diff --git a/assets/aquarist-labs/s3gw-0.19.0.tgz b/assets/aquarist-labs/s3gw-0.19.0.tgz new file mode 100644 index 000000000..df8b6e358 Binary files /dev/null and b/assets/aquarist-labs/s3gw-0.19.0.tgz differ diff --git a/assets/bitnami/kafka-24.0.3.tgz b/assets/bitnami/kafka-24.0.3.tgz new file mode 100644 index 000000000..3e0515ca5 Binary files /dev/null and b/assets/bitnami/kafka-24.0.3.tgz differ diff --git a/assets/bitnami/mariadb-13.0.1.tgz b/assets/bitnami/mariadb-13.0.1.tgz new file mode 100644 index 000000000..ed51da815 Binary files /dev/null and b/assets/bitnami/mariadb-13.0.1.tgz differ diff --git a/assets/bitnami/mysql-9.10.10.tgz b/assets/bitnami/mysql-9.10.10.tgz new file mode 100644 index 000000000..d6e9de92e Binary files /dev/null and b/assets/bitnami/mysql-9.10.10.tgz differ diff --git a/assets/bitnami/wordpress-17.0.4.tgz b/assets/bitnami/wordpress-17.0.4.tgz new file mode 100644 index 000000000..37238f8d7 Binary files /dev/null and b/assets/bitnami/wordpress-17.0.4.tgz differ diff --git a/assets/external-secrets/external-secrets-0.9.2.tgz b/assets/external-secrets/external-secrets-0.9.2.tgz new file mode 100644 index 000000000..066b3ff77 Binary files /dev/null and b/assets/external-secrets/external-secrets-0.9.2.tgz differ diff --git a/assets/jfrog/artifactory-ha-107.63.10.tgz b/assets/jfrog/artifactory-ha-107.63.10.tgz new file mode 100644 index 000000000..eb5b456d4 Binary files /dev/null and b/assets/jfrog/artifactory-ha-107.63.10.tgz differ diff --git a/assets/jfrog/artifactory-jcr-107.63.10.tgz b/assets/jfrog/artifactory-jcr-107.63.10.tgz new file mode 100644 index 000000000..a5af541cd Binary files /dev/null and b/assets/jfrog/artifactory-jcr-107.63.10.tgz differ diff --git a/assets/kuma/kuma-2.3.2.tgz b/assets/kuma/kuma-2.3.2.tgz new file mode 100644 index 000000000..07c79f569 Binary files /dev/null and b/assets/kuma/kuma-2.3.2.tgz differ diff --git a/assets/loft/loft-3.2.1.tgz b/assets/loft/loft-3.2.1.tgz new file mode 100644 index 000000000..48014eb50 Binary files /dev/null and b/assets/loft/loft-3.2.1.tgz differ diff --git a/assets/percona/pxc-operator-1.13.1.tgz b/assets/percona/pxc-operator-1.13.1.tgz new file mode 100644 index 000000000..2d077f6aa Binary files /dev/null and b/assets/percona/pxc-operator-1.13.1.tgz differ diff --git a/assets/redpanda/redpanda-5.0.8.tgz b/assets/redpanda/redpanda-5.0.8.tgz new file mode 100644 index 000000000..3a5558975 Binary files /dev/null and b/assets/redpanda/redpanda-5.0.8.tgz differ diff --git a/assets/speedscale/speedscale-operator-1.3.25.tgz b/assets/speedscale/speedscale-operator-1.3.25.tgz new file mode 100644 index 000000000..a5dd3e838 Binary files /dev/null and b/assets/speedscale/speedscale-operator-1.3.25.tgz differ diff --git a/assets/sysdig/sysdig-1.16.6.tgz b/assets/sysdig/sysdig-1.16.6.tgz new file mode 100644 index 000000000..38d9bc1b4 Binary files /dev/null and b/assets/sysdig/sysdig-1.16.6.tgz differ diff --git a/charts/aquarist-labs/s3gw/.helmignore b/charts/aquarist-labs/s3gw/.helmignore new file mode 100644 index 000000000..2b29f2764 --- /dev/null +++ b/charts/aquarist-labs/s3gw/.helmignore @@ -0,0 +1 @@ +tests diff --git a/charts/aquarist-labs/s3gw/Chart.yaml b/charts/aquarist-labs/s3gw/Chart.yaml index 1b790bc9b..82a1ab37c 100644 --- a/charts/aquarist-labs/s3gw/Chart.yaml +++ b/charts/aquarist-labs/s3gw/Chart.yaml @@ -35,4 +35,4 @@ sources: - https://github.com/aquarist-labs/s3gw-cosi-driver - https://github.com/kubernetes-sigs/container-object-storage-interface-provisioner-sidecar type: application -version: 0.18.0 +version: 0.19.0 diff --git a/charts/aquarist-labs/s3gw/README.md b/charts/aquarist-labs/s3gw/README.md index 33fc51ad3..e89bf0381 100644 --- a/charts/aquarist-labs/s3gw/README.md +++ b/charts/aquarist-labs/s3gw/README.md @@ -16,7 +16,7 @@ To install s3gw using Helm add the chart to your Helm repository and then run `helm install`: ```bash -helm add repo s3gw https://aquarist-labs.github.io/s3gw-charts/ +helm repo add s3gw https://aquarist-labs.github.io/s3gw-charts/ helm \ --namespace s3gw-system \ install s3gw \ diff --git a/charts/aquarist-labs/s3gw/ci/full-install-values.yaml b/charts/aquarist-labs/s3gw/ci/full-install-values.yaml new file mode 100644 index 000000000..8d036e543 --- /dev/null +++ b/charts/aquarist-labs/s3gw/ci/full-install-values.yaml @@ -0,0 +1,12 @@ +--- +publicDomain: s3.example.com +ui: + enabled: true + publicDomain: s3-ui.example.com +ingress: + enabled: true +storageClass: + name: local + create: true + local: true + localPath: /tmp/local-storage diff --git a/charts/aquarist-labs/s3gw/ci/minimal-values.yaml b/charts/aquarist-labs/s3gw/ci/minimal-values.yaml new file mode 100644 index 000000000..89eefe25b --- /dev/null +++ b/charts/aquarist-labs/s3gw/ci/minimal-values.yaml @@ -0,0 +1,11 @@ +--- +publicDomain: s3.example.com +ui: + enabled: false +ingress: + enabled: false +storageClass: + name: local + create: true + local: true + localPath: /tmp/local-storage diff --git a/charts/aquarist-labs/s3gw/templates/chart-validation.yaml b/charts/aquarist-labs/s3gw/templates/chart-validation.yaml index 31fd797d3..a22001994 100644 --- a/charts/aquarist-labs/s3gw/templates/chart-validation.yaml +++ b/charts/aquarist-labs/s3gw/templates/chart-validation.yaml @@ -2,12 +2,12 @@ {{- fail "Please provide a value for `.Values.publicDomain`." }} {{- end }} -{{- if (and .Values.ui.enabled (empty .Values.ui.publicDomain)) }} +{{- if (and .Values.ingress.enabled (and .Values.ui.enabled (empty .Values.ui.publicDomain))) }} {{- fail "Please provide a value for `.Values.ui.publicDomain`." }} {{- end }} {{- if (and .Values.useExistingSecret (empty .Values.defaultUserCredentialsSecret)) }} -{{- fail "Please provide a secret name for `.Values.defaultUserCredentialSecret`" }} +{{- fail "Please provide a secret name for `.Values.defaultUserCredentialsSecret`" }} {{- end }} {{- if .Values.useCertManager }} diff --git a/charts/aquarist-labs/s3gw/templates/cosi-driver-secret.yaml b/charts/aquarist-labs/s3gw/templates/cosi-driver-secret.yaml index 758599f41..666689ff9 100644 --- a/charts/aquarist-labs/s3gw/templates/cosi-driver-secret.yaml +++ b/charts/aquarist-labs/s3gw/templates/cosi-driver-secret.yaml @@ -11,6 +11,6 @@ type: Opaque stringData: DRIVERNAME: {{ include "s3gw-cosi.driverName" . }} ENDPOINT: {{ include "s3gw-cosi.endpoint" . }} - ACCESSKEY: {{ .Values.accessKey }} - SECRETKEY: {{ .Values.secretKey }} + ACCESSKEY: {{ include "s3gw.defaultAccessKey" . }} + SECRETKEY: {{ include "s3gw.defaultSecretKey" . }} {{- end }} diff --git a/charts/aquarist-labs/s3gw/templates/tests/smoke-bucket-create.yaml b/charts/aquarist-labs/s3gw/templates/tests/smoke-bucket-create.yaml deleted file mode 100644 index a999cb37e..000000000 --- a/charts/aquarist-labs/s3gw/templates/tests/smoke-bucket-create.yaml +++ /dev/null @@ -1,32 +0,0 @@ ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: 'smoke-{{ .Release.Name }}-bucket-create' - namespace: '{{ .Release.Namespace }}' - annotations: - helm.sh/hook: test -spec: - template: - spec: - containers: - - name: create-bucket - image: opensuse/tumbleweed:latest - command: - - /bin/sh - - -exc - - zypper -n install --no-recommends libs3-tools; - - s3 -u -t 50 create testbucket; - - s3 -u -t 50 list | grep testbucket - env: - - name: S3_ACCESS_KEY_ID - value: {{ .Values.accessKey | quote }} - - name: S3_SECRET_ACCESS_KEY - value: {{ .Values.secretKey | quote }} - - name: S3_HOSTNAME - value: - '{{ include "s3gw.serviceName" . }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }}' - restartPolicy: Never - backoffLimit: 3 diff --git a/charts/bitnami/kafka/Chart.lock b/charts/bitnami/kafka/Chart.lock index aef9914f9..15a51b960 100644 --- a/charts/bitnami/kafka/Chart.lock +++ b/charts/bitnami/kafka/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: zookeeper repository: oci://registry-1.docker.io/bitnamicharts - version: 11.4.9 + version: 11.4.10 - name: common repository: oci://registry-1.docker.io/bitnamicharts version: 2.6.0 -digest: sha256:9375ccc13bbfdc7ccebfa3354f48e578a1cc73ded31638587edd99650d16f29b -generated: "2023-07-24T12:26:26.493879811Z" +digest: sha256:31af3d70106f13499f925ccf603f986ee1e925cdf22eef0cd7c50fc9fe088f0d +generated: "2023-08-04T16:49:34.999596575Z" diff --git a/charts/bitnami/kafka/Chart.yaml b/charts/bitnami/kafka/Chart.yaml index 3cc9e6d07..d3798f6b0 100644 --- a/charts/bitnami/kafka/Chart.yaml +++ b/charts/bitnami/kafka/Chart.yaml @@ -4,6 +4,17 @@ annotations: catalog.cattle.io/kube-version: '>=1.19-0' catalog.cattle.io/release-name: kafka category: Infrastructure + images: | + - name: jmx-exporter + image: docker.io/bitnami/jmx-exporter:0.19.0-debian-11-r33 + - name: kafka-exporter + image: docker.io/bitnami/kafka-exporter:1.7.0-debian-11-r69 + - name: kafka + image: docker.io/bitnami/kafka:3.5.1-debian-11-r11 + - name: kubectl + image: docker.io/bitnami/kubectl:1.25.12-debian-11-r14 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r25 licenses: Apache-2.0 apiVersion: v2 appVersion: 3.5.1 @@ -34,4 +45,4 @@ maintainers: name: kafka sources: - https://github.com/bitnami/charts/tree/main/bitnami/kafka -version: 23.0.7 +version: 24.0.3 diff --git a/charts/bitnami/kafka/README.md b/charts/bitnami/kafka/README.md index 453827dee..77fc2537c 100644 --- a/charts/bitnami/kafka/README.md +++ b/charts/bitnami/kafka/README.md @@ -78,232 +78,358 @@ The command removes all the Kubernetes components associated with the chart and ### Kafka parameters -| Name | Description | Value | -| ------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `image.registry` | Kafka image registry | `docker.io` | -| `image.repository` | Kafka image repository | `bitnami/kafka` | -| `image.tag` | Kafka image tag (immutable tags are recommended) | `3.5.1-debian-11-r1` | -| `image.digest` | Kafka image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | Kafka image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `image.debug` | Specify if debug values should be set | `false` | -| `config` | Configuration file for Kafka. Auto-generated based on other parameters when not specified | `""` | -| `existingConfigmap` | ConfigMap with Kafka Configuration | `""` | -| `log4j` | An optional log4j.properties file to overwrite the default of the Kafka brokers | `""` | -| `existingLog4jConfigMap` | The name of an existing ConfigMap containing a log4j.properties file | `""` | -| `heapOpts` | Kafka Java Heap size | `-Xmx1024m -Xms1024m` | -| `deleteTopicEnable` | Switch to enable topic deletion or not | `false` | -| `autoCreateTopicsEnable` | Switch to enable auto creation of topics. Enabling auto creation of topics not recommended for production or similar environments | `true` | -| `logFlushIntervalMessages` | The number of messages to accept before forcing a flush of data to disk | `_10000` | -| `logFlushIntervalMs` | The maximum amount of time a message can sit in a log before we force a flush | `1000` | -| `logRetentionBytes` | A size-based retention policy for logs | `_1073741824` | -| `logRetentionCheckIntervalMs` | The interval at which log segments are checked to see if they can be deleted | `300000` | -| `logRetentionHours` | The minimum age of a log file to be eligible for deletion due to age | `168` | -| `logSegmentBytes` | The maximum size of a log segment file. When this size is reached a new log segment will be created | `_1073741824` | -| `logsDirs` | A comma separated list of directories in which kafka's log data is kept | `/bitnami/kafka/data` | -| `maxMessageBytes` | The largest record batch size allowed by Kafka | `_1000012` | -| `defaultReplicationFactor` | Default replication factors for automatically created topics | `1` | -| `offsetsTopicReplicationFactor` | The replication factor for the offsets topic | `1` | -| `transactionStateLogReplicationFactor` | The replication factor for the transaction topic | `1` | -| `transactionStateLogMinIsr` | Overridden min.insync.replicas config for the transaction topic | `1` | -| `numIoThreads` | The number of threads doing disk I/O | `8` | -| `numNetworkThreads` | The number of threads handling network requests | `3` | -| `numPartitions` | The default number of log partitions per topic | `1` | -| `numRecoveryThreadsPerDataDir` | The number of threads per data directory to be used for log recovery at startup and flushing at shutdown | `1` | -| `socketReceiveBufferBytes` | The receive buffer (SO_RCVBUF) used by the socket server | `102400` | -| `socketRequestMaxBytes` | The maximum size of a request that the socket server will accept (protection against OOM) | `_104857600` | -| `socketSendBufferBytes` | The send buffer (SO_SNDBUF) used by the socket server | `102400` | -| `zookeeperConnectionTimeoutMs` | Timeout in ms for connecting to ZooKeeper | `6000` | -| `zookeeperChrootPath` | Path which puts data under some path in the global ZooKeeper namespace | `""` | -| `authorizerClassName` | The Authorizer is configured by setting authorizer.class.name=kafka.security.authorizer.AclAuthorizer in server.properties | `""` | -| `allowEveryoneIfNoAclFound` | By default, if a resource has no associated ACLs, then no one is allowed to access that resource except super users | `true` | -| `superUsers` | You can add super users in server.properties | `User:admin` | -| `auth.clientProtocol` | Authentication protocol for communications with clients. Allowed protocols: `plaintext`, `tls`, `mtls`, `sasl` and `sasl_tls` | `plaintext` | -| `auth.externalClientProtocol` | Authentication protocol for communications with external clients. Defaults to value of `auth.clientProtocol`. Allowed protocols: `plaintext`, `tls`, `mtls`, `sasl` and `sasl_tls` | `""` | -| `auth.interBrokerProtocol` | Authentication protocol for inter-broker communications. Allowed protocols: `plaintext`, `tls`, `mtls`, `sasl` and `sasl_tls` | `plaintext` | -| `auth.controllerProtocol` | Controller protocol. It is used with Kraft mode only. | `plaintext` | -| `auth.sasl.mechanisms` | SASL mechanisms when either `auth.interBrokerProtocol`, `auth.clientProtocol` or `auth.externalClientProtocol` are `sasl`. Allowed types: `plain`, `scram-sha-256`, `scram-sha-512` | `plain,scram-sha-256,scram-sha-512` | -| `auth.sasl.interBrokerMechanism` | SASL mechanism for inter broker communication. | `plain` | -| `auth.sasl.jaas.clientUsers` | Kafka client user list | `["user"]` | -| `auth.sasl.jaas.clientPasswords` | Kafka client passwords. This is mandatory if more than one user is specified in clientUsers | `[]` | -| `auth.sasl.jaas.interBrokerUser` | Kafka inter broker communication user for SASL authentication | `admin` | -| `auth.sasl.jaas.interBrokerPassword` | Kafka inter broker communication password for SASL authentication | `""` | -| `auth.sasl.jaas.zookeeperUser` | Kafka ZooKeeper user for SASL authentication | `""` | -| `auth.sasl.jaas.zookeeperPassword` | Kafka ZooKeeper password for SASL authentication | `""` | -| `auth.sasl.jaas.existingSecret` | Name of the existing secret containing credentials for clientUsers, interBrokerUser and zookeeperUser | `""` | -| `auth.tls.type` | Format to use for TLS certificates. Allowed types: `jks` and `pem` | `jks` | -| `auth.tls.pemChainIncluded` | Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. | `false` | -| `auth.tls.existingSecrets` | Array existing secrets containing the TLS certificates for the Kafka brokers | `[]` | -| `auth.tls.autoGenerated` | Generate automatically self-signed TLS certificates for Kafka brokers. Currently only supported if `auth.tls.type` is `pem` | `false` | -| `auth.tls.password` | Password to access the JKS files or PEM key when they are password-protected. | `""` | -| `auth.tls.existingSecret` | Name of the secret containing the password to access the JKS files or PEM key when they are password-protected. (`key`: `password`) | `""` | -| `auth.tls.jksTruststoreSecret` | Name of the existing secret containing your truststore if truststore not existing or different from the ones in the `auth.tls.existingSecrets` | `""` | -| `auth.tls.jksKeystoreSAN` | The secret key from the `auth.tls.existingSecrets` containing the keystore with a SAN certificate | `""` | -| `auth.tls.jksTruststore` | The secret key from the `auth.tls.existingSecrets` or `auth.tls.jksTruststoreSecret` containing the truststore | `""` | -| `auth.tls.endpointIdentificationAlgorithm` | The endpoint identification algorithm to validate server hostname using server certificate | `https` | -| `auth.zookeeper.tls.enabled` | Enable TLS for Zookeeper client connections. | `false` | -| `auth.zookeeper.tls.type` | Format to use for TLS certificates. Allowed types: `jks` and `pem`. | `jks` | -| `auth.zookeeper.tls.verifyHostname` | Hostname validation. | `true` | -| `auth.zookeeper.tls.existingSecret` | Name of the existing secret containing the TLS certificates for ZooKeeper client communications. | `""` | -| `auth.zookeeper.tls.existingSecretKeystoreKey` | The secret key from the auth.zookeeper.tls.existingSecret containing the Keystore. | `zookeeper.keystore.jks` | -| `auth.zookeeper.tls.existingSecretTruststoreKey` | The secret key from the auth.zookeeper.tls.existingSecret containing the Truststore. | `zookeeper.truststore.jks` | -| `auth.zookeeper.tls.passwordsSecret` | Existing secret containing Keystore and Truststore passwords. | `""` | -| `auth.zookeeper.tls.passwordsSecretKeystoreKey` | The secret key from the auth.zookeeper.tls.passwordsSecret containing the password for the Keystore. | `keystore-password` | -| `auth.zookeeper.tls.passwordsSecretTruststoreKey` | The secret key from the auth.zookeeper.tls.passwordsSecret containing the password for the Truststore. | `truststore-password` | -| `listeners` | The address(es) the socket server listens on. Auto-calculated it's set to an empty array | `[]` | -| `advertisedListeners` | The address(es) (hostname:port) the broker will advertise to producers and consumers. Auto-calculated it's set to an empty array | `[]` | -| `listenerSecurityProtocolMap` | The protocol->listener mapping. Auto-calculated it's set to nil | `""` | -| `allowPlaintextListener` | Allow to use the PLAINTEXT listener | `true` | -| `interBrokerListenerName` | The listener that the brokers should communicate on | `INTERNAL` | -| `command` | Override Kafka container command | `["/scripts/setup.sh"]` | -| `args` | Override Kafka container arguments | `[]` | -| `extraEnvVars` | Extra environment variables to add to Kafka pods | `[]` | -| `extraEnvVarsCM` | ConfigMap with extra environment variables | `""` | -| `extraEnvVarsSecret` | Secret with extra environment variables | `""` | +| Name | Description | Value | +| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | +| `image.registry` | Kafka image registry | `docker.io` | +| `image.repository` | Kafka image repository | `bitnami/kafka` | +| `image.tag` | Kafka image tag (immutable tags are recommended) | `3.5.1-debian-11-r11` | +| `image.digest` | Kafka image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | Kafka image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Specify if debug values should be set | `false` | +| `extraInit` | Additional content for the kafka init script, rendered as a template. | `""` | +| `config` | Configuration file for Kafka, rendered as a template. Auto-generated based on chart values when not specified. | `""` | +| `existingConfigmap` | ConfigMap with Kafka Configuration | `""` | +| `extraConfig` | Additional configuration to be appended at the end of the generated Kafka configuration file. | `""` | +| `log4j` | An optional log4j.properties file to overwrite the default of the Kafka brokers | `""` | +| `existingLog4jConfigMap` | The name of an existing ConfigMap containing a log4j.properties file | `""` | +| `heapOpts` | Kafka Java Heap size | `-Xmx1024m -Xms1024m` | +| `interBrokerProtocolVersion` | Override the setting 'inter.broker.protocol.version' during the ZK migration. | `""` | +| `listeners.client.name` | Name for the Kafka client listener | `CLIENT` | +| `listeners.client.containerPort` | Port for the Kafka client listener | `9092` | +| `listeners.client.protocol` | Security protocol for the Kafka client listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL' | `SASL_PLAINTEXT` | +| `listeners.client.sslClientAuth` | Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.authType for this listener. Allowed values are 'none', 'requested' and 'required' | `""` | +| `listeners.controller.name` | Name for the Kafka controller listener | `CONTROLLER` | +| `listeners.controller.containerPort` | Port for the Kafka controller listener | `9093` | +| `listeners.controller.protocol` | Security protocol for the Kafka controller listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL' | `SASL_PLAINTEXT` | +| `listeners.controller.sslClientAuth` | Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.authType for this listener. Allowed values are 'none', 'requested' and 'required' | `""` | +| `listeners.interbroker.name` | Name for the Kafka inter-broker listener | `INTERNAL` | +| `listeners.interbroker.containerPort` | Port for the Kafka inter-broker listener | `9094` | +| `listeners.interbroker.protocol` | Security protocol for the Kafka inter-broker listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL' | `SASL_PLAINTEXT` | +| `listeners.interbroker.sslClientAuth` | Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.authType for this listener. Allowed values are 'none', 'requested' and 'required' | `""` | +| `listeners.external.containerPort` | Port for the Kafka external listener | `9095` | +| `listeners.external.protocol` | Security protocol for the Kafka external listener. . Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL' | `SASL_PLAINTEXT` | +| `listeners.external.name` | Name for the Kafka external listener | `EXTERNAL` | +| `listeners.external.sslClientAuth` | Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.sslClientAuth for this listener. Allowed values are 'none', 'requested' and 'required' | `""` | +| `listeners.extraListeners` | Array of listener objects to be appended to already existing listeners | `[]` | +| `listeners.overrideListeners` | Overrides the Kafka 'listeners' configuration setting. | `""` | +| `listeners.advertisedListeners` | Overrides the Kafka 'advertised.listener' configuration setting. | `""` | +| `listeners.securityProtocolMap` | Overrides the Kafka 'security.protocol.map' configuration setting. | `""` | -### Statefulset parameters +### Kafka SASL parameters -| Name | Description | Value | -| --------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- | -| `replicaCount` | Number of Kafka nodes | `1` | -| `minId` | Minimal node.id or broker.id values, nodes increment their value respectively | `0` | -| `brokerRackAssignment` | Set Broker Assignment for multi tenant environment Allowed values: `aws-az` | `""` | -| `containerPorts.client` | Kafka client container port | `9092` | -| `containerPorts.controller` | Kafka Controller listener port. It is used if "kraft.enabled: true" | `9093` | -| `containerPorts.internal` | Kafka inter-broker container port | `9094` | -| `containerPorts.external` | Kafka external container port | `9095` | -| `livenessProbe.enabled` | Enable livenessProbe on Kafka containers | `true` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | -| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `readinessProbe.enabled` | Enable readinessProbe on Kafka containers | `true` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | -| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `startupProbe.enabled` | Enable startupProbe on Kafka containers | `false` | -| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | -| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `lifecycleHooks` | lifecycleHooks for the Kafka container to automate configuration before or after startup | `{}` | -| `resources.limits` | The resources limits for the container | `{}` | -| `resources.requests` | The requested resources for the container | `{}` | -| `podSecurityContext.enabled` | Enable security context for the pods | `true` | -| `podSecurityContext.fsGroup` | Set Kafka pod's Security Context fsGroup | `1001` | -| `containerSecurityContext.enabled` | Enable Kafka containers' Security Context | `true` | -| `containerSecurityContext.runAsUser` | Set Kafka containers' Security Context runAsUser | `1001` | -| `containerSecurityContext.runAsNonRoot` | Set Kafka containers' Security Context runAsNonRoot | `true` | -| `containerSecurityContext.allowPrivilegeEscalation` | Force the child process to be run as nonprivilege | `false` | -| `hostAliases` | Kafka pods host aliases | `[]` | -| `hostNetwork` | Specify if host network should be enabled for Kafka pods | `false` | -| `hostIPC` | Specify if host IPC should be enabled for Kafka pods | `false` | -| `podLabels` | Extra labels for Kafka pods | `{}` | -| `podAnnotations` | Extra annotations for Kafka pods | `{}` | -| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | -| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | -| `affinity` | Affinity for pod assignment | `{}` | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `tolerations` | Tolerations for pod assignment | `[]` | -| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | -| `terminationGracePeriodSeconds` | Seconds the pod needs to gracefully terminate | `""` | -| `podManagementPolicy` | StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel | `Parallel` | -| `priorityClassName` | Name of the existing priority class to be used by kafka pods | `""` | -| `schedulerName` | Name of the k8s scheduler (other than default) | `""` | -| `updateStrategy.type` | Kafka statefulset strategy type | `RollingUpdate` | -| `updateStrategy.rollingUpdate` | Kafka statefulset rolling update configuration parameters | `{}` | -| `extraVolumes` | Optionally specify extra list of additional volumes for the Kafka pod(s) | `[]` | -| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Kafka container(s) | `[]` | -| `sidecars` | Add additional sidecar containers to the Kafka pod(s) | `[]` | -| `initContainers` | Add additional Add init containers to the Kafka pod(s) | `[]` | -| `pdb.create` | Deploy a pdb object for the Kafka pod | `false` | -| `pdb.minAvailable` | Maximum number/percentage of unavailable Kafka replicas | `""` | -| `pdb.maxUnavailable` | Maximum number/percentage of unavailable Kafka replicas | `1` | +| Name | Description | Value | +| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `sasl.enabledMechanisms` | Comma-separated list of allowed SASL mechanisms when SASL listeners are configured. Allowed types: `PLAIN`, `SCRAM-SHA-256`, `SCRAM-SHA-512` | `PLAIN,SCRAM-SHA-256,SCRAM-SHA-512` | +| `sasl.interBrokerMechanism` | SASL mechanism for inter broker communication. | `PLAIN` | +| `sasl.controllerMechanism` | SASL mechanism for controller communications. | `PLAIN` | +| `sasl.interbroker.user` | Username for inter-broker communications when SASL is enabled | `inter_broker_user` | +| `sasl.interbroker.password` | Password for inter-broker communications when SASL is enabled. If not set and SASL is enabled for the controller listener, a random password will be generated. | `""` | +| `sasl.controller.user` | Username for controller communications when SASL is enabled | `controller_user` | +| `sasl.controller.password` | Password for controller communications when SASL is enabled. If not set and SASL is enabled for the inter-broker listener, a random password will be generated. | `""` | +| `sasl.client.users` | Comma-separated list of usernames for client communications when SASL is enabled | `["user1"]` | +| `sasl.client.passwords` | Comma-separated list of passwords for client communications when SASL is enabled, must match the number of client.users | `""` | +| `sasl.zookeeper.user` | Username for zookeeper communications when SASL is enabled. | `""` | +| `sasl.zookeeper.password` | Password for zookeeper communications when SASL is enabled. | `""` | +| `sasl.existingSecret` | Name of the existing secret containing credentials for clientUsers, interBrokerUser, controllerUser and zookeeperUser | `""` | + +### Kafka TLS parameters + +| Name | Description | Value | +| -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `tls.type` | Format to use for TLS certificates. Allowed types: `JKS` and `PEM` | `JKS` | +| `tls.pemChainIncluded` | Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. | `false` | +| `tls.existingSecret` | Name of the existing secret containing the TLS certificates for the Kafka nodes. | `""` | +| `tls.autoGenerated` | Generate automatically self-signed TLS certificates for Kafka brokers. Currently only supported if `tls.type` is `PEM` | `false` | +| `tls.passwordsSecret` | Name of the secret containing the password to access the JKS files or PEM key when they are password-protected. (`key`: `password`) | `""` | +| `tls.passwordsSecretKeystoreKey` | The secret key from the tls.passwordsSecret containing the password for the Keystore. | `keystore-password` | +| `tls.passwordsSecretTruststoreKey` | The secret key from the tls.passwordsSecret containing the password for the Truststore. | `truststore-password` | +| `tls.passwordsSecretPemPasswordKey` | The secret key from the tls.passwordsSecret containing the password for the PEM key inside 'tls.passwordsSecret'. | `""` | +| `tls.keystorePassword` | Password to access the JKS keystore when it is password-protected. Ignored when 'tls.passwordsSecret' is provided. | `""` | +| `tls.truststorePassword` | Password to access the JKS truststore when it is password-protected. Ignored when 'tls.passwordsSecret' is provided. | `""` | +| `tls.keyPassword` | Password to access the PEM key when it is password-protected. | `""` | +| `tls.jksTruststoreSecret` | Name of the existing secret containing your truststore if truststore not existing or different from the one in the `tls.existingSecret` | `""` | +| `tls.jksTruststoreKey` | The secret key from the `tls.existingSecret` or `tls.jksTruststoreSecret` containing the truststore | `""` | +| `tls.endpointIdentificationAlgorithm` | The endpoint identification algorithm to validate server hostname using server certificate | `https` | +| `tls.sslClientAuth` | Sets the default value for the ssl.client.auth Kafka setting. | `required` | +| `tls.zookeeper.enabled` | Enable TLS for Zookeeper client connections. | `false` | +| `tls.zookeeper.verifyHostname` | Hostname validation. | `true` | +| `tls.zookeeper.existingSecret` | Name of the existing secret containing the TLS certificates for ZooKeeper client communications. | `""` | +| `tls.zookeeper.existingSecretKeystoreKey` | The secret key from the tls.zookeeper.existingSecret containing the Keystore. | `zookeeper.keystore.jks` | +| `tls.zookeeper.existingSecretTruststoreKey` | The secret key from the tls.zookeeper.existingSecret containing the Truststore. | `zookeeper.truststore.jks` | +| `tls.zookeeper.passwordsSecret` | Existing secret containing Keystore and Truststore passwords. | `""` | +| `tls.zookeeper.passwordsSecretKeystoreKey` | The secret key from the tls.zookeeper.passwordsSecret containing the password for the Keystore. | `keystore-password` | +| `tls.zookeeper.passwordsSecretTruststoreKey` | The secret key from the tls.zookeeper.passwordsSecret containing the password for the Truststore. | `truststore-password` | +| `tls.zookeeper.keystorePassword` | Password to access the JKS keystore when it is password-protected. Ignored when 'tls.passwordsSecret' is provided. | `""` | +| `tls.zookeeper.truststorePassword` | Password to access the JKS truststore when it is password-protected. Ignored when 'tls.passwordsSecret' is provided. | `""` | +| `extraEnvVars` | Extra environment variables to add to Kafka pods | `[]` | +| `extraEnvVarsCM` | ConfigMap with extra environment variables | `""` | +| `extraEnvVarsSecret` | Secret with extra environment variables | `""` | +| `extraVolumes` | Optionally specify extra list of additional volumes for the Kafka pod(s) | `[]` | +| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Kafka container(s) | `[]` | +| `sidecars` | Add additional sidecar containers to the Kafka pod(s) | `[]` | +| `initContainers` | Add additional Add init containers to the Kafka pod(s) | `[]` | + +### Controller-eligible statefulset parameters + +| Name | Description | Value | +| -------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | +| `controller.replicaCount` | Number of Kafka controller-eligible nodes | `3` | +| `controller.controllerOnly` | If set to true, controller nodes will be deployed as dedicated controllers, instead of controller+broker processes. | `false` | +| `controller.minId` | Minimal node.id values for controller-eligible nodes. Do not change after first initialization. | `0` | +| `controller.zookeeperMigrationMode` | Set to true to deploy cluster controller quorum | `false` | +| `controller.config` | Configuration file for Kafka controller-eligible nodes, rendered as a template. Auto-generated based on chart values when not specified. | `""` | +| `controller.existingConfigmap` | ConfigMap with Kafka Configuration for controller-eligible nodes. | `""` | +| `controller.extraConfig` | Additional configuration to be appended at the end of the generated Kafka controller-eligible nodes configuration file. | `""` | +| `controller.heapOpts` | Kafka Java Heap size for controller-eligible nodes | `-Xmx1024m -Xms1024m` | +| `controller.command` | Override Kafka container command | `[]` | +| `controller.args` | Override Kafka container arguments | `[]` | +| `controller.extraEnvVars` | Extra environment variables to add to Kafka pods | `[]` | +| `controller.extraEnvVarsCM` | ConfigMap with extra environment variables | `""` | +| `controller.extraEnvVarsSecret` | Secret with extra environment variables | `""` | +| `controller.extraContainerPorts` | Kafka controller-eligible extra containerPorts. | `[]` | +| `controller.livenessProbe.enabled` | Enable livenessProbe on Kafka containers | `true` | +| `controller.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | +| `controller.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `controller.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `controller.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `controller.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `controller.readinessProbe.enabled` | Enable readinessProbe on Kafka containers | `true` | +| `controller.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `controller.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `controller.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `controller.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `controller.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `controller.startupProbe.enabled` | Enable startupProbe on Kafka containers | `false` | +| `controller.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `controller.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `controller.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `controller.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `controller.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `controller.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `controller.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `controller.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `controller.lifecycleHooks` | lifecycleHooks for the Kafka container to automate configuration before or after startup | `{}` | +| `controller.resources.limits` | The resources limits for the container | `{}` | +| `controller.resources.requests` | The requested resources for the container | `{}` | +| `controller.podSecurityContext.enabled` | Enable security context for the pods | `true` | +| `controller.podSecurityContext.fsGroup` | Set Kafka pod's Security Context fsGroup | `1001` | +| `controller.podSecurityContext.seccompProfile.type` | Set Kafka pods's Security Context seccomp profile | `RuntimeDefault` | +| `controller.containerSecurityContext.enabled` | Enable Kafka containers' Security Context | `true` | +| `controller.containerSecurityContext.runAsUser` | Set Kafka containers' Security Context runAsUser | `1001` | +| `controller.containerSecurityContext.runAsNonRoot` | Set Kafka containers' Security Context runAsNonRoot | `true` | +| `controller.containerSecurityContext.allowPrivilegeEscalation` | Force the child process to be run as non-privileged | `false` | +| `controller.containerSecurityContext.readOnlyRootFilesystem` | Allows the pod to mount the RootFS as ReadOnly only | `true` | +| `controller.containerSecurityContext.capabilities.drop` | Set Kafka containers' server Security Context capabilities to be dropped | `["ALL"]` | +| `controller.hostAliases` | Kafka pods host aliases | `[]` | +| `controller.hostNetwork` | Specify if host network should be enabled for Kafka pods | `false` | +| `controller.hostIPC` | Specify if host IPC should be enabled for Kafka pods | `false` | +| `controller.podLabels` | Extra labels for Kafka pods | `{}` | +| `controller.podAnnotations` | Extra annotations for Kafka pods | `{}` | +| `controller.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `controller.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `controller.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `controller.nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | +| `controller.nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | +| `controller.affinity` | Affinity for pod assignment | `{}` | +| `controller.nodeSelector` | Node labels for pod assignment | `{}` | +| `controller.tolerations` | Tolerations for pod assignment | `[]` | +| `controller.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `controller.terminationGracePeriodSeconds` | Seconds the pod needs to gracefully terminate | `""` | +| `controller.podManagementPolicy` | StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel | `Parallel` | +| `controller.priorityClassName` | Name of the existing priority class to be used by kafka pods | `""` | +| `controller.runtimeClassName` | Name of the runtime class to be used by pod(s) | `""` | +| `controller.schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `controller.updateStrategy.type` | Kafka statefulset strategy type | `RollingUpdate` | +| `controller.extraVolumes` | Optionally specify extra list of additional volumes for the Kafka pod(s) | `[]` | +| `controller.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Kafka container(s) | `[]` | +| `controller.sidecars` | Add additional sidecar containers to the Kafka pod(s) | `[]` | +| `controller.initContainers` | Add additional Add init containers to the Kafka pod(s) | `[]` | +| `controller.pdb.create` | Deploy a pdb object for the Kafka pod | `false` | +| `controller.pdb.minAvailable` | Maximum number/percentage of unavailable Kafka replicas | `""` | +| `controller.pdb.maxUnavailable` | Maximum number/percentage of unavailable Kafka replicas | `1` | +| `controller.persistence.enabled` | Enable Kafka data persistence using PVC, note that ZooKeeper persistence is unaffected | `true` | +| `controller.persistence.existingClaim` | A manually managed Persistent Volume and Claim | `""` | +| `controller.persistence.storageClass` | PVC Storage Class for Kafka data volume | `""` | +| `controller.persistence.accessModes` | Persistent Volume Access Modes | `["ReadWriteOnce"]` | +| `controller.persistence.size` | PVC Storage Request for Kafka data volume | `8Gi` | +| `controller.persistence.annotations` | Annotations for the PVC | `{}` | +| `controller.persistence.labels` | Labels for the PVC | `{}` | +| `controller.persistence.selector` | Selector to match an existing Persistent Volume for Kafka data PVC. If set, the PVC can't have a PV dynamically provisioned for it | `{}` | +| `controller.persistence.mountPath` | Mount path of the Kafka data volume | `/bitnami/kafka` | +| `controller.logPersistence.enabled` | Enable Kafka logs persistence using PVC, note that ZooKeeper persistence is unaffected | `false` | +| `controller.logPersistence.existingClaim` | A manually managed Persistent Volume and Claim | `""` | +| `controller.logPersistence.storageClass` | PVC Storage Class for Kafka logs volume | `""` | +| `controller.logPersistence.accessModes` | Persistent Volume Access Modes | `["ReadWriteOnce"]` | +| `controller.logPersistence.size` | PVC Storage Request for Kafka logs volume | `8Gi` | +| `controller.logPersistence.annotations` | Annotations for the PVC | `{}` | +| `controller.logPersistence.selector` | Selector to match an existing Persistent Volume for Kafka log data PVC. If set, the PVC can't have a PV dynamically provisioned for it | `{}` | +| `controller.logPersistence.mountPath` | Mount path of the Kafka logs volume | `/opt/bitnami/kafka/logs` | + +### Broker-only statefulset parameters + +| Name | Description | Value | +| ---------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | +| `broker.replicaCount` | Number of Kafka broker-only nodes | `0` | +| `broker.minId` | Minimal node.id values for broker-only nodes. Do not change after first initialization. | `100` | +| `broker.zookeeperMigrationMode` | Set to true to deploy cluster controller quorum | `false` | +| `broker.config` | Configuration file for Kafka broker-only nodes, rendered as a template. Auto-generated based on chart values when not specified. | `""` | +| `broker.existingConfigmap` | ConfigMap with Kafka Configuration for broker-only nodes. | `""` | +| `broker.extraConfig` | Additional configuration to be appended at the end of the generated Kafka broker-only nodes configuration file. | `""` | +| `broker.heapOpts` | Kafka Java Heap size for broker-only nodes | `-Xmx1024m -Xms1024m` | +| `broker.command` | Override Kafka container command | `[]` | +| `broker.args` | Override Kafka container arguments | `[]` | +| `broker.extraEnvVars` | Extra environment variables to add to Kafka pods | `[]` | +| `broker.extraEnvVarsCM` | ConfigMap with extra environment variables | `""` | +| `broker.extraEnvVarsSecret` | Secret with extra environment variables | `""` | +| `broker.extraContainerPorts` | Kafka broker-only extra containerPorts. | `[]` | +| `broker.livenessProbe.enabled` | Enable livenessProbe on Kafka containers | `true` | +| `broker.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | +| `broker.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `broker.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `broker.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `broker.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `broker.readinessProbe.enabled` | Enable readinessProbe on Kafka containers | `true` | +| `broker.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `broker.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `broker.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `broker.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `broker.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `broker.startupProbe.enabled` | Enable startupProbe on Kafka containers | `false` | +| `broker.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `broker.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `broker.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `broker.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `broker.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `broker.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `broker.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `broker.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `broker.lifecycleHooks` | lifecycleHooks for the Kafka container to automate configuration before or after startup | `{}` | +| `broker.resources.limits` | The resources limits for the container | `{}` | +| `broker.resources.requests` | The requested resources for the container | `{}` | +| `broker.podSecurityContext.enabled` | Enable security context for the pods | `true` | +| `broker.podSecurityContext.fsGroup` | Set Kafka pod's Security Context fsGroup | `1001` | +| `broker.podSecurityContext.seccompProfile.type` | Set Kafka pod's Security Context seccomp profile | `RuntimeDefault` | +| `broker.containerSecurityContext.enabled` | Enable Kafka containers' Security Context | `true` | +| `broker.containerSecurityContext.runAsUser` | Set Kafka containers' Security Context runAsUser | `1001` | +| `broker.containerSecurityContext.runAsNonRoot` | Set Kafka containers' Security Context runAsNonRoot | `true` | +| `broker.containerSecurityContext.allowPrivilegeEscalation` | Force the child process to be run as non-privileged | `false` | +| `broker.containerSecurityContext.readOnlyRootFilesystem` | Allows the pod to mount the RootFS as ReadOnly only | `true` | +| `broker.containerSecurityContext.capabilities.drop` | Set Kafka containers' server Security Context capabilities to be dropped | `["ALL"]` | +| `broker.hostAliases` | Kafka pods host aliases | `[]` | +| `broker.hostNetwork` | Specify if host network should be enabled for Kafka pods | `false` | +| `broker.hostIPC` | Specify if host IPC should be enabled for Kafka pods | `false` | +| `broker.podLabels` | Extra labels for Kafka pods | `{}` | +| `broker.podAnnotations` | Extra annotations for Kafka pods | `{}` | +| `broker.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `broker.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `broker.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `broker.nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | +| `broker.nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | +| `broker.affinity` | Affinity for pod assignment | `{}` | +| `broker.nodeSelector` | Node labels for pod assignment | `{}` | +| `broker.tolerations` | Tolerations for pod assignment | `[]` | +| `broker.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `broker.terminationGracePeriodSeconds` | Seconds the pod needs to gracefully terminate | `""` | +| `broker.podManagementPolicy` | StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel | `Parallel` | +| `broker.priorityClassName` | Name of the existing priority class to be used by kafka pods | `""` | +| `broker.runtimeClassName` | Name of the runtime class to be used by pod(s) | `""` | +| `broker.schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `broker.updateStrategy.type` | Kafka statefulset strategy type | `RollingUpdate` | +| `broker.extraVolumes` | Optionally specify extra list of additional volumes for the Kafka pod(s) | `[]` | +| `broker.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Kafka container(s) | `[]` | +| `broker.sidecars` | Add additional sidecar containers to the Kafka pod(s) | `[]` | +| `broker.initContainers` | Add additional Add init containers to the Kafka pod(s) | `[]` | +| `broker.pdb.create` | Deploy a pdb object for the Kafka pod | `false` | +| `broker.pdb.minAvailable` | Maximum number/percentage of unavailable Kafka replicas | `""` | +| `broker.pdb.maxUnavailable` | Maximum number/percentage of unavailable Kafka replicas | `1` | +| `broker.persistence.enabled` | Enable Kafka data persistence using PVC, note that ZooKeeper persistence is unaffected | `true` | +| `broker.persistence.existingClaim` | A manually managed Persistent Volume and Claim | `""` | +| `broker.persistence.storageClass` | PVC Storage Class for Kafka data volume | `""` | +| `broker.persistence.accessModes` | Persistent Volume Access Modes | `["ReadWriteOnce"]` | +| `broker.persistence.size` | PVC Storage Request for Kafka data volume | `8Gi` | +| `broker.persistence.annotations` | Annotations for the PVC | `{}` | +| `broker.persistence.labels` | Labels for the PVC | `{}` | +| `broker.persistence.selector` | Selector to match an existing Persistent Volume for Kafka data PVC. If set, the PVC can't have a PV dynamically provisioned for it | `{}` | +| `broker.persistence.mountPath` | Mount path of the Kafka data volume | `/bitnami/kafka` | +| `broker.logPersistence.enabled` | Enable Kafka logs persistence using PVC, note that ZooKeeper persistence is unaffected | `false` | +| `broker.logPersistence.existingClaim` | A manually managed Persistent Volume and Claim | `""` | +| `broker.logPersistence.storageClass` | PVC Storage Class for Kafka logs volume | `""` | +| `broker.logPersistence.accessModes` | Persistent Volume Access Modes | `["ReadWriteOnce"]` | +| `broker.logPersistence.size` | PVC Storage Request for Kafka logs volume | `8Gi` | +| `broker.logPersistence.annotations` | Annotations for the PVC | `{}` | +| `broker.logPersistence.selector` | Selector to match an existing Persistent Volume for Kafka log data PVC. If set, the PVC can't have a PV dynamically provisioned for it | `{}` | +| `broker.logPersistence.mountPath` | Mount path of the Kafka logs volume | `/opt/bitnami/kafka/logs` | ### Traffic Exposure parameters -| Name | Description | Value | -| ------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | -| `service.type` | Kubernetes Service type | `ClusterIP` | -| `service.ports.client` | Kafka svc port for client connections | `9092` | -| `service.ports.controller` | Kafka svc port for controller connections. It is used if "kraft.enabled: true" | `9093` | -| `service.ports.internal` | Kafka svc port for inter-broker connections | `9094` | -| `service.ports.external` | Kafka svc port for external connections | `9095` | -| `service.nodePorts.client` | Node port for the Kafka client connections | `""` | -| `service.nodePorts.external` | Node port for the Kafka external connections | `""` | -| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `service.clusterIP` | Kafka service Cluster IP | `""` | -| `service.loadBalancerIP` | Kafka service Load Balancer IP | `""` | -| `service.loadBalancerSourceRanges` | Kafka service Load Balancer sources | `[]` | -| `service.externalTrafficPolicy` | Kafka service external traffic policy | `Cluster` | -| `service.annotations` | Additional custom annotations for Kafka service | `{}` | -| `service.headless.publishNotReadyAddresses` | Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready | `false` | -| `service.headless.annotations` | Annotations for the headless service. | `{}` | -| `service.headless.labels` | Labels for the headless service. | `{}` | -| `service.extraPorts` | Extra ports to expose in the Kafka service (normally used with the `sidecar` value) | `[]` | -| `externalAccess.enabled` | Enable Kubernetes external cluster access to Kafka brokers | `false` | -| `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs/ports by querying the K8s API | `false` | -| `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry | `docker.io` | -| `externalAccess.autoDiscovery.image.repository` | Init container auto-discovery image repository | `bitnami/kubectl` | -| `externalAccess.autoDiscovery.image.tag` | Init container auto-discovery image tag (immutable tags are recommended) | `1.25.12-debian-11-r6` | -| `externalAccess.autoDiscovery.image.digest` | Kubectl image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `externalAccess.autoDiscovery.image.pullPolicy` | Init container auto-discovery image pull policy | `IfNotPresent` | -| `externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets | `[]` | -| `externalAccess.autoDiscovery.resources.limits` | The resources limits for the auto-discovery init container | `{}` | -| `externalAccess.autoDiscovery.resources.requests` | The requested resources for the auto-discovery init container | `{}` | -| `externalAccess.service.type` | Kubernetes Service type for external access. It can be NodePort, LoadBalancer or ClusterIP | `LoadBalancer` | -| `externalAccess.service.ports.external` | Kafka port used for external access when service type is LoadBalancer | `9094` | -| `externalAccess.service.loadBalancerIPs` | Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount | `[]` | -| `externalAccess.service.loadBalancerNames` | Array of load balancer Names for each Kafka broker. Length must be the same as replicaCount | `[]` | -| `externalAccess.service.loadBalancerAnnotations` | Array of load balancer annotations for each Kafka broker. Length must be the same as replicaCount | `[]` | -| `externalAccess.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | -| `externalAccess.service.nodePorts` | Array of node ports used for each Kafka broker. Length must be the same as replicaCount | `[]` | -| `externalAccess.service.externalIPs` | Use distinct service host IPs to configure Kafka external listener when service type is NodePort. Length must be the same as replicaCount | `[]` | -| `externalAccess.service.useHostIPs` | Use service host IPs to configure Kafka external listener when service type is NodePort | `false` | -| `externalAccess.service.usePodIPs` | using the MY_POD_IP address for external access. | `false` | -| `externalAccess.service.domain` | Domain or external ip used to configure Kafka external listener when service type is NodePort or ClusterIP | `""` | -| `externalAccess.service.publishNotReadyAddresses` | Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready | `false` | -| `externalAccess.service.labels` | Service labels for external access | `{}` | -| `externalAccess.service.annotations` | Service annotations for external access | `{}` | -| `externalAccess.service.extraPorts` | Extra ports to expose in the Kafka external service | `[]` | -| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `false` | -| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | -| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed | `{}` | -| `networkPolicy.externalAccess.from` | customize the from section for External Access on tcp-external port | `[]` | -| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` | - -### Persistence parameters - -| Name | Description | Value | -| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | -| `persistence.enabled` | Enable Kafka data persistence using PVC, note that ZooKeeper persistence is unaffected | `true` | -| `persistence.existingClaim` | A manually managed Persistent Volume and Claim | `""` | -| `persistence.storageClass` | PVC Storage Class for Kafka data volume | `""` | -| `persistence.accessModes` | Persistent Volume Access Modes | `["ReadWriteOnce"]` | -| `persistence.size` | PVC Storage Request for Kafka data volume | `8Gi` | -| `persistence.annotations` | Annotations for the PVC | `{}` | -| `persistence.labels` | Labels for the PVC | `{}` | -| `persistence.selector` | Selector to match an existing Persistent Volume for Kafka data PVC. If set, the PVC can't have a PV dynamically provisioned for it | `{}` | -| `persistence.mountPath` | Mount path of the Kafka data volume | `/bitnami/kafka` | -| `logPersistence.enabled` | Enable Kafka logs persistence using PVC, note that ZooKeeper persistence is unaffected | `false` | -| `logPersistence.existingClaim` | A manually managed Persistent Volume and Claim | `""` | -| `logPersistence.storageClass` | PVC Storage Class for Kafka logs volume | `""` | -| `logPersistence.accessModes` | Persistent Volume Access Modes | `["ReadWriteOnce"]` | -| `logPersistence.size` | PVC Storage Request for Kafka logs volume | `8Gi` | -| `logPersistence.annotations` | Annotations for the PVC | `{}` | -| `logPersistence.selector` | Selector to match an existing Persistent Volume for Kafka log data PVC. If set, the PVC can't have a PV dynamically provisioned for it | `{}` | -| `logPersistence.mountPath` | Mount path of the Kafka logs volume | `/opt/bitnami/kafka/logs` | +| Name | Description | Value | +| ------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.ports.client` | Kafka svc port for client connections | `19092` | +| `service.ports.controller` | Kafka svc port for controller connections. It is used if "kraft.enabled: true" | `19093` | +| `service.ports.interbroker` | Kafka svc port for inter-broker connections | `19094` | +| `service.ports.external` | Kafka svc port for external connections | `19095` | +| `service.extraPorts` | Extra ports to expose in the Kafka service (normally used with the `sidecar` value) | `[]` | +| `service.nodePorts.client` | Node port for the Kafka client connections | `""` | +| `service.nodePorts.external` | Node port for the Kafka external connections | `""` | +| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.clusterIP` | Kafka service Cluster IP | `""` | +| `service.loadBalancerIP` | Kafka service Load Balancer IP | `""` | +| `service.loadBalancerSourceRanges` | Kafka service Load Balancer sources | `[]` | +| `service.externalTrafficPolicy` | Kafka service external traffic policy | `Cluster` | +| `service.annotations` | Additional custom annotations for Kafka service | `{}` | +| `service.headless.controller.annotations` | Annotations for the controller-eligible headless service. | `{}` | +| `service.headless.controller.labels` | Labels for the controller-eligible headless service. | `{}` | +| `service.headless.broker.annotations` | Annotations for the broker-only headless service. | `{}` | +| `service.headless.broker.labels` | Labels for the broker-only headless service. | `{}` | +| `externalAccess.enabled` | Enable Kubernetes external cluster access to Kafka brokers | `false` | +| `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs/ports by querying the K8s API | `false` | +| `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry | `docker.io` | +| `externalAccess.autoDiscovery.image.repository` | Init container auto-discovery image repository | `bitnami/kubectl` | +| `externalAccess.autoDiscovery.image.tag` | Init container auto-discovery image tag (immutable tags are recommended) | `1.25.12-debian-11-r14` | +| `externalAccess.autoDiscovery.image.digest` | Kubectl image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `externalAccess.autoDiscovery.image.pullPolicy` | Init container auto-discovery image pull policy | `IfNotPresent` | +| `externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets | `[]` | +| `externalAccess.autoDiscovery.resources.limits` | The resources limits for the auto-discovery init container | `{}` | +| `externalAccess.autoDiscovery.resources.requests` | The requested resources for the auto-discovery init container | `{}` | +| `externalAccess.controller.forceExpose` | If set to true, force exposing controller-eligible nodes although they are configured as controller-only nodes | `false` | +| `externalAccess.controller.service.type` | Kubernetes Service type for external access. It can be NodePort, LoadBalancer or ClusterIP | `LoadBalancer` | +| `externalAccess.controller.service.ports.external` | Kafka port used for external access when service type is LoadBalancer | `9094` | +| `externalAccess.controller.service.loadBalancerIPs` | Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount | `[]` | +| `externalAccess.controller.service.loadBalancerNames` | Array of load balancer Names for each Kafka broker. Length must be the same as replicaCount | `[]` | +| `externalAccess.controller.service.loadBalancerAnnotations` | Array of load balancer annotations for each Kafka broker. Length must be the same as replicaCount | `[]` | +| `externalAccess.controller.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | +| `externalAccess.controller.service.nodePorts` | Array of node ports used for each Kafka broker. Length must be the same as replicaCount | `[]` | +| `externalAccess.controller.service.externalIPs` | Use distinct service host IPs to configure Kafka external listener when service type is NodePort. Length must be the same as replicaCount | `[]` | +| `externalAccess.controller.service.useHostIPs` | Use service host IPs to configure Kafka external listener when service type is NodePort | `false` | +| `externalAccess.controller.service.usePodIPs` | using the MY_POD_IP address for external access. | `false` | +| `externalAccess.controller.service.domain` | Domain or external ip used to configure Kafka external listener when service type is NodePort or ClusterIP | `""` | +| `externalAccess.controller.service.publishNotReadyAddresses` | Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready | `false` | +| `externalAccess.controller.service.labels` | Service labels for external access | `{}` | +| `externalAccess.controller.service.annotations` | Service annotations for external access | `{}` | +| `externalAccess.controller.service.extraPorts` | Extra ports to expose in the Kafka external service | `[]` | +| `externalAccess.broker.service.type` | Kubernetes Service type for external access. It can be NodePort, LoadBalancer or ClusterIP | `LoadBalancer` | +| `externalAccess.broker.service.ports.external` | Kafka port used for external access when service type is LoadBalancer | `9094` | +| `externalAccess.broker.service.loadBalancerIPs` | Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount | `[]` | +| `externalAccess.broker.service.loadBalancerNames` | Array of load balancer Names for each Kafka broker. Length must be the same as replicaCount | `[]` | +| `externalAccess.broker.service.loadBalancerAnnotations` | Array of load balancer annotations for each Kafka broker. Length must be the same as replicaCount | `[]` | +| `externalAccess.broker.