+            {{- if or (.Values.labels) (.Values.cleanup.labels) }}
+              {{- mustMerge .Values.cleanup.labels .Values.labels | toYaml | nindent 12 }}
+            {{- end }}
+          annotations:
+            sidecar.istio.io/inject: "false"
+            {{- if .Values.airflowPodAnnotations }}
+              {{- toYaml .Values.airflowPodAnnotations | nindent 12 }}
+            {{- end }}
+            {{- if .Values.cleanup.podAnnotations }}
+              {{- toYaml .Values.cleanup.podAnnotations | nindent 12 }}
+            {{- end }}
+        spec:
+          restartPolicy: Never
+          nodeSelector: {{- toYaml $nodeSelector | nindent 12 }}
+          affinity: {{- toYaml $affinity | nindent 12 }}
+          {{- if .Values.schedulerName }}
+          schedulerName: {{ .Values.schedulerName }}
+          {{- end }}
+          tolerations: {{- toYaml $tolerations | nindent 12 }}
+          topologySpreadConstraints: {{- toYaml $topologySpreadConstraints | nindent 12 }}
+          serviceAccountName: {{ include "cleanup.serviceAccountName" . }}
+          {{- if or .Values.registry.secretName .Values.registry.connection }}
+          imagePullSecrets:
+            - name: {{ template "registry_secret" . }}
+          {{- end }}
+          securityContext: {{ $securityContext | nindent 12 }}
+          containers:
+            - name: airflow-cleanup-pods
+              image: {{ template "airflow_image" . }}
+              imagePullPolicy: {{ .Values.images.airflow.pullPolicy }}
+              {{- if .Values.cleanup.command }}
+              command: {{ tpl (toYaml .Values.cleanup.command) . | nindent 16 }}
+              {{- end }}
+              {{- if .Values.cleanup.args }}
+              args: {{ tpl (toYaml .Values.cleanup.args) . | nindent 16 }}
+              {{- end }}
+              env:
+                {{- include "standard_airflow_environment" . | indent 12 }}
+                {{- include "container_extra_envs" (list . .Values.cleanup.env) | indent 12 }}
+              volumeMounts: {{- include "airflow_config_mount" . | nindent 16 }}
+              resources: {{- toYaml .Values.cleanup.resources | nindent 16 }}
+          volumes:
+            - name: config
+              configMap:
+                name: {{ template "airflow_config" . }}
+{{- end }}

helm/airflow/templates/cleanup/cleanup-serviceaccount.yaml

@@ -0,0 +1,40 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+################################
+## Airflow Cleanup ServiceAccount
+#################################
+{{- if and .Values.cleanup.serviceAccount.create .Values.cleanup.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.cleanup.serviceAccount.automountServiceAccountToken }}
+metadata:
+  name: {{ include "cleanup.serviceAccountName" . }}
+  labels:
+    tier: airflow
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- if or (.Values.labels) (.Values.cleanup.labels) }}
+      {{- mustMerge .Values.cleanup.labels .Values.labels | toYaml | nindent 4 }}
+    {{- end }}
+  {{- with .Values.cleanup.serviceAccount.annotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

helm/airflow/templates/configmaps/configmap.yaml

@@ -0,0 +1,74 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+################################
+## Airflow ConfigMap
+#################################
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "airflow_config" . }}
+  labels:
+    tier: airflow
+    component: config
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- with .Values.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end -}}
+  {{- if .Values.airflowConfigAnnotations }}
+  annotations: {{- toYaml .Values.airflowConfigAnnotations | nindent 4 }}
+  {{- end }}
+{{- $Global := . }}
+data:
+  # These are system-specified config overrides.
+  airflow.cfg: |-
+    {{- range $section, $settings := .Values.config }}
+    [{{ $section }}]
+    {{- range $key, $val := $settings }}
+    {{ $key }} = {{ tpl ($val | toString) $Global }}
+    {{- end }}
+    {{ end }}
+
+  {{- if .Values.airflowLocalSettings }}
+  airflow_local_settings.py: |-
+    {{- tpl .Values.airflowLocalSettings . | nindent 4 }}
+  {{- end }}
+
+  {{- if and .Values.dags.gitSync.enabled .Values.dags.gitSync.knownHosts }}
+  known_hosts: |-
+    {{- .Values.dags.gitSync.knownHosts | nindent 4 }}
+  {{- end }}
+
+{{/*  {{- if or (eq $.Values.executor "LocalKubernetesExecutor") (eq $.Values.executor "KubernetesExecutor") (eq $.Values.executor "CeleryKubernetesExecutor") }}*/}}
+{{/*  {{- if semverCompare ">=1.10.12" .Values.airflowVersion }}*/}}
+  pod_template_file.yaml: |-
+    {{- if .Values.podTemplate }}
+      {{- tpl .Values.podTemplate . | nindent 4 }}
+    {{- else }}
+      {{- tpl (.Files.Get "files/pod-template-file.kubernetes-helm-yaml") . | nindent 4 }}
+    {{- end }}
+{{/*  {{- end }}*/}}
+{{/*  {{- end }}*/}}
+
+  {{- if .Values.kerberos.enabled }}
+  krb5.conf: |-
+    {{- tpl .Values.kerberos.config . | nindent 4 }}
+  {{- end }}

