commit
3be83d3d46
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1 @@
|
|||
tests
|
|
@ -35,4 +35,4 @@ sources:
|
|||
- https://github.com/aquarist-labs/s3gw-cosi-driver
|
||||
- https://github.com/kubernetes-sigs/container-object-storage-interface-provisioner-sidecar
|
||||
type: application
|
||||
version: 0.18.0
|
||||
version: 0.19.0
|
||||
|
|
|
@ -16,7 +16,7 @@ To install s3gw using Helm add the chart to your Helm repository and then run
|
|||
`helm install`:
|
||||
|
||||
```bash
|
||||
helm add repo s3gw https://aquarist-labs.github.io/s3gw-charts/
|
||||
helm repo add s3gw https://aquarist-labs.github.io/s3gw-charts/
|
||||
helm \
|
||||
--namespace s3gw-system \
|
||||
install s3gw \
|
||||
|
|
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
publicDomain: s3.example.com
|
||||
ui:
|
||||
enabled: true
|
||||
publicDomain: s3-ui.example.com
|
||||
ingress:
|
||||
enabled: true
|
||||
storageClass:
|
||||
name: local
|
||||
create: true
|
||||
local: true
|
||||
localPath: /tmp/local-storage
|
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
publicDomain: s3.example.com
|
||||
ui:
|
||||
enabled: false
|
||||
ingress:
|
||||
enabled: false
|
||||
storageClass:
|
||||
name: local
|
||||
create: true
|
||||
local: true
|
||||
localPath: /tmp/local-storage
|
|
@ -2,12 +2,12 @@
|
|||
{{- fail "Please provide a value for `.Values.publicDomain`." }}
|
||||
{{- end }}
|
||||
|
||||
{{- if (and .Values.ui.enabled (empty .Values.ui.publicDomain)) }}
|
||||
{{- if (and .Values.ingress.enabled (and .Values.ui.enabled (empty .Values.ui.publicDomain))) }}
|
||||
{{- fail "Please provide a value for `.Values.ui.publicDomain`." }}
|
||||
{{- end }}
|
||||
|
||||
{{- if (and .Values.useExistingSecret (empty .Values.defaultUserCredentialsSecret)) }}
|
||||
{{- fail "Please provide a secret name for `.Values.defaultUserCredentialSecret`" }}
|
||||
{{- fail "Please provide a secret name for `.Values.defaultUserCredentialsSecret`" }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.useCertManager }}
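Review bot: The rewritten condition on the `ui.publicDomain` check nests two `and` calls where Go templates accept a variadic `and`; `{{- if (and .Values.ingress.enabled .Values.ui.enabled (empty .Values.ui.publicDomain)) }}` expresses the same intent with one level of parentheses. With the new guard, a UI that is enabled without ingress may legitimately leave `ui.publicDomain` empty; if another template still renders that value unconditionally (not visible here) it will now be empty rather than rejected, so it is worth confirming against the UI templates. The corrected message for `defaultUserCredentialsSecret` now matches the value name tested on the line above it. The `{{- end }}` on the second line of the hunk and the trailing `{{- if .Values.useCertManager }}` belong to blocks that extend outside the hunk.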
|
||||
|
|
|
@ -11,6 +11,6 @@ type: Opaque
|
|||
stringData:
|
||||
DRIVERNAME: {{ include "s3gw-cosi.driverName" . }}
|
||||
ENDPOINT: {{ include "s3gw-cosi.endpoint" . }}
|
||||
ACCESSKEY: {{ .Values.accessKey }}
|
||||
SECRETKEY: {{ .Values.secretKey }}
|
||||
ACCESSKEY: {{ include "s3gw.defaultAccessKey" . }}
|
||||
SECRETKEY: {{ include "s3gw.defaultSecretKey" . }}
|
||||
{{- end }}
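Review bot: The new `ACCESSKEY` and `SECRETKEY` lines in `stringData` interpolate the credential helpers unquoted, so a generated or user-supplied key that YAML reads as a non-string (all digits, `true`/`no`, a leading `*`, `&` or `{`, or an embedded `: ` / ` #`) is retyped or breaks the document, and the API server rejects non-string `stringData` values. Pipe both through `quote`: `ACCESSKEY: {{ include "s3gw.defaultAccessKey" . | quote }}` and `SECRETKEY: {{ include "s3gw.defaultSecretKey" . | quote }}`; the `DRIVERNAME` and `ENDPOINT` lines above would benefit from the same treatment. What the two `s3gw.default*Key` helpers emit is not visible here, so this is a hardening step rather than a reproduced failure. The `{{- end }}` on the last line closes a conditional that begins outside the hunk.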
|
||||
|
|
|
@ -1,32 +0,0 @@
|
|||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: 'smoke-{{ .Release.Name }}-bucket-create'
|
||||
namespace: '{{ .Release.Namespace }}'
|
||||
annotations:
|
||||
helm.sh/hook: test
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: create-bucket
|
||||
image: opensuse/tumbleweed:latest
|
||||
command:
|
||||
- /bin/sh
|
||||
- -exc
|
||||
- zypper -n install --no-recommends libs3-tools;
|
||||
|
||||
s3 -u -t 50 create testbucket;
|
||||
|
||||
s3 -u -t 50 list | grep testbucket
|
||||
env:
|
||||
- name: S3_ACCESS_KEY_ID
|
||||
value: {{ .Values.accessKey | quote }}
|
||||
- name: S3_SECRET_ACCESS_KEY
|
||||
value: {{ .Values.secretKey | quote }}
|
||||
- name: S3_HOSTNAME
|
||||
value:
|
||||
'{{ include "s3gw.serviceName" . }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }}'
|
||||
restartPolicy: Never
|
||||
backoffLimit: 3
|
|
@ -1,9 +1,9 @@
|
|||
dependencies:
|
||||
- name: zookeeper
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 11.4.9
|
||||
version: 11.4.10
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 2.6.0
|
||||
digest: sha256:9375ccc13bbfdc7ccebfa3354f48e578a1cc73ded31638587edd99650d16f29b
|
||||
generated: "2023-07-24T12:26:26.493879811Z"
|
||||
digest: sha256:31af3d70106f13499f925ccf603f986ee1e925cdf22eef0cd7c50fc9fe088f0d
|
||||
generated: "2023-08-04T16:49:34.999596575Z"
|
||||
|
|
|
@ -4,6 +4,17 @@ annotations:
|
|||
catalog.cattle.io/kube-version: '>=1.19-0'
|
||||
catalog.cattle.io/release-name: kafka
|
||||
category: Infrastructure
|
||||
images: |
|
||||
- name: jmx-exporter
|
||||
image: docker.io/bitnami/jmx-exporter:0.19.0-debian-11-r33
|
||||
- name: kafka-exporter
|
||||
image: docker.io/bitnami/kafka-exporter:1.7.0-debian-11-r69
|
||||
- name: kafka
|
||||
image: docker.io/bitnami/kafka:3.5.1-debian-11-r11
|
||||
- name: kubectl
|
||||
image: docker.io/bitnami/kubectl:1.25.12-debian-11-r14
|
||||
- name: os-shell
|
||||
image: docker.io/bitnami/os-shell:11-debian-11-r25
|
||||
licenses: Apache-2.0
|
||||
apiVersion: v2
|
||||
appVersion: 3.5.1
|
||||
|
@ -34,4 +45,4 @@ maintainers:
|
|||
name: kafka
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/kafka
|
||||
version: 23.0.7
|
||||
version: 24.0.3
|
||||
|
|
|
@ -21,4 +21,4 @@ maintainers:
|
|||
name: zookeeper
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/zookeeper
|
||||
version: 11.4.9
|
||||
version: 11.4.10
|
||||
|
|
|
@ -82,7 +82,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ----------------------- |
|
||||
| `image.registry` | ZooKeeper image registry | `docker.io` |
|
||||
| `image.repository` | ZooKeeper image repository | `bitnami/zookeeper` |
|
||||
| `image.tag` | ZooKeeper image tag (immutable tags are recommended) | `3.8.2-debian-11-r4` |
|
||||
| `image.tag` | ZooKeeper image tag (immutable tags are recommended) | `3.8.2-debian-11-r7` |
|
||||
| `image.digest` | ZooKeeper image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `image.pullPolicy` | ZooKeeper image pull policy | `IfNotPresent` |
|
||||
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
|
@ -248,7 +248,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` |
|
||||
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
|
||||
| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/os-shell` |
|
||||
| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r13` |
|
||||
| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r19` |
|
||||
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
|
||||
| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` |
|
||||
|
|
|
@ -79,7 +79,7 @@ diagnosticMode:
|
|||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/zookeeper
|
||||
tag: 3.8.2-debian-11-r4
|
||||
tag: 3.8.2-debian-11-r7
|
||||
digest: ""
|
||||
## Specify a imagePullPolicy
|
||||
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
||||
|
@ -663,7 +663,7 @@ volumePermissions:
|
|||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/os-shell
|
||||
tag: 11-debian-11-r13
|
||||
tag: 11-debian-11-r19
|
||||
digest: ""
|
||||
pullPolicy: IfNotPresent
|
||||
## Optionally specify an array of imagePullSecrets.
|
||||
|
|
|
@ -22,19 +22,12 @@ In order to replicate the container startup scripts execute this command:
|
|||
|
||||
{{- else }}
|
||||
|
||||
{{- $replicaCount := int .Values.replicaCount -}}
|
||||
{{- $releaseNamespace := .Release.Namespace -}}
|
||||
{{- $clusterDomain := .Values.clusterDomain -}}
|
||||
{{- $fullname := include "common.names.fullname" . -}}
|
||||
{{- $clientProtocol := include "kafka.listenerType" (dict "protocol" .Values.auth.clientProtocol) -}}
|
||||
{{- $externalClientProtocol := include "kafka.listenerType" (dict "protocol" (include "kafka.externalClientProtocol" . )) -}}
|
||||
{{- $saslMechanisms := .Values.auth.sasl.mechanisms -}}
|
||||
{{- $tlsEndpointIdentificationAlgorithm := default "" .Values.auth.tls.endpointIdentificationAlgorithm -}}
|
||||
{{- $tlsPasswordSecret := printf "$(kubectl get secret %s --namespace %s -o jsonpath='{.data.password}' | base64 -d | cut -d , -f 1)" .Values.auth.tls.existingSecret $releaseNamespace -}}
|
||||
{{- $tlsPassword := ternary .Values.auth.tls.password $tlsPasswordSecret (eq .Values.auth.tls.existingSecret "") -}}
|
||||
{{- $servicePort := int .Values.service.ports.client -}}
|
||||
{{- $releaseNamespace := .Release.Namespace }}
|
||||
{{- $clusterDomain := .Values.clusterDomain }}
|
||||
{{- $fullname := include "common.names.fullname" . }}
|
||||
{{- $servicePort := int .Values.service.ports.client }}
|
||||
|
||||
{{- if and (or (eq .Values.service.type "LoadBalancer") .Values.externalAccess.enabled) (eq $externalClientProtocol "PLAINTEXT") }}
|
||||
{{- if and (or (eq .Values.service.type "LoadBalancer") .Values.externalAccess.enabled) (eq (upper .Values.listeners.external.protocol) "PLAINTEXT") }}
|
||||
---------------------------------------------------------------------------------------------
|
||||
WARNING
|
||||
|
||||
|
@ -57,114 +50,95 @@ Kafka can be accessed by consumers via port {{ $servicePort }} on the following
|
|||
Each Kafka broker can be accessed by producers via port {{ $servicePort }} on the following DNS name(s) from within your cluster:
|
||||
|
||||
{{- $brokerList := list }}
|
||||
{{- range $e, $i := until $replicaCount }}
|
||||
{{- $brokerList = append $brokerList (printf "%s-%d.%s-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $servicePort) }}
|
||||
{{- range $i := until (int .Values.controller.replicaCount) }}
|
||||
{{- $brokerList = append $brokerList (printf "%s-controller-%d.%s-controller-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $servicePort) }}
|
||||
{{- end }}
|
||||
{{- range $i := until (int .Values.broker.replicaCount) }}
|
||||
{{- $brokerList = append $brokerList (printf "%s-broker-%d.%s-broker-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $servicePort) }}
|
||||
{{- end }}
|
||||
{{ join "\n" $brokerList | nindent 4 }}
|
||||
{{- if (include "kafka.client.saslAuthentication" .) }}
|
||||
{{- $clientSaslEnabled := regexFind "SASL" (upper .Values.listeners.client.protocol) }}
|
||||
{{- $clientSslEnabled := regexFind "SSL" (upper .Values.listeners.client.protocol) }}
|
||||
{{- $clientMTlsEnabled := or (and .Values.listeners.client.sslClientAuth (not (eq .Values.listeners.client.sslClientAuth "none"))) (and (empty .Values.listeners.client.sslClientAuth) (not (eq .Values.tls.sslClientAuth "none"))) }}
|
||||
{{- if or $clientSaslEnabled $clientSslEnabled }}
|
||||
|
||||
You need to configure your Kafka client to access using SASL authentication. To do so, you need to create the 'kafka_jaas.conf' and 'client.properties' configuration files with the content below:
|
||||
The {{ upper .Values.listeners.client.name }} listener for Kafka client connections from within your cluster have been configured with the following security settings:
|
||||
{{- if $clientSaslEnabled }}
|
||||
- SASL authentication
|
||||
{{- end }}
|
||||
{{- if $clientSslEnabled }}
|
||||
- TLS encryption
|
||||
{{- end }}
|
||||
{{- if and $clientSslEnabled $clientMTlsEnabled }}
|
||||
- mTLS authentication
|
||||
{{- end }}
|
||||
|
||||
- kafka_jaas.conf:
|
||||
To connect a client to your Kafka, you need to create the 'client.properties' configuration files with the content below:
|
||||
|
||||
KafkaClient {
|
||||
{{- if $saslMechanisms | regexFind "scram" }}
|
||||
org.apache.kafka.common.security.scram.ScramLoginModule required
|
||||
{{- else }}
|
||||
org.apache.kafka.common.security.plain.PlainLoginModule required
|
||||
{{- end }}
|
||||
username="{{ index .Values.auth.sasl.jaas.clientUsers 0 }}"
|
||||
password="$(kubectl get secret {{ $fullname }}-jaas --namespace {{ $releaseNamespace }} -o jsonpath='{.data.client-passwords}' | base64 -d | cut -d , -f 1)";
|
||||
};
|
||||
|
||||
- client.properties:
|
||||
|
||||
security.protocol={{ $clientProtocol }}
|
||||
{{- if $saslMechanisms | regexFind "scram-sha-256" }}
|
||||
security.protocol={{ .Values.listeners.client.protocol }}
|
||||
{{- if $clientSaslEnabled }}
|
||||
{{- if regexFind "SCRAM-SHA-256" (upper .Values.sasl.enabledMechanisms) }}
|
||||
sasl.mechanism=SCRAM-SHA-256
|
||||
{{- else if $saslMechanisms | regexFind "scram-sha-512" }}
|
||||
{{- else if regexFind "SCRAM-SHA-512" (upper .Values.sasl.enabledMechanisms) }}
|
||||
sasl.mechanism=SCRAM-SHA-512
|
||||
{{- else }}
|
||||
{{- else if regexFind "PLAIN" (upper .Values.sasl.enabledMechanisms) }}
|
||||
sasl.mechanism=PLAIN
|
||||
{{- end }}
|
||||
{{- if eq $clientProtocol "SASL_SSL" }}
|
||||
ssl.truststore.type={{ upper .Values.auth.tls.type }}
|
||||
{{- if eq .Values.auth.tls.type "jks" }}
|
||||
{{- $securityModule := ternary "org.apache.kafka.common.security.scram.ScramLoginModule required" "org.apache.kafka.common.security.plain.PlainLoginModule required" (regexMatch "SCRAM" (upper .Values.sasl.enabledMechanisms)) }}
|
||||
sasl.jaas.config={{ $securityModule }} \
|
||||
username="{{ index .Values.sasl.client.users 0 }}" \
|
||||
password="$(kubectl get secret {{ $fullname }}-user-passwords --namespace {{ $releaseNamespace }} -o jsonpath='{.data.client-passwords}' | base64 -d | cut -d , -f 1)";
|
||||
{{- end }}
|
||||
{{- if $clientSslEnabled }}
|
||||
{{- $clientTlsType := upper .Values.tls.type }}
|
||||
ssl.truststore.type={{ $clientTlsType }}
|
||||
{{- if eq $clientTlsType "JKS" }}
|
||||
ssl.truststore.location=/tmp/kafka.truststore.jks
|
||||
{{- if not (empty $tlsPassword) }}
|
||||
ssl.truststore.password={{ $tlsPassword }}
|
||||
{{- end }}
|
||||
{{- else if eq .Values.auth.tls.type "pem" }}
|
||||
ssl.truststore.certificates=-----BEGIN CERTIFICATE----- \
|
||||
... \
|
||||
-----END CERTIFICATE-----
|
||||
{{- end }}
|
||||
{{- if eq $tlsEndpointIdentificationAlgorithm "" }}
|
||||
ssl.endpoint.identification.algorithm=
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- else if (include "kafka.client.tlsEncryption" .) }}
|
||||
|
||||
You need to configure your Kafka client to access using TLS authentication. To do so, you need to create the 'client.properties' configuration file with the content below:
|
||||
|
||||
security.protocol={{ $clientProtocol }}
|
||||
ssl.truststore.type={{ upper .Values.auth.tls.type }}
|
||||
{{- if eq .Values.auth.tls.type "jks" }}
|
||||
ssl.truststore.location=/tmp/kafka.truststore.{{ .Values.auth.tls.type }}
|
||||
{{- if not (empty $tlsPassword) }}
|
||||
ssl.truststore.password={{ $tlsPassword }}
|
||||
{{- end }}
|
||||
{{- else if eq .Values.auth.tls.type "pem" }}
|
||||
# Uncomment this line if your client truststore is password protected
|
||||
#ssl.truststore.password=
|
||||
{{- else if eq $clientTlsType "PEM" }}
|
||||
ssl.truststore.certificates=-----BEGIN CERTIFICATE----- \
|
||||
... \
|
||||
-----END CERTIFICATE-----
|
||||
{{- end }}
|
||||
{{- if eq .Values.auth.clientProtocol "mtls" }}
|
||||
ssl.keystore.type={{ upper .Values.auth.tls.type }}
|
||||
{{- if eq .Values.auth.tls.type "jks" }}
|
||||
{{- if and $clientMTlsEnabled }}
|
||||
ssl.keystore.type={{ $clientTlsType }}
|
||||
{{- if eq $clientTlsType "JKS" }}
|
||||
ssl.keystore.location=/tmp/client.keystore.jks
|
||||
{{- if not (empty $tlsPassword) }}
|
||||
ssl.keystore.password={{ $tlsPassword }}
|
||||
{{- end }}
|
||||
{{- else if eq .Values.auth.tls.type "pem" }}
|
||||
# Uncomment this line if your client truststore is password protected
|
||||
#ssl.keystore.password=
|
||||
{{- else if eq $clientTlsType "PEM" }}
|
||||
ssl.keystore.certificate.chain=-----BEGIN CERTIFICATE----- \
|
||||
... \
|
||||
-----END CERTIFICATE-----
|
||||
ssl.keystore.key=-----BEGIN ENCRYPTED PRIVATE KEY----- \
|
||||
... \
|
||||
-----END ENCRYPTED PRIVATE KEY-----
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if eq $tlsEndpointIdentificationAlgorithm "" }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.tls.endpointIdentificationAlgorithm "" }}
|
||||
ssl.endpoint.identification.algorithm=
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
To create a pod that you can use as a Kafka client run the following commands:
|
||||
|
||||
kubectl run {{ $fullname }}-client --restart='Never' --image {{ template "kafka.image" . }} --namespace {{ $releaseNamespace }} --command -- sleep infinity
|
||||
{{- if or (include "kafka.client.saslAuthentication" .) (include "kafka.client.tlsEncryption" .) }}
|
||||
{{- if or $clientSaslEnabled $clientSslEnabled }}
|
||||
kubectl cp --namespace {{ $releaseNamespace }} /path/to/client.properties {{ $fullname }}-client:/tmp/client.properties
|
||||
{{- end }}
|
||||
{{- if (include "kafka.client.saslAuthentication" .) }}
|
||||
kubectl cp --namespace {{ $releaseNamespace }} /path/to/kafka_jaas.conf {{ $fullname }}-client:/tmp/kafka_jaas.conf
|
||||
{{- end }}
|
||||
{{- if and (include "kafka.client.tlsEncryption" .) (eq .Values.auth.tls.type "jks") }}
|
||||
{{- if and $clientSslEnabled (eq (upper .Values.tls.type) "JKS") }}
|
||||
kubectl cp --namespace {{ $releaseNamespace }} ./kafka.truststore.jks {{ $fullname }}-client:/tmp/kafka.truststore.jks
|
||||
{{- if eq .Values.auth.clientProtocol "mtls" }}
|
||||
{{- if $clientMTlsEnabled }}
|
||||
kubectl cp --namespace {{ $releaseNamespace }} ./client.keystore.jks {{ $fullname }}-client:/tmp/client.keystore.jks
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
kubectl exec --tty -i {{ $fullname }}-client --namespace {{ $releaseNamespace }} -- bash
|
||||
{{- if (include "kafka.client.saslAuthentication" .) }}
|
||||
export KAFKA_OPTS="-Djava.security.auth.login.config=/tmp/kafka_jaas.conf"
|
||||
{{- end }}
|
||||
|
||||
PRODUCER:
|
||||
kafka-console-producer.sh \
|
||||
{{- if or (include "kafka.client.saslAuthentication" .) (include "kafka.client.tlsEncryption" .) }}
|
||||
{{- if or $clientSaslEnabled $clientSslEnabled }}
|
||||
--producer.config /tmp/client.properties \
|
||||
{{- end }}
|
||||
--broker-list {{ join "," $brokerList }} \
|
||||
|
@ -172,7 +146,7 @@ To create a pod that you can use as a Kafka client run the following commands:
|
|||
|
||||
CONSUMER:
|
||||
kafka-console-consumer.sh \
|
||||
{{- if or (include "kafka.client.saslAuthentication" .) (include "kafka.client.tlsEncryption" .) }}
|
||||
{{- if or $clientSaslEnabled $clientSslEnabled }}
|
||||
--consumer.config /tmp/client.properties \
|
||||
{{- end }}
|
||||
--bootstrap-server {{ $fullname }}.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ .Values.service.ports.client }} \
|
||||
|
@ -180,132 +154,161 @@ To create a pod that you can use as a Kafka client run the following commands:
|
|||
--from-beginning
|
||||
|
||||
{{- if .Values.externalAccess.enabled }}
|
||||
{{- if or (not .Values.kraft.enabled) (not .Values.controller.controllerOnly) .Values.externalAccess.controller.forceExpose }}
|
||||
|
||||
To connect to your Kafka server from outside the cluster, follow the instructions below:
|
||||
|
||||
{{- if eq "NodePort" .Values.externalAccess.service.type }}
|
||||
{{- if .Values.externalAccess.service.domain }}
|
||||
|
||||
Kafka brokers domain: Use your provided hostname to reach Kafka brokers, {{ .Values.externalAccess.service.domain }}
|
||||
|
||||
{{- if not .Values.kraft.enabled }}
|
||||
To connect to your Kafka nodes from outside the cluster, follow these instructions:
|
||||
{{- else if and .Values.controller.controllerOnly .Values.externalAccess.controller.forceExpose }}
|
||||
To connect to your Kafka controller-only nodes from outside the cluster, follow these instructions:
|
||||
{{- else }}
|
||||
To connect to your Kafka controller+broker nodes from outside the cluster, follow these instructions:
|
||||
{{- end }}
|
||||
|
||||
{{- if eq "NodePort" .Values.externalAccess.controller.service.type }}
|
||||
{{- if .Values.externalAccess.controller.service.domain }}
|
||||
Kafka brokers domain: Use your provided hostname to reach Kafka brokers, {{ .Values.externalAccess.controller.service.domain }}
|
||||
|
||||
{{- else }}
|
||||
Kafka brokers domain: You can get the external node IP from the Kafka configuration file with the following commands (Check the EXTERNAL listener)
|
||||
|
||||
1. Obtain the pod name:
|
||||
|
||||
kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka"
|
||||
kubectl get pods --namespace {{ include "common.names.namespace" . }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka"
|
||||
|
||||
2. Obtain pod configuration:
|
||||
|
||||
kubectl exec -it KAFKA_POD -- cat /opt/bitnami/kafka/config/server.properties | grep advertised.listeners
|
||||
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
||||
Kafka brokers port: You will have a different node port for each Kafka broker. You can get the list of configured node ports using the command below:
|
||||
|
||||
echo "$(kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -o jsonpath='{.items[*].spec.ports[0].nodePort}' | tr ' ' '\n')"
|
||||
echo "$(kubectl get svc --namespace {{ include "common.names.namespace" . }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -o jsonpath='{.items[*].spec.ports[0].nodePort}' | tr ' ' '\n')"
|
||||
|
||||
{{- else if contains "LoadBalancer" .Values.externalAccess.service.type }}
|
||||
{{- else if eq "LoadBalancer" .Values.externalAccess.controller.service.type }}
|
||||
NOTE: It may take a few minutes for the LoadBalancer IPs to be available.
|
||||
|
||||
NOTE: It may take a few minutes for the LoadBalancer IPs to be available.
|
||||
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -w'
|
||||
Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -w'
|
||||
|
||||
Kafka Brokers domain: You will have a different external IP for each Kafka broker. You can get the list of external IPs using the command below:
|
||||
|
||||
echo "$(kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -o jsonpath='{.items[*].status.loadBalancer.ingress[0].ip}' | tr ' ' '\n')"
|
||||
echo "$(kubectl get svc --namespace {{ include "common.names.namespace" . }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -o jsonpath='{.items[*].status.loadBalancer.ingress[0].ip}' | tr ' ' '\n')"
|
||||
|
||||
Kafka Brokers port: {{ .Values.externalAccess.service.ports.external }}
|
||||
Kafka Brokers port: {{ .Values.externalAccess.controller.service.ports.external }}
|
||||
|
||||
{{- else if eq "ClusterIP" .Values.externalAccess.service.type }}
|
||||
{{- else if eq "ClusterIP" .Values.externalAccess.controller.service.type }}
|
||||
Kafka brokers domain: Use your provided hostname to reach Kafka brokers, {{ .Values.externalAccess.controller.service.domain }}
|
||||
|
||||
Kafka brokers domain: Use your provided hostname to reach Kafka brokers, {{ .Values.externalAccess.service.domain }}
|
||||
|
||||
Kafka brokers port: You will have a different port for each Kafka broker starting at {{ .Values.externalAccess.service.ports.external }}
|
||||
Kafka brokers port: You will have a different port for each Kafka broker starting at {{ .Values.externalAccess.controller.service.ports.external }}
|
||||
|
||||
{{- end }}
|
||||
|
||||
{{- if not (eq $clientProtocol $externalClientProtocol) }}
|
||||
{{- if (include "kafka.client.saslAuthentication" .) }}
|
||||
|
||||
You need to configure your Kafka client to access using SASL authentication. To do so, you need to create the 'kafka_jaas.conf' and 'client.properties' configuration files with the content below:
|
||||
|
||||
- kafka_jaas.conf:
|
||||
|
||||
KafkaClient {
|
||||
{{- if $saslMechanisms | regexFind "scram" }}
|
||||
org.apache.kafka.common.security.scram.ScramLoginModule required
|
||||
{{- else }}
|
||||
org.apache.kafka.common.security.plain.PlainLoginModule required
|
||||
{{- end }}
|
||||
username="{{ index .Values.auth.sasl.jaas.clientUsers 0 }}"
|
||||
password="$(kubectl get secret {{ $fullname }}-jaas --namespace {{ $releaseNamespace }} -o jsonpath='{.data.client-passwords}' | base64 -d | cut -d , -f 1)";
|
||||
};
|
||||
|
||||
- client.properties:
|
||||
{{- $brokerReplicaCount := int .Values.broker.replicaCount -}}
|
||||
{{- if gt $brokerReplicaCount 0 }}
|
||||
To connect to your Kafka broker nodes from outside the cluster, follow these instructions:
|
||||
|
||||
security.protocol={{ $externalClientProtocol }}
|
||||
{{- if $saslMechanisms | regexFind "scram-sha-256" }}
|
||||
{{- if eq "NodePort" .Values.externalAccess.broker.service.type }}
|
||||
{{- if .Values.externalAccess.broker.service.domain }}
|
||||
Kafka brokers domain: Use your provided hostname to reach Kafka brokers, {{ .Values.externalAccess.broker.service.domain }}
|
||||
|
||||
{{- else }}
|
||||
Kafka brokers domain: You can get the external node IP from the Kafka configuration file with the following commands (Check the EXTERNAL listener)
|
||||
|
||||
1. Obtain the pod name:
|
||||
|
||||
kubectl get pods --namespace {{ include "common.names.namespace" . }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka"
|
||||
|
||||
2. Obtain pod configuration:
|
||||
|
||||
kubectl exec -it KAFKA_POD -- cat /opt/bitnami/kafka/config/server.properties | grep advertised.listeners
|
||||
|
||||
{{- end }}
|
||||
Kafka brokers port: You will have a different node port for each Kafka broker. You can get the list of configured node ports using the command below:
|
||||
|
||||
echo "$(kubectl get svc --namespace {{ include "common.names.namespace" . }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -o jsonpath='{.items[*].spec.ports[0].nodePort}' | tr ' ' '\n')"
|
||||
|
||||
{{- else if eq "LoadBalancer" .Values.externalAccess.broker.service.type }}
|
||||
NOTE: It may take a few minutes for the LoadBalancer IPs to be available.
|
||||
|
||||
Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -w'
|
||||
|
||||
Kafka Brokers domain: You will have a different external IP for each Kafka broker. You can get the list of external IPs using the command below:
|
||||
|
||||
echo "$(kubectl get svc --namespace {{ include "common.names.namespace" . }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -o jsonpath='{.items[*].status.loadBalancer.ingress[0].ip}' | tr ' ' '\n')"
|
||||
|
||||
Kafka Brokers port: {{ .Values.externalAccess.broker.service.ports.external }}
|
||||
|
||||
{{- else if eq "ClusterIP" .Values.externalAccess.broker.service.type }}
|
||||
Kafka brokers domain: Use your provided hostname to reach Kafka brokers, {{ .Values.externalAccess.broker.service.domain }}
|
||||
|
||||
Kafka brokers port: You will have a different port for each Kafka broker starting at {{ .Values.externalAccess.broker.service.ports.external }}
|
||||
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if or $clientSaslEnabled $clientSslEnabled }}
|
||||
{{- $externalSaslEnabled := regexFind "SASL" (upper .Values.listeners.external.protocol) }}
|
||||
{{- $externalSslEnabled := regexFind "SSL" (upper .Values.listeners.external.protocol) }}
|
||||
{{- $externalMTlsEnabled := or (and .Values.listeners.external.sslClientAuth (not (eq .Values.listeners.external.sslClientAuth "none"))) (and (empty .Values.listeners.external.sslClientAuth) (not (eq .Values.tls.sslClientAuth "none"))) }}
|
||||
|
||||
The {{ upper .Values.listeners.external.name }} listener for Kafka client connections from within your cluster have been configured with the following settings:
|
||||
{{- if $externalSaslEnabled }}
|
||||
- SASL authentication
|
||||
{{- end }}
|
||||
{{- if $externalSslEnabled }}
|
||||
- TLS encryption
|
||||
{{- end }}
|
||||
{{- if and $externalSslEnabled $externalMTlsEnabled }}
|
||||
- mTLS authentication
|
||||
{{- end }}
|
||||
|
||||
To connect a client to your Kafka, you need to create the 'client.properties' configuration files with the content below:
|
||||
|
||||
security.protocol={{ .Values.listeners.external.protocol }}
|
||||
{{- if $externalSaslEnabled }}
|
||||
{{- if regexFind "SCRAM-SHA-256" (upper .Values.sasl.enabledMechanisms) }}
|
||||
sasl.mechanism=SCRAM-SHA-256
|
||||
{{- else if $saslMechanisms | regexFind "scram-sha-512" }}
|
||||
{{- else if regexFind "SCRAM-SHA-512" (upper .Values.sasl.enabledMechanisms) }}
|
||||
sasl.mechanism=SCRAM-SHA-512
|
||||
{{- else }}
|
||||
sasl.mechanism=PLAIN
|
||||
{{- end }}
|
||||
{{- if eq $externalClientProtocol "SASL_SSL" }}
|
||||
ssl.truststore.type={{ upper .Values.auth.tls.type }}
|
||||
{{- if eq .Values.auth.tls.type "jks" }}
|
||||
{{- $securityModule := ternary "org.apache.kafka.common.security.scram.ScramLoginModule required" "org.apache.kafka.common.security.plain.PlainLoginModule required" (regexMatch "SCRAM" (upper .Values.sasl.enabledMechanisms)) }}
|
||||
sasl.jaas.config={{ $securityModule }} \
|
||||
username="{{ index .Values.sasl.client.users 0 }}" \
|
||||
password="$(kubectl get secret {{ $fullname }}-user-passwords --namespace {{ $releaseNamespace }} -o jsonpath='{.data.client-passwords}' | base64 -d | cut -d , -f 1)";
|
||||
{{- end }}
|
||||
{{- if $externalSslEnabled }}
|
||||
{{- $clientTlsType := upper .Values.tls.type }}
|
||||
ssl.truststore.type={{ $clientTlsType }}
|
||||
{{- if eq $clientTlsType "JKS" }}
|
||||
ssl.truststore.location=/tmp/kafka.truststore.jks
|
||||
{{- if not (empty $tlsPassword) }}
|
||||
ssl.truststore.password={{ $tlsPassword }}
|
||||
{{- end }}
|
||||
{{- else if eq .Values.auth.tls.type "pem" }}
|
||||
ssl.truststore.certificates=-----BEGIN CERTIFICATE----- \
|
||||
... \
|
||||
-----END CERTIFICATE-----
|
||||
{{- end }}
|
||||
{{- if eq $tlsEndpointIdentificationAlgorithm "" }}
|
||||
ssl.endpoint.identification.algorithm=
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- else if (include "kafka.externalClient.tlsEncryption" .) }}
|
||||
|
||||
You need to configure your Kafka client to access using TLS authentication. To do so, you need to create the 'client.properties' configuration file with the content below:
|
||||
|
||||
security.protocol={{ $externalClientProtocol }}
|
||||
ssl.truststore.type={{ upper .Values.auth.tls.type }}
|
||||
{{- if eq .Values.auth.tls.type "jks" }}
|
||||
ssl.truststore.location=/tmp/kafka.truststore.{{ .Values.auth.tls.type }}
|
||||
{{- if not (empty $tlsPassword) }}
|
||||
ssl.truststore.password={{ $tlsPassword }}
|
||||
{{- end }}
|
||||
{{- else if eq .Values.auth.tls.type "pem" }}
|
||||
# Uncomment this line if your client truststore is password protected
|
||||
#ssl.truststore.password=
|
||||
{{- else if eq $clientTlsType "PEM" }}
|
||||
ssl.truststore.certificates=-----BEGIN CERTIFICATE----- \
|
||||
... \
|
||||
-----END CERTIFICATE-----
|
||||
{{- end }}
|
||||
{{- if eq .Values.auth.externalClientProtocol "mtls" }}
|
||||
ssl.keystore.type={{ upper .Values.auth.tls.type }}
|
||||
{{- if eq .Values.auth.tls.type "jks" }}
|
||||
{{- if and $externalMTlsEnabled }}
|
||||
ssl.keystore.type={{ $clientTlsType }}
|
||||
{{- if eq $clientTlsType "JKS" }}
|
||||
ssl.keystore.location=/tmp/client.keystore.jks
|
||||
{{- if not (empty $tlsPassword) }}
|
||||
ssl.keystore.password={{ $tlsPassword }}
|
||||
{{- end }}
|
||||
{{- else if eq .Values.auth.tls.type "pem" }}
|
||||
# Uncomment this line if your client truststore is password protected
|
||||
#ssl.keystore.password=
|
||||
{{- else if eq $clientTlsType "PEM" }}
|
||||
ssl.keystore.certificate.chain=-----BEGIN CERTIFICATE----- \
|
||||
... \
|
||||
-----END CERTIFICATE-----
|
||||
ssl.keystore.key=-----BEGIN ENCRYPTED PRIVATE KEY----- \
|
||||
... \
|
||||
-----END ENCRYPTED PRIVATE KEY-----
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if eq $tlsEndpointIdentificationAlgorithm "" }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.tls.endpointIdentificationAlgorithm "" }}
|
||||
ssl.endpoint.identification.algorithm=
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -0,0 +1,50 @@
|
|||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- $replicaCount := int .Values.broker.replicaCount }}
|
||||
{{- if and (include "kafka.broker.createConfigmap" .) (gt $replicaCount 0) }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-broker-configuration" (include "common.names.fullname" .) }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: broker
|
||||
app.kubernetes.io/part-of: kafka
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
{{- if or .Values.config .Values.broker.config }}
|
||||
server.properties: {{- include "common.tplvalues.render" ( dict "value" (coalesce .Values.broker.config .Values.config) "context" $ ) | nindent 4 }}
|
||||
{{- else }}
|
||||
server.properties: |-
|
||||
# Listeners configuration
|
||||
listeners={{ include "kafka.listeners" ( dict "isController" false "context" $ ) }}
|
||||
listener.security.protocol.map={{ include "kafka.securityProtocolMap" . }}
|
||||
advertised.listeners={{ include "kafka.advertisedListeners" . }}
|
||||
{{- if .Values.kraft.enabled }}
|
||||
{{- if not .Values.broker.zookeeperMigrationMode }}
|
||||
# KRaft node role
|
||||
process.roles=broker
|
||||
{{- end -}}
|
||||
{{- include "kafka.kraftConfig" . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.zookeeper.enabled .Values.externalZookeeper.servers }}
|
||||
# Zookeeper configuration
|
||||
{{- include "kafka.zookeeperConfig" . | nindent 4 }}
|
||||
{{- if .Values.broker.zookeeperMigrationMode }}
|
||||
zookeeper.metadata.migration.enable=true
|
||||
inter.broker.protocol.version={{ default (regexFind "^[0-9].[0-9]+" .Chart.AppVersion) .Values.interBrokerProtocolVersion }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- include "kafka.commonConfig" . | nindent 4 }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.extraConfig "context" $ ) | nindent 4 }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.broker.extraConfig "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
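Review bot: The `regexFind "^[0-9].[0-9]+" .Chart.AppVersion` fallback on the inter.broker.protocol.version line leaves the dot unescaped and allows only a single-digit major, so an appVersion such as 10.0.0 yields no match and the property renders empty whenever .Values.interBrokerProtocolVersion is unset. Escaping the separator and allowing multi-digit components fixes both: `inter.broker.protocol.version={{ default (regexFind "^[0-9]+\\.[0-9]+" .Chart.AppVersion) .Values.interBrokerProtocolVersion }}`. The value is only emitted in zookeeperMigrationMode, where a wrong or empty protocol version is presumably rejected by the broker at startup, but the failure surfaces far from the template that caused it.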
|
|
@ -3,15 +3,16 @@ Copyright VMware, Inc.
|
|||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- $replicaCount := int .Values.replicaCount }}
|
||||
{{- if and .Values.pdb.create (gt $replicaCount 1) }}
|
||||
{{- $replicaCount := int .Values.broker.replicaCount }}
|
||||
{{- if and .Values.broker.pdb.create (gt $replicaCount 0) }}
|
||||
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: kafka
|
||||
app.kubernetes.io/component: broker
|
||||
app.kubernetes.io/part-of: kafka
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
|
@ -19,13 +20,14 @@ metadata:
|
|||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.pdb.minAvailable }}
|
||||
minAvailable: {{ .Values.pdb.minAvailable }}
|
||||
{{- if .Values.broker.pdb.minAvailable }}
|
||||
minAvailable: {{ .Values.broker.pdb.minAvailable }}
|
||||
{{- end }}
|
||||
{{- if .Values.pdb.maxUnavailable }}
|
||||
maxUnavailable: {{ .Values.pdb.maxUnavailable }}
|
||||
{{- if .Values.broker.pdb.maxUnavailable }}
|
||||
maxUnavailable: {{ .Values.broker.pdb.maxUnavailable }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
|
||||
app.kubernetes.io/component: kafka
|
||||
app.kubernetes.io/component: broker
|
||||
app.kubernetes.io/part-of: kafka
|
||||
{{- end }}
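Review bot: Lowering the guard from `(gt $replicaCount 1)` to `(gt $replicaCount 0)` means a PodDisruptionBudget is now rendered for a single-replica broker StatefulSet; if `.Values.broker.pdb.minAvailable` is 1 (or `maxUnavailable` is 0) that budget can never be satisfied during a voluntary eviction, so `kubectl drain` and autoscaler scale-down stall on the only broker pod. Either keep the previous `(gt $replicaCount 1)` threshold, or document in values.yaml next to `broker.pdb` that with one replica `maxUnavailable` should be used instead of `minAvailable`. The defaults for `broker.pdb.minAvailable`/`maxUnavailable` are not visible here, so whether the default rendering is affected is inferred.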
|
|
@ -0,0 +1,452 @@
|
|||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- $replicaCount := int .Values.broker.replicaCount }}
|
||||
{{- if gt $replicaCount 0 }}
|
||||
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: {{ printf "%s-broker" (include "common.names.fullname" .) }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: broker
|
||||
app.kubernetes.io/part-of: kafka
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
podManagementPolicy: {{ .Values.broker.podManagementPolicy }}
|
||||
replicas: {{ .Values.broker.replicaCount }}
|
||||
selector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
|
||||
app.kubernetes.io/component: broker
|
||||
app.kubernetes.io/part-of: kafka
|
||||
serviceName: {{ printf "%s-broker-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
|
||||
updateStrategy: {{- include "common.tplvalues.render" (dict "value" .Values.broker.updateStrategy "context" $ ) | nindent 4 }}
|
||||
template:
|
||||
metadata:
|
||||
labels: {{- include "common.labels.standard" . | nindent 8 }}
|
||||
app.kubernetes.io/component: broker
|
||||
app.kubernetes.io/part-of: kafka
|
||||
{{- if .Values.broker.podLabels }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.broker.podLabels "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if (include "kafka.broker.createConfigmap" .) }}
|
||||
checksum/configuration: {{ include (print $.Template.BasePath "/broker/configmap.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if (include "kafka.createSaslSecret" .) }}
|
||||
checksum/passwords-secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if (include "kafka.createTlsSecret" .) }}
|
||||
checksum/tls-secret: {{ include (print $.Template.BasePath "/tls-secret.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if (include "kafka.metrics.jmx.createConfigmap" .) }}
|
||||
checksum/jmx-configuration: {{ include (print $.Template.BasePath "/metrics/jmx-configmap.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.broker.podAnnotations }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.broker.podAnnotations "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include "kafka.imagePullSecrets" . | nindent 6 }}
|
||||
{{- if .Values.broker.hostAliases }}
|
||||
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.broker.hostAliases "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
hostNetwork: {{ .Values.broker.hostNetwork }}
|
||||
hostIPC: {{ .Values.broker.hostIPC }}
|
||||
{{- if .Values.broker.schedulerName }}
|
||||
schedulerName: {{ .Values.broker.schedulerName | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.broker.affinity }}
|
||||
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.broker.affinity "context" $) | nindent 8 }}
|
||||
{{- else }}
|
||||
affinity:
|
||||
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.broker.podAffinityPreset "component" "kafka" "context" $) | nindent 10 }}
|
||||
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.broker.podAntiAffinityPreset "component" "kafka" "context" $) | nindent 10 }}
|
||||
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.broker.nodeAffinityPreset.type "key" .Values.broker.nodeAffinityPreset.key "values" .Values.broker.nodeAffinityPreset.values) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.broker.nodeSelector }}
|
||||
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.broker.nodeSelector "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.broker.tolerations }}
|
||||
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.broker.tolerations "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.broker.topologySpreadConstraints }}
|
||||
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.broker.topologySpreadConstraints "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.broker.terminationGracePeriodSeconds }}
|
||||
terminationGracePeriodSeconds: {{ .Values.broker.terminationGracePeriodSeconds }}
|
||||
{{- end }}
|
||||
{{- if .Values.broker.priorityClassName }}
|
||||
priorityClassName: {{ .Values.broker.priorityClassName }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.runtimeClassName }}
|
||||
runtimeClassName: {{ .Values.controller.runtimeClassName }}
|
||||
{{- end }}
|
||||
{{- if .Values.broker.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.broker.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "kafka.serviceAccountName" . }}
|
||||
initContainers:
|
||||
{{- if and .Values.volumePermissions.enabled .Values.broker.persistence.enabled }}
|
||||
- name: volume-permissions
|
||||
image: {{ include "kafka.volumePermissions.image" . }}
|
||||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||
command:
|
||||
- /bin/bash
|
||||
args:
|
||||
- -ec
|
||||
- |
|
||||
mkdir -p "{{ .Values.broker.persistence.mountPath }}" "{{ .Values.broker.logPersistence.mountPath }}"
|
||||
chown -R {{ .Values.broker.containerSecurityContext.runAsUser }}:{{ .Values.broker.podSecurityContext.fsGroup }} "{{ .Values.broker.persistence.mountPath }}" "{{ .Values.broker.logPersistence.mountPath }}"
|
||||
find "{{ .Values.broker.persistence.mountPath }}" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.broker.containerSecurityContext.runAsUser }}:{{ .Values.broker.podSecurityContext.fsGroup }}
|
||||
find "{{ .Values.broker.logPersistence.mountPath }}" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.broker.containerSecurityContext.runAsUser }}:{{ .Values.broker.podSecurityContext.fsGroup }}
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }}
|
||||
{{- else }}
|
||||
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.volumePermissions.resources }}
|
||||
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: {{ .Values.broker.persistence.mountPath }}
|
||||
- name: logs
|
||||
mountPath: {{ .Values.broker.logPersistence.mountPath }}
|
||||
{{- end }}
|
||||
{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }}
|
||||
{{- include "kafka.autoDiscoveryInitContainer" ( dict "role" "broker" "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- include "kafka.prepareKafkaInitContainer" ( dict "role" "broker" "context" $) | nindent 8 }}
|
||||
{{- if .Values.broker.initContainers }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.broker.initContainers "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.initContainers }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.initContainers "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: kafka
|
||||
image: {{ include "kafka.image" . }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||||
{{- if .Values.broker.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.broker.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
{{- else if .Values.broker.command }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.broker.command "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||
{{- else if .Values.broker.args }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.broker.args "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: BITNAMI_DEBUG
|
||||
value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
|
||||
- name: KAFKA_HEAP_OPTS
|
||||
value: {{ coalesce .Values.broker.heapOpts .Values.heapOpts | quote }}
|
||||
{{- if .Values.kraft.enabled }}
|
||||
- name: KAFKA_KRAFT_CLUSTER_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ printf "%s-kraft-cluster-id" (include "common.names.fullname" .) }}
|
||||
key: kraft-cluster-id
|
||||
{{- if .Values.broker.zookeeperMigrationMode }}
|
||||
- name: KAFKA_SKIP_KRAFT_STORAGE_INIT
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if and (include "kafka.saslEnabled" .) (or (regexFind "SCRAM" (upper .Values.sasl.enabledMechanisms)) (regexFind "SCRAM" (upper .Values.sasl.controllerMechanism)) (regexFind "SCRAM" (upper .Values.sasl.interBrokerMechanism))) }}
|
||||
{{- if or .Values.zookeeper.enabled .Values.externalZookeeper.servers }}
|
||||
- name: KAFKA_ZOOKEEPER_BOOTSTRAP_SCRAM_USERS
|
||||
value: "true"
|
||||
{{- else }}
|
||||
- name: KAFKA_KRAFT_BOOTSTRAP_SCRAM_USERS
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- if and (include "kafka.client.saslEnabled" . ) .Values.sasl.client.users }}
|
||||
- name: KAFKA_CLIENT_USERS
|
||||
value: {{ join "," .Values.sasl.client.users | quote }}
|
||||
- name: KAFKA_CLIENT_PASSWORDS
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "kafka.saslSecretName" . }}
|
||||
key: client-passwords
|
||||
{{- end }}
|
||||
{{- if regexFind "SASL" (upper .Values.listeners.interbroker.protocol) }}
|
||||
- name: KAFKA_INTER_BROKER_USER
|
||||
value: {{ .Values.sasl.interbroker.user | quote }}
|
||||
- name: KAFKA_INTER_BROKER_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "kafka.saslSecretName" . }}
|
||||
key: inter-broker-password
|
||||
{{- end }}
|
||||
{{- if and .Values.kraft.enabled (regexFind "SASL" (upper .Values.listeners.controller.protocol)) }}
|
||||
- name: KAFKA_CONTROLLER_USER
|
||||
value: {{ .Values.sasl.controller.user | quote }}
|
||||
- name: KAFKA_CONTROLLER_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "kafka.saslSecretName" . }}
|
||||
key: controller-password
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.jmx.enabled }}
|
||||
- name: JMX_PORT
|
||||
value: {{ .Values.metrics.jmx.kafkaJmxPort | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.broker.extraEnvVars }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.broker.extraEnvVars "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraEnvVars }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.broker.extraEnvVarsCM .Values.extraEnvVarsCM .Values.broker.extraEnvVarsSecret .Values.extraEnvVarsSecret }}
|
||||
envFrom:
|
||||
{{- if .Values.broker.extraEnvVarsCM }}
|
||||
- configMapRef:
|
||||
name: {{ include "common.tplvalues.render" (dict "value" .Values.broker.extraEnvVarsCM "context" $) }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraEnvVarsCM }}
|
||||
- configMapRef:
|
||||
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
|
||||
{{- end }}
|
||||
{{- if .Values.broker.extraEnvVarsSecret }}
|
||||
- secretRef:
|
||||
name: {{ include "common.tplvalues.render" (dict "value" .Values.broker.extraEnvVarsSecret "context" $) }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraEnvVarsSecret }}
|
||||
- secretRef:
|
||||
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: client
|
||||
containerPort: {{ .Values.listeners.client.containerPort }}
|
||||
- name: interbroker
|
||||
containerPort: {{ .Values.listeners.interbroker.containerPort }}
|
||||
{{- if .Values.externalAccess.enabled }}
|
||||
- name: external
|
||||
containerPort: {{ .Values.listeners.external.containerPort }}
|
||||
{{- end }}
|
||||
{{- if .Values.listeners.extraListeners }}
|
||||
{{- include "kafka.extraListeners.containerPorts" . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.broker.extraContainerPorts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.broker.extraContainerPorts "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if not .Values.diagnosticMode.enabled }}
|
||||
{{- if .Values.broker.customLivenessProbe }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.broker.customLivenessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.broker.livenessProbe.enabled }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.broker.livenessProbe "enabled") "context" $) | nindent 12 }}
|
||||
tcpSocket:
|
||||
port: "client"
|
||||
{{- end }}
|
||||
{{- if .Values.broker.customReadinessProbe }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.broker.customReadinessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.broker.readinessProbe.enabled }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.broker.readinessProbe "enabled") "context" $) | nindent 12 }}
|
||||
tcpSocket:
|
||||
port: "client"
|
||||
{{- end }}
|
||||
{{- if .Values.broker.customStartupProbe }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.broker.customStartupProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.broker.startupProbe.enabled }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.broker.startupProbe "enabled") "context" $) | nindent 12 }}
|
||||
tcpSocket:
|
||||
port: "client"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.broker.lifecycleHooks }}
|
||||
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.broker.lifecycleHooks "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.broker.resources }}
|
||||
resources: {{- toYaml .Values.broker.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: {{ .Values.broker.persistence.mountPath }}
|
||||
- name: logs
|
||||
mountPath: {{ .Values.broker.logPersistence.mountPath }}
|
||||
- name: kafka-config
|
||||
mountPath: /opt/bitnami/kafka/config/server.properties
|
||||
subPath: server.properties
|
||||
- name: tmp
|
||||
mountPath: /tmp
|
||||
{{- if or .Values.log4j .Values.existingLog4jConfigMap }}
|
||||
- name: log4j-config
|
||||
mountPath: /opt/bitnami/kafka/config/log4j.properties
|
||||
subPath: log4j.properties
|
||||
{{- end }}
|
||||
{{- if or .Values.tls.zookeeper.enabled (include "kafka.sslEnabled" .) }}
|
||||
- name: kafka-shared-certs
|
||||
mountPath: /opt/bitnami/kafka/config/certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.extraVolumeMounts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.broker.extraVolumeMounts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.broker.extraVolumeMounts "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.jmx.enabled }}
|
||||
- name: jmx-exporter
|
||||
image: {{ include "kafka.metrics.jmx.image" . }}
|
||||
imagePullPolicy: {{ .Values.metrics.jmx.image.pullPolicy | quote }}
|
||||
{{- if .Values.metrics.jmx.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.metrics.jmx.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||
{{- else }}
|
||||
command:
|
||||
- java
|
||||
args:
|
||||
- -XX:MaxRAMPercentage=100
|
||||
- -XshowSettings:vm
|
||||
- -jar
|
||||
- jmx_prometheus_httpserver.jar
|
||||
- "5556"
|
||||
- /etc/jmx-kafka/jmx-kafka-prometheus.yml
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
|
||||
containerPort: {{ .Values.metrics.jmx.containerPorts.metrics }}
|
||||
{{- if .Values.metrics.jmx.resources }}
|
||||
resources: {{- toYaml .Values.metrics.jmx.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: jmx-config
|
||||
mountPath: /etc/jmx-kafka
|
||||
{{- end }}
|
||||
{{- if .Values.broker.sidecars }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.broker.sidecars "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.sidecars }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: kafka-configmaps
|
||||
configMap:
|
||||
name: {{ include "kafka.broker.configmapName" . }}
|
||||
- name: kafka-config
|
||||
emptyDir: {}
|
||||
- name: tmp
|
||||
emptyDir: {}
|
||||
- name: scripts
|
||||
configMap:
|
||||
name: {{ include "common.names.fullname" . }}-scripts
|
||||
defaultMode: 0755
|
||||
{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }}
|
||||
- name: kafka-autodiscovery-shared
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- if or .Values.log4j .Values.existingLog4jConfigMap }}
|
||||
- name: log4j-config
|
||||
configMap:
|
||||
name: {{ include "kafka.log4j.configMapName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.jmx.enabled }}
|
||||
- name: jmx-config
|
||||
configMap:
|
||||
name: {{ include "kafka.metrics.jmx.configmapName" . }}
|
||||
{{- end }}
|
||||
{{- if or .Values.tls.zookeeper.enabled (include "kafka.sslEnabled" .) }}
|
||||
- name: kafka-shared-certs
|
||||
emptyDir: {}
|
||||
{{- if and (include "kafka.sslEnabled" .) (or .Values.tls.existingSecret .Values.tls.autoGenerated) }}
|
||||
- name: kafka-certs
|
||||
projected:
|
||||
defaultMode: 256
|
||||
sources:
|
||||
- secret:
|
||||
name: {{ include "kafka.tlsSecretName" . }}
|
||||
{{- if .Values.tls.jksTruststoreSecret }}
|
||||
- secret:
|
||||
name: {{ .Values.tls.jksTruststoreSecret }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if and .Values.tls.zookeeper.enabled .Values.tls.zookeeper.existingSecret }}
|
||||
- name: kafka-zookeeper-cert
|
||||
secret:
|
||||
secretName: {{ .Values.tls.zookeeper.existingSecret }}
|
||||
defaultMode: 256
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraVolumes }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.broker.extraVolumes }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.broker.extraVolumes "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if not .Values.broker.persistence.enabled }}
|
||||
- name: data
|
||||
emptyDir: {}
|
||||
{{- else if .Values.broker.persistence.existingClaim }}
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ printf "%s" (tpl .Values.broker.persistence.existingClaim .) }}
|
||||
{{- end }}
|
||||
{{- if not .Values.broker.logPersistence.enabled }}
|
||||
- name: logs
|
||||
emptyDir: {}
|
||||
{{- else if .Values.broker.logPersistence.existingClaim }}
|
||||
- name: logs
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ printf "%s" (tpl .Values.broker.logPersistence.existingClaim .) }}
|
||||
{{- end }}
|
||||
{{- if or (and .Values.broker.persistence.enabled (not .Values.broker.persistence.existingClaim)) (and .Values.broker.logPersistence.enabled (not .Values.broker.logPersistence.existingClaim)) }}
|
||||
volumeClaimTemplates:
|
||||
{{- if and .Values.broker.persistence.enabled (not .Values.broker.persistence.existingClaim) }}
|
||||
- metadata:
|
||||
name: data
|
||||
{{- if .Values.broker.persistence.annotations }}
|
||||
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.broker.persistence.annotations "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.broker.persistence.labels }}
|
||||
labels: {{- include "common.tplvalues.render" (dict "value" .Values.broker.persistence.labels "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes:
|
||||
{{- range .Values.broker.persistence.accessModes }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.broker.persistence.size | quote }}
|
||||
{{- include "common.storage.class" (dict "persistence" .Values.broker.persistence "global" .Values.global) | nindent 8 }}
|
||||
{{- if .Values.broker.persistence.selector }}
|
||||
selector: {{- include "common.tplvalues.render" (dict "value" .Values.broker.persistence.selector "context" $) | nindent 10 }}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
{{- if and .Values.broker.logPersistence.enabled (not .Values.broker.logPersistence.existingClaim) }}
|
||||
- metadata:
|
||||
name: logs
|
||||
{{- if .Values.broker.logPersistence.annotations }}
|
||||
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.broker.logPersistence.annotations "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes:
|
||||
{{- range .Values.broker.logPersistence.accessModes }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.broker.logPersistence.size | quote }}
|
||||
{{- include "common.storage.class" (dict "persistence" .Values.broker.persistence "global" .Values.global) | nindent 8 }}
|
||||
{{- if .Values.broker.logPersistence.selector }}
|
||||
selector: {{- include "common.tplvalues.render" (dict "value" .Values.broker.logPersistence.selector "context" $) | nindent 10 }}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
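Review bot: `runtimeClassName` on the broker pod spec reads `.Values.controller.runtimeClassName` while every other field in this template is taken from `.Values.broker.*`, so a broker-specific runtime class (for example a sandboxed runtime) configured under `broker` is ignored and the controller's is applied instead; this looks like a copy-paste slip and should read `{{- if .Values.broker.runtimeClassName }}` / `runtimeClassName: {{ .Values.broker.runtimeClassName }}`. The same pattern appears in the `logs` volumeClaimTemplate, where `common.storage.class` is called with `"persistence" .Values.broker.persistence` instead of `.Values.broker.logPersistence`, so the logs PVC silently inherits the data volume's storage class. Both podAffinity and podAntiAffinity presets are rendered with `"component" "kafka"` although the pods are labelled `app.kubernetes.io/component: broker`; if `common.affinities.pods` builds its label selector from that component (not visible here), the anti-affinity rule never matches broker pods and they are not spread across nodes.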
|
|
@ -0,0 +1,69 @@
|
|||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.externalAccess.enabled }}
|
||||
{{- $fullname := include "common.names.fullname" . }}
|
||||
{{- $replicaCount := .Values.broker.replicaCount | int }}
|
||||
{{- range $i := until $replicaCount }}
|
||||
{{- $targetPod := printf "%s-broker-%d" (printf "%s" $fullname) $i }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ printf "%s-%d-external" (include "common.names.fullname" $) $i | trunc 63 | trimSuffix "-" }}
|
||||
namespace: {{ include "common.names.namespace" $ | quote }}
|
||||
labels: {{- include "common.labels.standard" $ | nindent 4 }}
|
||||
app.kubernetes.io/component: kafka
|
||||
pod: {{ $targetPod }}
|
||||
{{- if $.Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $.Values.externalAccess.broker.service.labels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" $.Values.externalAccess.broker.service.labels "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if or $.Values.externalAccess.broker.service.annotations $.Values.commonAnnotations $.Values.externalAccess.broker.service.loadBalancerAnnotations }}
|
||||
annotations:
|
||||
{{- if and (not (empty $.Values.externalAccess.broker.service.loadBalancerAnnotations)) (eq (len $.Values.externalAccess.broker.service.loadBalancerAnnotations) $replicaCount) }}
|
||||
{{ include "common.tplvalues.render" ( dict "value" (index $.Values.externalAccess.broker.service.loadBalancerAnnotations $i) "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $.Values.externalAccess.broker.service.annotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" $.Values.externalAccess.broker.service.annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $.Values.commonAnnotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: {{ $.Values.externalAccess.broker.service.type }}
|
||||
{{- if eq $.Values.externalAccess.broker.service.type "LoadBalancer" }}
|
||||
{{- if and (not (empty $.Values.externalAccess.broker.service.loadBalancerIPs)) (eq (len $.Values.externalAccess.broker.service.loadBalancerIPs) $replicaCount) }}
|
||||
loadBalancerIP: {{ index $.Values.externalAccess.broker.service.loadBalancerIPs $i }}
|
||||
{{- end }}
|
||||
{{- if $.Values.externalAccess.broker.service.loadBalancerSourceRanges }}
|
||||
loadBalancerSourceRanges: {{- toYaml $.Values.externalAccess.broker.service.loadBalancerSourceRanges | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
publishNotReadyAddresses: {{ $.Values.externalAccess.broker.service.publishNotReadyAddresses }}
|
||||
ports:
|
||||
- name: tcp-kafka
|
||||
port: {{ $.Values.externalAccess.broker.service.ports.external }}
|
||||
{{- if le (add $i 1) (len $.Values.externalAccess.broker.service.nodePorts) }}
|
||||
nodePort: {{ index $.Values.externalAccess.broker.service.nodePorts $i }}
|
||||
{{- else }}
|
||||
nodePort: null
|
||||
{{- end }}
|
||||
targetPort: external
|
||||
{{- if $.Values.externalAccess.broker.service.extraPorts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" $.Values.externalAccess.broker.service.extraPorts "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if and (eq $.Values.externalAccess.broker.service.type "NodePort") (le (add $i 1) (len $.Values.externalAccess.broker.service.externalIPs)) }}
|
||||
externalIPs: [{{ index $.Values.externalAccess.broker.service.externalIPs $i | quote }}]
|
||||
{{- end }}
|
||||
selector: {{- include "common.labels.matchLabels" $ | nindent 4 }}
|
||||
app.kubernetes.io/part-of: kafka
|
||||
app.kubernetes.io/component: broker
|
||||
statefulset.kubernetes.io/pod-name: {{ $targetPod }}
|
||||
---
|
||||
{{- end }}
|
||||
{{- end }}
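Review bot: The per-replica `loadBalancerIP` and `loadBalancerAnnotations` are applied only when the list length equals `$replicaCount`, so a list of the wrong length is silently ignored and every Service comes up with a cloud-assigned IP and no annotations, which is easy to miss when those annotations carry security-relevant settings such as internal-only load balancers or source restrictions. Unless a validation helper elsewhere in the chart already covers this (not visible here), a guard such as `{{- if and (not (empty $.Values.externalAccess.broker.service.loadBalancerIPs)) (ne (len $.Values.externalAccess.broker.service.loadBalancerIPs) $replicaCount) }}{{- fail "externalAccess.broker.service.loadBalancerIPs must have one entry per broker replica" }}{{- end }}` placed before the range would make the misconfiguration loud. The Service metadata also carries `app.kubernetes.io/component: kafka` while the selector and the other broker resources use `component: broker`, and the Service name `%s-%d-external` omits the role even though `$targetPod` is `%s-broker-%d`; if the controller role renders a parallel set of external Services the names collide.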
|
|
@ -0,0 +1,47 @@
|
|||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- $replicaCount := int .Values.broker.replicaCount }}
|
||||
{{- if gt $replicaCount 0 }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ printf "%s-broker-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: broker
|
||||
app.kubernetes.io/part-of: kafka
|
||||
{{- if .Values.service.headless.broker.labels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.service.headless.broker.labels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.service.headless.broker.annotations .Values.commonAnnotations }}
|
||||
annotations:
|
||||
{{- if .Values.service.headless.broker.annotations }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.service.headless.broker.annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
clusterIP: None
|
||||
publishNotReadyAddresses: true
|
||||
ports:
|
||||
- name: tcp-interbroker
|
||||
port: {{ .Values.service.ports.interbroker }}
|
||||
protocol: TCP
|
||||
targetPort: interbroker
|
||||
- name: tcp-client
|
||||
port: {{ .Values.service.ports.client }}
|
||||
protocol: TCP
|
||||
targetPort: client
|
||||
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: broker
|
||||
app.kubernetes.io/part-of: kafka
|
||||
{{- end }}
|
|
@ -1,22 +0,0 @@
|
|||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if (include "kafka.createConfigmap" .) }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-configuration" (include "common.names.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
server.properties: |-
|
||||
{{ .Values.config | nindent 4 }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,49 @@
|
|||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- $replicaCount := int .Values.controller.replicaCount }}
|
||||
{{- if and .Values.kraft.enabled (include "kafka.controller.createConfigmap" .) (gt $replicaCount 0)}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-controller-configuration" (include "common.names.fullname" .) }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: controller-eligible
|
||||
app.kubernetes.io/part-of: kafka
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
{{- if or .Values.config .Values.controller.config }}
|
||||
server.properties: {{- include "common.tplvalues.render" ( dict "value" (coalesce .Values.controller.config .Values.config) "context" $ ) | nindent 4 }}
|
||||
{{- else }}
|
||||
server.properties: |-
|
||||
# Listeners configuration
|
||||
listeners={{ include "kafka.listeners" ( dict "isController" true "context" $ ) }}
|
||||
{{- if not .Values.controller.controllerOnly }}
|
||||
advertised.listeners={{ include "kafka.advertisedListeners" . }}
|
||||
{{- end }}
|
||||
listener.security.protocol.map={{ include "kafka.securityProtocolMap" . }}
|
||||
{{- if .Values.kraft.enabled }}
|
||||
# KRaft process roles
|
||||
process.roles={{ ternary "controller" "controller,broker" .Values.controller.controllerOnly }}
|
||||
{{- include "kafka.kraftConfig" . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.zookeeper.enabled .Values.externalZookeeper.servers }}
|
||||
# Zookeeper configuration
|
||||
zookeeper.metadata.migration.enable=true
|
||||
inter.broker.protocol.version=3.4
|
||||
inter.broker.protocol.version={{ default (regexFind "^[0-9].[0-9]+" .Chart.AppVersion) .Values.interBrokerProtocolVersion }}
|
||||
{{- include "kafka.zookeeperConfig" . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- include "kafka.commonConfig" . | nindent 4 }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.extraConfig "context" $ ) | nindent 4 }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.controller.extraConfig "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
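Review bot: `inter.broker.protocol.version` is written twice inside the Zookeeper block of the rendered `server.properties` — a hard-coded `inter.broker.protocol.version=3.4` at L4008 immediately followed by the value derived from `.Chart.AppVersion` / `.Values.interBrokerProtocolVersion` at L4011; in a Java properties file the last assignment wins, so the `3.4` line is dead and should be deleted rather than left to mislead whoever reads the ConfigMap. In the derived value the regex `"^[0-9].[0-9]+"` has an unescaped `.` that matches any character, so a version such as `3x4` would still be accepted; `regexFind "^[0-9]+\\.[0-9]+"` expresses the intended major.minor match. The nested `{{- if .Values.kraft.enabled }}` at L3984 also appears redundant, since the file-level guard at L3906 already requires `.Values.kraft.enabled` for anything in this template to render.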
|
|
@ -0,0 +1,33 @@
|
|||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- $replicaCount := int .Values.controller.replicaCount }}
|
||||
{{- if and .Values.controller.pdb.create .Values.kraft.enabled (gt $replicaCount 0) }}
|
||||
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ printf "%s-controller" (include "common.names.fullname" .) }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: controller-eligible
|
||||
app.kubernetes.io/part-of: kafka
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.controller.pdb.minAvailable }}
|
||||
minAvailable: {{ .Values.controller.pdb.minAvailable }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.pdb.maxUnavailable }}
|
||||
maxUnavailable: {{ .Values.controller.pdb.maxUnavailable }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
|
||||
app.kubernetes.io/component: controller-only
|
||||
app.kubernetes.io/part-of: kafka
|
||||
{{- end }}
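Review bot: The PodDisruptionBudget's `selector.matchLabels` at L4127 uses `app.kubernetes.io/component: controller-only`, while this resource's own labels (L4076) and both the selector and pod-template labels of the controller StatefulSet added in the same commit use `controller-eligible`; as written the budget matches no pods and gives the KRaft controllers no eviction protection, which is a silent availability regression during node drains. Change it to `app.kubernetes.io/component: controller-eligible`. Separately, `{{- if .Values.controller.pdb.minAvailable }}` treats `0` as unset, so a deliberate `minAvailable: 0` is dropped from the rendered spec — presumably not intended; worth confirming against the chart's values documentation.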
|
|
@ -0,0 +1,445 @@
|
|||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- $replicaCount := int .Values.controller.replicaCount }}
|
||||
{{- if and .Values.kraft.enabled (gt $replicaCount 0) }}
|
||||
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: {{ printf "%s-controller" (include "common.names.fullname" .) }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: controller-eligible
|
||||
app.kubernetes.io/part-of: kafka
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
podManagementPolicy: {{ .Values.controller.podManagementPolicy }}
|
||||
replicas: {{ .Values.controller.replicaCount }}
|
||||
selector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
|
||||
app.kubernetes.io/component: controller-eligible
|
||||
app.kubernetes.io/part-of: kafka
|
||||
serviceName: {{ printf "%s-controller-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
|
||||
updateStrategy: {{- include "common.tplvalues.render" (dict "value" .Values.controller.updateStrategy "context" $ ) | nindent 4 }}
|
||||
template:
|
||||
metadata:
|
||||
labels: {{- include "common.labels.standard" . | nindent 8 }}
|
||||
app.kubernetes.io/component: controller-eligible
|
||||
app.kubernetes.io/part-of: kafka
|
||||
{{- if .Values.controller.podLabels }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.controller.podLabels "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if (include "kafka.controller.createConfigmap" .) }}
|
||||
checksum/configuration: {{ include (print $.Template.BasePath "/controller-eligible/configmap.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if (include "kafka.createSaslSecret" .) }}
|
||||
checksum/passwords-secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if (include "kafka.createTlsSecret" .) }}
|
||||
checksum/tls-secret: {{ include (print $.Template.BasePath "/tls-secret.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if (include "kafka.metrics.jmx.createConfigmap" .) }}
|
||||
checksum/jmx-configuration: {{ include (print $.Template.BasePath "/metrics/jmx-configmap.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.podAnnotations }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.controller.podAnnotations "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include "kafka.imagePullSecrets" . | nindent 6 }}
|
||||
{{- if .Values.controller.hostAliases }}
|
||||
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.controller.hostAliases "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
hostNetwork: {{ .Values.controller.hostNetwork }}
|
||||
hostIPC: {{ .Values.controller.hostIPC }}
|
||||
{{- if .Values.controller.schedulerName }}
|
||||
schedulerName: {{ .Values.controller.schedulerName | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.affinity }}
|
||||
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.controller.affinity "context" $) | nindent 8 }}
|
||||
{{- else }}
|
||||
affinity:
|
||||
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.controller.podAffinityPreset "component" "kafka" "context" $) | nindent 10 }}
|
||||
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.controller.podAntiAffinityPreset "component" "kafka" "context" $) | nindent 10 }}
|
||||
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.controller.nodeAffinityPreset.type "key" .Values.controller.nodeAffinityPreset.key "values" .Values.controller.nodeAffinityPreset.values) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.nodeSelector }}
|
||||
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.controller.nodeSelector "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.tolerations }}
|
||||
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.controller.tolerations "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.topologySpreadConstraints }}
|
||||
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.controller.topologySpreadConstraints "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.terminationGracePeriodSeconds }}
|
||||
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.priorityClassName }}
|
||||
priorityClassName: {{ .Values.controller.priorityClassName }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.runtimeClassName }}
|
||||
runtimeClassName: {{ .Values.controller.runtimeClassName }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.controller.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "kafka.serviceAccountName" . }}
|
||||
initContainers:
|
||||
{{- if and .Values.volumePermissions.enabled .Values.controller.persistence.enabled }}
|
||||
- name: volume-permissions
|
||||
image: {{ include "kafka.volumePermissions.image" . }}
|
||||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||
command:
|
||||
- /bin/bash
|
||||
args:
|
||||
- -ec
|
||||
- |
|
||||
mkdir -p "{{ .Values.controller.persistence.mountPath }}" "{{ .Values.controller.logPersistence.mountPath }}"
|
||||
chown -R {{ .Values.controller.containerSecurityContext.runAsUser }}:{{ .Values.controller.podSecurityContext.fsGroup }} "{{ .Values.controller.persistence.mountPath }}" "{{ .Values.controller.logPersistence.mountPath }}"
|
||||
find "{{ .Values.controller.persistence.mountPath }}" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.controller.containerSecurityContext.runAsUser }}:{{ .Values.controller.podSecurityContext.fsGroup }}
|
||||
find "{{ .Values.controller.logPersistence.mountPath }}" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.controller.containerSecurityContext.runAsUser }}:{{ .Values.controller.podSecurityContext.fsGroup }}
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }}
|
||||
{{- else }}
|
||||
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.volumePermissions.resources }}
|
||||
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: {{ .Values.controller.persistence.mountPath }}
|
||||
- name: logs
|
||||
mountPath: {{ .Values.controller.logPersistence.mountPath }}
|
||||
{{- end }}
|
||||
{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (or .Values.externalAccess.controller.forceExpose (not .Values.controller.controllerOnly))}}
|
||||
{{- include "kafka.autoDiscoveryInitContainer" ( dict "role" "controller" "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- include "kafka.prepareKafkaInitContainer" ( dict "role" "controller" "context" $) | nindent 8 }}
|
||||
{{- if .Values.controller.initContainers }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.controller.initContainers "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.initContainers }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.initContainers "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: kafka
|
||||
image: {{ include "kafka.image" . }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||||
{{- if .Values.controller.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.controller.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
{{- else if .Values.controller.command }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.controller.command "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||
{{- else if .Values.controller.args }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.controller.args "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: BITNAMI_DEBUG
|
||||
value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
|
||||
- name: KAFKA_HEAP_OPTS
|
||||
value: {{ coalesce .Values.controller.heapOpts .Values.heapOpts | quote }}
|
||||
- name: KAFKA_KRAFT_CLUSTER_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ printf "%s-kraft-cluster-id" (include "common.names.fullname" .) }}
|
||||
key: kraft-cluster-id
|
||||
{{- if and (include "kafka.saslEnabled" .) (or (regexFind "SCRAM" (upper .Values.sasl.enabledMechanisms)) (regexFind "SCRAM" (upper .Values.sasl.controllerMechanism)) (regexFind "SCRAM" (upper .Values.sasl.interBrokerMechanism))) }}
|
||||
- name: KAFKA_KRAFT_BOOTSTRAP_SCRAM_USERS
|
||||
value: "true"
|
||||
{{- if and (include "kafka.client.saslEnabled" . ) .Values.sasl.client.users }}
|
||||
- name: KAFKA_CLIENT_USERS
|
||||
value: {{ join "," .Values.sasl.client.users | quote }}
|
||||
- name: KAFKA_CLIENT_PASSWORDS
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "kafka.saslSecretName" . }}
|
||||
key: client-passwords
|
||||
{{- end }}
|
||||
{{- if regexFind "SASL" (upper .Values.listeners.interbroker.protocol) }}
|
||||
- name: KAFKA_INTER_BROKER_USER
|
||||
value: {{ .Values.sasl.interbroker.user | quote }}
|
||||
- name: KAFKA_INTER_BROKER_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "kafka.saslSecretName" . }}
|
||||
key: inter-broker-password
|
||||
{{- end }}
|
||||
{{- if regexFind "SASL" (upper .Values.listeners.controller.protocol) }}
|
||||
- name: KAFKA_CONTROLLER_USER
|
||||
value: {{ .Values.sasl.controller.user | quote }}
|
||||
- name: KAFKA_CONTROLLER_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "kafka.saslSecretName" . }}
|
||||
key: controller-password
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.jmx.enabled }}
|
||||
- name: JMX_PORT
|
||||
value: {{ .Values.metrics.jmx.kafkaJmxPort | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.extraEnvVars }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.controller.extraEnvVars "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraEnvVars }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.controller.extraEnvVarsCM .Values.extraEnvVarsCM .Values.controller.extraEnvVarsSecret .Values.extraEnvVarsSecret }}
|
||||
envFrom:
|
||||
{{- if .Values.controller.extraEnvVarsCM }}
|
||||
- configMapRef:
|
||||
name: {{ include "common.tplvalues.render" (dict "value" .Values.controller.extraEnvVarsCM "context" $) }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraEnvVarsCM }}
|
||||
- configMapRef:
|
||||
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.extraEnvVarsSecret }}
|
||||
- secretRef:
|
||||
name: {{ include "common.tplvalues.render" (dict "value" .Values.controller.extraEnvVarsSecret "context" $) }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraEnvVarsSecret }}
|
||||
- secretRef:
|
||||
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: controller
|
||||
containerPort: {{ .Values.listeners.controller.containerPort }}
|
||||
{{- if not .Values.controller.controllerOnly }}
|
||||
- name: client
|
||||
containerPort: {{ .Values.listeners.client.containerPort }}
|
||||
- name: interbroker
|
||||
containerPort: {{ .Values.listeners.interbroker.containerPort }}
|
||||
{{- if .Values.externalAccess.enabled }}
|
||||
- name: external
|
||||
containerPort: {{ .Values.listeners.external.containerPort }}
|
||||
{{- end }}
|
||||
{{- if .Values.listeners.extraListeners }}
|
||||
{{- include "kafka.extraListeners.containerPorts" . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.extraContainerPorts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.controller.extraContainerPorts "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if not .Values.diagnosticMode.enabled }}
|
||||
{{- if .Values.controller.customLivenessProbe }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.controller.customLivenessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.controller.livenessProbe.enabled }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.controller.livenessProbe "enabled") "context" $) | nindent 12 }}
|
||||
tcpSocket:
|
||||
port: "controller"
|
||||
{{- end }}
|
||||
{{- if .Values.controller.customReadinessProbe }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.controller.customReadinessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.controller.readinessProbe.enabled }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.controller.readinessProbe "enabled") "context" $) | nindent 12 }}
|
||||
tcpSocket:
|
||||
port: "controller"
|
||||
{{- end }}
|
||||
{{- if .Values.controller.customStartupProbe }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.controller.customStartupProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.controller.startupProbe.enabled }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.controller.startupProbe "enabled") "context" $) | nindent 12 }}
|
||||
tcpSocket:
|
||||
port: "controller"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.lifecycleHooks }}
|
||||
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.controller.lifecycleHooks "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.resources }}
|
||||
resources: {{- toYaml .Values.controller.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: {{ .Values.controller.persistence.mountPath }}
|
||||
- name: logs
|
||||
mountPath: {{ .Values.controller.logPersistence.mountPath }}
|
||||
- name: kafka-config
|
||||
mountPath: /opt/bitnami/kafka/config/server.properties
|
||||
subPath: server.properties
|
||||
- name: tmp
|
||||
mountPath: /tmp
|
||||
{{- if or .Values.log4j .Values.existingLog4jConfigMap }}
|
||||
- name: log4j-config
|
||||
mountPath: /opt/bitnami/kafka/config/log4j.properties
|
||||
subPath: log4j.properties
|
||||
{{- end }}
|
||||
{{- if or .Values.tls.zookeeper.enabled (include "kafka.sslEnabled" .) }}
|
||||
- name: kafka-shared-certs
|
||||
mountPath: /opt/bitnami/kafka/config/certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.extraVolumeMounts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.extraVolumeMounts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.controller.extraVolumeMounts "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.jmx.enabled }}
|
||||
- name: jmx-exporter
|
||||
image: {{ include "kafka.metrics.jmx.image" . }}
|
||||
imagePullPolicy: {{ .Values.metrics.jmx.image.pullPolicy | quote }}
|
||||
{{- if .Values.metrics.jmx.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.metrics.jmx.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||
{{- else }}
|
||||
command:
|
||||
- java
|
||||
args:
|
||||
- -XX:MaxRAMPercentage=100
|
||||
- -XshowSettings:vm
|
||||
- -jar
|
||||
- jmx_prometheus_httpserver.jar
|
||||
- "5556"
|
||||
- /etc/jmx-kafka/jmx-kafka-prometheus.yml
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
|
||||
containerPort: {{ .Values.metrics.jmx.containerPorts.metrics }}
|
||||
{{- if .Values.metrics.jmx.resources }}
|
||||
resources: {{- toYaml .Values.metrics.jmx.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: jmx-config
|
||||
mountPath: /etc/jmx-kafka
|
||||
{{- end }}
|
||||
{{- if .Values.controller.sidecars }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.controller.sidecars "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.sidecars }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: kafka-configmaps
|
||||
configMap:
|
||||
name: {{ include "kafka.controller.configmapName" . }}
|
||||
- name: kafka-config
|
||||
emptyDir: {}
|
||||
- name: tmp
|
||||
emptyDir: {}
|
||||
- name: scripts
|
||||
configMap:
|
||||
name: {{ include "common.names.fullname" . }}-scripts
|
||||
defaultMode: 0755
|
||||
{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }}
|
||||
- name: kafka-autodiscovery-shared
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- if or .Values.log4j .Values.existingLog4jConfigMap }}
|
||||
- name: log4j-config
|
||||
configMap:
|
||||
name: {{ include "kafka.log4j.configMapName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.jmx.enabled }}
|
||||
- name: jmx-config
|
||||
configMap:
|
||||
name: {{ include "kafka.metrics.jmx.configmapName" . }}
|
||||
{{- end }}
|
||||
{{- if or .Values.tls.zookeeper.enabled (include "kafka.sslEnabled" .) }}
|
||||
- name: kafka-shared-certs
|
||||
emptyDir: {}
|
||||
{{- if and (include "kafka.sslEnabled" .) (or .Values.tls.existingSecret .Values.tls.autoGenerated) }}
|
||||
- name: kafka-certs
|
||||
projected:
|
||||
defaultMode: 256
|
||||
sources:
|
||||
- secret:
|
||||
name: {{ include "kafka.tlsSecretName" . }}
|
||||
{{- if .Values.tls.jksTruststoreSecret }}
|
||||
- secret:
|
||||
name: {{ .Values.tls.jksTruststoreSecret }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if and .Values.tls.zookeeper.enabled .Values.tls.zookeeper.existingSecret }}
|
||||
- name: kafka-zookeeper-cert
|
||||
secret:
|
||||
secretName: {{ .Values.tls.zookeeper.existingSecret }}
|
||||
defaultMode: 256
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraVolumes }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.extraVolumes }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.controller.extraVolumes "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if not .Values.controller.persistence.enabled }}
|
||||
- name: data
|
||||
emptyDir: {}
|
||||
{{- else if .Values.controller.persistence.existingClaim }}
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ printf "%s" (tpl .Values.controller.persistence.existingClaim .) }}
|
||||
{{- end }}
|
||||
{{- if not .Values.controller.logPersistence.enabled }}
|
||||
- name: logs
|
||||
emptyDir: {}
|
||||
{{- else if .Values.controller.logPersistence.existingClaim }}
|
||||
- name: logs
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ printf "%s" (tpl .Values.controller.logPersistence.existingClaim .) }}
|
||||
{{- end }}
|
||||
{{- if or (and .Values.controller.persistence.enabled (not .Values.controller.persistence.existingClaim)) (and .Values.controller.logPersistence.enabled (not .Values.controller.logPersistence.existingClaim)) }}
|
||||
volumeClaimTemplates:
|
||||
{{- if and .Values.controller.persistence.enabled (not .Values.controller.persistence.existingClaim) }}
|
||||
- metadata:
|
||||
name: data
|
||||
{{- if .Values.controller.persistence.annotations }}
|
||||
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.controller.persistence.annotations "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.persistence.labels }}
|
||||
labels: {{- include "common.tplvalues.render" (dict "value" .Values.controller.persistence.labels "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes:
|
||||
{{- range .Values.controller.persistence.accessModes }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.controller.persistence.size | quote }}
|
||||
{{- include "common.storage.class" (dict "persistence" .Values.controller.persistence "global" .Values.global) | nindent 8 }}
|
||||
{{- if .Values.controller.persistence.selector }}
|
||||
selector: {{- include "common.tplvalues.render" (dict "value" .Values.controller.persistence.selector "context" $) | nindent 10 }}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
{{- if and .Values.controller.logPersistence.enabled (not .Values.controller.logPersistence.existingClaim) }}
|
||||
- metadata:
|
||||
name: logs
|
||||
{{- if .Values.controller.logPersistence.annotations }}
|
||||
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.controller.logPersistence.annotations "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes:
|
||||
{{- range .Values.controller.logPersistence.accessModes }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.controller.logPersistence.size | quote }}
|
||||
{{- include "common.storage.class" (dict "persistence" .Values.controller.persistence "global" .Values.global) | nindent 8 }}
|
||||
{{- if .Values.controller.logPersistence.selector }}
|
||||
selector: {{- include "common.tplvalues.render" (dict "value" .Values.controller.logPersistence.selector "context" $) | nindent 10 }}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
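Review bot: The `logs` volumeClaimTemplate at L5452 passes `.Values.controller.persistence` to `common.storage.class`, so the log PVC always inherits the data volume's storage class and any storage class set under `controller.logPersistence` is ignored; it should read `{{- include "common.storage.class" (dict "persistence" .Values.controller.logPersistence "global" .Values.global) | nindent 8 }}`, mirroring the data template at L5395. The `kafka-autodiscovery-shared` emptyDir at L5164 is declared whenever `externalAccess.autoDiscovery.enabled` is set, whereas the init container that uses it (L4504) is additionally gated on `externalAccess.controller.forceExpose` / `controller.controllerOnly`, which seems to leave an unused volume in the controller-only case — harmless, but the two conditions should probably match. The `printf "%s" (tpl ...)` wrappers at L5308 and L5332 add nothing over `tpl ... .` alone and can be simplified.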
|
|
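--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,71 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.kraft.enabled .Values.externalAccess.enabled }}
+{{- $fullname := include "common.names.fullname" . }}
+{{- if or .Values.externalAccess.controller.forceExpose (not .Values.controller.controllerOnly)}}
+{{- $replicaCount := .Values.controller.replicaCount | int }}
+{{- range $i := until $replicaCount }}
+{{- $targetPod := printf "%s-controller-%d" $fullname $i }}
+apiVersion: v1
+kind: Service
+metadata:
+name: {{ printf "%s-controller-%d-external" $fullname $i | trunc 63 | trimSuffix "-" }}
+namespace: {{ include "common.names.namespace" $ | quote }}
+labels: {{- include "common.labels.standard" $ | nindent 4 }}
+app.kubernetes.io/component: kafka
+pod: {{ $targetPod }}
+{{- if $.Values.commonLabels }}
+{{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }}
+{{- end }}
+{{- if $.Values.externalAccess.controller.service.labels }}
+{{- include "common.tplvalues.render" ( dict "value" $.Values.externalAccess.controller.service.labels "context" $) | nindent 4 }}
+{{- end }}
+{{- if or $.Values.externalAccess.controller.service.annotations $.Values.commonAnnotations $.Values.externalAccess.controller.service.loadBalancerAnnotations }}
+annotations:
+{{- if and (not (empty $.Values.externalAccess.controller.service.loadBalancerAnnotations)) (eq (len $.Values.externalAccess.controller.service.loadBalancerAnnotations) $replicaCount) }}
+{{ include "common.tplvalues.render" ( dict "value" (index $.Values.externalAccess.controller.service.loadBalancerAnnotations $i) "context" $) | nindent 4 }}
+{{- end }}
+{{- if $.Values.externalAccess.controller.service.annotations }}
+{{- include "common.tplvalues.render" ( dict "value" $.Values.externalAccess.controller.service.annotations "context" $) | nindent 4 }}
+{{- end }}
+{{- if $.Values.commonAnnotations }}
+{{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
+{{- end }}
+{{- end }}
+spec:
+type: {{ $.Values.externalAccess.controller.service.type }}
+{{- if eq $.Values.externalAccess.controller.service.type "LoadBalancer" }}
+{{- if and (not (empty $.Values.externalAccess.controller.service.loadBalancerIPs)) (eq (len $.Values.externalAccess.controller.service.loadBalancerIPs) $replicaCount) }}
+loadBalancerIP: {{ index $.Values.externalAccess.controller.service.loadBalancerIPs $i }}
+{{- end }}
+{{- if $.Values.externalAccess.controller.service.loadBalancerSourceRanges }}
+loadBalancerSourceRanges: {{- toYaml $.Values.externalAccess.controller.service.loadBalancerSourceRanges | nindent 4 }}
+{{- end }}
+{{- end }}
+publishNotReadyAddresses: {{ $.Values.externalAccess.controller.service.publishNotReadyAddresses }}
+ports:
+- name: tcp-kafka
+port: {{ $.Values.externalAccess.controller.service.ports.external }}
+{{- if le (add $i 1) (len $.Values.externalAccess.controller.service.nodePorts) }}
+nodePort: {{ index $.Values.externalAccess.controller.service.nodePorts $i }}
+{{- else }}
+nodePort: null
+{{- end }}
+targetPort: external
+{{- if $.Values.externalAccess.controller.service.extraPorts }}
+{{- include "common.tplvalues.render" (dict "value" $.Values.externalAccess.controller.service.extraPorts "context" $) | nindent 4 }}
+{{- end }}
+{{- if and (eq $.Values.externalAccess.controller.service.type "NodePort") (le (add $i 1) (len $.Values.externalAccess.controller.service.externalIPs)) }}
+externalIPs: [{{ index $.Values.externalAccess.controller.service.externalIPs $i | quote }}]
+{{- end }}
+selector: {{- include "common.labels.matchLabels" $ | nindent 4 }}
+app.kubernetes.io/part-of: kafka
+app.kubernetes.io/component: controller-eligible
+statefulset.kubernetes.io/pod-name: {{ $targetPod }}
+---
+{{- end }}
+{{- end }}
+{{- end }}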
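Review bot: The `loadBalancerIPs` gate at `{{- if and (not (empty … loadBalancerIPs)) (eq (len … loadBalancerIPs) $replicaCount) }}` silently drops the pinned address whenever the list length does not match the controller replica count, so a misconfigured release gets a cloud-assigned IP with no warning; that matters here because these Services expose each controller pod externally and the `loadBalancerSourceRanges` block just below is the only visible restriction. The same silent skip applies to `loadBalancerAnnotations` a few lines earlier, while `nodePorts` and `externalIPs` tolerate a shorter list via `le (add $i 1) (len …)`, so two different contracts coexist in one resource. I would make the mismatch a render error: `{{- if and (not (empty $.Values.externalAccess.controller.service.loadBalancerIPs)) (ne (len $.Values.externalAccess.controller.service.loadBalancerIPs) $replicaCount) }}` / `{{- fail "externalAccess.controller.service.loadBalancerIPs must contain one entry per controller replica" }}` / `{{- end }}`.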
|
|
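--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,55 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- $replicaCount := int .Values.controller.replicaCount }}
+{{- if and .Values.kraft.enabled (gt $replicaCount 0) }}
+apiVersion: v1
+kind: Service
+metadata:
+name: {{ printf "%s-controller-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
+namespace: {{ include "common.names.namespace" . | quote }}
+labels: {{- include "common.labels.standard" . | nindent 4 }}
+app.kubernetes.io/component: controller-eligible
+app.kubernetes.io/part-of: kafka
+{{- if .Values.service.headless.controller.labels }}
+{{- include "common.tplvalues.render" ( dict "value" .Values.service.headless.controller.labels "context" $ ) | nindent 4 }}
+{{- end }}
+{{- if .Values.commonLabels }}
+{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+{{- end }}
+{{- if or .Values.service.headless.controller.annotations .Values.commonAnnotations }}
+annotations:
+{{- if .Values.service.headless.controller.annotations }}
+{{- include "common.tplvalues.render" (dict "value" .Values.service.headless.controller.annotations "context" $) | nindent 4 }}
+{{- end }}
+{{- if .Values.commonAnnotations }}
+{{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }}
+{{- end }}
+{{- end }}
+spec:
+type: ClusterIP
+clusterIP: None
+publishNotReadyAddresses: true
+ports:
+{{- if or (not .Values.kraft.enabled) (not .Values.controller.controllerOnly) }}
+- name: tcp-interbroker
+port: {{ .Values.service.ports.interbroker }}
+protocol: TCP
+targetPort: interbroker
+- name: tcp-client
+port: {{ .Values.service.ports.client }}
+protocol: TCP
+targetPort: client
+{{- end }}
+{{- if .Values.kraft.enabled }}
+- name: tcp-controller
+protocol: TCP
+port: {{ .Values.service.ports.controller }}
+targetPort: controller
+{{- end }}
+selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+app.kubernetes.io/component: controller-eligible
+app.kubernetes.io/part-of: kafka
+{{- end }}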
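Review bot: The `(not .Values.kraft.enabled)` alternative in `{{- if or (not .Values.kraft.enabled) (not .Values.controller.controllerOnly) }}` can never hold, because the whole resource is wrapped in `{{- if and .Values.kraft.enabled (gt $replicaCount 0) }}` at the top, and the later `{{- if .Values.kraft.enabled }}` around `tcp-controller` is likewise always true. Either the outer guard is too strict (if controller pods also run in ZooKeeper mode they lose their headless Service, which the metrics Deployment in this commit targets as `<fullname>-controller-headless`) or the inner conditions are leftovers; I cannot tell which from the hunk. If the outer guard is intended, simplify the port block to `{{- if not .Values.controller.controllerOnly }}` and drop the inner `kraft.enabled` check; otherwise relax the outer guard to `{{- if gt $replicaCount 0 }}`.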
|
|
@ -1,100 +0,0 @@
|
|||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
|
||||
{{- $port := print .Values.service.ports.client }}
|
||||
{{- $host := list }}
|
||||
{{- $bootstrapServers := list }}
|
||||
{{- range $i, $e := until (int .Values.replicaCount) }}
|
||||
{{- $broker := printf "%s-%s.%s-headless.%s.svc.%s" (include "common.names.fullname" $) (print $i) (include "common.names.fullname" $) $.Release.Namespace $.Values.clusterDomain }}
|
||||
{{- $host = append $host $broker }}
|
||||
{{- $bootstrapServers = append $bootstrapServers (printf "%s:%s" $broker $port) }}
|
||||
{{- end }}
|
||||
{{- $clientUsers := .Values.auth.sasl.jaas.clientUsers }}
|
||||
{{- $clientPasswords := .Values.auth.sasl.jaas.clientPasswords }}
|
||||
{{- if not $clientPasswords }}
|
||||
{{- $clientPasswords = list }}
|
||||
{{- range $clientUsers }}
|
||||
{{- $clientPasswords = append $clientPasswords (randAlphaNum 10) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if (include "kafka.createJaasSecret" .) }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ printf "%s-jaas" (include "common.names.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- if (include "kafka.client.saslAuthentication" .) }}
|
||||
client-passwords: {{ join "," $clientPasswords | b64enc | quote }}
|
||||
system-user-password: {{ index $clientPasswords 0 | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- $zookeeperUser := .Values.auth.sasl.jaas.zookeeperUser }}
|
||||
{{- if and .Values.zookeeper.auth.client.enabled $zookeeperUser }}
|
||||
{{- $zookeeperPassword := .Values.auth.sasl.jaas.zookeeperPassword }}
|
||||
zookeeper-password: {{ default (randAlphaNum 10) $zookeeperPassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if (include "kafka.interBroker.saslAuthentication" .) }}
|
||||
{{- $interBrokerPassword := .Values.auth.sasl.jaas.interBrokerPassword }}
|
||||
inter-broker-password: {{ default (randAlphaNum 10) $interBrokerPassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.serviceBindings.enabled }}
|
||||
{{- if (include "kafka.client.saslAuthentication" .) }}
|
||||
{{- range $i, $e := until (len $clientUsers) }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" $ }}-svcbind-user-{{ $i }}
|
||||
namespace: {{ $.Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" $ | nindent 4 }}
|
||||
{{- if $.Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $.Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: servicebinding.io/kafka
|
||||
data:
|
||||
provider: {{ print "bitnami" | b64enc | quote }}
|
||||
type: {{ print "kafka" | b64enc | quote }}
|
||||
username: {{ index $clientUsers $i | b64enc | quote }}
|
||||
password: {{ index $clientPasswords $i | b64enc | quote }}
|
||||
host: {{ join "," $host | b64enc | quote }}
|
||||
port: {{ print $port | b64enc | quote }}
|
||||
bootstrap-servers: {{ join "," $bootstrapServers | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}-svcbind
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: servicebinding.io/kafka
|
||||
data:
|
||||
provider: {{ print "bitnami" | b64enc | quote }}
|
||||
type: {{ print "kafka" | b64enc | quote }}
|
||||
host: {{ join "," $host | b64enc | quote }}
|
||||
port: {{ print $port | b64enc | quote }}
|
||||
bootstrap-servers: {{ join "," $bootstrapServers | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -3,13 +3,14 @@ Copyright VMware, Inc.
|
|||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if (include "kafka.log4j.createConfigMap" .) }}
|
||||
{{- if and .Values.log4j (not .Values.existingLog4jConfigMap) }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "kafka.log4j.configMapName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
name: {{- printf "%s-log4j-configuration" (include "common.names.fullname" .) -}}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/part-of: kafka
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
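Review bot: `name: {{- printf "%s-log4j-configuration" (include "common.names.fullname" .) -}}` trims whitespace on both sides of the action, so as printed the rendered output becomes `name:<release>-log4j-configuration` with the following `namespace:` key appended to the same line, which is not a valid mapping; the line it replaces used a plain `{{ … }}` action. This only renders when `.Values.log4j` is set, so default lint and tests may not catch it. Use `name: {{ printf "%s-log4j-configuration" (include "common.names.fullname" .) }}`, and consider keeping a single named helper for this ConfigMap name so the provisioning Job's `configMap.name` reference in this same commit cannot drift from the resource it mounts.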
|
||||
|
@ -19,4 +20,4 @@ metadata:
|
|||
data:
|
||||
log4j.properties: |-
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.log4j "context" $ ) | nindent 4 }}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
|
|
|
@ -4,8 +4,7 @@ SPDX-License-Identifier: APACHE-2.0
|
|||
*/}}
|
||||
|
||||
{{- if .Values.metrics.kafka.enabled }}
|
||||
{{- $replicaCount := int .Values.replicaCount -}}
|
||||
{{- $releaseNamespace := .Release.Namespace -}}
|
||||
{{- $releaseNamespace := include "common.names.namespace" . -}}
|
||||
{{- $clusterDomain := .Values.clusterDomain -}}
|
||||
{{- $fullname := include "common.names.fullname" . -}}
|
||||
{{- $servicePort := int .Values.service.ports.client -}}
|
||||
|
@ -13,7 +12,7 @@ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
|
|||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "kafka.metrics.kafka.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: cluster-metrics
|
||||
{{- if .Values.commonLabels }}
|
||||
|
@ -97,16 +96,19 @@ spec:
|
|||
- -ce
|
||||
- |
|
||||
kafka_exporter \
|
||||
{{- range $i, $e := until $replicaCount }}
|
||||
--kafka.server={{ $fullname }}-{{ $i }}.{{ $fullname }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $servicePort }} \
|
||||
{{- range $i := until (int .Values.controller.replicaCount) }}
|
||||
--kafka.server={{ $fullname }}-controller-{{ $i }}.{{ $fullname }}-controller-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $servicePort }} \
|
||||
{{- end }}
|
||||
{{- if (include "kafka.client.saslAuthentication" .) }}
|
||||
{{- range $i := until (int .Values.broker.replicaCount) }}
|
||||
--kafka.server={{ $fullname }}-broker-{{ $i }}.{{ $fullname }}-broker-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $servicePort }} \
|
||||
{{- end }}
|
||||
{{- if regexFind "SASL" (upper .Values.listeners.client.protocol) }}
|
||||
--sasl.enabled \
|
||||
--sasl.username=$SASL_USERNAME \
|
||||
--sasl.password=$SASL_USER_PASSWORD \
|
||||
--sasl.mechanism={{ include "kafka.metrics.kafka.saslMechanism" . }} \
|
||||
{{- end }}
|
||||
{{- if (include "kafka.client.tlsEncryption" .) }}
|
||||
{{- if regexFind "SSL" (upper .Values.listeners.client.protocol) }}
|
||||
--tls.enabled \
|
||||
{{- if .Values.metrics.kafka.certificatesSecret }}
|
||||
--tls.key-file=/opt/bitnami/kafka-exporter/certs/{{ .Values.metrics.kafka.tlsKey }} \
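Review bot: The new controller loop adds every controller pod as a `--kafka.server` target, but when `controller.controllerOnly` is true those pods do not serve the client listener (elsewhere in this commit the controller headless Service publishes the client port only when `controllerOnly` is false), so the exporter would keep retrying endpoints that never answer on that port. Gate the loop with `{{- if not .Values.controller.controllerOnly }}` … `{{- end }}` around the `{{- range $i := until (int .Values.controller.replicaCount) }}` block, mirroring the condition used for the headless Service. The exporter command continues outside the hunk.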
|
||||
|
@ -123,17 +125,16 @@ spec:
|
|||
{{- end }}
|
||||
--web.listen-address=:{{ .Values.metrics.kafka.containerPorts.metrics }}
|
||||
{{- end }}
|
||||
{{- if (include "kafka.client.saslAuthentication" .) }}
|
||||
{{- $clientUsers := .Values.auth.sasl.jaas.clientUsers }}
|
||||
{{- if regexFind "SASL" (upper .Values.listeners.client.protocol) }}
|
||||
env:
|
||||
- name: SASL_USERNAME
|
||||
value: {{ index $clientUsers 0 | quote }}
|
||||
value: {{ index .Values.sasl.client.users 0 | quote }}
|
||||
- name: SASL_USER_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "kafka.jaasSecretName" . }}
|
||||
name: {{ include "kafka.saslSecretName" . }}
|
||||
key: system-user-password
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
|
||||
containerPort: {{ .Values.metrics.kafka.containerPorts.metrics }}
|
||||
|
@ -144,7 +145,7 @@ spec:
|
|||
{{- if .Values.metrics.kafka.extraVolumeMounts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.kafka.extraVolumeMounts "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if and (include "kafka.client.tlsEncryption" .) .Values.metrics.kafka.certificatesSecret }}
|
||||
{{- if and (regexFind "SSL" (upper .Values.listeners.client.protocol)) .Values.metrics.kafka.certificatesSecret }}
|
||||
- name: kafka-exporter-certificates
|
||||
mountPath: /opt/bitnami/kafka-exporter/certs/
|
||||
readOnly: true
|
||||
|
@ -161,7 +162,7 @@ spec:
|
|||
{{- if .Values.metrics.kafka.extraVolumes }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.kafka.extraVolumes "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and (include "kafka.client.tlsEncryption" .) .Values.metrics.kafka.certificatesSecret }}
|
||||
{{- if and (regexFind "SSL" (upper .Values.listeners.client.protocol)) .Values.metrics.kafka.certificatesSecret }}
|
||||
- name: kafka-exporter-certificates
|
||||
secret:
|
||||
secretName: {{ .Values.metrics.kafka.certificatesSecret }}
|
|
@ -8,7 +8,7 @@ apiVersion: v1
|
|||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-jmx-configuration" (include "common.names.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: metrics
|
||||
{{- if .Values.commonLabels }}
|
|
@ -11,7 +11,7 @@ metadata:
|
|||
{{- if .Values.metrics.serviceMonitor.namespace }}
|
||||
namespace: {{ .Values.metrics.serviceMonitor.namespace }}
|
||||
{{- else }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
{{- end }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: metrics
|
||||
|
@ -54,5 +54,5 @@ spec:
|
|||
{{- end }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ .Release.Namespace }}
|
||||
- {{ include "common.names.namespace" . }}
|
||||
{{- end }}
|
|
@ -8,7 +8,7 @@ apiVersion: v1
|
|||
kind: Service
|
||||
metadata:
|
||||
name: {{ printf "%s-jmx-metrics" (include "common.names.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: metrics
|
||||
{{- if .Values.commonLabels }}
|
|
@ -8,7 +8,7 @@ apiVersion: v1
|
|||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ template "kafka.metrics.kafka.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: cluster-metrics
|
||||
{{- if .Values.commonLabels }}
|
|
@ -11,7 +11,7 @@ metadata:
|
|||
{{- if .Values.metrics.serviceMonitor.namespace }}
|
||||
namespace: {{ .Values.metrics.serviceMonitor.namespace }}
|
||||
{{- else }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
{{- end }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: cluster-metrics
|
||||
|
@ -54,5 +54,5 @@ spec:
|
|||
{{- end }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ .Release.Namespace }}
|
||||
- {{ include "common.names.namespace" . }}
|
||||
{{- end }}
|
|
@ -8,7 +8,7 @@ apiVersion: v1
|
|||
kind: Service
|
||||
metadata:
|
||||
name: {{ printf "%s-metrics" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: cluster-metrics
|
||||
{{- if .Values.commonLabels }}
|
|
@ -8,7 +8,7 @@ kind: NetworkPolicy
|
|||
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||
metadata:
|
||||
name: {{ printf "%s-egress" (include "common.names.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
|
@ -8,7 +8,7 @@ kind: NetworkPolicy
|
|||
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||
metadata:
|
||||
name: {{ printf "%s-ingress" (include "common.names.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
|
@ -25,7 +25,7 @@ spec:
|
|||
ingress:
|
||||
# Allow client connections
|
||||
- ports:
|
||||
- port: {{ .Values.containerPorts.client }}
|
||||
- port: {{ .Values.listeners.client.containerPort }}
|
||||
{{- if not .Values.networkPolicy.allowExternal }}
|
||||
from:
|
||||
- podSelector:
|
||||
|
@ -37,7 +37,7 @@ spec:
|
|||
{{- end }}
|
||||
# Allow communication inter-broker
|
||||
- ports:
|
||||
- port: {{ .Values.containerPorts.internal }}
|
||||
- port: {{ .Values.listeners.interbroker.containerPort }}
|
||||
from:
|
||||
- podSelector:
|
||||
matchLabels:
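Review bot: The ingress rules visible in this file still cover only the client, inter-broker and external listeners, while the commit introduces a `tcp-controller` port on the controller headless Service; with `networkPolicy.enabled` and a default-deny posture, KRaft quorum traffic between controller-eligible pods on the controller listener would be blocked, assuming no rule for it exists outside these hunks. Add a rule next to the inter-broker one, e.g. `# Allow KRaft controller quorum traffic` / `- ports:` / `- port: <controller listener containerPort value>` with the same pod-selector `from` clause. The rest of the NetworkPolicy spec is outside the hunk.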
|
||||
|
@ -45,7 +45,7 @@ spec:
|
|||
# Allow External connection
|
||||
{{- if .Values.externalAccess.enabled }}
|
||||
- ports:
|
||||
- port: {{ .Values.containerPorts.external }}
|
||||
- port: {{ .Values.listeners.external.containerPort }}
|
||||
{{- if .Values.networkPolicy.externalAccess.from }}
|
||||
from: {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.externalAccess.from "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
|
@ -4,12 +4,11 @@ SPDX-License-Identifier: APACHE-2.0
|
|||
*/}}
|
||||
|
||||
{{- if .Values.provisioning.enabled }}
|
||||
{{- $replicaCount := int .Values.replicaCount }}
|
||||
kind: Job
|
||||
apiVersion: batch/v1
|
||||
metadata:
|
||||
name: {{ printf "%s-provisioning" (include "common.names.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: kafka-provisioning
|
||||
{{- if .Values.commonLabels }}
|
||||
|
@ -107,8 +106,8 @@ spec:
|
|||
if [ ! -f "$CLIENT_CONF" ]; then
|
||||
touch $CLIENT_CONF
|
||||
|
||||
kafka_common_conf_set "$CLIENT_CONF" security.protocol {{ include "kafka.listenerType" ( dict "protocol" .Values.auth.clientProtocol ) | quote }}
|
||||
{{- if (include "kafka.client.tlsEncryption" .) }}
|
||||
kafka_common_conf_set "$CLIENT_CONF" security.protocol {{ .Values.listeners.client.protocol | quote }}
|
||||
{{- if (regexFind "SSL" (upper .Values.listeners.client.protocol)) }}
|
||||
kafka_common_conf_set "$CLIENT_CONF" ssl.keystore.type {{ upper .Values.provisioning.auth.tls.type | quote }}
|
||||
kafka_common_conf_set "$CLIENT_CONF" ssl.truststore.type {{ upper .Values.provisioning.auth.tls.type | quote }}
|
||||
! is_empty_value "$KAFKA_CLIENT_KEY_PASSWORD" && kafka_common_conf_set "$CLIENT_CONF" ssl.key.password "$KAFKA_CLIENT_KEY_PASSWORD"
|
||||
|
@ -131,14 +130,14 @@ spec:
|
|||
! is_empty_value "$KAFKA_CLIENT_TRUSTSTORE_PASSWORD" && kafka_common_conf_set "$CLIENT_CONF" ssl.truststore.password "$KAFKA_CLIENT_TRUSTSTORE_PASSWORD"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if (include "kafka.client.saslAuthentication" .) }}
|
||||
{{- if contains "plain" .Values.auth.sasl.mechanisms }}
|
||||
{{- if regexFind "SASL" (upper .Values.listeners.client.protocol) }}
|
||||
{{- if regexFind "PLAIN" ( upper .Values.sasl.enabledMechanisms) }}
|
||||
kafka_common_conf_set "$CLIENT_CONF" sasl.mechanism PLAIN
|
||||
kafka_common_conf_set "$CLIENT_CONF" sasl.jaas.config "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"$SASL_USERNAME\" password=\"$SASL_USER_PASSWORD\";"
|
||||
{{- else if contains "scram-sha-256" .Values.auth.sasl.mechanisms }}
|
||||
{{- else if regexFind "SCRAM-SHA-256" ( upper .Values.sasl.enabledMechanisms) }}
|
||||
kafka_common_conf_set "$CLIENT_CONF" sasl.mechanism SCRAM-SHA-256
|
||||
kafka_common_conf_set "$CLIENT_CONF" sasl.jaas.config "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"$SASL_USERNAME\" password=\"$SASL_USER_PASSWORD\";"
|
||||
{{- else if contains "scram-sha-512" .Values.auth.sasl.mechanisms }}
|
||||
{{- else if regexFind "SCRAM-SHA-512" ( upper .Values.sasl.enabledMechanisms) }}
|
||||
kafka_common_conf_set "$CLIENT_CONF" sasl.mechanism SCRAM-SHA-512
|
||||
kafka_common_conf_set "$CLIENT_CONF" sasl.jaas.config "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"$SASL_USERNAME\" password=\"$SASL_USER_PASSWORD\";"
|
||||
{{- end }}
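Review bot: The mechanism chain tests `PLAIN` first, before either SCRAM branch, so with a multi-mechanism `sasl.enabledMechanisms` value the provisioning client authenticates with the weakest enabled option and sends the password in clear text inside the SASL exchange unless the listener is also `SASL_SSL`. Reversing the order so `SCRAM-SHA-512` is matched first, then `SCRAM-SHA-256`, then `PLAIN` keeps behaviour for single-mechanism setups and prefers the strongest mechanism otherwise. This assumes `sasl.enabledMechanisms` is a comma-separated string, as the `upper`/`regexFind` usage suggests; adding `{{- else }}{{- fail "no supported SASL mechanism in sasl.enabledMechanisms" }}` before the closing `{{- end }}` would also surface an empty match instead of leaving the client configuration without a mechanism.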
|
||||
|
@ -154,8 +153,8 @@ spec:
|
|||
--create \
|
||||
--if-not-exists \
|
||||
--bootstrap-server ${KAFKA_SERVICE} \
|
||||
--replication-factor {{ $topic.replicationFactor | default $.Values.provisioning.replicationFactor }} \
|
||||
--partitions {{ $topic.partitions | default $.Values.provisioning.numPartitions }} \
|
||||
--replication-factor {{ $topic.replicationFactor | default .context.Values.provisioning.replicationFactor }} \
|
||||
--partitions {{ $topic.partitions | default .context.Values.provisioning.numPartitions }} \
|
||||
{{- range $name, $value := $topic.config }}
|
||||
--config {{ $name }}={{ $value }} \
|
||||
{{- end }}
|
||||
|
@ -185,7 +184,7 @@ spec:
|
|||
env:
|
||||
- name: BITNAMI_DEBUG
|
||||
value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
|
||||
{{- if (include "kafka.client.tlsEncryption" .) }}
|
||||
{{- if (regexFind "SSL" (upper .Values.listeners.client.protocol)) }}
|
||||
- name: KAFKA_CLIENT_KEY_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
|
@ -204,14 +203,13 @@ spec:
|
|||
{{- end }}
|
||||
- name: KAFKA_SERVICE
|
||||
value: {{ printf "%s:%d" (include "common.names.fullname" .) (.Values.service.ports.client | int64) }}
|
||||
{{- if (include "kafka.client.saslAuthentication" .) }}
|
||||
{{- $clientUsers := .Values.auth.sasl.jaas.clientUsers }}
|
||||
{{- if regexFind "SASL" (upper .Values.listeners.client.protocol) }}
|
||||
- name: SASL_USERNAME
|
||||
value: {{ index $clientUsers 0 | quote }}
|
||||
value: {{ index .Values.sasl.client.users 0 | quote }}
|
||||
- name: SASL_USER_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "kafka.jaasSecretName" . }}
|
||||
name: {{ include "kafka.saslSecretName" . }}
|
||||
key: system-user-password
|
||||
{{- end }}
|
||||
{{- if .Values.provisioning.extraEnvVars }}
|
||||
|
@ -234,10 +232,10 @@ spec:
|
|||
volumeMounts:
|
||||
{{- if or .Values.log4j .Values.existingLog4jConfigMap }}
|
||||
- name: log4j-config
|
||||
mountPath: {{ .Values.persistence.mountPath }}/config/log4j.properties
|
||||
mountPath: /opt/bitnami/kafka/config/log4j.properties
|
||||
subPath: log4j.properties
|
||||
{{- end }}
|
||||
{{- if (include "kafka.client.tlsEncryption" .) }}
|
||||
{{- if (regexFind "SSL" (upper .Values.listeners.client.protocol)) }}
|
||||
{{- if not (empty .Values.provisioning.auth.tls.certificatesSecret) }}
|
||||
- name: kafka-client-certs
|
||||
mountPath: /certs
|
||||
|
@ -255,8 +253,8 @@ spec:
|
|||
- name: log4j-config
|
||||
configMap:
|
||||
name: {{ include "kafka.log4j.configMapName" . }}
|
||||
{{ end }}
|
||||
{{- if (include "kafka.client.tlsEncryption" .) }}
|
||||
{{- end }}
|
||||
{{- if (regexFind "SSL" (upper .Values.listeners.client.protocol)) }}
|
||||
{{- if not (empty .Values.provisioning.auth.tls.certificatesSecret) }}
|
||||
- name: kafka-client-certs
|
||||
secret:
|
|
@ -8,7 +8,7 @@ apiVersion: v1
|
|||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ template "kafka.provisioning.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
|
@ -3,12 +3,12 @@ Copyright VMware, Inc.
|
|||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.provisioning.enabled (include "kafka.client.tlsEncryption" .) (not .Values.provisioning.auth.tls.passwordsSecret) }}
|
||||
{{- if and .Values.provisioning.enabled (regexFind "SSL" (upper .Values.listeners.client.protocol)) (not .Values.provisioning.auth.tls.passwordsSecret) }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ template "kafka.client.passwordsSecretName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
|
@ -3,12 +3,12 @@ Copyright VMware, Inc.
|
|||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.rbac.create -}}
|
||||
{{- if .Values.rbac.create }}
|
||||
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: kafka
|
||||
{{- if .Values.commonLabels }}
|
||||
|
@ -26,4 +26,4 @@ rules:
|
|||
- get
|
||||
- list
|
||||
- watch
|
||||
{{- end -}}
|
||||
{{- end }}
|
|
@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
|
|||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: kafka
|
||||
{{- if .Values.commonLabels }}
|
||||
|
@ -24,5 +24,5 @@ roleRef:
|
|||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "kafka.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
namespace: {{ include "common.names.namespace" . }}
|
||||
{{- end }}
|
|
@ -8,7 +8,7 @@ apiVersion: v1
|
|||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ template "kafka.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: kafka
|
||||
{{- if .Values.commonLabels }}
|
|
@ -3,11 +3,14 @@ Copyright VMware, Inc.
|
|||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- $releaseNamespace := include "common.names.namespace" . }}
|
||||
{{- $fullname := include "common.names.fullname" . }}
|
||||
{{- $clusterDomain := .Values.clusterDomain }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-scripts" (include "common.names.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
name: {{ printf "%s-scripts" $fullname }}
|
||||
namespace: {{ $releaseNamespace | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
|
@ -16,21 +19,11 @@ metadata:
|
|||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
{{- $fullname := include "common.names.fullname" . }}
|
||||
{{- $releaseNamespace := .Release.Namespace }}
|
||||
{{- $clusterDomain := .Values.clusterDomain }}
|
||||
{{- $interBrokerPort := .Values.service.ports.internal }}
|
||||
{{- $clientPort := .Values.service.ports.client }}
|
||||
{{- $jksTruststoreSecret := .Values.auth.tls.jksTruststoreSecret -}}
|
||||
{{- $jksTruststore := .Values.auth.tls.jksTruststore -}}
|
||||
{{- $jksKeystoreSAN := .Values.auth.tls.jksKeystoreSAN -}}
|
||||
{{- if .Values.externalAccess.autoDiscovery.enabled }}
|
||||
auto-discovery.sh: |-
|
||||
#!/bin/bash
|
||||
|
||||
SVC_NAME="${MY_POD_NAME}-external"
|
||||
|
||||
{{- if eq .Values.externalAccess.service.type "LoadBalancer" }}
|
||||
AUTODISCOVERY_SERVICE_TYPE="${AUTODISCOVERY_SERVICE_TYPE:-}"
|
||||
# Auxiliary functions
|
||||
retry_while() {
|
||||
local -r cmd="${1:?cmd is missing}"
|
||||
|
@ -62,11 +55,6 @@ data:
|
|||
local service=${2:?service is missing}
|
||||
[[ -n "$(k8s_svc_lb_ip "$namespace" "$service")" ]]
|
||||
}
|
||||
# Wait until LoadBalancer IP is ready
|
||||
retry_while "k8s_svc_lb_ip_ready {{ $releaseNamespace }} $SVC_NAME" || exit 1
|
||||
# Obtain LoadBalancer external IP
|
||||
k8s_svc_lb_ip "{{ $releaseNamespace }}" "$SVC_NAME" | tee "$SHARED_FILE"
|
||||
{{- else if eq .Values.externalAccess.service.type "NodePort" }}
|
||||
k8s_svc_node_port() {
|
||||
local namespace=${1:?namespace is missing}
|
||||
local service=${2:?service is missing}
|
||||
|
@ -74,165 +62,293 @@ data:
|
|||
local node_port="$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.spec.ports[$index].nodePort}")"
|
||||
echo "$node_port"
|
||||
}
|
||||
k8s_svc_node_port "{{ $releaseNamespace }}" "$SVC_NAME" | tee "$SHARED_FILE"
|
||||
{{- end }}
|
||||
|
||||
if [[ "$AUTODISCOVERY_SERVICE_TYPE" = "LoadBalancer" ]]; then
|
||||
# Wait until LoadBalancer IP is ready
|
||||
retry_while "k8s_svc_lb_ip_ready {{ $releaseNamespace }} $SVC_NAME" || exit 1
|
||||
# Obtain LoadBalancer external IP
|
||||
k8s_svc_lb_ip "{{ $releaseNamespace }}" "$SVC_NAME" | tee "/shared/external-host.txt"
|
||||
elif [[ "$AUTODISCOVERY_SERVICE_TYPE" = "NodePort" ]]; then
|
||||
k8s_svc_node_port "{{ $releaseNamespace }}" "$SVC_NAME" | tee "/shared/external-port.txt"
|
||||
else
|
||||
echo "Unsupported autodiscovery service type: '$AUTODISCOVERY_SERVICE_TYPE'"
|
||||
exit 1
|
||||
fi
|
||||
{{- end }}
|
||||
setup.sh: |-
|
||||
kafka-init.sh: |-
|
||||
#!/bin/bash
|
||||
|
||||
ID="${MY_POD_NAME#"{{ $fullname }}-"}"
|
||||
# If process.roles is not set at all, it is assumed to be in ZooKeeper mode.
|
||||
# https://kafka.apache.org/documentation/#kraft_role
|
||||
set -o errexit
|
||||
set -o nounset
|
||||
set -o pipefail
|
||||
|
||||
if [[ -f "{{ .Values.logsDirs | splitList "," | first }}/meta.properties" ]]; then
|
||||
if [[ $KAFKA_CFG_PROCESS_ROLES == "" ]]; then
|
||||
export KAFKA_CFG_BROKER_ID="$(grep "broker.id" "{{ .Values.logsDirs | splitList "," | first }}/meta.properties" | awk -F '=' '{print $2}')"
|
||||
else
|
||||
export KAFKA_CFG_NODE_ID="$(grep "node.id" "{{ .Values.logsDirs | splitList "," | first }}/meta.properties" | awk -F '=' '{print $2}')"
|
||||
fi
|
||||
else
|
||||
if [[ $KAFKA_CFG_PROCESS_ROLES == "" ]]; then
|
||||
export KAFKA_CFG_BROKER_ID="$((ID + {{ .Values.minId }}))"
|
||||
else
|
||||
export KAFKA_CFG_NODE_ID="$((ID + {{ .Values.minId }}))"
|
||||
fi
|
||||
fi
|
||||
error(){
|
||||
local message="${1:?missing message}"
|
||||
echo "ERROR: ${message}"
|
||||
exit 1
|
||||
}
|
||||
|
||||
if [[ $KAFKA_CFG_PROCESS_ROLES == *"controller"* && -z $KAFKA_CFG_CONTROLLER_QUORUM_VOTERS ]]; then
|
||||
node_id={{ .Values.minId }}
|
||||
pod_id=0
|
||||
while :
|
||||
do
|
||||
VOTERS="${VOTERS}$node_id@{{ include "common.names.fullname" . }}-$pod_id.{{ include "common.names.fullname" . }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ .Values.service.ports.controller }}"
|
||||
node_id=$(( $node_id + 1 ))
|
||||
pod_id=$(( $pod_id + 1 ))
|
||||
if [[ $pod_id -ge {{ .Values.replicaCount }} ]]; then
|
||||
break
|
||||
else
|
||||
VOTERS="$VOTERS,"
|
||||
fi
|
||||
retry_while() {
|
||||
local -r cmd="${1:?cmd is missing}"
|
||||
local -r retries="${2:-12}"
|
||||
local -r sleep_time="${3:-5}"
|
||||
local return_value=1
|
||||
|
||||
read -r -a command <<< "$cmd"
|
||||
for ((i = 1 ; i <= retries ; i+=1 )); do
|
||||
"${command[@]}" && return_value=0 && break
|
||||
sleep "$sleep_time"
|
||||
done
|
||||
export KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=$VOTERS
|
||||
fi
|
||||
{{- if eq .Values.brokerRackAssignment "aws-az" }}
|
||||
export KAFKA_CFG_BROKER_RACK=$(curl "http://169.254.169.254/latest/meta-data/placement/availability-zone-id")
|
||||
{{- end }}
|
||||
return $return_value
|
||||
}
|
||||
|
||||
{{- if .Values.externalAccess.enabled }}
|
||||
# Configure external ip and port
|
||||
{{- if eq .Values.externalAccess.service.type "LoadBalancer" }}
|
||||
{{- if .Values.externalAccess.autoDiscovery.enabled }}
|
||||
export EXTERNAL_ACCESS_HOST="$(<${SHARED_FILE})"
|
||||
{{- else }}
|
||||
export EXTERNAL_ACCESS_HOST=$(echo '{{ .Values.externalAccess.service.loadBalancerNames | default .Values.externalAccess.service.loadBalancerIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))")
|
||||
{{- end }}
|
||||
export EXTERNAL_ACCESS_PORT={{ .Values.externalAccess.service.ports.external }}
|
||||
{{- else if eq .Values.externalAccess.service.type "NodePort" }}
|
||||
{{- if .Values.externalAccess.service.domain }}
|
||||
export EXTERNAL_ACCESS_HOST={{ .Values.externalAccess.service.domain }}
|
||||
{{- else if and .Values.externalAccess.service.usePodIPs .Values.externalAccess.autoDiscovery.enabled }}
|
||||
export EXTERNAL_ACCESS_HOST="${MY_POD_IP}"
|
||||
{{- else if or .Values.externalAccess.service.useHostIPs .Values.externalAccess.autoDiscovery.enabled }}
|
||||
export EXTERNAL_ACCESS_HOST="${HOST_IP}"
|
||||
{{- else if and .Values.externalAccess.service.externalIPs (not .Values.externalAccess.autoDiscovery.enabled) }}
|
||||
export EXTERNAL_ACCESS_HOST=$(echo '{{ .Values.externalAccess.service.externalIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))")
|
||||
{{- else }}
|
||||
export EXTERNAL_ACCESS_HOST=$(curl -s https://ipinfo.io/ip)
|
||||
{{- end }}
|
||||
{{- if .Values.externalAccess.autoDiscovery.enabled }}
|
||||
export EXTERNAL_ACCESS_PORT="$(<${SHARED_FILE})"
|
||||
{{- else if and .Values.externalAccess.service.externalIPs (empty .Values.externalAccess.service.nodePorts)}}
|
||||
export EXTERNAL_ACCESS_PORT="{{ .Values.externalAccess.service.ports.external }}"
|
||||
{{- else }}
|
||||
export EXTERNAL_ACCESS_PORT=$(echo '{{ .Values.externalAccess.service.nodePorts }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))")
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
export EXTERNAL_ACCESS_HOST={{ .Values.externalAccess.service.domain }}
|
||||
export EXTERNAL_ACCESS_PORT="$((ID + {{ .Values.externalAccess.service.ports.external }}))"
|
||||
{{- end }}
|
||||
replace_in_file() {
|
||||
local filename="${1:?filename is required}"
|
||||
local match_regex="${2:?match regex is required}"
|
||||
local substitute_regex="${3:?substitute regex is required}"
|
||||
local posix_regex=${4:-true}
|
||||
|
||||
# Configure Kafka advertised listeners
|
||||
{{- if .Values.advertisedListeners }}
|
||||
export KAFKA_CFG_ADVERTISED_LISTENERS={{ join "," .Values.advertisedListeners }}
|
||||
{{- else }}
|
||||
export KAFKA_CFG_ADVERTISED_LISTENERS="INTERNAL://${MY_POD_NAME}.{{ $fullname }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $interBrokerPort }},CLIENT://${MY_POD_NAME}.{{ $fullname }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $clientPort }},EXTERNAL://${EXTERNAL_ACCESS_HOST}:${EXTERNAL_ACCESS_PORT}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
local result
|
||||
|
||||
{{- if (include "kafka.tlsEncryption" .) }}
|
||||
mkdir -p /opt/bitnami/kafka/config/certs
|
||||
{{- if eq .Values.auth.tls.type "jks" }}
|
||||
{{- if not (empty .Values.auth.tls.existingSecrets) }}
|
||||
JKS_TRUSTSTORE={{ printf "/%s/%s" (ternary "certs-${ID}" "truststore" (empty $jksTruststoreSecret)) (default "kafka.truststore.jks" $jksTruststore) | quote }}
|
||||
JKS_KEYSTORE={{ printf "/certs-${ID}/%s" (default "kafka.keystore.jks" $jksKeystoreSAN) | quote }}
|
||||
{{- else }}
|
||||
JKS_TRUSTSTORE={{ printf "/%s/%s" (ternary "certs" "truststore" (empty $jksTruststoreSecret)) (default "kafka.truststore.jks" $jksTruststore) | quote }}
|
||||
JKS_KEYSTORE={{ printf "/certs/%s" (default "kafka-${ID}.keystore.jks" $jksKeystoreSAN) | quote }}
|
||||
{{- end }}
|
||||
if [[ -f "$JKS_TRUSTSTORE" ]] && [[ -f "$JKS_KEYSTORE" ]]; then
|
||||
cp "$JKS_TRUSTSTORE" "/opt/bitnami/kafka/config/certs/kafka.truststore.jks"
|
||||
cp "$JKS_KEYSTORE" "/opt/bitnami/kafka/config/certs/kafka.keystore.jks"
|
||||
else
|
||||
echo "Couldn't find the expected Java Key Stores (JKS) files! They are mandatory when encryption via TLS is enabled."
|
||||
exit 1
|
||||
fi
|
||||
export KAFKA_TLS_TRUSTSTORE_FILE="/opt/bitnami/kafka/config/certs/kafka.truststore.jks"
|
||||
# We should avoid using 'sed in-place' substitutions
|
||||
# 1) They are not compatible with files mounted from ConfigMap(s)
|
||||
# 2) We found incompatibility issues with Debian10 and "in-place" substitutions
|
||||
local -r del=$'\001' # Use a non-printable character as a 'sed' delimiter to avoid issues
|
||||
if [[ $posix_regex = true ]]; then
|
||||
result="$(sed -E "s${del}${match_regex}${del}${substitute_regex}${del}g" "$filename")"
|
||||
else
|
||||
result="$(sed "s${del}${match_regex}${del}${substitute_regex}${del}g" "$filename")"
|
||||
fi
|
||||
echo "$result" > "$filename"
|
||||
}
|
||||
|
||||
{{- else if eq .Values.auth.tls.type "pem" }}
|
||||
kafka_conf_set() {
|
||||
local file="${1:?missing file}"
|
||||
local key="${2:?missing key}"
|
||||
local value="${3:?missing value}"
|
||||
|
||||
{{- if or (not (empty .Values.auth.tls.existingSecrets)) .Values.auth.tls.autoGenerated }}
|
||||
PEM_CA="/certs-${ID}/ca.crt"
|
||||
PEM_CERT="/certs-${ID}/tls.crt"
|
||||
PEM_KEY="/certs-${ID}/tls.key"
|
||||
{{- else }}
|
||||
PEM_CA="/certs/kafka.truststore.pem"
|
||||
PEM_CERT="/certs/kafka-${ID}.keystore.pem"
|
||||
PEM_KEY="/certs/kafka-${ID}.keystore.key"
|
||||
{{- end }}
|
||||
if [[ -f "$PEM_CERT" ]] && [[ -f "$PEM_KEY" ]]; then
|
||||
CERT_DIR="/opt/bitnami/kafka/config/certs"
|
||||
PEM_CA_LOCATION="${CERT_DIR}/kafka.truststore.pem"
|
||||
PEM_CERT_LOCATION="${CERT_DIR}/kafka.keystore.pem"
|
||||
{{- if .Values.auth.tls.pemChainIncluded }}
|
||||
cat $PEM_CERT | csplit - -s -z '/\-*END CERTIFICATE\-*/+1' '{*}' -f ${CERT_DIR}/xx
|
||||
FIND_CA_RESULT=$(find ${CERT_DIR} -not -name 'xx00' -name 'xx*')
|
||||
if [[ $(echo $FIND_CA_RESULT | wc -l) < 1 ]]; then
|
||||
echo "auth.tls.pemChainIncluded was set, but PEM chain only contained 1 cert"
|
||||
exit 1
|
||||
fi
|
||||
echo $FIND_CA_RESULT | sort | xargs cat >> "$PEM_CA_LOCATION"
|
||||
cat ${CERT_DIR}/xx00 > "$PEM_CERT_LOCATION"
|
||||
# Check if the value was set before
|
||||
if grep -q "^[#\\s]*$key\s*=.*" "$file"; then
|
||||
# Update the existing key
|
||||
replace_in_file "$file" "^[#\\s]*${key}\s*=.*" "${key}=${value}" false
|
||||
else
|
||||
# Add a new key
|
||||
printf '\n%s=%s' "$key" "$value" >>"$file"
|
||||
fi
|
||||
}
|
||||
|
||||
replace_placeholder() {
|
||||
local placeholder="${1:?missing placeholder value}"
|
||||
local password="${2:?missing password value}"
|
||||
sed -i "s/$placeholder/$password/g" "$KAFKA_CONFIG_FILE"
|
||||
}
|
||||
|
||||
configure_external_access() {
|
||||
# Configure external hostname
|
||||
if [[ -f "/shared/external-host.txt" ]]; then
|
||||
host=$(cat "/shared/external-host.txt")
|
||||
elif [[ -n "${EXTERNAL_ACCESS_HOST:-}" ]]; then
|
||||
host="$EXTERNAL_ACCESS_HOST"
|
||||
elif [[ -n "${EXTERNAL_ACCESS_HOSTS_LIST:-}" ]]; then
|
||||
read -r -a hosts <<<"$(tr ',' ' ' <<<"${EXTERNAL_ACCESS_HOSTS_LIST}")"
|
||||
host="${hosts[$POD_ID]}"
|
||||
elif [[ "$EXTERNAL_ACCESS_HOST_USE_PUBLIC_IP" =~ ^(yes|true)$ ]]; then
|
||||
host=$(curl -s https://ipinfo.io/ip)
|
||||
else
|
||||
error "External access hostname not provided"
|
||||
fi
|
||||
|
||||
# Configure external port
|
||||
if [[ -f "/shared/external-port.txt" ]]; then
|
||||
port=$(cat "/shared/external-port.txt")
|
||||
elif [[ -n "${EXTERNAL_ACCESS_PORT:-}" ]]; then
|
||||
if [[ "${EXTERNAL_ACCESS_PORT_AUTOINCREMENT:-}" =~ ^(yes|true)$ ]]; then
|
||||
port="$((EXTERNAL_ACCESS_PORT + POD_ID))"
|
||||
else
|
||||
port="$EXTERNAL_ACCESS_PORT"
|
||||
fi
|
||||
elif [[ -n "${EXTERNAL_ACCESS_PORTS_LIST:-}" ]]; then
|
||||
read -r -a ports <<<"$(tr ',' ' ' <<<"${EXTERNAL_ACCESS_PORTS_LIST}")"
|
||||
port="${ports[$POD_ID]}"
|
||||
else
|
||||
error "External access port not provided"
|
||||
fi
|
||||
# Configure Kafka advertised listeners
|
||||
sed -i -E "s|^(advertised\.listeners=\S+)$|\1,{{ upper .Values.listeners.external.name }}://${host}:${port}|" "$KAFKA_CONFIG_FILE"
|
||||
}
|
||||
{{- if (include "kafka.sslEnabled" .) }}
|
||||
configure_kafka_tls() {
|
||||
# Remove previously existing keystores
|
||||
rm -f /certs/kafka.keystore.jks /certs/kafka.truststore.jks
|
||||
if [[ "${KAFKA_TLS_TYPE}" = "PEM" ]]; then
|
||||
# Copy PEM certificate and key
|
||||
if [[ -f "/mounted-certs/kafka-${POD_ROLE}-${POD_ID}.crt" && "/mounted-certs/kafka-${POD_ROLE}-${POD_ID}.key" ]]; then
|
||||
cp "/mounted-certs/kafka-${POD_ROLE}-${POD_ID}.crt" /certs/tls.crt
|
||||
# Copy the PEM key ensuring the key used PEM format with PKCS#8
|
||||
openssl pkcs8 -topk8 -nocrypt -in "/mounted-certs/kafka-${POD_ROLE}-${POD_ID}.key" > /certs/tls.key
|
||||
elif [[ -f /mounted-certs/kafka.crt && -f /mounted-certs/kafka.key ]]; then
|
||||
cp "/mounted-certs/kafka.crt" /certs/tls.crt
|
||||
# Copy the PEM key ensuring the key used PEM format with PKCS#8
|
||||
openssl pkcs8 -topk8 -nocrypt -in "/mounted-certs/kafka.key" > /certs/tls.key
|
||||
else
|
||||
error "PEM key and cert files not found"
|
||||
fi
|
||||
|
||||
{{- if not .Values.tls.pemChainIncluded }}
|
||||
# Copy CA certificate
|
||||
if [[ -f /mounted-certs/kafka-ca.crt ]]; then
|
||||
cp /mounted-certs/kafka-ca.crt /certs/ca.crt
|
||||
else
|
||||
error "CA certificate file not found"
|
||||
fi
|
||||
{{- else }}
|
||||
if [[ -f "$PEM_CA" ]]; then
|
||||
cp "$PEM_CA" "$PEM_CA_LOCATION"
|
||||
cp "$PEM_CERT" "$PEM_CERT_LOCATION"
|
||||
else
|
||||
echo "PEM_CA not provided, and auth.tls.pemChainIncluded was not true. One of these values must be set when using PEM type for TLS."
|
||||
exit 1
|
||||
fi
|
||||
# Extract CA certificate from PEM cert
|
||||
cat /certs/tls.crt | csplit - -s -z '/\-*END CERTIFICATE\-*/+1' '{*}' -f /certs/xx
|
||||
FIND_CA_RESULT=$(find /certs -not -name 'xx00' -name 'xx*')
|
||||
if [[ $(echo $FIND_CA_RESULT | wc -l) < 1 ]]; then
|
||||
error "auth.tls.pemChainIncluded was set, but PEM chain only contained 1 cert"
|
||||
fi
|
||||
echo $FIND_CA_RESULT | sort | xargs cat >> /certs/ca.crt
|
||||
cat /certs/xx00 > /certs/tls.crt
|
||||
find /certs -name "xx*" -exec rm {} \;
|
||||
{{- end }}
|
||||
|
||||
# Ensure the key used PEM format with PKCS#8
|
||||
openssl pkcs8 -topk8 -nocrypt -in "$PEM_KEY" > "/opt/bitnami/kafka/config/certs/kafka.keystore.key"
|
||||
# Create JKS keystore from PEM cert and key
|
||||
openssl pkcs12 -export -in "/certs/tls.crt" \
|
||||
-passout pass:"${KAFKA_TLS_KEYSTORE_PASSWORD}" \
|
||||
-inkey "/certs/tls.key" \
|
||||
-out "/certs/kafka.keystore.p12"
|
||||
keytool -importkeystore -srckeystore "/certs/kafka.keystore.p12" \
|
||||
-srcstoretype PKCS12 \
|
||||
-srcstorepass "${KAFKA_TLS_KEYSTORE_PASSWORD}" \
|
||||
-deststorepass "${KAFKA_TLS_KEYSTORE_PASSWORD}" \
|
||||
-destkeystore "/certs/kafka.keystore.jks" \
|
||||
-noprompt
|
||||
# Create JKS truststore from CA cert
|
||||
keytool -keystore /certs/kafka.truststore.jks -alias CARoot -import -file /certs/ca.crt -storepass "${KAFKA_TLS_TRUSTSTORE_PASSWORD}" -noprompt
|
||||
# Remove extra files
|
||||
rm -f "/certs/kafka.keystore.p12" "/certs/tls.crt" "/certs/tls.key" "/certs/ca.crt"
|
||||
elif [[ "${KAFKA_TLS_TYPE}" = "JKS" ]]; then
|
||||
if [[ -f "/mounted-certs/kafka-${POD_ROLE}-${POD_ID}.keystore.jks" ]]; then
|
||||
cp "/mounted-certs/kafka-${POD_ROLE}-${POD_ID}.keystore.jks" /certs/kafka.keystore.jks
|
||||
elif [[ -f /mounted-certs/kafka.keystore.jks ]]; then
|
||||
cp /mounted-certs/kafka.keystore.jks /certs/kafka.keystore.jks
|
||||
else
|
||||
error "Keystore file not found"
|
||||
fi
|
||||
|
||||
if [[ -f {{ printf "/mounted-certs/%s" ( default "kafka.truststore.jks" .Values.tls.jksTruststoreKey) | quote }} ]]; then
|
||||
cp {{ printf "/mounted-certs/%s" ( default "kafka.truststore.jks" .Values.tls.jksTruststoreKey) | quote }} /certs/kafka.truststore.jks
|
||||
else
|
||||
error "Truststore file not found"
|
||||
fi
|
||||
else
|
||||
error "Invalid type ${KAFKA_TLS_TYPE}"
|
||||
fi
|
||||
|
||||
# Configure TLS password settings in Kafka configuration
|
||||
[[ -n "${KAFKA_TLS_KEYSTORE_PASSWORD:-}" ]] && kafka_conf_set "$KAFKA_CONFIG_FILE" "ssl.keystore.password" "$KAFKA_TLS_KEYSTORE_PASSWORD"
|
||||
[[ -n "${KAFKA_TLS_TRUSTSTORE_PASSWORD:-}" ]] && kafka_conf_set "$KAFKA_CONFIG_FILE" "ssl.truststore.password" "$KAFKA_TLS_TRUSTSTORE_PASSWORD"
|
||||
[[ -n "${KAFKA_TLS_PEM_KEY_PASSWORD:-}" ]] && kafka_conf_set "$KAFKA_CONFIG_FILE" "ssl.key.password" "$KAFKA_TLS_PEM_KEY_PASSWORD"
|
||||
# Avoid errors caused by previous checks
|
||||
true
|
||||
}
|
||||
{{- end }}
|
||||
{{- if and .Values.tls.zookeeper.enabled .Values.tls.zookeeper.existingSecret }}
|
||||
configure_zookeeper_tls() {
|
||||
# Remove previously existing keystores
|
||||
rm -f /certs/zookeeper.keystore.jks /certs/zookeeper.truststore.jks
|
||||
ZOOKEEPER_TRUSTSTORE={{ printf "/zookeeper-certs/%s" .Values.tls.zookeeper.existingSecretTruststoreKey | quote }}
|
||||
ZOOKEEPER_KEYSTORE={{ printf "/zookeeper-certs/%s" .Values.tls.zookeeper.existingSecretKeystoreKey | quote }}
|
||||
if [[ -f "$ZOOKEEPER_KEYSTORE" ]]; then
|
||||
cp "$ZOOKEEPER_KEYSTORE" "/certs/zookeeper.keystore.jks"
|
||||
else
|
||||
error "Zookeeper keystore file not found"
|
||||
fi
|
||||
if [[ -f "$ZOOKEEPER_TRUSTSTORE" ]]; then
|
||||
cp "$ZOOKEEPER_TRUSTSTORE" "/certs/zookeeper.truststore.jks"
|
||||
else
|
||||
error "Zookeeper keystore file not found"
|
||||
fi
|
||||
[[ -n "${KAFKA_ZOOKEEPER_TLS_KEYSTORE_PASSWORD:-}" ]] && kafka_conf_set "$KAFKA_CONFIG_FILE" "zookeeper.ssl.keystore.password" "${KAFKA_ZOOKEEPER_TLS_KEYSTORE_PASSWORD}"
|
||||
[[ -n "${KAFKA_ZOOKEEPER_TLS_TRUSTSTORE_PASSWORD:-}" ]] && kafka_conf_set "$KAFKA_CONFIG_FILE" "zookeeper.ssl.truststore.password" "${KAFKA_ZOOKEEPER_TLS_TRUSTSTORE_PASSWORD}"
|
||||
# Avoid errors caused by previous checks
|
||||
true
|
||||
}
|
||||
{{- end }}
|
||||
|
||||
{{- if (include "kafka.saslEnabled" .) }}
|
||||
configure_kafka_sasl() {
|
||||
|
||||
# Replace placeholders with passwords
|
||||
{{- if regexFind "SASL" (upper .Values.listeners.interbroker.protocol) }}
|
||||
replace_placeholder "interbroker-password-placeholder" "$KAFKA_INTER_BROKER_PASSWORD"
|
||||
{{- end -}}
|
||||
{{- if and .Values.kraft.enabled (regexFind "SASL" (upper .Values.listeners.controller.protocol)) }}
|
||||
replace_placeholder "controller-password-placeholder" "$KAFKA_CONTROLLER_PASSWORD"
|
||||
{{- end }}
|
||||
{{- if (include "kafka.client.saslEnabled" .)}}
|
||||
read -r -a passwords <<<"$(tr ',;' ' ' <<<"${KAFKA_CLIENT_PASSWORDS:-}")"
|
||||
for ((i = 0; i < ${#passwords[@]}; i++)); do
|
||||
replace_placeholder "password-placeholder-${i}" "${passwords[i]}"
|
||||
done
|
||||
{{- end }}
|
||||
{{- if .Values.sasl.zookeeper.user }}
|
||||
replace_placeholder "zookeeper-password-placeholder" "$KAFKA_ZOOKEEPER_PASSWORD"
|
||||
{{- end }}
|
||||
}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.externalAccess.autoDiscovery.enabled }}
|
||||
# Wait for autodiscovery to finish
|
||||
if [[ "${EXTERNAL_ACCESS_ENABLED:-false}" =~ ^(yes|true)$ ]]; then
|
||||
retry_while "test -f /shared/external-host.txt -o -f /shared/external-port.txt" || error "Timed out waiting for autodiscovery init-container"
|
||||
fi
|
||||
{{- end }}
|
||||
|
||||
export KAFKA_CONFIG_FILE=/config/server.properties
|
||||
cp /configmaps/server.properties $KAFKA_CONFIG_FILE
|
||||
|
||||
# Get pod ID and role, last and second last fields in the pod name respectively
|
||||
POD_ID=$(echo "$MY_POD_NAME" | rev | cut -d'-' -f 1 | rev)
|
||||
POD_ROLE=$(echo "$MY_POD_NAME" | rev | cut -d'-' -f 2 | rev)
|
||||
|
||||
# Configure node.id and/or broker.id
|
||||
if [[ -f "/bitnami/kafka/data/meta.properties" ]]; then
|
||||
if grep -q "broker.id" /bitnami/kafka/data/meta.properties; then
|
||||
ID="$(grep "broker.id" /bitnami/kafka/data/meta.properties | awk -F '=' '{print $2}')"
|
||||
{{- if or (not .Values.broker.zookeeperMigrationMode) (and (not .Values.zookeeper.enabled) (not .Values.externalZookeeper.servers)) }}
|
||||
kafka_conf_set "$KAFKA_CONFIG_FILE" "node.id" "$ID"
|
||||
{{- else }}
|
||||
kafka_conf_set "$KAFKA_CONFIG_FILE" "broker.id" "$ID"
|
||||
{{- end }}
|
||||
else
|
||||
ID="$(grep "node.id" /bitnami/kafka/data/meta.properties | awk -F '=' '{print $2}')"
|
||||
kafka_conf_set "$KAFKA_CONFIG_FILE" "node.id" "$ID"
|
||||
fi
|
||||
else
|
||||
echo "Couldn't find the expected PEM files! They are mandatory when encryption via TLS is enabled."
|
||||
exit 1
|
||||
ID=$((POD_ID + KAFKA_MIN_ID))
|
||||
{{- if .Values.kraft.enabled }}
|
||||
kafka_conf_set "$KAFKA_CONFIG_FILE" "node.id" "$ID"
|
||||
{{- end }}
|
||||
{{- if or .Values.zookeeper.enabled .Values.externalZookeeper.servers }}
|
||||
kafka_conf_set "$KAFKA_CONFIG_FILE" "broker.id" "$ID"
|
||||
{{- end }}
|
||||
fi
|
||||
export KAFKA_TLS_TRUSTSTORE_FILE="/opt/bitnami/kafka/config/certs/kafka.truststore.pem"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
# Configure zookeeper client
|
||||
{{- if and (not (empty .Values.auth.zookeeper.tls.existingSecret)) .Values.auth.zookeeper.tls.enabled }}
|
||||
JKS_TRUSTSTORE={{ printf "/kafka-zookeeper-cert/%s" (.Values.auth.zookeeper.tls.existingSecretTruststoreKey) | quote }}
|
||||
JKS_KEYSTORE={{ printf "/kafka-zookeeper-cert/%s" (.Values.auth.zookeeper.tls.existingSecretKeystoreKey) | quote }}
|
||||
if [[ -f "$JKS_TRUSTSTORE" ]] && [[ -f "$JKS_KEYSTORE" ]]; then
|
||||
CERT_DIR="/opt/bitnami/kafka/config/certs"
|
||||
TRUSTSTORE_LOCATION="${CERT_DIR}/zookeeper.truststore.jks"
|
||||
cp "$JKS_TRUSTSTORE" "$TRUSTSTORE_LOCATION"
|
||||
cp "$JKS_KEYSTORE" "${CERT_DIR}/zookeeper.keystore.jks"
|
||||
export KAFKA_ZOOKEEPER_TLS_TRUSTSTORE_FILE="${TRUSTSTORE_LOCATION}"
|
||||
{{- if not .Values.listeners.advertisedListeners }}
|
||||
replace_placeholder "advertised-address-placeholder" "${MY_POD_NAME}.{{ $fullname }}-${POD_ROLE}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}"
|
||||
if [[ "${EXTERNAL_ACCESS_ENABLED:-false}" =~ ^(yes|true)$ ]]; then
|
||||
configure_external_access
|
||||
fi
|
||||
{{- end }}
|
||||
{{- if (include "kafka.sslEnabled" .) }}
|
||||
configure_kafka_tls
|
||||
{{- end }}
|
||||
{{- if (include "kafka.saslEnabled" .) }}
|
||||
configure_kafka_sasl
|
||||
{{- end }}
|
||||
{{- if and .Values.tls.zookeeper.enabled .Values.tls.zookeeper.existingSecret }}
|
||||
configure_zookeeper_tls
|
||||
{{- end }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.extraInit "context" $ ) | nindent 4 }}
|
||||
|
||||
exec /entrypoint.sh /run.sh
|
||||
|
|
|
@ -0,0 +1,133 @@
|
|||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if (include "kafka.createSaslSecret" .) }}
|
||||
{{- $secretName := printf "%s-user-passwords" (include "common.names.fullname" .) }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ $secretName }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- if (include "kafka.client.saslEnabled" .) }}
|
||||
{{- $secretValue := "" }}
|
||||
{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .) $secretName).data }}
|
||||
{{- if and $secretData (hasKey $secretData "client-passwords")}}
|
||||
{{- $secretValue = index $secretData "client-passwords" }}
|
||||
{{- end }}
|
||||
{{- if or (empty $secretValue) (not (eq (len .Values.sasl.client.users) (len (splitList "," (b64dec $secretValue))))) }}
|
||||
{{- $clientPasswords := .Values.sasl.client.passwords }}
|
||||
{{- if empty $clientPasswords }}
|
||||
{{- $clientPasswords = list }}
|
||||
{{- range .Values.sasl.client.users }}
|
||||
{{- $clientPasswords = append $clientPasswords (randAlphaNum 10) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- $secretValue = join "," $clientPasswords | toString | b64enc }}
|
||||
{{- end }}
|
||||
client-passwords: {{ $secretValue | quote }}
|
||||
system-user-password: {{ index (splitList "," (b64dec $secretValue)) 0 | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if or .Values.sasl.zookeeper.user .Values.zookeeper.auth.client.enabled }}
|
||||
zookeeper-password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "zookeeper-password" "providedValues" (list "sasl.zookeeper.password" "zookeeper.auth.client.clientPassword") "failOnNew" false "context" $) }}
|
||||
{{- end }}
|
||||
{{- if regexFind "SASL" (upper .Values.listeners.interbroker.protocol) }}
|
||||
inter-broker-password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "inter-broker-password" "providedValues" (list "sasl.interbroker.password") "failOnNew" false "context" $) }}
|
||||
{{- end }}
|
||||
{{- if regexFind "SASL" (upper .Values.listeners.controller.protocol) }}
|
||||
controller-password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "controller-password" "providedValues" (list "sasl.controller.password") "failOnNew" false "context" $) }}
|
||||
{{- end }}
|
||||
{{- if .Values.serviceBindings.enabled }}
|
||||
|
||||
{{- if (include "kafka.client.saslEnabled" .) }}
|
||||
{{- $host := list }}
|
||||
{{- $port := .Values.service.ports.client }}
|
||||
{{- $bootstrapServers := list }}
|
||||
{{- if not .Values.controller.controllerOnly }}
|
||||
{{- range $i, $e := until (int .Values.controller.replicaCount) }}
|
||||
{{- $controller := printf "%s-controller-%s.%s-headless.%s.svc.%s" (include "common.names.fullname" $) (print $i) (include "common.names.fullname" $) $.Release.Namespace $.Values.clusterDomain }}
|
||||
{{- $host = append $host $controller }}
|
||||
{{- $bootstrapServers = append $bootstrapServers (printf "%s:%s" $controller .Values.service.ports.client) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- range $i, $e := until (int .Values.broker.replicaCount) }}
|
||||
{{- $broker := printf "%s-broker-%s.%s-headless.%s.svc.%s" (include "common.names.fullname" $) (print $i) (include "common.names.fullname" $) $.Release.Namespace $.Values.clusterDomain }}
|
||||
{{- $host = append $host $broker }}
|
||||
{{- $bootstrapServers = append $bootstrapServers (printf "%s:%s" $broker .Values.service.ports.client) }}
|
||||
{{- end }}
|
||||
{{- range $i, $e := until (len .Values.sasl.client.users) }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" $ }}-svcbind-user-{{ $i }}
|
||||
namespace: {{ $.Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" $ | nindent 4 }}
|
||||
{{- if $.Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $.Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: servicebinding.io/kafka
|
||||
data:
|
||||
provider: {{ print "bitnami" | b64enc | quote }}
|
||||
type: {{ print "kafka" | b64enc | quote }}
|
||||
username: {{ index .Values.sasl.client.users $i | b64enc | quote }}
|
||||
password: {{ index .Values.sasl.client.passwords $i | b64enc | quote }}
|
||||
host: {{ join "," $host | b64enc | quote }}
|
||||
port: {{ print $port | b64enc | quote }}
|
||||
bootstrap-servers: {{ join "," $bootstrapServers | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}-svcbind
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: servicebinding.io/kafka
|
||||
data:
|
||||
provider: {{ print "bitnami" | b64enc | quote }}
|
||||
type: {{ print "kafka" | b64enc | quote }}
|
||||
host: {{ join "," $host | b64enc | quote }}
|
||||
port: {{ print $port | b64enc | quote }}
|
||||
bootstrap-servers: {{ join "," $bootstrapServers | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.kraft.enabled }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ printf "%s-kraft-cluster-id" (include "common.names.fullname" .) }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: Opaque
|
||||
data:
|
||||
kraft-cluster-id: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-kraft-cluster-id" (include "common.names.fullname" .)) "key" "kraft-cluster-id" "providedValues" (list "kraft.clusterId") "length" 22 "context" $) }}
|
||||
{{- end }}
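Review bot: In the serviceBindings branch, `password: {{ index .Values.sasl.client.passwords $i | b64enc | quote }}` reads the raw values list rather than the value actually written to `client-passwords`, so when passwords are auto-generated (`sasl.client.passwords` empty) `index` on an empty list will most likely fail at render time, and on upgrades where the `lookup` retained existing passwords the bound credential can diverge from the one the broker uses. Derive the per-user password from the same source as `client-passwords` (compute the joined value before the serviceBindings block and use `index (splitList "," (b64dec $secretValue)) $i`), since `$secretValue` as written is scoped to the earlier `{{- if }}` block. Also consider a longer generated client password than `randAlphaNum 10`; the other managed secrets in this file go through `common.secrets.passwords.manage`, where length is set explicitly (`"length" 22` for `kraft-cluster-id`).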
|
|
@ -1,644 +0,0 @@
|
|||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- $replicaCount := int .Values.replicaCount }}
|
||||
{{- $fullname := include "common.names.fullname" . }}
|
||||
{{- $releaseNamespace := .Release.Namespace }}
|
||||
{{- $clusterDomain := .Values.clusterDomain }}
|
||||
{{- $interBrokerProtocol := include "kafka.listenerType" (dict "protocol" .Values.auth.interBrokerProtocol) -}}
|
||||
{{- $clientProtocol := include "kafka.listenerType" (dict "protocol" .Values.auth.clientProtocol) -}}
|
||||
{{- $controllerProtocol := include "kafka.listenerType" (dict "protocol" .Values.auth.controllerProtocol) -}}
|
||||
{{- $externalClientProtocol := include "kafka.listenerType" (dict "protocol" (include "kafka.externalClientProtocol" . )) -}}
|
||||
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: kafka
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
podManagementPolicy: {{ .Values.podManagementPolicy }}
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
selector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
|
||||
app.kubernetes.io/component: kafka
|
||||
serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
|
||||
updateStrategy: {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }}
|
||||
template:
|
||||
metadata:
|
||||
labels: {{- include "common.labels.standard" . | nindent 8 }}
|
||||
app.kubernetes.io/component: kafka
|
||||
{{- if .Values.podLabels }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if (include "kafka.createConfigmap" .) }}
|
||||
checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if (include "kafka.createJaasSecret" .) }}
|
||||
checksum/jaas-secret: {{ include (print $.Template.BasePath "/jaas-secret.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if (include "kafka.createTlsSecret" .) }}
|
||||
checksum/tls-secret: {{ include (print $.Template.BasePath "/tls-secrets.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.externalAccess.enabled }}
|
||||
checksum/scripts: {{ include (print $.Template.BasePath "/scripts-configmap.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if (include "kafka.metrics.jmx.createConfigmap" .) }}
|
||||
checksum/jmx-configuration: {{ include (print $.Template.BasePath "/jmx-configmap.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.podAnnotations }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include "kafka.imagePullSecrets" . | nindent 6 }}
|
||||
{{- if .Values.hostAliases }}
|
||||
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
hostNetwork: {{ .Values.hostNetwork }}
|
||||
hostIPC: {{ .Values.hostIPC }}
|
||||
{{- if .Values.schedulerName }}
|
||||
schedulerName: {{ .Values.schedulerName | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.affinity }}
|
||||
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }}
|
||||
{{- else }}
|
||||
affinity:
|
||||
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "kafka" "context" $) | nindent 10 }}
|
||||
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "kafka" "context" $) | nindent 10 }}
|
||||
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.nodeSelector }}
|
||||
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.tolerations }}
|
||||
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.topologySpreadConstraints }}
|
||||
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.terminationGracePeriodSeconds }}
|
||||
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
|
||||
{{- end }}
|
||||
{{- if .Values.priorityClassName }}
|
||||
priorityClassName: {{ .Values.priorityClassName }}
|
||||
{{- end }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "kafka.serviceAccountName" . }}
|
||||
{{- if or (and .Values.volumePermissions.enabled .Values.persistence.enabled) (and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled) .Values.initContainers }}
|
||||
initContainers:
|
||||
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
|
||||
- name: volume-permissions
|
||||
image: {{ include "kafka.volumePermissions.image" . }}
|
||||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||
command:
|
||||
- /bin/bash
|
||||
args:
|
||||
- -ec
|
||||
- |
|
||||
mkdir -p "{{ .Values.persistence.mountPath }}" "{{ .Values.logPersistence.mountPath }}"
|
||||
chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} "{{ .Values.persistence.mountPath }}" "{{ .Values.logPersistence.mountPath }}"
|
||||
find "{{ .Values.persistence.mountPath }}" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}
|
||||
find "{{ .Values.logPersistence.mountPath }}" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }}
|
||||
{{- else }}
|
||||
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.volumePermissions.resources }}
|
||||
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: {{ .Values.persistence.mountPath }}
|
||||
- name: logs
|
||||
mountPath: {{ .Values.logPersistence.mountPath }}
|
||||
{{- end }}
|
||||
{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }}
|
||||
- name: auto-discovery
|
||||
image: {{ include "kafka.externalAccess.autoDiscovery.image" . }}
|
||||
imagePullPolicy: {{ .Values.externalAccess.autoDiscovery.image.pullPolicy | quote }}
|
||||
command:
|
||||
- /scripts/auto-discovery.sh
|
||||
env:
|
||||
- name: MY_POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: SHARED_FILE
|
||||
value: "/shared/info.txt"
|
||||
{{- if .Values.externalAccess.autoDiscovery.resources }}
|
||||
resources: {{- toYaml .Values.externalAccess.autoDiscovery.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: shared
|
||||
mountPath: /shared
|
||||
- name: logs
|
||||
mountPath: {{ .Values.logPersistence.mountPath }}
|
||||
- name: scripts
|
||||
mountPath: /scripts/auto-discovery.sh
|
||||
subPath: auto-discovery.sh
|
||||
{{- end }}
|
||||
{{- if .Values.initContainers }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.initContainers "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: kafka
|
||||
image: {{ include "kafka.image" . }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||||
{{- if .Values.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
{{- else if .Values.command }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||
{{- else if .Values.args }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: BITNAMI_DEBUG
|
||||
value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
|
||||
- name: MY_POD_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.podIP
|
||||
- name: MY_POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: KAFKA_CFG_ZOOKEEPER_CONNECT
|
||||
{{- if .Values.zookeeper.enabled }}
|
||||
value: {{ printf "%s%s" (include "kafka.zookeeper.fullname" .) (tpl .Values.zookeeperChrootPath .) | quote }}
|
||||
{{- else }}
|
||||
value: {{ include "common.tplvalues.render" (dict "value" (printf "%s%s" (join "," .Values.externalZookeeper.servers) (tpl .Values.zookeeperChrootPath .)) "context" $) }}
|
||||
{{- end }}
|
||||
- name: KAFKA_INTER_BROKER_LISTENER_NAME
|
||||
value: {{ .Values.interBrokerListenerName | quote }}
|
||||
- name: KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP
|
||||
{{- $securityProtocolMap := list }}
|
||||
{{- if .Values.listenerSecurityProtocolMap }}
|
||||
{{- $securityProtocolMap = append $securityProtocolMap .Values.listenerSecurityProtocolMap }}
|
||||
{{- else }}
|
||||
{{- $securityProtocolMap = append $securityProtocolMap (printf "INTERNAL:%s,CLIENT:%s" $interBrokerProtocol $clientProtocol) }}
|
||||
{{- if .Values.kraft.enabled }}
|
||||
{{- $securityProtocolMap = append $securityProtocolMap (printf "CONTROLLER:%s" $controllerProtocol) }}
|
||||
{{- end}}
|
||||
{{- if .Values.externalAccess.enabled }}
|
||||
{{- $securityProtocolMap = append $securityProtocolMap (printf "EXTERNAL:%s" $externalClientProtocol) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
value: {{ join "," $securityProtocolMap | quote }}
|
||||
{{- if or ($clientProtocol | regexFind "SASL") ($externalClientProtocol | regexFind "SASL") ($interBrokerProtocol | regexFind "SASL") .Values.auth.sasl.jaas.zookeeperUser }}
|
||||
- name: KAFKA_CFG_SASL_ENABLED_MECHANISMS
|
||||
value: {{ upper .Values.auth.sasl.mechanisms | quote }}
|
||||
- name: KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL
|
||||
value: {{ upper .Values.auth.sasl.interBrokerMechanism | quote }}
|
||||
{{- end }}
|
||||
- name: KAFKA_CFG_LISTENERS
|
||||
{{- $listeners := list }}
|
||||
{{- if .Values.listeners }}
|
||||
{{- $listeners = .Values.listeners }}
|
||||
{{- else }}
|
||||
{{- $listeners = append $listeners (printf "INTERNAL://:%d,CLIENT://:%d" (int .Values.containerPorts.internal) (int .Values.containerPorts.client)) }}
|
||||
{{- if .Values.kraft.enabled }}
|
||||
{{- $listeners = append $listeners (printf "CONTROLLER://:%d" (int .Values.containerPorts.controller)) }}
|
||||
{{- end}}
|
||||
{{- if .Values.externalAccess.enabled }}
|
||||
{{- $listeners = append $listeners (printf "EXTERNAL://:%d" (int .Values.containerPorts.external)) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
value: {{ join "," $listeners | quote }}
|
||||
{{- if .Values.externalAccess.enabled }}
|
||||
{{- if .Values.externalAccess.autoDiscovery.enabled }}
|
||||
- name: SHARED_FILE
|
||||
value: "/shared/info.txt"
|
||||
{{- end }}
|
||||
{{- if eq .Values.externalAccess.service.type "NodePort" }}
|
||||
- name: HOST_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- name: KAFKA_CFG_ADVERTISED_LISTENERS
|
||||
{{- if .Values.advertisedListeners }}
|
||||
value: {{ join "," .Values.advertisedListeners }}
|
||||
{{- else }}
|
||||
value: "INTERNAL://$(MY_POD_NAME).{{ $fullname }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ .Values.service.ports.internal }},CLIENT://$(MY_POD_NAME).{{ $fullname }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ .Values.service.ports.client }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: ALLOW_PLAINTEXT_LISTENER
|
||||
value: {{ ternary "yes" "no" .Values.allowPlaintextListener | quote }}
|
||||
{{- if or (include "kafka.client.saslAuthentication" .) (include "kafka.interBroker.saslAuthentication" .) }}
|
||||
- name: KAFKA_OPTS
|
||||
value: "-Djava.security.auth.login.config=/opt/bitnami/kafka/config/kafka_jaas.conf"
|
||||
{{- if (include "kafka.client.saslAuthentication" .) }}
|
||||
- name: KAFKA_CLIENT_USERS
|
||||
value: {{ join "," .Values.auth.sasl.jaas.clientUsers | quote }}
|
||||
- name: KAFKA_CLIENT_PASSWORDS
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "kafka.jaasSecretName" . }}
|
||||
key: client-passwords
|
||||
{{- end }}
|
||||
{{- if (include "kafka.interBroker.saslAuthentication" .) }}
|
||||
- name: KAFKA_INTER_BROKER_USER
|
||||
value: {{ .Values.auth.sasl.jaas.interBrokerUser | quote }}
|
||||
- name: KAFKA_INTER_BROKER_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "kafka.jaasSecretName" . }}
|
||||
key: inter-broker-password
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if and .Values.zookeeper.auth.client.enabled .Values.auth.sasl.jaas.zookeeperUser }}
|
||||
- name: KAFKA_ZOOKEEPER_USER
|
||||
value: {{ .Values.auth.sasl.jaas.zookeeperUser | quote }}
|
||||
- name: KAFKA_ZOOKEEPER_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "kafka.jaasSecretName" . }}
|
||||
key: zookeeper-password
|
||||
{{- end }}
|
||||
- name: KAFKA_ZOOKEEPER_PROTOCOL
|
||||
value: {{ include "kafka.zookeeper.protocol" . }}
|
||||
{{- if .Values.auth.zookeeper.tls.enabled }}
|
||||
- name: KAFKA_ZOOKEEPER_TLS_TYPE
|
||||
value: {{ upper .Values.auth.zookeeper.tls.type | quote }}
|
||||
- name: KAFKA_ZOOKEEPER_TLS_VERIFY_HOSTNAME
|
||||
value: {{ .Values.auth.zookeeper.tls.verifyHostname | quote }}
|
||||
{{- if .Values.auth.zookeeper.tls.passwordsSecret }}
|
||||
- name: KAFKA_ZOOKEEPER_TLS_KEYSTORE_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.auth.zookeeper.tls.passwordsSecret }}
|
||||
key: {{ .Values.auth.zookeeper.tls.passwordsSecretKeystoreKey | quote }}
|
||||
- name: KAFKA_ZOOKEEPER_TLS_TRUSTSTORE_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.auth.zookeeper.tls.passwordsSecret }}
|
||||
key: {{ .Values.auth.zookeeper.tls.passwordsSecretTruststoreKey | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if (include "kafka.tlsEncryption" .) }}
|
||||
- name: KAFKA_TLS_TYPE
|
||||
value: {{ upper .Values.auth.tls.type | quote }}
|
||||
- name: KAFKA_CFG_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM
|
||||
value: {{ default "" .Values.auth.tls.endpointIdentificationAlgorithm | quote }}
|
||||
- name: KAFKA_TLS_CLIENT_AUTH
|
||||
value: {{ ternary "required" "none" (or (eq (include "kafka.externalClientProtocol" . ) "mtls") (eq .Values.auth.clientProtocol "mtls")) | quote }}
|
||||
- name: KAFKA_CERTIFICATE_PASSWORD
|
||||
{{- if .Values.auth.tls.existingSecret }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.auth.tls.existingSecret }}
|
||||
key: password
|
||||
{{- else }}
|
||||
value: {{ default "" .Values.auth.tls.password | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.jmx.enabled }}
|
||||
- name: JMX_PORT
|
||||
value: "5555"
|
||||
{{- end }}
|
||||
- name: KAFKA_VOLUME_DIR
|
||||
value: {{ .Values.persistence.mountPath | quote }}
|
||||
- name: KAFKA_LOG_DIR
|
||||
value: {{ .Values.logPersistence.mountPath | quote }}
|
||||
- name: KAFKA_CFG_DELETE_TOPIC_ENABLE
|
||||
value: {{ .Values.deleteTopicEnable | quote }}
|
||||
- name: KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE
|
||||
value: {{ .Values.autoCreateTopicsEnable | quote }}
|
||||
- name: KAFKA_HEAP_OPTS
|
||||
value: {{ .Values.heapOpts | quote }}
|
||||
- name: KAFKA_CFG_LOG_FLUSH_INTERVAL_MESSAGES
|
||||
value: {{ .Values.logFlushIntervalMessages | replace "_" "" | quote }}
|
||||
- name: KAFKA_CFG_LOG_FLUSH_INTERVAL_MS
|
||||
value: {{ .Values.logFlushIntervalMs | quote }}
|
||||
- name: KAFKA_CFG_LOG_RETENTION_BYTES
|
||||
value: {{ .Values.logRetentionBytes | replace "_" "" | quote }}
|
||||
- name: KAFKA_CFG_LOG_RETENTION_CHECK_INTERVAL_MS
|
||||
value: {{ .Values.logRetentionCheckIntervalMs | quote }}
|
||||
- name: KAFKA_CFG_LOG_RETENTION_HOURS
|
||||
value: {{ .Values.logRetentionHours | quote }}
|
||||
- name: KAFKA_CFG_MESSAGE_MAX_BYTES
|
||||
value: {{ .Values.maxMessageBytes | replace "_" "" | quote }}
|
||||
- name: KAFKA_CFG_LOG_SEGMENT_BYTES
|
||||
value: {{ .Values.logSegmentBytes | replace "_" "" | quote }}
|
||||
- name: KAFKA_CFG_LOG_DIRS
|
||||
value: {{ .Values.logsDirs | quote }}
|
||||
- name: KAFKA_CFG_DEFAULT_REPLICATION_FACTOR
|
||||
value: {{ .Values.defaultReplicationFactor | quote }}
|
||||
- name: KAFKA_CFG_OFFSETS_TOPIC_REPLICATION_FACTOR
|
||||
value: {{ .Values.offsetsTopicReplicationFactor | quote }}
|
||||
- name: KAFKA_CFG_TRANSACTION_STATE_LOG_REPLICATION_FACTOR
|
||||
value: {{ .Values.transactionStateLogReplicationFactor | quote }}
|
||||
- name: KAFKA_CFG_TRANSACTION_STATE_LOG_MIN_ISR
|
||||
value: {{ .Values.transactionStateLogMinIsr | quote }}
|
||||
- name: KAFKA_CFG_NUM_IO_THREADS
|
||||
value: {{ .Values.numIoThreads | quote }}
|
||||
- name: KAFKA_CFG_NUM_NETWORK_THREADS
|
||||
value: {{ .Values.numNetworkThreads | quote }}
|
||||
- name: KAFKA_CFG_NUM_PARTITIONS
|
||||
value: {{ .Values.numPartitions | quote }}
|
||||
- name: KAFKA_CFG_NUM_RECOVERY_THREADS_PER_DATA_DIR
|
||||
value: {{ .Values.numRecoveryThreadsPerDataDir | quote }}
|
||||
- name: KAFKA_CFG_SOCKET_RECEIVE_BUFFER_BYTES
|
||||
value: {{ .Values.socketReceiveBufferBytes | quote }}
|
||||
- name: KAFKA_CFG_SOCKET_REQUEST_MAX_BYTES
|
||||
value: {{ .Values.socketRequestMaxBytes | replace "_" "" | quote }}
|
||||
- name: KAFKA_CFG_SOCKET_SEND_BUFFER_BYTES
|
||||
value: {{ .Values.socketSendBufferBytes | quote }}
|
||||
- name: KAFKA_CFG_ZOOKEEPER_CONNECTION_TIMEOUT_MS
|
||||
value: {{ .Values.zookeeperConnectionTimeoutMs | quote }}
|
||||
- name: KAFKA_CFG_AUTHORIZER_CLASS_NAME
|
||||
value: {{ .Values.authorizerClassName | quote }}
|
||||
- name: KAFKA_CFG_ALLOW_EVERYONE_IF_NO_ACL_FOUND
|
||||
value: {{ .Values.allowEveryoneIfNoAclFound | quote }}
|
||||
- name: KAFKA_CFG_SUPER_USERS
|
||||
value: {{ .Values.superUsers | quote }}
|
||||
- name: KAFKA_ENABLE_KRAFT
|
||||
value: {{ ternary "true" "false" .Values.kraft.enabled | quote }}
|
||||
{{- if .Values.kraft.enabled }}
|
||||
- name: KAFKA_KRAFT_CLUSTER_ID
|
||||
value: {{ .Values.kraft.clusterId | quote }}
|
||||
- name: KAFKA_CFG_PROCESS_ROLES
|
||||
value: {{ .Values.kraft.processRoles | quote }}
|
||||
- name: KAFKA_CFG_CONTROLLER_LISTENER_NAMES
|
||||
value: {{ .Values.kraft.controllerListenerNames | quote }}
|
||||
{{- if .Values.kraft.controllerQuorumVoters }}
|
||||
- name: KAFKA_CFG_CONTROLLER_QUORUM_VOTERS
|
||||
value: {{ .Values.kraft.controllerQuorumVoters}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraEnvVars }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }}
|
||||
envFrom:
|
||||
{{- if .Values.extraEnvVarsCM }}
|
||||
- configMapRef:
|
||||
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraEnvVarsSecret }}
|
||||
- secretRef:
|
||||
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: kafka-client
|
||||
containerPort: {{ .Values.containerPorts.client }}
|
||||
- name: kafka-internal
|
||||
containerPort: {{ .Values.containerPorts.internal }}
|
||||
{{- if .Values.externalAccess.enabled }}
|
||||
- name: kafka-external
|
||||
containerPort: {{ .Values.containerPorts.external }}
|
||||
{{- end }}
|
||||
{{- if and .Values.kraft.enabled (contains "controller" .Values.kraft.processRoles) }}
|
||||
- name: kafka-ctlr
|
||||
containerPort: {{ .Values.containerPorts.controller }}
|
||||
{{- end }}
|
||||
{{- if not .Values.diagnosticMode.enabled }}
|
||||
{{- if .Values.customLivenessProbe }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.livenessProbe.enabled }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }}
|
||||
tcpSocket:
|
||||
port: kafka-client
|
||||
{{- end }}
|
||||
{{- if .Values.customReadinessProbe }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.readinessProbe.enabled }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }}
|
||||
tcpSocket:
|
||||
port: kafka-client
|
||||
{{- end }}
|
||||
{{- if .Values.customStartupProbe }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.startupProbe.enabled }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }}
|
||||
tcpSocket:
|
||||
port: kafka-client
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.lifecycleHooks }}
|
||||
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.resources }}
|
||||
resources: {{- toYaml .Values.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: {{ .Values.persistence.mountPath }}
|
||||
- name: logs
|
||||
mountPath: {{ .Values.logPersistence.mountPath }}
|
||||
{{- if or .Values.config .Values.existingConfigmap }}
|
||||
- name: kafka-config
|
||||
mountPath: {{ .Values.persistence.mountPath }}/config/server.properties
|
||||
subPath: server.properties
|
||||
{{- end }}
|
||||
{{- if or .Values.log4j .Values.existingLog4jConfigMap }}
|
||||
- name: log4j-config
|
||||
mountPath: {{ .Values.persistence.mountPath }}/config/log4j.properties
|
||||
subPath: log4j.properties
|
||||
{{- end }}
|
||||
- name: scripts
|
||||
mountPath: /scripts/setup.sh
|
||||
subPath: setup.sh
|
||||
{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }}
|
||||
- name: shared
|
||||
mountPath: /shared
|
||||
{{- end }}
|
||||
{{- if (include "kafka.tlsEncryption" .) }}
|
||||
{{- if not (empty .Values.auth.tls.existingSecrets) }}
|
||||
{{- range $index, $_ := .Values.auth.tls.existingSecrets }}
|
||||
- name: kafka-certs-{{ $index }}
|
||||
mountPath: /certs-{{ $index }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- else if .Values.auth.tls.autoGenerated }}
|
||||
{{- range $index := until $replicaCount }}
|
||||
- name: kafka-certs-{{ $index }}
|
||||
mountPath: /certs-{{ $index }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if and .Values.auth.zookeeper.tls.enabled .Values.auth.zookeeper.tls.existingSecret }}
|
||||
- name: kafka-zookeeper-cert
|
||||
mountPath: /kafka-zookeeper-cert
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.auth.tls.jksTruststoreSecret }}
|
||||
- name: kafka-truststore
|
||||
mountPath: /truststore
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraVolumeMounts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.jmx.enabled }}
|
||||
- name: jmx-exporter
|
||||
image: {{ include "kafka.metrics.jmx.image" . }}
|
||||
imagePullPolicy: {{ .Values.metrics.jmx.image.pullPolicy | quote }}
|
||||
{{- if .Values.metrics.jmx.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.metrics.jmx.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||
{{- else }}
|
||||
command:
|
||||
- java
|
||||
args:
|
||||
- -XX:MaxRAMPercentage=100
|
||||
- -XshowSettings:vm
|
||||
- -jar
|
||||
- jmx_prometheus_httpserver.jar
|
||||
- "5556"
|
||||
- /etc/jmx-kafka/jmx-kafka-prometheus.yml
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
|
||||
containerPort: {{ .Values.metrics.jmx.containerPorts.metrics }}
|
||||
{{- if .Values.metrics.jmx.resources }}
|
||||
resources: {{- toYaml .Values.metrics.jmx.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: jmx-config
|
||||
mountPath: /etc/jmx-kafka
|
||||
{{- end }}
|
||||
{{- if .Values.sidecars }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- if or .Values.config .Values.existingConfigmap }}
|
||||
- name: kafka-config
|
||||
configMap:
|
||||
name: {{ include "kafka.configmapName" . }}
|
||||
{{- end }}
|
||||
{{- if or .Values.log4j .Values.existingLog4jConfigMap }}
|
||||
- name: log4j-config
|
||||
configMap:
|
||||
name: {{ include "kafka.log4j.configMapName" . }}
|
||||
{{ end }}
|
||||
- name: scripts
|
||||
configMap:
|
||||
name: {{ include "common.names.fullname" . }}-scripts
|
||||
defaultMode: 0755
|
||||
{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }}
|
||||
- name: shared
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.jmx.enabled }}
|
||||
- name: jmx-config
|
||||
configMap:
|
||||
name: {{ include "kafka.metrics.jmx.configmapName" . }}
|
||||
{{- end }}
|
||||
{{- if (include "kafka.tlsEncryption" .) }}
|
||||
{{- if not (empty .Values.auth.tls.existingSecrets) }}
|
||||
{{- range $index, $secret := .Values.auth.tls.existingSecrets }}
|
||||
- name: kafka-certs-{{ $index }}
|
||||
secret:
|
||||
secretName: {{ tpl $secret $ }}
|
||||
defaultMode: 256
|
||||
{{- end }}
|
||||
{{- else if .Values.auth.tls.autoGenerated }}
|
||||
{{- range $index := until $replicaCount }}
|
||||
- name: kafka-certs-{{ $index }}
|
||||
secret:
|
||||
secretName: {{ printf "%s-%d-tls" (include "common.names.fullname" $) $index }}
|
||||
defaultMode: 256
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if and .Values.auth.zookeeper.tls.enabled .Values.auth.zookeeper.tls.existingSecret }}
|
||||
- name: kafka-zookeeper-cert
|
||||
secret:
|
||||
secretName: {{ .Values.auth.zookeeper.tls.existingSecret }}
|
||||
defaultMode: 256
|
||||
{{- end }}
|
||||
{{- if .Values.auth.tls.jksTruststoreSecret }}
|
||||
- name: kafka-truststore
|
||||
secret:
|
||||
secretName: {{ .Values.auth.tls.jksTruststoreSecret }}
|
||||
defaultMode: 256
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraVolumes }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if not .Values.persistence.enabled }}
|
||||
- name: data
|
||||
emptyDir: {}
|
||||
{{- else if .Values.persistence.existingClaim }}
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ printf "%s" (tpl .Values.persistence.existingClaim .) }}
|
||||
{{- end }}
|
||||
{{- if not .Values.logPersistence.enabled }}
|
||||
- name: logs
|
||||
emptyDir: {}
|
||||
{{- else if .Values.logPersistence.existingClaim }}
|
||||
- name: logs
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ printf "%s" (tpl .Values.logPersistence.existingClaim .) }}
|
||||
{{- end }}
|
||||
{{- if or (and .Values.persistence.enabled (not .Values.persistence.existingClaim)) (and .Values.logPersistence.enabled (not .Values.logPersistence.existingClaim)) }}
|
||||
volumeClaimTemplates:
|
||||
{{- end }}
|
||||
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
|
||||
- metadata:
|
||||
name: data
|
||||
{{- if .Values.persistence.annotations }}
|
||||
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.persistence.labels }}
|
||||
labels: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.labels "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes:
|
||||
{{- range .Values.persistence.accessModes }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.persistence.size | quote }}
|
||||
{{ include "kafka.storageClass" . | nindent 8 }}
|
||||
{{- if .Values.persistence.selector }}
|
||||
selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 10 }}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
{{- if and .Values.logPersistence.enabled (not .Values.logPersistence.existingClaim) }}
|
||||
- metadata:
|
||||
name: logs
|
||||
{{- if .Values.logPersistence.annotations }}
|
||||
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.logPersistence.annotations "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes:
|
||||
{{- range .Values.logPersistence.accessModes }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.logPersistence.size | quote }}
|
||||
{{ include "kafka.storageClass" . | nindent 8 }}
|
||||
{{- if .Values.logPersistence.selector }}
|
||||
selector: {{- include "common.tplvalues.render" (dict "value" .Values.logPersistence.selector "context" $) | nindent 10 }}
|
||||
{{- end -}}
|
||||
{{- end }}
|
|
@ -1,71 +0,0 @@
|
|||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.externalAccess.enabled }}
|
||||
{{- $fullName := include "common.names.fullname" . }}
|
||||
{{- $replicaCount := .Values.replicaCount | int }}
|
||||
{{- $root := . }}
|
||||
|
||||
{{- range $i, $e := until $replicaCount }}
|
||||
{{- $targetPod := printf "%s-%d" (printf "%s" $fullName) $i }}
|
||||
{{- $_ := set $ "targetPod" $targetPod }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ printf "%s-%d-external" (include "common.names.fullname" $) $i | trunc 63 | trimSuffix "-" }}
|
||||
namespace: {{ $root.Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" $ | nindent 4 }}
|
||||
app.kubernetes.io/component: kafka
|
||||
pod: {{ $targetPod }}
|
||||
{{- if $root.Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" $root.Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $root.Values.externalAccess.service.labels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" $root.Values.externalAccess.service.labels "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if or $root.Values.externalAccess.service.annotations $root.Values.commonAnnotations $root.Values.externalAccess.service.loadBalancerAnnotations }}
|
||||
annotations:
|
||||
{{- if and (not (empty $root.Values.externalAccess.service.loadBalancerAnnotations)) (eq (len $root.Values.externalAccess.service.loadBalancerAnnotations) $replicaCount) }}
|
||||
{{ include "common.tplvalues.render" ( dict "value" (index $root.Values.externalAccess.service.loadBalancerAnnotations $i) "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $root.Values.externalAccess.service.annotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" $root.Values.externalAccess.service.annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $root.Values.commonAnnotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" $root.Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: {{ $root.Values.externalAccess.service.type }}
|
||||
{{- if eq $root.Values.externalAccess.service.type "LoadBalancer" }}
|
||||
{{- if and (not (empty $root.Values.externalAccess.service.loadBalancerIPs)) (eq (len $root.Values.externalAccess.service.loadBalancerIPs) $replicaCount) }}
|
||||
loadBalancerIP: {{ index $root.Values.externalAccess.service.loadBalancerIPs $i }}
|
||||
{{- end }}
|
||||
{{- if $root.Values.externalAccess.service.loadBalancerSourceRanges }}
|
||||
loadBalancerSourceRanges: {{- toYaml $root.Values.externalAccess.service.loadBalancerSourceRanges | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
publishNotReadyAddresses: {{ $root.Values.externalAccess.service.publishNotReadyAddresses }}
|
||||
ports:
|
||||
- name: tcp-kafka
|
||||
port: {{ $root.Values.externalAccess.service.ports.external }}
|
||||
{{- if le (add $i 1) (len $root.Values.externalAccess.service.nodePorts) }}
|
||||
nodePort: {{ index $root.Values.externalAccess.service.nodePorts $i }}
|
||||
{{- else }}
|
||||
nodePort: null
|
||||
{{- end }}
|
||||
targetPort: kafka-external
|
||||
{{- if $root.Values.externalAccess.service.extraPorts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.service.extraPorts "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if and (eq $root.Values.externalAccess.service.type "NodePort") (le (add $i 1) (len $root.Values.externalAccess.service.externalIPs)) }}
|
||||
externalIPs: [{{ index $root.Values.externalAccess.service.externalIPs $i | quote }}]
|
||||
{{- end }}
|
||||
selector: {{- include "common.labels.matchLabels" $ | nindent 4 }}
|
||||
app.kubernetes.io/component: kafka
|
||||
statefulset.kubernetes.io/pod-name: {{ $targetPod }}
|
||||
---
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -1,48 +0,0 @@
|
|||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: kafka
|
||||
{{- if .Values.service.headless.labels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.service.headless.labels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.service.headless.annotations .Values.commonAnnotations }}
|
||||
annotations:
|
||||
{{- if .Values.service.headless.annotations }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.service.headless.annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
clusterIP: None
|
||||
publishNotReadyAddresses: {{ .Values.service.headless.publishNotReadyAddresses }}
|
||||
ports:
|
||||
- name: tcp-client
|
||||
port: {{ .Values.service.ports.client }}
|
||||
protocol: TCP
|
||||
targetPort: kafka-client
|
||||
- name: tcp-internal
|
||||
port: {{ .Values.service.ports.internal }}
|
||||
protocol: TCP
|
||||
targetPort: kafka-internal
|
||||
{{- if and .Values.kraft.enabled (contains "controller" .Values.kraft.processRoles) }}
|
||||
- name: tcp-controller
|
||||
protocol: TCP
|
||||
port: {{ .Values.service.ports.controller }}
|
||||
targetPort: kafka-ctlr
|
||||
{{- end }}
|
||||
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: kafka
|
|
@ -7,7 +7,7 @@ apiVersion: v1
|
|||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "common.names.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: kafka
|
||||
{{- if .Values.commonLabels }}
|
||||
|
@ -46,7 +46,7 @@ spec:
|
|||
- name: tcp-client
|
||||
port: {{ .Values.service.ports.client }}
|
||||
protocol: TCP
|
||||
targetPort: kafka-client
|
||||
targetPort: client
|
||||
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.client)) }}
|
||||
nodePort: {{ .Values.service.nodePorts.client }}
|
||||
{{- else if eq .Values.service.type "ClusterIP" }}
|
||||
|
@ -56,7 +56,7 @@ spec:
|
|||
- name: tcp-external
|
||||
port: {{ .Values.service.ports.external }}
|
||||
protocol: TCP
|
||||
targetPort: kafka-external
|
||||
targetPort: external
|
||||
{{- if (not (empty .Values.service.nodePorts.external)) }}
|
||||
nodePort: {{ .Values.service.nodePorts.external }}
|
||||
{{- end }}
|
||||
|
@ -65,4 +65,7 @@ spec:
|
|||
{{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: kafka
|
||||
app.kubernetes.io/part-of: kafka
|
||||
{{- if and .Values.kraft.enabled .Values.controller.controllerOnly }}
|
||||
app.kubernetes.io/component: broker
|
||||
{{- end }}
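Review bot: The selector change in the last hunk, from `app.kubernetes.io/component: kafka` to `app.kubernetes.io/part-of: kafka`, widens the match to every pod carrying that label and only narrows it back to `app.kubernetes.io/component: broker` when both `.Values.kraft.enabled` and `.Values.controller.controllerOnly` are set. In the combined KRaft mode (`controllerOnly` false) the client Service therefore also targets the controller StatefulSet's pods, which is presumably intended because those pods act as brokers too, but nothing in the template says so and a reader could take it for a missed case. A template comment above the condition would make the intent reviewable, e.g. `{{- /* Combined KRaft mode: controller pods also serve as brokers, so part-of alone is the right selector; with dedicated controllers restrict client traffic to broker pods. */ -}}`. Which of the two `component`/`part-of` lines is the removed one is inferred from the hunk counts (4 old, 7 new, 8 printed), as the rendered page dropped the markers.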
|
||||
|
|
|
@ -0,0 +1,91 @@
|
|||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if (include "kafka.createTlsSecret" .) }}
|
||||
{{- $releaseNamespace := include "common.names.namespace" . }}
|
||||
{{- $clusterDomain := .Values.clusterDomain }}
|
||||
{{- $fullname := include "common.names.fullname" . }}
|
||||
{{- $secretName := printf "%s-tls" (include "common.names.fullname" .) }}
|
||||
{{- $altNames := list (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s" $fullname $releaseNamespace) $fullname }}
|
||||
{{- $replicaCount := int .Values.broker.replicaCount }}
|
||||
{{- range $i := until $replicaCount }}
|
||||
{{- $replicaHost := printf "%s-broker-%d.%s-broker-headless" $fullname $i $fullname }}
|
||||
{{- $altNames = append $altNames (printf "%s.%s.svc.%s" $replicaHost $releaseNamespace $clusterDomain) }}
|
||||
{{- $altNames = append $altNames (printf "%s.%s" $replicaHost $releaseNamespace) }}
|
||||
{{- $altNames = append $altNames $replicaHost }}
|
||||
{{- end }}
|
||||
{{- $replicaCount := int .Values.controller.replicaCount }}
|
||||
{{- range $i := until $replicaCount }}
|
||||
{{- $replicaHost := printf "%s-controller-%d.%s-controller-headless" $fullname $i $fullname }}
|
||||
{{- $altNames = append $altNames (printf "%s.%s.svc.%s" $replicaHost $releaseNamespace $clusterDomain) }}
|
||||
{{- $altNames = append $altNames (printf "%s.%s" $replicaHost $releaseNamespace) }}
|
||||
{{- $altNames = append $altNames $replicaHost }}
|
||||
{{- end }}
|
||||
{{- $ca := genCA "kafka-ca" 365 }}
|
||||
{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ $secretName }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: Opaque
|
||||
data:
|
||||
kafka.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "kafka.crt" "defaultValue" $cert.Cert "context" $) }}
|
||||
kafka.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "kafka.key" "defaultValue" $cert.Key "context" $) }}
|
||||
kafka-ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "kafka-ca.crt" "defaultValue" $ca.Cert "context" $) }}
|
||||
---
|
||||
{{- end }}
|
||||
{{- if (include "kafka.createTlsPasswordsSecret" .) }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ printf "%s-tls-passwords" (include "common.names.fullname" .) }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{ .Values.tls.passwordsSecretKeystoreKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-tls-passwords" (include "common.names.fullname" .)) "key" .Values.tls.passwordsSecretKeystoreKey "providedValues" (list "tls.keystorePassword") "context" $) }}
|
||||
{{ .Values.tls.passwordsSecretTruststoreKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-tls-passwords" (include "common.names.fullname" .)) "key" .Values.tls.passwordsSecretTruststoreKey "providedValues" (list "tls.truststorePassword") "context" $) }}
|
||||
{{- if .Values.tls.keyPassword }}
|
||||
{{ default "key-password" .Values.tls.passwordsSecretPemPasswordKey }}: {{ .Values.tls.keyPassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- end }}
|
||||
{{- if (include "kafka.zookeeper.createTlsPasswordsSecret" .) }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ printf "%s-zookeeper-tls-passwords" (include "common.names.fullname" .) }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- if .Values.tls.zookeeper.keystorePassword }}
|
||||
{{ .Values.tls.zookeeper.passwordsSecretKeystoreKey }}: {{ .Values.tls.zookeeper.keystorePassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.tls.zookeeper.truststorePassword }}
|
||||
{{ .Values.tls.zookeeper.passwordsSecretTruststoreKey }}: {{ .Values.tls.zookeeper.truststorePassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- end }}
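Review bot: The auto-generated CA and leaf certificate are both issued with a hard-coded 365-day validity (`genCA "kafka-ca" 365` and `genSignedCert $fullname nil $altNames 365 $ca`), and because `common.secrets.lookup` reuses whatever is already stored under `<fullname>-tls`, a later `helm upgrade` never rotates them, so the TLS listeners stop working after a year unless the Secret is deleted by hand. Exposing the validity through a chart value (constructed example: `tls.autoGenerated.certValidityDays`, default 365) and documenting the manual-rotation requirement next to it in the values file would make the expiry visible to operators before it bites. Note also that the lookup key is the new single Secret name rather than the per-replica `<fullname>-<i>-tls` Secrets the removed template produced, so an upgrade from the previous layout silently mints a fresh CA that existing clients do not trust; if that is intended, the upgrade notes should say so.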
|
|
@ -1,36 +0,0 @@
|
|||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if (include "kafka.createTlsSecret" .) }}
|
||||
{{- $replicaCount := int .Values.replicaCount }}
|
||||
{{- $releaseNamespace := .Release.Namespace }}
|
||||
{{- $clusterDomain := .Values.clusterDomain }}
|
||||
{{- $fullname := include "common.names.fullname" . }}
|
||||
{{- $ca := genCA "kafka-ca" 365 }}
|
||||
{{- range $i := until $replicaCount }}
|
||||
{{- $secretName := printf "%s-%d-tls" (include "common.names.fullname" $) $i }}
|
||||
{{- $replicaHost := printf "%s-%d.%s-headless" $fullname $i $fullname }}
|
||||
{{- $altNames := list (printf "%s.%s.svc.%s" $replicaHost $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s" $replicaHost $releaseNamespace) (printf "%s.%s" $fullname $releaseNamespace) $replicaHost $fullname }}
|
||||
{{- $cert := genSignedCert $replicaHost nil $altNames 365 $ca }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ printf "%s-%d-tls" (include "common.names.fullname" $) $i }}
|
||||
namespace: {{ $.Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" $ | nindent 4 }}
|
||||
{{- if $.Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $.Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
|
||||
tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
|
||||
ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
|
||||
---
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -30,4 +30,4 @@ maintainers:
|
|||
name: mariadb
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/mariadb
|
||||
version: 13.0.0
|
||||
version: 13.0.1
|
||||
|
|
|
@ -462,6 +462,10 @@ helm upgrade my-release oci://registry-1.docker.io/bitnamicharts/mariadb --set a
|
|||
|
||||
| Note: you need to substitute the placeholder _[ROOT_PASSWORD]_ with the value obtained in the installation notes.
|
||||
|
||||
### To 13.0.0
|
||||
|
||||
This major release bumps the MariaDB version to 11.0. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-0/) for upgrading from MariaDB 10.11 to 11.0. No major issues are expected during the upgrade.
|
||||
|
||||
### To 11.0.0
|
||||
|
||||
This major release bumps default MariaDB branch to 10.6. Follow the [official instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-105-to-mariadb-106/) from upgrading between 10.5 and 10.6.
|
||||
|
@ -557,4 +561,4 @@ Unless required by applicable law or agreed to in writing, software
|
|||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
limitations under the License.
|
||||
|
|
|
@ -306,7 +306,7 @@ spec:
|
|||
if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then
|
||||
password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE")
|
||||
fi
|
||||
DATA_SOURCE_NAME="root:${password_aux}@(localhost:3306)/" /bin/mysqld_exporter {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }}
|
||||
MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:3306 --mysqld.username=root {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
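Review bot: The rewritten exporter command relies on `--mysqld.address`, `--mysqld.username` and the `MYSQLD_EXPORTER_PASSWORD` environment variable, which only exist in the mysqld_exporter releases that replaced `DATA_SOURCE_NAME`; an older metrics image rejects the unknown flags and the sidecar crash-loops, so the metrics image tag must move in step with this change (the tag is not in this hunk, so I cannot confirm it did). Passing the credential through the environment instead of a DSN is an improvement, since the password no longer sits in a connection string that could end up in logs or error output; `MYSQLD_EXPORTER_PASSWORD=${password_aux}` is safe unquoted because shell assignments do not word-split. The same rewrite appears in the MySQL primary StatefulSet hunk later in this commit and carries the same image-version dependency.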
|
||||
|
|
|
@ -289,7 +289,7 @@ spec:
|
|||
if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then
|
||||
password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE")
|
||||
fi
|
||||
DATA_SOURCE_NAME="root:${password_aux}@(localhost:3306)/" /bin/mysqld_exporter {{- range .Values.metrics.extraArgs.secondary }} {{ . }} {{- end }}
|
||||
MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:3306 --mysqld.username=root {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
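Review bot: The new exporter line for the secondary StatefulSet iterates `.Values.metrics.extraArgs.primary`, whereas the line it replaces used `.Values.metrics.extraArgs.secondary`; secondaries therefore pick up the primary's extra arguments and silently ignore their own. The range should read `{{- range .Values.metrics.extraArgs.secondary }} {{ . }} {{- end }}`. The MySQL secondary StatefulSet hunk later in this commit has the identical copy-paste slip.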
|
||||
|
|
|
@ -29,4 +29,4 @@ maintainers:
|
|||
name: mysql
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/mysql
|
||||
version: 9.10.9
|
||||
version: 9.10.10
|
||||
|
|
|
@ -296,7 +296,7 @@ spec:
|
|||
if [[ -f "${MYSQL_ROOT_PASSWORD_FILE:-}" ]]; then
|
||||
password_aux=$(cat "$MYSQL_ROOT_PASSWORD_FILE")
|
||||
fi
|
||||
DATA_SOURCE_NAME="root:${password_aux}@(localhost:3306)/" /bin/mysqld_exporter {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }}
|
||||
MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:3306 --mysqld.username=root {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
|
||||
|
|
|
@ -280,7 +280,7 @@ spec:
|
|||
if [[ -f "${MYSQL_ROOT_PASSWORD_FILE:-}" ]]; then
|
||||
password_aux=$(cat "$MYSQL_ROOT_PASSWORD_FILE")
|
||||
fi
|
||||
DATA_SOURCE_NAME="root:${password_aux}@(localhost:3306)/" /bin/mysqld_exporter {{- range .Values.metrics.extraArgs.secondary }} {{ . }} {{- end }}
|
||||
MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:3306 --mysqld.username=root {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
|
||||
|
|
|
@ -4,6 +4,13 @@ annotations:
|
|||
catalog.cattle.io/kube-version: '>=1.19-0'
|
||||
catalog.cattle.io/release-name: wordpress
|
||||
category: CMS
|
||||
images: |
|
||||
- name: apache-exporter
|
||||
image: docker.io/bitnami/apache-exporter:1.0.1-debian-11-r5
|
||||
- name: os-shell
|
||||
image: docker.io/bitnami/os-shell:11-debian-11-r25
|
||||
- name: wordpress
|
||||
image: docker.io/bitnami/wordpress:6.2.2-debian-11-r78
|
||||
licenses: Apache-2.0
|
||||
apiVersion: v2
|
||||
appVersion: 6.2.2
|
||||
|
@ -40,4 +47,4 @@ maintainers:
|
|||
name: wordpress
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/wordpress
|
||||
version: 17.0.1
|
||||
version: 17.0.4
|
||||
|
|
|
@ -82,7 +82,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| ------------------- | --------------------------------------------------------------------------------------------------------- | --------------------- |
|
||||
| `image.registry` | WordPress image registry | `docker.io` |
|
||||
| `image.repository` | WordPress image repository | `bitnami/wordpress` |
|
||||
| `image.tag` | WordPress image tag (immutable tags are recommended) | `6.2.2-debian-11-r75` |
|
||||
| `image.tag` | WordPress image tag (immutable tags are recommended) | `6.2.2-debian-11-r78` |
|
||||
| `image.digest` | WordPress image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `image.pullPolicy` | WordPress image pull policy | `IfNotPresent` |
|
||||
| `image.pullSecrets` | WordPress image pull secrets | `[]` |
|
||||
|
@ -281,7 +281,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `metrics.enabled` | Start a sidecar prometheus exporter to expose metrics | `false` |
|
||||
| `metrics.image.registry` | Apache exporter image registry | `docker.io` |
|
||||
| `metrics.image.repository` | Apache exporter image repository | `bitnami/apache-exporter` |
|
||||
| `metrics.image.tag` | Apache exporter image tag (immutable tags are recommended) | `0.13.4-debian-11-r60` |
|
||||
| `metrics.image.tag` | Apache exporter image tag (immutable tags are recommended) | `1.0.1-debian-11-r5` |
|
||||
| `metrics.image.digest` | Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `metrics.image.pullPolicy` | Apache exporter image pull policy | `IfNotPresent` |
|
||||
| `metrics.image.pullSecrets` | Apache exporter image pull secrets | `[]` |
|
||||
|
|
|
@ -76,7 +76,7 @@ diagnosticMode:
|
|||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/wordpress
|
||||
tag: 6.2.2-debian-11-r75
|
||||
tag: 6.2.2-debian-11-r78
|
||||
digest: ""
|
||||
## Specify a imagePullPolicy
|
||||
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
||||
|
@ -860,7 +860,7 @@ metrics:
|
|||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/apache-exporter
|
||||
tag: 0.13.4-debian-11-r60
|
||||
tag: 1.0.1-debian-11-r5
|
||||
digest: ""
|
||||
pullPolicy: IfNotPresent
|
||||
## Optionally specify an array of imagePullSecrets.
|
||||
|
|
|
@ -4,7 +4,7 @@ annotations:
|
|||
catalog.cattle.io/kube-version: '>= 1.19.0-0'
|
||||
catalog.cattle.io/release-name: external-secrets
|
||||
apiVersion: v2
|
||||
appVersion: v0.9.1
|
||||
appVersion: v0.9.2
|
||||
description: External secret management for Kubernetes
|
||||
home: https://github.com/external-secrets/external-secrets
|
||||
icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png
|
||||
|
@ -17,4 +17,4 @@ maintainers:
|
|||
name: mcavoyk
|
||||
name: external-secrets
|
||||
type: application
|
||||
version: 0.9.1
|
||||
version: 0.9.2
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
|
||||
|
||||
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.9.1](https://img.shields.io/badge/Version-0.9.1-informational?style=flat-square)
|
||||
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.9.2](https://img.shields.io/badge/Version-0.9.2-informational?style=flat-square)
|
||||
|
||||
External secret management for Kubernetes
|
||||
|
||||
|
@ -61,6 +61,8 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| certController.prometheus.enabled | bool | `false` | deprecated. will be removed with 0.7.0, use serviceMonitor instead |
|
||||
| certController.prometheus.service.port | int | `8080` | deprecated. will be removed with 0.7.0, use serviceMonitor instead |
|
||||
| certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
|
||||
| certController.readinessProbe.address | string | `""` | Address for readiness probe |
|
||||
| certController.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
|
||||
| certController.replicaCount | int | `1` | |
|
||||
| certController.requeueInterval | string | `"5m"` | |
|
||||
| certController.resources | object | `{}` | |
|
||||
|
@ -115,6 +117,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| priorityClassName | string | `""` | Pod priority class name. |
|
||||
| processClusterExternalSecret | bool | `true` | if true, the operator will process cluster external secret. Else, it will ignore them. |
|
||||
| processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. |
|
||||
| processPushSecret | bool | `true` | if true, the operator will process push secret. Else, it will ignore them. |
|
||||
| prometheus.enabled | bool | `false` | deprecated. will be removed with 0.7.0, use serviceMonitor instead. |
|
||||
| prometheus.service.port | int | `8080` | deprecated. will be removed with 0.7.0, use serviceMonitor instead. |
|
||||
| rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
|
||||
|
|
|
@ -54,6 +54,8 @@ spec:
|
|||
- --service-namespace={{ .Release.Namespace }}
|
||||
- --secret-name={{ include "external-secrets.fullname" . }}-webhook
|
||||
- --secret-namespace={{ .Release.Namespace }}
|
||||
- --metrics-addr=:{{ .Values.certController.prometheus.service.port }}
|
||||
- --healthz-addr={{ .Values.certController.readinessProbe.address }}:{{ .Values.certController.readinessProbe.port }}
|
||||
{{ if not .Values.crds.createClusterSecretStore -}}
|
||||
- --crd-names=externalsecrets.external-secrets.io
|
||||
- --crd-names=secretstores.external-secrets.io
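Review bot: `--metrics-addr=:{{ .Values.certController.prometheus.service.port }}` wires the controller's listen port to `certController.prometheus.service.port`, which the README hunk in this same commit marks as deprecated and slated for removal, so the flag will lose its source once that block goes; a dedicated value (constructed name: `certController.metrics.listen.port`) would decouple the listener from the Service definition. The address half is also fixed to all interfaces, while `--healthz-addr` takes both host and port from values; exposing the metrics bind address the same way lets operators keep an unauthenticated metrics endpoint off interfaces it need not be on. Which two lines in this hunk are the additions is inferred from the counts (6 old, 8 new); I read them as the `--metrics-addr` and `--healthz-addr` lines.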
|
||||
|
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
name: acraccesstokens.generators.external-secrets.io
|
||||
spec:
|
||||
group: generators.external-secrets.io
|
||||
|
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
name: clusterexternalsecrets.external-secrets.io
|
||||
spec:
|
||||
group: external-secrets.io
|
||||
|
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
name: clustersecretstores.external-secrets.io
|
||||
spec:
|
||||
group: external-secrets.io
|
||||
|
@ -2574,6 +2574,33 @@ spec:
|
|||
description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
|
||||
type: string
|
||||
type: object
|
||||
userPass:
|
||||
description: UserPass authenticates with Vault by passing username/password pair
|
||||
properties:
|
||||
path:
|
||||
default: user
|
||||
description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"'
|
||||
type: string
|
||||
secretRef:
|
||||
description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method
|
||||
properties:
|
||||
key:
|
||||
description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
||||
type: string
|
||||
name:
|
||||
description: The name of the Secret resource being referred to.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
|
||||
type: string
|
||||
type: object
|
||||
username:
|
||||
description: Username is a user name used to authenticate using the UserPass Vault authentication method
|
||||
type: string
|
||||
required:
|
||||
- path
|
||||
- username
|
||||
type: object
|
||||
type: object
|
||||
caBundle:
|
||||
description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
|
||||
|
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
name: ecrauthorizationtokens.generators.external-secrets.io
|
||||
spec:
|
||||
group: generators.external-secrets.io
|
||||
|
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
name: externalsecrets.external-secrets.io
|
||||
spec:
|
||||
group: external-secrets.io
|
||||
|
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
name: fakes.generators.external-secrets.io
|
||||
spec:
|
||||
group: generators.external-secrets.io
|
||||
|
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
name: gcraccesstokens.generators.external-secrets.io
|
||||
spec:
|
||||
group: generators.external-secrets.io
|
||||
|
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
name: passwords.generators.external-secrets.io
|
||||
spec:
|
||||
group: generators.external-secrets.io
|
||||
|
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
name: pushsecrets.external-secrets.io
|
||||
spec:
|
||||
group: external-secrets.io
|
||||
|
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
name: secretstores.external-secrets.io
|
||||
spec:
|
||||
group: external-secrets.io
|
||||
|
@ -2574,6 +2574,33 @@ spec:
|
|||
description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
|
||||
type: string
|
||||
type: object
|
||||
userPass:
|
||||
description: UserPass authenticates with Vault by passing username/password pair
|
||||
properties:
|
||||
path:
|
||||
default: user
|
||||
description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"'
|
||||
type: string
|
||||
secretRef:
|
||||
description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method
|
||||
properties:
|
||||
key:
|
||||
description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
||||
type: string
|
||||
name:
|
||||
description: The name of the Secret resource being referred to.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
|
||||
type: string
|
||||
type: object
|
||||
username:
|
||||
description: Username is a user name used to authenticate using the UserPass Vault authentication method
|
||||
type: string
|
||||
required:
|
||||
- path
|
||||
- username
|
||||
type: object
|
||||
type: object
|
||||
caBundle:
|
||||
description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
|
||||
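Review bot: The new `userPass` schema lists only `path` and `username` under `required`, so the API server will admit a store whose userPass auth has no `secretRef`, and a missing password reference would only surface when the controller tries to log in; if the controller cannot authenticate without it, `secretRef` should be added to `required`. The `controller-gen.kubebuilder.io/version` annotations in this commit suggest the CRDs are generated, so the fix belongs on the Go type's validation markers rather than in this file, and would then flow to the identical block in the vaultdynamicsecrets CRD and the secretstores snapshot further down. Whether the controller tolerates an absent secretRef is not visible here. The enclosing provider auth schema starts outside the hunk.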
|
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
name: vaultdynamicsecrets.generators.external-secrets.io
|
||||
spec:
|
||||
group: generators.external-secrets.io
|
||||
|
@ -356,6 +356,33 @@ spec:
|
|||
description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
|
||||
type: string
|
||||
type: object
|
||||
userPass:
|
||||
description: UserPass authenticates with Vault by passing username/password pair
|
||||
properties:
|
||||
path:
|
||||
default: user
|
||||
description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"'
|
||||
type: string
|
||||
secretRef:
|
||||
description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method
|
||||
properties:
|
||||
key:
|
||||
description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
||||
type: string
|
||||
name:
|
||||
description: The name of the Secret resource being referred to.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
|
||||
type: string
|
||||
type: object
|
||||
username:
|
||||
description: Username is a user name used to authenticate using the UserPass Vault authentication method
|
||||
type: string
|
||||
required:
|
||||
- path
|
||||
- username
|
||||
type: object
|
||||
type: object
|
||||
caBundle:
|
||||
description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
|
||||
|
|
|
@ -65,6 +65,9 @@ spec:
|
|||
{{- if not .Values.processClusterExternalSecret }}
|
||||
- --enable-cluster-external-secret-reconciler=false
|
||||
{{- end }}
|
||||
{{- if not .Values.processPushSecret }}
|
||||
- --enable-push-secret-reconciler=false
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.controllerClass }}
|
||||
- --controller-class={{ .Values.controllerClass }}
|
||||
|
|
|
@ -6,7 +6,7 @@ metadata:
|
|||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
|
||||
external-secrets.io/component : webhook
|
||||
external-secrets.io/component: webhook
|
||||
spec:
|
||||
{{- if .Values.webhook.podDisruptionBudget.minAvailable }}
|
||||
minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
|
||||
|
|
|
@ -7,8 +7,8 @@ should match snapshot of default values:
|
|||
app.kubernetes.io/instance: RELEASE-NAME
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: external-secrets-cert-controller
|
||||
app.kubernetes.io/version: v0.9.1
|
||||
helm.sh/chart: external-secrets-0.9.1
|
||||
app.kubernetes.io/version: v0.9.2
|
||||
helm.sh/chart: external-secrets-0.9.2
|
||||
name: RELEASE-NAME-external-secrets-cert-controller
|
||||
namespace: NAMESPACE
|
||||
spec:
|
||||
|
@ -33,7 +33,9 @@ should match snapshot of default values:
|
|||
- --service-namespace=NAMESPACE
|
||||
- --secret-name=RELEASE-NAME-external-secrets-webhook
|
||||
- --secret-namespace=NAMESPACE
|
||||
image: ghcr.io/external-secrets/external-secrets:v0.9.1
|
||||
- --metrics-addr=:8080
|
||||
- --healthz-addr=:8081
|
||||
image: ghcr.io/external-secrets/external-secrets:v0.9.2
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: cert-controller
|
||||
ports:
|
||||
|
|
|
@ -7,8 +7,8 @@ should match snapshot of default values:
|
|||
app.kubernetes.io/instance: RELEASE-NAME
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: external-secrets
|
||||
app.kubernetes.io/version: v0.9.1
|
||||
helm.sh/chart: external-secrets-0.9.1
|
||||
app.kubernetes.io/version: v0.9.2
|
||||
helm.sh/chart: external-secrets-0.9.2
|
||||
name: RELEASE-NAME-external-secrets
|
||||
namespace: NAMESPACE
|
||||
spec:
|
||||
|
@ -28,7 +28,7 @@ should match snapshot of default values:
|
|||
containers:
|
||||
- args:
|
||||
- --concurrent=1
|
||||
image: ghcr.io/external-secrets/external-secrets:v0.9.1
|
||||
image: ghcr.io/external-secrets/external-secrets:v0.9.2
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: external-secrets
|
||||
ports:
|
||||
|
|
|
@ -4,7 +4,7 @@ should match snapshot of default values:
|
|||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
name: secretstores.external-secrets.io
|
||||
spec:
|
||||
conversion:
|
||||
|
@ -2579,6 +2579,33 @@ should match snapshot of default values:
|
|||
description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
|
||||
type: string
|
||||
type: object
|
||||
userPass:
|
||||
description: UserPass authenticates with Vault by passing username/password pair
|
||||
properties:
|
||||
path:
|
||||
default: user
|
||||
description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"'
|
||||
type: string
|
||||
secretRef:
|
||||
description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method
|
||||
properties:
|
||||
key:
|
||||
description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
||||
type: string
|
||||
name:
|
||||
description: The name of the Secret resource being referred to.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
|
||||
type: string
|
||||
type: object
|
||||
username:
|
||||
description: Username is a user name used to authenticate using the UserPass Vault authentication method
|
||||
type: string
|
||||
required:
|
||||
- path
|
||||
- username
|
||||
type: object
|
||||
type: object
|
||||
caBundle:
|
||||
description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
|
||||
|
|
|
@ -7,8 +7,8 @@ should match snapshot of default values:
|
|||
app.kubernetes.io/instance: RELEASE-NAME
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: external-secrets-webhook
|
||||
app.kubernetes.io/version: v0.9.1
|
||||
helm.sh/chart: external-secrets-0.9.1
|
||||
app.kubernetes.io/version: v0.9.2
|
||||
helm.sh/chart: external-secrets-0.9.2
|
||||
name: RELEASE-NAME-external-secrets-webhook
|
||||
namespace: NAMESPACE
|
||||
spec:
|
||||
|
@ -34,7 +34,7 @@ should match snapshot of default values:
|
|||
- --check-interval=5m
|
||||
- --metrics-addr=:8080
|
||||
- --healthz-addr=:8081
|
||||
image: ghcr.io/external-secrets/external-secrets:v0.9.1
|
||||
image: ghcr.io/external-secrets/external-secrets:v0.9.2
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: webhook
|
||||
ports:
|
||||
|
@ -78,8 +78,8 @@ should match snapshot of default values:
|
|||
app.kubernetes.io/instance: RELEASE-NAME
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: external-secrets-webhook
|
||||
app.kubernetes.io/version: v0.9.1
|
||||
app.kubernetes.io/version: v0.9.2
|
||||
external-secrets.io/component: webhook
|
||||
helm.sh/chart: external-secrets-0.9.1
|
||||
helm.sh/chart: external-secrets-0.9.2
|
||||
name: RELEASE-NAME-external-secrets-webhook
|
||||
namespace: NAMESPACE
|
||||
|
|
|
@ -47,3 +47,17 @@ tests:
|
|||
- equal:
|
||||
path: spec.template.spec.hostNetwork
|
||||
value: true
|
||||
- it: should override readinessProbe port
|
||||
set:
|
||||
certController.readinessProbe.port: 8082
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].args[7]
|
||||
value: "--healthz-addr=:8082"
|
||||
- it: should override metrics port
|
||||
set:
|
||||
certController.prometheus.service.port: 8888
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].args[6]
|
||||
value: "--metrics-addr=:8888"
|
||||
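Review bot: The two new assertions pin the flags by position (`args[7]` and `args[6]`), so reordering or inserting any cert-controller argument in the template fails these tests without any behaviour having changed. helm-unittest's `contains` assertion checks list membership instead, e.g. `- contains:` / `path: spec.template.spec.containers[0].args` / `content: "--healthz-addr=:8082"`, and the same form suits the metrics-port test below it.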
|
|
|
@ -59,6 +59,9 @@ processClusterExternalSecret: true
|
|||
# -- if true, the operator will process cluster store. Else, it will ignore them.
|
||||
processClusterStore: true
|
||||
|
||||
# -- if true, the operator will process push secret. Else, it will ignore them.
|
||||
processPushSecret: true
|
||||
|
||||
# -- Specifies whether an external secret operator deployment be created.
|
||||
createOperator: true
|
||||
|
||||
|
@ -433,6 +436,12 @@ certController:
|
|||
# -- Additional service annotations
|
||||
annotations: {}
|
||||
|
||||
readinessProbe:
|
||||
# -- Address for readiness probe
|
||||
address: ""
|
||||
# -- ReadinessProbe port for kubelet
|
||||
port: 8081
|
||||
|
||||
## -- Extra environment variables to add to container.
|
||||
extraEnv: []
|
||||
|
||||
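Review bot: The comment on the new `address` value does not say what the empty default does; the cert-controller snapshot earlier in this commit renders the default as `--healthz-addr=:8081`, which in Go listener notation binds on every interface, so a reader should learn from the comment that the key exists to restrict the bind address (relevant when `hostNetwork` is enabled, as the test file in this commit shows it can be). Suggest `# -- Address for readiness probe; empty listens on all interfaces (rendered as :8081 by default)` and, for `port`, `# -- ReadinessProbe port for kubelet; also the port in the --healthz-addr flag`. The enclosing `certController` mapping starts outside the hunk.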
|
|