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | +| `externalAccess.broker.service.nodePorts` | Array of node ports used for each Kafka broker. Length must be the same as replicaCount | `[]` | +| `externalAccess.broker.service.externalIPs` | Use distinct service host IPs to configure Kafka external listener when service type is NodePort. Length must be the same as replicaCount | `[]` | +| `externalAccess.broker.service.useHostIPs` | Use service host IPs to configure Kafka external listener when service type is NodePort | `false` | +| `externalAccess.broker.service.usePodIPs` | using the MY_POD_IP address for external access. | `false` | +| `externalAccess.broker.service.domain` | Domain or external ip used to configure Kafka external listener when service type is NodePort or ClusterIP | `""` | +| `externalAccess.broker.service.publishNotReadyAddresses` | Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready | `false` | +| `externalAccess.broker.service.labels` | Service labels for external access | `{}` | +| `externalAccess.broker.service.annotations` | Service annotations for external access | `{}` | +| `externalAccess.broker.service.extraPorts` | Extra ports to expose in the Kafka external service | `[]` | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed | `{}` | +| `networkPolicy.externalAccess.from` | customize the from section for External Access on tcp-external port | `[]` | +| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` | ### Volume Permissions parameters @@ -312,7 +438,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | | `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | | `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/os-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r16` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r25` | | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | @@ -332,170 +458,181 @@ The command removes all the Kubernetes components associated with the chart and ### Metrics parameters -| Name | Description | Value | -| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | -| `metrics.kafka.enabled` | Whether or not to create a standalone Kafka exporter to expose Kafka metrics | `false` | -| `metrics.kafka.image.registry` | Kafka exporter image registry | `docker.io` | -| `metrics.kafka.image.repository` | Kafka exporter image repository | `bitnami/kafka-exporter` | -| `metrics.kafka.image.tag` | Kafka exporter image tag (immutable tags are recommended) | `1.7.0-debian-11-r61` | -| `metrics.kafka.image.digest` | Kafka exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `metrics.kafka.image.pullPolicy` | Kafka exporter image pull policy | `IfNotPresent` | -| `metrics.kafka.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `metrics.kafka.certificatesSecret` | Name of the existing secret containing the optional certificate and key files | `""` | -| `metrics.kafka.tlsCert` | The secret key from the certificatesSecret if 'client-cert' key different from the default (cert-file) | `cert-file` | -| `metrics.kafka.tlsKey` | The secret key from the certificatesSecret if 'client-key' key different from the default (key-file) | `key-file` | -| `metrics.kafka.tlsCaSecret` | Name of the existing secret containing the optional ca certificate for Kafka exporter client authentication | `""` | -| `metrics.kafka.tlsCaCert` | The secret key from the certificatesSecret or tlsCaSecret if 'ca-cert' key different from the default (ca-file) | `ca-file` | -| `metrics.kafka.extraFlags` | Extra flags to be passed to Kafka exporter | `{}` | -| `metrics.kafka.command` | Override Kafka exporter container command | `[]` | -| `metrics.kafka.args` | Override Kafka exporter container arguments | `[]` | -| `metrics.kafka.containerPorts.metrics` | Kafka exporter metrics container port | `9308` | -| `metrics.kafka.resources.limits` | The resources limits for the container | `{}` | -| `metrics.kafka.resources.requests` | The requested resources for the container | `{}` | -| `metrics.kafka.podSecurityContext.enabled` | Enable security context for the pods | `true` | -| `metrics.kafka.podSecurityContext.fsGroup` | Set Kafka exporter pod's Security Context fsGroup | `1001` | -| `metrics.kafka.containerSecurityContext.enabled` | Enable Kafka exporter containers' Security Context | `true` | -| `metrics.kafka.containerSecurityContext.runAsUser` | Set Kafka exporter containers' Security Context runAsUser | `1001` | -| `metrics.kafka.containerSecurityContext.runAsNonRoot` | Set Kafka exporter containers' Security Context runAsNonRoot | `true` | -| `metrics.kafka.hostAliases` | Kafka exporter pods host aliases | `[]` | -| `metrics.kafka.podLabels` | Extra labels for Kafka exporter pods | `{}` | -| `metrics.kafka.podAnnotations` | Extra annotations for Kafka exporter pods | `{}` | -| `metrics.kafka.podAffinityPreset` | Pod affinity preset. Ignored if `metrics.kafka.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `metrics.kafka.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `metrics.kafka.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `metrics.kafka.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `metrics.kafka.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `metrics.kafka.nodeAffinityPreset.key` | Node label key to match Ignored if `metrics.kafka.affinity` is set. | `""` | -| `metrics.kafka.nodeAffinityPreset.values` | Node label values to match. Ignored if `metrics.kafka.affinity` is set. | `[]` | -| `metrics.kafka.affinity` | Affinity for pod assignment | `{}` | -| `metrics.kafka.nodeSelector` | Node labels for pod assignment | `{}` | -| `metrics.kafka.tolerations` | Tolerations for pod assignment | `[]` | -| `metrics.kafka.schedulerName` | Name of the k8s scheduler (other than default) for Kafka exporter | `""` | -| `metrics.kafka.priorityClassName` | Kafka exporter pods' priorityClassName | `""` | -| `metrics.kafka.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | -| `metrics.kafka.extraVolumes` | Optionally specify extra list of additional volumes for the Kafka exporter pod(s) | `[]` | -| `metrics.kafka.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Kafka exporter container(s) | `[]` | -| `metrics.kafka.sidecars` | Add additional sidecar containers to the Kafka exporter pod(s) | `[]` | -| `metrics.kafka.initContainers` | Add init containers to the Kafka exporter pods | `[]` | -| `metrics.kafka.service.ports.metrics` | Kafka exporter metrics service port | `9308` | -| `metrics.kafka.service.clusterIP` | Static clusterIP or None for headless services | `""` | -| `metrics.kafka.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `metrics.kafka.service.annotations` | Annotations for the Kafka exporter service | `{}` | -| `metrics.kafka.serviceAccount.create` | Enable creation of ServiceAccount for Kafka exporter pods | `true` | -| `metrics.kafka.serviceAccount.name` | The name of the service account to use. If not set and `create` is `true`, a name is generated | `""` | -| `metrics.kafka.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | -| `metrics.jmx.enabled` | Whether or not to expose JMX metrics to Prometheus | `false` | -| `metrics.jmx.image.registry` | JMX exporter image registry | `docker.io` | -| `metrics.jmx.image.repository` | JMX exporter image repository | `bitnami/jmx-exporter` | -| `metrics.jmx.image.tag` | JMX exporter image tag (immutable tags are recommended) | `0.19.0-debian-11-r25` | -| `metrics.jmx.image.digest` | JMX exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `metrics.jmx.image.pullPolicy` | JMX exporter image pull policy | `IfNotPresent` | -| `metrics.jmx.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `metrics.jmx.containerSecurityContext.enabled` | Enable Prometheus JMX exporter containers' Security Context | `true` | -| `metrics.jmx.containerSecurityContext.runAsUser` | Set Prometheus JMX exporter containers' Security Context runAsUser | `1001` | -| `metrics.jmx.containerSecurityContext.runAsNonRoot` | Set Prometheus JMX exporter containers' Security Context runAsNonRoot | `true` | -| `metrics.jmx.containerPorts.metrics` | Prometheus JMX exporter metrics container port | `5556` | -| `metrics.jmx.resources.limits` | The resources limits for the JMX exporter container | `{}` | -| `metrics.jmx.resources.requests` | The requested resources for the JMX exporter container | `{}` | -| `metrics.jmx.service.ports.metrics` | Prometheus JMX exporter metrics service port | `5556` | -| `metrics.jmx.service.clusterIP` | Static clusterIP or None for headless services | `""` | -| `metrics.jmx.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `metrics.jmx.service.annotations` | Annotations for the Prometheus JMX exporter service | `{}` | -| `metrics.jmx.whitelistObjectNames` | Allows setting which JMX objects you want to expose to via JMX stats to JMX exporter | `["kafka.controller:*","kafka.server:*","java.lang:*","kafka.network:*","kafka.log:*"]` | -| `metrics.jmx.config` | Configuration file for JMX exporter | `""` | -| `metrics.jmx.existingConfigmap` | Name of existing ConfigMap with JMX exporter configuration | `""` | -| `metrics.jmx.extraRules` | Add extra rules to JMX exporter configuration | `""` | -| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (requires `metrics.kafka.enabled` or `metrics.jmx.enabled` to be `true`) | `false` | -| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` | -| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `""` | -| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | -| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | -| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | -| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | -| `metrics.prometheusRule.enabled` | if `true`, creates a Prometheus Operator PrometheusRule (requires `metrics.kafka.enabled` or `metrics.jmx.enabled` to be `true`) | `false` | -| `metrics.prometheusRule.namespace` | Namespace in which Prometheus is running | `""` | -| `metrics.prometheusRule.labels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | -| `metrics.prometheusRule.groups` | Prometheus Rule Groups for Kafka | `[]` | +| Name | Description | Value | +| ----------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | +| `metrics.kafka.enabled` | Whether or not to create a standalone Kafka exporter to expose Kafka metrics | `false` | +| `metrics.kafka.image.registry` | Kafka exporter image registry | `docker.io` | +| `metrics.kafka.image.repository` | Kafka exporter image repository | `bitnami/kafka-exporter` | +| `metrics.kafka.image.tag` | Kafka exporter image tag (immutable tags are recommended) | `1.7.0-debian-11-r69` | +| `metrics.kafka.image.digest` | Kafka exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.kafka.image.pullPolicy` | Kafka exporter image pull policy | `IfNotPresent` | +| `metrics.kafka.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.kafka.certificatesSecret` | Name of the existing secret containing the optional certificate and key files | `""` | +| `metrics.kafka.tlsCert` | The secret key from the certificatesSecret if 'client-cert' key different from the default (cert-file) | `cert-file` | +| `metrics.kafka.tlsKey` | The secret key from the certificatesSecret if 'client-key' key different from the default (key-file) | `key-file` | +| `metrics.kafka.tlsCaSecret` | Name of the existing secret containing the optional ca certificate for Kafka exporter client authentication | `""` | +| `metrics.kafka.tlsCaCert` | The secret key from the certificatesSecret or tlsCaSecret if 'ca-cert' key different from the default (ca-file) | `ca-file` | +| `metrics.kafka.extraFlags` | Extra flags to be passed to Kafka exporter | `{}` | +| `metrics.kafka.command` | Override Kafka exporter container command | `[]` | +| `metrics.kafka.args` | Override Kafka exporter container arguments | `[]` | +| `metrics.kafka.containerPorts.metrics` | Kafka exporter metrics container port | `9308` | +| `metrics.kafka.resources.limits` | The resources limits for the container | `{}` | +| `metrics.kafka.resources.requests` | The requested resources for the container | `{}` | +| `metrics.kafka.podSecurityContext.enabled` | Enable security context for the pods | `true` | +| `metrics.kafka.podSecurityContext.fsGroup` | Set Kafka exporter pod's Security Context fsGroup | `1001` | +| `metrics.kafka.podSecurityContext.seccompProfile.type` | Set Kafka exporter pod's Security Context seccomp profile | `RuntimeDefault` | +| `metrics.kafka.containerSecurityContext.enabled` | Enable Kafka exporter containers' Security Context | `true` | +| `metrics.kafka.containerSecurityContext.runAsUser` | Set Kafka exporter containers' Security Context runAsUser | `1001` | +| `metrics.kafka.containerSecurityContext.runAsNonRoot` | Set Kafka exporter containers' Security Context runAsNonRoot | `true` | +| `metrics.kafka.containerSecurityContext.allowPrivilegeEscalation` | Set Kafka exporter containers' Security Context allowPrivilegeEscalation | `false` | +| `metrics.kafka.containerSecurityContext.readOnlyRootFilesystem` | Set Kafka exporter containers' Security Context readOnlyRootFilesystem | `true` | +| `metrics.kafka.containerSecurityContext.capabilities.drop` | Set Kafka exporter containers' Security Context capabilities to be dropped | `["ALL"]` | +| `metrics.kafka.hostAliases` | Kafka exporter pods host aliases | `[]` | +| `metrics.kafka.podLabels` | Extra labels for Kafka exporter pods | `{}` | +| `metrics.kafka.podAnnotations` | Extra annotations for Kafka exporter pods | `{}` | +| `metrics.kafka.podAffinityPreset` | Pod affinity preset. Ignored if `metrics.kafka.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `metrics.kafka.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `metrics.kafka.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `metrics.kafka.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `metrics.kafka.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `metrics.kafka.nodeAffinityPreset.key` | Node label key to match Ignored if `metrics.kafka.affinity` is set. | `""` | +| `metrics.kafka.nodeAffinityPreset.values` | Node label values to match. Ignored if `metrics.kafka.affinity` is set. | `[]` | +| `metrics.kafka.affinity` | Affinity for pod assignment | `{}` | +| `metrics.kafka.nodeSelector` | Node labels for pod assignment | `{}` | +| `metrics.kafka.tolerations` | Tolerations for pod assignment | `[]` | +| `metrics.kafka.schedulerName` | Name of the k8s scheduler (other than default) for Kafka exporter | `""` | +| `metrics.kafka.priorityClassName` | Kafka exporter pods' priorityClassName | `""` | +| `metrics.kafka.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | +| `metrics.kafka.extraVolumes` | Optionally specify extra list of additional volumes for the Kafka exporter pod(s) | `[]` | +| `metrics.kafka.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Kafka exporter container(s) | `[]` | +| `metrics.kafka.sidecars` | Add additional sidecar containers to the Kafka exporter pod(s) | `[]` | +| `metrics.kafka.initContainers` | Add init containers to the Kafka exporter pods | `[]` | +| `metrics.kafka.service.ports.metrics` | Kafka exporter metrics service port | `9308` | +| `metrics.kafka.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `metrics.kafka.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `metrics.kafka.service.annotations` | Annotations for the Kafka exporter service | `{}` | +| `metrics.kafka.serviceAccount.create` | Enable creation of ServiceAccount for Kafka exporter pods | `true` | +| `metrics.kafka.serviceAccount.name` | The name of the service account to use. If not set and `create` is `true`, a name is generated | `""` | +| `metrics.kafka.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `metrics.jmx.enabled` | Whether or not to expose JMX metrics to Prometheus | `false` | +| `metrics.jmx.kafkaJmxPort` | JMX port where the exporter will collect metrics, exposed in the Kafka container. | `5555` | +| `metrics.jmx.image.registry` | JMX exporter image registry | `docker.io` | +| `metrics.jmx.image.repository` | JMX exporter image repository | `bitnami/jmx-exporter` | +| `metrics.jmx.image.tag` | JMX exporter image tag (immutable tags are recommended) | `0.19.0-debian-11-r33` | +| `metrics.jmx.image.digest` | JMX exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.jmx.image.pullPolicy` | JMX exporter image pull policy | `IfNotPresent` | +| `metrics.jmx.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.jmx.containerSecurityContext.enabled` | Enable Prometheus JMX exporter containers' Security Context | `true` | +| `metrics.jmx.containerSecurityContext.runAsUser` | Set Prometheus JMX exporter containers' Security Context runAsUser | `1001` | +| `metrics.jmx.containerSecurityContext.runAsNonRoot` | Set Prometheus JMX exporter containers' Security Context runAsNonRoot | `true` | +| `metrics.jmx.containerSecurityContext.allowPrivilegeEscalation` | Set Prometheus JMX exporter containers' Security Context allowPrivilegeEscalation | `false` | +| `metrics.jmx.containerSecurityContext.readOnlyRootFilesystem` | Set Prometheus JMX exporter containers' Security Context readOnlyRootFilesystem | `true` | +| `metrics.jmx.containerSecurityContext.capabilities.drop` | Set Prometheus JMX exporter containers' Security Context capabilities to be dropped | `["ALL"]` | +| `metrics.jmx.containerPorts.metrics` | Prometheus JMX exporter metrics container port | `5556` | +| `metrics.jmx.resources.limits` | The resources limits for the JMX exporter container | `{}` | +| `metrics.jmx.resources.requests` | The requested resources for the JMX exporter container | `{}` | +| `metrics.jmx.service.ports.metrics` | Prometheus JMX exporter metrics service port | `5556` | +| `metrics.jmx.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `metrics.jmx.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `metrics.jmx.service.annotations` | Annotations for the Prometheus JMX exporter service | `{}` | +| `metrics.jmx.whitelistObjectNames` | Allows setting which JMX objects you want to expose to via JMX stats to JMX exporter | `["kafka.controller:*","kafka.server:*","java.lang:*","kafka.network:*","kafka.log:*"]` | +| `metrics.jmx.config` | Configuration file for JMX exporter | `""` | +| `metrics.jmx.existingConfigmap` | Name of existing ConfigMap with JMX exporter configuration | `""` | +| `metrics.jmx.extraRules` | Add extra rules to JMX exporter configuration | `""` | +| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (requires `metrics.kafka.enabled` or `metrics.jmx.enabled` to be `true`) | `false` | +| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.prometheusRule.enabled` | if `true`, creates a Prometheus Operator PrometheusRule (requires `metrics.kafka.enabled` or `metrics.jmx.enabled` to be `true`) | `false` | +| `metrics.prometheusRule.namespace` | Namespace in which Prometheus is running | `""` | +| `metrics.prometheusRule.labels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.groups` | Prometheus Rule Groups for Kafka | `[]` | ### Kafka provisioning parameters -| Name | Description | Value | -| ---------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | --------------------- | -| `provisioning.enabled` | Enable kafka provisioning Job | `false` | -| `provisioning.numPartitions` | Default number of partitions for topics when unspecified | `1` | -| `provisioning.replicationFactor` | Default replication factor for topics when unspecified | `1` | -| `provisioning.topics` | Kafka topics to provision | `[]` | -| `provisioning.nodeSelector` | Node labels for pod assignment | `{}` | -| `provisioning.tolerations` | Tolerations for pod assignment | `[]` | -| `provisioning.extraProvisioningCommands` | Extra commands to run to provision cluster resources | `[]` | -| `provisioning.parallel` | Number of provisioning commands to run at the same time | `1` | -| `provisioning.preScript` | Extra bash script to run before topic provisioning. $CLIENT_CONF is path to properties file with most needed configurations | `""` | -| `provisioning.postScript` | Extra bash script to run after topic provisioning. $CLIENT_CONF is path to properties file with most needed configurations | `""` | -| `provisioning.auth.tls.type` | Format to use for TLS certificates. Allowed types: `jks` and `pem`. | `jks` | -| `provisioning.auth.tls.certificatesSecret` | Existing secret containing the TLS certificates for the Kafka provisioning Job. | `""` | -| `provisioning.auth.tls.cert` | The secret key from the certificatesSecret if 'cert' key different from the default (tls.crt) | `tls.crt` | -| `provisioning.auth.tls.key` | The secret key from the certificatesSecret if 'key' key different from the default (tls.key) | `tls.key` | -| `provisioning.auth.tls.caCert` | The secret key from the certificatesSecret if 'caCert' key different from the default (ca.crt) | `ca.crt` | -| `provisioning.auth.tls.keystore` | The secret key from the certificatesSecret if 'keystore' key different from the default (keystore.jks) | `keystore.jks` | -| `provisioning.auth.tls.truststore` | The secret key from the certificatesSecret if 'truststore' key different from the default (truststore.jks) | `truststore.jks` | -| `provisioning.auth.tls.passwordsSecret` | Name of the secret containing passwords to access the JKS files or PEM key when they are password-protected. | `""` | -| `provisioning.auth.tls.keyPasswordSecretKey` | The secret key from the passwordsSecret if 'keyPasswordSecretKey' key different from the default (key-password) | `key-password` | -| `provisioning.auth.tls.keystorePasswordSecretKey` | The secret key from the passwordsSecret if 'keystorePasswordSecretKey' key different from the default (keystore-password) | `keystore-password` | -| `provisioning.auth.tls.truststorePasswordSecretKey` | The secret key from the passwordsSecret if 'truststorePasswordSecretKey' key different from the default (truststore-password) | `truststore-password` | -| `provisioning.auth.tls.keyPassword` | Password to access the password-protected PEM key if necessary. Ignored if 'passwordsSecret' is provided. | `""` | -| `provisioning.auth.tls.keystorePassword` | Password to access the JKS keystore. Ignored if 'passwordsSecret' is provided. | `""` | -| `provisioning.auth.tls.truststorePassword` | Password to access the JKS truststore. Ignored if 'passwordsSecret' is provided. | `""` | -| `provisioning.command` | Override provisioning container command | `[]` | -| `provisioning.args` | Override provisioning container arguments | `[]` | -| `provisioning.extraEnvVars` | Extra environment variables to add to the provisioning pod | `[]` | -| `provisioning.extraEnvVarsCM` | ConfigMap with extra environment variables | `""` | -| `provisioning.extraEnvVarsSecret` | Secret with extra environment variables | `""` | -| `provisioning.podAnnotations` | Extra annotations for Kafka provisioning pods | `{}` | -| `provisioning.podLabels` | Extra labels for Kafka provisioning pods | `{}` | -| `provisioning.serviceAccount.create` | Enable creation of ServiceAccount for Kafka provisioning pods | `false` | -| `provisioning.serviceAccount.name` | The name of the service account to use. If not set and `create` is `true`, a name is generated | `""` | -| `provisioning.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | -| `provisioning.resources.limits` | The resources limits for the Kafka provisioning container | `{}` | -| `provisioning.resources.requests` | The requested resources for the Kafka provisioning container | `{}` | -| `provisioning.podSecurityContext.enabled` | Enable security context for the pods | `true` | -| `provisioning.podSecurityContext.fsGroup` | Set Kafka provisioning pod's Security Context fsGroup | `1001` | -| `provisioning.containerSecurityContext.enabled` | Enable Kafka provisioning containers' Security Context | `true` | -| `provisioning.containerSecurityContext.runAsUser` | Set Kafka provisioning containers' Security Context runAsUser | `1001` | -| `provisioning.containerSecurityContext.runAsNonRoot` | Set Kafka provisioning containers' Security Context runAsNonRoot | `true` | -| `provisioning.schedulerName` | Name of the k8s scheduler (other than default) for kafka provisioning | `""` | -| `provisioning.extraVolumes` | Optionally specify extra list of additional volumes for the Kafka provisioning pod(s) | `[]` | -| `provisioning.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Kafka provisioning container(s) | `[]` | -| `provisioning.sidecars` | Add additional sidecar containers to the Kafka provisioning pod(s) | `[]` | -| `provisioning.initContainers` | Add additional Add init containers to the Kafka provisioning pod(s) | `[]` | -| `provisioning.waitForKafka` | If true use an init container to wait until kafka is ready before starting provisioning | `true` | +| Name | Description | Value | +| ---------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | --------------------- | +| `provisioning.enabled` | Enable kafka provisioning Job | `false` | +| `provisioning.numPartitions` | Default number of partitions for topics when unspecified | `1` | +| `provisioning.replicationFactor` | Default replication factor for topics when unspecified | `1` | +| `provisioning.topics` | Kafka topics to provision | `[]` | +| `provisioning.nodeSelector` | Node labels for pod assignment | `{}` | +| `provisioning.tolerations` | Tolerations for pod assignment | `[]` | +| `provisioning.extraProvisioningCommands` | Extra commands to run to provision cluster resources | `[]` | +| `provisioning.parallel` | Number of provisioning commands to run at the same time | `1` | +| `provisioning.preScript` | Extra bash script to run before topic provisioning. $CLIENT_CONF is path to properties file with most needed configurations | `""` | +| `provisioning.postScript` | Extra bash script to run after topic provisioning. $CLIENT_CONF is path to properties file with most needed configurations | `""` | +| `provisioning.auth.tls.type` | Format to use for TLS certificates. Allowed types: `JKS` and `PEM`. | `jks` | +| `provisioning.auth.tls.certificatesSecret` | Existing secret containing the TLS certificates for the Kafka provisioning Job. | `""` | +| `provisioning.auth.tls.cert` | The secret key from the certificatesSecret if 'cert' key different from the default (tls.crt) | `tls.crt` | +| `provisioning.auth.tls.key` | The secret key from the certificatesSecret if 'key' key different from the default (tls.key) | `tls.key` | +| `provisioning.auth.tls.caCert` | The secret key from the certificatesSecret if 'caCert' key different from the default (ca.crt) | `ca.crt` | +| `provisioning.auth.tls.keystore` | The secret key from the certificatesSecret if 'keystore' key different from the default (keystore.jks) | `keystore.jks` | +| `provisioning.auth.tls.truststore` | The secret key from the certificatesSecret if 'truststore' key different from the default (truststore.jks) | `truststore.jks` | +| `provisioning.auth.tls.passwordsSecret` | Name of the secret containing passwords to access the JKS files or PEM key when they are password-protected. | `""` | +| `provisioning.auth.tls.keyPasswordSecretKey` | The secret key from the passwordsSecret if 'keyPasswordSecretKey' key different from the default (key-password) | `key-password` | +| `provisioning.auth.tls.keystorePasswordSecretKey` | The secret key from the passwordsSecret if 'keystorePasswordSecretKey' key different from the default (keystore-password) | `keystore-password` | +| `provisioning.auth.tls.truststorePasswordSecretKey` | The secret key from the passwordsSecret if 'truststorePasswordSecretKey' key different from the default (truststore-password) | `truststore-password` | +| `provisioning.auth.tls.keyPassword` | Password to access the password-protected PEM key if necessary. Ignored if 'passwordsSecret' is provided. | `""` | +| `provisioning.auth.tls.keystorePassword` | Password to access the JKS keystore. Ignored if 'passwordsSecret' is provided. | `""` | +| `provisioning.auth.tls.truststorePassword` | Password to access the JKS truststore. Ignored if 'passwordsSecret' is provided. | `""` | +| `provisioning.command` | Override provisioning container command | `[]` | +| `provisioning.args` | Override provisioning container arguments | `[]` | +| `provisioning.extraEnvVars` | Extra environment variables to add to the provisioning pod | `[]` | +| `provisioning.extraEnvVarsCM` | ConfigMap with extra environment variables | `""` | +| `provisioning.extraEnvVarsSecret` | Secret with extra environment variables | `""` | +| `provisioning.podAnnotations` | Extra annotations for Kafka provisioning pods | `{}` | +| `provisioning.podLabels` | Extra labels for Kafka provisioning pods | `{}` | +| `provisioning.serviceAccount.create` | Enable creation of ServiceAccount for Kafka provisioning pods | `false` | +| `provisioning.serviceAccount.name` | The name of the service account to use. If not set and `create` is `true`, a name is generated | `""` | +| `provisioning.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `provisioning.resources.limits` | The resources limits for the Kafka provisioning container | `{}` | +| `provisioning.resources.requests` | The requested resources for the Kafka provisioning container | `{}` | +| `provisioning.podSecurityContext.enabled` | Enable security context for the pods | `true` | +| `provisioning.podSecurityContext.fsGroup` | Set Kafka provisioning pod's Security Context fsGroup | `1001` | +| `provisioning.podSecurityContext.seccompProfile.type` | Set Kafka provisioning pod's Security Context seccomp profile | `RuntimeDefault` | +| `provisioning.containerSecurityContext.enabled` | Enable Kafka provisioning containers' Security Context | `true` | +| `provisioning.containerSecurityContext.runAsUser` | Set Kafka provisioning containers' Security Context runAsUser | `1001` | +| `provisioning.containerSecurityContext.runAsNonRoot` | Set Kafka provisioning containers' Security Context runAsNonRoot | `true` | +| `provisioning.containerSecurityContext.allowPrivilegeEscalation` | Set Kafka provisioning containers' Security Context allowPrivilegeEscalation | `false` | +| `provisioning.containerSecurityContext.readOnlyRootFilesystem` | Set Kafka provisioning containers' Security Context readOnlyRootFilesystem | `true` | +| `provisioning.containerSecurityContext.capabilities.drop` | Set Kafka provisioning containers' Security Context capabilities to be dropped | `["ALL"]` | +| `provisioning.schedulerName` | Name of the k8s scheduler (other than default) for kafka provisioning | `""` | +| `provisioning.extraVolumes` | Optionally specify extra list of additional volumes for the Kafka provisioning pod(s) | `[]` | +| `provisioning.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Kafka provisioning container(s) | `[]` | +| `provisioning.sidecars` | Add additional sidecar containers to the Kafka provisioning pod(s) | `[]` | +| `provisioning.initContainers` | Add additional Add init containers to the Kafka provisioning pod(s) | `[]` | +| `provisioning.waitForKafka` | If true use an init container to wait until kafka is ready before starting provisioning | `true` | -### Kraft chart parameters +### KRaft chart parameters -| Name | Description | Value | -| ------------------------------- | --------------------------------------------------------------------------------------- | ------------------------ | -| `kraft.enabled` | Switch to enable or disable the Kraft mode for Kafka | `true` | -| `kraft.processRoles` | Roles of your Kafka nodes. Nodes can have 'broker', 'controller' roles or both of them. | `broker,controller` | -| `kraft.controllerListenerNames` | Controller listener names | `CONTROLLER` | -| `kraft.clusterId` | Kafka ClusterID. You must set it if your cluster contains more than one node. | `kafka_cluster_id_test1` | -| `kraft.controllerQuorumVoters` | Quorum voters of Kafka Kraft cluster. Use it for nodes with 'broker' role only. | `""` | +| Name | Description | Value | +| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `kraft.enabled` | Switch to enable or disable the KRaft mode for Kafka | `true` | +| `kraft.clusterId` | Kafka Kraft cluster ID. If not set, a random cluster ID will be generated the first time Kraft is initialized. | `""` | +| `kraft.controllerQuorumVoters` | Override the Kafka controller quorum voters of the Kafka Kraft cluster. If not set, it will be automatically configured to use all controller-elegible nodes. | `""` | ### ZooKeeper chart parameters | Name | Description | Value | | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -| `zookeeper.enabled` | Switch to enable or disable the ZooKeeper helm chart. Must be false if you use Kraft mode. | `false` | +| `zookeeperChrootPath` | Path which puts data under some path in the global ZooKeeper namespace | `""` | +| `zookeeper.enabled` | Switch to enable or disable the ZooKeeper helm chart. Must be false if you use KRaft mode. | `false` | | `zookeeper.replicaCount` | Number of ZooKeeper nodes | `1` | | `zookeeper.auth.client.enabled` | Enable ZooKeeper auth | `false` | -| `zookeeper.auth.client.clientUser` | User that will use ZooKeeper clients to auth | `""` | -| `zookeeper.auth.client.clientPassword` | Password that will use ZooKeeper clients to auth | `""` | +| `zookeeper.auth.client.clientUser` | User that will use ZooKeeper client (zkCli.sh) to authenticate. Must exist in the serverUsers comma-separated list. | `""` | +| `zookeeper.auth.client.clientPassword` | Password that will use ZooKeeper client (zkCli.sh) to authenticate. Must exist in the serverPasswords comma-separated list. | `""` | | `zookeeper.auth.client.serverUsers` | Comma, semicolon or whitespace separated list of user to be created. Specify them as a string, for example: "user1,user2,admin" | `""` | | `zookeeper.auth.client.serverPasswords` | Comma, semicolon or whitespace separated list of passwords to assign to users when created. Specify them as a string, for example: "pass4user1, pass4user2, pass4admin" | `""` | | `zookeeper.persistence.enabled` | Enable persistence on ZooKeeper using PVC(s) | `true` | | `zookeeper.persistence.storageClass` | Persistent Volume storage class | `""` | | `zookeeper.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | | `zookeeper.persistence.size` | Persistent Volume size | `8Gi` | -| `externalZookeeper.servers` | List of external zookeeper servers to use. Typically used in combination with 'zookeeperChrootPath'. Must be empty if you use Kraft mode. | `[]` | +| `externalZookeeper.servers` | List of external zookeeper servers to use. Typically used in combination with 'zookeeperChrootPath'. Must be empty if you use KRaft mode. | `[]` | ```console helm install my-release \ @@ -558,9 +695,9 @@ If you enabled SASL authentication on any listener, you can set the SASL credent - `auth.sasl.jaas.interBrokerUser`/`auth.sasl.jaas.interBrokerPassword`: when enabling SASL authentication for inter-broker communications. - `auth.jaas.zookeeperUser`/`auth.jaas.zookeeperPassword`: In the case that the Zookeeper chart is deployed with SASL authentication enabled. -In order to configure TLS authentication/encryption, you **can** create a secret per Kafka broker you have in the cluster containing the Java Key Stores (JKS) files: the truststore (`kafka.truststore.jks`) and the keystore (`kafka.keystore.jks`). Then, you need pass the secret names with the `auth.tls.existingSecrets` parameter when deploying the chart. +In order to configure TLS authentication/encryption, you **can** create a secret per Kafka broker you have in the cluster containing the Java Key Stores (JKS) files: the truststore (`kafka.truststore.jks`) and the keystore (`kafka.keystore.jks`). Then, you need pass the secret names with the `tls.existingSecret` parameter when deploying the chart. -> **Note**: If the JKS files are password protected (recommended), you will need to provide the password to get access to the keystores. To do so, use the `auth.tls.password` parameter to provide your password. +> **Note**: If the JKS files are password protected (recommended), you will need to provide the password to get access to the keystores. To do so, use the `tls.password` parameter to provide your password. For instance, to configure TLS authentication on a Kafka cluster with 2 Kafka brokers use the commands below to create the secrets: @@ -573,26 +710,24 @@ kubectl create secret generic kafka-jks-1 --from-file=kafka.truststore.jks=./kaf If, for some reason (like using Cert-Manager) you can not use the default JKS secret scheme, you can use the additional parameters: -- `auth.tls.jksTruststoreSecret` to define additional secret, where the `kafka.truststore.jks` is being kept. The truststore password **must** be the same as in `auth.tls.password` -- `auth.tls.jksTruststore` to overwrite the default value of the truststore key (`kafka.truststore.jks`). -- `auth.tls.jksKeystoreSAN` if you want to use a SAN certificate for your brokers. Setting this parameter would mean that the chart expects a existing key in the `auth.tls.jksTruststoreSecret` with the `auth.tls.jksKeystoreSAN` value and use this as a keystore for **all** brokers +- `tls.jksTruststoreSecret` to define additional secret, where the `kafka.truststore.jks` is being kept. The truststore password **must** be the same as in `tls.password` +- `tls.jksTruststore` to overwrite the default value of the truststore key (`kafka.truststore.jks`). -> **Note**: If you are using cert-manager, particularly when an ACME issuer is used, the `ca.crt` field is not put in the `Secret` that cert-manager creates. To handle this, the `auth.tls.pemChainIncluded` property can be set to `true` and the initContainer created by this Chart will attempt to extract the intermediate certs from the `tls.crt` field of the secret (which is a PEM chain) -> **Note**: The truststore/keystore from above **must** be protected with the same password as in `auth.tls.password` +> **Note**: If you are using cert-manager, particularly when an ACME issuer is used, the `ca.crt` field is not put in the `Secret` that cert-manager creates. To handle this, the `tls.pemChainIncluded` property can be set to `true` and the initContainer created by this Chart will attempt to extract the intermediate certs from the `tls.crt` field of the secret (which is a PEM chain) +> **Note**: The truststore/keystore from above **must** be protected with the same password as in `tls.password` You can deploy the chart with authentication using the following parameters: ```console replicaCount=2 -auth.clientProtocol=sasl -auth.interBrokerProtocol=tls -auth.tls.existingSecrets[0]=kafka-jks-0 -auth.tls.existingSecrets[1]=kafka-jks-1 -auth.tls.password=jksPassword -auth.sasl.jaas.clientUsers[0]=brokerUser -auth.sasl.jaas.clientPasswords[0]=brokerPassword -auth.sasl.jaas.zookeeperUser=zookeeperUser -auth.sasl.jaas.zookeeperPassword=zookeeperPassword +listeners.client.client.protocol=SASL +listeners.client.interbroker.protocol=TLS +tls.existingSecret=kafka-jks +tls.password=jksPassword +sasl.client.users[0]=brokerUser +sasl.client.passwords[0]=brokerPassword +sasl.zookeeper.user=zookeeperUser +sasl.zookeeper.password=zookeeperPassword zookeeper.auth.enabled=true zookeeper.auth.serverUsers=zookeeperUser zookeeper.auth.serverPasswords=zookeeperPassword @@ -604,15 +739,14 @@ You can deploy the chart with AclAuthorizer using the following parameters: ```console replicaCount=2 -auth.clientProtocol=sasl -auth.interBrokerProtocol=sasl_tls -auth.tls.existingSecrets[0]=kafka-jks-0 -auth.tls.existingSecrets[1]=kafka-jks-1 -auth.tls.password=jksPassword -auth.sasl.jaas.clientUsers[0]=brokerUser -auth.sasl.jaas.clientPasswords[0]=brokerPassword -auth.sasl.jaas.zookeeperUser=zookeeperUser -auth.sasl.jaas.zookeeperPassword=zookeeperPassword +listeners.client.protocol=SASL +listeners.interbroker.protocol=SASL_TLS +tls.existingSecret=kafka-jks-0 +tls.password=jksPassword +sasl.client.users[0]=brokerUser +sasl.client.passwords[0]=brokerPassword +sasl.zookeeper.user=zookeeperUser +sasl.zookeeper.password=zookeeperPassword zookeeper.auth.enabled=true zookeeper.auth.serverUsers=zookeeperUser zookeeper.auth.serverPasswords=zookeeperPassword @@ -625,11 +759,11 @@ superUsers=User:admin If you are using Kafka ACLs, you might encounter in kafka-authorizer.log the following event: `[...] Principal = User:ANONYMOUS is Allowed Operation [...]`. -By setting the following parameter: `auth.clientProtocol=mtls`, it will set the configuration in Kafka to `ssl.client.auth=required`. This option will require the clients to authenticate to Kafka brokers. +By setting the following parameter: `listeners.client.protocol=SSL` and `listener.client.sslClientAuth=required`, Kafka will require the clients to authenticate to Kafka brokers via certificate. As result, we will be able to see in kafka-authorizer.log the events specific Subject: `[...] Principal = User:CN=kafka,OU=...,O=...,L=...,C=..,ST=... is [...]`. -If you also enable exposing metrics using the Kafka exporter, and you are using `sasl_tls`, `tls`, or `mtls` authentication protocols, you need to mount the CA certificated used to sign the brokers certificates in the exporter so it can validate the Kafka brokers. To do so, create a secret containing the CA, and set the `metrics.certificatesSecret` parameter. As an alternative, you can skip TLS validation using extra flags: +If you also enable exposing metrics using the Kafka exporter, and you are using `SSL` or `SASL_SSL` security protocols protocols, you need to mount the CA certificated used to sign the brokers certificates in the exporter so it can validate the Kafka brokers. To do so, create a secret containing the CA, and set the `metrics.certificatesSecret` parameter. As an alternative, you can skip TLS validation using extra flags: ```console metrics.kafka.extraFlags={tls.insecure-skip-tls-verify: ""} @@ -649,8 +783,10 @@ You have two alternatives to use LoadBalancer services: ```console externalAccess.enabled=true -externalAccess.service.type=LoadBalancer -externalAccess.service.ports.external=9094 +externalAccess.service.broker.type=LoadBalancer +externalAccess.service.controller.type=LoadBalancer +externalAccess.service.broker.ports.external=9094 +externalAccess.service.controller.containerPorts.external=9094 externalAccess.autoDiscovery.enabled=true serviceAccount.create=true rbac.create=true @@ -662,10 +798,14 @@ Note: This option requires creating RBAC rules on clusters where RBAC policies a ```console externalAccess.enabled=true -externalAccess.service.type=LoadBalancer -externalAccess.service.ports.external=9094 -externalAccess.service.loadBalancerIPs[0]='external-ip-1' -externalAccess.service.loadBalancerIPs[1]='external-ip-2'} +externalAccess.service.controller.type=LoadBalancer +externalAccess.service.controller.containerPorts.external=9094 +externalAccess.service.controller.loadBalancerIPs[0]='external-ip-1' +externalAccess.service.controller.loadBalancerIPs[1]='external-ip-2' +externalAccess.service.broker.type=LoadBalancer +externalAccess.service.broker.ports.external=9094 +externalAccess.service.broker.loadBalancerIPs[0]='external-ip-3' +externalAccess.service.broker.loadBalancerIPs[1]='external-ip-4' ``` Note: You need to know in advance the load balancer IPs so each Kafka broker advertised listener is configured with it. @@ -680,7 +820,8 @@ You have two alternatives to use NodePort services: ```console externalAccess.enabled=true - externalAccess.service.type=NodePort + externalAccess.controller.service.type=NodePort + externalAccess.broker.service.type=NodePort externalAccess.autoDiscovery.enabled=true serviceAccount.create=true rbac.create=true @@ -692,23 +833,23 @@ You have two alternatives to use NodePort services: ```console externalAccess.enabled=true - externalAccess.service.type=NodePort - externalAccess.service.nodePorts[0]='node-port-1' - externalAccess.service.nodePorts[1]='node-port-2' + externalAccess.controller.service.type=NodePort + externalAccess.controller.service.nodePorts[0]='node-port-1' + externalAccess.controller.service.nodePorts[1]='node-port-2' ``` Note: You need to know in advance the node ports that will be exposed so each Kafka broker advertised listener is configured with it. The pod will try to get the external ip of the node using `curl -s https://ipinfo.io/ip` unless `externalAccess.service.domain` or `externalAccess.service.useHostIPs` is provided. -- Option C) Manually specify distinct external IPs +- Option C) Manually specify distinct external IPs (using controller+broker nodes) ```console externalAccess.enabled=true - externalAccess.service.type=NodePort - externalAccess.service.externalIPs[0]='172.16.0.20' - externalAccess.service.externalIPs[1]='172.16.0.21' - externalAccess.service.externalIPs[2]='172.16.0.22' + externalAccess.controller.service.type=NodePort + externalAccess.controller.service.externalIPs[0]='172.16.0.20' + externalAccess.controller.service.externalIPs[1]='172.16.0.21' + externalAccess.controller.service.externalIPs[2]='172.16.0.22' ``` Note: You need to know in advance the available IP of your cluster that will be exposed so each Kafka broker advertised listener is configured with it. @@ -719,18 +860,21 @@ Note: This option requires that an ingress is deployed within your cluster ```console externalAccess.enabled=true -externalAccess.service.type=ClusterIP -externalAccess.service.ports.external=9094 -externalAccess.service.domain='ingress-ip' +externalAccess.controller.service.type=ClusterIP +externalAccess.controller.service.ports.external=9094 +externalAccess.controller.service.domain='ingress-ip' +externalAccess.broker.service.type=ClusterIP +externalAccess.broker.service.ports.external=9094 +externalAccess.broker.service.domain='ingress-ip' ``` Note: the deployed ingress must contain the following block: ```console tcp: - 9094: "{{ .Release.Namespace }}/{{ include "kafka.fullname" . }}-0-external:9094" - 9095: "{{ .Release.Namespace }}/{{ include "kafka.fullname" . }}-1-external:9094" - 9096: "{{ .Release.Namespace }}/{{ include "kafka.fullname" . }}-2-external:9094" + 9094: "{{ include "common.names.namespace" . }}/{{ include "common.names.fullname" . }}-0-external:9094" + 9095: "{{ include "common.names.namespace" . }}/{{ include "common.names.fullname" . }}-1-external:9094" + 9096: "{{ include "common.names.namespace" . }}/{{ include "common.names.fullname" . }}-2-external:9094" ``` #### Name resolution with External-DNS @@ -776,7 +920,7 @@ extraDeploy: apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "kafka.fullname" . }}-connect + name: {{ include "common.names.fullname" . }}-connect labels: {{- include "common.labels.standard" . | nindent 4 }} app.kubernetes.io/component: connector spec: @@ -802,17 +946,17 @@ extraDeploy: volumes: - name: configuration configMap: - name: {{ include "kafka.fullname" . }}-connect + name: {{ include "common.names.fullname" . }}-connect - | apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "kafka.fullname" . }}-connect + name: {{ include "common.names.fullname" . }}-connect labels: {{- include "common.labels.standard" . | nindent 4 }} app.kubernetes.io/component: connector data: connect-standalone.properties: |- - bootstrap.servers = {{ include "kafka.fullname" . }}-0.{{ include "kafka.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.service.port }} + bootstrap.servers = {{ include "common.names.fullname" . }}-0.{{ include "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}:{{ .Values.service.port }} ... mongodb.properties: |- connection.uri=mongodb://root:password@mongodb-hostname:27017 @@ -821,7 +965,7 @@ extraDeploy: apiVersion: v1 kind: Service metadata: - name: {{ include "kafka.fullname" . }}-connect + name: {{ include "common.names.fullname" . }}-connect labels: {{- include "common.labels.standard" . | nindent 4 }} app.kubernetes.io/component: connector spec: @@ -846,9 +990,7 @@ CMD /opt/bitnami/kafka/bin/connect-standalone.sh /opt/bitnami/kafka/config/conne ## Persistence -The [Bitnami Kafka](https://github.com/bitnami/containers/tree/main/bitnami/kafka) image stores the Kafka data at the `/bitnami/kafka` path of the container. - -Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. See the [Parameters](#persistence-parameters) section to configure the PVC or to disable persistence. +The [Bitnami Kafka](https://github.com/bitnami/containers/tree/main/bitnami/kafka) image stores the Kafka data at the `/bitnami/kafka` path of the container. Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. ### Adjust permissions of persistent volume mountpoint @@ -863,8 +1005,210 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). +## Migrating from Zookeeper (Early access) + +This guide is an adaptation from upstream documentation: [Migrate from ZooKeeper to KRaft](https://docs.confluent.io/platform/current/installation/migrate-zk-kraft.html) + +1. Retrieve the cluster ID from Zookeeper: + + ```console + $ kubectl exec -it -- zkCli.sh get /cluster/id + /opt/bitnami/java/bin/java + Connecting to localhost:2181 + + WATCHER:: + + WatchedEvent state:SyncConnected type:None path:null + {"version":"1","id":"TEr3HVPvTqSWixWRHngP5g"} + ``` + +2. Deploy at least one Kraft controller-only in your deployment and enable `zookeeperMigrationMode=true`. The Kraft controllers will migrate the data from your Kafka ZkBroker to Kraft mode. + + To do so add the following values to your Zookeeper deployment when upgrading: + + ```yaml + controller: + replicaCount: 1 + controllerOnly: true + zookeeperMigrationMode: true + # If needed, set controllers minID to avoid conflict with your ZK brokers' ids. + # minID: 0 + broker: + zookeeperMigrationMode: true + kraft: + enabled: true + clusterId: "" + ``` + +3. Wait until until all brokers are ready. You should see the following log in the broker logs: + + ```console + INFO [KafkaServer id=100] Finished catching up on KRaft metadata log, requesting that the KRaft controller unfence this broker (kafka.server.KafkaServer) + INFO [BrokerLifecycleManager id=100 isZkBroker=true] The broker has been unfenced. Transitioning from RECOVERY to RUNNING. (kafka.server.BrokerLifecycleManager) + ``` + + In the controllers, the following message should show up: + + ```console + Transitioning ZK migration state from PRE_MIGRATION to MIGRATION (org.apache.kafka.controller.FeatureControlManager) + ``` + +4. Once all brokers have been successfully migrated, set `broker.zookeeperMigrationMode=false` to fully migrate them. + + ```yaml + broker: + zookeeperMigrationMode: false + ``` + +5. To conclude the migration, switch off migration mode on controllers and stop Zookeeper: + + ```yaml + controller: + zookeeperMigrationMode: false + zookeeper: + enabled: false + ``` + + After migration is complete, you should see the following message in your controllers: + + ```console + [2023-07-13 13:07:45,226] INFO [QuorumController id=1] Transitioning ZK migration state from MIGRATION to POST_MIGRATION (org.apache.kafka.controller.FeatureControlManager) + ``` + +6. (**Optional**) If you would like to switch to a non-dedicated cluster, set `controller.controllerOnly=false`. This will cause controller-only nodes to switch to controller+broker nodes. + + At that point, you could manually decommission broker-only nodes by reassigning its partitions to controller-eligible nodes. + + For more information about decommissioning kafka broker check the [Kafka documentation](https://www.confluent.io/blog/remove-kafka-brokers-from-any-cluster-the-easy-way/). + ## Upgrading +### To 24.0.0 + +This major version is a refactor of the Kafka chart and its architecture, to better adapt to Kraft features introduced in version 22.0.0. + +The changes introduced in this version are: + +- New architecture. The chart now has two statefulsets, one for controller-eligible nodes (controller or controller+broker) and another one for broker-only nodes. Please take a look at the subsections [Upgrading from Kraft mode](#upgrading-from-kraft-mode) and [Upgrading from Zookeeper mode](#upgrading-from-zookeeper-mode) for more information about how to upgrade this chart depending on which mode you were using. + + The new architecture is designed to support two main features: + - Deployment of dedicated nodes + - Support for Zookeeper to Kraft migration + +- Adds compatibility with `securityContext.readOnlyRootFs=true`, which is now the execution default. + - The Kafka configuration is now mounted as a ConfigMap instead of generated at runtime. + - Due to the implementation of readOnlyRootFs support, the following settings have been removed and will now rely on Kafka defaults. To override them, please use `extraConfig` to extend your Kafka configuration instead. + - `deleteTopicEnable` + - `autoCreateTopicsEnable` + - `logFlushIntervalMessages` + - `logFlushIntervalMs` + - `logRetentionBytes` + - `logRetentionCheckIntervalMs` + - `logRetentionHours` + - `logSegmentBytes` + - `logsDirs` + - `maxMessageBytes` + - `defaultReplicationFactor` + - `offsetsTopicReplicationFactor` + - `transactionStateLogReplicationFactor` + - `transactionStateLogMinIsr` + - `numIoThreads` + - `numNetworkThreads` + - `numPartitions` + - `numRecoveryThreadsPerDataDir` + - `socketReceiveBufferBytes` + - `socketRequestMaxBytes` + - `socketSendBufferBytes` + - `zookeeperConnectionTimeoutMs` + - `authorizerClassName` + - `allowEveryoneIfNoAclFound` + - `superUsers` +- All listeners are configured with protocol 'SASL_PLAINTEXT' by default. +- Support for SCRAM authentication in KRaft mode +- All statefulset settings have been moved from values' root to `controller.*` and `broker.*`. +- Refactor of listeners configuration: + - Settings `listeners`, `advertisedListeners` and `listenerSecurityProtocolMap` have been replaced with `listeners.*` object, which includes default listeners and each listener can be configured individually and extended using `listeners.extraListeners`. + - Values `interBrokerListenerName`, `allowPlaintextListener` have been removed. +- Refactor of SASL, SSL and ACL settings: + - Authentication nomenclature `plaintext,tls,mtls,sasl,sasl_tls` has been removed. Listeners are now configured using Kafka nomenclature `PLAINTEXT,SASL_PLAINTEXT,SASL_SSL,SSL` in `listeners.*.protocol`. + - mTLS is configured by default for SSL protocol listeners, while it can now also be configured for SASL_SSL listeners if `listener.*.sslClientAuth` is set. + - All SASL settings are now grouped under `sasl.*`. + - `auth.sasl.mechanisms` -> `sasl.enabledMechanisms` + - `auth.interBrokerMechanism` -> `sasl.interBrokerMechanism` + - `auth.sasl.jaas.clientUSers` -> `sasl.client.users` + - `auth.sasl.jaas.clientPasswords` -> `sasl.client.passwords` + - `auth.sasl.jaas.interBrokerUser` -> `sasl.interbroker.user` + - `auth.sasl.jaas.interBrokerPassword` -> `sasl.interbroker.password` + - `auth.sasl.jaas.zookeeperUser` -> `sasl.zookeeper.user` + - `auth.sasl.jaas.zookeeperPassword` -> `sasl.zookeeper.password` + - `auth.sasl.jaas.existingSecret` -> `sasl.existingSecret` + - Added support for Controller listener protocols other than PLAINTEXT. + - TLS settings have been moved from `auth.tls.*` to `tls.*`. + - Zookeeper TLS settings have been moved from `auth.zookeeper*` to `tls.zookeeper.*` +- Refactor externalAccess to support the new architecture: + - `externalAccess.service.*` have been renamed to `externalAccess.controller.service.*` and `externalAccess.controller.service.*`. + - Controller pods will not configure externalAccess unless: + - `controller.controllerOnly=false` (default), meaning the pods are running as 'controller+broker' nodes. + - `externalAccess.controller.service.forceExpose=true`, for use cases where controller-only nodes want to be exposed externally. + +#### Upgrading from Kraft mode + +If upgrading from Kraft mode, existing PVCs from Kafka containers should be reattached to 'controller' pods. + +#### Upgrading from Zookeeper mode + +If upgrading from Zookeeper mode, make sure you set 'controller.replicaCount=0' and reattach the existing PVCs to 'broker' pods. +This will allow you to perform a migration to Kraft mode in the future by following the 'Migrating from Zookeeper' section of this documentation. + +#### Retaining PersistentVolumes + +When upgrading the Kafka chart, you may want to retain your existing data. To do so, we recommend following this guide: + +**NOTE**: This guide requires the binaries 'kubectl' and 'jq'. + +```console +# Env variables +REPLICA=0 +OLD_PVC="data--kafka-${REPLICA}" +NEW_PVC="data--kafka--${REPLICA}" +PV_NAME=$(kubectl get pvc $OLD_PVC -o jsonpath="{.spec.volumeName}") +NEW_PVC_MANIFEST_FILE="$NEW_PVC.yaml" + +# Modify PV reclaim policy +kubectl patch pv $PV_NAME -p '{"spec":{"persistentVolumeReclaimPolicy":"Retain"}}' +# Manually check field 'RECLAIM POLICY' +kubectl get pv $PV_NAME + +# Create new PVC manifest +kubectl get pvc $OLD_PVC -o json | jq " + .metadata.name = \"$NEW_PVC\" + | with_entries( + select([.key] | + inside([\"metadata\", \"spec\", \"apiVersion\", \"kind\"])) + ) + | del( + .metadata.annotations, .metadata.creationTimestamp, + .metadata.finalizers, .metadata.resourceVersion, + .metadata.selfLink, .metadata.uid + ) + " > $NEW_PVC_MANIFEST_FILE +# Check manifest +cat $NEW_PVC_MANIFEST_FILE + +# Delete your old Statefulset and PVC +kubectl delete sts "-kafka" +kubectl delete pvc $OLD_PVC +# Make PV available again and create the new PVC +kubectl patch pv $PV_NAME -p '{"spec":{"claimRef": null}}' +kubectl apply -f $NEW_PVC_MANIFEST_FILE +``` + +Repeat this process for each replica you had in your Kafka cluster. Once completed, upgrade the cluster and the new Statefulset should reuse the existing PVCs. + +### To 23.0.0 + +This major updates Kafka to its newest version, 3.5.x. For more information, please refer to [kafka upgrade notes](https://kafka.apache.org/35/documentation.html#upgrade). + ### To 22.0.0 This major updates the Kafka's configuration to use Kraft by default. You can learn more about this configuration [here](https://developer.confluent.io/learn/kraft). Apart from seting the `kraft.enabled` parameter to `true`, we also made the following changes: diff --git a/charts/bitnami/kafka/charts/zookeeper/Chart.yaml b/charts/bitnami/kafka/charts/zookeeper/Chart.yaml index 87efd8062..3cb81d328 100644 --- a/charts/bitnami/kafka/charts/zookeeper/Chart.yaml +++ b/charts/bitnami/kafka/charts/zookeeper/Chart.yaml @@ -21,4 +21,4 @@ maintainers: name: zookeeper sources: - https://github.com/bitnami/charts/tree/main/bitnami/zookeeper -version: 11.4.9 +version: 11.4.10 diff --git a/charts/bitnami/kafka/charts/zookeeper/README.md b/charts/bitnami/kafka/charts/zookeeper/README.md index 4e3eb81a9..b764107d7 100644 --- a/charts/bitnami/kafka/charts/zookeeper/README.md +++ b/charts/bitnami/kafka/charts/zookeeper/README.md @@ -82,7 +82,7 @@ The command removes all the Kubernetes components associated with the chart and | ----------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ----------------------- | | `image.registry` | ZooKeeper image registry | `docker.io` | | `image.repository` | ZooKeeper image repository | `bitnami/zookeeper` | -| `image.tag` | ZooKeeper image tag (immutable tags are recommended) | `3.8.2-debian-11-r4` | +| `image.tag` | ZooKeeper image tag (immutable tags are recommended) | `3.8.2-debian-11-r7` | | `image.digest` | ZooKeeper image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `image.pullPolicy` | ZooKeeper image pull policy | `IfNotPresent` | | `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | @@ -248,7 +248,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | | `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | | `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/os-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r13` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r19` | | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | diff --git a/charts/bitnami/kafka/charts/zookeeper/values.yaml b/charts/bitnami/kafka/charts/zookeeper/values.yaml index e39c70430..d2baca092 100644 --- a/charts/bitnami/kafka/charts/zookeeper/values.yaml +++ b/charts/bitnami/kafka/charts/zookeeper/values.yaml @@ -79,7 +79,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/zookeeper - tag: 3.8.2-debian-11-r4 + tag: 3.8.2-debian-11-r7 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -663,7 +663,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r13 + tag: 11-debian-11-r19 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/kafka/templates/NOTES.txt b/charts/bitnami/kafka/templates/NOTES.txt index f34c2563f..2b5462a55 100644 --- a/charts/bitnami/kafka/templates/NOTES.txt +++ b/charts/bitnami/kafka/templates/NOTES.txt @@ -22,19 +22,12 @@ In order to replicate the container startup scripts execute this command: {{- else }} -{{- $replicaCount := int .Values.replicaCount -}} -{{- $releaseNamespace := .Release.Namespace -}} -{{- $clusterDomain := .Values.clusterDomain -}} -{{- $fullname := include "common.names.fullname" . -}} -{{- $clientProtocol := include "kafka.listenerType" (dict "protocol" .Values.auth.clientProtocol) -}} -{{- $externalClientProtocol := include "kafka.listenerType" (dict "protocol" (include "kafka.externalClientProtocol" . )) -}} -{{- $saslMechanisms := .Values.auth.sasl.mechanisms -}} -{{- $tlsEndpointIdentificationAlgorithm := default "" .Values.auth.tls.endpointIdentificationAlgorithm -}} -{{- $tlsPasswordSecret := printf "$(kubectl get secret %s --namespace %s -o jsonpath='{.data.password}' | base64 -d | cut -d , -f 1)" .Values.auth.tls.existingSecret $releaseNamespace -}} -{{- $tlsPassword := ternary .Values.auth.tls.password $tlsPasswordSecret (eq .Values.auth.tls.existingSecret "") -}} -{{- $servicePort := int .Values.service.ports.client -}} +{{- $releaseNamespace := .Release.Namespace }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $fullname := include "common.names.fullname" . }} +{{- $servicePort := int .Values.service.ports.client }} -{{- if and (or (eq .Values.service.type "LoadBalancer") .Values.externalAccess.enabled) (eq $externalClientProtocol "PLAINTEXT") }} +{{- if and (or (eq .Values.service.type "LoadBalancer") .Values.externalAccess.enabled) (eq (upper .Values.listeners.external.protocol) "PLAINTEXT") }} --------------------------------------------------------------------------------------------- WARNING @@ -57,114 +50,95 @@ Kafka can be accessed by consumers via port {{ $servicePort }} on the following Each Kafka broker can be accessed by producers via port {{ $servicePort }} on the following DNS name(s) from within your cluster: {{- $brokerList := list }} -{{- range $e, $i := until $replicaCount }} -{{- $brokerList = append $brokerList (printf "%s-%d.