helm/airflow/templates/configmaps/extra-configmaps.yaml

@@ -0,0 +1,53 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+####################################################
+## Extra ConfigMaps provisioned via the chart values
+####################################################
+{{- $Global := . }}
+{{- range $configMapName, $configMapContent := .Values.extraConfigMaps }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ tpl $configMapName $Global | quote }}
+  labels:
+    release: {{ $Global.Release.Name }}
+    chart: "{{ $Global.Chart.Name }}-{{ $Global.Chart.Version }}"
+    heritage: {{ $Global.Release.Service }}
+    {{- with $Global.Values.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $configMapContent.labels }}
+      {{- toYaml $configMapContent.labels | nindent 4 }}
+    {{- end }}
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+    "helm.sh/hook-weight": "0"
+    {{- if $configMapContent.annotations }}
+      {{- toYaml $configMapContent.annotations | nindent 4 }}
+    {{- end }}
+{{- if $configMapContent.data }}
+data:
+  {{- with $configMapContent.data }}
+    {{- tpl . $Global | nindent 2 }}
+  {{- end }}
+{{- end }}
+{{- end }}

helm/airflow/templates/configmaps/statsd-configmap.yaml

@@ -0,0 +1,52 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+################################
+## Airflow StatsD ConfigMap
+#################################
+{{- if and .Values.statsd.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "airflow.fullname" . }}-statsd
+  labels:
+    tier: airflow
+    component: config
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- with .Values.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.statsd.configMapAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+data:
+  mappings.yml: |-
+    {{- if .Values.statsd.overrideMappings }}
+    mappings:
+      {{- toYaml .Values.statsd.overrideMappings | nindent 6 }}
+    {{- else }}
+      {{- .Files.Get "files/statsd-mappings.yml" | nindent 4 }}
+      {{- if .Values.statsd.extraMappings }}
+        {{- toYaml .Values.statsd.extraMappings | nindent 6 }}
+      {{- end }}
+    {{- end }}
+{{- end }}

helm/airflow/templates/configmaps/webserver-configmap.yaml

@@ -0,0 +1,44 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+################################
+## Airflow ConfigMap
+#################################
+{{- if and .Values.webserver.webserverConfig (not .Values.webserver.webserverConfigConfigMapName) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "airflow_webserver_config_configmap_name" . }}
+  labels:
+    tier: airflow
+    component: config
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- with .Values.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.webserver.configMapAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+data:
+  webserver_config.py: |-
+    {{- tpl .Values.webserver.webserverConfig . | nindent 4 }}
+{{- end }}