%s-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $servicePort) }} +{{- range $i := until (int .Values.controller.replicaCount) }} +{{- $brokerList = append $brokerList (printf "%s-controller-%d.%s-controller-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $servicePort) }} +{{- end }} +{{- range $i := until (int .Values.broker.replicaCount) }} +{{- $brokerList = append $brokerList (printf "%s-broker-%d.%s-broker-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $servicePort) }} {{- end }} {{ join "\n" $brokerList | nindent 4 }} -{{- if (include "kafka.client.saslAuthentication" .) }} +{{- $clientSaslEnabled := regexFind "SASL" (upper .Values.listeners.client.protocol) }} +{{- $clientSslEnabled := regexFind "SSL" (upper .Values.listeners.client.protocol) }} +{{- $clientMTlsEnabled := or (and .Values.listeners.client.sslClientAuth (not (eq .Values.listeners.client.sslClientAuth "none"))) (and (empty .Values.listeners.client.sslClientAuth) (not (eq .Values.tls.sslClientAuth "none"))) }} +{{- if or $clientSaslEnabled $clientSslEnabled }} -You need to configure your Kafka client to access using SASL authentication. To do so, you need to create the 'kafka_jaas.conf' and 'client.properties' configuration files with the content below: +The {{ upper .Values.listeners.client.name }} listener for Kafka client connections from within your cluster have been configured with the following security settings: + {{- if $clientSaslEnabled }} + - SASL authentication + {{- end }} + {{- if $clientSslEnabled }} + - TLS encryption + {{- end }} + {{- if and $clientSslEnabled $clientMTlsEnabled }} + - mTLS authentication + {{- end }} - - kafka_jaas.conf: +To connect a client to your Kafka, you need to create the 'client.properties' configuration files with the content below: -KafkaClient { -{{- if $saslMechanisms | regexFind "scram" }} -org.apache.kafka.common.security.scram.ScramLoginModule required -{{- else }} -org.apache.kafka.common.security.plain.PlainLoginModule required -{{- end }} -username="{{ index .Values.auth.sasl.jaas.clientUsers 0 }}" -password="$(kubectl get secret {{ $fullname }}-jaas --namespace {{ $releaseNamespace }} -o jsonpath='{.data.client-passwords}' | base64 -d | cut -d , -f 1)"; -}; - - - client.properties: - -security.protocol={{ $clientProtocol }} -{{- if $saslMechanisms | regexFind "scram-sha-256" }} +security.protocol={{ .Values.listeners.client.protocol }} +{{- if $clientSaslEnabled }} +{{- if regexFind "SCRAM-SHA-256" (upper .Values.sasl.enabledMechanisms) }} sasl.mechanism=SCRAM-SHA-256 -{{- else if $saslMechanisms | regexFind "scram-sha-512" }} +{{- else if regexFind "SCRAM-SHA-512" (upper .Values.sasl.enabledMechanisms) }} sasl.mechanism=SCRAM-SHA-512 -{{- else }} +{{- else if regexFind "PLAIN" (upper .Values.sasl.enabledMechanisms) }} sasl.mechanism=PLAIN {{- end }} -{{- if eq $clientProtocol "SASL_SSL" }} -ssl.truststore.type={{ upper .Values.auth.tls.type }} - {{- if eq .Values.auth.tls.type "jks" }} +{{- $securityModule := ternary "org.apache.kafka.common.security.scram.ScramLoginModule required" "org.apache.kafka.common.security.plain.PlainLoginModule required" (regexMatch "SCRAM" (upper .Values.sasl.enabledMechanisms)) }} +sasl.jaas.config={{ $securityModule }} \ + username="{{ index .Values.sasl.client.users 0 }}" \ + password="$(kubectl get secret {{ $fullname }}-user-passwords --namespace {{ $releaseNamespace }} -o jsonpath='{.data.client-passwords}' | base64 -d | cut -d , -f 1)"; +{{- end }} +{{- if $clientSslEnabled }} +{{- $clientTlsType := upper .Values.tls.type }} +ssl.truststore.type={{ $clientTlsType }} +{{- if eq $clientTlsType "JKS" }} ssl.truststore.location=/tmp/kafka.truststore.jks - {{- if not (empty $tlsPassword) }} -ssl.truststore.password={{ $tlsPassword }} - {{- end }} - {{- else if eq .Values.auth.tls.type "pem" }} -ssl.truststore.certificates=-----BEGIN CERTIFICATE----- \ -... \ ------END CERTIFICATE----- - {{- end }} - {{- if eq $tlsEndpointIdentificationAlgorithm "" }} -ssl.endpoint.identification.algorithm= - {{- end }} -{{- end }} - -{{- else if (include "kafka.client.tlsEncryption" .) }} - -You need to configure your Kafka client to access using TLS authentication. To do so, you need to create the 'client.properties' configuration file with the content below: - -security.protocol={{ $clientProtocol }} -ssl.truststore.type={{ upper .Values.auth.tls.type }} -{{- if eq .Values.auth.tls.type "jks" }} -ssl.truststore.location=/tmp/kafka.truststore.{{ .Values.auth.tls.type }} - {{- if not (empty $tlsPassword) }} -ssl.truststore.password={{ $tlsPassword }} - {{- end }} -{{- else if eq .Values.auth.tls.type "pem" }} +# Uncomment this line if your client truststore is password protected +#ssl.truststore.password= +{{- else if eq $clientTlsType "PEM" }} ssl.truststore.certificates=-----BEGIN CERTIFICATE----- \ ... \ -----END CERTIFICATE----- {{- end }} -{{- if eq .Values.auth.clientProtocol "mtls" }} -ssl.keystore.type={{ upper .Values.auth.tls.type }} - {{- if eq .Values.auth.tls.type "jks" }} +{{- if and $clientMTlsEnabled }} +ssl.keystore.type={{ $clientTlsType }} +{{- if eq $clientTlsType "JKS" }} ssl.keystore.location=/tmp/client.keystore.jks - {{- if not (empty $tlsPassword) }} -ssl.keystore.password={{ $tlsPassword }} - {{- end }} - {{- else if eq .Values.auth.tls.type "pem" }} +# Uncomment this line if your client truststore is password protected +#ssl.keystore.password= +{{- else if eq $clientTlsType "PEM" }} ssl.keystore.certificate.chain=-----BEGIN CERTIFICATE----- \ ... \ -----END CERTIFICATE----- ssl.keystore.key=-----BEGIN ENCRYPTED PRIVATE KEY----- \ ... \ -----END ENCRYPTED PRIVATE KEY----- - {{- end }} {{- end }} -{{- if eq $tlsEndpointIdentificationAlgorithm "" }} +{{- end }} +{{- if eq .Values.tls.endpointIdentificationAlgorithm "" }} ssl.endpoint.identification.algorithm= {{- end }} - +{{- end }} {{- end }} To create a pod that you can use as a Kafka client run the following commands: kubectl run {{ $fullname }}-client --restart='Never' --image {{ template "kafka.image" . }} --namespace {{ $releaseNamespace }} --command -- sleep infinity - {{- if or (include "kafka.client.saslAuthentication" .) (include "kafka.client.tlsEncryption" .) }} + {{- if or $clientSaslEnabled $clientSslEnabled }} kubectl cp --namespace {{ $releaseNamespace }} /path/to/client.properties {{ $fullname }}-client:/tmp/client.properties {{- end }} - {{- if (include "kafka.client.saslAuthentication" .) }} - kubectl cp --namespace {{ $releaseNamespace }} /path/to/kafka_jaas.conf {{ $fullname }}-client:/tmp/kafka_jaas.conf - {{- end }} - {{- if and (include "kafka.client.tlsEncryption" .) (eq .Values.auth.tls.type "jks") }} + {{- if and $clientSslEnabled (eq (upper .Values.tls.type) "JKS") }} kubectl cp --namespace {{ $releaseNamespace }} ./kafka.truststore.jks {{ $fullname }}-client:/tmp/kafka.truststore.jks - {{- if eq .Values.auth.clientProtocol "mtls" }} + {{- if $clientMTlsEnabled }} kubectl cp --namespace {{ $releaseNamespace }} ./client.keystore.jks {{ $fullname }}-client:/tmp/client.keystore.jks {{- end }} {{- end }} kubectl exec --tty -i {{ $fullname }}-client --namespace {{ $releaseNamespace }} -- bash - {{- if (include "kafka.client.saslAuthentication" .) }} - export KAFKA_OPTS="-Djava.security.auth.login.config=/tmp/kafka_jaas.conf" - {{- end }} PRODUCER: kafka-console-producer.sh \ - {{- if or (include "kafka.client.saslAuthentication" .) (include "kafka.client.tlsEncryption" .) }} + {{- if or $clientSaslEnabled $clientSslEnabled }} --producer.config /tmp/client.properties \ {{- end }} --broker-list {{ join "," $brokerList }} \ @@ -172,7 +146,7 @@ To create a pod that you can use as a Kafka client run the following commands: CONSUMER: kafka-console-consumer.sh \ - {{- if or (include "kafka.client.saslAuthentication" .) (include "kafka.client.tlsEncryption" .) }} + {{- if or $clientSaslEnabled $clientSslEnabled }} --consumer.config /tmp/client.properties \ {{- end }} --bootstrap-server {{ $fullname }}.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ .Values.service.ports.client }} \ @@ -180,132 +154,161 @@ To create a pod that you can use as a Kafka client run the following commands: --from-beginning {{- if .Values.externalAccess.enabled }} +{{- if or (not .Values.kraft.enabled) (not .Values.controller.controllerOnly) .Values.externalAccess.controller.forceExpose }} -To connect to your Kafka server from outside the cluster, follow the instructions below: - -{{- if eq "NodePort" .Values.externalAccess.service.type }} -{{- if .Values.externalAccess.service.domain }} - - Kafka brokers domain: Use your provided hostname to reach Kafka brokers, {{ .Values.externalAccess.service.domain }} - +{{- if not .Values.kraft.enabled }} +To connect to your Kafka nodes from outside the cluster, follow these instructions: +{{- else if and .Values.controller.controllerOnly .Values.externalAccess.controller.forceExpose }} +To connect to your Kafka controller-only nodes from outside the cluster, follow these instructions: {{- else }} +To connect to your Kafka controller+broker nodes from outside the cluster, follow these instructions: +{{- end }} +{{- if eq "NodePort" .Values.externalAccess.controller.service.type }} + {{- if .Values.externalAccess.controller.service.domain }} + Kafka brokers domain: Use your provided hostname to reach Kafka brokers, {{ .Values.externalAccess.controller.service.domain }} + + {{- else }} Kafka brokers domain: You can get the external node IP from the Kafka configuration file with the following commands (Check the EXTERNAL listener) 1. Obtain the pod name: - kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka" + kubectl get pods --namespace {{ include "common.names.namespace" . }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka" 2. Obtain pod configuration: kubectl exec -it KAFKA_POD -- cat /opt/bitnami/kafka/config/server.properties | grep advertised.listeners -{{- end }} - + {{- end }} Kafka brokers port: You will have a different node port for each Kafka broker. You can get the list of configured node ports using the command below: - echo "$(kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -o jsonpath='{.items[*].spec.ports[0].nodePort}' | tr ' ' '\n')" + echo "$(kubectl get svc --namespace {{ include "common.names.namespace" . }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -o jsonpath='{.items[*].spec.ports[0].nodePort}' | tr ' ' '\n')" -{{- else if contains "LoadBalancer" .Values.externalAccess.service.type }} +{{- else if eq "LoadBalancer" .Values.externalAccess.controller.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IPs to be available. - NOTE: It may take a few minutes for the LoadBalancer IPs to be available. - Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -w' + Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -w' Kafka Brokers domain: You will have a different external IP for each Kafka broker. You can get the list of external IPs using the command below: - echo "$(kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -o jsonpath='{.items[*].status.loadBalancer.ingress[0].ip}' | tr ' ' '\n')" + echo "$(kubectl get svc --namespace {{ include "common.names.namespace" . }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -o jsonpath='{.items[*].status.loadBalancer.ingress[0].ip}' | tr ' ' '\n')" - Kafka Brokers port: {{ .Values.externalAccess.service.ports.external }} + Kafka Brokers port: {{ .Values.externalAccess.controller.service.ports.external }} -{{- else if eq "ClusterIP" .Values.externalAccess.service.type }} +{{- else if eq "ClusterIP" .Values.externalAccess.controller.service.type }} + Kafka brokers domain: Use your provided hostname to reach Kafka brokers, {{ .Values.externalAccess.controller.service.domain }} - Kafka brokers domain: Use your provided hostname to reach Kafka brokers, {{ .Values.externalAccess.service.domain }} - - Kafka brokers port: You will have a different port for each Kafka broker starting at {{ .Values.externalAccess.service.ports.external }} + Kafka brokers port: You will have a different port for each Kafka broker starting at {{ .Values.externalAccess.controller.service.ports.external }} {{- end }} - -{{- if not (eq $clientProtocol $externalClientProtocol) }} -{{- if (include "kafka.client.saslAuthentication" .) }} - -You need to configure your Kafka client to access using SASL authentication. To do so, you need to create the 'kafka_jaas.conf' and 'client.properties' configuration files with the content below: - - - kafka_jaas.conf: - -KafkaClient { -{{- if $saslMechanisms | regexFind "scram" }} -org.apache.kafka.common.security.scram.ScramLoginModule required -{{- else }} -org.apache.kafka.common.security.plain.PlainLoginModule required {{- end }} -username="{{ index .Values.auth.sasl.jaas.clientUsers 0 }}" -password="$(kubectl get secret {{ $fullname }}-jaas --namespace {{ $releaseNamespace }} -o jsonpath='{.data.client-passwords}' | base64 -d | cut -d , -f 1)"; -}; - - client.properties: +{{- $brokerReplicaCount := int .Values.broker.replicaCount -}} +{{- if gt $brokerReplicaCount 0 }} +To connect to your Kafka broker nodes from outside the cluster, follow these instructions: -security.protocol={{ $externalClientProtocol }} -{{- if $saslMechanisms | regexFind "scram-sha-256" }} +{{- if eq "NodePort" .Values.externalAccess.broker.service.type }} + {{- if .Values.externalAccess.broker.service.domain }} + Kafka brokers domain: Use your provided hostname to reach Kafka brokers, {{ .Values.externalAccess.broker.service.domain }} + + {{- else }} + Kafka brokers domain: You can get the external node IP from the Kafka configuration file with the following commands (Check the EXTERNAL listener) + + 1. Obtain the pod name: + + kubectl get pods --namespace {{ include "common.names.namespace" . }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka" + + 2. Obtain pod configuration: + + kubectl exec -it KAFKA_POD -- cat /opt/bitnami/kafka/config/server.properties | grep advertised.listeners + + {{- end }} + Kafka brokers port: You will have a different node port for each Kafka broker. You can get the list of configured node ports using the command below: + + echo "$(kubectl get svc --namespace {{ include "common.names.namespace" . }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -o jsonpath='{.items[*].spec.ports[0].nodePort}' | tr ' ' '\n')" + +{{- else if eq "LoadBalancer" .Values.externalAccess.broker.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IPs to be available. + + Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -w' + + Kafka Brokers domain: You will have a different external IP for each Kafka broker. You can get the list of external IPs using the command below: + + echo "$(kubectl get svc --namespace {{ include "common.names.namespace" . }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -o jsonpath='{.items[*].status.loadBalancer.ingress[0].ip}' | tr ' ' '\n')" + + Kafka Brokers port: {{ .Values.externalAccess.broker.service.ports.external }} + +{{- else if eq "ClusterIP" .Values.externalAccess.broker.service.type }} + Kafka brokers domain: Use your provided hostname to reach Kafka brokers, {{ .Values.externalAccess.broker.service.domain }} + + Kafka brokers port: You will have a different port for each Kafka broker starting at {{ .Values.externalAccess.broker.service.ports.external }} + +{{- end }} +{{- end }} +{{- if or $clientSaslEnabled $clientSslEnabled }} +{{- $externalSaslEnabled := regexFind "SASL" (upper .Values.listeners.external.protocol) }} +{{- $externalSslEnabled := regexFind "SSL" (upper .Values.listeners.external.protocol) }} +{{- $externalMTlsEnabled := or (and .Values.listeners.external.sslClientAuth (not (eq .Values.listeners.external.sslClientAuth "none"))) (and (empty .Values.listeners.external.sslClientAuth) (not (eq .Values.tls.sslClientAuth "none"))) }} + +The {{ upper .Values.listeners.external.name }} listener for Kafka client connections from within your cluster have been configured with the following settings: + {{- if $externalSaslEnabled }} + - SASL authentication + {{- end }} + {{- if $externalSslEnabled }} + - TLS encryption + {{- end }} + {{- if and $externalSslEnabled $externalMTlsEnabled }} + - mTLS authentication + {{- end }} + +To connect a client to your Kafka, you need to create the 'client.properties' configuration files with the content below: + +security.protocol={{ .Values.listeners.external.protocol }} +{{- if $externalSaslEnabled }} +{{- if regexFind "SCRAM-SHA-256" (upper .Values.sasl.enabledMechanisms) }} sasl.mechanism=SCRAM-SHA-256 -{{- else if $saslMechanisms | regexFind "scram-sha-512" }} +{{- else if regexFind "SCRAM-SHA-512" (upper .Values.sasl.enabledMechanisms) }} sasl.mechanism=SCRAM-SHA-512 {{- else }} sasl.mechanism=PLAIN {{- end }} -{{- if eq $externalClientProtocol "SASL_SSL" }} -ssl.truststore.type={{ upper .Values.auth.tls.type }} - {{- if eq .Values.auth.tls.type "jks" }} +{{- $securityModule := ternary "org.apache.kafka.common.security.scram.ScramLoginModule required" "org.apache.kafka.common.security.plain.PlainLoginModule required" (regexMatch "SCRAM" (upper .Values.sasl.enabledMechanisms)) }} +sasl.jaas.config={{ $securityModule }} \ + username="{{ index .Values.sasl.client.users 0 }}" \ + password="$(kubectl get secret {{ $fullname }}-user-passwords --namespace {{ $releaseNamespace }} -o jsonpath='{.data.client-passwords}' | base64 -d | cut -d , -f 1)"; +{{- end }} +{{- if $externalSslEnabled }} +{{- $clientTlsType := upper .Values.tls.type }} +ssl.truststore.type={{ $clientTlsType }} +{{- if eq $clientTlsType "JKS" }} ssl.truststore.location=/tmp/kafka.truststore.jks - {{- if not (empty $tlsPassword) }} -ssl.truststore.password={{ $tlsPassword }} - {{- end }} - {{- else if eq .Values.auth.tls.type "pem" }} -ssl.truststore.certificates=-----BEGIN CERTIFICATE----- \ -... \ ------END CERTIFICATE----- - {{- end }} - {{- if eq $tlsEndpointIdentificationAlgorithm "" }} -ssl.endpoint.identification.algorithm= - {{- end }} -{{- end }} - -{{- else if (include "kafka.externalClient.tlsEncryption" .) }} - -You need to configure your Kafka client to access using TLS authentication. To do so, you need to create the 'client.properties' configuration file with the content below: - -security.protocol={{ $externalClientProtocol }} -ssl.truststore.type={{ upper .Values.auth.tls.type }} -{{- if eq .Values.auth.tls.type "jks" }} -ssl.truststore.location=/tmp/kafka.truststore.{{ .Values.auth.tls.type }} - {{- if not (empty $tlsPassword) }} -ssl.truststore.password={{ $tlsPassword }} - {{- end }} -{{- else if eq .Values.auth.tls.type "pem" }} +# Uncomment this line if your client truststore is password protected +#ssl.truststore.password= +{{- else if eq $clientTlsType "PEM" }} ssl.truststore.certificates=-----BEGIN CERTIFICATE----- \ ... \ -----END CERTIFICATE----- {{- end }} -{{- if eq .Values.auth.externalClientProtocol "mtls" }} -ssl.keystore.type={{ upper .Values.auth.tls.type }} - {{- if eq .Values.auth.tls.type "jks" }} +{{- if and $externalMTlsEnabled }} +ssl.keystore.type={{ $clientTlsType }} +{{- if eq $clientTlsType "JKS" }} ssl.keystore.location=/tmp/client.keystore.jks - {{- if not (empty $tlsPassword) }} -ssl.keystore.password={{ $tlsPassword }} - {{- end }} - {{- else if eq .Values.auth.tls.type "pem" }} +# Uncomment this line if your client truststore is password protected +#ssl.keystore.password= +{{- else if eq $clientTlsType "PEM" }} ssl.keystore.certificate.chain=-----BEGIN CERTIFICATE----- \ ... \ -----END CERTIFICATE----- ssl.keystore.key=-----BEGIN ENCRYPTED PRIVATE KEY----- \ ... \ -----END ENCRYPTED PRIVATE KEY----- - {{- end }} {{- end }} -{{- if eq $tlsEndpointIdentificationAlgorithm "" }} +{{- end }} +{{- if eq .Values.tls.endpointIdentificationAlgorithm "" }} ssl.endpoint.identification.algorithm= {{- end }} - {{- end }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/bitnami/kafka/templates/_helpers.tpl b/charts/bitnami/kafka/templates/_helpers.tpl index b5823fe29..ebc2f3e88 100644 --- a/charts/bitnami/kafka/templates/_helpers.tpl +++ b/charts/bitnami/kafka/templates/_helpers.tpl @@ -57,25 +57,6 @@ Return the proper image name (for the init container volume-permissions image) {{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} {{- end -}} -{{/* -Create a default fully qualified Kafka exporter name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "kafka.metrics.kafka.fullname" -}} - {{- printf "%s-exporter" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} -{{- end -}} - -{{/* - Create the name of the service account to use for Kafka exporter pods - */}} -{{- define "kafka.metrics.kafka.serviceAccountName" -}} -{{- if .Values.metrics.kafka.serviceAccount.create -}} - {{ default (include "kafka.metrics.kafka.fullname" .) .Values.metrics.kafka.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.metrics.kafka.serviceAccount.name }} -{{- end -}} -{{- end -}} - {{/* Return the proper Kafka exporter image name */}} @@ -98,187 +79,183 @@ Return the proper Docker Image Registry Secret Names {{- end -}} {{/* -Return the proper Storage Class +Create a default fully qualified Kafka exporter name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). */}} -{{- define "kafka.storageClass" -}} +{{- define "kafka.metrics.kafka.fullname" -}} + {{- printf "%s-exporter" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end -}} + {{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. -*/}} -{{- if .Values.global -}} - {{- if .Values.global.storageClass -}} - {{- if (eq "-" .Values.global.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.global.storageClass -}} - {{- end -}} - {{- else -}} - {{- if .Values.persistence.storageClass -}} - {{- if (eq "-" .Values.persistence.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.persistence.storageClass -}} - {{- end -}} - {{- end -}} - {{- end -}} + Create the name of the service account to use for Kafka exporter pods + */}} +{{- define "kafka.metrics.kafka.serviceAccountName" -}} +{{- if .Values.metrics.kafka.serviceAccount.create -}} + {{ default (include "kafka.metrics.kafka.fullname" .) .Values.metrics.kafka.serviceAccount.name }} {{- else -}} - {{- if .Values.persistence.storageClass -}} - {{- if (eq "-" .Values.persistence.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.persistence.storageClass -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if authentication via SASL should be configured for client communications -*/}} -{{- define "kafka.client.saslAuthentication" -}} -{{- $saslProtocols := list "sasl" "sasl_tls" -}} -{{- if has .Values.auth.clientProtocol $saslProtocols -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if authentication via SASL should be configured for inter-broker communications -*/}} -{{- define "kafka.interBroker.saslAuthentication" -}} -{{- $saslProtocols := list "sasl" "sasl_tls" -}} -{{- if has .Values.auth.interBrokerProtocol $saslProtocols -}} - {{- true -}} + {{ default "default" .Values.metrics.kafka.serviceAccount.name }} {{- end -}} {{- end -}} {{/* Return true if encryption via TLS for client connections should be configured */}} -{{- define "kafka.client.tlsEncryption" -}} -{{- $tlsProtocols := list "tls" "mtls" "sasl_tls" -}} -{{- if (has .Values.auth.clientProtocol $tlsProtocols) -}} - {{- true -}} +{{- define "kafka.sslEnabled" -}} +{{- $res := "" -}} +{{- $listeners := list .Values.listeners.client .Values.listeners.interbroker -}} +{{- range $i := .Values.listeners.extraListeners -}} +{{- $listeners = append $listeners $i -}} +{{- end -}} +{{- if and .Values.externalAccess.enabled -}} +{{- $listeners = append $listeners .Values.listeners.external -}} +{{- end -}} +{{- if and .Values.kraft.enabled -}} +{{- $listeners = append $listeners .Values.listeners.controller -}} +{{- end -}} +{{- range $listener := $listeners -}} +{{- if regexFind "SSL" (upper $listener.protocol) -}} +{{- $res = "true" -}} +{{- end -}} +{{- end -}} +{{- if $res -}} +{{- true -}} {{- end -}} {{- end -}} {{/* -Return the configured value for the external client protocol, defaults to the same value as clientProtocol +Return true if SASL connections should be configured */}} -{{- define "kafka.externalClientProtocol" -}} - {{- coalesce .Values.auth.externalClientProtocol .Values.auth.clientProtocol -}} -{{- end -}} - -{{/* -Return true if encryption via TLS for external client connections should be configured -*/}} -{{- define "kafka.externalClient.tlsEncryption" -}} -{{- $tlsProtocols := list "tls" "mtls" "sasl_tls" -}} -{{- if (has (include "kafka.externalClientProtocol" . ) $tlsProtocols) -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if encryption via TLS for inter broker communication connections should be configured -*/}} -{{- define "kafka.interBroker.tlsEncryption" -}} -{{- $tlsProtocols := list "tls" "mtls" "sasl_tls" -}} -{{- if (has .Values.auth.interBrokerProtocol $tlsProtocols) -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if encryption via TLS should be configured -*/}} -{{- define "kafka.tlsEncryption" -}} -{{- if or (include "kafka.client.tlsEncryption" .) (include "kafka.interBroker.tlsEncryption" .) (include "kafka.externalClient.tlsEncryption" .) -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Return the type of listener -Usage: -{{ include "kafka.listenerType" ( dict "protocol" .Values.path.to.the.Value ) }} -*/}} -{{- define "kafka.listenerType" -}} -{{- if eq .protocol "plaintext" -}} -PLAINTEXT -{{- else if or (eq .protocol "tls") (eq .protocol "mtls") -}} -SSL -{{- else if eq .protocol "sasl_tls" -}} -SASL_SSL -{{- else if eq .protocol "sasl" -}} -SASL_PLAINTEXT -{{- end -}} -{{- end -}} - -{{/* -Return the protocol used with zookeeper -*/}} -{{- define "kafka.zookeeper.protocol" -}} -{{- if and .Values.auth.zookeeper.tls.enabled .Values.zookeeper.auth.client.enabled .Values.auth.sasl.jaas.zookeeperUser -}} -SASL_SSL -{{- else if and .Values.auth.zookeeper.tls.enabled -}} -SSL -{{- else if and .Values.zookeeper.auth.client.enabled .Values.auth.sasl.jaas.zookeeperUser -}} -SASL +{{- define "kafka.saslEnabled" -}} +{{- $res := "" -}} +{{- if (include "kafka.client.saslEnabled" .) -}} +{{- $res = "true" -}} {{- else -}} -PLAINTEXT +{{- $listeners := list .Values.listeners.interbroker -}} +{{- if and .Values.kraft.enabled -}} +{{- $listeners = append $listeners .Values.listeners.controller -}} +{{- end -}} +{{- range $listener := $listeners -}} +{{- if regexFind "SASL" (upper $listener.protocol) -}} +{{- $res = "true" -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if $res -}} +{{- true -}} {{- end -}} {{- end -}} {{/* -Return the Kafka JAAS credentials secret +Return true if SASL connections should be configured */}} -{{- define "kafka.jaasSecretName" -}} -{{- $secretName := .Values.auth.sasl.jaas.existingSecret -}} -{{- if $secretName -}} - {{- printf "%s" (tpl $secretName $) -}} +{{- define "kafka.client.saslEnabled" -}} +{{- $res := "" -}} +{{- $listeners := list .Values.listeners.client -}} +{{- range $i := .Values.listeners.extraListeners -}} +{{- $listeners = append $listeners $i -}} +{{- end -}} +{{- if and .Values.externalAccess.enabled -}} +{{- $listeners = append $listeners .Values.listeners.external -}} +{{- end -}} +{{- range $listener := $listeners -}} +{{- if regexFind "SASL" (upper $listener.protocol) -}} +{{- $res = "true" -}} +{{- end -}} +{{- end -}} +{{- if $res -}} +{{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Kafka SASL credentials secret +*/}} +{{- define "kafka.saslSecretName" -}} +{{- if .Values.sasl.existingSecret -}} + {{- include "common.tplvalues.render" (dict "value" .Values.sasl.existingSecret "context" $) -}} {{- else -}} - {{- printf "%s-jaas" (include "common.names.fullname" .) -}} + {{- printf "%s-user-passwords" (include "common.names.fullname" .) -}} {{- end -}} {{- end -}} {{/* -Return true if a JAAS credentials secret object should be created +Return true if a SASL credentials secret object should be created */}} -{{- define "kafka.createJaasSecret" -}} -{{- $secretName := .Values.auth.sasl.jaas.existingSecret -}} -{{- if and (or (include "kafka.client.saslAuthentication" .) (include "kafka.interBroker.saslAuthentication" .) (and .Values.zookeeper.auth.client.enabled .Values.auth.sasl.jaas.zookeeperUser)) (empty $secretName) -}} +{{- define "kafka.createSaslSecret" -}} +{{- $secretName := .Values.sasl.existingSecret -}} +{{- if and (or (include "kafka.saslEnabled" .) (or .Values.zookeeper.auth.client.enabled .Values.sasl.zookeeper.user)) (empty $secretName) -}} {{- true -}} {{- end -}} {{- end -}} +{{/* +Return true if a TLS credentials secret object should be created +*/}} +{{- define "kafka.tlsSecretName" -}} +{{- if .Values.tls.existingSecret -}} + {{- include "common.tplvalues.render" (dict "value" .Values.tls.existingSecret "context" $) -}} +{{- else -}} + {{- printf "%s-tls" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + {{/* Return true if a TLS credentials secret object should be created */}} {{- define "kafka.createTlsSecret" -}} -{{- if and (include "kafka.tlsEncryption" .) (empty .Values.auth.tls.existingSecrets) (eq .Values.auth.tls.type "pem") .Values.auth.tls.autoGenerated }} +{{- if and (include "kafka.sslEnabled" .) (empty .Values.tls.existingSecret) .Values.tls.autoGenerated -}} {{- true -}} {{- end -}} {{- end -}} {{/* -Return the Kafka configuration configmap +Return the Kafka TLS credentials secret */}} -{{- define "kafka.configmapName" -}} -{{- if .Values.existingConfigmap -}} - {{- printf "%s" (tpl .Values.existingConfigmap $) -}} +{{- define "kafka.tlsPasswordsSecretName" -}} +{{- if .Values.tls.passwordsSecret -}} + {{- include "common.tplvalues.render" (dict "value" .Values.tls.passwordsSecret "context" $) -}} {{- else -}} - {{- printf "%s-configuration" (include "common.names.fullname" .) -}} + {{- printf "%s-tls-passwords" (include "common.names.fullname" .) -}} {{- end -}} {{- end -}} +{{/* +Return true if a TLS credentials secret object should be created +*/}} +{{- define "kafka.createTlsPasswordsSecret" -}} +{{- $secretName := .Values.tls.passwordsSecret -}} +{{- if and (include "kafka.sslEnabled" .) (or (empty $secretName) .Values.tls.autoGenerated ) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Kafka TLS credentials secret +*/}} +{{- define "kafka.zookeeper.tlsPasswordsSecretName" -}} +{{- if .Values.tls.zookeeper.passwordsSecret -}} + {{- include "common.tplvalues.render" (dict "value" .Values.tls.zookeeper.passwordsSecret "context" $) -}} +{{- else -}} + {{- printf "%s-zookeeper-tls-passwords" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a TLS credentials secret object should be created +*/}} +{{- define "kafka.zookeeper.createTlsPasswordsSecret" -}} +{{- $secretName := .Values.tls.zookeeper.passwordsSecret -}} +{{- if and .Values.tls.zookeeper.enabled (or (empty $secretName) .Values.tls.zookeeper.keystorePassword .Values.tls.zookeeper.truststorePassword ) -}} + {{- true -}} +{{- end -}} +{{- end -}} {{/* Returns the secret name for the Kafka Provisioning client */}} {{- define "kafka.client.passwordsSecretName" -}} {{- if .Values.provisioning.auth.tls.passwordsSecret -}} - {{- printf "%s" (tpl .Values.provisioning.auth.tls.passwordsSecret $) -}} + {{- include "common.tplvalues.render" (dict "value" .Values.provisioning.auth.tls.passwordsSecret "context" $) -}} {{- else -}} {{- printf "%s-client-secret" (include "common.names.fullname" .) -}} {{- end -}} @@ -296,10 +273,45 @@ Create the name of the service account to use for the Kafka Provisioning client {{- end -}} {{/* -Return true if a configmap object should be created +Return the Kafka controller-eligible configuration configmap */}} -{{- define "kafka.createConfigmap" -}} -{{- if and .Values.config (not .Values.existingConfigmap) }} +{{- define "kafka.controller.configmapName" -}} +{{- if .Values.controller.existingConfigmap -}} + {{- include "common.tplvalues.render" (dict "value" .Values.controller.existingConfigmap "context" $) -}} +{{- else if .Values.existingConfigmap -}} + {{- include "common.tplvalues.render" (dict "value" .Values.existingConfigmap "context" $) -}} +{{- else -}} + {{- printf "%s-controller-configuration" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for controller-eligible pods +*/}} +{{- define "kafka.controller.createConfigmap" -}} +{{- if and (not .Values.controller.existingConfigmap) (not .Values.existingConfigmap) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Kafka broker configuration configmap +*/}} +{{- define "kafka.broker.configmapName" -}} +{{- if .Values.broker.existingConfigmap -}} + {{- printf "%s" (tpl .Values.broker.existingConfigmap $) -}} +{{- else if .Values.existingConfigmap -}} + {{- printf "%s" (tpl .Values.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-broker-configuration" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for broker pods +*/}} +{{- define "kafka.broker.createConfigmap" -}} +{{- if and (not .Values.broker.existingConfigmap) (not .Values.existingConfigmap) }} {{- true -}} {{- end -}} {{- end -}} @@ -309,32 +321,23 @@ Return the Kafka log4j ConfigMap name. */}} {{- define "kafka.log4j.configMapName" -}} {{- if .Values.existingLog4jConfigMap -}} - {{- printf "%s" (tpl .Values.existingLog4jConfigMap $) -}} + {{- include "common.tplvalues.render" (dict "value" .Values.existingLog4jConfigMap "context" $) -}} {{- else -}} {{- printf "%s-log4j-configuration" (include "common.names.fullname" .) -}} {{- end -}} {{- end -}} -{{/* -Return true if a log4j ConfigMap object should be created. -*/}} -{{- define "kafka.log4j.createConfigMap" -}} -{{- if and .Values.log4j (not .Values.existingLog4jConfigMap) }} - {{- true -}} -{{- end -}} -{{- end -}} - {{/* Return the SASL mechanism to use for the Kafka exporter to access Kafka The exporter uses a different nomenclature so we need to do this hack */}} {{- define "kafka.metrics.kafka.saslMechanism" -}} -{{- $saslMechanisms := .Values.auth.sasl.mechanisms }} -{{- if contains "scram-sha-512" $saslMechanisms }} +{{- $saslMechanisms := .Values.sasl.enabledMechanisms }} +{{- if contains "SCRAM-SHA-512" (upper $saslMechanisms) }} {{- print "scram-sha512" -}} -{{- else if contains "scram-sha-256" $saslMechanisms }} +{{- else if contains "SCRAM-SHA-256" (upper $saslMechanisms) }} {{- print "scram-sha256" -}} -{{- else -}} +{{- else if contains "PLAIN" (upper $saslMechanisms) }} {{- print "plain" -}} {{- end -}} {{- end -}} @@ -344,9 +347,9 @@ Return the Kafka configuration configmap */}} {{- define "kafka.metrics.jmx.configmapName" -}} {{- if .Values.metrics.jmx.existingConfigmap -}} - {{- printf "%s" (tpl .Values.metrics.jmx.existingConfigmap $) -}} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.jmx.existingConfigmap "context" $) -}} {{- else -}} - {{- printf "%s-jmx-configuration" (include "common.names.fullname" .) -}} + {{ printf "%s-jmx-configuration" (include "common.names.fullname" .) -}} {{- end -}} {{- end -}} @@ -354,11 +357,446 @@ Return the Kafka configuration configmap Return true if a configmap object should be created */}} {{- define "kafka.metrics.jmx.createConfigmap" -}} -{{- if and .Values.metrics.jmx.enabled .Values.metrics.jmx.config (not .Values.metrics.jmx.existingConfigmap) }} +{{- if and .Values.metrics.jmx.enabled .Values.metrics.jmx.config (not .Values.metrics.jmx.existingConfigmap) -}} {{- true -}} {{- end -}} {{- end -}} +{{/* +Returns the Kafka listeners settings based on the listeners.* object +*/}} +{{- define "kafka.listeners" -}} +{{- if .context.Values.listeners.overrideListeners -}} + {{- printf "%s" .context.Values.listeners.overrideListeners -}} +{{- else -}} + {{- $listeners := list .context.Values.listeners.client .context.Values.listeners.interbroker -}} + {{- if and .context.Values.externalAccess.enabled -}} + {{- $listeners = append $listeners .context.Values.listeners.external -}} + {{- end -}} + {{- if and .context.Values.kraft.enabled .isController -}} + {{- if and .context.Values.controller.controllerOnly -}} + {{- $listeners = list .context.Values.listeners.controller -}} + {{- else -}} + {{- $listeners = append $listeners .context.Values.listeners.controller -}} + {{- end -}} + {{- end -}} + {{- $res := list -}} + {{- range $listener := $listeners -}} + {{- $res = append $res (printf "%s://:%d" (upper $listener.name) (int $listener.containerPort)) -}} + {{- end -}} + {{- printf "%s" (join "," $res) -}} +{{- end -}} +{{- end -}} + +{{/* +Returns the list of advertised listeners, although the advertised address will be replaced during each node init time +*/}} +{{- define "kafka.advertisedListeners" -}} +{{- if .Values.listeners.advertisedListeners -}} + {{- printf "%s" .Values.listeners.advertisedListeners -}} +{{- else -}} + {{- $listeners := list .Values.listeners.client .Values.listeners.interbroker -}} + {{- range $i := .Values.listeners.extraListeners -}} + {{- $listeners = append $listeners $i -}} + {{- end -}} + {{- $res := list -}} + {{- range $listener := $listeners -}} + {{- $res = append $res (printf "%s://advertised-address-placeholder:%d" (upper $listener.name) (int $listener.containerPort)) -}} + {{- end -}} + {{- printf "%s" (join "," $res) -}} +{{- end -}} +{{- end -}} + +{{/* +Returns the value listener.security.protocol.map based on the values of 'listeners.*.protocol' +*/}} +{{- define "kafka.securityProtocolMap" -}} +{{- if .Values.listeners.securityProtocolMap -}} + {{- printf "%s" .Values.listeners.securityProtocolMap -}} +{{- else -}} + {{- $listeners := list .Values.listeners.client .Values.listeners.interbroker -}} + {{- range $i := .Values.listeners.extraListeners -}} + {{- $listeners = append $listeners $i -}} + {{- end -}} + {{- if .Values.kraft.enabled -}} + {{- $listeners = append $listeners .Values.listeners.controller -}} + {{- end -}} + {{- if and .Values.externalAccess.enabled -}} + {{- $listeners = append $listeners .Values.listeners.external -}} + {{- end -}} + {{- $res := list -}} + {{- range $listener := $listeners -}} + {{- $res = append $res (printf "%s:%s" (upper $listener.name) (upper $listener.protocol)) -}} + {{- end -}} + {{ printf "%s" (join "," $res)}} +{{- end -}} +{{- end -}} + +{{/* +Returns the containerPorts for listeneres.extraListeners +*/}} +{{- define "kafka.extraListeners.containerPorts" -}} +{{- range $listener := .Values.listeners.extraListeners -}} +- name: {{ lower $listener.name}} + containerPort: {{ $listener.containerPort }} +{{- end -}} +{{- end -}} + +{{/* +Returns the zookeeper.connect setting value +*/}} +{{- define "kafka.zookeeperConnect" -}} +{{- if .Values.zookeeper.enabled -}} +{{- printf "%s:%s%s" (include "kafka.zookeeper.fullname" .) (ternary "3181" "2181" .Values.tls.zookeeper.enabled) (tpl .Values.zookeeperChrootPath .) -}} +{{- else -}} +{{- printf "%s%s" (join "," .Values.externalZookeeper.servers) (tpl .Values.zookeeperChrootPath .) -}} +{{- end -}} +{{- end -}} + +{{/* +Returns the controller quorum voters based on the number of controller-eligible nodes +*/}} +{{- define "kafka.kraft.controllerQuorumVoters" -}} +{{- if .Values.kraft.controllerQuorumVoters -}} + {{- include "common.tplvalues.render" (dict "value" .Values.kraft.controllerQuorumVoters "context" $) -}} +{{- else -}} + {{- $controllerVoters := list -}} + {{- $fullname := include "common.names.fullname" . -}} + {{- $releaseNamespace := include "common.names.namespace" . -}} + {{- range $i := until (int .Values.controller.replicaCount) -}} + {{- $nodeId := add (int $i) (int $.Values.controller.minId) -}} + {{- $nodeAddress := printf "%s-controller-%d.%s-controller-headless.%s.svc.%s:%d" $fullname (int $i) $fullname $releaseNamespace $.Values.clusterDomain (int $.Values.listeners.controller.containerPort) -}} + {{- $controllerVoters = append $controllerVoters (printf "%d@%s" $nodeId $nodeAddress ) -}} + {{- end -}} + {{- join "," $controllerVoters -}} +{{- end -}} +{{- end -}} + +{{/* +Section of the server.properties configmap shared by both controller-eligible and broker nodes +*/}} +{{- define "kafka.commonConfig" -}} +log.dir={{ printf "%s/data" .Values.controller.persistence.mountPath }} +{{- if or (include "kafka.saslEnabled" .) }} +sasl.enabled.mechanisms={{ upper .Values.sasl.enabledMechanisms }} +{{- end }} +# Interbroker configuration +inter.broker.listener.name={{ .Values.listeners.interbroker.name }} +{{- if regexFind "SASL" (upper .Values.listeners.interbroker.protocol) }} +sasl.mechanism.inter.broker.protocol={{ upper .Values.sasl.interBrokerMechanism }} +{{- end }} +{{- if (include "kafka.sslEnabled" .) }} +# TLS configuration +ssl.keystore.type=JKS +ssl.truststore.type=JKS +ssl.keystore.location=/opt/bitnami/kafka/config/certs/kafka.keystore.jks +ssl.truststore.location=/opt/bitnami/kafka/config/certs/kafka.truststore.jks +#ssl.keystore.password= +#ssl.truststore.password= +#ssl.key.password= +ssl.client.auth={{ .Values.tls.sslClientAuth }} +ssl.endpoint.identification.algorithm={{ .Values.tls.endpointIdentificationAlgorithm }} +{{- end }} +{{- if (include "kafka.saslEnabled" .) }} +# Listeners SASL JAAS configuration +{{- $listeners := list .Values.listeners.client .Values.listeners.interbroker }} +{{- range $i := .Values.listeners.extraListeners }} +{{- $listeners = append $listeners $i }} +{{- end }} +{{- if .Values.externalAccess.enabled }} +{{- $listeners = append $listeners .Values.listeners.external }} +{{- end }} +{{- range $listener := $listeners }} +{{- if and $listener.sslClientAuth (regexFind "SSL" (upper $listener.protocol)) }} +listener.name.{{lower $listener.name}}.ssl.client.auth={{ $listener.sslClientAuth }} +{{- end }} +{{- if regexFind "SASL" (upper $listener.protocol) }} +{{- range $mechanism := ( splitList "," $.Values.sasl.enabledMechanisms )}} + {{- $securityModule := ternary "org.apache.kafka.common.security.plain.PlainLoginModule required" "org.apache.kafka.common.security.scram.ScramLoginModule required" (eq "PLAIN" (upper $mechanism)) }} + {{- $saslJaasConfig := list $securityModule }} + {{- if eq $listener.name $.Values.listeners.interbroker.name }} + {{- $saslJaasConfig = append $saslJaasConfig (printf "username=\"%s\"" $.Values.sasl.interbroker.user) }} + {{- $saslJaasConfig = append $saslJaasConfig (print "password=\"interbroker-password-placeholder\"") }} + {{- end }} + {{- if eq (upper $mechanism) "PLAIN" }} + {{- if eq $listener.name $.Values.listeners.interbroker.name }} + {{- $saslJaasConfig = append $saslJaasConfig (printf "user_%s=\"interbroker-password-placeholder\"" $.Values.sasl.interbroker.user) }} + {{- end }} + {{- range $i, $user := $.Values.sasl.client.users }} + {{- $saslJaasConfig = append $saslJaasConfig (printf "user_%s=\"password-placeholder-%d\"" $user (int $i)) }} + {{- end }} + {{- end }} +listener.name.{{lower $listener.name}}.{{lower $mechanism}}.sasl.jaas.config={{ join " " $saslJaasConfig }}; +{{- end }} +{{- end }} +{{- end }} +# End of SASL JAAS configuration +{{- end }} +{{- end -}} + +{{/* +Zookeeper connection section of the server.properties +*/}} +{{- define "kafka.zookeeperConfig" -}} +zookeeper.connect={{ include "kafka.zookeeperConnect" . }} +#broker.id= +{{- if .Values.sasl.zookeeper.user }} +sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \ + username="{{ .Values.sasl.zookeeper.user }}" \ + password="zookeeper-password-placeholder"; +{{- end }} +{{- if and .Values.tls.zookeeper.enabled .Values.tls.zookeeper.existingSecret }} +zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty +zookeeper.ssl.client.enable=true +zookeeper.ssl.keystore.location=/opt/bitnami/kafka/config/certs/zookeeper.keystore.jks +zookeeper.ssl.truststore.location=/opt/bitnami/kafka/config/certs/zookeeper.truststore.jks +zookeeper.ssl.hostnameVerification={{ .Values.tls.zookeeper.verifyHostname }} +#zookeeper.ssl.keystore.password= +#zookeeper.ssl.truststore.password= +{{- end }} +{{- end -}} + +{{/* +Kraft section of the server.properties +*/}} +{{- define "kafka.kraftConfig" -}} +#node.id= +controller.listener.names={{ .Values.listeners.controller.name }} +controller.quorum.voters={{ include "kafka.kraft.controllerQuorumVoters" . }} +{{- $listener := $.Values.listeners.controller }} +{{- if and $listener.sslClientAuth (regexFind "SSL" (upper $listener.protocol)) }} +# Kraft Controller listener SSL settings +listener.name.{{lower $listener.name}}.ssl.client.auth={{ $listener.sslClientAuth }} +{{- end }} +{{- if regexFind "SASL" (upper $listener.protocol) }} + {{- $mechanism := $.Values.sasl.controllerMechanism }} + {{- $securityModule := ternary "org.apache.kafka.common.security.plain.PlainLoginModule required" "org.apache.kafka.common.security.scram.ScramLoginModule required" (eq "PLAIN" (upper $mechanism)) }} + {{- $saslJaasConfig := list $securityModule }} + {{- $saslJaasConfig = append $saslJaasConfig (printf "username=\"%s\"" $.Values.sasl.controller.user) }} + {{- $saslJaasConfig = append $saslJaasConfig (print "password=\"controller-password-placeholder\"") }} + {{- if eq (upper $mechanism) "PLAIN" }} + {{- $saslJaasConfig = append $saslJaasConfig (printf "user_%s=\"controller-password-placeholder\"" $.Values.sasl.controller.user) }} + {{- end }} +# Kraft Controller listener SASL settings +sasl.mechanism.controller.protocol={{ upper $mechanism }} +listener.name.{{lower $listener.name}}.sasl.enabled.mechanisms={{ upper $mechanism }} +listener.name.{{lower $listener.name}}.{{lower $mechanism }}.sasl.jaas.config={{ join " " $saslJaasConfig }}; +{{- end }} +{{- end -}} + +{{/* +Init container definition for Kafka initialization +*/}} +{{- define "kafka.prepareKafkaInitContainer" -}} +{{- $role := .role -}} +{{- $roleSettings := index .context.Values .role -}} +- name: kafka-init + image: {{ include "kafka.image" .context }} + imagePullPolicy: {{ .context.Values.image.pullPolicy }} + {{- if $roleSettings.containerSecurityContext.enabled }} + securityContext: {{- omit $roleSettings.containerSecurityContext "enabled" | toYaml | nindent 4 }} + {{- end }} + command: + - /bin/bash + args: + - -ec + - | + /scripts/kafka-init.sh + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .context.Values.image.debug .context.Values.diagnosticMode.enabled) | quote }} + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KAFKA_VOLUME_DIR + value: {{ $roleSettings.persistence.mountPath | quote }} + - name: KAFKA_MIN_ID + value: {{ $roleSettings.minId | quote }} + {{- if or (and (eq .role "broker") .context.Values.externalAccess.enabled) (and (eq .role "controller") .context.Values.externalAccess.enabled (or .context.Values.externalAccess.controller.forceExpose (not .context.Values.controller.controllerOnly))) }} + {{- $externalAccess := index .context.Values.externalAccess .role }} + - name: EXTERNAL_ACCESS_ENABLED + value: "true" + {{- if eq $externalAccess.service.type "LoadBalancer" }} + {{- if not .context.Values.externalAccess.autoDiscovery.enabled }} + - name: EXTERNAL_ACCESS_HOSTS_LIST + value: {{ join "," (default $externalAccess.service.loadBalancerIPs $externalAccess.service.loadBalancerNames) | quote }} + {{- end }} + - name: EXTERNAL_ACCESS_PORT + value: {{ $externalAccess.service.ports.external | quote }} + {{- else if eq $externalAccess.service.type "NodePort" }} + {{- if $externalAccess.service.domain }} + - name: EXTERNAL_ACCESS_HOST + value: {{ $externalAccess.service.domain | quote }} + {{- else if and $externalAccess.service.usePodIPs .context.Values.externalAccess.autoDiscovery.enabled }} + - name: MY_POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: EXTERNAL_ACCESS_HOST + value: "$(MY_POD_IP)" + {{- else if or $externalAccess.service.useHostIPs .context.Values.externalAccess.autoDiscovery.enabled }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: EXTERNAL_ACCESS_HOST + value: "$(HOST_IP)" + {{- else if and $externalAccess.service.externalIPs (not .context.Values.externalAccess.autoDiscovery.enabled) }} + - name: EXTERNAL_ACCESS_HOSTS_LIST + value: {{ join "," $externalAccess.service.externalIPs }} + {{- else }} + - name: EXTERNAL_ACCESS_HOST_USE_PUBLIC_IP + value: "true" + {{- end }} + {{- if not .context.Values.externalAccess.autoDiscovery.enabled }} + {{- if and $externalAccess.service.externalIPs (empty $externalAccess.service.nodePorts)}} + - name: EXTERNAL_ACCESS_PORT + value: {{ $externalAccess.service.ports.external | quote }} + {{- else }} + - name: EXTERNAL_ACCESS_PORTS_LIST + value: {{ join "," $externalAccess.service.nodePorts | quote }} + {{- end }} + {{- end }} + {{- else if eq $externalAccess.service.type "ClusterIP" }} + - name: EXTERNAL_ACCESS_HOST + value: {{ $externalAccess.service.domain | quote }} + - name: EXTERNAL_ACCESS_PORT + value: {{ $externalAccess.service.ports.external | quote}} + - name: EXTERNAL_ACCESS_PORT_AUTOINCREMENT + value: "true" + {{- end }} + {{- end }} + {{- if and (include "kafka.client.saslEnabled" .context ) .context.Values.sasl.client.users }} + - name: KAFKA_CLIENT_USERS + value: {{ join "," .context.Values.sasl.client.users | quote }} + - name: KAFKA_CLIENT_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "kafka.saslSecretName" .context }} + key: client-passwords + {{- end }} + {{- if regexFind "SASL" (upper .context.Values.listeners.interbroker.protocol) }} + - name: KAFKA_INTER_BROKER_USER + value: {{ .context.Values.sasl.interbroker.user | quote }} + - name: KAFKA_INTER_BROKER_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "kafka.saslSecretName" .context }} + key: inter-broker-password + {{- end }} + {{- if and .context.Values.kraft.enabled (regexFind "SASL" (upper .context.Values.listeners.controller.protocol)) }} + - name: KAFKA_CONTROLLER_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "kafka.saslSecretName" .context }} + key: controller-password + {{- end }} + {{- if (include "kafka.sslEnabled" .context ) }} + - name: KAFKA_TLS_TYPE + value: {{ ternary "PEM" "JKS" (or .context.Values.tls.autoGenerated (eq (upper .context.Values.tls.type) "PEM")) }} + - name: KAFKA_TLS_KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "kafka.tlsPasswordsSecretName" .context }} + key: {{ .context.Values.tls.passwordsSecretKeystoreKey | quote }} + - name: KAFKA_TLS_TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "kafka.tlsPasswordsSecretName" .context }} + key: {{ .context.Values.tls.passwordsSecretTruststoreKey | quote }} + {{- if and (not .context.Values.tls.autoGenerated) (or .context.Values.tls.keyPassword (and .context.Values.tls.passwordsSecret .context.Values.tls.passwordsSecretPemPasswordKey)) }} + - name: KAFKA_TLS_PEM_KEY_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "kafka.tlsPasswordsSecretName" .context }} + key: {{ default "key-password" .context.Values.tls.passwordsSecretPemPasswordKey | quote }} + {{- end }} + {{- end }} + {{- if or .context.Values.zookeeper.enabled .context.Values.externalZookeeper.servers }} + {{- if .context.Values.sasl.zookeeper.user }} + - name: KAFKA_ZOOKEEPER_USER + value: {{ .context.Values.sasl.zookeeper.user | quote }} + - name: KAFKA_ZOOKEEPER_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "kafka.saslSecretName" .context }} + key: zookeeper-password + {{- end }} + {{- if .context.Values.tls.zookeeper.enabled }} + {{- if and .context.Values.tls.zookeeper.passwordsSecretKeystoreKey (or .context.Values.tls.zookeeper.passwordsSecret .context.Values.tls.zookeeper.keystorePassword) }} + - name: KAFKA_ZOOKEEPER_TLS_KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "kafka.zookeeper.tlsPasswordsSecretName" .context }} + key: {{ .context.Values.tls.zookeeper.passwordsSecretKeystoreKey | quote }} + {{- end }} + {{- if and .context.Values.tls.zookeeper.passwordsSecretTruststoreKey (or .context.Values.tls.zookeeper.passwordsSecret .context.Values.tls.zookeeper.truststorePassword) }} + - name: KAFKA_ZOOKEEPER_TLS_TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "kafka.zookeeper.tlsPasswordsSecretName" .context }} + key: {{ .context.Values.tls.zookeeper.passwordsSecretTruststoreKey | quote }} + {{- end }} + {{- end }} + {{- end }} + volumeMounts: + - name: data + mountPath: /bitnami/kafka + - name: kafka-config + mountPath: /config + - name: kafka-configmaps + mountPath: /configmaps + - name: scripts + mountPath: /scripts + {{- if and .context.Values.externalAccess.enabled .context.Values.externalAccess.autoDiscovery.enabled }} + - name: kafka-autodiscovery-shared + mountPath: /shared + {{- end }} + {{- if or (include "kafka.sslEnabled" .context) .context.Values.tls.zookeeper.enabled }} + - name: kafka-shared-certs + mountPath: /certs + {{- if and (include "kafka.sslEnabled" .context) (or .context.Values.tls.existingSecret .context.Values.tls.autoGenerated) }} + - name: kafka-certs + mountPath: /mounted-certs + readOnly: true + {{- end }} + {{- if and .context.Values.tls.zookeeper.enabled .context.Values.tls.zookeeper.existingSecret }} + - name: kafka-zookeeper-cert + mountPath: /zookeeper-certs + readOnly: true + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Init container definition for waiting for Kubernetes autodiscovery +*/}} +{{- define "kafka.autoDiscoveryInitContainer" -}} +{{- $externalAccessService := index .context.Values.externalAccess .role }} +- name: auto-discovery + image: {{ include "kafka.externalAccess.autoDiscovery.image" .context }} + imagePullPolicy: {{ .context.Values.externalAccess.autoDiscovery.image.pullPolicy | quote }} + command: + - /scripts/auto-discovery.sh + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: AUTODISCOVERY_SERVICE_TYPE + value: {{ $externalAccessService.service.type | quote }} + {{- if .context.Values.externalAccess.autoDiscovery.resources }} + resources: {{- toYaml .context.Values.externalAccess.autoDiscovery.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: scripts + mountPath: /scripts/auto-discovery.sh + subPath: auto-discovery.sh + - name: kafka-autodiscovery-shared + mountPath: /shared +{{- end -}} + {{/* Check if there are rolling tags in the images */}} @@ -375,9 +813,11 @@ Compile all warnings into a single message, and call fail. */}} {{- define "kafka.validateValues" -}} {{- $messages := list -}} -{{- $messages := append $messages (include "kafka.validateValues.authProtocols" .) -}} -{{- $messages := append $messages (include "kafka.validateValues.nodePortListLength" .) -}} -{{- $messages := append $messages (include "kafka.validateValues.externalIPListLength" .) -}} +{{- $messages := append $messages (include "kafka.validateValues.listener.protocols" .) -}} +{{- $messages := append $messages (include "kafka.validateValues.controller.nodePortListLength" .) -}} +{{- $messages := append $messages (include "kafka.validateValues.broker.nodePortListLength" .) -}} +{{- $messages := append $messages (include "kafka.validateValues.controller.externalIPListLength" .) -}} +{{- $messages := append $messages (include "kafka.validateValues.broker.externalIPListLength" .) -}} {{- $messages := append $messages (include "kafka.validateValues.domainSpecified" .) -}} {{- $messages := append $messages (include "kafka.validateValues.externalAccessServiceType" .) -}} {{- $messages := append $messages (include "kafka.validateValues.externalAccessAutoDiscoveryRBAC" .) -}} @@ -386,12 +826,13 @@ Compile all warnings into a single message, and call fail. {{- $messages := append $messages (include "kafka.validateValues.externalAccessServiceList" (dict "element" "loadBalancerNames" "context" .)) -}} {{- $messages := append $messages (include "kafka.validateValues.externalAccessServiceList" (dict "element" "loadBalancerAnnotations" "context" . )) -}} {{- $messages := append $messages (include "kafka.validateValues.saslMechanisms" .) -}} -{{- $messages := append $messages (include "kafka.validateValues.tlsSecrets" .) -}} -{{- $messages := append $messages (include "kafka.validateValues.tlsSecrets.length" .) -}} -{{- $messages := append $messages (include "kafka.validateValues.tlsPasswords" .) -}} +{{- $messages := append $messages (include "kafka.validateValues.tlsSecret" .) -}} +{{- $messages := append $messages (include "kafka.validateValues.provisioning.tlsPasswords" .) -}} {{- $messages := append $messages (include "kafka.validateValues.kraftMode" .) -}} -{{- $messages := append $messages (include "kafka.validateValues.ClusterIdDefinedIfKraft" .) -}} -{{- $messages := append $messages (include "kafka.validateValues.controllerQuorumVotersDefinedIfKraft" .) -}} +{{- $messages := append $messages (include "kafka.validateValues.kraftMissingControllers" .) -}} +{{- $messages := append $messages (include "kafka.validateValues.zookeeperMissingBrokers" .) -}} +{{- $messages := append $messages (include "kafka.validateValues.zookeeperNoControllers" .) -}} +{{- $messages := append $messages (include "kafka.validateValues.modeEmpty" .) -}} {{- $messages := without $messages "" -}} {{- $message := join "\n" $messages -}} @@ -401,52 +842,101 @@ Compile all warnings into a single message, and call fail. {{- end -}} {{/* Validate values of Kafka - Authentication protocols for Kafka */}} -{{- define "kafka.validateValues.authProtocols" -}} -{{- $authProtocols := list "plaintext" "tls" "mtls" "sasl" "sasl_tls" -}} -{{- if or (not (has .Values.auth.clientProtocol $authProtocols)) (not (has .Values.auth.interBrokerProtocol $authProtocols)) (not (has (include "kafka.externalClientProtocol" . ) $authProtocols)) -}} -kafka: auth.clientProtocol auth.externalClientProtocol auth.interBrokerProtocol - Available authentication protocols are "plaintext", "tls", "mtls", "sasl" and "sasl_tls" +{{- define "kafka.validateValues.listener.protocols" -}} +{{- $authProtocols := list "PLAINTEXT" "SASL_PLAINTEXT" "SASL_SSL" "SSL" -}} +{{- if not .Values.listeners.securityProtocolMap -}} +{{- $listeners := list .Values.listeners.client .Values.listeners.interbroker -}} +{{- if .Values.kraft.enabled -}} +{{- $listeners = append $listeners .Values.listeners.controller -}} +{{- end -}} +{{- if and .Values.externalAccess.enabled -}} +{{- $listeners = append $listeners .Values.listeners.external -}} +{{- end -}} +{{- $error := false -}} +{{- range $listener := $listeners -}} +{{- if not (has (upper $listener.protocol) $authProtocols) -}} +{{- $error := true -}} +{{- end -}} +{{- end -}} +{{- if $error -}} +kafka: listeners.