helm/airflow/templates/dag-processor/dag-processor-deployment.yaml

@@ -0,0 +1,261 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+################################
+## Airflow Dag Processor Deployment
+#################################
+{{- if semverCompare ">=2.3.0" .Values.airflowVersion }}
+{{- if .Values.dagProcessor.enabled }}
+{{- $nodeSelector := or .Values.dagProcessor.nodeSelector .Values.nodeSelector }}
+{{- $affinity := or .Values.dagProcessor.affinity .Values.affinity }}
+{{- $tolerations := or .Values.dagProcessor.tolerations .Values.tolerations }}
+{{- $topologySpreadConstraints := or .Values.dagProcessor.topologySpreadConstraints .Values.topologySpreadConstraints }}
+{{- $revisionHistoryLimit := or .Values.dagProcessor.revisionHistoryLimit .Values.revisionHistoryLimit }}
+{{- $securityContext := include "airflowPodSecurityContext" (list . .Values.dagProcessor) }}
+{{- $containerSecurityContext := include "containerSecurityContext" (list . .Values.dagProcessor) }}
+{{- $containerLifecycleHooks := or .Values.dagProcessor.containerLifecycleHooks .Values.containerLifecycleHooks }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "airflow.fullname" . }}-dag-processor
+  labels:
+    tier: airflow
+    component: dag-processor
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- with .Values.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- if .Values.dagProcessor.annotations }}
+  annotations: {{- toYaml .Values.dagProcessor.annotations | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ .Values.dagProcessor.replicas }}
+  {{- if $revisionHistoryLimit }}
+  revisionHistoryLimit: {{ $revisionHistoryLimit }}
+  {{- end }}
+  selector:
+    matchLabels:
+      tier: airflow
+      component: dag-processor
+      release: {{ .Release.Name }}
+  {{- if .Values.dagProcessor.strategy }}
+  strategy: {{- toYaml .Values.dagProcessor.strategy | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        tier: airflow
+        component: dag-processor
+        release: {{ .Release.Name }}
+        {{- with .Values.labels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      annotations:
+        checksum/metadata-secret: {{ include (print $.Template.BasePath "/secrets/metadata-connection-secret.yaml") . | sha256sum }}
+        checksum/pgbouncer-config-secret: {{ include (print $.Template.BasePath "/secrets/pgbouncer-config-secret.yaml") . | sha256sum }}
+        checksum/airflow-config: {{ include (print $.Template.BasePath "/configmaps/configmap.yaml") . | sha256sum }}
+        checksum/extra-configmaps: {{ include (print $.Template.BasePath "/configmaps/extra-configmaps.yaml") . | sha256sum }}
+        checksum/extra-secrets: {{ include (print $.Template.BasePath "/secrets/extra-secrets.yaml") . | sha256sum }}
+        {{- if .Values.dagProcessor.safeToEvict }}
+        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+        {{- end }}
+        {{- if .Values.airflowPodAnnotations }}
+          {{- toYaml .Values.airflowPodAnnotations | nindent 8 }}
+        {{- end }}
+        {{- if .Values.dagProcessor.podAnnotations }}
+          {{- toYaml .Values.dagProcessor.podAnnotations | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- if .Values.dagProcessor.priorityClassName }}
+      priorityClassName: {{ .Values.dagProcessor.priorityClassName }}
+      {{- end }}
+      nodeSelector: {{- toYaml $nodeSelector | nindent 8 }}
+      affinity:
+      {{- if $affinity }}
+        {{- toYaml $affinity | nindent 8 }}
+      {{- else }}
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchLabels:
+                  component: dag-processor
+              topologyKey: kubernetes.io/hostname
+            weight: 100
+      {{- end }}
+      {{- if .Values.schedulerName }}
+      schedulerName: {{ .Values.schedulerName }}
+      {{- end }}
+      tolerations: {{- toYaml $tolerations | nindent 8 }}
+      topologySpreadConstraints: {{- toYaml $topologySpreadConstraints | nindent 8 }}
+      terminationGracePeriodSeconds: {{ .Values.dagProcessor.terminationGracePeriodSeconds }}
+      restartPolicy: Always
+      serviceAccountName: {{ include "dagProcessor.serviceAccountName" . }}
+      securityContext: {{ $securityContext | nindent 8 }}
+      {{- if or .Values.registry.secretName .Values.registry.connection }}
+      imagePullSecrets:
+        - name: {{ template "registry_secret" . }}
+      {{- end }}
+      initContainers:
+        {{- if .Values.dagProcessor.waitForMigrations.enabled }}
+        - name: wait-for-airflow-migrations
+          resources: {{- toYaml .Values.dagProcessor.resources | nindent 12 }}
+          image: {{ template "airflow_image_for_migrations" . }}
+          imagePullPolicy: {{ .Values.images.airflow.pullPolicy }}
+          volumeMounts:
+            {{- if .Values.volumeMounts }}
+              {{- toYaml .Values.volumeMounts | nindent 12 }}
+            {{- end }}
+            {{- if .Values.dagProcessor.extraVolumeMounts }}
+              {{- tpl (toYaml .Values.dagProcessor.extraVolumeMounts) . | nindent 12 }}
+            {{- end }}
+            {{- include "airflow_config_mount" . | nindent 12 }}
+          args: {{- include "wait-for-migrations-command" . | indent 10 }}
+          envFrom: {{- include "custom_airflow_environment_from" . | default "\n  []" | indent 10 }}
+          env:
+            {{- include "custom_airflow_environment" . | indent 10 }}
+            {{- include "standard_airflow_environment" . | indent 10 }}
+            {{- if .Values.dagProcessor.waitForMigrations.env }}
+              {{- tpl (toYaml .Values.dagProcessor.waitForMigrations.env) $ | nindent 12 }}
+            {{- end }}
+        {{- end }}
+        {{- if and (.Values.dags.gitSync.enabled) (not .Values.dags.persistence.enabled) }}
+          {{- include "git_sync_container" (dict "Values" .Values "is_init" "true" "Template" .Template) | nindent 8 }}
+        {{- end }}
+        {{- if .Values.dagProcessor.extraInitContainers }}
+          {{- toYaml .Values.dagProcessor.extraInitContainers | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: dag-processor
+          image: {{ template "airflow_image" . }}
+          imagePullPolicy: {{ .Values.images.airflow.pullPolicy }}
+          securityContext: {{ $containerSecurityContext | nindent 12 }}
+          {{- if $containerLifecycleHooks  }}
+          lifecycle: {{- tpl (toYaml $containerLifecycleHooks) . | nindent 12 }}
+          {{- end }}
+          {{- if .Values.dagProcessor.command }}
+          command: {{ tpl (toYaml .Values.dagProcessor.command) . | nindent 12 }}
+          {{- end }}
+          {{- if .Values.dagProcessor.args }}
+          args: {{ tpl (toYaml .Values.dagProcessor.args) . | nindent 12 }}
+          {{- end }}
+          resources: {{- toYaml .Values.dagProcessor.resources | nindent 12 }}
+          volumeMounts:
+            {{- if .Values.volumeMounts }}
+              {{- toYaml .Values.volumeMounts | nindent 12 }}
+            {{- end }}
+            {{- if .Values.dagProcessor.extraVolumeMounts }}
+              {{- tpl (toYaml .Values.dagProcessor.extraVolumeMounts) . | nindent 12 }}
+            {{- end }}
+            - name: logs
+              mountPath: {{ template "airflow_logs" . }}
+            {{- include "airflow_config_mount" . | nindent 12 }}
+            {{- if or .Values.dags.persistence.enabled .Values.dags.gitSync.enabled }}
+              {{- include "airflow_dags_mount" . | nindent 12 }}
+            {{- end }}
+          envFrom: {{- include "custom_airflow_environment_from" . | default "\n  []" | indent 10 }}
+          env:
+            {{- include "custom_airflow_environment" . | indent 10 }}
+            {{- include "standard_airflow_environment" . | indent 10 }}
+            {{- include "container_extra_envs" (list . .Values.dagProcessor.env) | indent 10 }}
+          livenessProbe:
+            initialDelaySeconds: {{ .Values.dagProcessor.livenessProbe.initialDelaySeconds }}
+            timeoutSeconds: {{ .Values.dagProcessor.livenessProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.dagProcessor.livenessProbe.failureThreshold }}
+            periodSeconds: {{ .Values.dagProcessor.livenessProbe.periodSeconds }}
+            exec:
+              command:
+                {{- if .Values.dagProcessor.livenessProbe.command }}
+                  {{- toYaml .Values.dagProcessor.livenessProbe.command | nindent 16 }}
+                {{- else }}
+                  {{- include "dag_processor_liveness_check_command" . | indent 14 }}
+                {{- end }}
+        {{- if and (.Values.dags.gitSync.enabled) (not .Values.dags.persistence.enabled) }}
+          {{- include "git_sync_container" . | indent 8 }}
+        {{- end }}
+        {{- if .Values.dagProcessor.logGroomerSidecar.enabled }}
+        - name: dag-processor-log-groomer
+          resources: {{- toYaml .Values.dagProcessor.logGroomerSidecar.resources | nindent 12 }}
+          image: {{ template "airflow_image" . }}
+          imagePullPolicy: {{ .Values.images.airflow.pullPolicy }}
+          {{- if .Values.dagProcessor.logGroomerSidecar.command }}
+          command: {{ tpl (toYaml .Values.dagProcessor.logGroomerSidecar.command) . | nindent 12 }}
+          {{- end }}
+          {{- if .Values.dagProcessor.logGroomerSidecar.args }}
+          args: {{- tpl (toYaml .Values.dagProcessor.logGroomerSidecar.args) . | nindent 12 }}
+          {{- end }}
+          {{- if .Values.dagProcessor.logGroomerSidecar.retentionDays }}
+          env:
+            - name: AIRFLOW__LOG_RETENTION_DAYS
+              value: "{{ .Values.dagProcessor.logGroomerSidecar.retentionDays }}"
+          {{- end }}
+          volumeMounts:
+            - name: logs
+              mountPath: {{ template "airflow_logs" . }}
+            {{- if .Values.volumeMounts }}
+              {{- toYaml .Values.volumeMounts | nindent 12 }}
+            {{- end }}
+            {{- if .Values.dagProcessor.extraVolumeMounts }}
+              {{- tpl (toYaml .Values.dagProcessor.extraVolumeMounts) . | nindent 12 }}
+            {{- end }}
+            {{- if or .Values.webserver.webserverConfig .Values.webserver.webserverConfigConfigMapName }}
+              {{- include "airflow_webserver_config_mount" . | nindent 12 }}
+            {{- end }}
+          {{- end }}
+        {{- if .Values.dagProcessor.extraContainers }}
+          {{- toYaml .Values.dagProcessor.extraContainers | nindent 8 }}
+        {{- end }}
+      volumes:
+        - name: config
+          configMap:
+            name: {{ template "airflow_config" . }}
+        {{- if or .Values.webserver.webserverConfig .Values.webserver.webserverConfigConfigMapName }}
+        - name: webserver-config
+          configMap:
+            name: {{ template "airflow_webserver_config_configmap_name" . }}
+        {{- end }}
+        {{- if .Values.dags.persistence.enabled }}
+        - name: dags
+          persistentVolumeClaim:
+            claimName: {{ template "airflow_dags_volume_claim" . }}
+        {{- else if .Values.dags.gitSync.enabled }}
+        - name: dags
+          emptyDir: {}
+        {{- end }}
+        {{- if and .Values.dags.gitSync.enabled .Values.dags.gitSync.sshKeySecret }}
+          {{- include "git_sync_ssh_key_volume" . | indent 8 }}
+        {{- end }}
+        {{- if .Values.volumes }}
+          {{- toYaml .Values.volumes | nindent 8 }}
+        {{- end }}
+        {{- if .Values.dagProcessor.extraVolumes }}
+          {{- tpl (toYaml .Values.dagProcessor.extraVolumes) . | nindent 8 }}
+        {{- end }}
+        {{- if .Values.logs.persistence.enabled }}
+        - name: logs
+          persistentVolumeClaim:
+            claimName: {{ template "airflow_logs_volume_claim" . }}
+        {{- else }}
+        - name: logs
+          emptyDir: {}
+{{- end }}
+{{- end }}
+{{- end }}