*.protocol + Available authentication protocols are "PLAINTEXT" "SASL_PLAINTEXT" "SSL" "SASL_SSL" +{{- end -}} {{- end -}} {{- end -}} -{{/* Validate values of Kafka - number of replicas must be the same as NodePort list */}} -{{- define "kafka.validateValues.nodePortListLength" -}} -{{- $replicaCount := int .Values.replicaCount -}} -{{- $nodePortListLength := len .Values.externalAccess.service.nodePorts -}} -{{- $nodePortListIsEmpty := empty .Values.externalAccess.service.nodePorts -}} +{{/* Validate values of Kafka - number of controller-eligible replicas must be the same as NodePort list in controller-eligible external service */}} +{{- define "kafka.validateValues.controller.nodePortListLength" -}} +{{- $replicaCount := int .Values.controller.replicaCount -}} +{{- $nodePortListLength := len .Values.externalAccess.controller.service.nodePorts -}} +{{- $nodePortListIsEmpty := empty .Values.externalAccess.controller.service.nodePorts -}} {{- $nodePortListLengthEqualsReplicaCount := eq $nodePortListLength $replicaCount -}} -{{- $externalIPListIsEmpty := empty .Values.externalAccess.service.externalIPs -}} -{{- if and .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (eq .Values.externalAccess.service.type "NodePort") (or (and (not $nodePortListIsEmpty) (not $nodePortListLengthEqualsReplicaCount)) (and $nodePortListIsEmpty $externalIPListIsEmpty)) -}} -kafka: .Values.externalAccess.service.nodePorts - Number of replicas and nodePort array length must be the same. Currently: replicaCount = {{ $replicaCount }} and length nodePorts = {{ $nodePortListLength }} - {{ $externalIPListIsEmpty }} +{{- $externalIPListIsEmpty := empty .Values.externalAccess.controller.service.externalIPs -}} +{{- if and .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (eq .Values.externalAccess.controller.service.type "NodePort") (or (and (not $nodePortListIsEmpty) (not $nodePortListLengthEqualsReplicaCount)) (and $nodePortListIsEmpty $externalIPListIsEmpty)) -}} +kafka: .Values.externalAccess.controller.service.nodePorts + Number of controller-eligible replicas and externalAccess.controller.service.nodePorts array length must be the same. Currently: replicaCount = {{ $replicaCount }} and length nodePorts = {{ $nodePortListLength }} - {{ $externalIPListIsEmpty }} +{{- end -}} +{{- end -}} + +{{/* Validate values of Kafka - number of broker replicas must be the same as NodePort list in broker external service */}} +{{- define "kafka.validateValues.broker.nodePortListLength" -}} +{{- $replicaCount := int .Values.broker.replicaCount -}} +{{- $nodePortListLength := len .Values.externalAccess.broker.service.nodePorts -}} +{{- $nodePortListIsEmpty := empty .Values.externalAccess.broker.service.nodePorts -}} +{{- $nodePortListLengthEqualsReplicaCount := eq $nodePortListLength $replicaCount -}} +{{- $externalIPListIsEmpty := empty .Values.externalAccess.broker.service.externalIPs -}} +{{- if and .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (eq .Values.externalAccess.broker.service.type "NodePort") (or (and (not $nodePortListIsEmpty) (not $nodePortListLengthEqualsReplicaCount)) (and $nodePortListIsEmpty $externalIPListIsEmpty)) -}} +kafka: .Values.externalAccess.broker.service.nodePorts + Number of broker replicas and externalAccess.broker.service.nodePorts array length must be the same. Currently: replicaCount = {{ $replicaCount }} and length nodePorts = {{ $nodePortListLength }} - {{ $externalIPListIsEmpty }} {{- end -}} {{- end -}} {{/* Validate values of Kafka - number of replicas must be the same as externalIPs list */}} -{{- define "kafka.validateValues.externalIPListLength" -}} -{{- $replicaCount := int .Values.replicaCount -}} -{{- $externalIPListLength := len .Values.externalAccess.service.externalIPs -}} -{{- $externalIPListIsEmpty := empty .Values.externalAccess.service.externalIPs -}} +{{- define "kafka.validateValues.controller.externalIPListLength" -}} +{{- $replicaCount := int .Values.controller.replicaCount -}} +{{- $externalIPListLength := len .Values.externalAccess.controller.service.externalIPs -}} +{{- $externalIPListIsEmpty := empty .Values.externalAccess.controller.service.externalIPs -}} {{- $externalIPListEqualsReplicaCount := eq $externalIPListLength $replicaCount -}} -{{- $nodePortListIsEmpty := empty .Values.externalAccess.service.nodePorts -}} -{{- if and .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (eq .Values.externalAccess.service.type "NodePort") (or (and (not $externalIPListIsEmpty) (not $externalIPListEqualsReplicaCount)) (and $externalIPListIsEmpty $nodePortListIsEmpty)) -}} -kafka: .Values.externalAccess.service.externalIPs - Number of replicas and externalIPs array length must be the same. Currently: replicaCount = {{ $replicaCount }} and length externalIPs = {{ $externalIPListLength }} +{{- $nodePortListIsEmpty := empty .Values.externalAccess.controller.service.nodePorts -}} +{{- if and .Values.externalAccess.enabled (or .Values.externalAccess.controller.forceExpose (not .Values.controller.controllerOnly)) (not .Values.externalAccess.autoDiscovery.enabled) (eq .Values.externalAccess.controller.service.type "NodePort") (or (and (not $externalIPListIsEmpty) (not $externalIPListEqualsReplicaCount)) (and $externalIPListIsEmpty $nodePortListIsEmpty)) -}} +kafka: .Values.externalAccess.controller.service.externalIPs + Number of controller-eligible replicas and externalAccess.controller.service.externalIPs array length must be the same. Currently: replicaCount = {{ $replicaCount }} and length externalIPs = {{ $externalIPListLength }} +{{- end -}} +{{- end -}} + +{{/* Validate values of Kafka - number of replicas must be the same as externalIPs list */}} +{{- define "kafka.validateValues.broker.externalIPListLength" -}} +{{- $replicaCount := int .Values.broker.replicaCount -}} +{{- $externalIPListLength := len .Values.externalAccess.broker.service.externalIPs -}} +{{- $externalIPListIsEmpty := empty .Values.externalAccess.broker.service.externalIPs -}} +{{- $externalIPListEqualsReplicaCount := eq $externalIPListLength $replicaCount -}} +{{- $nodePortListIsEmpty := empty .Values.externalAccess.broker.service.nodePorts -}} +{{- if and .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (eq .Values.externalAccess.broker.service.type "NodePort") (or (and (not $externalIPListIsEmpty) (not $externalIPListEqualsReplicaCount)) (and $externalIPListIsEmpty $nodePortListIsEmpty)) -}} +kafka: .Values.externalAccess.broker.service.externalIPs + Number of broker replicas and externalAccess.broker.service.externalIPs array length must be the same. Currently: replicaCount = {{ $replicaCount }} and length externalIPs = {{ $externalIPListLength }} {{- end -}} {{- end -}} {{/* Validate values of Kafka - domain must be defined if external service type ClusterIP */}} {{- define "kafka.validateValues.domainSpecified" -}} -{{- if and (eq .Values.externalAccess.service.type "ClusterIP") (eq .Values.externalAccess.service.domain "") -}} -kafka: .Values.externalAccess.service.domain +{{- if and (eq .Values.externalAccess.controller.service.type "ClusterIP") (empty .Values.externalAccess.controller.service.domain) -}} +kafka: .Values.externalAccess.controller.service.domain + Domain must be specified if service type ClusterIP is set for external service +{{- end -}} +{{- if and (eq .Values.externalAccess.broker.service.type "ClusterIP") (empty .Values.externalAccess.broker.service.domain) -}} +kafka: .Values.externalAccess.broker.service.domain Domain must be specified if service type ClusterIP is set for external service {{- end -}} {{- end -}} {{/* Validate values of Kafka - service type for external access */}} {{- define "kafka.validateValues.externalAccessServiceType" -}} -{{- if and (not (eq .Values.externalAccess.service.type "NodePort")) (not (eq .Values.externalAccess.service.type "LoadBalancer")) (not (eq .Values.externalAccess.service.type "ClusterIP")) -}} -kafka: externalAccess.service.type +{{- if and (not (eq .Values.externalAccess.controller.service.type "NodePort")) (not (eq .Values.externalAccess.controller.service.type "LoadBalancer")) (not (eq .Values.externalAccess.controller.service.type "ClusterIP")) -}} +kafka: externalAccess.controller.service.type + Available service type for external access are NodePort, LoadBalancer or ClusterIP. +{{- end -}} +{{- if and (not (eq .Values.externalAccess.broker.service.type "NodePort")) (not (eq .Values.externalAccess.broker.service.type "LoadBalancer")) (not (eq .Values.externalAccess.broker.service.type "ClusterIP")) -}} +kafka: externalAccess.broker.service.type Available service type for external access are NodePort, LoadBalancer or ClusterIP. {{- end -}} {{- end -}} @@ -464,22 +954,38 @@ kafka: rbac.create {{/* Validate values of Kafka - LoadBalancerIPs or LoadBalancerNames should be set when autoDiscovery is disabled */}} {{- define "kafka.validateValues.externalAccessAutoDiscoveryIPsOrNames" -}} -{{- $loadBalancerNameListLength := len .Values.externalAccess.service.loadBalancerNames -}} -{{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs -}} -{{- if and .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "LoadBalancer") (not .Values.externalAccess.autoDiscovery.enabled) (eq $loadBalancerNameListLength 0) (eq $loadBalancerIPListLength 0) }} -kafka: externalAccess.service.loadBalancerNames or externalAccess.service.loadBalancerIPs +{{- $loadBalancerNameListLength := len .Values.externalAccess.controller.service.loadBalancerNames -}} +{{- $loadBalancerIPListLength := len .Values.externalAccess.controller.service.loadBalancerIPs -}} +{{- if and .Values.externalAccess.enabled (or .Values.externalAccess.controller.forceExpose (not .Values.controller.controllerOnly)) (eq .Values.externalAccess.controller.service.type "LoadBalancer") (not .Values.externalAccess.autoDiscovery.enabled) (eq $loadBalancerNameListLength 0) (eq $loadBalancerIPListLength 0) }} +kafka: externalAccess.controller.service.loadBalancerNames or externalAccess.controller.service.loadBalancerIPs By specifying "externalAccess.enabled=true", "externalAccess.autoDiscovery.enabled=false" and - "externalAccess.service.type=LoadBalancer" at least one of externalAccess.service.loadBalancerNames - or externalAccess.service.loadBalancerIPs must be set and the length of those arrays must be equal + "externalAccess.controller.service.type=LoadBalancer" at least one of externalAccess.controller.service.loadBalancerNames + or externalAccess.controller.service.loadBalancerIPs must be set and the length of those arrays must be equal + to the number of replicas. +{{- end -}} +{{- $loadBalancerNameListLength := len .Values.externalAccess.broker.service.loadBalancerNames -}} +{{- $loadBalancerIPListLength := len .Values.externalAccess.broker.service.loadBalancerIPs -}} +{{- $replicaCount := int .Values.broker.replicaCount }} +{{- if and .Values.externalAccess.enabled (gt 0 $replicaCount) (eq .Values.externalAccess.broker.service.type "LoadBalancer") (not .Values.externalAccess.autoDiscovery.enabled) (eq $loadBalancerNameListLength 0) (eq $loadBalancerIPListLength 0) }} +kafka: externalAccess.broker.service.loadBalancerNames or externalAccess.broker.service.loadBalancerIPs + By specifying "externalAccess.enabled=true", "externalAccess.autoDiscovery.enabled=false" and + "externalAccess.broker.service.type=LoadBalancer" at least one of externalAccess.broker.service.loadBalancerNames + or externalAccess.broker.service.loadBalancerIPs must be set and the length of those arrays must be equal to the number of replicas. {{- end -}} {{- end -}} {{/* Validate values of Kafka - number of replicas must be the same as loadBalancerIPs list */}} {{- define "kafka.validateValues.externalAccessServiceList" -}} -{{- $replicaCount := int .context.Values.replicaCount }} -{{- $listLength := len (get .context.Values.externalAccess.service .element) -}} -{{- if and .context.Values.externalAccess.enabled (not .context.Values.externalAccess.autoDiscovery.enabled) (eq .context.Values.externalAccess.service.type "LoadBalancer") (gt $listLength 0) (not (eq $replicaCount $listLength)) }} +{{- $replicaCount := int .context.Values.controller.replicaCount }} +{{- $listLength := len (get .context.Values.externalAccess.controller.service .element) -}} +{{- if and .context.Values.externalAccess.enabled (or .context.Values.externalAccess.controller.forceExpose (not .context.Values.controller.controllerOnly)) (not .context.Values.externalAccess.autoDiscovery.enabled) (eq .context.Values.externalAccess.controller.service.type "LoadBalancer") (gt $listLength 0) (not (eq $replicaCount $listLength)) }} +kafka: externalAccess.service.{{ .element }} + Number of replicas and {{ .element }} array length must be the same. Currently: replicaCount = {{ $replicaCount }} and {{ .element }} = {{ $listLength }} +{{- end -}} +{{- $replicaCount := int .context.Values.broker.replicaCount }} +{{- $listLength := len (get .context.Values.externalAccess.broker.service .element) -}} +{{- if and .context.Values.externalAccess.enabled (gt 0 $replicaCount) (not .context.Values.externalAccess.autoDiscovery.enabled) (eq .context.Values.externalAccess.broker.service.type "LoadBalancer") (gt $listLength 0) (not (eq $replicaCount $listLength)) }} kafka: externalAccess.service.{{ .element }} Number of replicas and {{ .element }} array length must be the same. Currently: replicaCount = {{ $replicaCount }} and {{ .element }} = {{ $listLength }} {{- end -}} @@ -487,74 +993,81 @@ kafka: externalAccess.service.{{ .element }} {{/* Validate values of Kafka - SASL mechanisms must be provided when using SASL */}} {{- define "kafka.validateValues.saslMechanisms" -}} -{{- if and (or (.Values.auth.clientProtocol | regexFind "sasl") (.Values.auth.interBrokerProtocol | regexFind "sasl") (and .Values.zookeeper.auth.client.enabled .Values.auth.sasl.jaas.zookeeperUser)) (not .Values.auth.sasl.mechanisms) }} -kafka: auth.sasl.mechanisms - The SASL mechanisms are required when either auth.clientProtocol or auth.interBrokerProtocol use SASL or Zookeeper user is provided. +{{- if and (include "kafka.saslEnabled" .) (not .Values.sasl.enabledMechanisms) }} +kafka: sasl.enabledMechanisms + The SASL mechanisms are required when listeners use SASL security protocol. {{- end }} -{{- if not (contains .Values.auth.sasl.interBrokerMechanism .Values.auth.sasl.mechanisms) }} -kafka: auth.sasl.mechanisms - auth.sasl.interBrokerMechanism must be provided and it should be one of the specified mechanisms at auth.saslMechanisms +{{- if not (contains .Values.sasl.interBrokerMechanism .Values.sasl.enabledMechanisms) }} +kafka: sasl.enabledMechanisms + sasl.interBrokerMechanism must be provided and it should be one of the specified mechanisms at sasl.enabledMechanisms +{{- end -}} +{{- if and .Values.kraft.enabled (not (contains .Values.sasl.controllerMechanism .Values.sasl.enabledMechanisms)) }} +kafka: sasl.enabledMechanisms + sasl.controllerMechanism must be provided and it should be one of the specified mechanisms at sasl.enabledMechanisms {{- end -}} {{- end -}} {{/* Validate values of Kafka - Secrets containing TLS certs must be provided when TLS authentication is enabled */}} -{{- define "kafka.validateValues.tlsSecrets" -}} -{{- if and (include "kafka.tlsEncryption" .) (eq .Values.auth.tls.type "jks") (empty .Values.auth.tls.existingSecrets) }} -kafka: auth.tls.existingSecrets +{{- define "kafka.validateValues.tlsSecret" -}} +{{- if and (include "kafka.sslEnabled" .) (eq (upper .Values.tls.type) "JKS") (empty .Values.tls.existingSecret) (not .Values.tls.autoGenerated) }} +kafka: tls.existingSecret A secret containing the Kafka JKS keystores and truststore is required when TLS encryption in enabled and TLS format is "JKS" -{{- else if and (include "kafka.tlsEncryption" .) (eq .Values.auth.tls.type "pem") (empty .Values.auth.tls.existingSecrets) (not .Values.auth.tls.autoGenerated) }} -kafka: auth.tls.existingSecrets +{{- else if and (include "kafka.sslEnabled" .) (eq (upper .Values.tls.type) "PEM") (empty .Values.tls.existingSecret) (not .Values.tls.autoGenerated) }} +kafka: tls.existingSecret A secret containing the Kafka TLS certificates and keys is required when TLS encryption in enabled and TLS format is "PEM" {{- end -}} {{- end -}} -{{/* Validate values of Kafka - The number of secrets containing TLS certs should be equal to the number of replicas */}} -{{- define "kafka.validateValues.tlsSecrets.length" -}} -{{- $replicaCount := int .Values.replicaCount }} -{{- if and (include "kafka.tlsEncryption" .) (not (empty .Values.auth.tls.existingSecrets)) }} -{{- $existingSecretsLength := len .Values.auth.tls.existingSecrets }} -{{- if ne $replicaCount $existingSecretsLength }} -kafka: .Values.auth.tls.existingSecrets - Number of replicas and existingSecrets array length must be the same. Currently: replicaCount = {{ $replicaCount }} and existingSecrets = {{ $existingSecretsLength }} -{{- end -}} -{{- end -}} -{{- end -}} - {{/* Validate values of Kafka provisioning - keyPasswordSecretKey, keystorePasswordSecretKey or truststorePasswordSecretKey must not be used without passwordsSecret */}} -{{- define "kafka.validateValues.tlsPasswords" -}} -{{- if and (include "kafka.client.tlsEncryption" .) .Values.provisioning.enabled (not .Values.provisioning.auth.tls.passwordsSecret) }} +{{- define "kafka.validateValues.provisioning.tlsPasswords" -}} +{{- if and (regexFind "SSL" (upper .Values.listeners.client.protocol)) .Values.provisioning.enabled (not .Values.provisioning.auth.tls.passwordsSecret) }} {{- if or .Values.provisioning.auth.tls.keyPasswordSecretKey .Values.provisioning.auth.tls.keystorePasswordSecretKey .Values.provisioning.auth.tls.truststorePasswordSecretKey }} -kafka: auth.tls.keyPasswordSecretKey,auth.tls.keystorePasswordSecretKey,auth.tls.truststorePasswordSecretKey - auth.tls.keyPasswordSecretKey,auth.tls.keystorePasswordSecretKey,auth.tls.truststorePasswordSecretKey +kafka: tls.keyPasswordSecretKey,tls.keystorePasswordSecretKey,tls.truststorePasswordSecretKey + tls.keyPasswordSecretKey,tls.keystorePasswordSecretKey,tls.truststorePasswordSecretKey must not be used without passwordsSecret setted. {{- end -}} {{- end -}} {{- end -}} -{{/* Validate values of Kafka Kraft mode. It cannot be used with zookeeper */}} +{{/* Validate values of Kafka Kraft mode. It cannot be used with Zookeeper unless migration is enabled */}} {{- define "kafka.validateValues.kraftMode" -}} -{{- $externalZKlen := len .Values.externalZookeeper.servers}} -{{- if and .Values.kraft.enabled (or .Values.zookeeper.enabled (gt $externalZKlen 0)) }} -kafka: Kraft mode - You cannot use Kraft mode and Zookeeper at the same time. They are mutually exclusive. Disable zookeeper in '.Values.zookeeper.enabled' and delete values from '.Values.externalZookeeper.servers' if you want to use Kraft mode +{{- if and .Values.kraft.enabled (or .Values.zookeeper.enabled .Values.externalZookeeper.servers) (and (not .Values.controller.zookeeperMigrationMode ) (not .Values.broker.zookeeperMigrationMode )) }} +kafka: Simultaneous KRaft and Zookeeper modes + Both Zookeeper and KRaft modes have been configured simultaneously, but migration mode has not been enabled. {{- end -}} {{- end -}} -{{/* Validate ClusterId value. It must be defined if Kraft mode is used. */}} -{{- define "kafka.validateValues.ClusterIdDefinedIfKraft" -}} -{{- if and .Values.kraft.enabled (not .Values.kraft.clusterId) (gt (int .Values.replicaCount) 1) }} -kafka: Kraft mode - .Values.kraft.clusterId must not be empty if .Values.kraft.enabled set to true and .Values.replicaCount > 1. +{{/* Validate values of Kafka Kraft mode. At least 1 controller is configured or controller.quorum.voters is set */}} +{{- define "kafka.validateValues.kraftMissingControllers" -}} +{{- if and .Values.kraft.enabled (le (int .Values.controller.replicaCount) 0) (not .Values.kraft.controllerQuorumVoters) }} +kafka: Kraft mode - Missing controller-eligible nodes + Kraft mode has been enabled, but no controller-eligible nodes have been configured {{- end -}} {{- end -}} -{{/* Validate controllerQuorumVoters value. It must be defined if it is broker-only deployment. */}} -{{- define "kafka.validateValues.controllerQuorumVotersDefinedIfKraft" -}} -{{- if and .Values.kraft.enabled (not .Values.kraft.controllerQuorumVoters) (not (contains "controller" .Values.kraft.processRoles)) }} -kafka: Kraft mode - .Values.kraft.controllerQuorumVoters must not be empty if .Values.kraft.enabled set to true and .Values.kraft.processRoles does not contain "controller". - If you deploy brokers without controllers you have to define external controllers with .Values.kraft.controllerQuorumVoters +{{/* Validate values of Kafka Zookeper mode. At least 1 broker is configured */}} +{{- define "kafka.validateValues.zookeeperMissingBrokers" -}} +{{- if and (or .Values.zookeeper.enabled .Values.externalZookeeper.servers) (le (int .Values.broker.replicaCount) 0)}} +kafka: Zookeeper mode - No Kafka brokers configured + Zookeper mode has been enabled, but no Kafka brokers nodes have been configured +{{- end -}} +{{- end -}} + +{{/* Validate values of Kafka Zookeper mode. Controller nodes not enabled in Zookeeper mode unless migration enabled */}} +{{- define "kafka.validateValues.zookeeperNoControllers" -}} +{{- if and (or .Values.zookeeper.enabled .Values.externalZookeeper.servers) (gt (int .Values.controller.replicaCount) 0) (and (not .Values.controller.zookeeperMigrationMode ) (not .Values.broker.zookeeperMigrationMode )) }} +kafka: Zookeeper mode - Controller nodes not supported + Controller replicas have been enabled in Zookeeper mode, set controller.replicaCount to zero or enable migration mode to migrate to Kraft mode +{{- end -}} +{{- end -}} + +{{/* Validate either KRaft or Zookeeper mode are enabled */}} +{{- define "kafka.validateValues.modeEmpty" -}} +{{- if and (not .Values.kraft.enabled) (not (or .Values.zookeeper.enabled .Values.externalZookeeper.servers)) }} +kafka: Missing KRaft or Zookeeper mode settings + The Kafka chart has been deployed but neither KRaft or Zookeeper modes have been enabled. + Please configure 'kraft.enabled', 'zookeeper.enabled' or `externalZookeeper.servers` before proceeding. {{- end -}} {{- end -}} diff --git a/charts/bitnami/kafka/templates/broker/configmap.yaml b/charts/bitnami/kafka/templates/broker/configmap.yaml new file mode 100644 index 000000000..2b6129e38 --- /dev/null +++ b/charts/bitnami/kafka/templates/broker/configmap.yaml @@ -0,0 +1,50 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- $replicaCount := int .Values.broker.replicaCount }} +{{- if and (include "kafka.broker.createConfigmap" .) (gt $replicaCount 0) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-broker-configuration" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: broker + app.kubernetes.io/part-of: kafka + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + {{- if or .Values.config .Values.broker.config }} + server.properties: {{- include "common.tplvalues.render" ( dict "value" (coalesce .Values.broker.config .Values.config) "context" $ ) | nindent 4 }} + {{- else }} + server.properties: |- + # Listeners configuration + listeners={{ include "kafka.listeners" ( dict "isController" false "context" $ ) }} + listener.security.protocol.map={{ include "kafka.securityProtocolMap" . }} + advertised.listeners={{ include "kafka.advertisedListeners" . }} + {{- if .Values.kraft.enabled }} + {{- if not .Values.broker.zookeeperMigrationMode }} + # KRaft node role + process.roles=broker + {{- end -}} + {{- include "kafka.kraftConfig" . | nindent 4 }} + {{- end }} + {{- if or .Values.zookeeper.enabled .Values.externalZookeeper.servers }} + # Zookeeper configuration + {{- include "kafka.zookeeperConfig" . | nindent 4 }} + {{- if .Values.broker.zookeeperMigrationMode }} + zookeeper.metadata.migration.enable=true + inter.broker.protocol.version={{ default (regexFind "^[0-9].[0-9]+" .Chart.AppVersion) .Values.interBrokerProtocolVersion }} + {{- end }} + {{- end }} + {{- include "kafka.commonConfig" . | nindent 4 }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraConfig "context" $ ) | nindent 4 }} + {{- include "common.tplvalues.render" ( dict "value" .Values.broker.extraConfig "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/bitnami/kafka/templates/poddisruptionbudget.yaml b/charts/bitnami/kafka/templates/broker/pdb.yaml similarity index 58% rename from charts/bitnami/kafka/templates/poddisruptionbudget.yaml rename to charts/bitnami/kafka/templates/broker/pdb.yaml index f991a0c3a..5892055e9 100644 --- a/charts/bitnami/kafka/templates/poddisruptionbudget.yaml +++ b/charts/bitnami/kafka/templates/broker/pdb.yaml @@ -3,15 +3,16 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- $replicaCount := int .Values.replicaCount }} -{{- if and .Values.pdb.create (gt $replicaCount 1) }} +{{- $replicaCount := int .Values.broker.replicaCount }} +{{- if and .Values.broker.pdb.create (gt $replicaCount 0) }} apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: kafka + app.kubernetes.io/component: broker + app.kubernetes.io/part-of: kafka {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} {{- end }} @@ -19,13 +20,14 @@ metadata: annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} spec: - {{- if .Values.pdb.minAvailable }} - minAvailable: {{ .Values.pdb.minAvailable }} + {{- if .Values.broker.pdb.minAvailable }} + minAvailable: {{ .Values.broker.pdb.minAvailable }} {{- end }} - {{- if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- if .Values.broker.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.broker.pdb.maxUnavailable }} {{- end }} selector: matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - app.kubernetes.io/component: kafka + app.kubernetes.io/component: broker + app.kubernetes.io/part-of: kafka {{- end }} diff --git a/charts/bitnami/kafka/templates/broker/statefulset.yaml b/charts/bitnami/kafka/templates/broker/statefulset.yaml new file mode 100644 index 000000000..0ae0c7663 --- /dev/null +++ b/charts/bitnami/kafka/templates/broker/statefulset.yaml @@ -0,0 +1,452 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- $replicaCount := int .Values.broker.replicaCount }} +{{- if gt $replicaCount 0 }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ printf "%s-broker" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: broker + app.kubernetes.io/part-of: kafka + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podManagementPolicy: {{ .Values.broker.podManagementPolicy }} + replicas: {{ .Values.broker.replicaCount }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: broker + app.kubernetes.io/part-of: kafka + serviceName: {{ printf "%s-broker-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + updateStrategy: {{- include "common.tplvalues.render" (dict "value" .Values.broker.updateStrategy "context" $ ) | nindent 4 }} + template: + metadata: + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: broker + app.kubernetes.io/part-of: kafka + {{- if .Values.broker.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.broker.podLabels "context" $) | nindent 8 }} + {{- end }} + annotations: + {{- if (include "kafka.broker.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/broker/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if (include "kafka.createSaslSecret" .) }} + checksum/passwords-secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + {{- end }} + {{- if (include "kafka.createTlsSecret" .) }} + checksum/tls-secret: {{ include (print $.Template.BasePath "/tls-secret.yaml") . | sha256sum }} + {{- end }} + {{- if (include "kafka.metrics.jmx.createConfigmap" .) }} + checksum/jmx-configuration: {{ include (print $.Template.BasePath "/metrics/jmx-configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.broker.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.broker.podAnnotations "context" $) | nindent 8 }} + {{- end }} + spec: + {{- include "kafka.imagePullSecrets" . | nindent 6 }} + {{- if .Values.broker.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.broker.hostAliases "context" $) | nindent 8 }} + {{- end }} + hostNetwork: {{ .Values.broker.hostNetwork }} + hostIPC: {{ .Values.broker.hostIPC }} + {{- if .Values.broker.schedulerName }} + schedulerName: {{ .Values.broker.schedulerName | quote }} + {{- end }} + {{- if .Values.broker.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.broker.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.broker.podAffinityPreset "component" "kafka" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.broker.podAntiAffinityPreset "component" "kafka" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.broker.nodeAffinityPreset.type "key" .Values.broker.nodeAffinityPreset.key "values" .Values.broker.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.broker.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.broker.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.broker.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.broker.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.broker.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.broker.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.broker.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.broker.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.broker.priorityClassName }} + priorityClassName: {{ .Values.broker.priorityClassName }} + {{- end }} + {{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} + {{- end }} + {{- if .Values.broker.podSecurityContext.enabled }} + securityContext: {{- omit .Values.broker.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "kafka.serviceAccountName" . }} + initContainers: + {{- if and .Values.volumePermissions.enabled .Values.broker.persistence.enabled }} + - name: volume-permissions + image: {{ include "kafka.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + args: + - -ec + - | + mkdir -p "{{ .Values.broker.persistence.mountPath }}" "{{ .Values.broker.logPersistence.mountPath }}" + chown -R {{ .Values.broker.containerSecurityContext.runAsUser }}:{{ .Values.broker.podSecurityContext.fsGroup }} "{{ .Values.broker.persistence.mountPath }}" "{{ .Values.broker.logPersistence.mountPath }}" + find "{{ .Values.broker.persistence.mountPath }}" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.broker.containerSecurityContext.runAsUser }}:{{ .Values.broker.podSecurityContext.fsGroup }} + find "{{ .Values.broker.logPersistence.mountPath }}" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.broker.containerSecurityContext.runAsUser }}:{{ .Values.broker.podSecurityContext.fsGroup }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: data + mountPath: {{ .Values.broker.persistence.mountPath }} + - name: logs + mountPath: {{ .Values.broker.logPersistence.mountPath }} + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }} + {{- include "kafka.autoDiscoveryInitContainer" ( dict "role" "broker" "context" $) | nindent 8 }} + {{- end }} + {{- include "kafka.prepareKafkaInitContainer" ( dict "role" "broker" "context" $) | nindent 8 }} + {{- if .Values.broker.initContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.broker.initContainers "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.initContainers "context" $ ) | nindent 8 }} + {{- end }} + containers: + - name: kafka + image: {{ include "kafka.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.broker.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.broker.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.broker.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.broker.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.broker.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.broker.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: KAFKA_HEAP_OPTS + value: {{ coalesce .Values.broker.heapOpts .Values.heapOpts | quote }} + {{- if .Values.kraft.enabled }} + - name: KAFKA_KRAFT_CLUSTER_ID + valueFrom: + secretKeyRef: + name: {{ printf "%s-kraft-cluster-id" (include "common.names.fullname" .) }} + key: kraft-cluster-id + {{- if .Values.broker.zookeeperMigrationMode }} + - name: KAFKA_SKIP_KRAFT_STORAGE_INIT + value: "true" + {{- end }} + {{- end }} + {{- if and (include "kafka.saslEnabled" .) (or (regexFind "SCRAM" (upper .Values.sasl.enabledMechanisms)) (regexFind "SCRAM" (upper .Values.sasl.controllerMechanism)) (regexFind "SCRAM" (upper .Values.sasl.interBrokerMechanism))) }} + {{- if or .Values.zookeeper.enabled .Values.externalZookeeper.servers }} + - name: KAFKA_ZOOKEEPER_BOOTSTRAP_SCRAM_USERS + value: "true" + {{- else }} + - name: KAFKA_KRAFT_BOOTSTRAP_SCRAM_USERS + value: "true" + {{- end }} + {{- if and (include "kafka.client.saslEnabled" . ) .Values.sasl.client.users }} + - name: KAFKA_CLIENT_USERS + value: {{ join "," .Values.sasl.client.users | quote }} + - name: KAFKA_CLIENT_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "kafka.saslSecretName" . }} + key: client-passwords + {{- end }} + {{- if regexFind "SASL" (upper .Values.listeners.interbroker.protocol) }} + - name: KAFKA_INTER_BROKER_USER + value: {{ .Values.sasl.interbroker.user | quote }} + - name: KAFKA_INTER_BROKER_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "kafka.saslSecretName" . }} + key: inter-broker-password + {{- end }} + {{- if and .Values.kraft.enabled (regexFind "SASL" (upper .Values.listeners.controller.protocol)) }} + - name: KAFKA_CONTROLLER_USER + value: {{ .Values.sasl.controller.user | quote }} + - name: KAFKA_CONTROLLER_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "kafka.saslSecretName" . }} + key: controller-password + {{- end }} + {{- end }} + {{- if .Values.metrics.jmx.enabled }} + - name: JMX_PORT + value: {{ .Values.metrics.jmx.kafkaJmxPort | quote }} + {{- end }} + {{- if .Values.broker.extraEnvVars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.broker.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.broker.extraEnvVarsCM .Values.extraEnvVarsCM .Values.broker.extraEnvVarsSecret .Values.extraEnvVarsSecret }} + envFrom: + {{- if .Values.broker.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.broker.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.broker.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.broker.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- end }} + ports: + - name: client + containerPort: {{ .Values.listeners.client.containerPort }} + - name: interbroker + containerPort: {{ .Values.listeners.interbroker.containerPort }} + {{- if .Values.externalAccess.enabled }} + - name: external + containerPort: {{ .Values.listeners.external.containerPort }} + {{- end }} + {{- if .Values.listeners.extraListeners }} + {{- include "kafka.extraListeners.containerPorts" . | nindent 12 }} + {{- end }} + {{- if .Values.broker.extraContainerPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.broker.extraContainerPorts "context" $) | nindent 12 }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.broker.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.broker.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.broker.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.broker.livenessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: "client" + {{- end }} + {{- if .Values.broker.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.broker.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.broker.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.broker.readinessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: "client" + {{- end }} + {{- if .Values.broker.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.broker.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.broker.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.broker.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: "client" + {{- end }} + {{- end }} + {{- if .Values.broker.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.broker.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.broker.resources }} + resources: {{- toYaml .Values.broker.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: data + mountPath: {{ .Values.broker.persistence.mountPath }} + - name: logs + mountPath: {{ .Values.broker.logPersistence.mountPath }} + - name: kafka-config + mountPath: /opt/bitnami/kafka/config/server.properties + subPath: server.properties + - name: tmp + mountPath: /tmp + {{- if or .Values.log4j .Values.existingLog4jConfigMap }} + - name: log4j-config + mountPath: /opt/bitnami/kafka/config/log4j.properties + subPath: log4j.properties + {{- end }} + {{- if or .Values.tls.zookeeper.enabled (include "kafka.sslEnabled" .) }} + - name: kafka-shared-certs + mountPath: /opt/bitnami/kafka/config/certs + readOnly: true + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.broker.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.broker.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.jmx.enabled }} + - name: jmx-exporter + image: {{ include "kafka.metrics.jmx.image" . }} + imagePullPolicy: {{ .Values.metrics.jmx.image.pullPolicy | quote }} + {{- if .Values.metrics.jmx.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.metrics.jmx.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else }} + command: + - java + args: + - -XX:MaxRAMPercentage=100 + - -XshowSettings:vm + - -jar + - jmx_prometheus_httpserver.jar + - "5556" + - /etc/jmx-kafka/jmx-kafka-prometheus.yml + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.metrics.jmx.containerPorts.metrics }} + {{- if .Values.metrics.jmx.resources }} + resources: {{- toYaml .Values.metrics.jmx.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: jmx-config + mountPath: /etc/jmx-kafka + {{- end }} + {{- if .Values.broker.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.broker.sidecars "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: kafka-configmaps + configMap: + name: {{ include "kafka.broker.configmapName" . }} + - name: kafka-config + emptyDir: {} + - name: tmp + emptyDir: {} + - name: scripts + configMap: + name: {{ include "common.names.fullname" . }}-scripts + defaultMode: 0755 + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }} + - name: kafka-autodiscovery-shared + emptyDir: {} + {{- end }} + {{- if or .Values.log4j .Values.existingLog4jConfigMap }} + - name: log4j-config + configMap: + name: {{ include "kafka.log4j.configMapName" . }} + {{- end }} + {{- if .Values.metrics.jmx.enabled }} + - name: jmx-config + configMap: + name: {{ include "kafka.metrics.jmx.configmapName" . }} + {{- end }} + {{- if or .Values.tls.zookeeper.enabled (include "kafka.sslEnabled" .) }} + - name: kafka-shared-certs + emptyDir: {} + {{- if and (include "kafka.sslEnabled" .) (or .Values.tls.existingSecret .Values.tls.autoGenerated) }} + - name: kafka-certs + projected: + defaultMode: 256 + sources: + - secret: + name: {{ include "kafka.tlsSecretName" . }} + {{- if .Values.tls.jksTruststoreSecret }} + - secret: + name: {{ .Values.tls.jksTruststoreSecret }} + {{- end }} + {{- end }} + {{- if and .Values.tls.zookeeper.enabled .Values.tls.zookeeper.existingSecret }} + - name: kafka-zookeeper-cert + secret: + secretName: {{ .Values.tls.zookeeper.existingSecret }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.broker.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.broker.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if not .Values.broker.persistence.enabled }} + - name: data + emptyDir: {} + {{- else if .Values.broker.persistence.existingClaim }} + - name: data + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.broker.persistence.existingClaim .) }} + {{- end }} + {{- if not .Values.broker.logPersistence.enabled }} + - name: logs + emptyDir: {} + {{- else if .Values.broker.logPersistence.existingClaim }} + - name: logs + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.broker.logPersistence.existingClaim .) }} + {{- end }} + {{- if or (and .Values.broker.persistence.enabled (not .Values.broker.persistence.existingClaim)) (and .Values.broker.logPersistence.enabled (not .Values.broker.logPersistence.existingClaim)) }} + volumeClaimTemplates: + {{- if and .Values.broker.persistence.enabled (not .Values.broker.persistence.existingClaim) }} + - metadata: + name: data + {{- if .Values.broker.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.broker.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.broker.persistence.labels }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.broker.persistence.labels "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.broker.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.broker.persistence.size | quote }} + {{- include "common.storage.class" (dict "persistence" .Values.broker.persistence "global" .Values.global) | nindent 8 }} + {{- if .Values.broker.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.broker.persistence.selector "context" $) | nindent 10 }} + {{- end -}} + {{- end }} + {{- if and .Values.broker.logPersistence.enabled (not .Values.broker.logPersistence.existingClaim) }} + - metadata: + name: logs + {{- if .Values.broker.logPersistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.broker.logPersistence.annotations "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.broker.logPersistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.broker.logPersistence.size | quote }} + {{- include "common.storage.class" (dict "persistence" .Values.broker.persistence "global" .Values.global) | nindent 8 }} + {{- if .Values.broker.logPersistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.broker.logPersistence.selector "context" $) | nindent 10 }} + {{- end -}} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/bitnami/kafka/templates/broker/svc-external-access.yaml b/charts/bitnami/kafka/templates/broker/svc-external-access.yaml new file mode 100644 index 000000000..5db705de8 --- /dev/null +++ b/charts/bitnami/kafka/templates/broker/svc-external-access.yaml @@ -0,0 +1,69 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.externalAccess.enabled }} +{{- $fullname := include "common.names.fullname" . }} +{{- $replicaCount := .Values.broker.replicaCount | int }} +{{- range $i := until $replicaCount }} +{{- $targetPod := printf "%s-broker-%d" (printf "%s" $fullname) $i }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-%d-external" (include "common.names.fullname" $) $i | trunc 63 | trimSuffix "-" }} + namespace: {{ include "common.names.namespace" $ | quote }} + labels: {{- include "common.labels.standard" $ | nindent 4 }} + app.kubernetes.io/component: kafka + pod: {{ $targetPod }} + {{- if $.Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if $.Values.externalAccess.broker.service.labels }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.externalAccess.broker.service.labels "context" $) | nindent 4 }} + {{- end }} + {{- if or $.Values.externalAccess.broker.service.annotations $.Values.commonAnnotations $.Values.externalAccess.broker.service.loadBalancerAnnotations }} + annotations: + {{- if and (not (empty $.Values.externalAccess.broker.service.loadBalancerAnnotations)) (eq (len $.Values.externalAccess.broker.service.loadBalancerAnnotations) $replicaCount) }} + {{ include "common.tplvalues.render" ( dict "value" (index $.Values.externalAccess.broker.service.loadBalancerAnnotations $i) "context" $) | nindent 4 }} + {{- end }} + {{- if $.Values.externalAccess.broker.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.externalAccess.broker.service.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if $.Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: {{ $.Values.externalAccess.broker.service.type }} + {{- if eq $.Values.externalAccess.broker.service.type "LoadBalancer" }} + {{- if and (not (empty $.Values.externalAccess.broker.service.loadBalancerIPs)) (eq (len $.Values.externalAccess.broker.service.loadBalancerIPs) $replicaCount) }} + loadBalancerIP: {{ index $.Values.externalAccess.broker.service.loadBalancerIPs $i }} + {{- end }} + {{- if $.Values.externalAccess.broker.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml $.Values.externalAccess.broker.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- end }} + publishNotReadyAddresses: {{ $.Values.externalAccess.broker.service.publishNotReadyAddresses }} + ports: + - name: tcp-kafka + port: {{ $.Values.externalAccess.broker.service.ports.external }} + {{- if le (add $i 1) (len $.Values.externalAccess.broker.service.nodePorts) }} + nodePort: {{ index $.Values.externalAccess.broker.service.nodePorts $i }} + {{- else }} + nodePort: null + {{- end }} + targetPort: external + {{- if $.Values.externalAccess.broker.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" $.Values.externalAccess.broker.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- if and (eq $.Values.externalAccess.broker.service.type "NodePort") (le (add $i 1) (len $.Values.externalAccess.broker.service.externalIPs)) }} + externalIPs: [{{ index $.Values.externalAccess.broker.service.externalIPs $i | quote }}] + {{- end }} + selector: {{- include "common.labels.matchLabels" $ | nindent 4 }} + app.kubernetes.io/part-of: kafka + app.kubernetes.io/component: broker + statefulset.kubernetes.io/pod-name: {{ $targetPod }} +--- +{{- end }} +{{- end }} diff --git a/charts/bitnami/kafka/templates/broker/svc-headless.yaml b/charts/bitnami/kafka/templates/broker/svc-headless.yaml new file mode 100644 index 000000000..f1282037b --- /dev/null +++ b/charts/bitnami/kafka/templates/broker/svc-headless.yaml @@ -0,0 +1,47 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- $replicaCount := int .Values.broker.replicaCount }} +{{- if gt $replicaCount 0 }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-broker-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: broker + app.kubernetes.io/part-of: kafka + {{- if .Values.service.headless.broker.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.service.headless.broker.labels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.service.headless.broker.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.service.headless.broker.annotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.headless.broker.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: ClusterIP + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: tcp-interbroker + port: {{ .Values.service.ports.interbroker }} + protocol: TCP + targetPort: interbroker + - name: tcp-client + port: {{ .Values.service.ports.client }} + protocol: TCP + targetPort: client + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: broker + app.kubernetes.io/part-of: kafka +{{- end }} diff --git a/charts/bitnami/kafka/templates/configmap.yaml b/charts/bitnami/kafka/templates/configmap.yaml deleted file mode 100644 index 0c37ad571..000000000 --- a/charts/bitnami/kafka/templates/configmap.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if (include "kafka.createConfigmap" .) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ printf "%s-configuration" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -data: - server.properties: |- - {{ .Values.config | nindent 4 }} -{{- end -}} diff --git a/charts/bitnami/kafka/templates/controller-eligible/configmap.yaml b/charts/bitnami/kafka/templates/controller-eligible/configmap.yaml new file mode 100644 index 000000000..53912b528 --- /dev/null +++ b/charts/bitnami/kafka/templates/controller-eligible/configmap.yaml @@ -0,0 +1,49 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- $replicaCount := int .Values.controller.replicaCount }} +{{- if and .Values.kraft.enabled (include "kafka.controller.createConfigmap" .) (gt $replicaCount 0)}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-controller-configuration" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: controller-eligible + app.kubernetes.io/part-of: kafka + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + {{- if or .Values.config .Values.controller.config }} + server.properties: {{- include "common.tplvalues.render" ( dict "value" (coalesce .Values.controller.config .Values.config) "context" $ ) | nindent 4 }} + {{- else }} + server.properties: |- + # Listeners configuration + listeners={{ include "kafka.listeners" ( dict "isController" true "context" $ ) }} + {{- if not .Values.controller.controllerOnly }} + advertised.listeners={{ include "kafka.advertisedListeners" . }} + {{- end }} + listener.security.protocol.map={{ include "kafka.securityProtocolMap" . }} + {{- if .Values.kraft.enabled }} + # KRaft process roles + process.roles={{ ternary "controller" "controller,broker" .Values.controller.controllerOnly }} + {{- include "kafka.kraftConfig" . | nindent 4 }} + {{- end }} + {{- if or .Values.zookeeper.enabled .Values.externalZookeeper.servers }} + # Zookeeper configuration + zookeeper.metadata.migration.enable=true + inter.broker.protocol.version=3.4 + inter.broker.protocol.version={{ default (regexFind "^[0-9].[0-9]+" .Chart.AppVersion) .Values.interBrokerProtocolVersion }} + {{- include "kafka.zookeeperConfig" . | nindent 4 }} + {{- end }} + {{- include "kafka.commonConfig" . | nindent 4 }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraConfig "context" $ ) | nindent 4 }} + {{- include "common.tplvalues.render" ( dict "value" .Values.controller.extraConfig "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/bitnami/kafka/templates/controller-eligible/pdb.yaml b/charts/bitnami/kafka/templates/controller-eligible/pdb.yaml new file mode 100644 index 000000000..6056b0a74 --- /dev/null +++ b/charts/bitnami/kafka/templates/controller-eligible/pdb.yaml @@ -0,0 +1,33 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- $replicaCount := int .Values.controller.replicaCount }} +{{- if and .Values.controller.pdb.create .Values.kraft.enabled (gt $replicaCount 0) }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ printf "%s-controller" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: controller-eligible + app.kubernetes.io/part-of: kafka + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.controller.pdb.minAvailable }} + minAvailable: {{ .Values.controller.pdb.minAvailable }} + {{- end }} + {{- if .Values.controller.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.controller.pdb.maxUnavailable }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: controller-only + app.kubernetes.io/part-of: kafka +{{- end }} diff --git a/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml b/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml new file mode 100644 index 000000000..425cc0074 --- /dev/null +++ b/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml @@ -0,0 +1,445 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- $replicaCount := int .Values.controller.replicaCount }} +{{- if and .Values.kraft.enabled (gt $replicaCount 0) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ printf "%s-controller" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: controller-eligible + app.kubernetes.io/part-of: kafka + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podManagementPolicy: {{ .Values.controller.podManagementPolicy }} + replicas: {{ .Values.controller.replicaCount }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: controller-eligible + app.kubernetes.io/part-of: kafka + serviceName: {{ printf "%s-controller-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + updateStrategy: {{- include "common.tplvalues.render" (dict "value" .Values.controller.updateStrategy "context" $ ) | nindent 4 }} + template: + metadata: + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: controller-eligible + app.kubernetes.io/part-of: kafka + {{- if .Values.controller.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.controller.podLabels "context" $) | nindent 8 }} + {{- end }} + annotations: + {{- if (include "kafka.controller.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/controller-eligible/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if (include "kafka.createSaslSecret" .) }} + checksum/passwords-secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + {{- end }} + {{- if (include "kafka.createTlsSecret" .) }} + checksum/tls-secret: {{ include (print $.Template.BasePath "/tls-secret.yaml") . | sha256sum }} + {{- end }} + {{- if (include "kafka.metrics.jmx.createConfigmap" .) }} + checksum/jmx-configuration: {{ include (print $.Template.BasePath "/metrics/jmx-configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.controller.podAnnotations "context" $) | nindent 8 }} + {{- end }} + spec: + {{- include "kafka.imagePullSecrets" . | nindent 6 }} + {{- if .Values.controller.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.controller.hostAliases "context" $) | nindent 8 }} + {{- end }} + hostNetwork: {{ .Values.controller.hostNetwork }} + hostIPC: {{ .Values.controller.hostIPC }} + {{- if .Values.controller.schedulerName }} + schedulerName: {{ .Values.controller.schedulerName | quote }} + {{- end }} + {{- if .Values.controller.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.controller.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.controller.podAffinityPreset "component" "kafka" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.controller.podAntiAffinityPreset "component" "kafka" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.controller.nodeAffinityPreset.type "key" .Values.controller.nodeAffinityPreset.key "values" .Values.controller.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.controller.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.controller.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.controller.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.controller.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.controller.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.controller.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} + {{- end }} + {{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} + {{- end }} + {{- if .Values.controller.podSecurityContext.enabled }} + securityContext: {{- omit .Values.controller.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "kafka.serviceAccountName" . }} + initContainers: + {{- if and .Values.volumePermissions.enabled .Values.controller.persistence.enabled }} + - name: volume-permissions + image: {{ include "kafka.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + args: + - -ec + - | + mkdir -p "{{ .Values.controller.persistence.mountPath }}" "{{ .Values.controller.logPersistence.mountPath }}" + chown -R {{ .Values.controller.containerSecurityContext.runAsUser }}:{{ .Values.controller.podSecurityContext.fsGroup }} "{{ .Values.controller.persistence.mountPath }}" "{{ .Values.controller.logPersistence.mountPath }}" + find "{{ .Values.controller.persistence.mountPath }}" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.controller.containerSecurityContext.runAsUser }}:{{ .Values.controller.podSecurityContext.fsGroup }} + find "{{ .Values.controller.logPersistence.mountPath }}" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.controller.containerSecurityContext.runAsUser }}:{{ .Values.controller.podSecurityContext.fsGroup }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: data + mountPath: {{ .Values.controller.persistence.mountPath }} + - name: logs + mountPath: {{ .Values.controller.logPersistence.mountPath }} + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (or .Values.externalAccess.controller.forceExpose (not .Values.controller.controllerOnly))}} + {{- include "kafka.autoDiscoveryInitContainer" ( dict "role" "controller" "context" $) | nindent 8 }} + {{- end }} + {{- include "kafka.prepareKafkaInitContainer" ( dict "role" "controller" "context" $) | nindent 8 }} + {{- if .Values.controller.initContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.controller.initContainers "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.initContainers "context" $ ) | nindent 8 }} + {{- end }} + containers: + - name: kafka + image: {{ include "kafka.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.controller.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.controller.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.controller.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.controller.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.controller.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.controller.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: KAFKA_HEAP_OPTS + value: {{ coalesce .Values.controller.heapOpts .Values.heapOpts | quote }} + - name: KAFKA_KRAFT_CLUSTER_ID + valueFrom: + secretKeyRef: + name: {{ printf "%s-kraft-cluster-id" (include "common.names.fullname" .) }} + key: kraft-cluster-id + {{- if and (include "kafka.saslEnabled" .) (or (regexFind "SCRAM" (upper .Values.sasl.enabledMechanisms)) (regexFind "SCRAM" (upper .Values.sasl.controllerMechanism)) (regexFind "SCRAM" (upper .Values.sasl.interBrokerMechanism))) }} + - name: KAFKA_KRAFT_BOOTSTRAP_SCRAM_USERS + value: "true" + {{- if and (include "kafka.client.saslEnabled" . ) .Values.sasl.client.users }} + - name: KAFKA_CLIENT_USERS + value: {{ join "," .Values.sasl.client.users | quote }} + - name: KAFKA_CLIENT_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "kafka.saslSecretName" . }} + key: client-passwords + {{- end }} + {{- if regexFind "SASL" (upper .Values.listeners.interbroker.protocol) }} + - name: KAFKA_INTER_BROKER_USER + value: {{ .Values.sasl.interbroker.user | quote }} + - name: KAFKA_INTER_BROKER_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "kafka.saslSecretName" . }} + key: inter-broker-password + {{- end }} + {{- if regexFind "SASL" (upper .Values.listeners.controller.protocol) }} + - name: KAFKA_CONTROLLER_USER + value: {{ .Values.sasl.controller.user | quote }} + - name: KAFKA_CONTROLLER_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "kafka.saslSecretName" . }} + key: controller-password + {{- end }} + {{- end }} + {{- if .Values.metrics.jmx.enabled }} + - name: JMX_PORT + value: {{ .Values.metrics.jmx.kafkaJmxPort | quote }} + {{- end }} + {{- if .Values.controller.extraEnvVars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.controller.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.controller.extraEnvVarsCM .Values.extraEnvVarsCM .Values.controller.extraEnvVarsSecret .Values.extraEnvVarsSecret }} + envFrom: + {{- if .Values.controller.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.controller.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.controller.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.controller.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- end }} + ports: + - name: controller + containerPort: {{ .Values.listeners.controller.containerPort }} + {{- if not .Values.controller.controllerOnly }} + - name: client + containerPort: {{ .Values.listeners.client.containerPort }} + - name: interbroker + containerPort: {{ .Values.listeners.interbroker.containerPort }} + {{- if .Values.externalAccess.enabled }} + - name: external + containerPort: {{ .Values.listeners.external.containerPort }} + {{- end }} + {{- if .Values.listeners.extraListeners }} + {{- include "kafka.extraListeners.containerPorts" . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.controller.extraContainerPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraContainerPorts "context" $) | nindent 12 }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.controller.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.controller.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.controller.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.controller.livenessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: "controller" + {{- end }} + {{- if .Values.controller.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.controller.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.controller.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.controller.readinessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: "controller" + {{- end }} + {{- if .Values.controller.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.controller.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.controller.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.controller.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: "controller" + {{- end }} + {{- end }} + {{- if .Values.controller.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.controller.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.controller.resources }} + resources: {{- toYaml .Values.controller.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: data + mountPath: {{ .Values.controller.persistence.mountPath }} + - name: logs + mountPath: {{ .Values.controller.logPersistence.mountPath }} + - name: kafka-config + mountPath: /opt/bitnami/kafka/config/server.properties + subPath: server.properties + - name: tmp + mountPath: /tmp + {{- if or .Values.log4j .Values.existingLog4jConfigMap }} + - name: log4j-config + mountPath: /opt/bitnami/kafka/config/log4j.properties + subPath: log4j.properties + {{- end }} + {{- if or .Values.tls.zookeeper.enabled (include "kafka.sslEnabled" .) }} + - name: kafka-shared-certs + mountPath: /opt/bitnami/kafka/config/certs + readOnly: true + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.controller.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.jmx.enabled }} + - name: jmx-exporter + image: {{ include "kafka.metrics.jmx.image" . }} + imagePullPolicy: {{ .Values.metrics.jmx.image.pullPolicy | quote }} + {{- if .Values.metrics.jmx.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.metrics.jmx.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else }} + command: + - java + args: + - -XX:MaxRAMPercentage=100 + - -XshowSettings:vm + - -jar + - jmx_prometheus_httpserver.jar + - "5556" + - /etc/jmx-kafka/jmx-kafka-prometheus.yml + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.metrics.jmx.containerPorts.metrics }} + {{- if .Values.metrics.jmx.resources }} + resources: {{- toYaml .Values.metrics.jmx.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: jmx-config + mountPath: /etc/jmx-kafka + {{- end }} + {{- if .Values.controller.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.controller.sidecars "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: kafka-configmaps + configMap: + name: {{ include "kafka.controller.configmapName" . }} + - name: kafka-config + emptyDir: {} + - name: tmp + emptyDir: {} + - name: scripts + configMap: + name: {{ include "common.names.fullname" . }}-scripts + defaultMode: 0755 + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }} + - name: kafka-autodiscovery-shared + emptyDir: {} + {{- end }} + {{- if or .Values.log4j .Values.existingLog4jConfigMap }} + - name: log4j-config + configMap: + name: {{ include "kafka.log4j.configMapName" . }} + {{- end }} + {{- if .Values.metrics.jmx.enabled }} + - name: jmx-config + configMap: + name: {{ include "kafka.metrics.jmx.configmapName" . }} + {{- end }} + {{- if or .Values.tls.zookeeper.enabled (include "kafka.sslEnabled" .) }} + - name: kafka-shared-certs + emptyDir: {} + {{- if and (include "kafka.sslEnabled" .) (or .Values.tls.existingSecret .Values.tls.autoGenerated) }} + - name: kafka-certs + projected: + defaultMode: 256 + sources: + - secret: + name: {{ include "kafka.tlsSecretName" . }} + {{- if .Values.tls.jksTruststoreSecret }} + - secret: + name: {{ .Values.tls.jksTruststoreSecret }} + {{- end }} + {{- end }} + {{- if and .Values.tls.zookeeper.enabled .Values.tls.zookeeper.existingSecret }} + - name: kafka-zookeeper-cert + secret: + secretName: {{ .Values.tls.zookeeper.existingSecret }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.controller.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if not .Values.controller.persistence.enabled }} + - name: data + emptyDir: {} + {{- else if .Values.controller.persistence.existingClaim }} + - name: data + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.controller.persistence.existingClaim .) }} + {{- end }} + {{- if not .Values.controller.logPersistence.enabled }} + - name: logs + emptyDir: {} + {{- else if .Values.controller.logPersistence.existingClaim }} + - name: logs + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.controller.logPersistence.existingClaim .) }} + {{- end }} + {{- if or (and .Values.controller.persistence.enabled (not .Values.controller.persistence.existingClaim)) (and .Values.controller.logPersistence.enabled (not .Values.controller.logPersistence.existingClaim)) }} + volumeClaimTemplates: + {{- if and .Values.controller.persistence.enabled (not .Values.controller.persistence.existingClaim) }} + - metadata: + name: data + {{- if .Values.controller.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.controller.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.controller.persistence.labels }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.controller.persistence.labels "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.controller.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.controller.persistence.size | quote }} + {{- include "common.storage.class" (dict "persistence" .Values.controller.persistence "global" .Values.global) | nindent 8 }} + {{- if .Values.controller.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.controller.persistence.selector "context" $) | nindent 10 }} + {{- end -}} + {{- end }} + {{- if and .Values.controller.logPersistence.enabled (not .Values.controller.logPersistence.existingClaim) }} + - metadata: + name: logs + {{- if .Values.controller.logPersistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.controller.logPersistence.annotations "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.controller.logPersistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.controller.logPersistence.size | quote }} + {{- include "common.storage.class" (dict "persistence" .Values.controller.persistence "global" .Values.global) | nindent 8 }} + {{- if .Values.controller.logPersistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.controller.logPersistence.selector "context" $) | nindent 10 }} + {{- end -}} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/bitnami/kafka/templates/controller-eligible/svc-external-access.yaml b/charts/bitnami/kafka/templates/controller-eligible/svc-external-access.yaml new file mode 100644 index 000000000..b5b54d870 --- /dev/null +++ b/charts/bitnami/kafka/templates/controller-eligible/svc-external-access.yaml @@ -0,0 +1,71 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.kraft.enabled .Values.externalAccess.enabled }} +{{- $fullname := include "common.names.fullname" . }} +{{- if or .Values.externalAccess.controller.forceExpose (not .Values.controller.controllerOnly)}} +{{- $replicaCount := .Values.controller.replicaCount | int }} +{{- range $i := until $replicaCount }} +{{- $targetPod := printf "%s-controller-%d" $fullname $i }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-controller-%d-external" $fullname $i | trunc 63 | trimSuffix "-" }} + namespace: {{ include "common.names.namespace" $ | quote }} + labels: {{- include "common.labels.standard" $ | nindent 4 }} + app.kubernetes.io/component: kafka + pod: {{ $targetPod }} + {{- if $.Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if $.Values.externalAccess.controller.service.labels }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.externalAccess.controller.service.labels "context" $) | nindent 4 }} + {{- end }} + {{- if or $.Values.externalAccess.controller.service.annotations $.Values.commonAnnotations $.Values.externalAccess.controller.service.loadBalancerAnnotations }} + annotations: + {{- if and (not (empty $.Values.externalAccess.controller.service.loadBalancerAnnotations)) (eq (len $.Values.externalAccess.controller.service.loadBalancerAnnotations) $replicaCount) }} + {{ include "common.tplvalues.render" ( dict "value" (index $.Values.externalAccess.controller.service.loadBalancerAnnotations $i) "context" $) | nindent 4 }} + {{- end }} + {{- if $.Values.externalAccess.controller.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.externalAccess.controller.service.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if $.Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: {{ $.Values.externalAccess.controller.service.type }} + {{- if eq $.Values.externalAccess.controller.service.type "LoadBalancer" }} + {{- if and (not (empty $.Values.externalAccess.controller.service.loadBalancerIPs)) (eq (len $.Values.externalAccess.controller.service.loadBalancerIPs) $replicaCount) }} + loadBalancerIP: {{ index $.Values.externalAccess.controller.service.loadBalancerIPs $i }} + {{- end }} + {{- if $.Values.externalAccess.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml $.Values.externalAccess.controller.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- end }} + publishNotReadyAddresses: {{ $.Values.externalAccess.controller.service.publishNotReadyAddresses }} + ports: + - name: tcp-kafka + port: {{ $.Values.externalAccess.controller.service.ports.external }} + {{- if le (add $i 1) (len $.Values.externalAccess.controller.service.nodePorts) }} + nodePort: {{ index $.Values.externalAccess.controller.service.nodePorts $i }} + {{- else }} + nodePort: null + {{- end }} + targetPort: external + {{- if $.Values.externalAccess.controller.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" $.Values.externalAccess.controller.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- if and (eq $.Values.externalAccess.controller.service.type "NodePort") (le (add $i 1) (len $.Values.externalAccess.controller.service.externalIPs)) }} + externalIPs: [{{ index $.Values.externalAccess.controller.service.externalIPs $i | quote }}] + {{- end }} + selector: {{- include "common.labels.matchLabels" $ | nindent 4 }} + app.kubernetes.io/part-of: kafka + app.kubernetes.io/component: controller-eligible + statefulset.kubernetes.io/pod-name: {{ $targetPod }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/bitnami/kafka/templates/controller-eligible/svc-headless.yaml b/charts/bitnami/kafka/templates/controller-eligible/svc-headless.yaml new file mode 100644 index 000000000..764397e08 --- /dev/null +++ b/charts/bitnami/kafka/templates/controller-eligible/svc-headless.yaml @@ -0,0 +1,55 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- $replicaCount := int .Values.controller.replicaCount }} +{{- if and .Values.kraft.enabled (gt $replicaCount 0) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-controller-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: controller-eligible + app.kubernetes.io/part-of: kafka + {{- if .Values.service.headless.controller.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.service.headless.controller.labels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.service.headless.controller.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.service.headless.controller.annotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.headless.controller.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: ClusterIP + clusterIP: None + publishNotReadyAddresses: true + ports: + {{- if or (not .Values.kraft.enabled) (not .Values.controller.controllerOnly) }} + - name: tcp-interbroker + port: {{ .Values.service.ports.interbroker }} + protocol: TCP + targetPort: interbroker + - name: tcp-client + port: {{ .Values.service.ports.client }} + protocol: TCP + targetPort: client + {{- end }} + {{- if .Values.kraft.enabled }} + - name: tcp-controller + protocol: TCP + port: {{ .Values.service.ports.controller }} + targetPort: controller + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: controller-eligible + app.kubernetes.io/part-of: kafka +{{- end }} diff --git a/charts/bitnami/kafka/templates/jaas-secret.yaml b/charts/bitnami/kafka/templates/jaas-secret.yaml deleted file mode 100644 index 28fd16bb3..000000000 --- a/charts/bitnami/kafka/templates/jaas-secret.yaml +++ /dev/null @@ -1,100 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - - -{{- $port := print .Values.service.ports.client }} -{{- $host := list }} -{{- $bootstrapServers := list }} -{{- range $i, $e := until (int .Values.replicaCount) }} - {{- $broker := printf "%s-%s.%s-headless.%s.svc.%s" (include "common.names.fullname" $) (print $i) (include "common.names.fullname" $) $.Release.Namespace $.Values.clusterDomain }} - {{- $host = append $host $broker }} - {{- $bootstrapServers = append $bootstrapServers (printf "%s:%s" $broker $port) }} -{{- end }} -{{- $clientUsers := .Values.auth.sasl.jaas.clientUsers }} -{{- $clientPasswords := .Values.auth.sasl.jaas.clientPasswords }} -{{- if not $clientPasswords }} - {{- $clientPasswords = list }} -{{- range $clientUsers }} - {{- $clientPasswords = append $clientPasswords (randAlphaNum 10) }} -{{- end }} -{{- end }} -{{- if (include "kafka.createJaasSecret" .) }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ printf "%s-jaas" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: Opaque -data: - {{- if (include "kafka.client.saslAuthentication" .) }} - client-passwords: {{ join "," $clientPasswords | b64enc | quote }} - system-user-password: {{ index $clientPasswords 0 | b64enc | quote }} - {{- end }} - {{- $zookeeperUser := .Values.auth.sasl.jaas.zookeeperUser }} - {{- if and .Values.zookeeper.auth.client.enabled $zookeeperUser }} - {{- $zookeeperPassword := .Values.auth.sasl.jaas.zookeeperPassword }} - zookeeper-password: {{ default (randAlphaNum 10) $zookeeperPassword | b64enc | quote }} - {{- end }} - {{- if (include "kafka.interBroker.saslAuthentication" .) }} - {{- $interBrokerPassword := .Values.auth.sasl.jaas.interBrokerPassword }} - inter-broker-password: {{ default (randAlphaNum 10) $interBrokerPassword | b64enc | quote }} - {{- end }} -{{- end }} -{{- if .Values.serviceBindings.enabled }} -{{- if (include "kafka.client.saslAuthentication" .) }} -{{- range $i, $e := until (len $clientUsers) }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.names.fullname" $ }}-svcbind-user-{{ $i }} - namespace: {{ $.Release.Namespace | quote }} - labels: {{- include "common.labels.standard" $ | nindent 4 }} - {{- if $.Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if $.Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: servicebinding.io/kafka -data: - provider: {{ print "bitnami" | b64enc | quote }} - type: {{ print "kafka" | b64enc | quote }} - username: {{ index $clientUsers $i | b64enc | quote }} - password: {{ index $clientPasswords $i | b64enc | quote }} - host: {{ join "," $host | b64enc | quote }} - port: {{ print $port | b64enc | quote }} - bootstrap-servers: {{ join "," $bootstrapServers | b64enc | quote }} -{{- end }} -{{- else }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.names.fullname" . }}-svcbind - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: servicebinding.io/kafka -data: - provider: {{ print "bitnami" | b64enc | quote }} - type: {{ print "kafka" | b64enc | quote }} - host: {{ join "," $host | b64enc | quote }} - port: {{ print $port | b64enc | quote }} - bootstrap-servers: {{ join "," $bootstrapServers | b64enc | quote }} -{{- end }} -{{- end }} diff --git a/charts/bitnami/kafka/templates/log4j-configmap.yaml b/charts/bitnami/kafka/templates/log4j-configmap.yaml index 66c0aa981..43caadd0d 100644 --- a/charts/bitnami/kafka/templates/log4j-configmap.yaml +++ b/charts/bitnami/kafka/templates/log4j-configmap.yaml @@ -3,13 +3,14 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if (include "kafka.log4j.createConfigMap" .) }} +{{- if and .Values.log4j (not .Values.existingLog4jConfigMap) }} apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "kafka.log4j.configMapName" . }} - namespace: {{ .Release.Namespace | quote }} + name: {{- printf "%s-log4j-configuration" (include "common.names.fullname" .) -}} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/part-of: kafka {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} {{- end }} @@ -19,4 +20,4 @@ metadata: data: log4j.properties: |- {{- include "common.tplvalues.render" ( dict "value" .Values.log4j "context" $ ) | nindent 4 }} -{{- end -}} +{{- end }} diff --git a/charts/bitnami/kafka/templates/kafka-metrics-deployment.yaml b/charts/bitnami/kafka/templates/metrics/deployment.yaml similarity index 86% rename from charts/bitnami/kafka/templates/kafka-metrics-deployment.yaml rename to charts/bitnami/kafka/templates/metrics/deployment.yaml index d5b6c9c99..33c298e10 100644 --- a/charts/bitnami/kafka/templates/kafka-metrics-deployment.yaml +++ b/charts/bitnami/kafka/templates/metrics/deployment.yaml @@ -4,8 +4,7 @@ SPDX-License-Identifier: APACHE-2.0 */}} {{- if .Values.metrics.kafka.enabled }} -{{- $replicaCount := int .Values.replicaCount -}} -{{- $releaseNamespace := .Release.Namespace -}} +{{- $releaseNamespace := include "common.names.namespace" . -}} {{- $clusterDomain := .Values.clusterDomain -}} {{- $fullname := include "common.names.fullname" . -}} {{- $servicePort := int .Values.service.ports.client -}} @@ -13,7 +12,7 @@ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ include "kafka.metrics.kafka.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} app.kubernetes.io/component: cluster-metrics {{- if .Values.commonLabels }} @@ -97,16 +96,19 @@ spec: - -ce - | kafka_exporter \ - {{- range $i, $e := until $replicaCount }} - --kafka.server={{ $fullname }}-{{ $i }}.{{ $fullname }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $servicePort }} \ + {{- range $i := until (int .Values.controller.replicaCount) }} + --kafka.server={{ $fullname }}-controller-{{ $i }}.{{ $fullname }}-controller-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $servicePort }} \ {{- end }} - {{- if (include "kafka.client.saslAuthentication" .) }} + {{- range $i := until (int .Values.broker.replicaCount) }} + --kafka.server={{ $fullname }}-broker-{{ $i }}.{{ $fullname }}-broker-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $servicePort }} \ + {{- end }} + {{- if regexFind "SASL" (upper .Values.listeners.client.protocol) }} --sasl.enabled \ --sasl.username=$SASL_USERNAME \ --sasl.password=$SASL_USER_PASSWORD \ --sasl.mechanism={{ include "kafka.metrics.kafka.saslMechanism" . }} \ {{- end }} - {{- if (include "kafka.client.tlsEncryption" .) }} + {{- if regexFind "SSL" (upper .Values.listeners.client.protocol) }} --tls.enabled \ {{- if .Values.metrics.kafka.certificatesSecret }} --tls.key-file=/opt/bitnami/kafka-exporter/certs/{{ .Values.metrics.kafka.tlsKey }} \ @@ -123,17 +125,16 @@ spec: {{- end }} --web.listen-address=:{{ .Values.metrics.kafka.containerPorts.metrics }} {{- end }} - {{- if (include "kafka.client.saslAuthentication" .) }} - {{- $clientUsers := .Values.auth.sasl.jaas.clientUsers }} + {{- if regexFind "SASL" (upper .Values.listeners.client.protocol) }} env: - name: SASL_USERNAME - value: {{ index $clientUsers 0 | quote }} + value: {{ index .Values.sasl.client.users 0 | quote }} - name: SASL_USER_PASSWORD valueFrom: secretKeyRef: - name: {{ include "kafka.jaasSecretName" . }} + name: {{ include "kafka.saslSecretName" . }} key: system-user-password - {{- end }} + {{- end }} ports: - name: metrics containerPort: {{ .Values.metrics.kafka.containerPorts.metrics }} @@ -144,7 +145,7 @@ spec: {{- if .Values.metrics.kafka.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.metrics.kafka.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} - {{- if and (include "kafka.client.tlsEncryption" .) .Values.metrics.kafka.certificatesSecret }} + {{- if and (regexFind "SSL" (upper .Values.listeners.client.protocol)) .Values.metrics.kafka.certificatesSecret }} - name: kafka-exporter-certificates mountPath: /opt/bitnami/kafka-exporter/certs/ readOnly: true @@ -161,7 +162,7 @@ spec: {{- if .Values.metrics.kafka.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.metrics.kafka.extraVolumes "context" $) | nindent 8 }} {{- end }} - {{- if and (include "kafka.client.tlsEncryption" .) .Values.metrics.kafka.certificatesSecret }} + {{- if and (regexFind "SSL" (upper .Values.listeners.client.protocol)) .Values.metrics.kafka.certificatesSecret }} - name: kafka-exporter-certificates secret: secretName: {{ .Values.metrics.kafka.certificatesSecret }} diff --git a/charts/bitnami/kafka/templates/jmx-configmap.yaml b/charts/bitnami/kafka/templates/metrics/jmx-configmap.yaml similarity index 98% rename from charts/bitnami/kafka/templates/jmx-configmap.yaml rename to charts/bitnami/kafka/templates/metrics/jmx-configmap.yaml index 4906b382c..2240f0aaa 100644 --- a/charts/bitnami/kafka/templates/jmx-configmap.yaml +++ b/charts/bitnami/kafka/templates/metrics/jmx-configmap.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-jmx-configuration" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} app.kubernetes.io/component: metrics {{- if .Values.commonLabels }} diff --git a/charts/bitnami/kafka/templates/servicemonitor-jmx-metrics.yaml b/charts/bitnami/kafka/templates/metrics/jmx-servicemonitor.yaml similarity index 95% rename from charts/bitnami/kafka/templates/servicemonitor-jmx-metrics.yaml rename to charts/bitnami/kafka/templates/metrics/jmx-servicemonitor.yaml index b28b3c366..77b4e7e68 100644 --- a/charts/bitnami/kafka/templates/servicemonitor-jmx-metrics.yaml +++ b/charts/bitnami/kafka/templates/metrics/jmx-servicemonitor.yaml @@ -11,7 +11,7 @@ metadata: {{- if .Values.metrics.serviceMonitor.namespace }} namespace: {{ .Values.metrics.serviceMonitor.namespace }} {{- else }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- end }} labels: {{- include "common.labels.standard" . | nindent 4 }} app.kubernetes.io/component: metrics @@ -54,5 +54,5 @@ spec: {{- end }} namespaceSelector: matchNames: - - {{ .Release.Namespace }} + - {{ include "common.names.namespace" . }} {{- end }} diff --git a/charts/bitnami/kafka/templates/jmx-metrics-svc.yaml b/charts/bitnami/kafka/templates/metrics/jmx-svc.yaml similarity index 95% rename from charts/bitnami/kafka/templates/jmx-metrics-svc.yaml rename to charts/bitnami/kafka/templates/metrics/jmx-svc.yaml index d9df9921c..0501de928 100644 --- a/charts/bitnami/kafka/templates/jmx-metrics-svc.yaml +++ b/charts/bitnami/kafka/templates/metrics/jmx-svc.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Service metadata: name: {{ printf "%s-jmx-metrics" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} app.kubernetes.io/component: metrics {{- if .Values.commonLabels }} diff --git a/charts/bitnami/kafka/templates/prometheusrule.yaml b/charts/bitnami/kafka/templates/metrics/prometheusrule.yaml similarity index 100% rename from charts/bitnami/kafka/templates/prometheusrule.yaml rename to charts/bitnami/kafka/templates/metrics/prometheusrule.yaml diff --git a/charts/bitnami/kafka/templates/kafka-metrics-serviceaccount.yaml b/charts/bitnami/kafka/templates/metrics/serviceaccount.yaml similarity index 93% rename from charts/bitnami/kafka/templates/kafka-metrics-serviceaccount.yaml rename to charts/bitnami/kafka/templates/metrics/serviceaccount.yaml index c798e5cf9..140024cd8 100644 --- a/charts/bitnami/kafka/templates/kafka-metrics-serviceaccount.yaml +++ b/charts/bitnami/kafka/templates/metrics/serviceaccount.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "kafka.metrics.kafka.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} app.kubernetes.io/component: cluster-metrics {{- if .Values.commonLabels }} diff --git a/charts/bitnami/kafka/templates/servicemonitor-metrics.yaml b/charts/bitnami/kafka/templates/metrics/servicemonitor.yaml similarity index 95% rename from charts/bitnami/kafka/templates/servicemonitor-metrics.yaml rename to charts/bitnami/kafka/templates/metrics/servicemonitor.yaml index a84963fef..5f3486dca 100644 --- a/charts/bitnami/kafka/templates/servicemonitor-metrics.yaml +++ b/charts/bitnami/kafka/templates/metrics/servicemonitor.yaml @@ -11,7 +11,7 @@ metadata: {{- if .Values.metrics.serviceMonitor.namespace }} namespace: {{ .Values.metrics.serviceMonitor.namespace }} {{- else }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- end }} labels: {{- include "common.labels.standard" . | nindent 4 }} app.kubernetes.io/component: cluster-metrics @@ -54,5 +54,5 @@ spec: {{- end }} namespaceSelector: matchNames: - - {{ .Release.Namespace }} + - {{ include "common.names.namespace" . }} {{- end }} diff --git a/charts/bitnami/kafka/templates/kafka-metrics-svc.yaml b/charts/bitnami/kafka/templates/metrics/svc.yaml similarity index 95% rename from charts/bitnami/kafka/templates/kafka-metrics-svc.yaml rename to charts/bitnami/kafka/templates/metrics/svc.yaml index 0c90acdd6..4bda625e2 100644 --- a/charts/bitnami/kafka/templates/kafka-metrics-svc.yaml +++ b/charts/bitnami/kafka/templates/metrics/svc.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Service metadata: name: {{ printf "%s-metrics" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} app.kubernetes.io/component: cluster-metrics {{- if .Values.commonLabels }} diff --git a/charts/bitnami/kafka/templates/networkpolicy-egress.yaml b/charts/bitnami/kafka/templates/network-policy/networkpolicy-egress.yaml similarity index 94% rename from charts/bitnami/kafka/templates/networkpolicy-egress.yaml rename to charts/bitnami/kafka/templates/network-policy/networkpolicy-egress.yaml index f7c723cc6..25caa9e94 100644 --- a/charts/bitnami/kafka/templates/networkpolicy-egress.yaml +++ b/charts/bitnami/kafka/templates/network-policy/networkpolicy-egress.yaml @@ -8,7 +8,7 @@ kind: NetworkPolicy apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} metadata: name: {{ printf "%s-egress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/kafka/templates/networkpolicy-ingress.yaml b/charts/bitnami/kafka/templates/network-policy/networkpolicy-ingress.yaml similarity index 88% rename from charts/bitnami/kafka/templates/networkpolicy-ingress.yaml rename to charts/bitnami/kafka/templates/network-policy/networkpolicy-ingress.yaml index a7ee7017e..0d8137d58 100644 --- a/charts/bitnami/kafka/templates/networkpolicy-ingress.yaml +++ b/charts/bitnami/kafka/templates/network-policy/networkpolicy-ingress.yaml @@ -8,7 +8,7 @@ kind: NetworkPolicy apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} metadata: name: {{ printf "%s-ingress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} @@ -25,7 +25,7 @@ spec: ingress: # Allow client connections - ports: - - port: {{ .Values.containerPorts.client }} + - port: {{ .Values.listeners.client.containerPort }} {{- if not .Values.networkPolicy.allowExternal }} from: - podSelector: @@ -37,7 +37,7 @@ spec: {{- end }} # Allow communication inter-broker - ports: - - port: {{ .Values.containerPorts.internal }} + - port: {{ .Values.listeners.interbroker.containerPort }} from: - podSelector: matchLabels: @@ -45,7 +45,7 @@ spec: # Allow External connection {{- if .Values.externalAccess.enabled }} - ports: - - port: {{ .Values.containerPorts.external }} + - port: {{ .Values.listeners.external.containerPort }} {{- if .Values.networkPolicy.externalAccess.from }} from: {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.externalAccess.from "context" $ ) | nindent 8 }} {{- end }} diff --git a/charts/bitnami/kafka/templates/kafka-provisioning.yaml b/charts/bitnami/kafka/templates/provisioning/job.yaml similarity index 91% rename from charts/bitnami/kafka/templates/kafka-provisioning.yaml rename to charts/bitnami/kafka/templates/provisioning/job.yaml index 646de5d5b..22d4a7dd6 100644 --- a/charts/bitnami/kafka/templates/kafka-provisioning.yaml +++ b/charts/bitnami/kafka/templates/provisioning/job.yaml @@ -4,12 +4,11 @@ SPDX-License-Identifier: APACHE-2.0 */}} {{- if .Values.provisioning.enabled }} -{{- $replicaCount := int .Values.replicaCount }} kind: Job apiVersion: batch/v1 metadata: name: {{ printf "%s-provisioning" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} app.kubernetes.io/component: kafka-provisioning {{- if .Values.commonLabels }} @@ -107,8 +106,8 @@ spec: if [ ! -f "$CLIENT_CONF" ]; then touch $CLIENT_CONF - kafka_common_conf_set "$CLIENT_CONF" security.protocol {{ include "kafka.listenerType" ( dict "protocol" .Values.auth.clientProtocol ) | quote }} - {{- if (include "kafka.client.tlsEncryption" .) }} + kafka_common_conf_set "$CLIENT_CONF" security.protocol {{ .Values.listeners.client.protocol | quote }} + {{- if (regexFind "SSL" (upper .Values.listeners.client.protocol)) }} kafka_common_conf_set "$CLIENT_CONF" ssl.keystore.type {{ upper .Values.provisioning.auth.tls.type | quote }} kafka_common_conf_set "$CLIENT_CONF" ssl.truststore.type {{ upper .Values.provisioning.auth.tls.type | quote }} ! is_empty_value "$KAFKA_CLIENT_KEY_PASSWORD" && kafka_common_conf_set "$CLIENT_CONF" ssl.key.password "$KAFKA_CLIENT_KEY_PASSWORD" @@ -131,14 +130,14 @@ spec: ! is_empty_value "$KAFKA_CLIENT_TRUSTSTORE_PASSWORD" && kafka_common_conf_set "$CLIENT_CONF" ssl.truststore.password "$KAFKA_CLIENT_TRUSTSTORE_PASSWORD" {{- end }} {{- end }} - {{- if (include "kafka.client.saslAuthentication" .) }} - {{- if contains "plain" .Values.auth.sasl.mechanisms }} + {{- if regexFind "SASL" (upper .Values.listeners.client.protocol) }} + {{- if regexFind "PLAIN" ( upper .Values.sasl.enabledMechanisms) }} kafka_common_conf_set "$CLIENT_CONF" sasl.mechanism PLAIN kafka_common_conf_set "$CLIENT_CONF" sasl.jaas.config "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"$SASL_USERNAME\" password=\"$SASL_USER_PASSWORD\";" - {{- else if contains "scram-sha-256" .Values.auth.sasl.mechanisms }} + {{- else if regexFind "SCRAM-SHA-256" ( upper .Values.sasl.enabledMechanisms) }} kafka_common_conf_set "$CLIENT_CONF" sasl.mechanism SCRAM-SHA-256 kafka_common_conf_set "$CLIENT_CONF" sasl.jaas.config "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"$SASL_USERNAME\" password=\"$SASL_USER_PASSWORD\";" - {{- else if contains "scram-sha-512" .Values.auth.sasl.mechanisms }} + {{- else if regexFind "SCRAM-SHA-512" ( upper .Values.sasl.enabledMechanisms) }} kafka_common_conf_set "$CLIENT_CONF" sasl.mechanism SCRAM-SHA-512 kafka_common_conf_set "$CLIENT_CONF" sasl.jaas.config "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"$SASL_USERNAME\" password=\"$SASL_USER_PASSWORD\";" {{- end }} @@ -154,8 +153,8 @@ spec: --create \ --if-not-exists \ --bootstrap-server ${KAFKA_SERVICE} \ - --replication-factor {{ $topic.replicationFactor | default $.Values.provisioning.replicationFactor }} \ - --partitions {{ $topic.partitions | default $.Values.provisioning.numPartitions }} \ + --replication-factor {{ $topic.replicationFactor | default .context.Values.provisioning.replicationFactor }} \ + --partitions {{ $topic.partitions | default .context.Values.provisioning.numPartitions }} \ {{- range $name, $value := $topic.config }} --config {{ $name }}={{ $value }} \ {{- end }} @@ -185,7 +184,7 @@ spec: env: - name: BITNAMI_DEBUG value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - {{- if (include "kafka.client.tlsEncryption" .) }} + {{- if (regexFind "SSL" (upper .Values.listeners.client.protocol)) }} - name: KAFKA_CLIENT_KEY_PASSWORD valueFrom: secretKeyRef: @@ -204,14 +203,13 @@ spec: {{- end }} - name: KAFKA_SERVICE value: {{ printf "%s:%d" (include "common.names.fullname" .) (.Values.service.ports.client | int64) }} - {{- if (include "kafka.client.saslAuthentication" .) }} - {{- $clientUsers := .Values.auth.sasl.jaas.clientUsers }} + {{- if regexFind "SASL" (upper .Values.listeners.client.protocol) }} - name: SASL_USERNAME - value: {{ index $clientUsers 0 | quote }} + value: {{ index .Values.sasl.client.users 0 | quote }} - name: SASL_USER_PASSWORD valueFrom: secretKeyRef: - name: {{ include "kafka.jaasSecretName" . }} + name: {{ include "kafka.saslSecretName" . }} key: system-user-password {{- end }} {{- if .Values.provisioning.extraEnvVars }} @@ -234,10 +232,10 @@ spec: volumeMounts: {{- if or .Values.log4j .Values.existingLog4jConfigMap }} - name: log4j-config - mountPath: {{ .Values.persistence.mountPath }}/config/log4j.properties + mountPath: /opt/bitnami/kafka/config/log4j.properties subPath: log4j.properties {{- end }} - {{- if (include "kafka.client.tlsEncryption" .) }} + {{- if (regexFind "SSL" (upper .Values.listeners.client.protocol)) }} {{- if not (empty .Values.provisioning.auth.tls.certificatesSecret) }} - name: kafka-client-certs mountPath: /certs @@ -255,8 +253,8 @@ spec: - name: log4j-config configMap: name: {{ include "kafka.log4j.configMapName" . }} - {{ end }} - {{- if (include "kafka.client.tlsEncryption" .) }} + {{- end }} + {{- if (regexFind "SSL" (upper .Values.listeners.client.protocol)) }} {{- if not (empty .Values.provisioning.auth.tls.certificatesSecret) }} - name: kafka-client-certs secret: diff --git a/charts/bitnami/kafka/templates/kafka-provisioning-serviceaccount.yaml b/charts/bitnami/kafka/templates/provisioning/serviceaccount.yaml similarity index 92% rename from charts/bitnami/kafka/templates/kafka-provisioning-serviceaccount.yaml rename to charts/bitnami/kafka/templates/provisioning/serviceaccount.yaml index f384dbcfa..1b3a01768 100644 --- a/charts/bitnami/kafka/templates/kafka-provisioning-serviceaccount.yaml +++ b/charts/bitnami/kafka/templates/provisioning/serviceaccount.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "kafka.provisioning.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/kafka/templates/kafka-provisioning-secret.yaml b/charts/bitnami/kafka/templates/provisioning/tls-secret.yaml similarity index 80% rename from charts/bitnami/kafka/templates/kafka-provisioning-secret.yaml rename to charts/bitnami/kafka/templates/provisioning/tls-secret.yaml index 9aaaa2499..3406ded42 100644 --- a/charts/bitnami/kafka/templates/kafka-provisioning-secret.yaml +++ b/charts/bitnami/kafka/templates/provisioning/tls-secret.yaml @@ -3,12 +3,12 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if and .Values.provisioning.enabled (include "kafka.client.tlsEncryption" .) (not .Values.provisioning.auth.tls.passwordsSecret) }} +{{- if and .Values.provisioning.enabled (regexFind "SSL" (upper .Values.listeners.client.protocol)) (not .Values.provisioning.auth.tls.passwordsSecret) }} apiVersion: v1 kind: Secret metadata: name: {{ template "kafka.client.passwordsSecretName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/kafka/templates/role.yaml b/charts/bitnami/kafka/templates/rbac/role.yaml similarity index 88% rename from charts/bitnami/kafka/templates/role.yaml rename to charts/bitnami/kafka/templates/rbac/role.yaml index 4c8a679fb..478d161f5 100644 --- a/charts/bitnami/kafka/templates/role.yaml +++ b/charts/bitnami/kafka/templates/rbac/role.yaml @@ -3,12 +3,12 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.rbac.create -}} +{{- if .Values.rbac.create }} apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} kind: Role metadata: name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} app.kubernetes.io/component: kafka {{- if .Values.commonLabels }} @@ -26,4 +26,4 @@ rules: - get - list - watch -{{- end -}} +{{- end }} diff --git a/charts/bitnami/kafka/templates/rolebinding.yaml b/charts/bitnami/kafka/templates/rbac/rolebinding.yaml similarity index 88% rename from charts/bitnami/kafka/templates/rolebinding.yaml rename to charts/bitnami/kafka/templates/rbac/rolebinding.yaml index ff7c8e8f9..810626be0 100644 --- a/charts/bitnami/kafka/templates/rolebinding.yaml +++ b/charts/bitnami/kafka/templates/rbac/rolebinding.yaml @@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} kind: RoleBinding metadata: name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} app.kubernetes.io/component: kafka {{- if .Values.commonLabels }} @@ -24,5 +24,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "kafka.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "common.names.namespace" . }} {{- end }} diff --git a/charts/bitnami/kafka/templates/serviceaccount.yaml b/charts/bitnami/kafka/templates/rbac/serviceaccount.yaml similarity index 93% rename from charts/bitnami/kafka/templates/serviceaccount.yaml rename to charts/bitnami/kafka/templates/rbac/serviceaccount.yaml index 0c9b935a9..29036b96f 100644 --- a/charts/bitnami/kafka/templates/serviceaccount.yaml +++ b/charts/bitnami/kafka/templates/rbac/serviceaccount.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "kafka.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} app.kubernetes.io/component: kafka {{- if .Values.commonLabels }} diff --git a/charts/bitnami/kafka/templates/scripts-configmap.yaml b/charts/bitnami/kafka/templates/scripts-configmap.yaml index 6b7f6ef8d..d7650d242 100644 --- a/charts/bitnami/kafka/templates/scripts-configmap.yaml +++ b/charts/bitnami/kafka/templates/scripts-configmap.yaml @@ -3,11 +3,14 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} +{{- $releaseNamespace := include "common.names.namespace" . }} +{{- $fullname := include "common.names.fullname" . }} +{{- $clusterDomain := .Values.clusterDomain }} apiVersion: v1 kind: ConfigMap metadata: - name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + name: {{ printf "%s-scripts" $fullname }} + namespace: {{ $releaseNamespace | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} @@ -16,21 +19,11 @@ metadata: annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} data: - {{- $fullname := include "common.names.fullname" . }} - {{- $releaseNamespace := .Release.Namespace }} - {{- $clusterDomain := .Values.clusterDomain }} - {{- $interBrokerPort := .Values.service.ports.internal }} - {{- $clientPort := .Values.service.ports.client }} - {{- $jksTruststoreSecret := .Values.auth.tls.jksTruststoreSecret -}} - {{- $jksTruststore := .Values.auth.tls.jksTruststore -}} - {{- $jksKeystoreSAN := .Values.auth.tls.jksKeystoreSAN -}} {{- if .Values.externalAccess.autoDiscovery.enabled }} auto-discovery.sh: |- #!/bin/bash - SVC_NAME="${MY_POD_NAME}-external" - - {{- if eq .Values.externalAccess.service.type "LoadBalancer" }} + AUTODISCOVERY_SERVICE_TYPE="${AUTODISCOVERY_SERVICE_TYPE:-}" # Auxiliary functions retry_while() { local -r cmd="${1:?cmd is missing}" @@ -62,11 +55,6 @@ data: local service=${2:?service is missing} [[ -n "$(k8s_svc_lb_ip "$namespace" "$service")" ]] } - # Wait until LoadBalancer IP is ready - retry_while "k8s_svc_lb_ip_ready {{ $releaseNamespace }} $SVC_NAME" || exit 1 - # Obtain LoadBalancer external IP - k8s_svc_lb_ip "{{ $releaseNamespace }}" "$SVC_NAME" | tee "$SHARED_FILE" - {{- else if eq .Values.externalAccess.service.type "NodePort" }} k8s_svc_node_port() { local namespace=${1:?namespace is missing} local service=${2:?service is missing} @@ -74,165 +62,293 @@ data: local node_port="$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.spec.ports[$index].nodePort}")" echo "$node_port" } - k8s_svc_node_port "{{ $releaseNamespace }}" "$SVC_NAME" | tee "$SHARED_FILE" - {{- end }} + + if [[ "$AUTODISCOVERY_SERVICE_TYPE" = "LoadBalancer" ]]; then + # Wait until LoadBalancer IP is ready + retry_while "k8s_svc_lb_ip_ready {{ $releaseNamespace }} $SVC_NAME" || exit 1 + # Obtain LoadBalancer external IP + k8s_svc_lb_ip "{{ $releaseNamespace }}" "$SVC_NAME" | tee "/shared/external-host.txt" + elif [[ "$AUTODISCOVERY_SERVICE_TYPE" = "NodePort" ]]; then + k8s_svc_node_port "{{ $releaseNamespace }}" "$SVC_NAME" | tee "/shared/external-port.txt" + else + echo "Unsupported autodiscovery service type: '$AUTODISCOVERY_SERVICE_TYPE'" + exit 1 + fi {{- end }} - setup.sh: |- + kafka-init.sh: |- #!/bin/bash - ID="${MY_POD_NAME#"{{ $fullname }}-"}" - # If process.roles is not set at all, it is assumed to be in ZooKeeper mode. - # https://kafka.apache.org/documentation/#kraft_role + set -o errexit + set -o nounset + set -o pipefail - if [[ -f "{{ .Values.logsDirs | splitList "," | first }}/meta.properties" ]]; then - if [[ $KAFKA_CFG_PROCESS_ROLES == "" ]]; then - export KAFKA_CFG_BROKER_ID="$(grep "broker.id" "{{ .Values.logsDirs | splitList "," | first }}/meta.properties" | awk -F '=' '{print $2}')" - else - export KAFKA_CFG_NODE_ID="$(grep "node.id" "{{ .Values.logsDirs | splitList "," | first }}/meta.properties" | awk -F '=' '{print $2}')" - fi - else - if [[ $KAFKA_CFG_PROCESS_ROLES == "" ]]; then - export KAFKA_CFG_BROKER_ID="$((ID + {{ .Values.minId }}))" - else - export KAFKA_CFG_NODE_ID="$((ID + {{ .Values.minId }}))" - fi - fi + error(){ + local message="${1:?missing message}" + echo "ERROR: ${message}" + exit 1 + } - if [[ $KAFKA_CFG_PROCESS_ROLES == *"controller"* && -z $KAFKA_CFG_CONTROLLER_QUORUM_VOTERS ]]; then - node_id={{ .Values.minId }} - pod_id=0 - while : - do - VOTERS="${VOTERS}$node_id@{{ include "common.names.fullname" . }}-$pod_id.{{ include "common.names.fullname" . }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ .Values.service.ports.controller }}" - node_id=$(( $node_id + 1 )) - pod_id=$(( $pod_id + 1 )) - if [[ $pod_id -ge {{ .Values.replicaCount }} ]]; then - break - else - VOTERS="$VOTERS," - fi + retry_while() { + local -r cmd="${1:?cmd is missing}" + local -r retries="${2:-12}" + local -r sleep_time="${3:-5}" + local return_value=1 + + read -r -a command <<< "$cmd" + for ((i = 1 ; i <= retries ; i+=1 )); do + "${command[@]}" && return_value=0 && break + sleep "$sleep_time" done - export KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=$VOTERS - fi - {{- if eq .Values.brokerRackAssignment "aws-az" }} - export KAFKA_CFG_BROKER_RACK=$(curl "http://169.254.169.254/latest/meta-data/placement/availability-zone-id") - {{- end }} + return $return_value + } - {{- if .Values.externalAccess.enabled }} - # Configure external ip and port - {{- if eq .Values.externalAccess.service.type "LoadBalancer" }} - {{- if .Values.externalAccess.autoDiscovery.enabled }} - export EXTERNAL_ACCESS_HOST="$(<${SHARED_FILE})" - {{- else }} - export EXTERNAL_ACCESS_HOST=$(echo '{{ .Values.externalAccess.service.loadBalancerNames | default .Values.externalAccess.service.loadBalancerIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") - {{- end }} - export EXTERNAL_ACCESS_PORT={{ .Values.externalAccess.service.ports.external }} - {{- else if eq .Values.externalAccess.service.type "NodePort" }} - {{- if .Values.externalAccess.service.domain }} - export EXTERNAL_ACCESS_HOST={{ .Values.externalAccess.service.domain }} - {{- else if and .Values.externalAccess.service.usePodIPs .Values.externalAccess.autoDiscovery.enabled }} - export EXTERNAL_ACCESS_HOST="${MY_POD_IP}" - {{- else if or .Values.externalAccess.service.useHostIPs .Values.externalAccess.autoDiscovery.enabled }} - export EXTERNAL_ACCESS_HOST="${HOST_IP}" - {{- else if and .Values.externalAccess.service.externalIPs (not .Values.externalAccess.autoDiscovery.enabled) }} - export EXTERNAL_ACCESS_HOST=$(echo '{{ .Values.externalAccess.service.externalIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") - {{- else }} - export EXTERNAL_ACCESS_HOST=$(curl -s https://ipinfo.io/ip) - {{- end }} - {{- if .Values.externalAccess.autoDiscovery.enabled }} - export EXTERNAL_ACCESS_PORT="$(<${SHARED_FILE})" - {{- else if and .Values.externalAccess.service.externalIPs (empty .Values.externalAccess.service.nodePorts)}} - export EXTERNAL_ACCESS_PORT="{{ .Values.externalAccess.service.ports.external }}" - {{- else }} - export EXTERNAL_ACCESS_PORT=$(echo '{{ .Values.externalAccess.service.nodePorts }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") - {{- end }} - {{- else }} - export EXTERNAL_ACCESS_HOST={{ .Values.externalAccess.service.domain }} - export EXTERNAL_ACCESS_PORT="$((ID + {{ .Values.externalAccess.service.ports.external }}))" - {{- end }} + replace_in_file() { + local filename="${1:?filename is required}" + local match_regex="${2:?match regex is required}" + local substitute_regex="${3:?substitute regex is required}" + local posix_regex=${4:-true} - # Configure Kafka advertised listeners - {{- if .Values.advertisedListeners }} - export KAFKA_CFG_ADVERTISED_LISTENERS={{ join "," .Values.advertisedListeners }} - {{- else }} - export KAFKA_CFG_ADVERTISED_LISTENERS="INTERNAL://${MY_POD_NAME}.{{ $fullname }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $interBrokerPort }},CLIENT://${MY_POD_NAME}.{{ $fullname }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $clientPort }},EXTERNAL://${EXTERNAL_ACCESS_HOST}:${EXTERNAL_ACCESS_PORT}" - {{- end }} - {{- end }} + local result - {{- if (include "kafka.tlsEncryption" .) }} - mkdir -p /opt/bitnami/kafka/config/certs - {{- if eq .Values.auth.tls.type "jks" }} - {{- if not (empty .Values.auth.tls.existingSecrets) }} - JKS_TRUSTSTORE={{ printf "/%s/%s" (ternary "certs-${ID}" "truststore" (empty $jksTruststoreSecret)) (default "kafka.truststore.jks" $jksTruststore) | quote }} - JKS_KEYSTORE={{ printf "/certs-${ID}/%s" (default "kafka.keystore.jks" $jksKeystoreSAN) | quote }} - {{- else }} - JKS_TRUSTSTORE={{ printf "/%s/%s" (ternary "certs" "truststore" (empty $jksTruststoreSecret)) (default "kafka.truststore.jks" $jksTruststore) | quote }} - JKS_KEYSTORE={{ printf "/certs/%s" (default "kafka-${ID}.keystore.jks" $jksKeystoreSAN) | quote }} - {{- end }} - if [[ -f "$JKS_TRUSTSTORE" ]] && [[ -f "$JKS_KEYSTORE" ]]; then - cp "$JKS_TRUSTSTORE" "/opt/bitnami/kafka/config/certs/kafka.truststore.jks" - cp "$JKS_KEYSTORE" "/opt/bitnami/kafka/config/certs/kafka.keystore.jks" - else - echo "Couldn't find the expected Java Key Stores (JKS) files! They are mandatory when encryption via TLS is enabled." - exit 1 - fi - export KAFKA_TLS_TRUSTSTORE_FILE="/opt/bitnami/kafka/config/certs/kafka.truststore.jks" + # We should avoid using 'sed in-place' substitutions + # 1) They are not compatible with files mounted from ConfigMap(s) + # 2) We found incompatibility issues with Debian10 and "in-place" substitutions + local -r del=$'\001' # Use a non-printable character as a 'sed' delimiter to avoid issues + if [[ $posix_regex = true ]]; then + result="$(sed -E "s${del}${match_regex}${del}${substitute_regex}${del}g" "$filename")" + else + result="$(sed "s${del}${match_regex}${del}${substitute_regex}${del}g" "$filename")" + fi + echo "$result" > "$filename" + } - {{- else if eq .Values.auth.tls.type "pem" }} + kafka_conf_set() { + local file="${1:?missing file}" + local key="${2:?missing key}" + local value="${3:?missing value}" - {{- if or (not (empty .Values.auth.tls.existingSecrets)) .Values.auth.tls.autoGenerated }} - PEM_CA="/certs-${ID}/ca.crt" - PEM_CERT="/certs-${ID}/tls.crt" - PEM_KEY="/certs-${ID}/tls.key" - {{- else }} - PEM_CA="/certs/kafka.truststore.pem" - PEM_CERT="/certs/kafka-${ID}.keystore.pem" - PEM_KEY="/certs/kafka-${ID}.keystore.key" - {{- end }} - if [[ -f "$PEM_CERT" ]] && [[ -f "$PEM_KEY" ]]; then - CERT_DIR="/opt/bitnami/kafka/config/certs" - PEM_CA_LOCATION="${CERT_DIR}/kafka.truststore.pem" - PEM_CERT_LOCATION="${CERT_DIR}/kafka.keystore.pem" - {{- if .Values.auth.tls.pemChainIncluded }} - cat $PEM_CERT | csplit - -s -z '/\-*END CERTIFICATE\-*/+1' '{*}' -f ${CERT_DIR}/xx - FIND_CA_RESULT=$(find ${CERT_DIR} -not -name 'xx00' -name 'xx*') - if [[ $(echo $FIND_CA_RESULT | wc -l) < 1 ]]; then - echo "auth.tls.pemChainIncluded was set, but PEM chain only contained 1 cert" - exit 1 - fi - echo $FIND_CA_RESULT | sort | xargs cat >> "$PEM_CA_LOCATION" - cat ${CERT_DIR}/xx00 > "$PEM_CERT_LOCATION" + # Check if the value was set before + if grep -q "^[#\\s]*$key\s*=.*" "$file"; then + # Update the existing key + replace_in_file "$file" "^[#\\s]*${key}\s*=.*" "${key}=${value}" false + else + # Add a new key + printf '\n%s=%s' "$key" "$value" >>"$file" + fi + } + + replace_placeholder() { + local placeholder="${1:?missing placeholder value}" + local password="${2:?missing password value}" + sed -i "s/$placeholder/$password/g" "$KAFKA_CONFIG_FILE" + } + + configure_external_access() { + # Configure external hostname + if [[ -f "/shared/external-host.txt" ]]; then + host=$(cat "/shared/external-host.txt") + elif [[ -n "${EXTERNAL_ACCESS_HOST:-}" ]]; then + host="$EXTERNAL_ACCESS_HOST" + elif [[ -n "${EXTERNAL_ACCESS_HOSTS_LIST:-}" ]]; then + read -r -a hosts <<<"$(tr ',' ' ' <<<"${EXTERNAL_ACCESS_HOSTS_LIST}")" + host="${hosts[$POD_ID]}" + elif [[ "$EXTERNAL_ACCESS_HOST_USE_PUBLIC_IP" =~ ^(yes|true)$ ]]; then + host=$(curl -s https://ipinfo.io/ip) + else + error "External access hostname not provided" + fi + + # Configure external port + if [[ -f "/shared/external-port.txt" ]]; then + port=$(cat "/shared/external-port.txt") + elif [[ -n "${EXTERNAL_ACCESS_PORT:-}" ]]; then + if [[ "${EXTERNAL_ACCESS_PORT_AUTOINCREMENT:-}" =~ ^(yes|true)$ ]]; then + port="$((EXTERNAL_ACCESS_PORT + POD_ID))" + else + port="$EXTERNAL_ACCESS_PORT" + fi + elif [[ -n "${EXTERNAL_ACCESS_PORTS_LIST:-}" ]]; then + read -r -a ports <<<"$(tr ',' ' ' <<<"${EXTERNAL_ACCESS_PORTS_LIST}")" + port="${ports[$POD_ID]}" + else + error "External access port not provided" + fi + # Configure Kafka advertised listeners + sed -i -E "s|^(advertised\.listeners=\S+)$|\1,{{ upper .Values.listeners.external.name }}://${host}:${port}|" "$KAFKA_CONFIG_FILE" + } + {{- if (include "kafka.sslEnabled" .) }} + configure_kafka_tls() { + # Remove previously existing keystores + rm -f /certs/kafka.keystore.jks /certs/kafka.truststore.jks + if [[ "${KAFKA_TLS_TYPE}" = "PEM" ]]; then + # Copy PEM certificate and key + if [[ -f "/mounted-certs/kafka-${POD_ROLE}-${POD_ID}.crt" && "/mounted-certs/kafka-${POD_ROLE}-${POD_ID}.key" ]]; then + cp "/mounted-certs/kafka-${POD_ROLE}-${POD_ID}.crt" /certs/tls.crt + # Copy the PEM key ensuring the key used PEM format with PKCS#8 + openssl pkcs8 -topk8 -nocrypt -in "/mounted-certs/kafka-${POD_ROLE}-${POD_ID}.key" > /certs/tls.key + elif [[ -f /mounted-certs/kafka.crt && -f /mounted-certs/kafka.key ]]; then + cp "/mounted-certs/kafka.crt" /certs/tls.crt + # Copy the PEM key ensuring the key used PEM format with PKCS#8 + openssl pkcs8 -topk8 -nocrypt -in "/mounted-certs/kafka.key" > /certs/tls.key + else + error "PEM key and cert files not found" + fi + + {{- if not .Values.tls.pemChainIncluded }} + # Copy CA certificate + if [[ -f /mounted-certs/kafka-ca.crt ]]; then + cp /mounted-certs/kafka-ca.crt /certs/ca.crt + else + error "CA certificate file not found" + fi {{- else }} - if [[ -f "$PEM_CA" ]]; then - cp "$PEM_CA" "$PEM_CA_LOCATION" - cp "$PEM_CERT" "$PEM_CERT_LOCATION" - else - echo "PEM_CA not provided, and auth.tls.pemChainIncluded was not true. One of these values must be set when using PEM type for TLS." - exit 1 - fi + # Extract CA certificate from PEM cert + cat /certs/tls.crt | csplit - -s -z '/\-*END CERTIFICATE\-*/+1' '{*}' -f /certs/xx + FIND_CA_RESULT=$(find /certs -not -name 'xx00' -name 'xx*') + if [[ $(echo $FIND_CA_RESULT | wc -l) < 1 ]]; then + error "auth.tls.pemChainIncluded was set, but PEM chain only contained 1 cert" + fi + echo $FIND_CA_RESULT | sort | xargs cat >> /certs/ca.crt + cat /certs/xx00 > /certs/tls.crt + find /certs -name "xx*" -exec rm {} \; {{- end }} - # Ensure the key used PEM format with PKCS#8 - openssl pkcs8 -topk8 -nocrypt -in "$PEM_KEY" > "/opt/bitnami/kafka/config/certs/kafka.keystore.key" + # Create JKS keystore from PEM cert and key + openssl pkcs12 -export -in "/certs/tls.crt" \ + -passout pass:"${KAFKA_TLS_KEYSTORE_PASSWORD}" \ + -inkey "/certs/tls.key" \ + -out "/certs/kafka.keystore.p12" + keytool -importkeystore -srckeystore "/certs/kafka.keystore.p12" \ + -srcstoretype PKCS12 \ + -srcstorepass "${KAFKA_TLS_KEYSTORE_PASSWORD}" \ + -deststorepass "${KAFKA_TLS_KEYSTORE_PASSWORD}" \ + -destkeystore "/certs/kafka.keystore.jks" \ + -noprompt + # Create JKS truststore from CA cert + keytool -keystore /certs/kafka.truststore.jks -alias CARoot -import -file /certs/ca.crt -storepass "${KAFKA_TLS_TRUSTSTORE_PASSWORD}" -noprompt + # Remove extra files + rm -f "/certs/kafka.keystore.p12" "/certs/tls.crt" "/certs/tls.key" "/certs/ca.crt" + elif [[ "${KAFKA_TLS_TYPE}" = "JKS" ]]; then + if [[ -f "/mounted-certs/kafka-${POD_ROLE}-${POD_ID}.keystore.jks" ]]; then + cp "/mounted-certs/kafka-${POD_ROLE}-${POD_ID}.keystore.jks" /certs/kafka.keystore.jks + elif [[ -f /mounted-certs/kafka.keystore.jks ]]; then + cp /mounted-certs/kafka.keystore.jks /certs/kafka.keystore.jks + else + error "Keystore file not found" + fi + + if [[ -f {{ printf "/mounted-certs/%s" ( default "kafka.truststore.jks" .Values.tls.jksTruststoreKey) | quote }} ]]; then + cp {{ printf "/mounted-certs/%s" ( default "kafka.truststore.jks" .Values.tls.jksTruststoreKey) | quote }} /certs/kafka.truststore.jks + else + error "Truststore file not found" + fi + else + error "Invalid type ${KAFKA_TLS_TYPE}" + fi + + # Configure TLS password settings in Kafka configuration + [[ -n "${KAFKA_TLS_KEYSTORE_PASSWORD:-}" ]] && kafka_conf_set "$KAFKA_CONFIG_FILE" "ssl.keystore.password" "$KAFKA_TLS_KEYSTORE_PASSWORD" + [[ -n "${KAFKA_TLS_TRUSTSTORE_PASSWORD:-}" ]] && kafka_conf_set "$KAFKA_CONFIG_FILE" "ssl.truststore.password" "$KAFKA_TLS_TRUSTSTORE_PASSWORD" + [[ -n "${KAFKA_TLS_PEM_KEY_PASSWORD:-}" ]] && kafka_conf_set "$KAFKA_CONFIG_FILE" "ssl.key.password" "$KAFKA_TLS_PEM_KEY_PASSWORD" + # Avoid errors caused by previous checks + true + } + {{- end }} + {{- if and .Values.tls.zookeeper.enabled .Values.tls.zookeeper.existingSecret }} + configure_zookeeper_tls() { + # Remove previously existing keystores + rm -f /certs/zookeeper.keystore.jks /certs/zookeeper.truststore.jks + ZOOKEEPER_TRUSTSTORE={{ printf "/zookeeper-certs/%s" .Values.tls.zookeeper.existingSecretTruststoreKey | quote }} + ZOOKEEPER_KEYSTORE={{ printf "/zookeeper-certs/%s" .Values.tls.zookeeper.existingSecretKeystoreKey | quote }} + if [[ -f "$ZOOKEEPER_KEYSTORE" ]]; then + cp "$ZOOKEEPER_KEYSTORE" "/certs/zookeeper.keystore.jks" + else + error "Zookeeper keystore file not found" + fi + if [[ -f "$ZOOKEEPER_TRUSTSTORE" ]]; then + cp "$ZOOKEEPER_TRUSTSTORE" "/certs/zookeeper.truststore.jks" + else + error "Zookeeper keystore file not found" + fi + [[ -n "${KAFKA_ZOOKEEPER_TLS_KEYSTORE_PASSWORD:-}" ]] && kafka_conf_set "$KAFKA_CONFIG_FILE" "zookeeper.ssl.keystore.password" "${KAFKA_ZOOKEEPER_TLS_KEYSTORE_PASSWORD}" + [[ -n "${KAFKA_ZOOKEEPER_TLS_TRUSTSTORE_PASSWORD:-}" ]] && kafka_conf_set "$KAFKA_CONFIG_FILE" "zookeeper.ssl.truststore.password" "${KAFKA_ZOOKEEPER_TLS_TRUSTSTORE_PASSWORD}" + # Avoid errors caused by previous checks + true + } + {{- end }} + + {{- if (include "kafka.saslEnabled" .) }} + configure_kafka_sasl() { + + # Replace placeholders with passwords + {{- if regexFind "SASL" (upper .Values.listeners.interbroker.protocol) }} + replace_placeholder "interbroker-password-placeholder" "$KAFKA_INTER_BROKER_PASSWORD" + {{- end -}} + {{- if and .Values.kraft.enabled (regexFind "SASL" (upper .Values.listeners.controller.protocol)) }} + replace_placeholder "controller-password-placeholder" "$KAFKA_CONTROLLER_PASSWORD" + {{- end }} + {{- if (include "kafka.client.saslEnabled" .)}} + read -r -a passwords <<<"$(tr ',;' ' ' <<<"${KAFKA_CLIENT_PASSWORDS:-}")" + for ((i = 0; i < ${#passwords[@]}; i++)); do + replace_placeholder "password-placeholder-${i}" "${passwords[i]}" + done + {{- end }} + {{- if .Values.sasl.zookeeper.user }} + replace_placeholder "zookeeper-password-placeholder" "$KAFKA_ZOOKEEPER_PASSWORD" + {{- end }} + } + {{- end }} + + {{- if .Values.externalAccess.autoDiscovery.enabled }} + # Wait for autodiscovery to finish + if [[ "${EXTERNAL_ACCESS_ENABLED:-false}" =~ ^(yes|true)$ ]]; then + retry_while "test -f /shared/external-host.txt -o -f /shared/external-port.txt" || error "Timed out waiting for autodiscovery init-container" + fi + {{- end }} + + export KAFKA_CONFIG_FILE=/config/server.properties + cp /configmaps/server.properties $KAFKA_CONFIG_FILE + + # Get pod ID and role, last and second last fields in the pod name respectively + POD_ID=$(echo "$MY_POD_NAME" | rev | cut -d'-' -f 1 | rev) + POD_ROLE=$(echo "$MY_POD_NAME" | rev | cut -d'-' -f 2 | rev) + + # Configure node.id and/or broker.id + if [[ -f "/bitnami/kafka/data/meta.properties" ]]; then + if grep -q "broker.id" /bitnami/kafka/data/meta.properties; then + ID="$(grep "broker.id" /bitnami/kafka/data/meta.properties | awk -F '=' '{print $2}')" + {{- if or (not .Values.broker.zookeeperMigrationMode) (and (not .Values.zookeeper.enabled) (not .Values.externalZookeeper.servers)) }} + kafka_conf_set "$KAFKA_CONFIG_FILE" "node.id" "$ID" + {{- else }} + kafka_conf_set "$KAFKA_CONFIG_FILE" "broker.id" "$ID" + {{- end }} + else + ID="$(grep "node.id" /bitnami/kafka/data/meta.properties | awk -F '=' '{print $2}')" + kafka_conf_set "$KAFKA_CONFIG_FILE" "node.id" "$ID" + fi else - echo "Couldn't find the expected PEM files! They are mandatory when encryption via TLS is enabled." - exit 1 + ID=$((POD_ID + KAFKA_MIN_ID)) + {{- if .Values.kraft.enabled }} + kafka_conf_set "$KAFKA_CONFIG_FILE" "node.id" "$ID" + {{- end }} + {{- if or .Values.zookeeper.enabled .Values.externalZookeeper.servers }} + kafka_conf_set "$KAFKA_CONFIG_FILE" "broker.id" "$ID" + {{- end }} fi - export KAFKA_TLS_TRUSTSTORE_FILE="/opt/bitnami/kafka/config/certs/kafka.truststore.pem" - {{- end }} - {{- end }} - - # Configure zookeeper client - {{- if and (not (empty .Values.auth.zookeeper.tls.existingSecret)) .Values.auth.zookeeper.tls.enabled }} - JKS_TRUSTSTORE={{ printf "/kafka-zookeeper-cert/%s" (.Values.auth.zookeeper.tls.existingSecretTruststoreKey) | quote }} - JKS_KEYSTORE={{ printf "/kafka-zookeeper-cert/%s" (.Values.auth.zookeeper.tls.existingSecretKeystoreKey) | quote }} - if [[ -f "$JKS_TRUSTSTORE" ]] && [[ -f "$JKS_KEYSTORE" ]]; then - CERT_DIR="/opt/bitnami/kafka/config/certs" - TRUSTSTORE_LOCATION="${CERT_DIR}/zookeeper.truststore.jks" - cp "$JKS_TRUSTSTORE" "$TRUSTSTORE_LOCATION" - cp "$JKS_KEYSTORE" "${CERT_DIR}/zookeeper.keystore.jks" - export KAFKA_ZOOKEEPER_TLS_TRUSTSTORE_FILE="${TRUSTSTORE_LOCATION}" + {{- if not .Values.listeners.advertisedListeners }} + replace_placeholder "advertised-address-placeholder" "${MY_POD_NAME}.{{ $fullname }}-${POD_ROLE}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}" + if [[ "${EXTERNAL_ACCESS_ENABLED:-false}" =~ ^(yes|true)$ ]]; then + configure_external_access fi {{- end }} + {{- if (include "kafka.sslEnabled" .) }} + configure_kafka_tls + {{- end }} + {{- if (include "kafka.saslEnabled" .) }} + configure_kafka_sasl + {{- end }} + {{- if and .Values.tls.zookeeper.enabled .Values.tls.zookeeper.existingSecret }} + configure_zookeeper_tls + {{- end }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraInit "context" $ ) | nindent 4 }} - exec /entrypoint.sh /run.sh diff --git a/charts/bitnami/kafka/templates/secrets.yaml b/charts/bitnami/kafka/templates/secrets.yaml new file mode 100644 index 000000000..1008552c0 --- /dev/null +++ b/charts/bitnami/kafka/templates/secrets.yaml @@ -0,0 +1,133 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "kafka.createSaslSecret" .) }} +{{- $secretName := printf "%s-user-passwords" (include "common.names.fullname" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- if (include "kafka.client.saslEnabled" .) }} + {{- $secretValue := "" }} + {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .) $secretName).data }} + {{- if and $secretData (hasKey $secretData "client-passwords")}} + {{- $secretValue = index $secretData "client-passwords" }} + {{- end }} + {{- if or (empty $secretValue) (not (eq (len .Values.sasl.client.users) (len (splitList "," (b64dec $secretValue))))) }} + {{- $clientPasswords := .Values.sasl.client.passwords }} + {{- if empty $clientPasswords }} + {{- $clientPasswords = list }} + {{- range .Values.sasl.client.users }} + {{- $clientPasswords = append $clientPasswords (randAlphaNum 10) }} + {{- end }} + {{- end }} + {{- $secretValue = join "," $clientPasswords | toString | b64enc }} + {{- end }} + client-passwords: {{ $secretValue | quote }} + system-user-password: {{ index (splitList "," (b64dec $secretValue)) 0 | b64enc | quote }} + {{- end }} + {{- if or .Values.sasl.zookeeper.user .Values.zookeeper.auth.client.enabled }} + zookeeper-password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "zookeeper-password" "providedValues" (list "sasl.zookeeper.password" "zookeeper.auth.client.clientPassword") "failOnNew" false "context" $) }} + {{- end }} + {{- if regexFind "SASL" (upper .Values.listeners.interbroker.protocol) }} + inter-broker-password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "inter-broker-password" "providedValues" (list "sasl.interbroker.password") "failOnNew" false "context" $) }} + {{- end }} + {{- if regexFind "SASL" (upper .Values.listeners.controller.protocol) }} + controller-password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "controller-password" "providedValues" (list "sasl.controller.password") "failOnNew" false "context" $) }} + {{- end }} +{{- if .Values.serviceBindings.enabled }} + +{{- if (include "kafka.client.saslEnabled" .) }} +{{- $host := list }} +{{- $port := .Values.service.ports.client }} +{{- $bootstrapServers := list }} +{{- if not .Values.controller.controllerOnly }} + {{- range $i, $e := until (int .Values.controller.replicaCount) }} + {{- $controller := printf "%s-controller-%s.