helm/airflow/templates/dag-processor/dag-processor-serviceaccount.yaml

@@ -0,0 +1,43 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+################################
+## Airflow Dag Processor ServiceAccount
+#################################
+{{- if semverCompare ">=2.3.0" .Values.airflowVersion }}
+{{- if and .Values.dagProcessor.serviceAccount.create .Values.dagProcessor.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.dagProcessor.serviceAccount.automountServiceAccountToken }}
+metadata:
+  name: {{ include "dagProcessor.serviceAccountName" . }}
+  labels:
+    tier: airflow
+    component: dag-processor
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- with .Values.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.dagProcessor.serviceAccount.annotations}}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}

helm/airflow/templates/dags-persistent-volume-claim.yaml

@@ -0,0 +1,52 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+######################################
+## Airflow DAGs PersistentVolumeClaim
+######################################
+{{- if and (not .Values.dags.persistence.existingClaim ) .Values.dags.persistence.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ template "airflow_dags_volume_claim" . }}
+  labels:
+    tier: airflow
+    component: dags-pvc
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- with .Values.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.dags.persistence.annotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  accessModes: [{{ .Values.dags.persistence.accessMode | quote }}]
+  resources:
+    requests:
+      storage: {{ .Values.dags.persistence.size | quote }}
+  {{- if .Values.dags.persistence.storageClassName }}
+  {{- if (eq "-" .Values.dags.persistence.storageClassName) }}
+  storageClassName: ""
+  {{- else }}
+  storageClassName: "{{ .Values.dags.persistence.storageClassName }}"
+  {{- end }}
+  {{- end }}
+{{- end }}

helm/airflow/templates/flower/flower-deployment.yaml

@@ -0,0 +1,169 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+################################
+## Airflow Flower Deployment
+#################################
+{{- if .Values.flower.enabled }}
+{{- if or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "CeleryKubernetesExecutor") }}
+{{- $nodeSelector := or .Values.flower.nodeSelector .Values.nodeSelector }}
+{{- $affinity := or .Values.flower.affinity .Values.affinity }}
+{{- $tolerations := or .Values.flower.tolerations .Values.tolerations }}
+{{- $topologySpreadConstraints := or .Values.flower.topologySpreadConstraints .Values.topologySpreadConstraints }}
+{{- $revisionHistoryLimit := or .Values.flower.revisionHistoryLimit .Values.revisionHistoryLimit }}
+{{- $securityContext := include "airflowPodSecurityContext" (list . .Values.flower) }}
+{{- $containerSecurityContext := include "containerSecurityContext" (list . .Values.flower) }}
+{{- $containerLifecycleHooks := or .Values.flower.containerLifecycleHooks .Values.containerLifecycleHooks }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "airflow.fullname" . }}-flower
+  labels:
+    tier: airflow
+    component: flower
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- with .Values.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- if .Values.flower.annotations }}
+  annotations: {{- toYaml .Values.flower.annotations | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: 1
+  {{- if $revisionHistoryLimit }}
+  revisionHistoryLimit: {{ $revisionHistoryLimit }}
+  {{- end }}
+  selector:
+    matchLabels:
+      tier: airflow
+      component: flower
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        tier: airflow
+        component: flower
+        release: {{ .Release.Name }}
+        {{- if or (.Values.labels) (.Values.flower.labels) }}
+          {{- mustMerge .Values.flower.labels .Values.labels | toYaml | nindent 8 }}
+        {{- end }}
+      annotations:
+        checksum/airflow-config: {{ include (print $.Template.BasePath "/configmaps/configmap.yaml") . | sha256sum }}
+        checksum/flower-secret: {{ include (print $.Template.BasePath "/secrets/flower-secret.yaml") . | sha256sum }}
+        {{- if or (.Values.airflowPodAnnotations) (.Values.flower.podAnnotations) }}
+          {{- mustMerge .Values.flower.podAnnotations .Values.airflowPodAnnotations | toYaml | nindent 8 }}
+        {{- end }}
+    spec:
+      nodeSelector: {{- toYaml $nodeSelector | nindent 8 }}
+      affinity: {{- toYaml $affinity | nindent 8 }}
+      {{- if .Values.schedulerName }}
+      schedulerName: {{ .Values.schedulerName }}
+      {{- end }}
+      tolerations: {{- toYaml $tolerations | nindent 8 }}
+      topologySpreadConstraints: {{- toYaml $topologySpreadConstraints | nindent 8 }}
+      serviceAccountName: {{ include "flower.serviceAccountName" . }}
+      {{- if .Values.flower.priorityClassName }}
+      priorityClassName: {{ .Values.flower.priorityClassName }}
+      {{- end }}
+      restartPolicy: Always
+      securityContext: {{ $securityContext | nindent 8 }}
+      {{- if or .Values.registry.secretName .Values.registry.connection }}
+      imagePullSecrets:
+        - name: {{ template "registry_secret" . }}
+      {{- end }}
+      containers:
+        - name: flower
+          image: {{ template "flower_image" . }}
+          imagePullPolicy: {{ .Values.images.flower.pullPolicy }}
+          securityContext: {{ $containerSecurityContext | nindent 12 }}
+          {{- if $containerLifecycleHooks  }}
+          lifecycle: {{- tpl (toYaml $containerLifecycleHooks) . | nindent 12 }}
+          {{- end }}
+          {{- if .Values.flower.command }}
+          command: {{ tpl (toYaml .Values.flower.command) . | nindent 12 }}
+          {{- end }}
+          {{- if .Values.flower.args }}
+          args: {{ tpl (toYaml .Values.flower.args) . | nindent 12 }}
+          {{- end }}
+          resources: {{- toYaml .Values.flower.resources | nindent 12 }}
+          volumeMounts:
+            {{- include "airflow_config_mount" . | nindent 12 }}
+            {{- if .Values.volumeMounts }}
+              {{- toYaml .Values.volumeMounts | nindent 12 }}
+            {{- end }}
+            {{- if .Values.flower.extraVolumeMounts }}
+              {{- tpl (toYaml .Values.flower.extraVolumeMounts) . | nindent 12 }}
+            {{- end }}
+          ports:
+            - name: flower-ui
+              containerPort: {{ .Values.ports.flowerUI }}
+          livenessProbe:
+            failureThreshold: 10
+            exec:
+              command:
+                - curl
+                {{- if (or .Values.flower.secretName (and .Values.flower.username .Values.flower.password))}}
+                - "--user"
+                - $AIRFLOW__CELERY__FLOWER_BASIC_AUTH
+                {{- end }}
+                - {{ printf "localhost:%s" (.Values.ports.flowerUI | toString) }}
+            initialDelaySeconds: 10
+            periodSeconds: 5
+          readinessProbe:
+            failureThreshold: 10
+            exec:
+              command:
+                - curl
+                {{- if (or .Values.flower.secretName (and .Values.flower.username .Values.flower.password))}}
+                - "--user"
+                - $AIRFLOW__CELERY__FLOWER_BASIC_AUTH
+                {{- end }}
+                - {{ printf "localhost:%s" (.Values.ports.flowerUI | toString) }}
+            initialDelaySeconds: 10
+            periodSeconds: 5
+          envFrom:
+          {{- include "custom_airflow_environment_from" . | default "\n  []" | indent 10 }}
+          env:
+            {{- if (or .Values.flower.secretName (and .Values.flower.username .Values.flower.password))}}
+            - name: AIRFLOW__CELERY__FLOWER_BASIC_AUTH
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "flower_secret" . }}
+                  key: basicAuth
+            {{- end }}
+            {{- include "standard_airflow_environment" . | indent 10 }}
+            {{- include "custom_airflow_environment" . | indent 10 }}
+            {{- include "container_extra_envs" (list . .Values.flower.env) | indent 10 }}
+        {{- if .Values.flower.extraContainers }}
+          {{- toYaml .Values.flower.extraContainers | nindent 8 }}
+        {{- end }}
+      volumes:
+        - name: config
+          configMap:
+            name: {{ template "airflow_config" . }}
+        {{- if .Values.volumes }}
+          {{- toYaml .Values.volumes | nindent 8 }}
+        {{- end }}
+        {{- if .Values.flower.extraVolumes }}
+          {{- tpl (toYaml .Values.flower.extraVolumes) . | nindent 8 }}
+        {{- end }}
+{{- end }}
+{{- end }}

helm/airflow/templates/flower/flower-ingress.yaml

@@ -0,0 +1,94 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+################################
+## Airflow Flower Ingress
+#################################
+{{- if .Values.flower.enabled }}
+{{- if and (or .Values.ingress.flower.enabled .Values.ingress.enabled) (or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "CeleryKubernetesExecutor")) }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "airflow.fullname" . }}-flower-ingress
+  labels:
+    tier: airflow
+    component: flower-ingress
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- if or (.Values.labels) (.Values.flower.labels) }}
+      {{- mustMerge .Values.flower.labels .Values.labels | toYaml | nindent 4 }}
+    {{- end }}
+  {{- with .Values.ingress.flower.annotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.flower.hosts (.Values.ingress.flower.hosts | first | kindIs "string" | not) }}
+  {{- $anyTlsHosts := false -}}
+  {{- range .Values.ingress.flower.hosts }}
+  {{- if .tls }}
+  {{- if .tls.enabled }}
+  {{- $anyTlsHosts = true -}}
+  {{- end }}
+  {{- end }}
+  {{- end }}
+  {{- if $anyTlsHosts }}
+  tls:
+  {{- range .Values.ingress.flower.hosts }}
+  {{- if .tls }}
+  {{- if .tls.enabled }}
+    - hosts:
+        - {{ .name | quote }}
+      secretName: {{ .tls.secretName }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
+  {{- else if .Values.ingress.flower.tls.enabled }}
+  tls:
+    - hosts:
+        {{- .Values.ingress.flower.hosts | default (list .Values.ingress.flower.host) | toYaml | nindent 8 }}
+      secretName: {{ .Values.ingress.flower.tls.secretName }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.flower.hosts | default (list .Values.ingress.flower.host) }}
+    - http:
+        paths:
+          - backend:
+              service:
+                name: {{ $.Release.Name }}-flower
+                port:
+                  name: flower-ui
+            {{- if $.Values.ingress.flower.path }}
+            path: {{ $.Values.ingress.flower.path }}
+            pathType: {{ $.Values.ingress.flower.pathType }}
+            {{- end }}
+      {{- $hostname := . -}}
+      {{- if . | kindIs "string" | not }}
+      {{- $hostname = .name -}}
+      {{- end }}
+      {{- if $hostname }}
+      host: {{ tpl $hostname $ | quote }}
+      {{- end }}
+    {{- end }}
+  {{- if .Values.ingress.flower.ingressClassName }}
+  ingressClassName: {{ .Values.ingress.flower.ingressClassName }}
+  {{- end }}
+{{- end }}
+{{- end }}