%s-headless.%s.svc.%s" (include "common.names.fullname" $) (print $i) (include "common.names.fullname" $) $.Release.Namespace $.Values.clusterDomain }} + {{- $host = append $host $controller }} + {{- $bootstrapServers = append $bootstrapServers (printf "%s:%s" $controller .Values.service.ports.client) }} + {{- end }} +{{- end }} +{{- range $i, $e := until (int .Values.broker.replicaCount) }} + {{- $broker := printf "%s-broker-%s.%s-headless.%s.svc.%s" (include "common.names.fullname" $) (print $i) (include "common.names.fullname" $) $.Release.Namespace $.Values.clusterDomain }} + {{- $host = append $host $broker }} + {{- $bootstrapServers = append $bootstrapServers (printf "%s:%s" $broker .Values.service.ports.client) }} +{{- end }} +{{- range $i, $e := until (len .Values.sasl.client.users) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" $ }}-svcbind-user-{{ $i }} + namespace: {{ $.Release.Namespace | quote }} + labels: {{- include "common.labels.standard" $ | nindent 4 }} + {{- if $.Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: servicebinding.io/kafka +data: + provider: {{ print "bitnami" | b64enc | quote }} + type: {{ print "kafka" | b64enc | quote }} + username: {{ index .Values.sasl.client.users $i | b64enc | quote }} + password: {{ index .Values.sasl.client.passwords $i | b64enc | quote }} + host: {{ join "," $host | b64enc | quote }} + port: {{ print $port | b64enc | quote }} + bootstrap-servers: {{ join "," $bootstrapServers | b64enc | quote }} +{{- end }} +{{- else }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }}-svcbind + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: servicebinding.io/kafka +data: + provider: {{ print "bitnami" | b64enc | quote }} + type: {{ print "kafka" | b64enc | quote }} + host: {{ join "," $host | b64enc | quote }} + port: {{ print $port | b64enc | quote }} + bootstrap-servers: {{ join "," $bootstrapServers | b64enc | quote }} +{{- end }} +{{- end }} +{{- end }} +{{- if .Values.kraft.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-kraft-cluster-id" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + kraft-cluster-id: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-kraft-cluster-id" (include "common.names.fullname" .)) "key" "kraft-cluster-id" "providedValues" (list "kraft.clusterId") "length" 22 "context" $) }} +{{- end }} diff --git a/charts/bitnami/kafka/templates/statefulset.yaml b/charts/bitnami/kafka/templates/statefulset.yaml deleted file mode 100644 index de7fa5ab7..000000000 --- a/charts/bitnami/kafka/templates/statefulset.yaml +++ /dev/null @@ -1,644 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- $replicaCount := int .Values.replicaCount }} -{{- $fullname := include "common.names.fullname" . }} -{{- $releaseNamespace := .Release.Namespace }} -{{- $clusterDomain := .Values.clusterDomain }} -{{- $interBrokerProtocol := include "kafka.listenerType" (dict "protocol" .Values.auth.interBrokerProtocol) -}} -{{- $clientProtocol := include "kafka.listenerType" (dict "protocol" .Values.auth.clientProtocol) -}} -{{- $controllerProtocol := include "kafka.listenerType" (dict "protocol" .Values.auth.controllerProtocol) -}} -{{- $externalClientProtocol := include "kafka.listenerType" (dict "protocol" (include "kafka.externalClientProtocol" . )) -}} -apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: kafka - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podManagementPolicy: {{ .Values.podManagementPolicy }} - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - app.kubernetes.io/component: kafka - serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} - updateStrategy: {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }} - template: - metadata: - labels: {{- include "common.labels.standard" . | nindent 8 }} - app.kubernetes.io/component: kafka - {{- if .Values.podLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }} - {{- end }} - annotations: - {{- if (include "kafka.createConfigmap" .) }} - checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - {{- end }} - {{- if (include "kafka.createJaasSecret" .) }} - checksum/jaas-secret: {{ include (print $.Template.BasePath "/jaas-secret.yaml") . | sha256sum }} - {{- end }} - {{- if (include "kafka.createTlsSecret" .) }} - checksum/tls-secret: {{ include (print $.Template.BasePath "/tls-secrets.yaml") . | sha256sum }} - {{- end }} - {{- if .Values.externalAccess.enabled }} - checksum/scripts: {{ include (print $.Template.BasePath "/scripts-configmap.yaml") . | sha256sum }} - {{- end }} - {{- if (include "kafka.metrics.jmx.createConfigmap" .) }} - checksum/jmx-configuration: {{ include (print $.Template.BasePath "/jmx-configmap.yaml") . | sha256sum }} - {{- end }} - {{- if .Values.podAnnotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} - {{- end }} - spec: - {{- include "kafka.imagePullSecrets" . | nindent 6 }} - {{- if .Values.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} - {{- end }} - hostNetwork: {{ .Values.hostNetwork }} - hostIPC: {{ .Values.hostIPC }} - {{- if .Values.schedulerName }} - schedulerName: {{ .Values.schedulerName | quote }} - {{- end }} - {{- if .Values.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "kafka" "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "kafka" "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.topologySpreadConstraints }} - topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} - {{- if .Values.podSecurityContext.enabled }} - securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "kafka.serviceAccountName" . }} - {{- if or (and .Values.volumePermissions.enabled .Values.persistence.enabled) (and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled) .Values.initContainers }} - initContainers: - {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - - name: volume-permissions - image: {{ include "kafka.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - command: - - /bin/bash - args: - - -ec - - | - mkdir -p "{{ .Values.persistence.mountPath }}" "{{ .Values.logPersistence.mountPath }}" - chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} "{{ .Values.persistence.mountPath }}" "{{ .Values.logPersistence.mountPath }}" - find "{{ .Values.persistence.mountPath }}" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} - find "{{ .Values.logPersistence.mountPath }}" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} - {{- else }} - securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.volumePermissions.resources }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: data - mountPath: {{ .Values.persistence.mountPath }} - - name: logs - mountPath: {{ .Values.logPersistence.mountPath }} - {{- end }} - {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }} - - name: auto-discovery - image: {{ include "kafka.externalAccess.autoDiscovery.image" . }} - imagePullPolicy: {{ .Values.externalAccess.autoDiscovery.image.pullPolicy | quote }} - command: - - /scripts/auto-discovery.sh - env: - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: SHARED_FILE - value: "/shared/info.txt" - {{- if .Values.externalAccess.autoDiscovery.resources }} - resources: {{- toYaml .Values.externalAccess.autoDiscovery.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: shared - mountPath: /shared - - name: logs - mountPath: {{ .Values.logPersistence.mountPath }} - - name: scripts - mountPath: /scripts/auto-discovery.sh - subPath: auto-discovery.sh - {{- end }} - {{- if .Values.initContainers }} - {{- include "common.tplvalues.render" ( dict "value" .Values.initContainers "context" $ ) | nindent 8 }} - {{- end }} - {{- end }} - containers: - - name: kafka - image: {{ include "kafka.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else if .Values.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if .Values.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - - name: MY_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KAFKA_CFG_ZOOKEEPER_CONNECT - {{- if .Values.zookeeper.enabled }} - value: {{ printf "%s%s" (include "kafka.zookeeper.fullname" .) (tpl .Values.zookeeperChrootPath .) | quote }} - {{- else }} - value: {{ include "common.tplvalues.render" (dict "value" (printf "%s%s" (join "," .Values.externalZookeeper.servers) (tpl .Values.zookeeperChrootPath .)) "context" $) }} - {{- end }} - - name: KAFKA_INTER_BROKER_LISTENER_NAME - value: {{ .Values.interBrokerListenerName | quote }} - - name: KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP - {{- $securityProtocolMap := list }} - {{- if .Values.listenerSecurityProtocolMap }} - {{- $securityProtocolMap = append $securityProtocolMap .Values.listenerSecurityProtocolMap }} - {{- else }} - {{- $securityProtocolMap = append $securityProtocolMap (printf "INTERNAL:%s,CLIENT:%s" $interBrokerProtocol $clientProtocol) }} - {{- if .Values.kraft.enabled }} - {{- $securityProtocolMap = append $securityProtocolMap (printf "CONTROLLER:%s" $controllerProtocol) }} - {{- end}} - {{- if .Values.externalAccess.enabled }} - {{- $securityProtocolMap = append $securityProtocolMap (printf "EXTERNAL:%s" $externalClientProtocol) }} - {{- end }} - {{- end }} - value: {{ join "," $securityProtocolMap | quote }} - {{- if or ($clientProtocol | regexFind "SASL") ($externalClientProtocol | regexFind "SASL") ($interBrokerProtocol | regexFind "SASL") .Values.auth.sasl.jaas.zookeeperUser }} - - name: KAFKA_CFG_SASL_ENABLED_MECHANISMS - value: {{ upper .Values.auth.sasl.mechanisms | quote }} - - name: KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL - value: {{ upper .Values.auth.sasl.interBrokerMechanism | quote }} - {{- end }} - - name: KAFKA_CFG_LISTENERS - {{- $listeners := list }} - {{- if .Values.listeners }} - {{- $listeners = .Values.listeners }} - {{- else }} - {{- $listeners = append $listeners (printf "INTERNAL://:%d,CLIENT://:%d" (int .Values.containerPorts.internal) (int .Values.containerPorts.client)) }} - {{- if .Values.kraft.enabled }} - {{- $listeners = append $listeners (printf "CONTROLLER://:%d" (int .Values.containerPorts.controller)) }} - {{- end}} - {{- if .Values.externalAccess.enabled }} - {{- $listeners = append $listeners (printf "EXTERNAL://:%d" (int .Values.containerPorts.external)) }} - {{- end }} - {{- end }} - value: {{ join "," $listeners | quote }} - {{- if .Values.externalAccess.enabled }} - {{- if .Values.externalAccess.autoDiscovery.enabled }} - - name: SHARED_FILE - value: "/shared/info.txt" - {{- end }} - {{- if eq .Values.externalAccess.service.type "NodePort" }} - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - {{- end }} - {{- else }} - - name: KAFKA_CFG_ADVERTISED_LISTENERS - {{- if .Values.advertisedListeners }} - value: {{ join "," .Values.advertisedListeners }} - {{- else }} - value: "INTERNAL://$(MY_POD_NAME).{{ $fullname }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ .Values.service.ports.internal }},CLIENT://$(MY_POD_NAME).{{ $fullname }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ .Values.service.ports.client }}" - {{- end }} - {{- end }} - - name: ALLOW_PLAINTEXT_LISTENER - value: {{ ternary "yes" "no" .Values.allowPlaintextListener | quote }} - {{- if or (include "kafka.client.saslAuthentication" .) (include "kafka.interBroker.saslAuthentication" .) }} - - name: KAFKA_OPTS - value: "-Djava.security.auth.login.config=/opt/bitnami/kafka/config/kafka_jaas.conf" - {{- if (include "kafka.client.saslAuthentication" .) }} - - name: KAFKA_CLIENT_USERS - value: {{ join "," .Values.auth.sasl.jaas.clientUsers | quote }} - - name: KAFKA_CLIENT_PASSWORDS - valueFrom: - secretKeyRef: - name: {{ include "kafka.jaasSecretName" . }} - key: client-passwords - {{- end }} - {{- if (include "kafka.interBroker.saslAuthentication" .) }} - - name: KAFKA_INTER_BROKER_USER - value: {{ .Values.auth.sasl.jaas.interBrokerUser | quote }} - - name: KAFKA_INTER_BROKER_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "kafka.jaasSecretName" . }} - key: inter-broker-password - {{- end }} - {{- end }} - {{- if and .Values.zookeeper.auth.client.enabled .Values.auth.sasl.jaas.zookeeperUser }} - - name: KAFKA_ZOOKEEPER_USER - value: {{ .Values.auth.sasl.jaas.zookeeperUser | quote }} - - name: KAFKA_ZOOKEEPER_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "kafka.jaasSecretName" . }} - key: zookeeper-password - {{- end }} - - name: KAFKA_ZOOKEEPER_PROTOCOL - value: {{ include "kafka.zookeeper.protocol" . }} - {{- if .Values.auth.zookeeper.tls.enabled }} - - name: KAFKA_ZOOKEEPER_TLS_TYPE - value: {{ upper .Values.auth.zookeeper.tls.type | quote }} - - name: KAFKA_ZOOKEEPER_TLS_VERIFY_HOSTNAME - value: {{ .Values.auth.zookeeper.tls.verifyHostname | quote }} - {{- if .Values.auth.zookeeper.tls.passwordsSecret }} - - name: KAFKA_ZOOKEEPER_TLS_KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.auth.zookeeper.tls.passwordsSecret }} - key: {{ .Values.auth.zookeeper.tls.passwordsSecretKeystoreKey | quote }} - - name: KAFKA_ZOOKEEPER_TLS_TRUSTSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.auth.zookeeper.tls.passwordsSecret }} - key: {{ .Values.auth.zookeeper.tls.passwordsSecretTruststoreKey | quote }} - {{- end }} - {{- end }} - {{- if (include "kafka.tlsEncryption" .) }} - - name: KAFKA_TLS_TYPE - value: {{ upper .Values.auth.tls.type | quote }} - - name: KAFKA_CFG_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM - value: {{ default "" .Values.auth.tls.endpointIdentificationAlgorithm | quote }} - - name: KAFKA_TLS_CLIENT_AUTH - value: {{ ternary "required" "none" (or (eq (include "kafka.externalClientProtocol" . ) "mtls") (eq .Values.auth.clientProtocol "mtls")) | quote }} - - name: KAFKA_CERTIFICATE_PASSWORD - {{- if .Values.auth.tls.existingSecret }} - valueFrom: - secretKeyRef: - name: {{ .Values.auth.tls.existingSecret }} - key: password - {{- else }} - value: {{ default "" .Values.auth.tls.password | quote }} - {{- end }} - {{- end }} - {{- if .Values.metrics.jmx.enabled }} - - name: JMX_PORT - value: "5555" - {{- end }} - - name: KAFKA_VOLUME_DIR - value: {{ .Values.persistence.mountPath | quote }} - - name: KAFKA_LOG_DIR - value: {{ .Values.logPersistence.mountPath | quote }} - - name: KAFKA_CFG_DELETE_TOPIC_ENABLE - value: {{ .Values.deleteTopicEnable | quote }} - - name: KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE - value: {{ .Values.autoCreateTopicsEnable | quote }} - - name: KAFKA_HEAP_OPTS - value: {{ .Values.heapOpts | quote }} - - name: KAFKA_CFG_LOG_FLUSH_INTERVAL_MESSAGES - value: {{ .Values.logFlushIntervalMessages | replace "_" "" | quote }} - - name: KAFKA_CFG_LOG_FLUSH_INTERVAL_MS - value: {{ .Values.logFlushIntervalMs | quote }} - - name: KAFKA_CFG_LOG_RETENTION_BYTES - value: {{ .Values.logRetentionBytes | replace "_" "" | quote }} - - name: KAFKA_CFG_LOG_RETENTION_CHECK_INTERVAL_MS - value: {{ .Values.logRetentionCheckIntervalMs | quote }} - - name: KAFKA_CFG_LOG_RETENTION_HOURS - value: {{ .Values.logRetentionHours | quote }} - - name: KAFKA_CFG_MESSAGE_MAX_BYTES - value: {{ .Values.maxMessageBytes | replace "_" "" | quote }} - - name: KAFKA_CFG_LOG_SEGMENT_BYTES - value: {{ .Values.logSegmentBytes | replace "_" "" | quote }} - - name: KAFKA_CFG_LOG_DIRS - value: {{ .Values.logsDirs | quote }} - - name: KAFKA_CFG_DEFAULT_REPLICATION_FACTOR - value: {{ .Values.defaultReplicationFactor | quote }} - - name: KAFKA_CFG_OFFSETS_TOPIC_REPLICATION_FACTOR - value: {{ .Values.offsetsTopicReplicationFactor | quote }} - - name: KAFKA_CFG_TRANSACTION_STATE_LOG_REPLICATION_FACTOR - value: {{ .Values.transactionStateLogReplicationFactor | quote }} - - name: KAFKA_CFG_TRANSACTION_STATE_LOG_MIN_ISR - value: {{ .Values.transactionStateLogMinIsr | quote }} - - name: KAFKA_CFG_NUM_IO_THREADS - value: {{ .Values.numIoThreads | quote }} - - name: KAFKA_CFG_NUM_NETWORK_THREADS - value: {{ .Values.numNetworkThreads | quote }} - - name: KAFKA_CFG_NUM_PARTITIONS - value: {{ .Values.numPartitions | quote }} - - name: KAFKA_CFG_NUM_RECOVERY_THREADS_PER_DATA_DIR - value: {{ .Values.numRecoveryThreadsPerDataDir | quote }} - - name: KAFKA_CFG_SOCKET_RECEIVE_BUFFER_BYTES - value: {{ .Values.socketReceiveBufferBytes | quote }} - - name: KAFKA_CFG_SOCKET_REQUEST_MAX_BYTES - value: {{ .Values.socketRequestMaxBytes | replace "_" "" | quote }} - - name: KAFKA_CFG_SOCKET_SEND_BUFFER_BYTES - value: {{ .Values.socketSendBufferBytes | quote }} - - name: KAFKA_CFG_ZOOKEEPER_CONNECTION_TIMEOUT_MS - value: {{ .Values.zookeeperConnectionTimeoutMs | quote }} - - name: KAFKA_CFG_AUTHORIZER_CLASS_NAME - value: {{ .Values.authorizerClassName | quote }} - - name: KAFKA_CFG_ALLOW_EVERYONE_IF_NO_ACL_FOUND - value: {{ .Values.allowEveryoneIfNoAclFound | quote }} - - name: KAFKA_CFG_SUPER_USERS - value: {{ .Values.superUsers | quote }} - - name: KAFKA_ENABLE_KRAFT - value: {{ ternary "true" "false" .Values.kraft.enabled | quote }} - {{- if .Values.kraft.enabled }} - - name: KAFKA_KRAFT_CLUSTER_ID - value: {{ .Values.kraft.clusterId | quote }} - - name: KAFKA_CFG_PROCESS_ROLES - value: {{ .Values.kraft.processRoles | quote }} - - name: KAFKA_CFG_CONTROLLER_LISTENER_NAMES - value: {{ .Values.kraft.controllerListenerNames | quote }} - {{- if .Values.kraft.controllerQuorumVoters }} - - name: KAFKA_CFG_CONTROLLER_QUORUM_VOTERS - value: {{ .Values.kraft.controllerQuorumVoters}} - {{- end }} - {{- end }} - {{- if .Values.extraEnvVars }} - {{- include "common.tplvalues.render" ( dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }} - envFrom: - {{- if .Values.extraEnvVarsCM }} - - configMapRef: - name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} - {{- end }} - {{- if .Values.extraEnvVarsSecret }} - - secretRef: - name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} - {{- end }} - {{- end }} - ports: - - name: kafka-client - containerPort: {{ .Values.containerPorts.client }} - - name: kafka-internal - containerPort: {{ .Values.containerPorts.internal }} - {{- if .Values.externalAccess.enabled }} - - name: kafka-external - containerPort: {{ .Values.containerPorts.external }} - {{- end }} - {{- if and .Values.kraft.enabled (contains "controller" .Values.kraft.processRoles) }} - - name: kafka-ctlr - containerPort: {{ .Values.containerPorts.controller }} - {{- end }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} - {{- else if .Values.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} - tcpSocket: - port: kafka-client - {{- end }} - {{- if .Values.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} - {{- else if .Values.readinessProbe.enabled }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }} - tcpSocket: - port: kafka-client - {{- end }} - {{- if .Values.customStartupProbe }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} - {{- else if .Values.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }} - tcpSocket: - port: kafka-client - {{- end }} - {{- end }} - {{- if .Values.lifecycleHooks }} - lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: data - mountPath: {{ .Values.persistence.mountPath }} - - name: logs - mountPath: {{ .Values.logPersistence.mountPath }} - {{- if or .Values.config .Values.existingConfigmap }} - - name: kafka-config - mountPath: {{ .Values.persistence.mountPath }}/config/server.properties - subPath: server.properties - {{- end }} - {{- if or .Values.log4j .Values.existingLog4jConfigMap }} - - name: log4j-config - mountPath: {{ .Values.persistence.mountPath }}/config/log4j.properties - subPath: log4j.properties - {{- end }} - - name: scripts - mountPath: /scripts/setup.sh - subPath: setup.sh - {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }} - - name: shared - mountPath: /shared - {{- end }} - {{- if (include "kafka.tlsEncryption" .) }} - {{- if not (empty .Values.auth.tls.existingSecrets) }} - {{- range $index, $_ := .Values.auth.tls.existingSecrets }} - - name: kafka-certs-{{ $index }} - mountPath: /certs-{{ $index }} - readOnly: true - {{- end }} - {{- else if .Values.auth.tls.autoGenerated }} - {{- range $index := until $replicaCount }} - - name: kafka-certs-{{ $index }} - mountPath: /certs-{{ $index }} - readOnly: true - {{- end }} - {{- end }} - {{- if and .Values.auth.zookeeper.tls.enabled .Values.auth.zookeeper.tls.existingSecret }} - - name: kafka-zookeeper-cert - mountPath: /kafka-zookeeper-cert - readOnly: true - {{- end }} - {{- if .Values.auth.tls.jksTruststoreSecret }} - - name: kafka-truststore - mountPath: /truststore - readOnly: true - {{- end }} - {{- end }} - {{- if .Values.extraVolumeMounts }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.jmx.enabled }} - - name: jmx-exporter - image: {{ include "kafka.metrics.jmx.image" . }} - imagePullPolicy: {{ .Values.metrics.jmx.image.pullPolicy | quote }} - {{- if .Values.metrics.jmx.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.jmx.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else }} - command: - - java - args: - - -XX:MaxRAMPercentage=100 - - -XshowSettings:vm - - -jar - - jmx_prometheus_httpserver.jar - - "5556" - - /etc/jmx-kafka/jmx-kafka-prometheus.yml - {{- end }} - ports: - - name: metrics - containerPort: {{ .Values.metrics.jmx.containerPorts.metrics }} - {{- if .Values.metrics.jmx.resources }} - resources: {{- toYaml .Values.metrics.jmx.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: jmx-config - mountPath: /etc/jmx-kafka - {{- end }} - {{- if .Values.sidecars }} - {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} - {{- end }} - volumes: - {{- if or .Values.config .Values.existingConfigmap }} - - name: kafka-config - configMap: - name: {{ include "kafka.configmapName" . }} - {{- end }} - {{- if or .Values.log4j .Values.existingLog4jConfigMap }} - - name: log4j-config - configMap: - name: {{ include "kafka.log4j.configMapName" . }} - {{ end }} - - name: scripts - configMap: - name: {{ include "common.names.fullname" . }}-scripts - defaultMode: 0755 - {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }} - - name: shared - emptyDir: {} - {{- end }} - {{- if .Values.metrics.jmx.enabled }} - - name: jmx-config - configMap: - name: {{ include "kafka.metrics.jmx.configmapName" . }} - {{- end }} - {{- if (include "kafka.tlsEncryption" .) }} - {{- if not (empty .Values.auth.tls.existingSecrets) }} - {{- range $index, $secret := .Values.auth.tls.existingSecrets }} - - name: kafka-certs-{{ $index }} - secret: - secretName: {{ tpl $secret $ }} - defaultMode: 256 - {{- end }} - {{- else if .Values.auth.tls.autoGenerated }} - {{- range $index := until $replicaCount }} - - name: kafka-certs-{{ $index }} - secret: - secretName: {{ printf "%s-%d-tls" (include "common.names.fullname" $) $index }} - defaultMode: 256 - {{- end }} - {{- end }} - {{- if and .Values.auth.zookeeper.tls.enabled .Values.auth.zookeeper.tls.existingSecret }} - - name: kafka-zookeeper-cert - secret: - secretName: {{ .Values.auth.zookeeper.tls.existingSecret }} - defaultMode: 256 - {{- end }} - {{- if .Values.auth.tls.jksTruststoreSecret }} - - name: kafka-truststore - secret: - secretName: {{ .Values.auth.tls.jksTruststoreSecret }} - defaultMode: 256 - {{- end }} - {{- end }} - {{- if .Values.extraVolumes }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} - {{- end }} -{{- if not .Values.persistence.enabled }} - - name: data - emptyDir: {} -{{- else if .Values.persistence.existingClaim }} - - name: data - persistentVolumeClaim: - claimName: {{ printf "%s" (tpl .Values.persistence.existingClaim .) }} -{{- end }} -{{- if not .Values.logPersistence.enabled }} - - name: logs - emptyDir: {} -{{- else if .Values.logPersistence.existingClaim }} - - name: logs - persistentVolumeClaim: - claimName: {{ printf "%s" (tpl .Values.logPersistence.existingClaim .) }} -{{- end }} - {{- if or (and .Values.persistence.enabled (not .Values.persistence.existingClaim)) (and .Values.logPersistence.enabled (not .Values.logPersistence.existingClaim)) }} - volumeClaimTemplates: - {{- end }} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} - - metadata: - name: data - {{- if .Values.persistence.annotations }} - annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} - {{- end }} - {{- if .Values.persistence.labels }} - labels: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.labels "context" $) | nindent 10 }} - {{- end }} - spec: - accessModes: - {{- range .Values.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{ include "kafka.storageClass" . | nindent 8 }} - {{- if .Values.persistence.selector }} - selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 10 }} - {{- end -}} -{{- end }} -{{- if and .Values.logPersistence.enabled (not .Values.logPersistence.existingClaim) }} - - metadata: - name: logs - {{- if .Values.logPersistence.annotations }} - annotations: {{- include "common.tplvalues.render" (dict "value" .Values.logPersistence.annotations "context" $) | nindent 10 }} - {{- end }} - spec: - accessModes: - {{- range .Values.logPersistence.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.logPersistence.size | quote }} - {{ include "kafka.storageClass" . | nindent 8 }} - {{- if .Values.logPersistence.selector }} - selector: {{- include "common.tplvalues.render" (dict "value" .Values.logPersistence.selector "context" $) | nindent 10 }} - {{- end -}} -{{- end }} diff --git a/charts/bitnami/kafka/templates/svc-external-access.yaml b/charts/bitnami/kafka/templates/svc-external-access.yaml deleted file mode 100644 index b673714ad..000000000 --- a/charts/bitnami/kafka/templates/svc-external-access.yaml +++ /dev/null @@ -1,71 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if .Values.externalAccess.enabled }} -{{- $fullName := include "common.names.fullname" . }} -{{- $replicaCount := .Values.replicaCount | int }} -{{- $root := . }} - -{{- range $i, $e := until $replicaCount }} -{{- $targetPod := printf "%s-%d" (printf "%s" $fullName) $i }} -{{- $_ := set $ "targetPod" $targetPod }} -apiVersion: v1 -kind: Service -metadata: - name: {{ printf "%s-%d-external" (include "common.names.fullname" $) $i | trunc 63 | trimSuffix "-" }} - namespace: {{ $root.Release.Namespace | quote }} - labels: {{- include "common.labels.standard" $ | nindent 4 }} - app.kubernetes.io/component: kafka - pod: {{ $targetPod }} - {{- if $root.Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" $root.Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if $root.Values.externalAccess.service.labels }} - {{- include "common.tplvalues.render" ( dict "value" $root.Values.externalAccess.service.labels "context" $) | nindent 4 }} - {{- end }} - {{- if or $root.Values.externalAccess.service.annotations $root.Values.commonAnnotations $root.Values.externalAccess.service.loadBalancerAnnotations }} - annotations: - {{- if and (not (empty $root.Values.externalAccess.service.loadBalancerAnnotations)) (eq (len $root.Values.externalAccess.service.loadBalancerAnnotations) $replicaCount) }} - {{ include "common.tplvalues.render" ( dict "value" (index $root.Values.externalAccess.service.loadBalancerAnnotations $i) "context" $) | nindent 4 }} - {{- end }} - {{- if $root.Values.externalAccess.service.annotations }} - {{- include "common.tplvalues.render" ( dict "value" $root.Values.externalAccess.service.annotations "context" $) | nindent 4 }} - {{- end }} - {{- if $root.Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" $root.Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: {{ $root.Values.externalAccess.service.type }} - {{- if eq $root.Values.externalAccess.service.type "LoadBalancer" }} - {{- if and (not (empty $root.Values.externalAccess.service.loadBalancerIPs)) (eq (len $root.Values.externalAccess.service.loadBalancerIPs) $replicaCount) }} - loadBalancerIP: {{ index $root.Values.externalAccess.service.loadBalancerIPs $i }} - {{- end }} - {{- if $root.Values.externalAccess.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: {{- toYaml $root.Values.externalAccess.service.loadBalancerSourceRanges | nindent 4 }} - {{- end }} - {{- end }} - publishNotReadyAddresses: {{ $root.Values.externalAccess.service.publishNotReadyAddresses }} - ports: - - name: tcp-kafka - port: {{ $root.Values.externalAccess.service.ports.external }} - {{- if le (add $i 1) (len $root.Values.externalAccess.service.nodePorts) }} - nodePort: {{ index $root.Values.externalAccess.service.nodePorts $i }} - {{- else }} - nodePort: null - {{- end }} - targetPort: kafka-external - {{- if $root.Values.externalAccess.service.extraPorts }} - {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.service.extraPorts "context" $) | nindent 4 }} - {{- end }} - {{- if and (eq $root.Values.externalAccess.service.type "NodePort") (le (add $i 1) (len $root.Values.externalAccess.service.externalIPs)) }} - externalIPs: [{{ index $root.Values.externalAccess.service.externalIPs $i | quote }}] - {{- end }} - selector: {{- include "common.labels.matchLabels" $ | nindent 4 }} - app.kubernetes.io/component: kafka - statefulset.kubernetes.io/pod-name: {{ $targetPod }} ---- -{{- end }} -{{- end }} diff --git a/charts/bitnami/kafka/templates/svc-headless.yaml b/charts/bitnami/kafka/templates/svc-headless.yaml deleted file mode 100644 index 92a51171a..000000000 --- a/charts/bitnami/kafka/templates/svc-headless.yaml +++ /dev/null @@ -1,48 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: kafka - {{- if .Values.service.headless.labels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.service.headless.labels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.service.headless.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.service.headless.annotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.service.headless.annotations "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: ClusterIP - clusterIP: None - publishNotReadyAddresses: {{ .Values.service.headless.publishNotReadyAddresses }} - ports: - - name: tcp-client - port: {{ .Values.service.ports.client }} - protocol: TCP - targetPort: kafka-client - - name: tcp-internal - port: {{ .Values.service.ports.internal }} - protocol: TCP - targetPort: kafka-internal - {{- if and .Values.kraft.enabled (contains "controller" .Values.kraft.processRoles) }} - - name: tcp-controller - protocol: TCP - port: {{ .Values.service.ports.controller }} - targetPort: kafka-ctlr - {{- end }} - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} - app.kubernetes.io/component: kafka diff --git a/charts/bitnami/kafka/templates/svc.yaml b/charts/bitnami/kafka/templates/svc.yaml index b1c9cbef3..82c292162 100644 --- a/charts/bitnami/kafka/templates/svc.yaml +++ b/charts/bitnami/kafka/templates/svc.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} app.kubernetes.io/component: kafka {{- if .Values.commonLabels }} @@ -46,7 +46,7 @@ spec: - name: tcp-client port: {{ .Values.service.ports.client }} protocol: TCP - targetPort: kafka-client + targetPort: client {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.client)) }} nodePort: {{ .Values.service.nodePorts.client }} {{- else if eq .Values.service.type "ClusterIP" }} @@ -56,7 +56,7 @@ spec: - name: tcp-external port: {{ .Values.service.ports.external }} protocol: TCP - targetPort: kafka-external + targetPort: external {{- if (not (empty .Values.service.nodePorts.external)) }} nodePort: {{ .Values.service.nodePorts.external }} {{- end }} @@ -65,4 +65,7 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} {{- end }} selector: {{- include "common.labels.matchLabels" . | nindent 4 }} - app.kubernetes.io/component: kafka + app.kubernetes.io/part-of: kafka + {{- if and .Values.kraft.enabled .Values.controller.controllerOnly }} + app.kubernetes.io/component: broker + {{- end }} diff --git a/charts/bitnami/kafka/templates/tls-secret.yaml b/charts/bitnami/kafka/templates/tls-secret.yaml new file mode 100644 index 000000000..be0eb0132 --- /dev/null +++ b/charts/bitnami/kafka/templates/tls-secret.yaml @@ -0,0 +1,91 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "kafka.createTlsSecret" .) }} +{{- $releaseNamespace := include "common.names.namespace" . }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $fullname := include "common.names.fullname" . }} +{{- $secretName := printf "%s-tls" (include "common.names.fullname" .) }} +{{- $altNames := list (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s" $fullname $releaseNamespace) $fullname }} +{{- $replicaCount := int .Values.broker.replicaCount }} +{{- range $i := until $replicaCount }} +{{- $replicaHost := printf "%s-broker-%d.%s-broker-headless" $fullname $i $fullname }} +{{- $altNames = append $altNames (printf "%s.%s.svc.%s" $replicaHost $releaseNamespace $clusterDomain) }} +{{- $altNames = append $altNames (printf "%s.%s" $replicaHost $releaseNamespace) }} +{{- $altNames = append $altNames $replicaHost }} +{{- end }} +{{- $replicaCount := int .Values.controller.replicaCount }} +{{- range $i := until $replicaCount }} +{{- $replicaHost := printf "%s-controller-%d.%s-controller-headless" $fullname $i $fullname }} +{{- $altNames = append $altNames (printf "%s.%s.svc.%s" $replicaHost $releaseNamespace $clusterDomain) }} +{{- $altNames = append $altNames (printf "%s.%s" $replicaHost $releaseNamespace) }} +{{- $altNames = append $altNames $replicaHost }} +{{- end }} +{{- $ca := genCA "kafka-ca" 365 }} +{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + kafka.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "kafka.crt" "defaultValue" $cert.Cert "context" $) }} + kafka.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "kafka.key" "defaultValue" $cert.Key "context" $) }} + kafka-ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "kafka-ca.crt" "defaultValue" $ca.Cert "context" $) }} +--- +{{- end }} +{{- if (include "kafka.createTlsPasswordsSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-tls-passwords" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + {{ .Values.tls.passwordsSecretKeystoreKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-tls-passwords" (include "common.names.fullname" .)) "key" .Values.tls.passwordsSecretKeystoreKey "providedValues" (list "tls.keystorePassword") "context" $) }} + {{ .Values.tls.passwordsSecretTruststoreKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-tls-passwords" (include "common.names.fullname" .)) "key" .Values.tls.passwordsSecretTruststoreKey "providedValues" (list "tls.truststorePassword") "context" $) }} + {{- if .Values.tls.keyPassword }} + {{ default "key-password" .Values.tls.passwordsSecretPemPasswordKey }}: {{ .Values.tls.keyPassword | b64enc | quote }} + {{- end }} +--- +{{- end }} +{{- if (include "kafka.zookeeper.createTlsPasswordsSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-zookeeper-tls-passwords" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- if .Values.tls.zookeeper.keystorePassword }} + {{ .Values.tls.zookeeper.passwordsSecretKeystoreKey }}: {{ .Values.tls.zookeeper.keystorePassword | b64enc | quote }} + {{- end }} + {{- if .Values.tls.zookeeper.truststorePassword }} + {{ .Values.tls.zookeeper.passwordsSecretTruststoreKey }}: {{ .Values.tls.zookeeper.truststorePassword | b64enc | quote }} + {{- end }} +--- +{{- end }} diff --git a/charts/bitnami/kafka/templates/tls-secrets.yaml b/charts/bitnami/kafka/templates/tls-secrets.yaml deleted file mode 100644 index 167a319e7..000000000 --- a/charts/bitnami/kafka/templates/tls-secrets.yaml +++ /dev/null @@ -1,36 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if (include "kafka.createTlsSecret" .) }} -{{- $replicaCount := int .Values.replicaCount }} -{{- $releaseNamespace := .Release.Namespace }} -{{- $clusterDomain := .Values.clusterDomain }} -{{- $fullname := include "common.names.fullname" . }} -{{- $ca := genCA "kafka-ca" 365 }} -{{- range $i := until $replicaCount }} -{{- $secretName := printf "%s-%d-tls" (include "common.names.fullname" $) $i }} -{{- $replicaHost := printf "%s-%d.%s-headless" $fullname $i $fullname }} -{{- $altNames := list (printf "%s.%s.svc.%s" $replicaHost $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s" $replicaHost $releaseNamespace) (printf "%s.%s" $fullname $releaseNamespace) $replicaHost $fullname }} -{{- $cert := genSignedCert $replicaHost nil $altNames 365 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ printf "%s-%d-tls" (include "common.names.fullname" $) $i }} - namespace: {{ $.Release.Namespace | quote }} - labels: {{- include "common.labels.standard" $ | nindent 4 }} - {{- if $.Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if $.Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: kubernetes.io/tls -data: - tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }} - tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }} - ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }} ---- -{{- end }} -{{- end }} diff --git a/charts/bitnami/kafka/values.yaml b/charts/bitnami/kafka/values.yaml index 273546eb0..709d564bc 100644 --- a/charts/bitnami/kafka/values.yaml +++ b/charts/bitnami/kafka/values.yaml @@ -80,7 +80,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/kafka - tag: 3.5.1-debian-11-r1 + tag: 3.5.1-debian-11-r11 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -98,41 +98,19 @@ image: ## Set to true if you would like to see extra information on logs ## debug: false -## @param config Configuration file for Kafka. Auto-generated based on other parameters when not specified -## Specify content for server.properties -## NOTE: This will override any KAFKA_CFG_ environment variables (including those set by the chart) -## The server.properties is auto-generated based on other parameters when this parameter is not specified -## e.g: -## config: |- -## broker.id=-1 -## listeners=PLAINTEXT://:9092 -## advertised.listeners=PLAINTEXT://KAFKA_IP:9092 -## num.network.threads=3 -## num.io.threads=8 -## socket.send.buffer.bytes=102400 -## socket.receive.buffer.bytes=102400 -## socket.request.max.bytes=104857600 -## log.dirs=/bitnami/kafka/data -## num.partitions=1 -## num.recovery.threads.per.data.dir=1 -## offsets.topic.replication.factor=1 -## transaction.state.log.replication.factor=1 -## transaction.state.log.min.isr=1 -## log.flush.interval.messages=10000 -## log.flush.interval.ms=1000 -## log.retention.hours=168 -## log.retention.bytes=1073741824 -## log.segment.bytes=1073741824 -## log.retention.check.interval.ms=300000 -## zookeeper.connect=ZOOKEEPER_SERVICE_NAME -## zookeeper.connection.timeout.ms=6000 -## group.initial.rebalance.delay.ms=0 +## @param extraInit Additional content for the kafka init script, rendered as a template. +## +extraInit: "" +## @param config Configuration file for Kafka, rendered as a template. Auto-generated based on chart values when not specified. +## @param existingConfigmap ConfigMap with Kafka Configuration +## NOTE: This will override the configuration based on values, please act carefully +## If both are set, the existingConfigMap will be used. ## config: "" -## @param existingConfigmap ConfigMap with Kafka Configuration -## NOTE: This will override `config` AND any KAFKA_CFG_ environment variables -## existingConfigmap: "" +## @param extraConfig Additional configuration to be appended at the end of the generated Kafka configuration file. +## +extraConfig: "" ## @param log4j An optional log4j.properties file to overwrite the default of the Kafka brokers ## An optional log4j.properties file to overwrite the default of the Kafka brokers ## ref: https://github.com/apache/kafka/blob/trunk/config/log4j.properties @@ -146,279 +124,235 @@ existingLog4jConfigMap: "" ## @param heapOpts Kafka Java Heap size ## heapOpts: -Xmx1024m -Xms1024m -## @param deleteTopicEnable Switch to enable topic deletion or not +## @param interBrokerProtocolVersion Override the setting 'inter.broker.protocol.version' during the ZK migration. +## Ref. https://docs.confluent.io/platform/current/installation/migrate-zk-kraft.html ## -deleteTopicEnable: false -## @param autoCreateTopicsEnable Switch to enable auto creation of topics. Enabling auto creation of topics not recommended for production or similar environments +interBrokerProtocolVersion: "" +## Kafka listeners configuration ## -autoCreateTopicsEnable: true -## @param logFlushIntervalMessages The number of messages to accept before forcing a flush of data to disk -## -logFlushIntervalMessages: _10000 -## @param logFlushIntervalMs The maximum amount of time a message can sit in a log before we force a flush -## -logFlushIntervalMs: 1000 -## @param logRetentionBytes A size-based retention policy for logs -## -logRetentionBytes: _1073741824 -## @param logRetentionCheckIntervalMs The interval at which log segments are checked to see if they can be deleted -## -logRetentionCheckIntervalMs: 300000 -## @param logRetentionHours The minimum age of a log file to be eligible for deletion due to age -## -logRetentionHours: 168 -## @param logSegmentBytes The maximum size of a log segment file. When this size is reached a new log segment will be created -## -logSegmentBytes: _1073741824 -## @param logsDirs A comma separated list of directories in which kafka's log data is kept -## ref: https://kafka.apache.org/documentation/#brokerconfigs_log.dirs -## -logsDirs: /bitnami/kafka/data -## @param maxMessageBytes The largest record batch size allowed by Kafka -## -maxMessageBytes: _1000012 -## @param defaultReplicationFactor Default replication factors for automatically created topics -## -defaultReplicationFactor: 1 -## @param offsetsTopicReplicationFactor The replication factor for the offsets topic -## -offsetsTopicReplicationFactor: 1 -## @param transactionStateLogReplicationFactor The replication factor for the transaction topic -## -transactionStateLogReplicationFactor: 1 -## @param transactionStateLogMinIsr Overridden min.insync.replicas config for the transaction topic -## -transactionStateLogMinIsr: 1 -## @param numIoThreads The number of threads doing disk I/O -## -numIoThreads: 8 -## @param numNetworkThreads The number of threads handling network requests -## -numNetworkThreads: 3 -## @param numPartitions The default number of log partitions per topic -## -numPartitions: 1 -## @param numRecoveryThreadsPerDataDir The number of threads per data directory to be used for log recovery at startup and flushing at shutdown -## -numRecoveryThreadsPerDataDir: 1 -## @param socketReceiveBufferBytes The receive buffer (SO_RCVBUF) used by the socket server -## -socketReceiveBufferBytes: 102400 -## @param socketRequestMaxBytes The maximum size of a request that the socket server will accept (protection against OOM) -## -socketRequestMaxBytes: _104857600 -## @param socketSendBufferBytes The send buffer (SO_SNDBUF) used by the socket server -## -socketSendBufferBytes: 102400 -## @param zookeeperConnectionTimeoutMs Timeout in ms for connecting to ZooKeeper -## -zookeeperConnectionTimeoutMs: 6000 -## @param zookeeperChrootPath Path which puts data under some path in the global ZooKeeper namespace -## ref: https://kafka.apache.org/documentation/#brokerconfigs_zookeeper.connect -## -zookeeperChrootPath: "" -## @param authorizerClassName The Authorizer is configured by setting authorizer.class.name=kafka.security.authorizer.AclAuthorizer in server.properties -## -authorizerClassName: "" -## @param allowEveryoneIfNoAclFound By default, if a resource has no associated ACLs, then no one is allowed to access that resource except super users -## -allowEveryoneIfNoAclFound: true -## @param superUsers You can add super users in server.properties -## -superUsers: User:admin -## Authentication parameters -## https://github.com/bitnami/containers/tree/main/bitnami/kafka#security -## -auth: - ## Authentication protocol for client and inter-broker communications - ## This table shows the security provided on each protocol: - ## | Method | Authentication | Encryption via TLS | - ## | plaintext | None | No | - ## | tls | None | Yes | - ## | mtls | Yes (two-way authentication) | Yes | - ## | sasl | Yes (via SASL) | No | - ## | sasl_tls | Yes (via SASL) | Yes | - ## @param auth.clientProtocol Authentication protocol for communications with clients. Allowed protocols: `plaintext`, `tls`, `mtls`, `sasl` and `sasl_tls` - ## @param auth.externalClientProtocol Authentication protocol for communications with external clients. Defaults to value of `auth.clientProtocol`. Allowed protocols: `plaintext`, `tls`, `mtls`, `sasl` and `sasl_tls` - ## @param auth.interBrokerProtocol Authentication protocol for inter-broker communications. Allowed protocols: `plaintext`, `tls`, `mtls`, `sasl` and `sasl_tls` +listeners: + ## @param listeners.client.name Name for the Kafka client listener + ## @param listeners.client.containerPort Port for the Kafka client listener + ## @param listeners.client.protocol Security protocol for the Kafka client listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL' + ## @param listeners.client.sslClientAuth Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.authType for this listener. Allowed values are 'none', 'requested' and 'required' + client: + containerPort: 9092 + protocol: SASL_PLAINTEXT + name: CLIENT + sslClientAuth: "" + ## @param listeners.controller.name Name for the Kafka controller listener + ## @param listeners.controller.containerPort Port for the Kafka controller listener + ## @param listeners.controller.protocol Security protocol for the Kafka controller listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL' + ## @param listeners.controller.sslClientAuth Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.authType for this listener. Allowed values are 'none', 'requested' and 'required' + ## Ref: https://cwiki.apache.org/confluence/display/KAFKA/KIP-684+-+Support+mutual+TLS+authentication+on+SASL_SSL+listeners + controller: + name: CONTROLLER + containerPort: 9093 + protocol: SASL_PLAINTEXT + sslClientAuth: "" + ## @param listeners.interbroker.name Name for the Kafka inter-broker listener + ## @param listeners.interbroker.containerPort Port for the Kafka inter-broker listener + ## @param listeners.interbroker.protocol Security protocol for the Kafka inter-broker listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL' + ## @param listeners.interbroker.sslClientAuth Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.authType for this listener. Allowed values are 'none', 'requested' and 'required' + interbroker: + containerPort: 9094 + protocol: SASL_PLAINTEXT + name: INTERNAL + sslClientAuth: "" + ## @param listeners.external.containerPort Port for the Kafka external listener + ## @param listeners.external.protocol Security protocol for the Kafka external listener. . Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL' + ## @param listeners.external.name Name for the Kafka external listener + ## @param listeners.external.sslClientAuth Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.sslClientAuth for this listener. Allowed values are 'none', 'requested' and 'required' + external: + containerPort: 9095 + protocol: SASL_PLAINTEXT + name: EXTERNAL + sslClientAuth: "" + ## @param listeners.extraListeners Array of listener objects to be appended to already existing listeners + ## E.g. + ## extraListeners: + ## - name: CUSTOM + ## containerPort: 9097 + ## protocol: SASL_PLAINTEXT + ## sslClientAuth: "" ## - clientProtocol: plaintext - # Note: empty by default for backwards compatibility reasons, find more information at - # https://github.com/bitnami/charts/pull/8902/ - externalClientProtocol: "" - interBrokerProtocol: plaintext - ## @param auth.controllerProtocol Controller protocol. It is used with Kraft mode only. + extraListeners: [] + ## NOTE: If set, below values will override configuration set using the above values (extraListeners.*, controller.*, interbroker.*, client.* and external.*) + ## @param listeners.overrideListeners Overrides the Kafka 'listeners' configuration setting. + ## @param listeners.advertisedListeners Overrides the Kafka 'advertised.listener' configuration setting. + ## @param listeners.securityProtocolMap Overrides the Kafka 'security.protocol.map' configuration setting. + overrideListeners: "" + advertisedListeners: "" + securityProtocolMap: "" + +## @section Kafka SASL parameters +## Kafka SASL settings for authentication, required if SASL_PLAINTEXT or SASL_SSL listeners are configured +## +sasl: + ## @param sasl.enabledMechanisms Comma-separated list of allowed SASL mechanisms when SASL listeners are configured. Allowed types: `PLAIN`, `SCRAM-SHA-256`, `SCRAM-SHA-512` + ## NOTE: At the moment, Kafka Raft mode does not support SCRAM, that is why only PLAIN is configured. ## - controllerProtocol: plaintext - ## SASL configuration + enabledMechanisms: PLAIN,SCRAM-SHA-256,SCRAM-SHA-512 + ## @param sasl.interBrokerMechanism SASL mechanism for inter broker communication. ## - sasl: - ## @param auth.sasl.mechanisms SASL mechanisms when either `auth.interBrokerProtocol`, `auth.clientProtocol` or `auth.externalClientProtocol` are `sasl`. Allowed types: `plain`, `scram-sha-256`, `scram-sha-512` - ## - mechanisms: plain,scram-sha-256,scram-sha-512 - ## @param auth.sasl.interBrokerMechanism SASL mechanism for inter broker communication. - ## - interBrokerMechanism: plain - ## JAAS configuration for SASL authentication. - ## - jaas: - ## @param auth.sasl.jaas.clientUsers Kafka client user list - ## - ## clientUsers: - ## - user1 - ## - user2 - ## - clientUsers: - - user - ## @param auth.sasl.jaas.clientPasswords Kafka client passwords. This is mandatory if more than one user is specified in clientUsers - ## - ## clientPasswords: - ## - password1 - ## - password2" - ## - clientPasswords: [] - ## @param auth.sasl.jaas.interBrokerUser Kafka inter broker communication user for SASL authentication - ## - interBrokerUser: admin - ## @param auth.sasl.jaas.interBrokerPassword Kafka inter broker communication password for SASL authentication - ## - interBrokerPassword: "" - ## @param auth.sasl.jaas.zookeeperUser Kafka ZooKeeper user for SASL authentication - ## - zookeeperUser: "" - ## @param auth.sasl.jaas.zookeeperPassword Kafka ZooKeeper password for SASL authentication - ## - zookeeperPassword: "" - ## @param auth.sasl.jaas.existingSecret Name of the existing secret containing credentials for clientUsers, interBrokerUser and zookeeperUser - ## Create this secret running the command below where SECRET_NAME is the name of the secret you want to create: - ## kubectl create secret generic SECRET_NAME --from-literal=client-passwords=CLIENT_PASSWORD1,CLIENT_PASSWORD2 --from-literal=inter-broker-password=INTER_BROKER_PASSWORD --from-literal=zookeeper-password=ZOOKEEPER_PASSWORD - ## - existingSecret: "" - ## TLS configuration + interBrokerMechanism: PLAIN + ## @param sasl.controllerMechanism SASL mechanism for controller communications. ## - tls: - ## @param auth.tls.type Format to use for TLS certificates. Allowed types: `jks` and `pem` - ## - type: jks - ## @param auth.tls.pemChainIncluded Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. - ## Certificates must be in proper order, where the top certificate is the leaf and the bottom certificate is the top-most intermediate CA. - ## - pemChainIncluded: false - ## @param auth.tls.existingSecrets Array existing secrets containing the TLS certificates for the Kafka brokers - ## When using 'jks' format for certificates, each secret should contain a truststore and a keystore. - ## Create these secrets following the steps below: - ## 1) Generate your truststore and keystore files. Helpful script: https://raw.githubusercontent.com/confluentinc/confluent-platform-security-tools/master/kafka-generate-ssl.sh - ## 2) Rename your truststore to `kafka.truststore.jks`. - ## 3) Rename your keystores to `kafka-X.keystore.jks` where X is the ID of each Kafka broker. - ## 4) Run the command below one time per broker to create its associated secret (SECRET_NAME_X is the name of the secret you want to create): - ## kubectl create secret generic SECRET_NAME_0 --from-file=kafka.truststore.jks=./kafka.truststore.jks --from-file=kafka.keystore.jks=./kafka-0.keystore.jks - ## kubectl create secret generic SECRET_NAME_1 --from-file=kafka.truststore.jks=./kafka.truststore.jks --from-file=kafka.keystore.jks=./kafka-1.keystore.jks - ## ... - ## - ## When using 'pem' format for certificates, each secret should contain a public CA certificate, a public certificate and one private key. - ## Create these secrets following the steps below: - ## 1) Create a certificate key and signing request per Kafka broker, and sign the signing request with your CA - ## 2) Rename your CA file to `kafka.ca.crt`. - ## 3) Rename your certificates to `kafka-X.tls.crt` where X is the ID of each Kafka broker. - ## 3) Rename your keys to `kafka-X.tls.key` where X is the ID of each Kafka broker. - ## 4) Run the command below one time per broker to create its associated secret (SECRET_NAME_X is the name of the secret you want to create): - ## kubectl create secret generic SECRET_NAME_0 --from-file=ca.crt=./kafka.ca.crt --from-file=tls.crt=./kafka-0.tls.crt --from-file=tls.key=./kafka-0.tls.key - ## kubectl create secret generic SECRET_NAME_1 --from-file=ca.crt=./kafka.ca.crt --from-file=tls.crt=./kafka-1.tls.crt --from-file=tls.key=./kafka-1.tls.key - ## ... - ## - existingSecrets: [] - ## @param auth.tls.autoGenerated Generate automatically self-signed TLS certificates for Kafka brokers. Currently only supported if `auth.tls.type` is `pem` - ## Note: ignored when using 'jks' format or `auth.tls.existingSecrets` is not empty - ## - autoGenerated: false - ## @param auth.tls.password Password to access the JKS files or PEM key when they are password-protected. - ## Note: ignored when using 'existingSecret'. - ## + controllerMechanism: PLAIN + ## Credentials for inter-broker communications. + ## @param sasl.interbroker.user Username for inter-broker communications when SASL is enabled + ## @param sasl.interbroker.password Password for inter-broker communications when SASL is enabled. If not set and SASL is enabled for the controller listener, a random password will be generated. + ## + interbroker: + user: inter_broker_user password: "" - ## @param auth.tls.existingSecret Name of the secret containing the password to access the JKS files or PEM key when they are password-protected. (`key`: `password`) - ## - existingSecret: "" - ## @param auth.tls.jksTruststoreSecret Name of the existing secret containing your truststore if truststore not existing or different from the ones in the `auth.tls.existingSecrets` - ## Note: ignored when using 'pem' format for certificates. - ## - jksTruststoreSecret: "" - ## @param auth.tls.jksKeystoreSAN The secret key from the `auth.tls.existingSecrets` containing the keystore with a SAN certificate - ## The SAN certificate in it should be issued with Subject Alternative Names for all headless services: - ## - kafka-0.kafka-headless.kafka.svc.cluster.local - ## - kafka-1.kafka-headless.kafka.svc.cluster.local - ## - kafka-2.kafka-headless.kafka.svc.cluster.local - ## Note: ignored when using 'pem' format for certificates. - ## - jksKeystoreSAN: "" - ## @param auth.tls.jksTruststore The secret key from the `auth.tls.existingSecrets` or `auth.tls.jksTruststoreSecret` containing the truststore - ## Note: ignored when using 'pem' format for certificates. - ## - jksTruststore: "" - ## @param auth.tls.endpointIdentificationAlgorithm The endpoint identification algorithm to validate server hostname using server certificate - ## Disable server host name verification by setting it to an empty string. - ## ref: https://docs.confluent.io/current/kafka/authentication_ssl.html#optional-settings - ## - endpointIdentificationAlgorithm: https - ## Zookeeper client configuration for kafka brokers + ## Credentials for controller communications. + ## @param sasl.controller.user Username for controller communications when SASL is enabled + ## @param sasl.controller.password Password for controller communications when SASL is enabled. If not set and SASL is enabled for the inter-broker listener, a random password will be generated. + ## + controller: + user: controller_user + password: "" + ## Credentials for client communications. + ## @param sasl.client.users Comma-separated list of usernames for client communications when SASL is enabled + ## @param sasl.client.passwords Comma-separated list of passwords for client communications when SASL is enabled, must match the number of client.users + ## + client: + users: + - user1 + passwords: "" + ## Credentials for Zookeeper communications. + ## @param sasl.zookeeper.user Username for zookeeper communications when SASL is enabled. + ## @param sasl.zookeeper.password Password for zookeeper communications when SASL is enabled. ## zookeeper: - ## TLS configuration + user: "" + password: "" + ## @param sasl.existingSecret Name of the existing secret containing credentials for clientUsers, interBrokerUser, controllerUser and zookeeperUser + ## Create this secret running the command below where SECRET_NAME is the name of the secret you want to create: + ## kubectl create secret generic SECRET_NAME --from-literal=client-passwords=CLIENT_PASSWORD1,CLIENT_PASSWORD2 --from-literal=inter-broker-password=INTER_BROKER_PASSWORD --from-literal=controller-password=CONTROLLER_PASSWORD --from-literal=zookeeper-password=ZOOKEEPER_PASSWORD + ## + existingSecret: "" + +## @section Kafka TLS parameters +## Kafka TLS settings, required if SSL or SASL_SSL listeners are configured +## +tls: + ## @param tls.type Format to use for TLS certificates. Allowed types: `JKS` and `PEM` + ## + type: JKS + ## @param tls.pemChainIncluded Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. + ## Certificates must be in proper order, where the top certificate is the leaf and the bottom certificate is the top-most intermediate CA. + ## + pemChainIncluded: false + ## @param tls.existingSecret Name of the existing secret containing the TLS certificates for the Kafka nodes. + ## When using 'jks' format for certificates, each secret should contain a truststore and a keystore. + ## Create these secrets following the steps below: + ## 1) Generate your truststore and keystore files. Helpful script: https://raw.githubusercontent.com/confluentinc/confluent-platform-security-tools/master/kafka-generate-ssl.sh + ## 2) Rename your truststore to `kafka.truststore.jks`. + ## 3) Rename your keystores to `kafka--X.keystore.jks` where X is the replica number of the . + ## 4) Run the command below one time per broker to create its associated secret (SECRET_NAME_X is the name of the secret you want to create): + ## kubectl create secret generic SECRET_NAME_0 --from-file=kafka.truststore.jks=./kafka.truststore.jks \ + ## --from-file=kafka-controller-0.keystore.jks=./kafka-controller-0.keystore.jks --from-file=kafka-broker-0.keystore.jks=./kafka-broker-0.keystore.jks ... + ## + ## NOTE: Alternatively, a single keystore can be provided for all nodes under the key 'kafka.keystore.jks', this keystore will be used by all nodes unless overridden by the 'kafka--X.keystore.jks' file + ## + ## When using 'pem' format for certificates, each secret should contain a public CA certificate, a public certificate and one private key. + ## Create these secrets following the steps below: + ## 1) Create a certificate key and signing request per Kafka broker, and sign the signing request with your CA + ## 2) Rename your CA file to `kafka.ca.crt`. + ## 3) Rename your certificates to `kafka-X.tls.crt` where X is the ID of each Kafka broker. + ## 3) Rename your keys to `kafka-X.tls.key` where X is the ID of each Kafka broker. + ## 4) Run the command below one time per broker to create its associated secret (SECRET_NAME_X is the name of the secret you want to create): + ## kubectl create secret generic SECRET_NAME_0 --from-file=kafka-ca.crt=./kafka-ca.crt --from-file=kafka-controller-0.crt=./kafka-controller-0.crt --from-file=kafka-controller-0.key=./kafka-controller-0.key \ + ## --from-file=kafka-broker-0.crt=./kafka-broker-0.crt --from-file=kafka-broker-0.key=./kafka-broker-0.key ... + ## + ## NOTE: Alternatively, a single key and certificate can be provided for all nodes under the keys 'kafka.crt' and 'kafka.key'. These certificates will be used by all nodes unless overridden by the 'kafka--X.key' and 'kafka--X.crt' files + ## + existingSecret: "" + ## @param tls.autoGenerated Generate automatically self-signed TLS certificates for Kafka brokers. Currently only supported if `tls.type` is `PEM` + ## Note: ignored when using 'jks' format or `tls.existingSecret` is not empty + ## + autoGenerated: false + ## @param tls.passwordsSecret Name of the secret containing the password to access the JKS files or PEM key when they are password-protected. (`key`: `password`) + ## + passwordsSecret: "" + ## @param tls.passwordsSecretKeystoreKey The secret key from the tls.passwordsSecret containing the password for the Keystore. + ## + passwordsSecretKeystoreKey: keystore-password + ## @param tls.passwordsSecretTruststoreKey The secret key from the tls.passwordsSecret containing the password for the Truststore. + ## + passwordsSecretTruststoreKey: truststore-password + ## @param tls.passwordsSecretPemPasswordKey The secret key from the tls.passwordsSecret containing the password for the PEM key inside 'tls.passwordsSecret'. + ## + passwordsSecretPemPasswordKey: "" + ## @param tls.keystorePassword Password to access the JKS keystore when it is password-protected. Ignored when 'tls.passwordsSecret' is provided. + ## When using tls.type=PEM, the generated keystore will use this password or randomly generate one. + ## + keystorePassword: "" + ## @param tls.truststorePassword Password to access the JKS truststore when it is password-protected. Ignored when 'tls.passwordsSecret' is provided. + ## When using tls.type=PEM, the generated keystore will use this password or randomly generate one. + ## + truststorePassword: "" + ## @param tls.keyPassword Password to access the PEM key when it is password-protected. + ## Note: ignored when using 'tls.passwordsSecret' + ## + keyPassword: "" + ## @param tls.jksTruststoreSecret Name of the existing secret containing your truststore if truststore not existing or different from the one in the `tls.existingSecret` + ## Note: ignored when using 'pem' format for certificates. + ## + jksTruststoreSecret: "" + ## @param tls.jksTruststoreKey The secret key from the `tls.existingSecret` or `tls.jksTruststoreSecret` containing the truststore + ## Note: ignored when using 'pem' format for certificates. + ## + jksTruststoreKey: "" + ## @param tls.endpointIdentificationAlgorithm The endpoint identification algorithm to validate server hostname using server certificate + ## Disable server host name verification by setting it to an empty string. + ## ref: https://docs.confluent.io/current/kafka/authentication_ssl.html#optional-settings + ## + endpointIdentificationAlgorithm: https + ## @param tls.sslClientAuth Sets the default value for the ssl.client.auth Kafka setting. + ## ref: https://docs.confluent.io/current/kafka/authentication_ssl.html#optional-settings + ## + sslClientAuth: "required" + ## Zookeeper TLS connection configuration for Kafka + ## + zookeeper: + ## @param tls.zookeeper.enabled Enable TLS for Zookeeper client connections. ## - tls: - ## @param auth.zookeeper.tls.enabled Enable TLS for Zookeeper client connections. - ## - enabled: false - ## @param auth.zookeeper.tls.type Format to use for TLS certificates. Allowed types: `jks` and `pem`. - ## - type: jks - ## @param auth.zookeeper.tls.verifyHostname Hostname validation. - ## - verifyHostname: true - ## @param auth.zookeeper.tls.existingSecret Name of the existing secret containing the TLS certificates for ZooKeeper client communications. - ## - existingSecret: "" - ## @param auth.zookeeper.tls.existingSecretKeystoreKey The secret key from the auth.zookeeper.tls.existingSecret containing the Keystore. - ## - existingSecretKeystoreKey: zookeeper.keystore.jks - ## @param auth.zookeeper.tls.existingSecretTruststoreKey The secret key from the auth.zookeeper.tls.existingSecret containing the Truststore. - ## - existingSecretTruststoreKey: zookeeper.truststore.jks - ## @param auth.zookeeper.tls.passwordsSecret Existing secret containing Keystore and Truststore passwords. - ## - passwordsSecret: "" - ## @param auth.zookeeper.tls.passwordsSecretKeystoreKey The secret key from the auth.zookeeper.tls.passwordsSecret containing the password for the Keystore. - ## - passwordsSecretKeystoreKey: keystore-password - ## @param auth.zookeeper.tls.passwordsSecretTruststoreKey The secret key from the auth.zookeeper.tls.passwordsSecret containing the password for the Truststore. - ## - passwordsSecretTruststoreKey: truststore-password -## @param listeners The address(es) the socket server listens on. Auto-calculated it's set to an empty array -## When it's set to an empty array, the listeners will be configured -## based on the authentication protocols (auth.clientProtocol, auth.externalClientProtocol and auth.interBrokerProtocol parameters) -## -listeners: [] -## @param advertisedListeners The address(es) (hostname:port) the broker will advertise to producers and consumers. Auto-calculated it's set to an empty array -## When it's set to an empty array, the advertised listeners will be configured -## based on the authentication protocols (auth.clientProtocol, auth.externalClientProtocol and auth.interBrokerProtocol parameters) -## -advertisedListeners: [] -## @param listenerSecurityProtocolMap The protocol->listener mapping. Auto-calculated it's set to nil -## When it's nil, the listeners will be configured based on the authentication protocols (auth.clientProtocol, auth.externalClientProtocol and auth.interBrokerProtocol parameters) -## -listenerSecurityProtocolMap: "" -## @param allowPlaintextListener Allow to use the PLAINTEXT listener -## -allowPlaintextListener: true -## @param interBrokerListenerName The listener that the brokers should communicate on -## -interBrokerListenerName: INTERNAL -## @param command Override Kafka container command -## -command: - - /scripts/setup.sh -## @param args Override Kafka container arguments -## -args: [] + enabled: false + ## @param tls.zookeeper.verifyHostname Hostname validation. + ## + verifyHostname: true + ## @param tls.zookeeper.existingSecret Name of the existing secret containing the TLS certificates for ZooKeeper client communications. + ## + existingSecret: "" + ## @param tls.zookeeper.existingSecretKeystoreKey The secret key from the tls.zookeeper.existingSecret containing the Keystore. + ## + existingSecretKeystoreKey: zookeeper.keystore.jks + ## @param tls.zookeeper.existingSecretTruststoreKey The secret key from the tls.zookeeper.existingSecret containing the Truststore. + ## + existingSecretTruststoreKey: zookeeper.truststore.jks + ## @param tls.zookeeper.passwordsSecret Existing secret containing Keystore and Truststore passwords. + ## + passwordsSecret: "" + ## @param tls.zookeeper.passwordsSecretKeystoreKey The secret key from the tls.zookeeper.passwordsSecret containing the password for the Keystore. + ## If no keystore password is included in the passwords secret, set this value to an empty string. + ## + passwordsSecretKeystoreKey: keystore-password + ## @param tls.zookeeper.passwordsSecretTruststoreKey The secret key from the tls.zookeeper.passwordsSecret containing the password for the Truststore. + ## If no truststore password is included in the passwords secret, set this value to an empty string. + ## + passwordsSecretTruststoreKey: truststore-password + ## @param tls.zookeeper.keystorePassword Password to access the JKS keystore when it is password-protected. Ignored when 'tls.passwordsSecret' is provided. + ## When using tls.type=PEM, the generated keystore will use this password or randomly generate one. + ## + keystorePassword: "" + ## @param tls.zookeeper.truststorePassword Password to access the JKS truststore when it is password-protected. Ignored when 'tls.passwordsSecret' is provided. + ## When using tls.type=PEM, the generated keystore will use this password or randomly generate one. + ## + truststorePassword: "" + ## @param extraEnvVars Extra environment variables to add to Kafka pods ## ref: https://github.com/bitnami/containers/tree/main/bitnami/kafka#configuration ## e.g: @@ -433,207 +367,6 @@ extraEnvVarsCM: "" ## @param extraEnvVarsSecret Secret with extra environment variables ## extraEnvVarsSecret: "" - -## @section Statefulset parameters -## - -## @param replicaCount Number of Kafka nodes -## -replicaCount: 1 -## @param minId Minimal node.id or broker.id values, nodes increment their value respectively -## Nodes or Brokers idncrement their ID starting at this minimal value. -## E.g., with `minId=100` and 3 nodes, IDs will be 100, 101, 102 for brokers 0, 1, and 2, respectively. -## -minId: 0 -## @param brokerRackAssignment Set Broker Assignment for multi tenant environment Allowed values: `aws-az` -## ref: https://cwiki.apache.org/confluence/display/KAFKA/KIP-392%3A+Allow+consumers+to+fetch+from+closest+replica -## -brokerRackAssignment: "" -## @param containerPorts.client Kafka client container port -## @param containerPorts.controller Kafka Controller listener port. It is used if "kraft.enabled: true" -## @param containerPorts.internal Kafka inter-broker container port -## @param containerPorts.external Kafka external container port -## -containerPorts: - client: 9092 - controller: 9093 - internal: 9094 - external: 9095 -## Configure extra options for Kafka containers' liveness, readiness and startup probes -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes -## @param livenessProbe.enabled Enable livenessProbe on Kafka containers -## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe -## @param livenessProbe.periodSeconds Period seconds for livenessProbe -## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe -## @param livenessProbe.failureThreshold Failure threshold for livenessProbe -## @param livenessProbe.successThreshold Success threshold for livenessProbe -## -livenessProbe: - enabled: true - initialDelaySeconds: 10 - timeoutSeconds: 5 - failureThreshold: 3 - periodSeconds: 10 - successThreshold: 1 -## @param readinessProbe.enabled Enable readinessProbe on Kafka containers -## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe -## @param readinessProbe.periodSeconds Period seconds for readinessProbe -## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe -## @param readinessProbe.failureThreshold Failure threshold for readinessProbe -## @param readinessProbe.successThreshold Success threshold for readinessProbe -## -readinessProbe: - enabled: true - initialDelaySeconds: 5 - failureThreshold: 6 - timeoutSeconds: 5 - periodSeconds: 10 - successThreshold: 1 -## @param startupProbe.enabled Enable startupProbe on Kafka containers -## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe -## @param startupProbe.periodSeconds Period seconds for startupProbe -## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe -## @param startupProbe.failureThreshold Failure threshold for startupProbe -## @param startupProbe.successThreshold Success threshold for startupProbe -## -startupProbe: - enabled: false - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 15 - successThreshold: 1 -## @param customLivenessProbe Custom livenessProbe that overrides the default one -## -customLivenessProbe: {} -## @param customReadinessProbe Custom readinessProbe that overrides the default one -## -customReadinessProbe: {} -## @param customStartupProbe Custom startupProbe that overrides the default one -## -customStartupProbe: {} -## @param lifecycleHooks lifecycleHooks for the Kafka container to automate configuration before or after startup -## -lifecycleHooks: {} -## Kafka resource requests and limits -## ref: https://kubernetes.io/docs/user-guide/compute-resources/ -## @param resources.limits The resources limits for the container -## @param resources.requests The requested resources for the container -## -resources: - limits: {} - requests: {} -## Kafka pods' Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod -## @param podSecurityContext.enabled Enable security context for the pods -## @param podSecurityContext.fsGroup Set Kafka pod's Security Context fsGroup -## -podSecurityContext: - enabled: true - fsGroup: 1001 -## Kafka containers' Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -## @param containerSecurityContext.enabled Enable Kafka containers' Security Context -## @param containerSecurityContext.runAsUser Set Kafka containers' Security Context runAsUser -## @param containerSecurityContext.runAsNonRoot Set Kafka containers' Security Context runAsNonRoot -## @param containerSecurityContext.allowPrivilegeEscalation Force the child process to be run as nonprivilege -## e.g: -## containerSecurityContext: -## enabled: true -## capabilities: -## drop: ["NET_RAW"] -## readOnlyRootFilesystem: true -## -containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsNonRoot: true - allowPrivilegeEscalation: false -## @param hostAliases Kafka pods host aliases -## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ -## -hostAliases: [] -## @param hostNetwork Specify if host network should be enabled for Kafka pods -## -hostNetwork: false -## @param hostIPC Specify if host IPC should be enabled for Kafka pods -## -hostIPC: false -## @param podLabels Extra labels for Kafka pods -## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ -## -podLabels: {} -## @param podAnnotations Extra annotations for Kafka pods -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -## -podAnnotations: {} -## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## -podAffinityPreset: "" -## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## -podAntiAffinityPreset: soft -## Node affinity preset -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity -## -nodeAffinityPreset: - ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` - ## - type: "" - ## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] -## @param affinity Affinity for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set -## -affinity: {} -## @param nodeSelector Node labels for pod assignment -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ -## -nodeSelector: {} -## @param tolerations Tolerations for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -## -tolerations: [] -## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods -## -topologySpreadConstraints: [] -## @param terminationGracePeriodSeconds Seconds the pod needs to gracefully terminate -## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution -## -terminationGracePeriodSeconds: "" -## @param podManagementPolicy StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel -## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy -## -podManagementPolicy: Parallel -## @param priorityClassName Name of the existing priority class to be used by kafka pods -## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ -## -priorityClassName: "" -## @param schedulerName Name of the k8s scheduler (other than default) -## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -schedulerName: "" -## @param updateStrategy.type Kafka statefulset strategy type -## @param updateStrategy.rollingUpdate Kafka statefulset rolling update configuration parameters -## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies -## -updateStrategy: - type: RollingUpdate - rollingUpdate: {} ## @param extraVolumes Optionally specify extra list of additional volumes for the Kafka pod(s) ## e.g: ## extraVolumes: @@ -671,16 +404,739 @@ sidecars: [] ## containerPort: 1234 ## initContainers: [] -## Kafka Pod Disruption Budget -## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ -## @param pdb.create Deploy a pdb object for the Kafka pod -## @param pdb.minAvailable Maximum number/percentage of unavailable Kafka replicas -## @param pdb.maxUnavailable Maximum number/percentage of unavailable Kafka replicas + +## @section Controller-eligible statefulset parameters ## -pdb: - create: false - minAvailable: "" - maxUnavailable: 1 +controller: + ## @param controller.replicaCount Number of Kafka controller-eligible nodes + ## Ignore this section if running in Zookeeper mode. + ## + replicaCount: 3 + ## @param controller.controllerOnly If set to true, controller nodes will be deployed as dedicated controllers, instead of controller+broker processes. + ## + controllerOnly: false + ## @param controller.minId Minimal node.id values for controller-eligible nodes. Do not change after first initialization. + ## Broker-only id increment their ID starting at this minimal value. + ## We recommend setting this this value high enough, as IDs under this value will be used by controller-elegible nodes + ## + minId: 0 + ## @param controller.zookeeperMigrationMode Set to true to deploy cluster controller quorum + ## This allows configuring both kraft and zookeeper modes simultaneously in order to perform the migration of the Kafka metadata. + ## Ref. https://docs.confluent.io/platform/current/installation/migrate-zk-kraft.html + ## + zookeeperMigrationMode: false + ## @param controller.config Configuration file for Kafka controller-eligible nodes, rendered as a template. Auto-generated based on chart values when not specified. + ## @param controller.existingConfigmap ConfigMap with Kafka Configuration for controller-eligible nodes. + ## NOTE: This will override the configuration based on values, please act carefully + ## If both are set, the existingConfigMap will be used. + ## + config: "" + existingConfigmap: "" + ## @param controller.extraConfig Additional configuration to be appended at the end of the generated Kafka controller-eligible nodes configuration file. + ## + extraConfig: "" + ## @param controller.heapOpts Kafka Java Heap size for controller-eligible nodes + ## + heapOpts: -Xmx1024m -Xms1024m + ## @param controller.command Override Kafka container command + ## + command: [] + ## @param controller.args Override Kafka container arguments + ## + args: [] + ## @param controller.extraEnvVars Extra environment variables to add to Kafka pods + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/kafka#configuration + ## e.g: + ## extraEnvVars: + ## - name: KAFKA_CFG_BACKGROUND_THREADS + ## value: "10" + ## + extraEnvVars: [] + ## @param controller.extraEnvVarsCM ConfigMap with extra environment variables + ## + extraEnvVarsCM: "" + ## @param controller.extraEnvVarsSecret Secret with extra environment variables + ## + extraEnvVarsSecret: "" + ## @param controller.extraContainerPorts Kafka controller-eligible extra containerPorts. + ## + extraContainerPorts: [] + ## Configure extra options for Kafka containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param controller.livenessProbe.enabled Enable livenessProbe on Kafka containers + ## @param controller.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param controller.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param controller.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param controller.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param controller.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + periodSeconds: 10 + successThreshold: 1 + ## @param controller.readinessProbe.enabled Enable readinessProbe on Kafka containers + ## @param controller.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param controller.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param controller.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param controller.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param controller.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + failureThreshold: 6 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + ## @param controller.startupProbe.enabled Enable startupProbe on Kafka containers + ## @param controller.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param controller.startupProbe.periodSeconds Period seconds for startupProbe + ## @param controller.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param controller.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param controller.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param controller.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param controller.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param controller.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param controller.lifecycleHooks lifecycleHooks for the Kafka container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## Kafka resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param controller.resources.limits The resources limits for the container + ## @param controller.resources.requests The requested resources for the container + ## + resources: + limits: {} + requests: {} + ## Kafka pods' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param controller.podSecurityContext.enabled Enable security context for the pods + ## @param controller.podSecurityContext.fsGroup Set Kafka pod's Security Context fsGroup + ## @param controller.podSecurityContext.seccompProfile.type Set Kafka pods's Security Context seccomp profile + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + seccompProfile: + type: "RuntimeDefault" + ## Kafka containers' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param controller.containerSecurityContext.enabled Enable Kafka containers' Security Context + ## @param controller.containerSecurityContext.runAsUser Set Kafka containers' Security Context runAsUser + ## @param controller.containerSecurityContext.runAsNonRoot Set Kafka containers' Security Context runAsNonRoot + ## @param controller.containerSecurityContext.allowPrivilegeEscalation Force the child process to be run as non-privileged + ## @param controller.containerSecurityContext.readOnlyRootFilesystem Allows the pod to mount the RootFS as ReadOnly only + ## @param controller.containerSecurityContext.capabilities.drop Set Kafka containers' server Security Context capabilities to be dropped + ## e.g: + ## containerSecurityContext: + ## enabled: true + ## capabilities: + ## drop: ["NET_RAW"] + ## readOnlyRootFilesystem: true + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + ## @param controller.hostAliases Kafka pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param controller.hostNetwork Specify if host network should be enabled for Kafka pods + ## + hostNetwork: false + ## @param controller.hostIPC Specify if host IPC should be enabled for Kafka pods + ## + hostIPC: false + ## @param controller.podLabels Extra labels for Kafka pods + ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param controller.podAnnotations Extra annotations for Kafka pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param controller.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param controller.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param controller.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param controller.nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param controller.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param controller.affinity Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param controller.nodeSelector Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param controller.tolerations Tolerations for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param controller.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param controller.terminationGracePeriodSeconds Seconds the pod needs to gracefully terminate + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution + ## + terminationGracePeriodSeconds: "" + ## @param controller.podManagementPolicy StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel + ## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy + ## + podManagementPolicy: Parallel + ## @param controller.priorityClassName Name of the existing priority class to be used by kafka pods + ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + ## @param controller.runtimeClassName Name of the runtime class to be used by pod(s) + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + ## @param controller.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param controller.updateStrategy.type Kafka statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + ## @param controller.extraVolumes Optionally specify extra list of additional volumes for the Kafka pod(s) + ## e.g: + ## extraVolumes: + ## - name: kafka-jaas + ## secret: + ## secretName: kafka-jaas + ## + extraVolumes: [] + ## @param controller.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Kafka container(s) + ## extraVolumeMounts: + ## - name: kafka-jaas + ## mountPath: /bitnami/kafka/config/kafka_jaas.conf + ## subPath: kafka_jaas.conf + ## + extraVolumeMounts: [] + ## @param controller.sidecars Add additional sidecar containers to the Kafka pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param controller.initContainers Add additional Add init containers to the Kafka pod(s) + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + ## Kafka Pod Disruption Budget + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## @param controller.pdb.create Deploy a pdb object for the Kafka pod + ## @param controller.pdb.minAvailable Maximum number/percentage of unavailable Kafka replicas + ## @param controller.pdb.maxUnavailable Maximum number/percentage of unavailable Kafka replicas + ## + pdb: + create: false + minAvailable: "" + maxUnavailable: 1 + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param controller.persistence.enabled Enable Kafka data persistence using PVC, note that ZooKeeper persistence is unaffected + ## + enabled: true + ## @param controller.persistence.existingClaim A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template + ## + existingClaim: "" + ## @param controller.persistence.storageClass PVC Storage Class for Kafka data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + storageClass: "" + ## @param controller.persistence.accessModes Persistent Volume Access Modes + ## + accessModes: + - ReadWriteOnce + ## @param controller.persistence.size PVC Storage Request for Kafka data volume + ## + size: 8Gi + ## @param controller.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param controller.persistence.labels Labels for the PVC + ## + labels: {} + ## @param controller.persistence.selector Selector to match an existing Persistent Volume for Kafka data PVC. If set, the PVC can't have a PV dynamically provisioned for it + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param controller.persistence.mountPath Mount path of the Kafka data volume + ## + mountPath: /bitnami/kafka + ## Log Persistence parameters + ## + logPersistence: + ## @param controller.logPersistence.enabled Enable Kafka logs persistence using PVC, note that ZooKeeper persistence is unaffected + ## + enabled: false + ## @param controller.logPersistence.existingClaim A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template + ## + existingClaim: "" + ## @param controller.logPersistence.storageClass PVC Storage Class for Kafka logs volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + storageClass: "" + ## @param controller.logPersistence.accessModes Persistent Volume Access Modes + ## + accessModes: + - ReadWriteOnce + ## @param controller.logPersistence.size PVC Storage Request for Kafka logs volume + ## + size: 8Gi + ## @param controller.logPersistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param controller.logPersistence.selector Selector to match an existing Persistent Volume for Kafka log data PVC. If set, the PVC can't have a PV dynamically provisioned for it + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param controller.logPersistence.mountPath Mount path of the Kafka logs volume + ## + mountPath: /opt/bitnami/kafka/logs + +## @section Broker-only statefulset parameters +## +broker: + ## @param broker.replicaCount Number of Kafka broker-only nodes + ## Ignore this section if running in Zookeeper mode. + ## + replicaCount: 0 + ## @param broker.minId Minimal node.id values for broker-only nodes. Do not change after first initialization. + ## Broker-only id increment their ID starting at this minimal value. + ## We recommend setting this this value high enough, as IDs under this value will be used by controller-eligible nodes + ## + ## + minId: 100 + ## @param broker.zookeeperMigrationMode Set to true to deploy cluster controller quorum + ## This allows configuring both kraft and zookeeper modes simultaneously in order to perform the migration of the Kafka metadata. + ## Ref. https://docs.confluent.io/platform/current/installation/migrate-zk-kraft.html + ## + zookeeperMigrationMode: false + ## @param broker.config Configuration file for Kafka broker-only nodes, rendered as a template. Auto-generated based on chart values when not specified. + ## @param broker.existingConfigmap ConfigMap with Kafka Configuration for broker-only nodes. + ## NOTE: This will override the configuration based on values, please act carefully + ## If both are set, the existingConfigMap will be used. + ## + config: "" + existingConfigmap: "" + ## @param broker.extraConfig Additional configuration to be appended at the end of the generated Kafka broker-only nodes configuration file. + ## + extraConfig: "" + ## @param broker.heapOpts Kafka Java Heap size for broker-only nodes + ## + heapOpts: -Xmx1024m -Xms1024m + ## @param broker.command Override Kafka container command + ## + command: [] + ## @param broker.args Override Kafka container arguments + ## + args: [] + ## @param broker.extraEnvVars Extra environment variables to add to Kafka pods + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/kafka#configuration + ## e.g: + ## extraEnvVars: + ## - name: KAFKA_CFG_BACKGROUND_THREADS + ## value: "10" + ## + extraEnvVars: [] + ## @param broker.extraEnvVarsCM ConfigMap with extra environment variables + ## + extraEnvVarsCM: "" + ## @param broker.extraEnvVarsSecret Secret with extra environment variables + ## + extraEnvVarsSecret: "" + ## @param broker.extraContainerPorts Kafka broker-only extra containerPorts. + ## + extraContainerPorts: [] + ## Configure extra options for Kafka containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param broker.livenessProbe.enabled Enable livenessProbe on Kafka containers + ## @param broker.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param broker.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param broker.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param broker.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param broker.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + periodSeconds: 10 + successThreshold: 1 + ## @param broker.readinessProbe.enabled Enable readinessProbe on Kafka containers + ## @param broker.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param broker.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param broker.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param broker.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param broker.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + failureThreshold: 6 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + ## @param broker.startupProbe.enabled Enable startupProbe on Kafka containers + ## @param broker.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param broker.startupProbe.periodSeconds Period seconds for startupProbe + ## @param broker.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param broker.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param broker.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param broker.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param broker.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param broker.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param broker.lifecycleHooks lifecycleHooks for the Kafka container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## Kafka resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param broker.resources.limits The resources limits for the container + ## @param broker.resources.requests The requested resources for the container + ## + resources: + limits: {} + requests: {} + ## Kafka pods' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param broker.podSecurityContext.enabled Enable security context for the pods + ## @param broker.podSecurityContext.fsGroup Set Kafka pod's Security Context fsGroup + ## @param broker.podSecurityContext.seccompProfile.type Set Kafka pod's Security Context seccomp profile + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + seccompProfile: + type: "RuntimeDefault" + ## Kafka containers' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param broker.containerSecurityContext.enabled Enable Kafka containers' Security Context + ## @param broker.containerSecurityContext.runAsUser Set Kafka containers' Security Context runAsUser + ## @param broker.containerSecurityContext.runAsNonRoot Set Kafka containers' Security Context runAsNonRoot + ## @param broker.containerSecurityContext.allowPrivilegeEscalation Force the child process to be run as non-privileged + ## @param broker.containerSecurityContext.readOnlyRootFilesystem Allows the pod to mount the RootFS as ReadOnly only + ## @param broker.containerSecurityContext.capabilities.drop Set Kafka containers' server Security Context capabilities to be dropped + ## e.g: + ## containerSecurityContext: + ## enabled: true + ## capabilities: + ## drop: ["NET_RAW"] + ## readOnlyRootFilesystem: true + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + ## @param broker.hostAliases Kafka pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param broker.hostNetwork Specify if host network should be enabled for Kafka pods + ## + hostNetwork: false + ## @param broker.hostIPC Specify if host IPC should be enabled for Kafka pods + ## + hostIPC: false + ## @param broker.podLabels Extra labels for Kafka pods + ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param broker.podAnnotations Extra annotations for Kafka pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param broker.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param broker.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param broker.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param broker.nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param broker.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param broker.affinity Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param broker.nodeSelector Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param broker.tolerations Tolerations for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param broker.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param broker.terminationGracePeriodSeconds Seconds the pod needs to gracefully terminate + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution + ## + terminationGracePeriodSeconds: "" + ## @param broker.podManagementPolicy StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel + ## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy + ## + podManagementPolicy: Parallel + ## @param broker.priorityClassName Name of the existing priority class to be used by kafka pods + ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + ## @param broker.runtimeClassName Name of the runtime class to be used by pod(s) + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + ## @param broker.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param broker.updateStrategy.type Kafka statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + ## @param broker.extraVolumes Optionally specify extra list of additional volumes for the Kafka pod(s) + ## e.g: + ## extraVolumes: + ## - name: kafka-jaas + ## secret: + ## secretName: kafka-jaas + ## + extraVolumes: [] + ## @param broker.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Kafka container(s) + ## extraVolumeMounts: + ## - name: kafka-jaas + ## mountPath: /bitnami/kafka/config/kafka_jaas.conf + ## subPath: kafka_jaas.conf + ## + extraVolumeMounts: [] + ## @param broker.sidecars Add additional sidecar containers to the Kafka pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param broker.initContainers Add additional Add init containers to the Kafka pod(s) + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + ## Kafka Pod Disruption Budget + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## @param broker.pdb.create Deploy a pdb object for the Kafka pod + ## @param broker.pdb.minAvailable Maximum number/percentage of unavailable Kafka replicas + ## @param broker.pdb.maxUnavailable Maximum number/percentage of unavailable Kafka replicas + ## + pdb: + create: false + minAvailable: "" + maxUnavailable: 1 + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param broker.persistence.enabled Enable Kafka data persistence using PVC, note that ZooKeeper persistence is unaffected + ## + enabled: true + ## @param broker.persistence.existingClaim A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template + ## + existingClaim: "" + ## @param broker.persistence.storageClass PVC Storage Class for Kafka data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + storageClass: "" + ## @param broker.persistence.accessModes Persistent Volume Access Modes + ## + accessModes: + - ReadWriteOnce + ## @param broker.persistence.size PVC Storage Request for Kafka data volume + ## + size: 8Gi + ## @param broker.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param broker.persistence.labels Labels for the PVC + ## + labels: {} + ## @param broker.persistence.selector Selector to match an existing Persistent Volume for Kafka data PVC. If set, the PVC can't have a PV dynamically provisioned for it + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param broker.persistence.mountPath Mount path of the Kafka data volume + ## + mountPath: /bitnami/kafka + ## Log Persistence parameters + ## + logPersistence: + ## @param broker.logPersistence.enabled Enable Kafka logs persistence using PVC, note that ZooKeeper persistence is unaffected + ## + enabled: false + ## @param broker.logPersistence.existingClaim A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template + ## + existingClaim: "" + ## @param broker.logPersistence.storageClass PVC Storage Class for Kafka logs volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + storageClass: "" + ## @param broker.logPersistence.accessModes Persistent Volume Access Modes + ## + accessModes: + - ReadWriteOnce + ## @param broker.logPersistence.size PVC Storage Request for Kafka logs volume + ## + size: 8Gi + ## @param broker.logPersistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param broker.logPersistence.selector Selector to match an existing Persistent Volume for Kafka log data PVC. If set, the PVC can't have a PV dynamically provisioned for it + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param broker.logPersistence.mountPath Mount path of the Kafka logs volume + ## + mountPath: /opt/bitnami/kafka/logs + ## @section Traffic Exposure parameters ## @@ -693,14 +1149,17 @@ service: type: ClusterIP ## @param service.ports.client Kafka svc port for client connections ## @param service.ports.controller Kafka svc port for controller connections. It is used if "kraft.enabled: true" - ## @param service.ports.internal Kafka svc port for inter-broker connections + ## @param service.ports.interbroker Kafka svc port for inter-broker connections ## @param service.ports.external Kafka svc port for external connections ## ports: - client: 9092 - controller: 9093 - internal: 9094 - external: 9095 + client: 19092 + controller: 19093 + interbroker: 19094 + external: 19095 + ## @param service.extraPorts Extra ports to expose in the Kafka service (normally used with the `sidecar` value) + ## + extraPorts: [] ## @param service.nodePorts.client Node port for the Kafka client connections ## @param service.nodePorts.external Node port for the Kafka external connections ## NOTE: choose port between <30000-32767> @@ -745,19 +1204,20 @@ service: ## Headless service properties ## headless: - ## @param service.headless.publishNotReadyAddresses Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready - ## ref: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/ - ## - publishNotReadyAddresses: false - ## @param service.headless.annotations Annotations for the headless service. - ## - annotations: {} - ## @param service.headless.labels Labels for the headless service. - ## - labels: {} - ## @param service.extraPorts Extra ports to expose in the Kafka service (normally used with the `sidecar` value) - ## - extraPorts: [] + controller: + ## @param service.headless.controller.annotations Annotations for the controller-eligible headless service. + ## + annotations: {} + ## @param service.headless.controller.labels Labels for the controller-eligible headless service. + ## + labels: {} + broker: + ## @param service.headless.broker.annotations Annotations for the broker-only headless service. + ## + annotations: {} + ## @param service.headless.broker.labels Labels for the broker-only headless service. + ## + labels: {} ## External Access to Kafka brokers configuration ## externalAccess: @@ -784,7 +1244,7 @@ externalAccess: image: registry: docker.io repository: bitnami/kubectl - tag: 1.25.12-debian-11-r6 + tag: 1.25.12-debian-11-r14 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -806,83 +1266,166 @@ externalAccess: resources: limits: {} requests: {} - ## Parameters to configure K8s service(s) used to externally access Kafka brokers - ## Note: A new service per broker will be created - ## - service: - ## @param externalAccess.service.type Kubernetes Service type for external access. It can be NodePort, LoadBalancer or ClusterIP + ## Service settings + controller: + ## @param externalAccess.controller.forceExpose If set to true, force exposing controller-eligible nodes although they are configured as controller-only nodes ## - type: LoadBalancer - ## @param externalAccess.service.ports.external Kafka port used for external access when service type is LoadBalancer + forceExpose: false + ## Parameters to configure K8s service(s) used to externally access Kafka brokers + ## Note: A new service per broker will be created ## - ports: - external: 9094 - ## @param externalAccess.service.loadBalancerIPs Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount - ## e.g: - ## loadBalancerIPs: - ## - X.X.X.X - ## - Y.Y.Y.Y + service: + ## @param externalAccess.controller.service.type Kubernetes Service type for external access. It can be NodePort, LoadBalancer or ClusterIP + ## + type: LoadBalancer + ## @param externalAccess.controller.service.ports.external Kafka port used for external access when service type is LoadBalancer + ## + ports: + external: 9094 + ## @param externalAccess.controller.service.loadBalancerIPs Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount + ## e.g: + ## loadBalancerIPs: + ## - X.X.X.X + ## - Y.Y.Y.Y + ## + loadBalancerIPs: [] + ## @param externalAccess.controller.service.loadBalancerNames Array of load balancer Names for each Kafka broker. Length must be the same as replicaCount + ## e.g: + ## loadBalancerNames: + ## - broker1.external.example.com + ## - broker2.external.example.com + ## + loadBalancerNames: [] + ## @param externalAccess.controller.service.loadBalancerAnnotations Array of load balancer annotations for each Kafka broker. Length must be the same as replicaCount + ## e.g: + ## loadBalancerAnnotations: + ## - external-dns.alpha.kubernetes.io/hostname: broker1.external.example.com. + ## - external-dns.alpha.kubernetes.io/hostname: broker2.external.example.com. + ## + loadBalancerAnnotations: [] + ## @param externalAccess.controller.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param externalAccess.controller.service.nodePorts Array of node ports used for each Kafka broker. Length must be the same as replicaCount + ## e.g: + ## nodePorts: + ## - 30001 + ## - 30002 + ## + nodePorts: [] + ## @param externalAccess.controller.service.externalIPs Use distinct service host IPs to configure Kafka external listener when service type is NodePort. Length must be the same as replicaCount + ## e.g: + ## externalIPs: + ## - X.X.X.X + ## - Y.Y.Y.Y + ## + externalIPs: [] + ## @param externalAccess.controller.service.useHostIPs Use service host IPs to configure Kafka external listener when service type is NodePort + ## + useHostIPs: false + ## @param externalAccess.controller.service.usePodIPs using the MY_POD_IP address for external access. + ## + usePodIPs: false + ## @param externalAccess.controller.service.domain Domain or external ip used to configure Kafka external listener when service type is NodePort or ClusterIP + ## NodePort: If not specified, the container will try to get the kubernetes node external IP + ## ClusterIP: Must be specified, ingress IP or domain where tcp for external ports is configured + ## + domain: "" + ## @param externalAccess.controller.service.publishNotReadyAddresses Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready + ## ref: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/ + ## + publishNotReadyAddresses: false + ## @param externalAccess.controller.service.labels Service labels for external access + ## + labels: {} + ## @param externalAccess.controller.service.annotations Service annotations for external access + ## + annotations: {} + ## @param externalAccess.controller.service.extraPorts Extra ports to expose in the Kafka external service + ## + extraPorts: [] + broker: + ## Parameters to configure K8s service(s) used to externally access Kafka brokers + ## Note: A new service per broker will be created ## - loadBalancerIPs: [] - ## @param externalAccess.service.loadBalancerNames Array of load balancer Names for each Kafka broker. Length must be the same as replicaCount - ## e.g: - ## loadBalancerNames: - ## - broker1.external.example.com - ## - broker2.external.example.com - ## - loadBalancerNames: [] - ## @param externalAccess.service.loadBalancerAnnotations Array of load balancer annotations for each Kafka broker. Length must be the same as replicaCount - ## e.g: - ## loadBalancerAnnotations: - ## - external-dns.alpha.kubernetes.io/hostname: broker1.external.example.com. - ## - external-dns.alpha.kubernetes.io/hostname: broker2.external.example.com. - ## - loadBalancerAnnotations: [] - ## @param externalAccess.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## e.g: - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param externalAccess.service.nodePorts Array of node ports used for each Kafka broker. Length must be the same as replicaCount - ## e.g: - ## nodePorts: - ## - 30001 - ## - 30002 - ## - nodePorts: [] - ## @param externalAccess.service.externalIPs Use distinct service host IPs to configure Kafka external listener when service type is NodePort. Length must be the same as replicaCount - ## e.g: - ## externalIPs: - ## - X.X.X.X - ## - Y.Y.Y.Y - ## - externalIPs: [] - ## @param externalAccess.service.useHostIPs Use service host IPs to configure Kafka external listener when service type is NodePort - ## - useHostIPs: false - ## @param externalAccess.service.usePodIPs using the MY_POD_IP address for external access. - ## - usePodIPs: false - ## @param externalAccess.service.domain Domain or external ip used to configure Kafka external listener when service type is NodePort or ClusterIP - ## NodePort: If not specified, the container will try to get the kubernetes node external IP - ## ClusterIP: Must be specified, ingress IP or domain where tcp for external ports is configured - ## - domain: "" - ## @param externalAccess.service.publishNotReadyAddresses Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready - ## ref: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/ - ## - publishNotReadyAddresses: false - ## @param externalAccess.service.labels Service labels for external access - ## - labels: {} - ## @param externalAccess.service.annotations Service annotations for external access - ## - annotations: {} - ## @param externalAccess.service.extraPorts Extra ports to expose in the Kafka external service - ## - extraPorts: [] + service: + ## @param externalAccess.broker.service.type Kubernetes Service type for external access. It can be NodePort, LoadBalancer or ClusterIP + ## + type: LoadBalancer + ## @param externalAccess.broker.service.ports.external Kafka port used for external access when service type is LoadBalancer + ## + ports: + external: 9094 + ## @param externalAccess.broker.service.loadBalancerIPs Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount + ## e.g: + ## loadBalancerIPs: + ## - X.X.X.X + ## - Y.Y.Y.Y + ## + loadBalancerIPs: [] + ## @param externalAccess.broker.service.loadBalancerNames Array of load balancer Names for each Kafka broker. Length must be the same as replicaCount + ## e.g: + ## loadBalancerNames: + ## - broker1.external.example.com + ## - broker2.external.example.com + ## + loadBalancerNames: [] + ## @param externalAccess.broker.service.loadBalancerAnnotations Array of load balancer annotations for each Kafka broker. Length must be the same as replicaCount + ## e.g: + ## loadBalancerAnnotations: + ## - external-dns.alpha.kubernetes.io/hostname: broker1.external.example.com. + ## - external-dns.alpha.kubernetes.io/hostname: broker2.external.example.com. + ## + loadBalancerAnnotations: [] + ## @param externalAccess.broker.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param externalAccess.broker.service.nodePorts Array of node ports used for each Kafka broker. Length must be the same as replicaCount + ## e.g: + ## nodePorts: + ## - 30001 + ## - 30002 + ## + nodePorts: [] + ## @param externalAccess.broker.service.externalIPs Use distinct service host IPs to configure Kafka external listener when service type is NodePort. Length must be the same as replicaCount + ## e.g: + ## externalIPs: + ## - X.X.X.X + ## - Y.Y.Y.Y + ## + externalIPs: [] + ## @param externalAccess.broker.service.useHostIPs Use service host IPs to configure Kafka external listener when service type is NodePort + ## + useHostIPs: false + ## @param externalAccess.broker.service.usePodIPs using the MY_POD_IP address for external access. + ## + usePodIPs: false + ## @param externalAccess.broker.service.domain Domain or external ip used to configure Kafka external listener when service type is NodePort or ClusterIP + ## NodePort: If not specified, the container will try to get the kubernetes node external IP + ## ClusterIP: Must be specified, ingress IP or domain where tcp for external ports is configured + ## + domain: "" + ## @param externalAccess.broker.service.publishNotReadyAddresses Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready + ## ref: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/ + ## + publishNotReadyAddresses: false + ## @param externalAccess.broker.service.labels Service labels for external access + ## + labels: {} + ## @param externalAccess.broker.service.annotations Service annotations for external access + ## + annotations: {} + ## @param externalAccess.broker.service.extraPorts Extra ports to expose in the Kafka external service + ## + extraPorts: [] ## Network policies ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## @@ -931,88 +1474,6 @@ networkPolicy: ## customRules: [] -## @section Persistence parameters -## - -## Enable persistence using Persistent Volume Claims -## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ -## -persistence: - ## @param persistence.enabled Enable Kafka data persistence using PVC, note that ZooKeeper persistence is unaffected - ## - enabled: true - ## @param persistence.existingClaim A manually managed Persistent Volume and Claim - ## If defined, PVC must be created manually before volume will be bound - ## The value is evaluated as a template - ## - existingClaim: "" - ## @param persistence.storageClass PVC Storage Class for Kafka data volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. - ## - storageClass: "" - ## @param persistence.accessModes Persistent Volume Access Modes - ## - accessModes: - - ReadWriteOnce - ## @param persistence.size PVC Storage Request for Kafka data volume - ## - size: 8Gi - ## @param persistence.annotations Annotations for the PVC - ## - annotations: {} - ## @param persistence.labels Labels for the PVC - ## - labels: {} - ## @param persistence.selector Selector to match an existing Persistent Volume for Kafka data PVC. If set, the PVC can't have a PV dynamically provisioned for it - ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} - ## @param persistence.mountPath Mount path of the Kafka data volume - ## - mountPath: /bitnami/kafka -## Log Persistence parameters -## -logPersistence: - ## @param logPersistence.enabled Enable Kafka logs persistence using PVC, note that ZooKeeper persistence is unaffected - ## - enabled: false - ## @param logPersistence.existingClaim A manually managed Persistent Volume and Claim - ## If defined, PVC must be created manually before volume will be bound - ## The value is evaluated as a template - ## - existingClaim: "" - ## @param logPersistence.storageClass PVC Storage Class for Kafka logs volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. - ## - storageClass: "" - ## @param logPersistence.accessModes Persistent Volume Access Modes - ## - accessModes: - - ReadWriteOnce - ## @param logPersistence.size PVC Storage Request for Kafka logs volume - ## - size: 8Gi - ## @param logPersistence.annotations Annotations for the PVC - ## - annotations: {} - ## @param logPersistence.selector Selector to match an existing Persistent Volume for Kafka log data PVC. If set, the PVC can't have a PV dynamically provisioned for it - ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} - ## @param logPersistence.mountPath Mount path of the Kafka logs volume - ## - mountPath: /opt/bitnami/kafka/logs - ## @section Volume Permissions parameters ## @@ -1033,7 +1494,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r16 + tag: 11-debian-11-r25 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1115,7 +1576,7 @@ metrics: image: registry: docker.io repository: bitnami/kafka-exporter - tag: 1.7.0-debian-11-r61 + tag: 1.7.0-debian-11-r69 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1175,15 +1636,21 @@ metrics: ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param metrics.kafka.podSecurityContext.enabled Enable security context for the pods ## @param metrics.kafka.podSecurityContext.fsGroup Set Kafka exporter pod's Security Context fsGroup + ## @param metrics.kafka.podSecurityContext.seccompProfile.type Set Kafka exporter pod's Security Context seccomp profile ## podSecurityContext: enabled: true fsGroup: 1001 + seccompProfile: + type: "RuntimeDefault" ## Kafka exporter containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.kafka.containerSecurityContext.enabled Enable Kafka exporter containers' Security Context ## @param metrics.kafka.containerSecurityContext.runAsUser Set Kafka exporter containers' Security Context runAsUser ## @param metrics.kafka.containerSecurityContext.runAsNonRoot Set Kafka exporter containers' Security Context runAsNonRoot + ## @param metrics.kafka.containerSecurityContext.allowPrivilegeEscalation Set Kafka exporter containers' Security Context allowPrivilegeEscalation + ## @param metrics.kafka.containerSecurityContext.readOnlyRootFilesystem Set Kafka exporter containers' Security Context readOnlyRootFilesystem + ## @param metrics.kafka.containerSecurityContext.capabilities.drop Set Kafka exporter containers' Security Context capabilities to be dropped ## e.g: ## containerSecurityContext: ## enabled: true @@ -1195,6 +1662,10 @@ metrics: enabled: true runAsUser: 1001 runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] ## @param metrics.kafka.hostAliases Kafka exporter pods host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -1333,12 +1804,15 @@ metrics: ## Can be set to false if pods using this serviceAccount do not need to use K8s API ## automountServiceAccountToken: true - ## Prometheus JMX exporter: exposes the majority of Kafkas metrics + ## Prometheus JMX exporter: exposes the majority of Kafka metrics ## jmx: ## @param metrics.jmx.enabled Whether or not to expose JMX metrics to Prometheus ## enabled: false + ## @param metrics.jmx.kafkaJmxPort JMX port where the exporter will collect metrics, exposed in the Kafka container. + ## + kafkaJmxPort: 5555 ## Bitnami JMX exporter image ## ref: https://hub.docker.com/r/bitnami/jmx-exporter/tags/ ## @param metrics.jmx.image.registry JMX exporter image registry @@ -1351,7 +1825,7 @@ metrics: image: registry: docker.io repository: bitnami/jmx-exporter - tag: 0.19.0-debian-11-r25 + tag: 0.19.0-debian-11-r33 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1370,6 +1844,9 @@ metrics: ## @param metrics.jmx.containerSecurityContext.enabled Enable Prometheus JMX exporter containers' Security Context ## @param metrics.jmx.containerSecurityContext.runAsUser Set Prometheus JMX exporter containers' Security Context runAsUser ## @param metrics.jmx.containerSecurityContext.runAsNonRoot Set Prometheus JMX exporter containers' Security Context runAsNonRoot + ## @param metrics.jmx.containerSecurityContext.allowPrivilegeEscalation Set Prometheus JMX exporter containers' Security Context allowPrivilegeEscalation + ## @param metrics.jmx.containerSecurityContext.readOnlyRootFilesystem Set Prometheus JMX exporter containers' Security Context readOnlyRootFilesystem + ## @param metrics.jmx.containerSecurityContext.capabilities.drop Set Prometheus JMX exporter containers' Security Context capabilities to be dropped ## e.g: ## containerSecurityContext: ## enabled: true @@ -1381,6 +1858,10 @@ metrics: enabled: true runAsUser: 1001 runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] ## @param metrics.jmx.containerPorts.metrics Prometheus JMX exporter metrics container port ## containerPorts: @@ -1433,7 +1914,7 @@ metrics: ## https://github.com/helm/charts/tree/master/incubator/kafka ## config: |- - jmxUrl: service:jmx:rmi:///jndi/rmi://127.0.0.1:5555/jmxrmi + jmxUrl: service:jmx:rmi:///jndi/rmi://127.0.0.1:{{ .Values.metrics.jmx.kafkaJmxPort }}/jmxrmi lowercaseOutputName: true lowercaseOutputLabelNames: true ssl: false @@ -1567,8 +2048,8 @@ provisioning: ## TLS configuration for kafka provisioning Job ## tls: - ## @param provisioning.auth.tls.type Format to use for TLS certificates. Allowed types: `jks` and `pem`. - ## Note: ignored if auth.tls.clientProtocol different from one of these values: "tls" "mtls" "sasl_tls". + ## @param provisioning.auth.tls.type Format to use for TLS certificates. Allowed types: `JKS` and `PEM`. + ## Note: ignored if auth.tls.client.protocol different from one of these values: "SSL" "SASL_SSL" ## type: jks ## @param provisioning.auth.tls.certificatesSecret Existing secret containing the TLS certificates for the Kafka provisioning Job. @@ -1672,15 +2153,21 @@ provisioning: ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param provisioning.podSecurityContext.enabled Enable security context for the pods ## @param provisioning.podSecurityContext.fsGroup Set Kafka provisioning pod's Security Context fsGroup + ## @param provisioning.podSecurityContext.seccompProfile.type Set Kafka provisioning pod's Security Context seccomp profile ## podSecurityContext: enabled: true fsGroup: 1001 + seccompProfile: + type: "RuntimeDefault" ## Kafka provisioning containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param provisioning.containerSecurityContext.enabled Enable Kafka provisioning containers' Security Context ## @param provisioning.containerSecurityContext.runAsUser Set Kafka provisioning containers' Security Context runAsUser ## @param provisioning.containerSecurityContext.runAsNonRoot Set Kafka provisioning containers' Security Context runAsNonRoot + ## @param provisioning.containerSecurityContext.allowPrivilegeEscalation Set Kafka provisioning containers' Security Context allowPrivilegeEscalation + ## @param provisioning.containerSecurityContext.readOnlyRootFilesystem Set Kafka provisioning containers' Security Context readOnlyRootFilesystem + ## @param provisioning.containerSecurityContext.capabilities.drop Set Kafka provisioning containers' Security Context capabilities to be dropped ## e.g: ## containerSecurityContext: ## enabled: true @@ -1692,6 +2179,10 @@ provisioning: enabled: true runAsUser: 1001 runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] ## @param provisioning.schedulerName Name of the k8s scheduler (other than default) for kafka provisioning ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## @@ -1737,55 +2228,52 @@ provisioning: ## waitForKafka: true -## @section Kraft chart parameters +## @section KRaft chart parameters -## Kraft configuration +## KRaft configuration ## Kafka mode without Zookeeper. Kafka nodes can work as controllers in this mode. ## kraft: - ## @param kraft.enabled Switch to enable or disable the Kraft mode for Kafka + ## @param kraft.enabled Switch to enable or disable the KRaft mode for Kafka ## enabled: true - ## @param kraft.processRoles Roles of your Kafka nodes. Nodes can have 'broker', 'controller' roles or both of them. + ## @param kraft.clusterId Kafka Kraft cluster ID. If not set, a random cluster ID will be generated the first time Kraft is initialized. + ## NOTE: Already initialized Kafka nodes will use cluster ID stored in their persisted storage. + ## If reusing existing PVCs or migrating from Zookeeper mode, make sure the cluster ID is set matching the stored cluster ID, otherwise new nodes will fail to join the cluster. + ## In case the cluster ID stored in the secret does not match the value stored in /bitnami/kafka/data/meta.properties, remove the secret and upgrade the chart setting the correct value. ## - processRoles: broker,controller - ## @param kraft.controllerListenerNames Controller listener names - ## - controllerListenerNames: CONTROLLER - ## @param kraft.clusterId Kafka ClusterID. You must set it if your cluster contains more than one node. - ## Generate with `cat /proc/sys/kernel/random/uuid | tr -d '-' | base64 | cut -b 1-22`. Run `export LC_ALL=C` before if you generate it on MacOS. - ## Example: k2yipv1sRue7z2_Y3o976A - ## - clusterId: "kafka_cluster_id_test1" - ## @param kraft.controllerQuorumVoters Quorum voters of Kafka Kraft cluster. Use it for nodes with 'broker' role only. - ## Example: 1@controller1.example.com:9095,2@controller2.example.com:9095 + clusterId: "" + ## @param kraft.controllerQuorumVoters Override the Kafka controller quorum voters of the Kafka Kraft cluster. If not set, it will be automatically configured to use all controller-elegible nodes. ## controllerQuorumVoters: "" ## @section ZooKeeper chart parameters ## - +## @param zookeeperChrootPath Path which puts data under some path in the global ZooKeeper namespace +## ref: https://kafka.apache.org/documentation/#brokerconfigs_zookeeper.connect +## +zookeeperChrootPath: "" ## ZooKeeper chart configuration ## https://github.com/bitnami/charts/blob/main/bitnami/zookeeper/values.yaml ## zookeeper: - ## @param zookeeper.enabled Switch to enable or disable the ZooKeeper helm chart. Must be false if you use Kraft mode. + ## @param zookeeper.enabled Switch to enable or disable the ZooKeeper helm chart. Must be false if you use KRaft mode. ## enabled: false ## @param zookeeper.replicaCount Number of ZooKeeper nodes ## replicaCount: 1 - ## ZooKeeper authenticaiton + ## ZooKeeper authentication ## auth: client: ## @param zookeeper.auth.client.enabled Enable ZooKeeper auth ## enabled: false - ## @param zookeeper.auth.client.clientUser User that will use ZooKeeper clients to auth + ## @param zookeeper.auth.client.clientUser User that will use ZooKeeper client (zkCli.sh) to authenticate. Must exist in the serverUsers comma-separated list. ## clientUser: "" - ## @param zookeeper.auth.client.clientPassword Password that will use ZooKeeper clients to auth + ## @param zookeeper.auth.client.clientPassword Password that will use ZooKeeper client (zkCli.sh) to authenticate. Must exist in the serverPasswords comma-separated list. ## clientPassword: "" ## @param zookeeper.auth.client.serverUsers Comma, semicolon or whitespace separated list of user to be created. Specify them as a string, for example: "user1,user2,admin" @@ -1809,9 +2297,8 @@ zookeeper: size: 8Gi ## External Zookeeper Configuration -## All of these values are only used if `zookeeper.enabled=false` ## externalZookeeper: - ## @param externalZookeeper.servers List of external zookeeper servers to use. Typically used in combination with 'zookeeperChrootPath'. Must be empty if you use Kraft mode. + ## @param externalZookeeper.servers List of external zookeeper servers to use. Typically used in combination with 'zookeeperChrootPath'. Must be empty if you use KRaft mode. ## servers: [] diff --git a/charts/bitnami/mariadb/Chart.yaml b/charts/bitnami/mariadb/Chart.yaml index 2bf2264a0..0d77d42e5 100644 --- a/charts/bitnami/mariadb/Chart.yaml +++ b/charts/bitnami/mariadb/Chart.yaml @@ -30,4 +30,4 @@ maintainers: name: mariadb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mariadb -version: 13.0.0 +version: 13.0.1 diff --git a/charts/bitnami/mariadb/README.md b/charts/bitnami/mariadb/README.md index 30d25b37c..6e8c4c1aa 100644 --- a/charts/bitnami/mariadb/README.md +++ b/charts/bitnami/mariadb/README.md @@ -462,6 +462,10 @@ helm upgrade my-release oci://registry-1.docker.io/bitnamicharts/mariadb --set a | Note: you need to substitute the placeholder _[ROOT_PASSWORD]_ with the value obtained in the installation notes. +### To 13.0.0 + +This major release bumps the MariaDB version to 11.0. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-0/) for upgrading from MariaDB 10.11 to 11.0. No major issues are expected during the upgrade. + ### To 11.0.0 This major release bumps default MariaDB branch to 10.6. Follow the [official instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-105-to-mariadb-106/) from upgrading between 10.5 and 10.6. @@ -557,4 +561,4 @@ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and -limitations under the License. \ No newline at end of file +limitations under the License. diff --git a/charts/bitnami/mariadb/templates/primary/statefulset.yaml b/charts/bitnami/mariadb/templates/primary/statefulset.yaml index d4648c945..0adbef16e 100644 --- a/charts/bitnami/mariadb/templates/primary/statefulset.yaml +++ b/charts/bitnami/mariadb/templates/primary/statefulset.yaml @@ -306,7 +306,7 @@ spec: if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE") fi - DATA_SOURCE_NAME="root:${password_aux}@(localhost:3306)/" /bin/mysqld_exporter {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} + MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:3306 --mysqld.username=root {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} {{- end }} ports: - name: metrics diff --git a/charts/bitnami/mariadb/templates/secondary/statefulset.yaml b/charts/bitnami/mariadb/templates/secondary/statefulset.yaml index d680b97ff..3eb9f63f2 100644 --- a/charts/bitnami/mariadb/templates/secondary/statefulset.yaml +++ b/charts/bitnami/mariadb/templates/secondary/statefulset.yaml @@ -289,7 +289,7 @@ spec: if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE") fi - DATA_SOURCE_NAME="root:${password_aux}@(localhost:3306)/" /bin/mysqld_exporter {{- range .Values.metrics.extraArgs.secondary }} {{ . }} {{- end }} + MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:3306 --mysqld.username=root {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} {{- end }} ports: - name: metrics diff --git a/charts/bitnami/mysql/Chart.yaml b/charts/bitnami/mysql/Chart.yaml index b11e0020b..0d8a94c9b 100644 --- a/charts/bitnami/mysql/Chart.yaml +++ b/charts/bitnami/mysql/Chart.yaml @@ -29,4 +29,4 @@ maintainers: name: mysql sources: - https://github.com/bitnami/charts/tree/main/bitnami/mysql -version: 9.10.9 +version: 9.10.10 diff --git a/charts/bitnami/mysql/templates/primary/statefulset.yaml b/charts/bitnami/mysql/templates/primary/statefulset.yaml index 0aa7c1f11..e3c37cb7c 100644 --- a/charts/bitnami/mysql/templates/primary/statefulset.yaml +++ b/charts/bitnami/mysql/templates/primary/statefulset.yaml @@ -296,7 +296,7 @@ spec: if [[ -f "${MYSQL_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MYSQL_ROOT_PASSWORD_FILE") fi - DATA_SOURCE_NAME="root:${password_aux}@(localhost:3306)/" /bin/mysqld_exporter {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} + MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:3306 --mysqld.username=root {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} {{- end }} ports: - name: metrics diff --git a/charts/bitnami/mysql/templates/secondary/statefulset.yaml b/charts/bitnami/mysql/templates/secondary/statefulset.yaml index 56857f7fb..df7fa9b72 100644 --- a/charts/bitnami/mysql/templates/secondary/statefulset.yaml +++ b/charts/bitnami/mysql/templates/secondary/statefulset.yaml @@ -280,7 +280,7 @@ spec: if [[ -f "${MYSQL_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MYSQL_ROOT_PASSWORD_FILE") fi - DATA_SOURCE_NAME="root:${password_aux}@(localhost:3306)/" /bin/mysqld_exporter {{- range .Values.metrics.extraArgs.secondary }} {{ . }} {{- end }} + MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:3306 --mysqld.username=root {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} {{- end }} ports: - name: metrics diff --git a/charts/bitnami/wordpress/Chart.yaml b/charts/bitnami/wordpress/Chart.yaml index 624f05ef8..f68b2c723 100644 --- a/charts/bitnami/wordpress/Chart.yaml +++ b/charts/bitnami/wordpress/Chart.yaml @@ -4,6 +4,13 @@ annotations: catalog.cattle.io/kube-version: '>=1.19-0' catalog.cattle.io/release-name: wordpress category: CMS + images: | + - name: apache-exporter + image: docker.io/bitnami/apache-exporter:1.0.1-debian-11-r5 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r25 + - name: wordpress + image: docker.io/bitnami/wordpress:6.2.2-debian-11-r78 licenses: Apache-2.0 apiVersion: v2 appVersion: 6.2.2 @@ -40,4 +47,4 @@ maintainers: name: wordpress sources: - https://github.com/bitnami/charts/tree/main/bitnami/wordpress -version: 17.0.1 +version: 17.0.4 diff --git a/charts/bitnami/wordpress/README.md b/charts/bitnami/wordpress/README.md index 593d2f9d1..6b8ad8cfd 100644 --- a/charts/bitnami/wordpress/README.md +++ b/charts/bitnami/wordpress/README.md @@ -82,7 +82,7 @@ The command removes all the Kubernetes components associated with the chart and | ------------------- | --------------------------------------------------------------------------------------------------------- | --------------------- | | `image.registry` | WordPress image registry | `docker.io` | | `image.repository` | WordPress image repository | `bitnami/wordpress` | -| `image.tag` | WordPress image tag (immutable tags are recommended) | `6.2.2-debian-11-r75` | +| `image.tag` | WordPress image tag (immutable tags are recommended) | `6.2.2-debian-11-r78` | | `image.digest` | WordPress image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `image.pullPolicy` | WordPress image pull policy | `IfNotPresent` | | `image.pullSecrets` | WordPress image pull secrets | `[]` | @@ -281,7 +281,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.enabled` | Start a sidecar prometheus exporter to expose metrics | `false` | | `metrics.image.registry` | Apache exporter image registry | `docker.io` | | `metrics.image.repository` | Apache exporter image repository | `bitnami/apache-exporter` | -| `metrics.image.tag` | Apache exporter image tag (immutable tags are recommended) | `0.13.4-debian-11-r60` | +| `metrics.image.tag` | Apache exporter image tag (immutable tags are recommended) | `1.0.1-debian-11-r5` | | `metrics.image.digest` | Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `metrics.image.pullPolicy` | Apache exporter image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Apache exporter image pull secrets | `[]` | diff --git a/charts/bitnami/wordpress/values.yaml b/charts/bitnami/wordpress/values.yaml index d2e04effb..33ca1387a 100644 --- a/charts/bitnami/wordpress/values.yaml +++ b/charts/bitnami/wordpress/values.yaml @@ -76,7 +76,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/wordpress - tag: 6.2.2-debian-11-r75 + tag: 6.2.2-debian-11-r78 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -860,7 +860,7 @@ metrics: image: registry: docker.io repository: bitnami/apache-exporter - tag: 0.13.4-debian-11-r60 + tag: 1.0.1-debian-11-r5 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/external-secrets/external-secrets/Chart.yaml b/charts/external-secrets/external-secrets/Chart.yaml index 7324487ec..467636ab1 100644 --- a/charts/external-secrets/external-secrets/Chart.yaml +++ b/charts/external-secrets/external-secrets/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.19.0-0' catalog.cattle.io/release-name: external-secrets apiVersion: v2 -appVersion: v0.9.1 +appVersion: v0.9.2 description: External secret management for Kubernetes home: https://github.com/external-secrets/external-secrets icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png @@ -17,4 +17,4 @@ maintainers: name: mcavoyk name: external-secrets type: application -version: 0.9.1 +version: 0.9.2 diff --git a/charts/external-secrets/external-secrets/README.md b/charts/external-secrets/external-secrets/README.md index f7dc03de9..68c74cd66 100644 --- a/charts/external-secrets/external-secrets/README.md +++ b/charts/external-secrets/external-secrets/README.md @@ -4,7 +4,7 @@ [//]: # (README.md generated by gotmpl. DO NOT EDIT.) -![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.9.1](https://img.shields.io/badge/Version-0.9.1-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.9.2](https://img.shields.io/badge/Version-0.9.2-informational?style=flat-square) External secret management for Kubernetes @@ -61,6 +61,8 @@ The command removes all the Kubernetes components associated with the chart and | certController.prometheus.enabled | bool | `false` | deprecated. will be removed with 0.7.0, use serviceMonitor instead | | certController.prometheus.service.port | int | `8080` | deprecated. will be removed with 0.7.0, use serviceMonitor instead | | certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. | +| certController.readinessProbe.address | string | `""` | Address for readiness probe | +| certController.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet | | certController.replicaCount | int | `1` | | | certController.requeueInterval | string | `"5m"` | | | certController.resources | object | `{}` | | @@ -115,6 +117,7 @@ The command removes all the Kubernetes components associated with the chart and | priorityClassName | string | `""` | Pod priority class name. | | processClusterExternalSecret | bool | `true` | if true, the operator will process cluster external secret. Else, it will ignore them. | | processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. | +| processPushSecret | bool | `true` | if true, the operator will process push secret. Else, it will ignore them. | | prometheus.enabled | bool | `false` | deprecated. will be removed with 0.7.0, use serviceMonitor instead. | | prometheus.service.port | int | `8080` | deprecated. will be removed with 0.7.0, use serviceMonitor instead. | | rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. | diff --git a/charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml b/charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml index a9a6dee8b..1be682ca0 100644 --- a/charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml +++ b/charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml @@ -54,6 +54,8 @@ spec: - --service-namespace={{ .Release.Namespace }} - --secret-name={{ include "external-secrets.fullname" . }}-webhook - --secret-namespace={{ .Release.Namespace }} + - --metrics-addr=:{{ .Values.certController.prometheus.service.port }} + - --healthz-addr={{ .Values.certController.readinessProbe.address }}:{{ .Values.certController.readinessProbe.port }} {{ if not .Values.crds.createClusterSecretStore -}} - --crd-names=externalsecrets.external-secrets.io - --crd-names=secretstores.external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/acraccesstoken.yaml b/charts/external-secrets/external-secrets/templates/crds/acraccesstoken.yaml index 644070e6b..c1812138b 100644 --- a/charts/external-secrets/external-secrets/templates/crds/acraccesstoken.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/acraccesstoken.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.12.1 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/clusterexternalsecret.yaml b/charts/external-secrets/external-secrets/templates/crds/clusterexternalsecret.yaml index 234549820..15d9a9720 100644 --- a/charts/external-secrets/external-secrets/templates/crds/clusterexternalsecret.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/clusterexternalsecret.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.12.1 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml b/charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml index 54fa96f63..3ecb163ac 100644 --- a/charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.12.1 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -2574,6 +2574,33 @@ spec: description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. type: string type: object + userPass: + description: UserPass authenticates with Vault by passing username/password pair + properties: + path: + default: user + description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + type: string + secretRef: + description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + username: + description: Username is a user name used to authenticate using the UserPass Vault authentication method + type: string + required: + - path + - username + type: object type: object caBundle: description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. diff --git a/charts/external-secrets/external-secrets/templates/crds/ecrauthorizationtoken.yaml b/charts/external-secrets/external-secrets/templates/crds/ecrauthorizationtoken.yaml index 900f4b647..6e1e42db9 100644 --- a/charts/external-secrets/external-secrets/templates/crds/ecrauthorizationtoken.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/ecrauthorizationtoken.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.12.1 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/externalsecret.yaml b/charts/external-secrets/external-secrets/templates/crds/externalsecret.yaml index 4b29ad957..3b37870d1 100644 --- a/charts/external-secrets/external-secrets/templates/crds/externalsecret.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/externalsecret.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.12.1 name: externalsecrets.external-secrets.io spec: group: external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/fake.yaml b/charts/external-secrets/external-secrets/templates/crds/fake.yaml index 36c6aeab1..9e2a206cf 100644 --- a/charts/external-secrets/external-secrets/templates/crds/fake.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/fake.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.12.1 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/gcraccesstoken.yaml b/charts/external-secrets/external-secrets/templates/crds/gcraccesstoken.yaml index 2587be73f..1d5a9a13f 100644 --- a/charts/external-secrets/external-secrets/templates/crds/gcraccesstoken.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/gcraccesstoken.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.12.1 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/password.yaml b/charts/external-secrets/external-secrets/templates/crds/password.yaml index f6b5e8511..ccfa1f039 100644 --- a/charts/external-secrets/external-secrets/templates/crds/password.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/password.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.12.1 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml b/charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml index 6c0a603f3..1eeffe2c1 100644 --- a/charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.12.1 name: pushsecrets.external-secrets.io spec: group: external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/secretstore.yaml b/charts/external-secrets/external-secrets/templates/crds/secretstore.yaml index 6badb83ef..2b24a826b 100644 --- a/charts/external-secrets/external-secrets/templates/crds/secretstore.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/secretstore.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.12.1 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -2574,6 +2574,33 @@ spec: description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. type: string type: object + userPass: + description: UserPass authenticates with Vault by passing username/password pair + properties: + path: + default: user + description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + type: string + secretRef: + description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + username: + description: Username is a user name used to authenticate using the UserPass Vault authentication method + type: string + required: + - path + - username + type: object type: object caBundle: description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. diff --git a/charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml b/charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml index e02194c0c..7c52f0af0 100644 --- a/charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.12.1 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -356,6 +356,33 @@ spec: description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. type: string type: object + userPass: + description: UserPass authenticates with Vault by passing username/password pair + properties: + path: + default: user + description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + type: string + secretRef: + description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + username: + description: Username is a user name used to authenticate using the UserPass Vault authentication method + type: string + required: + - path + - username + type: object type: object caBundle: description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. diff --git a/charts/external-secrets/external-secrets/templates/deployment.yaml b/charts/external-secrets/external-secrets/templates/deployment.yaml index 6db2fc403..d0d6ecf70 100644 --- a/charts/external-secrets/external-secrets/templates/deployment.yaml +++ b/charts/external-secrets/external-secrets/templates/deployment.yaml @@ -65,6 +65,9 @@ spec: {{- if not .Values.processClusterExternalSecret }} - --enable-cluster-external-secret-reconciler=false {{- end }} + {{- if not .Values.processPushSecret }} + - --enable-push-secret-reconciler=false + {{- end }} {{- end }} {{- if .Values.controllerClass }} - --controller-class={{ .Values.controllerClass }} diff --git a/charts/external-secrets/external-secrets/templates/webhook-poddisruptionbudget.yaml b/charts/external-secrets/external-secrets/templates/webhook-poddisruptionbudget.yaml index 279a6c5ba..665de97a5 100644 --- a/charts/external-secrets/external-secrets/templates/webhook-poddisruptionbudget.yaml +++ b/charts/external-secrets/external-secrets/templates/webhook-poddisruptionbudget.yaml @@ -6,7 +6,7 @@ metadata: namespace: {{ .Release.Namespace | quote }} labels: {{- include "external-secrets-webhook.labels" . | nindent 4 }} - external-secrets.io/component : webhook + external-secrets.io/component: webhook spec: {{- if .Values.webhook.podDisruptionBudget.minAvailable }} minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }} diff --git a/charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap b/charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap index 9ea3eaf7a..9ea29ca68 100644 --- a/charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap +++ b/charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap @@ -7,8 +7,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/version: v0.9.1 - helm.sh/chart: external-secrets-0.9.1 + app.kubernetes.io/version: v0.9.2 + helm.sh/chart: external-secrets-0.9.2 name: RELEASE-NAME-external-secrets-cert-controller namespace: NAMESPACE spec: @@ -33,7 +33,9 @@ should match snapshot of default values: - --service-namespace=NAMESPACE - --secret-name=RELEASE-NAME-external-secrets-webhook - --secret-namespace=NAMESPACE - image: ghcr.io/external-secrets/external-secrets:v0.9.1 + - --metrics-addr=:8080 + - --healthz-addr=:8081 + image: ghcr.io/external-secrets/external-secrets:v0.9.2 imagePullPolicy: IfNotPresent name: cert-controller ports: diff --git a/charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap b/charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap index b6dceba39..0749c5250 100644 --- a/charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap +++ b/charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap @@ -7,8 +7,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets - app.kubernetes.io/version: v0.9.1 - helm.sh/chart: external-secrets-0.9.1 + app.kubernetes.io/version: v0.9.2 + helm.sh/chart: external-secrets-0.9.2 name: RELEASE-NAME-external-secrets namespace: NAMESPACE spec: @@ -28,7 +28,7 @@ should match snapshot of default values: containers: - args: - --concurrent=1 - image: ghcr.io/external-secrets/external-secrets:v0.9.1 + image: ghcr.io/external-secrets/external-secrets:v0.9.2 imagePullPolicy: IfNotPresent name: external-secrets ports: diff --git a/charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap b/charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap index 1699ced70..7cb3a5500 100644 --- a/charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap +++ b/charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap @@ -4,7 +4,7 @@ should match snapshot of default values: kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.12.1 name: secretstores.external-secrets.io spec: conversion: @@ -2579,6 +2579,33 @@ should match snapshot of default values: description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. type: string type: object + userPass: + description: UserPass authenticates with Vault by passing username/password pair + properties: + path: + default: user + description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + type: string + secretRef: + description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + username: + description: Username is a user name used to authenticate using the UserPass Vault authentication method + type: string + required: + - path + - username + type: object type: object caBundle: description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. diff --git a/charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap b/charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap index eb87e93bb..989d840fa 100644 --- a/charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap +++ b/charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap @@ -7,8 +7,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/version: v0.9.1 - helm.sh/chart: external-secrets-0.9.1 + app.kubernetes.io/version: v0.9.2 + helm.sh/chart: external-secrets-0.9.2 name: RELEASE-NAME-external-secrets-webhook namespace: NAMESPACE spec: @@ -34,7 +34,7 @@ should match snapshot of default values: - --check-interval=5m - --metrics-addr=:8080 - --healthz-addr=:8081 - image: ghcr.io/external-secrets/external-secrets:v0.9.1 + image: ghcr.io/external-secrets/external-secrets:v0.9.2 imagePullPolicy: IfNotPresent name: webhook ports: @@ -78,8 +78,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/version: v0.9.1 + app.kubernetes.io/version: v0.9.2 external-secrets.io/component: webhook - helm.sh/chart: external-secrets-0.9.1 + helm.sh/chart: external-secrets-0.9.2 name: RELEASE-NAME-external-secrets-webhook namespace: NAMESPACE diff --git a/charts/external-secrets/external-secrets/tests/cert_controller_test.yaml b/charts/external-secrets/external-secrets/tests/cert_controller_test.yaml index 5d66e32df..b2398c844 100644 --- a/charts/external-secrets/external-secrets/tests/cert_controller_test.yaml +++ b/charts/external-secrets/external-secrets/tests/cert_controller_test.yaml @@ -47,3 +47,17 @@ tests: - equal: path: spec.template.spec.hostNetwork value: true + - it: should override readinessProbe port + set: + certController.readinessProbe.port: 8082 + asserts: + - equal: + path: spec.template.spec.containers[0].args[7] + value: "--healthz-addr=:8082" + - it: should override metrics port + set: + certController.prometheus.service.port: 8888 + asserts: + - equal: + path: spec.template.spec.containers[0].args[6] + value: "--metrics-addr=:8888" diff --git a/charts/external-secrets/external-secrets/values.yaml b/charts/external-secrets/external-secrets/values.yaml index f8178c63f..66f68b25a 100644 --- a/charts/external-secrets/external-secrets/values.yaml +++ b/charts/external-secrets/external-secrets/values.yaml @@ -59,6 +59,9 @@ processClusterExternalSecret: true # -- if true, the operator will process cluster store. Else, it will ignore them. processClusterStore: true +# -- if true, the operator will process push secret. Else, it will ignore them. +processPushSecret: true + # -- Specifies whether an external secret operator deployment be created. createOperator: true @@ -433,6 +436,12 @@ certController: # -- Additional service annotations annotations: {} + readinessProbe: + # -- Address for readiness probe + address: "" + # -- ReadinessProbe port for kubelet + port: 8081 + ## -- Extra environment variables to add to container. extraEnv: [] diff --git a/charts/jfrog/artifactory-ha/CHANGELOG.md b/charts/jfrog/artifactory-ha/CHANGELOG.md index f83a0d900..1e7289e7d 100644 --- a/charts/jfrog/artifactory-ha/CHANGELOG.md +++ b/charts/jfrog/artifactory-ha/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Artifactory-ha Chart Changelog All changes to this chart will be documented in this file -## [107.63.9] - Jul 20, 2023 +## [107.63.10] - Jul 20, 2023 * Added support for Openshift by adding the securityContext in container level. * **IMPORTANT** * Nginx deployment is disabled on openshift. diff --git a/charts/jfrog/artifactory-ha/Chart.yaml b/charts/jfrog/artifactory-ha/Chart.yaml index ad8c60bd3..d39327a29 100644 --- a/charts/jfrog/artifactory-ha/Chart.yaml +++ b/charts/jfrog/artifactory-ha/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.14.0-0' catalog.cattle.io/release-name: artifactory-ha apiVersion: v2 -appVersion: 7.63.9 +appVersion: 7.63.10 dependencies: - condition: postgresql.enabled name: postgresql @@ -26,4 +26,4 @@ name: artifactory-ha sources: - https://github.com/jfrog/charts type: application -version: 107.63.9 +version: 107.63.10 diff --git a/charts/jfrog/artifactory-jcr/CHANGELOG.md b/charts/jfrog/artifactory-jcr/CHANGELOG.md index b066ce3f5..0703e6899 100644 --- a/charts/jfrog/artifactory-jcr/CHANGELOG.md +++ b/charts/jfrog/artifactory-jcr/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Container Registry Chart Changelog All changes to this chart will be documented in this file. -## [107.63.9] - Aug 25, 2022 +## [107.63.10] - Aug 25, 2022 * Included event service as mandatory and remove the flag from values.yaml ## [107.41.0] - Jul 22, 2022 diff --git a/charts/jfrog/artifactory-jcr/Chart.yaml b/charts/jfrog/artifactory-jcr/Chart.yaml index a8284cdde..5e21ecc2b 100644 --- a/charts/jfrog/artifactory-jcr/Chart.yaml +++ b/charts/jfrog/artifactory-jcr/Chart.yaml @@ -4,11 +4,11 @@ annotations: catalog.cattle.io/kube-version: '>= 1.14.0-0' catalog.cattle.io/release-name: artifactory-jcr apiVersion: v2 -appVersion: 7.63.9 +appVersion: 7.63.10 dependencies: - name: artifactory repository: file://./charts/artifactory - version: 107.63.9 + version: 107.63.10 description: JFrog Container Registry home: https://jfrog.com/container-registry/ icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png @@ -27,4 +27,4 @@ name: artifactory-jcr sources: - https://github.com/jfrog/charts type: application -version: 107.63.9 +version: 107.63.10 diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md b/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md index ae54fd384..562afed6d 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Artifactory Chart Changelog All changes to this chart will be documented in this file. -## [107.63.9] - Jul 20, 2023 +## [107.63.10] - Jul 20, 2023 * Added support for Openshift by adding the securityContext in container level. * **IMPORTANT** * Nginx deployment is disabled on openshift. diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml index e7b5b825c..0109011e3 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 7.63.9 +appVersion: 7.63.10 dependencies: - condition: postgresql.enabled name: postgresql @@ -21,4 +21,4 @@ name: artifactory sources: - https://github.com/jfrog/charts type: application -version: 107.63.9 +version: 107.63.10 diff --git a/charts/kuma/kuma/Chart.yaml b/charts/kuma/kuma/Chart.yaml index a4411597f..d5ba4ccf0 100644 --- a/charts/kuma/kuma/Chart.yaml +++ b/charts/kuma/kuma/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/namespace: kuma-system catalog.cattle.io/release-name: kuma apiVersion: v2 -appVersion: 2.3.1 +appVersion: 2.3.2 description: A Helm chart for the Kuma Control Plane home: https://github.com/kumahq/kuma icon: https://kuma.io/assets/images/brand/kuma-logo-new.svg @@ -20,4 +20,4 @@ maintainers: name: nickolaev name: kuma type: application -version: 2.3.1 +version: 2.3.2 diff --git a/charts/kuma/kuma/README.md b/charts/kuma/kuma/README.md index 2c0268940..938ded5a5 100644 --- a/charts/kuma/kuma/README.md +++ b/charts/kuma/kuma/README.md @@ -2,7 +2,7 @@ A Helm chart for the Kuma Control Plane -![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.3.1](https://img.shields.io/badge/Version-2.3.1-informational?style=flat-square) ![AppVersion: 2.3.1](https://img.shields.io/badge/AppVersion-2.3.1-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.3.2](https://img.shields.io/badge/Version-2.3.2-informational?style=flat-square) ![AppVersion: 2.3.2](https://img.shields.io/badge/AppVersion-2.3.2-informational?style=flat-square) **Homepage:** diff --git a/charts/loft/loft/Chart.yaml b/charts/loft/loft/Chart.yaml index 2acfb8841..cba5f5b98 100644 --- a/charts/loft/loft/Chart.yaml +++ b/charts/loft/loft/Chart.yaml @@ -28,4 +28,4 @@ name: loft sources: - https://github.com/loft-sh/loft type: application -version: 3.2.0 +version: 3.2.1 diff --git a/charts/percona/pxc-operator/Chart.yaml b/charts/percona/pxc-operator/Chart.yaml index ef757c0c9..bf5e18aac 100644 --- a/charts/percona/pxc-operator/Chart.yaml +++ b/charts/percona/pxc-operator/Chart.yaml @@ -18,4 +18,4 @@ maintainers: - email: sergey.pronin@percona.com name: spron-in name: pxc-operator -version: 1.13.0 +version: 1.13.1 diff --git a/charts/percona/pxc-operator/README.md b/charts/percona/pxc-operator/README.md index ac5e178f3..75b4acbe5 100644 --- a/charts/percona/pxc-operator/README.md +++ b/charts/percona/pxc-operator/README.md @@ -28,6 +28,7 @@ The chart can be customized using the following configurable parameters: | ------------------------------- | -----------------------------------------------------------------------------------------------| -------------------------------------------------| | `image` | PXC Operator Container image full path | `percona/percona-xtradb-cluster-operator:1.13.0` | | `imagePullPolicy` | PXC Operator Container pull policy | `Always` | +| `containerSecurityContext` | PXC Operator Container securityContext | `{}` | | `imagePullSecrets` | PXC Operator Pod pull secret | `[]` | | `replicaCount` | PXC Operator Pod quantity | `1` | | `tolerations` | List of node taints to tolerate | `[]` | diff --git a/charts/percona/pxc-operator/templates/deployment.yaml b/charts/percona/pxc-operator/templates/deployment.yaml index 5f70d75c1..2a2dc98d1 100644 --- a/charts/percona/pxc-operator/templates/deployment.yaml +++ b/charts/percona/pxc-operator/templates/deployment.yaml @@ -67,6 +67,10 @@ spec: scheme: HTTP resources: {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/percona/pxc-operator/values.yaml b/charts/percona/pxc-operator/values.yaml index 24c3f506b..725945f05 100644 --- a/charts/percona/pxc-operator/values.yaml +++ b/charts/percona/pxc-operator/values.yaml @@ -45,6 +45,8 @@ resources: cpu: 100m memory: 20Mi +containerSecurityContext: {} + nodeSelector: {} tolerations: [] diff --git a/charts/redpanda/redpanda/Chart.lock b/charts/redpanda/redpanda/Chart.lock index eb84ec1df..f1886e007 100644 --- a/charts/redpanda/redpanda/Chart.lock +++ b/charts/redpanda/redpanda/Chart.lock @@ -3,4 +3,4 @@ dependencies: repository: https://charts.redpanda.com version: 0.6.9 digest: sha256:fe29342975df64efd6eb1eb5697bd132f3617b694ea6f6c7998565a74934aa4f -generated: "2023-08-01T09:43:43.810836355Z" +generated: "2023-08-04T15:36:17.135151776Z" diff --git a/charts/redpanda/redpanda/Chart.yaml b/charts/redpanda/redpanda/Chart.yaml index 2bb831148..e91a36573 100644 --- a/charts/redpanda/redpanda/Chart.yaml +++ b/charts/redpanda/redpanda/Chart.yaml @@ -33,4 +33,4 @@ name: redpanda sources: - https://github.com/redpanda-data/helm-charts type: application -version: 5.0.7 +version: 5.0.8 diff --git a/charts/redpanda/redpanda/templates/console/deployment.yaml b/charts/redpanda/redpanda/templates/console/deployment.yaml index 5b418d7c8..91eb135ff 100644 --- a/charts/redpanda/redpanda/templates/console/deployment.yaml +++ b/charts/redpanda/redpanda/templates/console/deployment.yaml @@ -20,7 +20,7 @@ limitations under the License. {{ $extraVolumeMounts := list }} {{ $command := list }} {{ if (include "sasl-enabled" . | fromJson).bool }} - {{ $command = concat $command (list "sh" "-xc") }} + {{ $command = concat $command (list "sh" "-c") }} {{ $consoleSASLConfig := (printf "set -e; IFS=: read -r KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM < $(find /mnt/users/* -print); KAFKA_SASL_MECHANISM=${KAFKA_SASL_MECHANISM:-%s}; export KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM;" ( include "sasl-mechanism" . )) }} {{ $consoleSASLConfig = cat $consoleSASLConfig " export KAFKA_SCHEMAREGISTRY_USERNAME=$KAFKA_SASL_USERNAME;" }} {{ $consoleSASLConfig = cat $consoleSASLConfig " export KAFKA_SCHEMAREGISTRY_PASSWORD=$KAFKA_SASL_PASSWORD;" }} diff --git a/charts/speedscale/speedscale-operator/Chart.yaml b/charts/speedscale/speedscale-operator/Chart.yaml index 7abfd1f4c..f98fea331 100644 --- a/charts/speedscale/speedscale-operator/Chart.yaml +++ b/charts/speedscale/speedscale-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/release-name: speedscale-operator apiVersion: v1 -appVersion: 1.3.245 +appVersion: 1.3.254 description: Stress test your APIs with real world scenarios. Collect and replay traffic without scripting. home: https://speedscale.com @@ -24,4 +24,4 @@ maintainers: - email: support@speedscale.com name: Speedscale Support name: speedscale-operator -version: 1.3.24 +version: 1.3.25 diff --git a/charts/speedscale/speedscale-operator/README.md b/charts/speedscale/speedscale-operator/README.md index 4444675c4..07e787aab 100644 --- a/charts/speedscale/speedscale-operator/README.md +++ b/charts/speedscale/speedscale-operator/README.md @@ -101,10 +101,10 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. -### Upgrade to 1.3.24 +### Upgrade to 1.3.25 ```bash -kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/1.3.24/templates/crds/trafficreplays.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/1.3.25/templates/crds/trafficreplays.yaml ``` ### Upgrade to 1.1.0 diff --git a/charts/speedscale/speedscale-operator/app-readme.md b/charts/speedscale/speedscale-operator/app-readme.md index 4444675c4..07e787aab 100644 --- a/charts/speedscale/speedscale-operator/app-readme.md +++ b/charts/speedscale/speedscale-operator/app-readme.md @@ -101,10 +101,10 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. -### Upgrade to 1.3.24 +### Upgrade to 1.3.25 ```bash -kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/1.3.24/templates/crds/trafficreplays.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/1.3.25/templates/crds/trafficreplays.yaml ``` ### Upgrade to 1.1.0 diff --git a/charts/speedscale/speedscale-operator/values.yaml b/charts/speedscale/speedscale-operator/values.yaml index 04a83c0bb..f01197e2f 100644 --- a/charts/speedscale/speedscale-operator/values.yaml +++ b/charts/speedscale/speedscale-operator/values.yaml @@ -20,7 +20,7 @@ clusterName: "my-cluster" # Speedscale components image settings. image: registry: gcr.io/speedscale - tag: v1.3.245 + tag: v1.3.254 pullPolicy: Always # Log level for Speedscale components. diff --git a/charts/sysdig/sysdig/CHANGELOG.md b/charts/sysdig/sysdig/CHANGELOG.md index bc110e443..1225fb43e 100644 --- a/charts/sysdig/sysdig/CHANGELOG.md +++ b/charts/sysdig/sysdig/CHANGELOG.md @@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v1.16.6 +### New Features +* **node-analyzer** [0ad8696a](https://github.com/sysdiglabs/charts/commit/0ad8696a0b38d2564121e6e798589f568e3547a8): Release eveconnector 1.1.2 ([#1280](https://github.com/sysdiglabs/charts/issues/1280)) # v1.16.5 ### Chores * **sysdig,node-analyzer** [00316d04](https://github.com/sysdiglabs/charts/commit/00316d042378fa75ac0ed9277b547236766ce816): bumped RuntimeScanner to 1.5.2 version ([#1275](https://github.com/sysdiglabs/charts/issues/1275)) diff --git a/charts/sysdig/sysdig/Chart.yaml b/charts/sysdig/sysdig/Chart.yaml index f2bdeb666..ea2df0719 100644 --- a/charts/sysdig/sysdig/Chart.yaml +++ b/charts/sysdig/sysdig/Chart.yaml @@ -19,4 +19,4 @@ name: sysdig sources: - https://app.sysdigcloud.com/#/settings/user - https://github.com/draios/sysdig -version: 1.16.5 +version: 1.16.6 diff --git a/charts/sysdig/sysdig/RELEASE-NOTES.md b/charts/sysdig/sysdig/RELEASE-NOTES.md index 6365cf813..df29142ca 100644 --- a/charts/sysdig/sysdig/RELEASE-NOTES.md +++ b/charts/sysdig/sysdig/RELEASE-NOTES.md @@ -1,10 +1,5 @@ # What's Changed -### Chores -- **sysdig,node-analyzer** [00316d04](https://github.com/sysdiglabs/charts/commit/00316d042378fa75ac0ed9277b547236766ce816): bumped RuntimeScanner to 1.5.2 version ([#1275](https://github.com/sysdiglabs/charts/issues/1275)) - - * * Added env var flag for internal timeout on scheduled operations -* Added fallback when connection to detected container runtime fails -* Security updates (July 2023). Fixed CVE - * CVE-2023-33199 -#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.15.5...sysdig-1.16.5 +### New Features +- **node-analyzer** [0ad8696a](https://github.com/sysdiglabs/charts/commit/0ad8696a0b38d2564121e6e798589f568e3547a8): Release eveconnector 1.1.2 ([#1280](https://github.com/sysdiglabs/charts/issues/1280)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.17.2...sysdig-1.16.6 diff --git a/charts/sysdig/sysdig/values.yaml b/charts/sysdig/sysdig/values.yaml index 1780c61d3..ee822bc96 100644 --- a/charts/sysdig/sysdig/values.yaml +++ b/charts/sysdig/sysdig/values.yaml @@ -542,7 +542,7 @@ nodeAnalyzer: deploy: false image: repository: sysdig/eveclient-api - tag: 1.1.0 + tag: 1.1.2 digest: pullPolicy: IfNotPresent diff --git a/index.yaml b/index.yaml index 25dcf4887..170e1efe8 100644 --- a/index.yaml +++ b/index.yaml @@ -4027,6 +4027,39 @@ entries: - assets/argo/argo-cd-5.8.0.tgz version: 5.8.0 artifactory-ha: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Artifactory HA + catalog.cattle.io/kube-version: '>= 1.14.0-0' + catalog.cattle.io/release-name: artifactory-ha + apiVersion: v2 + appVersion: 7.63.10 + created: "2023-08-04T18:30:10.485098349Z" + dependencies: + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 10.3.18 + description: Universal Repository Manager supporting all major packaging formats, + build tools and CI servers. + digest: 1cf375b7a0f43dcb9d538b692119bcc76c0fb36dcfed52ef0a69e73914e30c31 + home: https://www.jfrog.com/artifactory/ + icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-ha/logo/artifactory-logo.png + keywords: + - artifactory + - jfrog + - devops + kubeVersion: '>= 1.14.0-0' + maintainers: + - email: installers@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-ha + sources: + - https://github.com/jfrog/charts + type: application + urls: + - assets/jfrog/artifactory-ha-107.63.10.tgz + version: 107.63.10 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Artifactory HA @@ -5077,6 +5110,40 @@ entries: - assets/jfrog/artifactory-ha-3.0.1400.tgz version: 3.0.1400 artifactory-jcr: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Container Registry + catalog.cattle.io/kube-version: '>= 1.14.0-0' + catalog.cattle.io/release-name: artifactory-jcr + apiVersion: v2 + appVersion: 7.63.10 + created: "2023-08-04T18:30:10.846154683Z" + dependencies: + - name: artifactory + repository: file://./charts/artifactory + version: 107.63.10 + description: JFrog Container Registry + digest: 61daad770879906ec6f675a01dea6509aec2e5599885466284c3b5fe71b161a3 + home: https://jfrog.com/container-registry/ + icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png + keywords: + - artifactory + - jfrog + - container + - registry + - devops + - jfrog-container-registry + kubeVersion: '>= 1.14.0-0' + maintainers: + - email: helm@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-jcr + sources: + - https://github.com/jfrog/charts + type: application + urls: + - assets/jfrog/artifactory-jcr-107.63.10.tgz + version: 107.63.10 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Container Registry @@ -16707,6 +16774,30 @@ entries: - assets/elastic/elasticsearch-7.17.3.tgz version: 7.17.3 external-secrets: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: External Secrets Operator + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: external-secrets + apiVersion: v2 + appVersion: v0.9.2 + created: "2023-08-04T18:30:09.536169975Z" + description: External secret management for Kubernetes + digest: 0113962059559f0f1ad40600101cb5b341ccc5a3a0ca4a16de74940046ea4758 + home: https://github.com/external-secrets/external-secrets + icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png + keywords: + - kubernetes-external-secrets + - secrets + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: kellinmcavoy@gmail.com + name: mcavoyk + name: external-secrets + type: application + urls: + - assets/external-secrets/external-secrets-0.9.2.tgz + version: 0.9.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: External Secrets Operator @@ -24569,6 +24660,58 @@ entries: - assets/kasten/k10-4.5.900.tgz version: 4.5.900 kafka: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Kafka + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: kafka + category: Infrastructure + images: | + - name: jmx-exporter + image: docker.io/bitnami/jmx-exporter:0.19.0-debian-11-r33 + - name: kafka-exporter + image: docker.io/bitnami/kafka-exporter:1.7.0-debian-11-r69 + - name: kafka + image: docker.io/bitnami/kafka:3.5.1-debian-11-r11 + - name: kubectl + image: docker.io/bitnami/kubectl:1.25.12-debian-11-r14 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r25 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 3.5.1 + created: "2023-08-04T18:30:06.882311548Z" + dependencies: + - condition: zookeeper.enabled + name: zookeeper + repository: file://./charts/zookeeper + version: 11.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Kafka is a distributed streaming platform designed to build + real-time pipelines and can be used as a message broker or as a replacement + for a log aggregation solution for big data applications. + digest: 11604420895976e7bba562f0a4c33bf59f0754a9776bf21c157e5daaba086c5e + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/kafka.svg + keywords: + - kafka + - zookeeper + - streaming + - producer + - consumer + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: kafka + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/kafka + urls: + - assets/bitnami/kafka-24.0.3.tgz + version: 24.0.3 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Kafka @@ -27906,6 +28049,33 @@ entries: - assets/avesha/kubeslice-worker-0.4.5.tgz version: 0.4.5 kuma: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kuma + catalog.cattle.io/namespace: kuma-system + catalog.cattle.io/release-name: kuma + apiVersion: v2 + appVersion: 2.3.2 + created: "2023-08-04T18:30:12.027723527Z" + description: A Helm chart for the Kuma Control Plane + digest: 9175a25482cc87144b544765d65e3e9010b1e11d9bb83e913153b2a5fafd9fa9 + home: https://github.com/kumahq/kuma + icon: https://kuma.io/assets/images/brand/kuma-logo-new.svg + keywords: + - service mesh + - control plane + maintainers: + - email: austin.cawley@gmail.com + name: austince + - email: jakub.dyszkiewicz@konghq.com + name: jakubdyszkiewicz + - email: nikolay.nikolaev@konghq.com + name: nickolaev + name: kuma + type: application + urls: + - assets/kuma/kuma-2.3.2.tgz + version: 2.3.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Kuma @@ -28265,6 +28435,41 @@ entries: - assets/linkerd/linkerd-control-plane-1.12.5.tgz version: 1.12.5 loft: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Loft + catalog.cattle.io/kube-version: '>=1.22-0' + catalog.cattle.io/release-name: loft + apiVersion: v2 + created: "2023-08-04T18:30:12.036813524Z" + description: Secure Cluster Sharing, Self-Service Namespace Provisioning and Virtual + Clusters + digest: 80f3c99245ec42a6b308839e412590cd50a9de6ced290b7412a214f46dd99257 + home: https://loft.sh + icon: https://static.loft.sh/loft/logo/loft-logo.svg + keywords: + - developer + - development + - sharing + - share + - multi-tenancy + - tenancy + - cluster + - space + - namespace + - vcluster + - vclusters + maintainers: + - email: info@loft.sh + name: Loft Labs, Inc. + url: https://twitter.com/loft_sh + name: loft + sources: + - https://github.com/loft-sh/loft + type: application + urls: + - assets/loft/loft-3.2.1.tgz + version: 3.2.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Loft @@ -28589,6 +28794,43 @@ entries: - assets/elastic/logstash-7.17.3.tgz version: 7.17.3 mariadb: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: MariaDB + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: mariadb + category: Database + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 11.0.2 + created: "2023-08-04T18:30:07.001815605Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: MariaDB is an open source, community-developed SQL database server + that is widely in use around the world due to its enterprise features, flexibility, + and collaboration with leading tech firms. + digest: 5dd8fa6985bdb789fe277ec932bb9802002ace516aaa1e17181043650a13f5b0 + home: https://bitnami.com + icon: https://mariadb.com/wp-content/uploads/2019/11/mariadb-logo-vert_black-transparent.png + keywords: + - mariadb + - mysql + - database + - sql + - prometheus + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: mariadb + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/mariadb + urls: + - assets/bitnami/mariadb-13.0.1.tgz + version: 13.0.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: MariaDB @@ -30055,6 +30297,43 @@ entries: - assets/minio/minio-operator-4.4.1700.tgz version: 4.4.1700 mysql: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: MySQL + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: mysql + category: Database + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 8.0.34 + created: "2023-08-04T18:30:07.010804099Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: MySQL is a fast, reliable, scalable, and easy to use open source + relational database system. Designed to handle mission-critical, heavy-load + production applications. + digest: 12a3693187e3b097ad0493634f69c54aa495acffa6e1dc5d7268698018fb2239 + home: https://bitnami.com + icon: https://www.mysql.com/common/logos/logo-mysql-170x115.png + keywords: + - mysql + - database + - sql + - cluster + - high availability + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: mysql + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/mysql + urls: + - assets/bitnami/mysql-9.10.10.tgz + version: 9.10.10 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: MySQL @@ -37705,6 +37984,31 @@ entries: - assets/percona/pxc-db-1.12.0.tgz version: 1.12.0 pxc-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Percona Operator For MySQL based on Percona + XtraDB Cluster + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: pxc-operator + apiVersion: v2 + appVersion: 1.13.0 + created: "2023-08-04T18:30:12.914561343Z" + description: A Helm chart for deploying the Percona Operator for MySQL (based + on Percona XtraDB Cluster) + digest: 976153cfc76af3f4435709073e7156e91222ecefa1843e4e8eabfa6ac33c1a41 + home: https://docs.percona.com/percona-operator-for-mysql/pxc/ + icon: https://raw.githubusercontent.com/percona/percona-xtradb-cluster-operator/main/operator.png + maintainers: + - email: tomislav.plavcic@percona.com + name: tplavcic + - email: natalia.marukovich@percona.com + name: nmarukovich + - email: sergey.pronin@percona.com + name: spron-in + name: pxc-operator + urls: + - assets/percona/pxc-operator-1.13.1.tgz + version: 1.13.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Percona Operator For MySQL based on Percona @@ -39326,6 +39630,46 @@ entries: - assets/bitnami/redis-17.3.7.tgz version: 17.3.7 redpanda: + - annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v23.2.2 + - name: busybox + image: busybox:latest + - name: mintel/docker-alpine-bash-curl-jq + image: mintel/docker-alpine-bash-curl-jq:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.6.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda + apiVersion: v2 + appVersion: v23.2.3 + created: "2023-08-04T18:30:13.234848043Z" + dependencies: + - condition: console.enabled + name: console + repository: file://./charts/console + version: '>=0.5 <1.0' + description: Redpanda is the real-time engine for modern apps. + digest: 50a4b2b6dd6565d4de212fcda12524c8e358323add4a7f76c1445ff1d571d91a + icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg + kubeVersion: '>=1.21-0' + maintainers: + - name: redpanda-data + url: https://github.com/orgs/redpanda-data/people + name: redpanda + sources: + - https://github.com/redpanda-data/helm-charts + type: application + urls: + - assets/redpanda/redpanda-5.0.8.tgz + version: 5.0.8 - annotations: artifacthub.io/images: | - name: redpanda @@ -41704,6 +42048,48 @@ entries: - assets/redpanda/redpanda-2.1.7.tgz version: 2.1.7 s3gw: + - annotations: + app.aquarist-labs.io/name: s3gw + artifacthub.io/category: storage + artifacthub.io/links: | + - name: homepage + url: https://s3gw.io/ + - name: support + url: https://github.com/aquarist-labs/s3gw/issues + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: S3 Gateway + catalog.cattle.io/experimental: "true" + catalog.cattle.io/kube-version: '>=1.14' + catalog.cattle.io/namespace: s3gw + catalog.cattle.io/release-name: s3gw + apiVersion: v2 + appVersion: latest + created: "2023-08-04T18:30:04.518668978Z" + description: 'Easy-to-use Open Source and Cloud Native S3 service for use on Rancher''s + Kubernetes. ' + digest: ae9ffedbaf1e8a6b48126a68e4a13e6389be38dae1d7a64425277dec1330121b + home: https://github.com/aquarist-labs/s3gw + icon: https://s3gw.io/img/logo-xl.png + keywords: + - storage + - s3 + kubeVersion: '>=1.14' + maintainers: + - email: s3gw@suse.com + name: s3gw maintainers + url: https://github.com/orgs/aquarist-labs/projects/5 + name: s3gw + sources: + - https://github.com/aquarist-labs/s3gw-charts + - https://github.com/aquarist-labs/s3gw + - https://github.com/aquarist-labs/ceph + - https://github.com/aquarist-labs/s3gw-ui + - https://github.com/aquarist-labs/s3gw-cosi-driver + - https://github.com/kubernetes-sigs/container-object-storage-interface-provisioner-sidecar + type: application + urls: + - assets/aquarist-labs/s3gw-0.19.0.tgz + version: 0.19.0 - annotations: app.aquarist-labs.io/name: s3gw artifacthub.io/category: storage @@ -43414,6 +43800,37 @@ entries: - assets/bitnami/spark-6.3.8.tgz version: 6.3.8 speedscale-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Speedscale Operator + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: speedscale-operator + apiVersion: v1 + appVersion: 1.3.254 + created: "2023-08-04T18:30:13.328697639Z" + description: Stress test your APIs with real world scenarios. Collect and replay + traffic without scripting. + digest: 45646143d8c850ec057c4e363446f963f46fa759f23536f5bee5a4b12abc87eb + home: https://speedscale.com + icon: https://raw.githubusercontent.com/speedscale/assets/main/logo/gold_logo_only.png + keywords: + - speedscale + - test + - testing + - regression + - reliability + - load + - replay + - network + - traffic + kubeVersion: '>= 1.17.0-0' + maintainers: + - email: support@speedscale.com + name: Speedscale Support + name: speedscale-operator + urls: + - assets/speedscale/speedscale-operator-1.3.25.tgz + version: 1.3.25 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Speedscale Operator @@ -45078,6 +45495,32 @@ entries: - assets/sumologic/sumologic-2.17.0.tgz version: 2.17.0 sysdig: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Sysdig + catalog.cattle.io/release-name: sysdig + apiVersion: v1 + appVersion: 12.15.0 + created: "2023-08-04T18:30:13.63295697Z" + deprecated: true + description: Sysdig Monitor and Secure agent + digest: 7417780b1b7f63e5c82d234c8f29b6da80d7d7ba2e61fc170921d52f5903a85e + home: https://www.sysdig.com/ + icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4 + keywords: + - monitoring + - security + - alerting + - metric + - troubleshooting + - run-time + name: sysdig + sources: + - https://app.sysdigcloud.com/#/settings/user + - https://github.com/draios/sysdig + urls: + - assets/sysdig/sysdig-1.16.6.tgz + version: 1.16.6 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Sysdig @@ -49354,6 +49797,60 @@ entries: - assets/hashicorp/vault-0.22.0.tgz version: 0.22.0 wordpress: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: WordPress + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: wordpress + category: CMS + images: | + - name: apache-exporter + image: docker.io/bitnami/apache-exporter:1.0.1-debian-11-r5 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r25 + - name: wordpress + image: docker.io/bitnami/wordpress:6.2.2-debian-11-r78 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 6.2.2 + created: "2023-08-04T18:30:08.481598678Z" + dependencies: + - condition: memcached.enabled + name: memcached + repository: file://./charts/memcached + version: 6.x.x + - condition: mariadb.enabled + name: mariadb + repository: file://./charts/mariadb + version: 13.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: WordPress is the world's most popular blogging and content management + platform. Powerful yet simple, everyone from students to global corporations + use it to build beautiful, functional websites. + digest: a2dd42bbfa8d550716a500d90c10b690f68079af2c27e857c6df229ff6688c1f + home: https://bitnami.com + icon: https://s.w.org/style/images/about/WordPress-logotype-simplified.png + keywords: + - application + - blog + - cms + - http + - php + - web + - wordpress + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: wordpress + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/wordpress + urls: + - assets/bitnami/wordpress-17.0.4.tgz + version: 17.0.4 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: WordPress