helm/airflow/templates/flower/flower-networkpolicy.yaml

@@ -0,0 +1,60 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+################################
+## Airflow Flower NetworkPolicy
+#################################
+{{- if .Values.flower.enabled }}
+{{- $celery_executors := list "CeleryExecutor" "CeleryKubernetesExecutor"}}
+{{- if and .Values.networkPolicies.enabled (has .Values.executor $celery_executors) }}
+{{- $from := or .Values.flower.networkPolicy.ingress.from .Values.flower.extraNetworkPolicies }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "airflow.fullname" . }}-flower-policy
+  labels:
+    tier: airflow
+    component: airflow-flower-policy
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- if or (.Values.labels) (.Values.flower.labels) }}
+      {{- mustMerge .Values.flower.labels .Values.labels | toYaml | nindent 4 }}
+    {{- end }}
+spec:
+  podSelector:
+    matchLabels:
+      tier: airflow
+      component: flower
+      release: {{ .Release.Name }}
+  policyTypes:
+    - Ingress
+  {{- if $from }}
+  ingress:
+    - from: {{- toYaml $from | nindent 6 }}
+      ports:
+      {{ range .Values.flower.networkPolicy.ingress.ports }}
+        -
+          {{- range $key, $val := . }}
+          {{ $key }}: {{ tpl (toString $val) $ }}
+          {{- end }}
+      {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}

helm/airflow/templates/flower/flower-service.yaml

@@ -0,0 +1,61 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+################################
+## Airflow Flower Service Component
+#################################
+{{- if .Values.flower.enabled }}
+{{- if or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "CeleryKubernetesExecutor") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "airflow.fullname" . }}-flower
+  labels:
+    tier: airflow
+    component: flower
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- if or (.Values.labels) (.Values.flower.labels) }}
+      {{- mustMerge .Values.flower.labels .Values.labels | toYaml | nindent 4 }}
+    {{- end }}
+  {{- with .Values.flower.service.annotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.flower.service.type }}
+  selector:
+    tier: airflow
+    component: flower
+    release: {{ .Release.Name }}
+  ports:
+  {{ range .Values.flower.service.ports }}
+    -
+      {{- range $key, $val := . }}
+      {{ $key }}: {{ tpl (toString $val) $ }}
+      {{- end }}
+  {{- end }}
+  {{- if .Values.flower.service.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.flower.service.loadBalancerIP }}
+  {{- end }}
+  {{- if .Values.flower.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges: {{- toYaml .Values.flower.service.loadBalancerSourceRanges | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}

helm/airflow/templates/flower/flower-serviceaccount.yaml

@@ -0,0 +1,41 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+######################################
+## Airflow Flower ServiceAccount
+######################################
+{{- if and .Values.flower.enabled (or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "CeleryKubernetesExecutor")) .Values.flower.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.flower.serviceAccount.automountServiceAccountToken }}
+metadata:
+  name: {{ include "flower.serviceAccountName" . }}
+  labels:
+    tier: airflow
+    component: flower
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- if or (.Values.labels) (.Values.flower.labels) }}
+      {{- mustMerge .Values.flower.labels .Values.labels | toYaml | nindent 4 }}
+    {{- end }}
+  {{- with .Values.flower.serviceAccount.annotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

helm/airflow/templates/jobs/create-user-job-serviceaccount.yaml

@@ -0,0 +1,41 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+###########################################
+## Airflow Create User Job ServiceAccount
+###########################################
+{{- if and .Values.createUserJob.serviceAccount.create .Values.webserver.defaultUser.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.createUserJob.serviceAccount.automountServiceAccountToken }}
+metadata:
+  name: {{ include "createUserJob.serviceAccountName" . }}
+  labels:
+    tier: airflow
+    component: create-user-job
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- if or (.Values.labels) (.Values.createUserJob.labels) }}
+      {{- mustMerge .Values.createUserJob.labels .Values.labels | toYaml | nindent 4 }}
+    {{- end }}
+  {{- with .Values.createUserJob.serviceAccount.annotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

helm/airflow/templates/jobs/create-user-job.yaml

@@ -0,0 +1,134 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+################################
+## Airflow Create User Job
+#################################
+{{- if .Values.webserver.defaultUser.enabled }}
+{{- $nodeSelector := or .Values.createUserJob.nodeSelector .Values.nodeSelector }}
+{{- $affinity := or .Values.createUserJob.affinity .Values.affinity }}
+{{- $tolerations := or .Values.createUserJob.tolerations .Values.tolerations }}
+{{- $topologySpreadConstraints := or .Values.createUserJob.topologySpreadConstraints .Values.topologySpreadConstraints }}
+{{- $securityContext := include "airflowPodSecurityContext" (list . .Values.createUserJob) }}
+{{- $containerSecurityContext := include "containerSecurityContext" (list . .Values.createUserJob) }}
+{{- $containerLifecycleHooks := or .Values.createUserJob.containerLifecycleHooks .Values.containerLifecycleHooks }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "airflow.fullname" . }}-create-user
+  labels:
+    tier: airflow
+    component: create-user-job
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- with .Values.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- $annotations := dict }}
+  {{- if .Values.createUserJob.useHelmHooks }}
+    {{- $_ := set $annotations "helm.sh/hook" "post-install,post-upgrade" }}
+    {{- $_ := set $annotations "helm.sh/hook-weight" "2" }}
+    {{- $_ := set $annotations "helm.sh/hook-delete-policy" "before-hook-creation,hook-succeeded" }}
+  {{- end }}
+  {{- with $annotations := merge $annotations .Values.createUserJob.jobAnnotations }}
+  annotations: {{- $annotations | toYaml | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if not (kindIs "invalid" .Values.createUserJob.ttlSecondsAfterFinished) }}
+  ttlSecondsAfterFinished: {{ .Values.createUserJob.ttlSecondsAfterFinished }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        tier: airflow
+        component: create-user-job
+        release: {{ .Release.Name }}
+        {{- if or (.Values.labels) (.Values.createUserJob.labels) }}
+          {{- mustMerge .Values.createUserJob.labels .Values.labels | toYaml | nindent 8 }}
+        {{- end }}
+      {{- if or .Values.airflowPodAnnotations .Values.createUserJob.annotations }}
+      annotations:
+        {{- if .Values.airflowPodAnnotations }}
+          {{- toYaml .Values.airflowPodAnnotations | nindent 8 }}
+        {{- end }}
+        {{- if .Values.createUserJob.annotations }}
+          {{- toYaml .Values.createUserJob.annotations | nindent 8 }}
+        {{- end }}
+      {{- end }}
+    spec:
+      securityContext: {{ $securityContext | nindent 8 }}
+      restartPolicy: OnFailure
+      nodeSelector: {{- toYaml $nodeSelector | nindent 8 }}
+      affinity: {{- toYaml $affinity | nindent 8 }}
+      {{- if .Values.schedulerName }}
+      schedulerName: {{ .Values.schedulerName }}
+      {{- end }}
+      tolerations: {{- toYaml $tolerations | nindent 8 }}
+      topologySpreadConstraints: {{- toYaml $topologySpreadConstraints | nindent 8 }}
+      serviceAccountName: {{ include "createUserJob.serviceAccountName" . }}
+      {{- if or .Values.registry.secretName .Values.registry.connection }}
+      imagePullSecrets:
+        - name: {{ template "registry_secret" . }}
+      {{- end }}
+      containers:
+        - name: create-user
+          image: {{ template "airflow_image" . }}
+          imagePullPolicy: {{ .Values.images.airflow.pullPolicy }}
+          securityContext: {{ $containerSecurityContext | nindent 12 }}
+          {{- if $containerLifecycleHooks  }}
+          lifecycle: {{- tpl (toYaml $containerLifecycleHooks) . | nindent 12 }}
+          {{- end }}
+          {{- if .Values.createUserJob.command }}
+          command: {{ tpl (toYaml .Values.createUserJob.command) . | nindent 12 }}
+          {{- end }}
+          {{- if .Values.createUserJob.args }}
+          args: {{ tpl (toYaml .Values.createUserJob.args) . | nindent 12 }}
+          {{- end }}
+          {{- if .Values.createUserJob.applyCustomEnv }}
+          envFrom: {{- include "custom_airflow_environment_from" . | default "\n  []" | indent 10 }}
+          env: {{- include "custom_airflow_environment" . | indent 10 }}
+          {{- else }}
+          env:
+          {{- end }}
+          {{- include "standard_airflow_environment" . | indent 10 }}
+          {{- include "container_extra_envs" (list . .Values.createUserJob.env) | indent 10 }}
+          resources: {{- toYaml .Values.createUserJob.resources | nindent 12 }}
+          volumeMounts:
+            {{- include "airflow_config_mount" . | nindent 12 }}
+            {{- if .Values.volumeMounts }}
+              {{- toYaml .Values.volumeMounts | nindent 12 }}
+            {{- end }}
+            {{- if .Values.createUserJob.extraVolumeMounts }}
+              {{- tpl (toYaml .Values.createUserJob.extraVolumeMounts) . | nindent 12 }}
+            {{- end }}
+        {{- if .Values.createUserJob.extraContainers }}
+          {{- toYaml .Values.createUserJob.extraContainers | nindent 8 }}
+        {{- end }}
+      volumes:
+        - name: config
+          configMap:
+            name: {{ template "airflow_config" . }}
+        {{- if .Values.volumes }}
+          {{- toYaml .Values.volumes | nindent 8 }}
+        {{- end }}
+        {{- if .Values.createUserJob.extraVolumes }}
+          {{- tpl (toYaml .Values.createUserJob.extraVolumes) . | nindent 8 }}
+        {{- end }}
+{{- end }}

helm/airflow/templates/jobs/migrate-database-job-serviceaccount.yaml

@@ -0,0 +1,41 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/}}
+
+#############################################
+## Airflow Migrate Database Job ServiceAccount
+##############################################
+{{- if .Values.migrateDatabaseJob.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.migrateDatabaseJob.serviceAccount.automountServiceAccountToken }}
+metadata:
+  name: {{ include "migrateDatabaseJob.serviceAccountName" . }}
+  labels:
+    tier: airflow
+    component: run-airflow-migrations
+    release: {{ .Release.Name }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: {{ .Release.Service }}
+    {{- with .Values.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.migrateDatabaseJob.serviceAccount.annotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}