diff --git a/assets/argo/argo-cd-5.42.0.tgz b/assets/argo/argo-cd-5.42.0.tgz
index 530dc29d6..de0504454 100644
Binary files a/assets/argo/argo-cd-5.42.0.tgz and b/assets/argo/argo-cd-5.42.0.tgz differ
diff --git a/assets/argo/argo-cd-5.42.1.tgz b/assets/argo/argo-cd-5.42.1.tgz
new file mode 100644
index 000000000..59b157eaf
Binary files /dev/null and b/assets/argo/argo-cd-5.42.1.tgz differ
diff --git a/assets/bitnami/mariadb-13.0.0.tgz b/assets/bitnami/mariadb-13.0.0.tgz
new file mode 100644
index 000000000..b430cf864
Binary files /dev/null and b/assets/bitnami/mariadb-13.0.0.tgz differ
diff --git a/assets/bitnami/postgresql-12.8.0.tgz b/assets/bitnami/postgresql-12.8.0.tgz
new file mode 100644
index 000000000..07ef528e5
Binary files /dev/null and b/assets/bitnami/postgresql-12.8.0.tgz differ
diff --git a/assets/bitnami/redis-17.14.5.tgz b/assets/bitnami/redis-17.14.5.tgz
new file mode 100644
index 000000000..341b09431
Binary files /dev/null and b/assets/bitnami/redis-17.14.5.tgz differ
diff --git a/assets/bitnami/wordpress-17.0.1.tgz b/assets/bitnami/wordpress-17.0.1.tgz
new file mode 100644
index 000000000..7581243d8
Binary files /dev/null and b/assets/bitnami/wordpress-17.0.1.tgz differ
diff --git a/assets/clastix/kamaji-0.12.3.tgz b/assets/clastix/kamaji-0.12.3.tgz
new file mode 100644
index 000000000..4e270817b
Binary files /dev/null and b/assets/clastix/kamaji-0.12.3.tgz differ
diff --git a/assets/cockroach-labs/cockroachdb-11.1.4.tgz b/assets/cockroach-labs/cockroachdb-11.1.4.tgz
new file mode 100644
index 000000000..6a80745c6
Binary files /dev/null and b/assets/cockroach-labs/cockroachdb-11.1.4.tgz differ
diff --git a/assets/datadog/datadog-3.33.7.tgz b/assets/datadog/datadog-3.33.7.tgz
new file mode 100644
index 000000000..eaaf2a95d
Binary files /dev/null and b/assets/datadog/datadog-3.33.7.tgz differ
diff --git a/assets/dell/csi-vxflexos-2.7.1.tgz b/assets/dell/csi-vxflexos-2.7.1.tgz
new file mode 100644
index 000000000..4df6cd039
Binary files /dev/null and b/assets/dell/csi-vxflexos-2.7.1.tgz differ
diff --git a/assets/jfrog/artifactory-ha-107.63.9.tgz b/assets/jfrog/artifactory-ha-107.63.9.tgz
new file mode 100644
index 000000000..483e8b37e
Binary files /dev/null and b/assets/jfrog/artifactory-ha-107.63.9.tgz differ
diff --git a/assets/jfrog/artifactory-jcr-107.63.9.tgz b/assets/jfrog/artifactory-jcr-107.63.9.tgz
new file mode 100644
index 000000000..93b50f89a
Binary files /dev/null and b/assets/jfrog/artifactory-jcr-107.63.9.tgz differ
diff --git a/assets/kasten/k10-6.0.401.tgz b/assets/kasten/k10-6.0.401.tgz
new file mode 100644
index 000000000..d65a457ec
Binary files /dev/null and b/assets/kasten/k10-6.0.401.tgz differ
diff --git a/assets/mongodb/community-operator-0.8.1.tgz b/assets/mongodb/community-operator-0.8.1.tgz
new file mode 100644
index 000000000..fd8cad655
Binary files /dev/null and b/assets/mongodb/community-operator-0.8.1.tgz differ
diff --git a/assets/nats/nats-1.0.0.tgz b/assets/nats/nats-1.0.0.tgz
new file mode 100644
index 000000000..755ba82c0
Binary files /dev/null and b/assets/nats/nats-1.0.0.tgz differ
diff --git a/assets/new-relic/nri-bundle-5.0.25.tgz b/assets/new-relic/nri-bundle-5.0.25.tgz
new file mode 100644
index 000000000..eee1bdbd3
Binary files /dev/null and b/assets/new-relic/nri-bundle-5.0.25.tgz differ
diff --git a/assets/prophetstor/federatorai-5.1.3.tgz b/assets/prophetstor/federatorai-5.1.3.tgz
new file mode 100644
index 000000000..d789cca15
Binary files /dev/null and b/assets/prophetstor/federatorai-5.1.3.tgz differ
diff --git a/assets/redpanda/redpanda-5.0.7.tgz b/assets/redpanda/redpanda-5.0.7.tgz
new file mode 100644
index 000000000..f66c9bfa5
Binary files /dev/null and b/assets/redpanda/redpanda-5.0.7.tgz differ
diff --git a/assets/speedscale/speedscale-operator-1.3.24.tgz b/assets/speedscale/speedscale-operator-1.3.24.tgz
new file mode 100644
index 000000000..fcd74ed51
Binary files /dev/null and b/assets/speedscale/speedscale-operator-1.3.24.tgz differ
diff --git a/assets/sysdig/sysdig-1.16.5.tgz b/assets/sysdig/sysdig-1.16.5.tgz
new file mode 100644
index 000000000..59adf8ba3
Binary files /dev/null and b/assets/sysdig/sysdig-1.16.5.tgz differ
diff --git a/charts/argo/argo-cd/Chart.yaml b/charts/argo/argo-cd/Chart.yaml
index 8dccdc72f..eb64a142f 100644
--- a/charts/argo/argo-cd/Chart.yaml
+++ b/charts/argo/argo-cd/Chart.yaml
@@ -1,7 +1,7 @@
 annotations:
 artifacthub.io/changes: |
- - kind: added
- description: Extra secret labels with .Values.notifications.secret.labels
+ - kind: changed
+ description: Upgrade Argo CD to v2.7.10
 artifacthub.io/signKey: |
 fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
 url: https://argoproj.github.io/argo-helm/pgp_keys.asc
@@ -11,7 +11,7 @@ annotations:
 catalog.cattle.io/kube-version: '>=1.23.0-0'
 catalog.cattle.io/release-name: argo-cd
 apiVersion: v2
-appVersion: v2.7.9
+appVersion: v2.7.10
 dependencies:
 - condition: redis-ha.enabled
 name: redis-ha
@@ -33,4 +33,4 @@ name: argo-cd
 sources:
 - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
 - https://github.com/argoproj/argo-cd
-version: 5.42.0
+version: 5.42.1
diff --git a/charts/bitnami/mariadb/Chart.yaml b/charts/bitnami/mariadb/Chart.yaml
index ef541191d..2bf2264a0 100644
--- a/charts/bitnami/mariadb/Chart.yaml
+++ b/charts/bitnami/mariadb/Chart.yaml
@@ -6,7 +6,7 @@ annotations:
 category: Database
 licenses: Apache-2.0
 apiVersion: v2
-appVersion: 10.11.4
+appVersion: 11.0.2
 dependencies:
 - name: common
 repository: file://./charts/common
@@ -30,4 +30,4 @@ maintainers:
 name: mariadb
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/mariadb
-version: 12.2.9
+version: 13.0.0
diff --git a/charts/bitnami/mariadb/README.md b/charts/bitnami/mariadb/README.md
index 9bbd74f29..30d25b37c 100644
--- a/charts/bitnami/mariadb/README.md
+++ b/charts/bitnami/mariadb/README.md
@@ -82,28 +82,28 @@ The command removes all the Kubernetes components associated with the chart and ### MariaDB common parameters -| Name | Description | Value | -| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | -| `image.registry` | MariaDB image registry | `docker.io` | -| `image.repository` | MariaDB image repository | `bitnami/mariadb` | -| `image.tag` | MariaDB image tag (immutable tags are recommended) | `10.11.4-debian-11-r46` | -| `image.digest` | MariaDB image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | MariaDB image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `image.debug` | Specify if debug logs should be enabled | `false` | -| `architecture` | MariaDB architecture (`standalone` or `replication`) | `standalone` | -| `auth.rootPassword` | Password for the `root` user. Ignored if existing secret is provided. | `""` | -| `auth.database` | Name for a custom database to create | `my_database` | -| `auth.username` | Name for a custom user to create | `""` | -| `auth.password` | Password for the new user. Ignored if existing secret is provided | `""` | -| `auth.replicationUser` | MariaDB replication user | `replicator` | -| `auth.replicationPassword` | MariaDB replication user password. Ignored if existing secret is provided | `""` | -| `auth.existingSecret` | Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). 
The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` | `""` | -| `auth.forcePassword` | Force users to specify required passwords | `false` | -| `auth.usePasswordFiles` | Mount credentials as files instead of using environment variables | `false` | -| `auth.customPasswordFiles` | Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` | `{}` | -| `initdbScripts` | Dictionary of initdb scripts | `{}` | -| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) | `""` | +| Name | Description | Value | +| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | +| `image.registry` | MariaDB image registry | `docker.io` | +| `image.repository` | MariaDB image repository | `bitnami/mariadb` | +| `image.tag` | MariaDB image tag (immutable tags are recommended) | `11.0.2-debian-11-r2` | +| `image.digest` | MariaDB image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | MariaDB image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Specify if debug logs should be enabled | `false` | +| `architecture` | MariaDB architecture (`standalone` or `replication`) | `standalone` | +| `auth.rootPassword` | Password for the `root` user. Ignored if existing secret is provided. 
| `""` | +| `auth.database` | Name for a custom database to create | `my_database` | +| `auth.username` | Name for a custom user to create | `""` | +| `auth.password` | Password for the new user. Ignored if existing secret is provided | `""` | +| `auth.replicationUser` | MariaDB replication user | `replicator` | +| `auth.replicationPassword` | MariaDB replication user password. Ignored if existing secret is provided | `""` | +| `auth.existingSecret` | Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` | `""` | +| `auth.forcePassword` | Force users to specify required passwords | `false` | +| `auth.usePasswordFiles` | Mount credentials as files instead of using environment variables | `false` | +| `auth.customPasswordFiles` | Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` | `{}` | +| `initdbScripts` | Dictionary of initdb scripts | `{}` | +| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) | `""` | ### MariaDB Primary parameters 
@@ -308,7 +308,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | | `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | | `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/os-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r16` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r22` | | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | @@ -322,7 +322,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.enabled` | Start a side-car prometheus exporter | `false` | | `metrics.image.registry` | Exporter image registry | `docker.io` | | `metrics.image.repository` | Exporter image repository | `bitnami/mysqld-exporter` | -| `metrics.image.tag` | Exporter image tag (immutable tags are recommended) | `0.15.0-debian-11-r0` | +| `metrics.image.tag` | Exporter image tag (immutable tags are recommended) | `0.15.0-debian-11-r5` | | `metrics.image.digest` | Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | 
diff --git a/charts/bitnami/mariadb/values.yaml b/charts/bitnami/mariadb/values.yaml
index 815dfae2b..398f67280 100644
--- a/charts/bitnami/mariadb/values.yaml
+++ b/charts/bitnami/mariadb/values.yaml
@@ -90,7 +90,7 @@ serviceBindings:
 image:
 registry: docker.io
 repository: bitnami/mariadb
- tag: 10.11.4-debian-11-r46
+ tag: 11.0.2-debian-11-r2
 digest: ""
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
@@ -1004,7 +1004,7 @@ volumePermissions:
 image:
 registry: docker.io
 repository: bitnami/os-shell
- tag: 11-debian-11-r16
+ tag: 11-debian-11-r22
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
@@ -1040,7 +1040,7 @@ metrics:
 image:
 registry: docker.io
 repository: bitnami/mysqld-exporter
- tag: 0.15.0-debian-11-r0
+ tag: 0.15.0-debian-11-r5
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
diff --git a/charts/bitnami/postgresql/Chart.yaml b/charts/bitnami/postgresql/Chart.yaml
index fd99a7503..638ebfaca 100644
--- a/charts/bitnami/postgresql/Chart.yaml
+++ b/charts/bitnami/postgresql/Chart.yaml
@@ -31,4 +31,4 @@ maintainers:
 name: postgresql
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/postgresql
-version: 12.7.1
+version: 12.8.0
diff --git a/charts/bitnami/postgresql/README.md b/charts/bitnami/postgresql/README.md
index 9a45833d7..c6b400eb3 100644
--- a/charts/bitnami/postgresql/README.md
+++ b/charts/bitnami/postgresql/README.md
@@ -100,7 +100,7 @@ kubectl delete pvc -l release=my-release | ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | | `image.registry` | PostgreSQL image registry | `docker.io` | | `image.repository` | PostgreSQL image repository | `bitnami/postgresql` | -| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `15.3.0-debian-11-r75` | +| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `15.3.0-debian-11-r77` | | `image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` | | `image.pullSecrets` | Specify image pull secrets | `[]` | 
@@ -361,6 +361,38 @@ kubectl delete pvc -l release=my-release | `readReplicas.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | | `readReplicas.persistence.dataSource` | Custom PVC data source | `{}` | +### Backup parameters + +| Name | Description | Value | +| ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` | +| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` | +| `backup.cronjob.concurrencyPolicy` | Set the cronjob parameter concurrencyPolicy | `Allow` | +| `backup.cronjob.failedJobsHistoryLimit` | Set the cronjob parameter failedJobsHistoryLimit | `1` | +| `backup.cronjob.successfulJobsHistoryLimit` | Set the cronjob parameter successfulJobsHistoryLimit | `3` | +| `backup.cronjob.startingDeadlineSeconds` | Set the cronjob parameter startingDeadlineSeconds | `""` | +| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` | +| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` | +| `backup.cronjob.containerSecurityContext.runAsUser` | User ID for the backup container | `1001` | +| `backup.cronjob.containerSecurityContext.runAsGroup` | Group ID for the backup container | `0` | +| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set backup container's Security Context runAsNonRoot | `true` | +| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Is the container itself readonly | `true` | +| 
`backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate backup pod(s) privileges | `false` | +| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set backup container's Security Context seccompProfile type | `RuntimeDefault` | +| `backup.cronjob.containerSecurityContext.capabilities.drop` | Set backup container's Security Context capabilities to drop | `["ALL"]` | +| `backup.cronjob.command` | Set backup container's command to run | `["/bin/sh","-c","pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"]` | +| `backup.cronjob.labels` | Set the cronjob labels | `{}` | +| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` | +| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | +| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` | +| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` | +| `backup.cronjob.storage.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `backup.cronjob.storage.size` | PVC Storage Request for the backup data volume | `8Gi` | +| `backup.cronjob.storage.annotations` | PVC annotations | `{}` | +| `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/pgdump` | +| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` | +| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` | + ### NetworkPolicy parameters | Name | Description | Value | 
@@ -387,7 +419,7 @@ kubectl delete pvc -l release=my-release | `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | | `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | | `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/os-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r19` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r22` | | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | @@ -418,7 +450,7 @@ kubectl delete pvc -l release=my-release | `metrics.enabled` | Start a prometheus exporter | `false` | | `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `docker.io` | | `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `bitnami/postgres-exporter` | -| `metrics.image.tag` | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) | `0.13.2-debian-11-r1` | +| `metrics.image.tag` | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) | `0.13.2-debian-11-r4` | | `metrics.image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `metrics.image.pullPolicy` | PostgreSQL Prometheus Exporter image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Specify image pull secrets | `[]` | 
diff --git a/charts/bitnami/postgresql/templates/_helpers.tpl b/charts/bitnami/postgresql/templates/_helpers.tpl
index 1f0695f18..368a0c67d 100644
--- a/charts/bitnami/postgresql/templates/_helpers.tpl
+++ b/charts/bitnami/postgresql/templates/_helpers.tpl
@@ -161,8 +161,7 @@ Return true if a secret object should be created
 {{- define "postgresql.createSecret" -}}
 {{- $customUser := include "postgresql.username" . -}}
 {{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword .Values.global.postgresql.auth.password .Values.auth.password) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) -}}
-{{- if and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret))
- (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres")) (eq .Values.architecture "replication") (and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw))) -}}
+{{- if and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres")) (eq .Values.architecture "replication") (and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw))) -}}
 {{- true -}}
 {{- end -}}
 {{- end -}}
diff --git a/charts/bitnami/postgresql/templates/backup/cronjob.yaml b/charts/bitnami/postgresql/templates/backup/cronjob.yaml
new file mode 100644
index 000000000..2f43584f4
--- /dev/null
+++ b/charts/bitnami/postgresql/templates/backup/cronjob.yaml
@@ -0,0 +1,126 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.backup.enabled }}
+{{- $customUser := include "postgresql.username" . }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: {{ include "postgresql.primary.fullname" . }}-pgdumpall
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: pg_dumpall
+ {{- if .Values.backup.cronjob.labels }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.backup.cronjob.annotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ schedule: {{ quote .Values.backup.cronjob.schedule }}
+ concurrencyPolicy: {{ .Values.backup.cronjob.concurrencyPolicy }}
+ failedJobsHistoryLimit: {{ .Values.backup.cronjob.failedJobsHistoryLimit }}
+ successfulJobsHistoryLimit: {{ .Values.backup.cronjob.successfulJobsHistoryLimit }}
+ {{- if .Values.backup.cronjob.startingDeadlineSeconds }}
+ startingDeadlineSeconds: {{ .Values.backup.cronjob.startingDeadlineSeconds }}
+ {{- end }}
+ jobTemplate:
+ spec:
+ {{- if .Values.backup.cronjob.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.backup.cronjob.ttlSecondsAfterFinished }}
+ {{- end }}
+ template:
+ metadata:
+ labels: {{- include "common.labels.standard" .
| nindent 12 }}
+ app.kubernetes.io/component: pg_dumpall
+ {{- if .Values.backup.cronjob.labels }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 12 }}
+ {{- end }}
+ {{- if or .Values.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.backup.cronjob.annotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ spec:
+ containers:
+ - name: {{ include "postgresql.primary.fullname" . }}-pgdumpall
+ image: {{ include "postgresql.image" . }}
+ env:
+ - name: PGUSER
+ {{- if .Values.auth.enablePostgresUser }}
+ value: postgres
+ {{- else }}
+ value: {{ $customUser | quote }}
+ {{- end }}
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: PGPASSFILE
+ value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.adminPasswordKey" .) }}
+ {{- else }}
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "postgresql.secretName" . }}
+ key: {{ include "postgresql.adminPasswordKey" . }}
+ {{- end }}
+ - name: PGHOST
+ value: {{ include "postgresql.primary.fullname" . }}
+ - name: PGPORT
+ value: {{ .Values.containerPorts.postgresql | quote }}
+ - name: PGDUMP_DIR
+ value: {{ .Values.backup.cronjob.storage.mountPath }}
+ {{- if .Values.tls.enabled }}
+ - name: PGSSLROOTCERT
+ {{- if .Values.tls.autoGenerated -}}
+ value: /tmp/certs/ca.crt
+ {{- else }}
+ value: {{- printf "/tmp/certs/%s" .Values.tls.certCAFilename -}}
+ {{- end }}
+ {{- end }}
+ command:
+ {{- range .Values.backup.cronjob.command }}
+ - {{ .
}}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.tls.enabled }}
+ - name: certs
+ mountPath: /certs
+ {{- end }}
+ - name: datadir
+ mountPath: {{ .Values.backup.cronjob.storage.mountPath }}
+ subPath: {{ .Values.backup.cronjob.storage.subPath }}
+ securityContext:
+ {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.containerSecurityContext "context" $) | nindent 14 }}
+ restartPolicy: {{ .Values.backup.cronjob.restartPolicy }}
+ volumes:
+ {{- if .Values.tls.enabled }}
+ - name: raw-certificates
+ emptyDir: /tmp/certs
+ {{- end }}
+ {{- if .Values.backup.cronjob.storage.existingClaim }}
+ - name: datadir
+ persistentVolumeClaim:
+ claimName: {{ printf "%s" (tpl .Values.backup.cronjob.storage.existingClaim .) }}
+ {{- else }}
+ - name: datadir
+ persistentVolumeClaim:
+ claimName: {{ include "postgresql.primary.fullname" . }}-pgdumpall
+ {{- end }}
+{{- end }}
diff --git a/charts/bitnami/postgresql/templates/backup/pvc.yaml b/charts/bitnami/postgresql/templates/backup/pvc.yaml
new file mode 100644
index 000000000..6cd6d64d3
--- /dev/null
+++ b/charts/bitnami/postgresql/templates/backup/pvc.yaml
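Review bot: The TLS branch of the new CronJob cannot deliver a CA certificate to pg_dumpall: the volumeMount references a volume named `certs` while the only TLS volume declared is `raw-certificates`, that volume is written as `emptyDir: /tmp/certs` (emptyDir takes a mapping, so the API server rejects the manifest) and would be empty anyway, the mount path `/certs` does not match the `/tmp/certs/...` value given to PGSSLROOTCERT, and the `{{- if .Values.tls.autoGenerated -}}` / `value: {{- printf ... -}}` trims glue `value:` onto the `- name: PGSSLROOTCERT` line or strip the space after `value:`. No PGSSLMODE is set either, so even with a reachable root cert libpq's default `prefer` would connect without verifying the server; with `tls.enabled` the dump therefore either fails to deploy or runs over unverified TLS. The `auth.usePasswordFiles` branch looks equally unreachable: PGPASSFILE points under `/opt/bitnami/postgresql/secrets/`, which this pod never mounts, and libpq reads PGPASSFILE in `.pgpass` format rather than as a bare password, so that combination should be documented as unsupported or the secret mounted and formatted accordingly. Separately, the pod-template annotations gate `{{- if or .Values.annotations .Values.commonAnnotations }}` tests `.Values.annotations` while its body renders `.Values.backup.cronjob.annotations`; it should read `{{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }}`. A rewrite of the TLS plumbing follows; the secret that carries the CA is not visible in this hunk, so its name is a placeholder to fill in from the primary's own TLS volume.
```yaml
            {{- if .Values.tls.enabled }}
            - name: PGSSLMODE
              # verify-ca at minimum; verify-full once the server cert's SAN is known to cover the primary service name
              value: "verify-ca"
            - name: PGSSLROOTCERT
              {{- if .Values.tls.autoGenerated }}
              value: /tmp/certs/ca.crt
              {{- else }}
              value: {{ printf "/tmp/certs/%s" .Values.tls.certCAFilename }}
              {{- end }}
            {{- end }}
          # … unchanged: command …
          volumeMounts:
            {{- if .Values.tls.enabled }}
            - name: certs
              mountPath: /tmp/certs
              readOnly: true
            {{- end }}
          # … unchanged: datadir mount, securityContext, restartPolicy …
      volumes:
        {{- if .Values.tls.enabled }}
        - name: certs
          secret:
            secretName: TLS_CERTIFICATES_SECRET_PLACEHOLDER  # placeholder: same secret the primary mounts its TLS CA from
        {{- end }}
        # … unchanged: datadir volume …
```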
@@ -0,0 +1,41 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.backup.enabled (not .Values.backup.cronjob.storage.existingClaim) -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ include "postgresql.primary.fullname" . }}-pgdumpall
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: pg_dumpall
+ {{- if .Values.backup.cronjob.labels }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations .Values.backup.cronjob.storage.resourcePolicy}}
+ annotations:
+ {{- if .Values.backup.cronjob.annotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.backup.cronjob.storage.resourcePolicy }}
+ helm.sh/resource-policy: {{ .Values.backup.cronjob.storage.resourcePolicy | quote }}
+ {{- end }}
+spec:
+ accessModes:
+ {{- range .Values.backup.cronjob.storage.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.backup.cronjob.storage.size | quote }}
+ {{ include "common.storage.class" (dict "persistence" .Values.backup.cronjob.storage "global" .Values.global) }}
+{{- end }}
diff --git a/charts/bitnami/postgresql/values.yaml b/charts/bitnami/postgresql/values.yaml
index d16d9d517..93cc8637e 100644
--- a/charts/bitnami/postgresql/values.yaml
+++ b/charts/bitnami/postgresql/values.yaml
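Review bot: The `helm.sh/resource-policy` annotation is emitted by a separate `{{- if .Values.backup.cronjob.storage.resourcePolicy }}` block that sits after the `{{- end }}` closing the `annotations:` block, so whether it lands under `annotations:` rests solely on its indentation, which this collapsed diff does not preserve; moving the three lines inside the outer `if or ...` next to the two `common.tplvalues.render` includes, before that closing `{{- end }}`, would make the structure explicit and match how the other annotations are added. The missing space in `.Values.backup.cronjob.storage.resourcePolicy}}` is harmless to Go templates but inconsistent with the rest of the file. Because this claim receives the full pg_dumpall output, it would also help to state in the chart documentation that leaving `resourcePolicy` empty removes the dump volume together with the release, which the README row only implies.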
@@ -98,7 +98,7 @@ diagnosticMode:
 image:
 registry: docker.io
 repository: bitnami/postgresql
- tag: 15.3.0-debian-11-r75
+ tag: 15.3.0-debian-11-r77
 digest: ""
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
@@ -1049,6 +1049,101 @@ readReplicas: ## dataSource: {} + +## @section Backup parameters +## This section implements a trivial logical dump cronjob of the database. +## This only comes with the consistency guarantees of the dump program. +## This is not a snapshot based roll forward/backward recovery backup. +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ +backup: + ## @param backup.enabled Enable the logical dump of the database "regularly" + enabled: false + cronjob: + ## @param backup.cronjob.schedule Set the cronjob parameter schedule + schedule: "@daily" + ## @param backup.cronjob.concurrencyPolicy Set the cronjob parameter concurrencyPolicy + concurrencyPolicy: Allow + ## @param backup.cronjob.failedJobsHistoryLimit Set the cronjob parameter failedJobsHistoryLimit + failedJobsHistoryLimit: 1 + ## @param backup.cronjob.successfulJobsHistoryLimit Set the cronjob parameter successfulJobsHistoryLimit + successfulJobsHistoryLimit: 3 + ## @param backup.cronjob.startingDeadlineSeconds Set the cronjob parameter startingDeadlineSeconds + startingDeadlineSeconds: "" + ## @param backup.cronjob.ttlSecondsAfterFinished Set the cronjob parameter ttlSecondsAfterFinished + ttlSecondsAfterFinished: "" + ## @param backup.cronjob.restartPolicy Set the cronjob parameter restartPolicy + restartPolicy: OnFailure + ## backup container's Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param backup.cronjob.containerSecurityContext.runAsUser User ID for the backup container + ## @param backup.cronjob.containerSecurityContext.runAsGroup Group ID for the backup container + ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set backup container's Security Context runAsNonRoot + ## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Is the container itself readonly + ## @param 
backup.cronjob.containerSecurityContext.allowPrivilegeEscalation Is it possible to escalate backup pod(s) privileges + ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set backup container's Security Context seccompProfile type + ## @param backup.cronjob.containerSecurityContext.capabilities.drop Set backup container's Security Context capabilities to drop + containerSecurityContext: + runAsUser: 1001 + runAsGroup: 0 + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + ## @param backup.cronjob.command Set backup container's command to run + command: + - /bin/sh + - -c + - "pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump" + + ## @param backup.cronjob.labels Set the cronjob labels + labels: {} + ## @param backup.cronjob.annotations Set the cronjob annotations + annotations: {} + storage: + ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) + ## If defined, PVC must be created manually before volume will be bound + ## + existingClaim: "" + ## @param backup.cronjob.storage.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted + ## + resourcePolicy: "" + ## @param backup.cronjob.storage.storageClass PVC Storage Class for the backup data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
+ ## + storageClass: "" + ## @param backup.cronjob.storage.accessModes PV Access Mode + ## + accessModes: + - ReadWriteOnce + ## @param backup.cronjob.storage.size PVC Storage Request for the backup data volume + ## + size: 8Gi + ## @param backup.cronjob.storage.annotations PVC annotations + ## + annotations: {} + ## @param backup.cronjob.storage.mountPath Path to mount the volume at + ## + mountPath: /backup/pgdump + ## @param backup.cronjob.storage.subPath Subdirectory of the volume to mount at + ## and one PV for multiple services. + ## + subPath: "" + ## Fine tuning for volumeClaimTemplates + ## + volumeClaimTemplates: + ## @param backup.cronjob.storage.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes) + ## A label query over volumes to consider for binding (e.g. when using local volumes) + ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details + ## + selector: {} + ## @section NetworkPolicy parameters ## @@ -1165,7 +1260,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r19 + tag: 11-debian-11-r22 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1266,7 +1361,7 @@ metrics: image: registry: docker.io repository: bitnami/postgres-exporter - tag: 0.13.2-debian-11-r1 + tag: 0.13.2-debian-11-r4 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/redis/Chart.yaml b/charts/bitnami/redis/Chart.yaml index cf8cf358c..61eaae283 100644 --- a/charts/bitnami/redis/Chart.yaml +++ b/charts/bitnami/redis/Chart.yaml @@ -28,4 +28,4 @@ maintainers: name: redis sources: - https://github.com/bitnami/charts/tree/main/bitnami/redis -version: 17.14.3 +version: 17.14.5 diff --git a/charts/bitnami/redis/README.md b/charts/bitnami/redis/README.md index ed10a7964..0e43d41fb 100644 
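Review bot: The default `backup.cronjob.command` runs `pg_dumpall`, whose output includes the global objects — every role together with its password hash — so the backup PVC created here holds the same secrets as the database credentials, and nothing in this section warns operators of that or points at encryption-at-rest / access control for the volume. I would add above `command:` a comment such as `## NOTE: pg_dumpall also dumps roles, including their password hashes; protect the backup volume like a credential, or pass --no-role-passwords if roles are provisioned elsewhere.` A second point is `concurrencyPolicy: Allow` combined with the default `ReadWriteOnce` backup volume: a dump that overruns the next schedule tick spawns a second job that may either sit Pending on the volume or write alongside the first, so `Forbid` looks like the safer default for a dump job, or the choice of `Allow` deserves a one-line justification. The `--no-password` flag implies the credentials arrive via environment or a password file; where that happens is outside this hunk, so I cannot tell whether `auth.usePasswordFiles` is honoured for the backup pod.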
--- a/charts/bitnami/redis/README.md +++ b/charts/bitnami/redis/README.md @@ -101,7 +101,7 @@ The command removes all the Kubernetes components associated with the chart and | ------------------- | ---------------------------------------------------------------------------------------------------------- | ---------------------- | | `image.registry` | Redis® image registry | `docker.io` | | `image.repository` | Redis® image repository | `bitnami/redis` | -| `image.tag` | Redis® image tag (immutable tags are recommended) | `7.0.12-debian-11-r15` | +| `image.tag` | Redis® image tag (immutable tags are recommended) | `7.0.12-debian-11-r19` | | `image.digest` | Redis® image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `image.pullPolicy` | Redis® image pull policy | `IfNotPresent` | | `image.pullSecrets` | Redis® image pull secrets | `[]` | @@ -345,7 +345,7 @@ The command removes all the Kubernetes components associated with the chart and | `sentinel.enabled` | Use Redis® Sentinel on Redis® pods. | `false` | | `sentinel.image.registry` | Redis® Sentinel image registry | `docker.io` | | `sentinel.image.repository` | Redis® Sentinel image repository | `bitnami/redis-sentinel` | -| `sentinel.image.tag` | Redis® Sentinel image tag (immutable tags are recommended) | `7.0.12-debian-11-r13` | +| `sentinel.image.tag` | Redis® Sentinel image tag (immutable tags are recommended) | `7.0.12-debian-11-r18` | | `sentinel.image.digest` | Redis® Sentinel image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `sentinel.image.pullPolicy` | Redis® Sentinel image pull policy | `IfNotPresent` | | `sentinel.image.pullSecrets` | Redis® Sentinel image pull secrets | `[]` | 
@@ -353,7 +353,7 @@ The command removes all the Kubernetes components associated with the chart and | `sentinel.annotations` | Additional custom annotations for Redis® Sentinel resource | `{}` | | `sentinel.masterSet` | Master set name | `mymaster` | | `sentinel.quorum` | Sentinel Quorum | `2` | -| `sentinel.getMasterTimeout` | Amount of time to allow before get_sentinel_master_info() times out. | `220` | +| `sentinel.getMasterTimeout` | Amount of time to allow before get_sentinel_master_info() times out. | `200` | | `sentinel.automateClusterRecovery` | Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. | `false` | | `sentinel.redisShutdownWaitFailover` | Whether the Redis® master container waits for the failover at shutdown (in addition to the Redis® Sentinel container). | `true` | | `sentinel.downAfterMilliseconds` | Timeout for detecting a Redis® node is down | `60000` | @@ -468,7 +468,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis® metrics | `false` | | `metrics.image.registry` | Redis® Exporter image registry | `docker.io` | | `metrics.image.repository` | Redis® Exporter image repository | `bitnami/redis-exporter` | -| `metrics.image.tag` | Redis® Exporter image tag (immutable tags are recommended) | `1.52.0-debian-11-r0` | +| `metrics.image.tag` | Redis® Exporter image tag (immutable tags are recommended) | `1.52.0-debian-11-r5` | | `metrics.image.digest` | Redis® Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `metrics.image.pullPolicy` | Redis® Exporter image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Redis® Exporter image pull secrets | `[]` | 
@@ -541,7 +541,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | | `volumePermissions.image.registry` | OS Shell + Utility image registry | `docker.io` | | `volumePermissions.image.repository` | OS Shell + Utility image repository | `bitnami/os-shell` | -| `volumePermissions.image.tag` | OS Shell + Utility image tag (immutable tags are recommended) | `11-debian-11-r19` | +| `volumePermissions.image.tag` | OS Shell + Utility image tag (immutable tags are recommended) | `11-debian-11-r25` | | `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | @@ -551,7 +551,7 @@ The command removes all the Kubernetes components associated with the chart and | `sysctl.enabled` | Enable init container to modify Kernel settings | `false` | | `sysctl.image.registry` | OS Shell + Utility image registry | `docker.io` | | `sysctl.image.repository` | OS Shell + Utility image repository | `bitnami/os-shell` | -| `sysctl.image.tag` | OS Shell + Utility image tag (immutable tags are recommended) | `11-debian-11-r19` | +| `sysctl.image.tag` | OS Shell + Utility image tag (immutable tags are recommended) | `11-debian-11-r25` | | `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | | `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | 
diff --git a/charts/bitnami/redis/values.yaml b/charts/bitnami/redis/values.yaml index 9f430095c..ed62b66fc 100644 --- a/charts/bitnami/redis/values.yaml +++ b/charts/bitnami/redis/values.yaml @@ -91,7 +91,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/redis - tag: 7.0.12-debian-11-r15 + tag: 7.0.12-debian-11-r19 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1030,7 +1030,7 @@ sentinel: image: registry: docker.io repository: bitnami/redis-sentinel - tag: 7.0.12-debian-11-r13 + tag: 7.0.12-debian-11-r18 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1058,9 +1058,8 @@ sentinel: ## quorum: 2 ## @param sentinel.getMasterTimeout Amount of time to allow before get_sentinel_master_info() times out. - ## NOTE: This is directly related to the startupProbes which are configured to run every 10 seconds for a total of 22 failures. If adjusting this value, also adjust the startupProbes. ## - getMasterTimeout: 220 + getMasterTimeout: 200 ## @param sentinel.automateClusterRecovery Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. ## This also prevents any new replica from starting until the last remaining replica is elected as master to guarantee that it is the one to be elected by Sentinel, and not a newly started replica with no data. ## NOTE: This feature requires a "downAfterMilliseconds" value less or equal to 2000. @@ -1485,7 +1484,7 @@ metrics: image: registry: docker.io repository: bitnami/redis-exporter - tag: 1.52.0-debian-11-r0 + tag: 1.52.0-debian-11-r5 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
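Review bot: The NOTE explaining that `sentinel.getMasterTimeout` has to stay aligned with the sentinel startup probes (10 s period, 22 failures) was removed together with the change from 220 to 200, but nothing in the hunk documents the new relationship, so the coupling is now invisible to whoever tunes either value next. If the probe settings were adjusted in a template outside this view, I would keep a one-line pointer such as `## NOTE: keep in sync with the sentinel startupProbe (periodSeconds * failureThreshold)` above `getMasterTimeout: 200`; if the dependency no longer exists, a comment saying so would be just as useful.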
@@ -1759,7 +1758,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r19 + tag: 11-debian-11-r25 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1807,7 +1806,7 @@ sysctl: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r19 + tag: 11-debian-11-r25 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/wordpress/Chart.lock b/charts/bitnami/wordpress/Chart.lock index 44fc54beb..77049e061 100644 --- a/charts/bitnami/wordpress/Chart.lock +++ b/charts/bitnami/wordpress/Chart.lock @@ -4,9 +4,9 @@ dependencies: version: 6.5.6 - name: mariadb repository: oci://registry-1.docker.io/bitnamicharts - version: 12.2.9 + version: 13.0.0 - name: common repository: oci://registry-1.docker.io/bitnamicharts version: 2.6.0 -digest: sha256:00b9c8659345fc1a9be28d3f337b01c614c4c93fdda2234aa3b6fbc947601879 -generated: "2023-07-26T23:52:22.277029253Z" +digest: sha256:9d4361c9b5bc1818c9378577fbebe155e3fb9e04fcafee3c3f8f38fdf3644a01 +generated: "2023-08-01T13:37:46.5926+02:00" diff --git a/charts/bitnami/wordpress/Chart.yaml b/charts/bitnami/wordpress/Chart.yaml index eb5b7c48b..624f05ef8 100644 --- a/charts/bitnami/wordpress/Chart.yaml +++ b/charts/bitnami/wordpress/Chart.yaml @@ -15,7 +15,7 @@ dependencies: - condition: mariadb.enabled name: mariadb repository: file://./charts/mariadb - version: 12.x.x + version: 13.x.x - name: common repository: file://./charts/common tags: @@ -40,4 +40,4 @@ maintainers: name: wordpress sources: - https://github.com/bitnami/charts/tree/main/bitnami/wordpress -version: 16.1.34 +version: 17.0.1 diff --git a/charts/bitnami/wordpress/README.md b/charts/bitnami/wordpress/README.md index 9c0c80716..593d2f9d1 100644 --- a/charts/bitnami/wordpress/README.md +++ b/charts/bitnami/wordpress/README.md 
@@ -82,7 +82,7 @@ The command removes all the Kubernetes components associated with the chart and | ------------------- | --------------------------------------------------------------------------------------------------------- | --------------------- | | `image.registry` | WordPress image registry | `docker.io` | | `image.repository` | WordPress image repository | `bitnami/wordpress` | -| `image.tag` | WordPress image tag (immutable tags are recommended) | `6.2.2-debian-11-r72` | +| `image.tag` | WordPress image tag (immutable tags are recommended) | `6.2.2-debian-11-r75` | | `image.digest` | WordPress image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `image.pullPolicy` | WordPress image pull policy | `IfNotPresent` | | `image.pullSecrets` | WordPress image pull secrets | `[]` | @@ -249,7 +249,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | | `volumePermissions.image.registry` | OS Shell + Utility image registry | `docker.io` | | `volumePermissions.image.repository` | OS Shell + Utility image repository | `bitnami/os-shell` | -| `volumePermissions.image.tag` | OS Shell + Utility image tag (immutable tags are recommended) | `11-debian-11-r19` | +| `volumePermissions.image.tag` | OS Shell + Utility image tag (immutable tags are recommended) | `11-debian-11-r25` | | `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | 
@@ -281,7 +281,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.enabled` | Start a sidecar prometheus exporter to expose metrics | `false` | | `metrics.image.registry` | Apache exporter image registry | `docker.io` | | `metrics.image.repository` | Apache exporter image repository | `bitnami/apache-exporter` | -| `metrics.image.tag` | Apache exporter image tag (immutable tags are recommended) | `0.13.4-debian-11-r55` | +| `metrics.image.tag` | Apache exporter image tag (immutable tags are recommended) | `0.13.4-debian-11-r60` | | `metrics.image.digest` | Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `metrics.image.pullPolicy` | Apache exporter image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Apache exporter image pull secrets | `[]` | @@ -513,6 +513,10 @@ To enable the new features, it is not possible to do it by upgrading an existing ## Upgrading +### To 17.0.0 + +This major release bumps the MariaDB version to 11.0. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-0/) for upgrading from MariaDB 10.11 to 11.0. No major issues are expected during the upgrade. + ### To 16.0.0 This major release bumps the MariaDB version to 10.11. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for upgrading from MariaDB 10.6 to 10.11. No major issues are expected during the upgrade. diff --git a/charts/bitnami/wordpress/charts/mariadb/Chart.yaml b/charts/bitnami/wordpress/charts/mariadb/Chart.yaml index 781038c0d..dfb4db08e 100644 --- a/charts/bitnami/wordpress/charts/mariadb/Chart.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/Chart.yaml 
@@ -2,7 +2,7 @@ annotations: category: Database licenses: Apache-2.0 apiVersion: v2 -appVersion: 10.11.4 +appVersion: 11.0.2 dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts @@ -26,4 +26,4 @@ maintainers: name: mariadb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mariadb -version: 12.2.9 +version: 13.0.0 diff --git a/charts/bitnami/wordpress/charts/mariadb/README.md b/charts/bitnami/wordpress/charts/mariadb/README.md index 9bbd74f29..30d25b37c 100644 --- a/charts/bitnami/wordpress/charts/mariadb/README.md +++ b/charts/bitnami/wordpress/charts/mariadb/README.md 
@@ -82,28 +82,28 @@ The command removes all the Kubernetes components associated with the chart and ### MariaDB common parameters -| Name | Description | Value | -| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | -| `image.registry` | MariaDB image registry | `docker.io` | -| `image.repository` | MariaDB image repository | `bitnami/mariadb` | -| `image.tag` | MariaDB image tag (immutable tags are recommended) | `10.11.4-debian-11-r46` | -| `image.digest` | MariaDB image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | MariaDB image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `image.debug` | Specify if debug logs should be enabled | `false` | -| `architecture` | MariaDB architecture (`standalone` or `replication`) | `standalone` | -| `auth.rootPassword` | Password for the `root` user. Ignored if existing secret is provided. | `""` | -| `auth.database` | Name for a custom database to create | `my_database` | -| `auth.username` | Name for a custom user to create | `""` | -| `auth.password` | Password for the new user. Ignored if existing secret is provided | `""` | -| `auth.replicationUser` | MariaDB replication user | `replicator` | -| `auth.replicationPassword` | MariaDB replication user password. Ignored if existing secret is provided | `""` | -| `auth.existingSecret` | Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). 
The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` | `""` | -| `auth.forcePassword` | Force users to specify required passwords | `false` | -| `auth.usePasswordFiles` | Mount credentials as files instead of using environment variables | `false` | -| `auth.customPasswordFiles` | Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` | `{}` | -| `initdbScripts` | Dictionary of initdb scripts | `{}` | -| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) | `""` | +| Name | Description | Value | +| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | +| `image.registry` | MariaDB image registry | `docker.io` | +| `image.repository` | MariaDB image repository | `bitnami/mariadb` | +| `image.tag` | MariaDB image tag (immutable tags are recommended) | `11.0.2-debian-11-r2` | +| `image.digest` | MariaDB image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | MariaDB image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Specify if debug logs should be enabled | `false` | +| `architecture` | MariaDB architecture (`standalone` or `replication`) | `standalone` | +| `auth.rootPassword` | Password for the `root` user. Ignored if existing secret is provided. 
| `""` | +| `auth.database` | Name for a custom database to create | `my_database` | +| `auth.username` | Name for a custom user to create | `""` | +| `auth.password` | Password for the new user. Ignored if existing secret is provided | `""` | +| `auth.replicationUser` | MariaDB replication user | `replicator` | +| `auth.replicationPassword` | MariaDB replication user password. Ignored if existing secret is provided | `""` | +| `auth.existingSecret` | Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` | `""` | +| `auth.forcePassword` | Force users to specify required passwords | `false` | +| `auth.usePasswordFiles` | Mount credentials as files instead of using environment variables | `false` | +| `auth.customPasswordFiles` | Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` | `{}` | +| `initdbScripts` | Dictionary of initdb scripts | `{}` | +| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) | `""` | ### MariaDB Primary parameters 
@@ -308,7 +308,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | | `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | | `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/os-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r16` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r22` | | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | @@ -322,7 +322,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.enabled` | Start a side-car prometheus exporter | `false` | | `metrics.image.registry` | Exporter image registry | `docker.io` | | `metrics.image.repository` | Exporter image repository | `bitnami/mysqld-exporter` | -| `metrics.image.tag` | Exporter image tag (immutable tags are recommended) | `0.15.0-debian-11-r0` | +| `metrics.image.tag` | Exporter image tag (immutable tags are recommended) | `0.15.0-debian-11-r5` | | `metrics.image.digest` | Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | 
diff --git a/charts/bitnami/wordpress/charts/mariadb/values.yaml b/charts/bitnami/wordpress/charts/mariadb/values.yaml index 815dfae2b..398f67280 100644 --- a/charts/bitnami/wordpress/charts/mariadb/values.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/values.yaml @@ -90,7 +90,7 @@ serviceBindings: image: registry: docker.io repository: bitnami/mariadb - tag: 10.11.4-debian-11-r46 + tag: 11.0.2-debian-11-r2 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1004,7 +1004,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r16 + tag: 11-debian-11-r22 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) @@ -1040,7 +1040,7 @@ metrics: image: registry: docker.io repository: bitnami/mysqld-exporter - tag: 0.15.0-debian-11-r0 + tag: 0.15.0-debian-11-r5 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) diff --git a/charts/bitnami/wordpress/values.yaml b/charts/bitnami/wordpress/values.yaml index 106e9bbf3..d2e04effb 100644 --- a/charts/bitnami/wordpress/values.yaml +++ b/charts/bitnami/wordpress/values.yaml @@ -76,7 +76,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/wordpress - tag: 6.2.2-debian-11-r72 + tag: 6.2.2-debian-11-r75 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -766,7 +766,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r19 + tag: 11-debian-11-r25 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -860,7 +860,7 @@ metrics: image: registry: docker.io repository: bitnami/apache-exporter - tag: 0.13.4-debian-11-r55 + tag: 0.13.4-debian-11-r60 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/clastix/kamaji/Chart.yaml b/charts/clastix/kamaji/Chart.yaml index b79a85f5c..3a4ac37df 100644 --- a/charts/clastix/kamaji/Chart.yaml +++ b/charts/clastix/kamaji/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21.0-0' catalog.cattle.io/release-name: kamaji apiVersion: v2 -appVersion: v0.3.1 +appVersion: v0.3.2 description: Kamaji deploys and operates Kubernetes at scale with a fraction of the operational burden. Kamaji turns any Kubernetes cluster into an “admin cluster” to orchestrate other Kubernetes clusters called “tenant clusters”. Kamaji is special @@ -25,4 +25,4 @@ name: kamaji sources: - https://github.com/clastix/kamaji type: application -version: 0.12.2 +version: 0.12.3 diff --git a/charts/clastix/kamaji/README.md b/charts/clastix/kamaji/README.md index 03f664bca..13f3df478 100644 --- a/charts/clastix/kamaji/README.md +++ b/charts/clastix/kamaji/README.md 
@@ -1,6 +1,6 @@ # kamaji -![Version: 0.12.2](https://img.shields.io/badge/Version-0.12.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.3.1](https://img.shields.io/badge/AppVersion-v0.3.1-informational?style=flat-square) +![Version: 0.12.3](https://img.shields.io/badge/Version-0.12.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.3.2](https://img.shields.io/badge/AppVersion-v0.3.2-informational?style=flat-square) Kamaji deploys and operates Kubernetes at scale with a fraction of the operational burden. Kamaji turns any Kubernetes cluster into an “admin cluster” to orchestrate other Kubernetes clusters called “tenant clusters”. Kamaji is special because the Control Plane components are running in a single pod instead of dedicated machines. This solution makes running multiple Control Planes cheaper and easier to deploy and operate. diff --git a/charts/cockroach-labs/cockroachdb/Chart.yaml b/charts/cockroach-labs/cockroachdb/Chart.yaml index d4d68c4b7..3edbd8d06 100644 --- a/charts/cockroach-labs/cockroachdb/Chart.yaml +++ b/charts/cockroach-labs/cockroachdb/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.8-0' catalog.cattle.io/release-name: cockroachdb apiVersion: v1 -appVersion: 23.1.6 +appVersion: 23.1.7 description: CockroachDB is a scalable, survivable, strongly-consistent SQL database. home: https://www.cockroachlabs.com icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png @@ -14,4 +14,4 @@ maintainers: name: cockroachdb sources: - https://github.com/cockroachdb/cockroach -version: 11.1.3 +version: 11.1.4 diff --git a/charts/cockroach-labs/cockroachdb/README.md b/charts/cockroach-labs/cockroachdb/README.md index 9eb752408..e4f6b03aa 100644 
--- a/charts/cockroach-labs/cockroachdb/README.md +++ b/charts/cockroach-labs/cockroachdb/README.md @@ -229,10 +229,10 @@ kubectl get pods \ ``` ``` -my-release-cockroachdb-0 cockroachdb/cockroach:v23.1.6 -my-release-cockroachdb-1 cockroachdb/cockroach:v23.1.6 -my-release-cockroachdb-2 cockroachdb/cockroach:v23.1.6 -my-release-cockroachdb-3 cockroachdb/cockroach:v23.1.6 +my-release-cockroachdb-0 cockroachdb/cockroach:v23.1.7 +my-release-cockroachdb-1 cockroachdb/cockroach:v23.1.7 +my-release-cockroachdb-2 cockroachdb/cockroach:v23.1.7 +my-release-cockroachdb-3 cockroachdb/cockroach:v23.1.7 ``` Resume normal operations. Once you are comfortable that the stability and performance of the cluster is what you'd expect post-upgrade, finalize the upgrade: @@ -316,7 +316,7 @@ For details see the [`values.yaml`](values.yaml) file. | `conf.store.size` | CockroachDB storage size | `""` | | `conf.store.attrs` | CockroachDB storage attributes | `""` | | `image.repository` | Container image name | `cockroachdb/cockroach` | -| `image.tag` | Container image tag | `v23.1.6` | +| `image.tag` | Container image tag | `v23.1.7` | | `image.pullPolicy` | Container pull policy | `IfNotPresent` | | `image.credentials` | `registry`, `user` and `pass` credentials to pull private image | `{}` | | `statefulset.replicas` | StatefulSet replicas number | `3` | diff --git a/charts/cockroach-labs/cockroachdb/values.yaml b/charts/cockroach-labs/cockroachdb/values.yaml index 252ab2214..73d9e4146 100644 --- a/charts/cockroach-labs/cockroachdb/values.yaml +++ b/charts/cockroach-labs/cockroachdb/values.yaml @@ -1,7 +1,7 @@ # Generated file, DO NOT EDIT. Source: build/templates/values.yaml image: repository: cockroachdb/cockroach - tag: v23.1.6 + tag: v23.1.7 pullPolicy: IfNotPresent credentials: {} # registry: docker.io diff --git a/charts/datadog/datadog/CHANGELOG.md b/charts/datadog/datadog/CHANGELOG.md index fde25954b..80231a666 100644 --- a/charts/datadog/datadog/CHANGELOG.md 
+++ b/charts/datadog/datadog/CHANGELOG.md @@ -1,5 +1,9 @@ # Datadog changelog +## 3.33.7 + +* Add additional intakes into `CiliumNetworkPolicy` for node Agent and Cluster Check Runner for profiling, network monitoring, dbm, and remote config + ## 3.33.6 * Ensure the core agent is aware that CSPM is enabled (for inventories purposes). diff --git a/charts/datadog/datadog/Chart.yaml b/charts/datadog/datadog/Chart.yaml index aa9bc0262..7eef633ef 100644 --- a/charts/datadog/datadog/Chart.yaml +++ b/charts/datadog/datadog/Chart.yaml @@ -19,4 +19,4 @@ name: datadog sources: - https://app.datadoghq.com/account/settings#agent/kubernetes - https://github.com/DataDog/datadog-agent -version: 3.33.6 +version: 3.33.7 diff --git a/charts/datadog/datadog/README.md b/charts/datadog/datadog/README.md index cbd01ee6d..c2e1218e2 100644 --- a/charts/datadog/datadog/README.md +++ b/charts/datadog/datadog/README.md @@ -1,6 +1,6 @@ # Datadog -![Version: 3.33.6](https://img.shields.io/badge/Version-3.33.6-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.33.7](https://img.shields.io/badge/Version-3.33.7-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). diff --git a/charts/datadog/datadog/templates/agent-cilium-network-policy.yaml b/charts/datadog/datadog/templates/agent-cilium-network-policy.yaml index c7d4e1a4d..7e7a4c09a 100644 
--- a/charts/datadog/datadog/templates/agent-cilium-network-policy.yaml
+++ b/charts/datadog/datadog/templates/agent-cilium-network-policy.yaml
@@ -92,6 +92,13 @@ specs:
 - matchName: "process.{{ $.Values.datadog.site }}"
 - matchName: "orchestrator.{{ $.Values.datadog.site }}"
 - matchName: "instrumentation-telemetry-intake.{{ $.Values.datadog.site }}"
+ - matchName: "intake.profile.{{ $.Values.datadog.site }}"
+ - matchName: "ndm-intake.{{ $.Values.datadog.site }}"
+ - matchName: "snmp-traps-intake.{{ $.Values.datadog.site }}"
+ - matchName: "ndmflow-intake.{{ $.Values.datadog.site }}"
+ - matchName: "config.{{ $.Values.datadog.site }}"
+ - matchName: "dbm-metrics-intake.{{ $.Values.datadog.site }}"
+ - matchName: "dbquery-intake.{{ $.Values.datadog.site }}"
 {{- else}}
 - matchPattern: "*-app.agent.datadoghq.com"
 - matchName: "app.datadoghq.com"
@@ -101,6 +108,13 @@ specs:
 - matchName: "process.datadoghq.com"
 - matchName: "orchestrator.datadoghq.com"
 - matchName: "instrumentation-telemetry-intake.datadoghq.com"
+ - matchName: "intake.profile.datadoghq.com"
+ - matchName: "ndm-intake.datadoghq.com"
+ - matchName: "snmp-traps-intake.datadoghq.com"
+ - matchName: "ndmflow-intake.datadoghq.com"
+ - matchName: "config.datadoghq.com"
+ - matchName: "dbm-metrics-intake.datadoghq.com"
+ - matchName: "dbquery-intake.datadoghq.com"
 {{- end}}
 toPorts:
 - ports:
diff --git a/charts/datadog/datadog/templates/agent-clusterchecks-cilium-network-policy.yaml b/charts/datadog/datadog/templates/agent-clusterchecks-cilium-network-policy.yaml
index e45bc9e0e..51e261dc4 100644
--- a/charts/datadog/datadog/templates/agent-clusterchecks-cilium-network-policy.yaml
+++ b/charts/datadog/datadog/templates/agent-clusterchecks-cilium-network-policy.yaml
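Review bot: The seven new `toFQDNs` entries in each branch are unconditional, so the node agent's Cilium egress allowlist now includes the profiling, NDM/SNMP, DBM and remote-config (`config.<site>`) endpoints on every install, including ones that never enable those products. An egress allowlist is the control that keeps a compromised agent pod from reaching endpoints it has no business with, so I would gate each group on the chart's existing toggle for that feature where one exists (the toggle names are not visible from this hunk), with the `config.` entry in particular tied to whatever enables remote configuration, since that endpoint lets the backend push configuration to the agent. The two branches repeat the same list with only the domain suffix differing; computing it once with `{{- $site := default "datadoghq.com" $.Values.datadog.site }}` and keeping a single list would stop the branches drifting. The enclosing egress rule and its `toFQDNs:` key start above the hunk.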
@@ -41,11 +41,27 @@ specs: - matchName: {{ trimPrefix "https://" $.Values.datadog.dd_url }} {{- end}} {{- if $.Values.datadog.site}} - - matchName: "app.{{ $.Values.datadog.site }}" - matchPattern: "*-app.agent.{{ $.Values.datadog.site }}" + - matchName: "app.{{ $.Values.datadog.site }}" + - matchName: "api.{{ $.Values.datadog.site }}" + - matchName: "orchestrator.{{ $.Values.datadog.site }}" + - matchName: "ndm-intake.{{ $.Values.datadog.site }}" + - matchName: "snmp-traps-intake.{{ $.Values.datadog.site }}" + - matchName: "ndmflow-intake.{{ $.Values.datadog.site }}" + - matchName: "config.{{ $.Values.datadog.site }}" + - matchName: "dbm-metrics-intake.{{ $.Values.datadog.site }}" + - matchName: "dbquery-intake.{{ $.Values.datadog.site }}" {{- else}} - - matchName: "app.datadoghq.com" - matchPattern: "*-app.agent.datadoghq.com" + - matchName: "app.datadoghq.com" + - matchName: "api.datadoghq.com" + - matchName: "orchestrator.datadoghq.com" + - matchName: "ndm-intake.datadoghq.com" + - matchName: "snmp-traps-intake.datadoghq.com" + - matchName: "ndmflow-intake.datadoghq.com" + - matchName: "config.datadoghq.com" + - matchName: "dbm-metrics-intake.datadoghq.com" + - matchName: "dbquery-intake.datadoghq.com" {{- end}} toPorts: - ports: diff --git a/charts/dell/csi-vxflexos/Chart.yaml b/charts/dell/csi-vxflexos/Chart.yaml index 0070812fd..83f5a781e 100644 --- a/charts/dell/csi-vxflexos/Chart.yaml +++ b/charts/dell/csi-vxflexos/Chart.yaml @@ -5,7 +5,7 @@ annotations: catalog.cattle.io/namespace: vxflexos catalog.cattle.io/release-name: vxflexos apiVersion: v2 -appVersion: 2.7.0 +appVersion: 2.7.1 description: 'VxFlex OS CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a VxFlex OS StorageClass. ' @@ -19,4 +19,4 @@ maintainers: name: csi-vxflexos sources: - https://github.com/dell/csi-vxflexos -version: 2.7.0 +version: 2.7.1 
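Review bot: The cluster-check runner now gets the NDM, SNMP-trap, DBM and `config.` intakes unconditionally, the same way the node-agent policy does, so its egress is widened even on clusters where none of those checks run on the runner; if the chart exposes per-feature toggles, wrapping the corresponding `matchName` lines in them keeps the runner's reachable set minimal. The `if`/`else` branches of this hunk are identical apart from the domain suffix, so a single list built from `{{- $site := default "datadoghq.com" $.Values.datadog.site }}` and lines such as `- matchName: "api.{{ $site }}"` would halve the hunk and remove one place for the two lists to diverge. Separately, the context line `- matchName: {{ trimPrefix "https://" $.Values.datadog.dd_url }}` at the top emits whatever is left after stripping the scheme, so a `dd_url` carrying a port or path would render an invalid FQDN; not introduced here, but worth a guard while this file is being touched. The `toFQDNs:` rule these lines belong to starts above the hunk.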
diff --git a/charts/dell/csi-vxflexos/values.yaml b/charts/dell/csi-vxflexos/values.yaml index 3efb8d38b..fb4da903e 100644 --- a/charts/dell/csi-vxflexos/values.yaml +++ b/charts/dell/csi-vxflexos/values.yaml @@ -3,7 +3,7 @@ # "version" is used to verify the values file matches driver version # Not recommend to change -version: v2.7.0 +version: v2.7.1 images: # "driver" defines the container image, used for the driver container. diff --git a/charts/jfrog/artifactory-ha/CHANGELOG.md b/charts/jfrog/artifactory-ha/CHANGELOG.md index 4d59352c7..f83a0d900 100644 --- a/charts/jfrog/artifactory-ha/CHANGELOG.md +++ b/charts/jfrog/artifactory-ha/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Artifactory-ha Chart Changelog All changes to this chart will be documented in this file -## [107.63.8] - Jul 20, 2023 +## [107.63.9] - Jul 20, 2023 * Added support for Openshift by adding the securityContext in container level. * **IMPORTANT** * Nginx deployment is disabled on openshift. diff --git a/charts/jfrog/artifactory-ha/Chart.yaml b/charts/jfrog/artifactory-ha/Chart.yaml index ff624f4dc..ad8c60bd3 100644 --- a/charts/jfrog/artifactory-ha/Chart.yaml +++ b/charts/jfrog/artifactory-ha/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.14.0-0' catalog.cattle.io/release-name: artifactory-ha apiVersion: v2 -appVersion: 7.63.8 +appVersion: 7.63.9 dependencies: - condition: postgresql.enabled name: postgresql @@ -26,4 +26,4 @@ name: artifactory-ha sources: - https://github.com/jfrog/charts type: application -version: 107.63.8 +version: 107.63.9 diff --git a/charts/jfrog/artifactory-jcr/CHANGELOG.md b/charts/jfrog/artifactory-jcr/CHANGELOG.md index 3bb7c11c8..b066ce3f5 100644 --- a/charts/jfrog/artifactory-jcr/CHANGELOG.md +++ b/charts/jfrog/artifactory-jcr/CHANGELOG.md 
@@ -1,7 +1,7 @@ # JFrog Container Registry Chart Changelog All changes to this chart will be documented in this file. -## [107.63.8] - Aug 25, 2022 +## [107.63.9] - Aug 25, 2022 * Included event service as mandatory and remove the flag from values.yaml ## [107.41.0] - Jul 22, 2022 diff --git a/charts/jfrog/artifactory-jcr/Chart.yaml b/charts/jfrog/artifactory-jcr/Chart.yaml index cb0a0239e..a8284cdde 100644 --- a/charts/jfrog/artifactory-jcr/Chart.yaml +++ b/charts/jfrog/artifactory-jcr/Chart.yaml @@ -4,11 +4,11 @@ annotations: catalog.cattle.io/kube-version: '>= 1.14.0-0' catalog.cattle.io/release-name: artifactory-jcr apiVersion: v2 -appVersion: 7.63.8 +appVersion: 7.63.9 dependencies: - name: artifactory repository: file://./charts/artifactory - version: 107.63.8 + version: 107.63.9 description: JFrog Container Registry home: https://jfrog.com/container-registry/ icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png @@ -27,4 +27,4 @@ name: artifactory-jcr sources: - https://github.com/jfrog/charts type: application -version: 107.63.8 +version: 107.63.9 diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md b/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md index 0c757469a..ae54fd384 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Artifactory Chart Changelog All changes to this chart will be documented in this file. -## [107.63.8] - Jul 20, 2023 +## [107.63.9] - Jul 20, 2023 * Added support for Openshift by adding the securityContext in container level. * **IMPORTANT** * Nginx deployment is disabled on openshift. diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml index 8fcd8dd61..e7b5b825c 100644 
--- a/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 7.63.8 +appVersion: 7.63.9 dependencies: - condition: postgresql.enabled name: postgresql @@ -21,4 +21,4 @@ name: artifactory sources: - https://github.com/jfrog/charts type: application -version: 107.63.8 +version: 107.63.9 diff --git a/charts/kasten/k10/Chart.lock b/charts/kasten/k10/Chart.lock index 5884d3666..39645869d 100644 --- a/charts/kasten/k10/Chart.lock +++ b/charts/kasten/k10/Chart.lock @@ -6,4 +6,4 @@ dependencies: repository: "" version: 15.8.5 digest: sha256:4399c78f4e445e4fbb26151707c9b481fece2002ac02ae20612d9f26e6b66643 -generated: "2023-07-15T05:48:19.983972564Z" +generated: "2023-08-01T11:04:57.116820404Z" diff --git a/charts/kasten/k10/Chart.yaml b/charts/kasten/k10/Chart.yaml index 5784fdc3e..c25eddfe0 100644 --- a/charts/kasten/k10/Chart.yaml +++ b/charts/kasten/k10/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/release-name: k10 apiVersion: v2 -appVersion: 6.0.3 +appVersion: 6.0.4 dependencies: - name: grafana repository: file://./charts/grafana @@ -19,4 +19,4 @@ maintainers: - email: contact@kasten.io name: kastenIO name: k10 -version: 6.0.301 +version: 6.0.401 diff --git a/charts/kasten/k10/README.md b/charts/kasten/k10/README.md index 861a29fe3..9aa562bf9 100644 --- a/charts/kasten/k10/README.md +++ b/charts/kasten/k10/README.md 
@@ -88,7 +88,8 @@ Parameter | Description | Default `secrets.awsAccessKeyId` | AWS access key ID (required for AWS deployment) | `None` `secrets.awsSecretAccessKey` | AWS access key secret | `None` `secrets.awsIamRole` | ARN of the AWS IAM role assumed by K10 to perform any AWS operation. | `None` -`secrets.googleApiKey` | Non-default base64 encoded GCP Service Account key file | `None` +`secrets.googleApiKey` | Non-default base64 encoded GCP Service Account key | `None` +`secrets.googleProjectId` | Sets Google Project ID other than the one used in the GCP Service Account | `None` `secrets.azureTenantId` | Azure tenant ID (required for Azure deployment) | `None` `secrets.azureClientId` | Azure Service App ID | `None` `secrets.azureClientSecret` | Azure Service APP secret | `None` @@ -243,7 +244,7 @@ Parameter | Description | Default `garbagecollector.importRunActions.enabled` | Enables ``importRunActions`` collector | `false` `garbagecollector.retireActions.enabled` | Enables ``retireActions`` collector | `false` `kubeVirtVMs.snapshot.unfreezeTimeout` | Defines the time duration within which the VMs must be unfrozen while backing them up. To know more about format [go doc](https://pkg.go.dev/time#ParseDuration) can be followed | `5m` -`excludedApps` | Specifies a list of applications to be excluded from the dashboard & compliance considerations. Format should be a :ref:`YAML array` | `None` +`excludedApps` | Specifies a list of applications to be excluded from the dashboard & compliance considerations. Format should be a :ref:`YAML array` | `["kube-system", "kube-ingress", "kube-node-lease", "kube-public", "kube-rook-ceph"]` `kanisterPodMetricSidecar.enabled` | Enable the sidecar container to gather metrics from ephemeral pods | `true` `kanisterPodMetricSidecar.metricLifetime` | Check periodically for metrics that should be removed | `2m` `kanisterPodMetricSidecar.pushGatewayInterval` | Set the interval for sending metrics into the Prometheus | `30s` 
@@ -274,9 +275,17 @@ To set a single value from a file, `--set-file` may be used over `--set`: To use non-default GCP ServiceAccount (SA) credentials, the credentials JSON file needs to be encoded into a base64 -string. +string: ```bash sa_key=$(base64 -w0 sa-key.json) helm install k10 kasten/k10 --namespace=kasten-io --set secrets.googleApiKey=$sa_key ``` + +If the Google Service Account belongs to a project other than the one in which the cluster +is located, then the project's ID of the cluster must be also provided during the installation: + +```bash + sa_key=$(base64 -w0 sa-key.json) + helm install k10 kasten/k10 --namespace=kasten-io --set secrets.googleApiKey=$sa_key --set secrets.googleProjectId= +``` \ No newline at end of file diff --git a/charts/kasten/k10/charts/grafana/values.yaml b/charts/kasten/k10/charts/grafana/values.yaml index b5fce07d0..a442fa977 100644 --- a/charts/kasten/k10/charts/grafana/values.yaml +++ b/charts/kasten/k10/charts/grafana/values.yaml 
@@ -5099,7 +5099,195 @@ dashboards: ], "title": "Execution Control", "type": "row" - } + }, + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 54 + }, + "id": 84, + "panels": [ + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 55 + }, + "id": 86, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(rate(action_export_transferred_bytes[30m]))/sum((rate(action_export_processed_bytes[30m])>0))", + "legendFormat": "Transferred/Processed across all actions", + "range": true, + "refId": "A" + } + ], + "title": "Transferred/Processed Ratio", + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + 
"gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 55 + }, + "id": 88, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "(rate(action_export_transferred_bytes[30m])/(rate(action_export_processed_bytes[30m])>0))", + "legendFormat": "{{policy}}:{{app}}", + "range": true, + "refId": "A" + } + ], + "title": "Transferred/Processed Ratio per policy:app", + "type": "timeseries" + } + ], + "title": "Data reduction", + "type": "row" + } ], "schemaVersion": 37, "style": "dark", diff --git a/charts/kasten/k10/templates/_definitions.tpl b/charts/kasten/k10/templates/_definitions.tpl index 6400cc5dc..63024505a 100644 --- a/charts/kasten/k10/templates/_definitions.tpl +++ b/charts/kasten/k10/templates/_definitions.tpl @@ -31,9 +31,9 @@ vbrintegrationapi: {{- end -}} {{- define "k10.colocatedServiceLookup" -}} crypto: +- bloblifecyclemanager - events - garbagecollector -- bloblifecyclemanager dashboardbff: - vbrintegrationapi state: diff --git a/charts/kasten/k10/templates/_helpers.tpl b/charts/kasten/k10/templates/_helpers.tpl index 7fd98d6d8..42fae1e37 100644 --- a/charts/kasten/k10/templates/_helpers.tpl +++ b/charts/kasten/k10/templates/_helpers.tpl 
@@ -500,7 +500,22 @@ Check if Google creds are specified */}} {{- define "check.googlecreds" -}} {{- if .Values.secrets.googleApiKey -}} -{{- print true -}} + {{- if eq (include "check.isBase64" .Values.secrets.googleApiKey) "false" -}} + {{- fail "secrets.googleApiKey must be base64 encoded" -}} + {{- end -}} + {{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if Google Project ID is specified +*/}} +{{- define "check.googleproject" -}} +{{- if .Values.secrets.googleProjectId -}} + {{- if not .Values.secrets.googleApiKey -}} + {{- fail "secrets.googleApiKey field is required when using secrets.googleProjectId" -}} + {{- end -}} + {{- print true -}} {{- end -}} {{- end -}} diff --git a/charts/kasten/k10/templates/_k10_container.tpl b/charts/kasten/k10/templates/_k10_container.tpl index 17b06fec6..bfc6b39f4 100644 --- a/charts/kasten/k10/templates/_k10_container.tpl +++ b/charts/kasten/k10/templates/_k10_container.tpl @@ -83,6 +83,13 @@ stating that types are not same for the equality check - name: GOOGLE_APPLICATION_CREDENTIALS value: "/var/run/secrets/kasten.io/kasten-gke-sa.json" {{- end }} +{{- if eq (include "check.googleproject" .) "true" }} + - name: projectID + valueFrom: + secretKeyRef: + name: google-secret + key: kasten-gke-project +{{- end }} {{- if eq (include "check.ibmslcreds" .) "true" }} - name: IBM_SL_API_KEY valueFrom: @@ -374,7 +381,7 @@ stating that types are not same for the equality check configMapKeyRef: name: k10-config key: AWSAssumeRoleDuration -{{- if (list "dashboardbff" "catalog" | has $service) }} +{{- if (list "dashboardbff" "catalog" "executor" | has $service) }} {{- if .Values.metering.mode }} - name: K10REPORTMODE value: {{ .Values.metering.mode }} diff --git a/charts/kasten/k10/templates/_k10_image_tag.tpl b/charts/kasten/k10/templates/_k10_image_tag.tpl index 83e029206..a7c16386a 100644 --- a/charts/kasten/k10/templates/_k10_image_tag.tpl +++ b/charts/kasten/k10/templates/_k10_image_tag.tpl 
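Review bot: `K10REPORTMODE` is now also rendered into the executor container, but its value comes from the unquoted context line `value: {{ .Values.metering.mode }}`; a `metering.mode` that YAML types as a number or boolean renders a non-string env `value`, which the API server rejects, and a value containing `: ` or ` #` breaks the manifest, so `value: {{ .Values.metering.mode | quote }}` is the safer form. In `_helpers.tpl` the new `check.isBase64` guard is a welcome fail-fast, but its definition is outside this diff, so I could not confirm it rejects a raw JSON key passed via `--set` rather than merely checking shape; a quick render test with an unencoded key would settle it. The new `projectID` env reads from the `google-secret` Secret, so it only resolves when the credentials check also passes, and `check.googleproject` enforces exactly that dependency, which is good. The `define` blocks these hunks sit in begin above them and, for the container template, continue below.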
@@ -1 +1 @@ -{{- define "k10.imageTag" -}}6.0.3{{- end -}} \ No newline at end of file +{{- define "k10.imageTag" -}}6.0.4{{- end -}} \ No newline at end of file diff --git a/charts/kasten/k10/templates/secrets.yaml b/charts/kasten/k10/templates/secrets.yaml index 2324b52d2..b333496f7 100644 --- a/charts/kasten/k10/templates/secrets.yaml +++ b/charts/kasten/k10/templates/secrets.yaml @@ -42,6 +42,9 @@ metadata: type: Opaque data: kasten-gke-sa.json: {{ .Values.secrets.googleApiKey }} +{{- if eq (include "check.googleproject" .) "true" }} + kasten-gke-project: {{ .Values.secrets.googleProjectId | b64enc }} +{{- end }} {{- end }} {{- if eq (include "check.ibmslcreds" .) "true" }} --- diff --git a/charts/kasten/k10/values.schema.json b/charts/kasten/k10/values.schema.json index e46517c27..442423fd7 100644 --- a/charts/kasten/k10/values.schema.json +++ b/charts/kasten/k10/values.schema.json @@ -1146,7 +1146,13 @@ "type": "string", "default": "", "title": "Google API Key", - "description": "Non-default base64 encoded GCP Service Account key file" + "description": "Non-default base64 encoded GCP Service Account key" + }, + "googleProjectId": { + "type": "string", + "default": "", + "title": "Google Project ID", + "description": "Set Google Project ID other than the one in the GCP Service Account" }, "ibmSoftLayerApiKey": { "type": "string", @@ -2615,7 +2621,7 @@ "items": { "type": "string" }, - "default": [], + "default": ["kube-system", "kube-ingress", "kube-node-lease", "kube-public", "kube-rook-ceph"], "title": "List of applications to be excluded", "description": "List of applications to be excluded from the dashboard & compliance considerations" }, diff --git a/charts/kasten/k10/values.yaml b/charts/kasten/k10/values.yaml index 8cd24a0f8..6c45b2d99 100644 --- a/charts/kasten/k10/values.yaml +++ b/charts/kasten/k10/values.yaml 
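Review bot: `googleProjectId` is declared in `values.schema.json` as a bare `"type": "string"`, so a mistyped ID passes `helm install` and only surfaces when K10 first calls GCP against the wrong project. Google's documented project-ID format (6–30 lowercase letters, digits or hyphens, starting with a letter, no trailing hyphen) can be expressed as `"pattern": "^[a-z][a-z0-9-]{4,28}[a-z0-9]$"` so the chart fails fast; confirm the constraint against current GCP documentation before pinning it. The companion `secrets.yaml` hunk base64-encodes this value itself while the adjacent `kasten-gke-sa.json` entry expects the user to pre-encode, and a one-line comment in values.yaml saying which fields must arrive pre-encoded would prevent the most likely support question.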
@@ -228,6 +228,7 @@ secrets: awsSecretAccessKey: '' awsIamRole: '' googleApiKey: '' + googleProjectId: '' dockerConfig: '' dockerConfigPath: '' azureTenantId: '' @@ -456,7 +457,7 @@ awsConfig: assumeRoleDuration: "" efsBackupVaultName: "k10vault" -excludedApps: [] +excludedApps: ["kube-system", "kube-ingress", "kube-node-lease", "kube-public", "kube-rook-ceph"] grafana: enabled: true diff --git a/charts/mongodb/community-operator/Chart.lock b/charts/mongodb/community-operator/Chart.lock index 17e9a7a82..fa6e49505 100644 --- a/charts/mongodb/community-operator/Chart.lock +++ b/charts/mongodb/community-operator/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: community-operator-crds repository: https://mongodb.github.io/helm-charts - version: 0.8.0 -digest: sha256:0269f3a1c42f288a4b21afb4ad5a0ad5044b87525bc9176891538785f9f8c9f4 -generated: "2023-05-16T09:59:08.976230041Z" + version: 0.8.1 +digest: sha256:cda6f5b7bcff0acff268d6280b2106411c814c046889d90c22b3810e2dcf9bb2 +generated: "2023-07-31T14:53:29.831699918Z" diff --git a/charts/mongodb/community-operator/Chart.yaml b/charts/mongodb/community-operator/Chart.yaml index 31c6cb66a..9f011d71d 100644 --- a/charts/mongodb/community-operator/Chart.yaml +++ b/charts/mongodb/community-operator/Chart.yaml @@ -4,12 +4,12 @@ annotations: catalog.cattle.io/kube-version: '>=1.16-0' catalog.cattle.io/release-name: community-operator apiVersion: v2 -appVersion: 0.8.0 +appVersion: 0.8.1 dependencies: - condition: community-operator-crds.enabled name: community-operator-crds repository: file://./charts/community-operator-crds - version: 0.8.0 + version: 0.8.1 description: MongoDB Kubernetes Community Operator home: https://github.com/mongodb/mongodb-kubernetes-operator icon: https://mongodb-images-new.s3.eu-west-1.amazonaws.com/leaf-green-dark.png @@ -23,4 +23,4 @@ maintainers: name: MongoDB name: community-operator type: application -version: 0.8.0 +version: 0.8.1 
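Review bot: The default for `excludedApps` changes from `[]` to five namespaces, so existing installs that never set it will, on upgrade, silently drop `kube-system` and the others from the dashboard and compliance views, and nothing in this diff records that as a behaviour change. Please add a comment above the key stating the new default and how to restore the old behaviour, e.g. `# Namespaces hidden from the dashboard & compliance views by default; set to [] to include them`, and call it out in the release notes. Two of the listed names, `kube-ingress` and `kube-rook-ceph`, are not standard Kubernetes namespaces, so a short note on why they are excluded would help anyone comparing this list against their own cluster's compliance scope.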
diff --git a/charts/mongodb/community-operator/charts/community-operator-crds/Chart.yaml b/charts/mongodb/community-operator/charts/community-operator-crds/Chart.yaml index adfa1228e..ed84775db 100644 --- a/charts/mongodb/community-operator/charts/community-operator-crds/Chart.yaml +++ b/charts/mongodb/community-operator/charts/community-operator-crds/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.8.0 +appVersion: 0.8.1 description: MongoDB Kubernetes Community Operator - CRDs home: https://github.com/mongodb/mongodb-kubernetes-operator icon: https://mongodb-images-new.s3.eu-west-1.amazonaws.com/leaf-green-dark.png @@ -13,4 +13,4 @@ maintainers: name: MongoDB name: community-operator-crds type: application -version: 0.8.0 +version: 0.8.1 diff --git a/charts/mongodb/community-operator/charts/community-operator-crds/templates/mongodbcommunity.mongodb.com_mongodbcommunity.yaml b/charts/mongodb/community-operator/charts/community-operator-crds/templates/mongodbcommunity.mongodb.com_mongodbcommunity.yaml index 5114f2823..f49535452 100644 --- a/charts/mongodb/community-operator/charts/community-operator-crds/templates/mongodbcommunity.mongodb.com_mongodbcommunity.yaml +++ b/charts/mongodb/community-operator/charts/community-operator-crds/templates/mongodbcommunity.mongodb.com_mongodbcommunity.yaml @@ -52,6 +52,12 @@ spec: spec: description: MongoDBCommunitySpec defines the desired state of MongoDB properties: + additionalConnectionStringConfig: + description: Additional options to be appended to the connection string. + These options apply to the entire resource and to each user. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true additionalMongodConfig: description: 'AdditionalMongodConfig is additional configuration that can be passed to each data-bearing mongod at runtime. Uses the same 
@@ -331,6 +337,19 @@ spec: description: StatefulSetConfiguration holds the optional custom StatefulSet that should be merged into the operator created one. properties: + metadata: + description: StatefulSetMetadataWrapper is a wrapper around Labels + and Annotations + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object spec: type: object x-kubernetes-preserve-unknown-fields: true @@ -348,6 +367,13 @@ spec: in your deployment items: properties: + additionalConnectionStringConfig: + description: Additional options to be appended to the connection + string. These options apply only to this user and will override + any existing options in the resource. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true connectionStringSecretName: description: ConnectionStringSecretName is the name of the secret object created by the operator which exposes the connection diff --git a/charts/mongodb/community-operator/templates/mongodbcommunity_cr_with_tls.yaml b/charts/mongodb/community-operator/templates/mongodbcommunity_cr_with_tls.yaml index 4680fd780..623b13fb9 100644 --- a/charts/mongodb/community-operator/templates/mongodbcommunity_cr_with_tls.yaml +++ b/charts/mongodb/community-operator/templates/mongodbcommunity_cr_with_tls.yaml @@ -75,5 +75,8 @@ spec: {{- end }} authentication: modes: ["SCRAM"] - users: [] + {{- with .Values.resource.users }} + users: + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/mongodb/community-operator/templates/operator.yaml b/charts/mongodb/community-operator/templates/operator.yaml index 14814dee2..3db8f7744 100644 --- a/charts/mongodb/community-operator/templates/operator.yaml +++ b/charts/mongodb/community-operator/templates/operator.yaml 
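Review bot: Wrapping `users:` in `{{- with .Values.resource.users }}` omits the key entirely when the list is empty, which is the chart default, whereas the old template rendered `users: []`. If the CRD marks `users` as required (its `required` list is not visible in this hunk) the default TLS resource will now fail admission; if it is optional the change is harmless but the rendered object differs from before. Adding `{{- else }}` followed by `users: []` before the existing `{{- end }}` preserves the previous output for the default while still allowing the new user list. The `spec:`/`authentication:` block this sits in starts above the hunk.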
@@ -22,6 +22,10 @@ spec: labels: name: {{ .Values.operator.name }} spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -68,7 +72,12 @@ spec: name: {{ .Values.operator.deploymentName }} resources: {{- toYaml .Values.operator.resources | nindent 12 }} + {{- if .Values.operator.securityContext }} securityContext: - readOnlyRootFilesystem: true - runAsUser: 2000 + {{- toYaml .Values.operator.securityContext | nindent 12 }} + {{- end }} + {{- if .Values.operator.podSecurityContext }} + securityContext: + {{- toYaml .Values.operator.podSecurityContext | nindent 8 }} + {{- end }} serviceAccountName: {{ .Values.operator.name }} diff --git a/charts/mongodb/community-operator/values.yaml b/charts/mongodb/community-operator/values.yaml index 91fab0d3c..5a6c8ace1 100644 --- a/charts/mongodb/community-operator/values.yaml +++ b/charts/mongodb/community-operator/values.yaml @@ -1,3 +1,8 @@ +## Reference to one or more secrets to be used when pulling images +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: "image-pull-secret" + ## Operator operator: # Name that will be assigned to most of internal Kubernetes objects like @@ -11,7 +16,7 @@ operator: deploymentName: mongodb-kubernetes-operator # Version of mongodb-kubernetes-operator - version: 0.8.0 + version: 0.8.1 # Uncomment this line to watch all namespaces # watchNamespace: "*" @@ -31,6 +36,12 @@ operator: # - name: CLUSTER_DOMAIN # value: my-cluster.domain + podSecurityContext: + runAsNonRoot: true + runAsUser: 2000 + + securityContext: {} + ## Operator's database database: name: mongodb-database 
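Review bot: The container `securityContext` is now rendered only when `.Values.operator.securityContext` is non-empty, and the new values default is `securityContext: {}`, so a default install loses the `readOnlyRootFilesystem: true` the chart previously hard-coded — a hardening regression that nothing in the diff calls out. `runAsUser: 2000` survives by moving to the new pod-level `podSecurityContext` (with `runAsNonRoot: true`, an improvement), but read-only root has no pod-level equivalent. I would ship the values default as `securityContext:` / `readOnlyRootFilesystem: true` instead of `{}`, and consider `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]` if the operator binary tolerates them. Two `securityContext:` keys now appear in the Deployment at different indents (container and pod), which is valid YAML but easy to misread; a comment on each saying which scope it belongs to would help.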
@@ -45,13 +56,13 @@ database: agent: name: mongodb-agent - version: 12.0.21.7698-1 + version: 12.0.24.7719-1 versionUpgradeHook: name: mongodb-kubernetes-operator-version-upgrade-post-start-hook version: 1.0.7 readinessProbe: name: mongodb-kubernetes-readinessprobe - version: 1.0.14 + version: 1.0.15 mongodb: name: mongo repo: docker.io @@ -85,3 +96,21 @@ resource: certManager: certDuration: 8760h # 365 days renewCertBefore: 720h # 30 days + + users: [] + # if using the MongoDBCommunity Resource, list any users to be added to the resource + # users: + # - name: my-user + # db: admin + # passwordSecretRef: # a reference to the secret that will be used to generate the user's password + # name: + # roles: + # - name: clusterAdmin + # db: admin + # - name: userAdminAnyDatabase + # db: admin + # - name: readWriteAnyDatabase + # db: admin + # - name: dbAdminAnyDatabase + # db: admin + # scramCredentialsSecretName: my-scram diff --git a/charts/nats/nats/.helmignore b/charts/nats/nats/.helmignore index 50af03172..240dfde2a 100644 --- a/charts/nats/nats/.helmignore +++ b/charts/nats/nats/.helmignore @@ -14,9 +14,13 @@ *.swp *.bak *.tmp +*.orig *~ # Various IDEs .project .idea/ *.tmproj .vscode/ + +# template tests +/test diff --git a/charts/nats/nats/Chart.yaml b/charts/nats/nats/Chart.yaml index a3486b2c9..251443699 100644 --- a/charts/nats/nats/Chart.yaml +++ b/charts/nats/nats/Chart.yaml @@ -18,4 +18,4 @@ maintainers: name: The NATS Authors url: https://github.com/nats-io name: nats -version: 0.19.17 +version: 1.0.0 diff --git a/charts/nats/nats/README.md b/charts/nats/nats/README.md index 14e0ec2e1..b596a67cc 100644 --- a/charts/nats/nats/README.md +++ b/charts/nats/nats/README.md 
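Review bot: The commented `users` example leaves `passwordSecretRef.name:` blank, so anyone who uncomments it verbatim renders `name: null` and gets a user the operator cannot resolve a password for. A concrete placeholder plus a note that the Secret must already exist in the release namespace, e.g. `passwordSecretRef:` / `  name: my-user-password  # pre-created Secret holding the user's password`, would make the example copy-safe. The role list in the example grants `clusterAdmin` together with the three `*AnyDatabase` roles, which is a fully privileged account; a one-line comment such as `# admin-level roles shown for illustration; give application users only the roles they need` would keep copy-paste from producing over-privileged users by default.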
@@ -1,918 +1,329 @@ # NATS Server -[NATS](https://nats.io) is a simple, secure and performant communications system for digital systems, services and devices. NATS is part of the Cloud Native Computing Foundation ([CNCF](https://cncf.io)). NATS has over [30 client language implementations](https://nats.io/download/), and its server can run on-premise, in the cloud, at the edge, and even on a Raspberry Pi. NATS can secure and simplify design and operation of modern distributed systems. +--- -## TL;DR; +[NATS](https://nats.io) is a simple, secure and performant communications system for digital systems, services and devices. +NATS is part of the Cloud Native Computing Foundation ([CNCF](https://cncf.io)). +NATS has over [30 client language implementations](https://nats.io/download/), and its server can run on-premise, in the cloud, at the edge, and even on a Raspberry Pi. +NATS can secure and simplify design and operation of modern distributed systems. -```console +```shell helm repo add nats https://nats-io.github.io/k8s/helm/charts/ -helm install my-nats nats/nats +helm upgrade --install nats nats/nats ``` -## Breaking Change Log +## Upgrade Nodes -- **0.15.0**: For users with JetStream enabled (`nats.jetstream.enabled = true`): `nats.jetstream.fileStorage.enabled` now defaults to `true` and `nats.jetstream.fileStorage.size` now defaults to `10Gi`. This updates the StatefulSet `spec.volumeClaimTemplates` field, which is immutable and cannot be changed on an existing StatefulSet; to upgrade from an older chart version, add the value: - ```yaml - nats: - jetstream: - fileStorage: - # add if enabled was previously the default setting - # not recommended; it would be better to migrate to a StatefulSet with storage enabled - enabled: false - # add if size was previously the default setting - size: 1Gi - ``` -- **0.12.0**: The `podManagementPolicy` value was introduced and set to `Parallel` by default, which controls the StatefulSet `spec.podManagementPolicy` field. 
This field is immutable and cannot be changed on an existing StatefulSet; to upgrade from an older chart version, add the value: - ```yaml - podManagementPolicy: OrderedReady - ``` +- **Upgrading from 0.x**: The `values.yaml` schema changed significantly from 0.x to 1.x. Read [UPGRADING.md](UPGRADING.md) for instructions on upgrading a 0.x release to 1.x. -## Configuration +## Values -### Server Image +There are a handful of explicitly defined options which are documented with comments in the [values.yaml](values.yaml) file. + +Everything in the NATS Config or Kubernetes Resources can be overridden by `merge` and `patch`, which is supported for the following values: + +| key | type | enabled by default | +|----------------------------------|-----------------------------------------------------------------------------------------------------------------------------|-----------------------------------------| +| `config` | [NATS Config](https://docs.nats.io/running-a-nats-service/configuration) | yes | +| `config.cluster` | [NATS Cluster](https://docs.nats.io/running-a-nats-service/configuration/clustering/cluster_config) | no | +| `config.cluster.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.jetstream` | [NATS JetStream](https://docs.nats.io/running-a-nats-service/configuration#jetstream) | no | +| `config.jetstream.fileStore.pvc` | [k8s PVC](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core) | yes, when `config.jetstream` is enabled | +| `config.nats.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.leafnodes` | [NATS LeafNodes](https://docs.nats.io/running-a-nats-service/configuration/leafnodes/leafnodes_conf) | no | +| `config.leafnodes.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.websocket` | [NATS 
WebSocket](https://docs.nats.io/running-a-nats-service/configuration/websocket/websocket_conf) | no | +| `config.websocket.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.websocket.ingress` | [k8s Ingress](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#ingress-v1-networking-k8s-io) | no | +| `config.mqtt` | [NATS MQTT](https://docs.nats.io/running-a-nats-service/configuration/mqtt/mqtt_config) | no | +| `config.mqtt.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.gateway` | [NATS Gateway](https://docs.nats.io/running-a-nats-service/configuration/gateways/gateway#gateway-configuration-block) | no | +| `config.gateway.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.resolver` | [NATS Resolver](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro/jwt/resolver) | no | +| `config.resolver.pvc` | [k8s PVC](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core) | yes, when `config.resolver` is enabled | +| `container` | nats [k8s Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core) | yes | +| `reloader` | config reloader [k8s Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core) | yes | +| `promExporter` | prometheus exporter [k8s Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core) | no | +| `promExporter.podMonitor` | [prometheus PodMonitor](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor) | no | +| `service` | [k8s Service](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core) | yes | +| `statefulSet` | [k8s 
StatefulSet](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#statefulset-v1-apps) | yes | +| `podTemplate` | [k8s PodTemplate](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core) | yes | +| `headlessService` | [k8s Service](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core) | yes | +| `configMap` | [k8s ConfiegMap](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#configmap-v1-core) | yes | +| `natsBox.context.default` | [NATS Context](https://docs.nats.io/using-nats/nats-tools/nats_cli#nats-contexts) | yes | +| `natsBox.context.[name]` | [NATS Context](https://docs.nats.io/using-nats/nats-tools/nats_cli#nats-contexts) | no | +| `natsBox.container` | nats-box [k8s Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core) | yes | +| `natsBox.deployment` | [k8s Deployment](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#deployment-v1-apps) | yes | +| `natsBox.podTemplate` | [k8s PodTemplate](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core) | yes | +| `natsBox.contextsSecret` | [k8s Secret](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secret-v1-core) | yes | +| `natsBox.contentsSecret` | [k8s Secret](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secret-v1-core) | yes | + +### Merge + +Merging is performed using the Helm `merge` function. Example - add NATS accounts and container resources: ```yaml -# use a specific versions -nats: +config: + merge: + accounts: + A: + users: + - {user: a, password: a} + B: + users: + - {user: b, password: b} +natsBox: + contexts: + a: + merge: {user: a, password: a} + b: + merge: {user: b, password: b} + defaultContextName: a +``` + +## Patch + +Patching is performed using [JSON Patch](https://jsonpatch.com/). 
Example - add additional route to end of route list: + +```yaml +config: + cluster: + enabled: true + patch: + - op: add + path: /routes/- + value: nats://demo.nats.io:6222 +``` + +## Common Configurations + +### JetStream Cluster on 3 separate hosts + +```yaml +config: + cluster: + enabled: true + replicas: 3 + jetstream: + enabled: true + fileStore: + pvc: + size: 10Gi + +podTemplate: + topologySpreadConstraints: + kubernetes.io/hostname: + maxSkew: 1 + whenUnsatisfiable: DoNotSchedule +``` + +### NATS Container Resources + +```yaml +container: + env: + # different from k8s units, suffix must be B, KiB, MiB, GiB, or TiB + # should be ~90% of memory limit + GOMEMLIMIT: 7GiB + merge: + # recommended limit is at least 2 CPU cores and 8Gi Memory for production JetStream clusters + resources: + requests: + cpu: "2" + memory: 8Gi + limits: + cpu: "2" + memory: 8Gi +``` + +### Specify Image Version + +```yaml +container: image: - tag: X.Y.Z-alpine - -# fully custom location -nats: - image: - registry: my.custom.registry - repository: my-nats - tag: latest - pullPolicy: Always + tag: x.y.z-alpine ``` -### Limits +### Operator Mode with NATS Resolver + +Run `nsc generate config --nats-resolver` and replace the `OPERATOR_JWT`, `SYS_ACCOUNT_ID`, and `SYS_ACCOUNT_JWT` with your values. +Make sure that you do not include the trailing `,` in the `SYS_ACCOUNT_JWT`. + +``` +config: + resolver: + enabled: true + merge: + type: full + interval: 2m + timeout: 1.9s + merge: + operator: OPERATOR_JWT + system_account: SYS_ACCOUNT_ID + resolver_preload: + SYS_ACCOUNT_ID: SYS_ACCOUNT_JWT +``` + + +## Accessing NATS + +The chart contains 2 services by default, `service` and `headlessService`. + +### `service` + +The `service` is intended to be accessed by NATS Clients. It is a `ClusterIP` service by default, however it can easily be changed to a different service type. 
+ +The `nats`, `websocket`, `leafnodes`, and `mqtt` ports will be exposed through this service by default if they are enabled. + +Example: change this service type to a `LoadBalancer`: ```yaml -nats: - # The number of connect attempts against discovered routes. - connectRetries: 30 - - # How many seconds should pass before sending a PING - # to a client that has no activity. - pingInterval: - - # Server settings. - limits: - maxConnections: - maxSubscriptions: - maxControlLine: - maxPayload: - - writeDeadline: - maxPending: - maxPings: - lameDuckDuration: - - # Number of seconds to wait for client connections to end after the pod termination is requested - terminationGracePeriodSeconds: 60 -``` - -#### Setting Go Memory Limit (Recommended) - -Since NATS Server v2.9 release, it is possible to use the `GOMEMLIMIT` environment variable to signal memory limits to the Go runtime (which is by default unaware of cgroups memory limits). You should set this to about 90% of the intended available memory resources for the NATS Server container. - -```yaml -nats: - gomemlimit: "4GiB" -``` - -### Logging - -*Note*: It is not recommended to enable trace or debug in production since enabling it will significantly degrade performance. - -```yaml -nats: - logging: - debug: - trace: - logtime: - connectErrorReports: - reconnectErrorReports: -``` - -### TLS setup for client connections - -You can find more on how to setup and trouble shoot TLS connnections at: -https://docs.nats.io/nats-server/configuration/securing_nats/tls - -```yaml -nats: - tls: - secret: - name: nats-client-tls - ca: "ca.crt" - cert: "tls.crt" - key: "tls.key" -``` - -## Clustering - -If clustering is enabled, then a 3-node cluster will be setup. 
More info at: -https://docs.nats.io/nats-server/configuration/clustering#nats-server-clustering - -```yaml -cluster: - enabled: true - replicas: 3 - - tls: - secret: - name: nats-server-tls - ca: "ca.crt" - cert: "tls.crt" - key: "tls.key" -``` - -Example: - -```sh -$ helm install nats nats/nats --set cluster.enabled=true -``` - -## Leafnodes - -Leafnode connections to extend a cluster. More info at: -https://docs.nats.io/nats-server/configuration/leafnodes - -```yaml -leafnodes: - enabled: true - remotes: - - url: "tls://connect.ngs.global:7422" - # credentials: - # secret: - # name: leafnode-creds - # key: TA.creds - # tls: - # secret: - # name: nats-leafnode-tls - # ca: "ca.crt" - # cert: "tls.crt" - # key: "tls.key" - - ####################### - # # - # TLS Configuration # - # # - ####################### - # - # # You can find more on how to setup and trouble shoot TLS connnections at: - # - # # https://docs.nats.io/nats-server/configuration/securing_nats/tls - # - tls: - secret: - name: nats-client-tls - ca: "ca.crt" - cert: "tls.crt" - key: "tls.key" -``` - -## Setting up External Access - -### Using HostPorts - -In case of both external access and advertisements being enabled, an -initializer container will be used to gather the public ips. This -container will required to have enough RBAC policy to be able to make a -look up of the public ip of the node where it is running. - -For example, to setup external access for a cluster and advertise the public ip to clients: - -```yaml -nats: - # Toggle whether to enable external access. - # This binds a host port for clients, gateways and leafnodes. - externalAccess: true - - # Toggle to disable client advertisements (connect_urls), - # in case of running behind a load balancer - # it might be required to disable advertisements. - advertise: true - - # In case both external access and advertise are enabled - # then a service account would be required to be able to - # gather the public ip from a node. 
- serviceAccount: "nats-server" -``` - -Where the service account named `nats-server` has the following RBAC policy for example: - -```yaml ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nats-server - namespace: default ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: nats-server -rules: -- apiGroups: [""] - resources: - - nodes - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: nats-server-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: nats-server -subjects: -- kind: ServiceAccount - name: nats-server - namespace: default -``` - -The container image of the initializer can be customized via: - -```yaml -bootconfig: - image: - tag: X.Y.Z -``` - -### Using LoadBalancers - -In case of using a load balancer for external access, it is recommended to disable advertise -so that internal ips from the NATS Servers are not advertised to the clients connecting through -the load balancer. - -```yaml -cluster: - enabled: true - noAdvertise: true - -leafnodes: - enabled: true - noAdvertise: true - -natsbox: - enabled: true -``` - -Then could use an L4 enabled load balancer to connect to NATS, for example: - -```yaml -apiVersion: v1 -kind: Service -metadata: - name: nats-lb -spec: - type: LoadBalancer - selector: - app.kubernetes.io/name: nats - ports: - - protocol: TCP - port: 4222 - targetPort: 4222 - name: nats - - protocol: TCP - port: 7422 - targetPort: 7422 - name: leafnodes - - protocol: TCP - port: 7522 - targetPort: 7522 - name: gateways -``` - -### Using NATS Chart as a Dependency - -In order to fully manage your deployment through Helm, you can use `nats` as a [helm dependency](https://helm.sh/docs/helm/helm_dependency/#helm-dependency). This is our recommend approach for exposing your NATS deployment with Services or WebSocket Ingresses. - -1. Example uses a helm chart named `mynats` (example: `helm create mynats`) -2. 
In `Chart.yaml` add the following dependencies block - ```yaml - dependencies: - - name: nats - version: 0.18.0 - repository: https://nats-io.github.io/k8s/helm/charts/ - ``` -3. Run `helm dep update` now (and any time you update the `nats` dependency version) -4. Add `nats` settings to the `values.yaml` file: - ```yaml - # notice the extra nats key here, must match the dependency name in Chart.yaml - nats: - nats: - jetstream: - enabled: true - cluster: - enabled: true - # disable cluster advertisements when running behind a load balancer - noAdvertise: true - - # add whatever other nats settings you need here - ``` -5. Add a template for your service to `templates/service-lb.yaml`: - ```yaml - apiVersion: v1 - kind: Service - metadata: - name: {{ include "mynats.fullname" . }}-lb - labels: - {{- include "mynats.labels" . | nindent 4 }} +service: + merge: spec: type: LoadBalancer - selector: - {{- include "nats.selectorLabels" .Subcharts.nats | nindent 4 }} - ports: - - name: nats - port: 4222 - protocol: TCP - targetPort: 4222 - ``` +``` -## Gateways +### `headlessService` -A super cluster can be formed by pointing to remote gateways. -You can find more about gateways in the NATS documentation: -https://docs.nats.io/nats-server/configuration/gateways +The `headlessService` is used for NATS Servers in the Stateful Set to discover one another. It is primarily intended to be used for Cluster Route connections. -> ⚠️ Note: When using Gateways and JetStream make sure that the deployment name is different so that the generated server names do not collide. +### TLS Considerations + +The TLS Certificate used for Client Connections should have a SAN covering DNS Name that clients access the `service` at. + +The TLS Certificate used for Cluster Route Connections should have a SAN covering the DNS Name that routes access each other on the `headlessService` at. This is `*.` by default. 
+ +## Advanced Features + +### Templating Values + +Anything in `values.yaml` can be templated: + +- maps matching the following syntax will be templated and parsed as YAML: + ```yaml + $tplYaml: | + yaml template + ``` +- maps matching the follow syntax will be templated, parsed as YAML, and spread into the parent map/slice + ```yaml + $tplYamlSpread: | + yaml template + ``` + +Example - change service name: ```yaml -gateway: - enabled: false - name: 'default' - - ############################# - # # - # List of remote gateways # - # # - ############################# - # gateways: - # - name: other - # url: nats://my-gateway-url:7522 - - ####################### - # # - # TLS Configuration # - # # - ####################### - # - # # You can find more on how to setup and trouble shoot TLS connnections at: - # - # # https://docs.nats.io/nats-server/configuration/securing_nats/tls - # - # tls: - # secret: - # name: nats-client-tls - # ca: "ca.crt" - # cert: "tls.crt" - # key: "tls.key" +service: + name: + $tplYaml: >- + {{ include "nats.fullname" . }}-svc ``` -## Auth setup +### NATS Config Units and Variables -### Auth with a Memory Resolver +NATS configuration extends JSON, and can represent Units and Variables. They must be wrapped in `<< >>` in order to template correctly. Example: ```yaml -auth: - enabled: true - - # Reference to the Operator JWT. - operatorjwt: - configMap: - name: operator-jwt - key: KO.jwt - - # Public key of the System Account - systemAccount: - - resolver: - ############################ - # # - # Memory resolver settings # - # # - ############################## - type: memory - - # - # Use a configmap reference which will be mounted - # into the container. 
- # - configMap: - name: nats-accounts - key: resolver.conf +config: + merge: + authorization: + # variable + token: << $TOKEN >> + # units + max_payload: << 2MB >> ``` -### Auth using an Account Server Resolver +templates to the `nats.conf`: -```yaml -auth: - enabled: true - - # Reference to the Operator JWT. - operatorjwt: - configMap: - name: operator-jwt - key: KO.jwt - - # Public key of the System Account - systemAccount: - - resolver: - ########################## - # # - # URL resolver settings # - # # - ########################## - type: URL - url: "http://nats-account-server:9090/jwt/v1/accounts/" ``` - -## JetStream - -### Setting up Memory and File Storage - -File Storage is **always** recommended, since JetStream's RAFT Meta Group will be persisted to file storage. The Storage Class used should be block storage. NFS is not recommended. - -```yaml -nats: - jetstream: - enabled: true - - memStorage: - enabled: true - size: 2Gi - - fileStorage: - enabled: true - size: 10Gi - # storageClassName: gp2 # NOTE: AWS setup but customize as needed for your infra. -``` - -### Using with an existing PersistentVolumeClaim - -For example, given the following `PersistentVolumeClaim`: - -```yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: nats-js-disk - annotations: - volume.beta.kubernetes.io/storage-class: "default" -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 3Gi -``` - -You can start JetStream so that one pod is bounded to it: - -```yaml -nats: - jetstream: - enabled: true - - fileStorage: - enabled: true - storageDirectory: /data/ - existingClaim: nats-js-disk - claimStorageSize: 3Gi -``` - -### Clustering example - -```yaml - -nats: - jetstream: - enabled: true - - memStorage: - enabled: true - size: "2Gi" - - fileStorage: - enabled: true - size: "10Gi" - -cluster: - enabled: true - # Cluster name is required, by default will be release name. 
- # name: "nats" - replicas: 3 -``` - -### Basic Authentication and JetStream - -```yaml -nats: - jetstream: - enabled: true - - memStorage: - enabled: true - size: "2Gi" - - fileStorage: - enabled: true - size: "10Gi" - # storageClassName: gp2 # NOTE: AWS setup but customize as needed for your infra. - -cluster: - enabled: true - # Can set a custom cluster name - # name: "nats" - replicas: 3 - -auth: - enabled: true - - systemAccount: "$SYS" - - basic: - accounts: - $SYS: - users: - - user: sys - pass: sys - js: - jetstream: true - users: - - user: foo -``` - -### NATS Resolver setup example - -As of NATS v2.2, the server now has a built-in NATS resolver of accounts. -The following is an example guide of how to get it configured. - -```sh -# Create a working directory to keep the creds. -mkdir nats-creds -cd nats-creds - -# This just creates some accounts for you to get started. -curl -fSl https://nats-io.github.io/k8s/setup/nsc-setup.sh | sh -source .nsc.env - -# You should have some accounts now, at least the following. -nsc list accounts -+-------------------------------------------------------------------+ -| Accounts | -+--------+----------------------------------------------------------+ -| Name | Public Key | -+--------+----------------------------------------------------------+ -| A | ABJ4OIKBBFCNXZDP25C7EWXCXOVCYYAGBEHFAG7F5XYCOYPHZLNSJYDF | -| B | ACVRK7GFBRQUCB3NEABGQ7XPNED2BSPT27GOX5QBDYW2NOFMQKK755DJ | -| SYS | ADGFH4NYV5V75SVM5DYSW5AWOD7H2NRUWAMO6XLZKIDGUWYEXCZG5D6N | -+--------+----------------------------------------------------------+ - -# Now create an account with JetStream support -export account=JS1 -nsc add account --name $account -nsc edit account --name $account --js-disk-storage -1 --js-consumer -1 --js-streams -1 -nsc add user -a $account js-user -``` - -Next, generate the NATS resolver config. This will be used to fill in the values of the YAML in the Helm template. 
-For example the result of generating this: - -```sh -nsc generate config --sys-account SYS --nats-resolver - -# Operator named KO -operator: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJDRlozRlE0WURNTUc1Q1UzU0FUWVlHWUdQUDJaQU1QUzVNRUdNWFdWTUJFWUdIVzc2WEdBIiwiaWF0IjoxNjMyNzgzMDk2LCJpc3MiOiJPQ0lWMlFGSldJTlpVQVQ1VDJZSkJJUkMzQjZKS01TWktRTkY1S0dQNE4zS1o0RkZEVkFXWVhDTCIsIm5hbWUiOiJLTyIsInN1YiI6Ik9DSVYyUUZKV0lOWlVBVDVUMllKQklSQzNCNkpLTVNaS1FORjVLR1A0TjNLWjRGRkRWQVdZWENMIiwibmF0cyI6eyJ0eXBlIjoib3BlcmF0b3IiLCJ2ZXJzaW9uIjoyfX0.e3gvJ-C1IBznmbUljeT_wbLRl1akv5IGBS3rbxs6mzzTvf3zlqQI4wDKVE8Gvb8qfTX6TIwocClfOqNaN3k3CQ - -# System Account named SYS -system_account: ADGFH4NYV5V75SVM5DYSW5AWOD7H2NRUWAMO6XLZKIDGUWYEXCZG5D6N - -resolver_preload: { - ADGFH4NYV5V75SVM5DYSW5AWOD7H2NRUWAMO6XLZKIDGUWYEXCZG5D6N: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.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.J7g73TEn-ZT13owq4cVWl4l0hZnGK4DJtH2WWOZmGbefcCQ1xsx4cIagKc1cZTCwUpELVAYnSkmPp4LsQOspBg, +{ + "authorization": { + "token": $TOKEN + }, + "max_payload": 2MB, + "port": 4222, + ... 
} ``` -In the YAML would be configured as follows: +### NATS Config Includes -``` -auth: - enabled: true - - timeout: "5s" - - resolver: - type: full - - operator: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJDRlozRlE0WURNTUc1Q1UzU0FUWVlHWUdQUDJaQU1QUzVNRUdNWFdWTUJFWUdIVzc2WEdBIiwiaWF0IjoxNjMyNzgzMDk2LCJpc3MiOiJPQ0lWMlFGSldJTlpVQVQ1VDJZSkJJUkMzQjZKS01TWktRTkY1S0dQNE4zS1o0RkZEVkFXWVhDTCIsIm5hbWUiOiJLTyIsInN1YiI6Ik9DSVYyUUZKV0lOWlVBVDVUMllKQklSQzNCNkpLTVNaS1FORjVLR1A0TjNLWjRGRkRWQVdZWENMIiwibmF0cyI6eyJ0eXBlIjoib3BlcmF0b3IiLCJ2ZXJzaW9uIjoyfX0.e3gvJ-C1IBznmbUljeT_wbLRl1akv5IGBS3rbxs6mzzTvf3zlqQI4wDKVE8Gvb8qfTX6TIwocClfOqNaN3k3CQ - - systemAccount: ADGFH4NYV5V75SVM5DYSW5AWOD7H2NRUWAMO6XLZKIDGUWYEXCZG5D6N - - store: - dir: "/etc/nats-config/accounts/jwt" - size: "1Gi" - - resolverPreload: - ADGFH4NYV5V75SVM5DYSW5AWOD7H2NRUWAMO6XLZKIDGUWYEXCZG5D6N: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.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.J7g73TEn-ZT13owq4cVWl4l0hZnGK4DJtH2WWOZmGbefcCQ1xsx4cIagKc1cZTCwUpELVAYnSkmPp4LsQOspBg -``` - -Now we start the server with the NATS Account Resolver (`auth.resolver.type=full`): +Any NATS Config key ending in `$include` will be replaced with an include directive. Included files should be in paths relative to `/etc/nats-config`. Multiple `$include` keys are supported by using a prefix, and will be sorted alphabetically. Example: ```yaml -nats: - logging: - debug: false - trace: false +config: + merge: + 00$include: auth.conf + 01$include: params.conf +configMap: + merge: + data: + auth.conf: | + accounts: { + A: { + users: [ + {user: a, password: a} + ] + }, + B: { + users: [ + {user: b, password: b} + ] + }, + } + params.conf: | + max_payload: 2MB +``` - jetstream: +templates to the `nats.conf`: + +``` +include auth.conf; +"port": 4222, +... +include params.conf; +``` + +### Extra Resources + +Enables adding additional arbitrary resources. 
Example - expose WebSocket via VirtualService in Istio: + +```yaml +config: + websocket: enabled: true - - memStorage: - enabled: true - size: "2Gi" - - fileStorage: - enabled: true - size: "10Gi" - # storageClassName: gp2 # NOTE: AWS setup but customize as needed for your infra. - -cluster: - enabled: true - # Can set a custom cluster name - name: "nats" - replicas: 3 - -auth: - enabled: true - - timeout: "5s" - - resolver: - type: full - - operator: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJDRlozRlE0WURNTUc1Q1UzU0FUWVlHWUdQUDJaQU1QUzVNRUdNWFdWTUJFWUdIVzc2WEdBIiwiaWF0IjoxNjMyNzgzMDk2LCJpc3MiOiJPQ0lWMlFGSldJTlpVQVQ1VDJZSkJJUkMzQjZKS01TWktRTkY1S0dQNE4zS1o0RkZEVkFXWVhDTCIsIm5hbWUiOiJLTyIsInN1YiI6Ik9DSVYyUUZKV0lOWlVBVDVUMllKQklSQzNCNkpLTVNaS1FORjVLR1A0TjNLWjRGRkRWQVdZWENMIiwibmF0cyI6eyJ0eXBlIjoib3BlcmF0b3IiLCJ2ZXJzaW9uIjoyfX0.e3gvJ-C1IBznmbUljeT_wbLRl1akv5IGBS3rbxs6mzzTvf3zlqQI4wDKVE8Gvb8qfTX6TIwocClfOqNaN3k3CQ - - systemAccount: ADGFH4NYV5V75SVM5DYSW5AWOD7H2NRUWAMO6XLZKIDGUWYEXCZG5D6N - - store: - dir: "/etc/nats-config/accounts/jwt" - size: "1Gi" - - resolverPreload: - ADGFH4NYV5V75SVM5DYSW5AWOD7H2NRUWAMO6XLZKIDGUWYEXCZG5D6N: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.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.J7g73TEn-ZT13owq4cVWl4l0hZnGK4DJtH2WWOZmGbefcCQ1xsx4cIagKc1cZTCwUpELVAYnSkmPp4LsQOspBg -``` - -Finally, using a local port-forward make it possible to establish a connection to one of the servers and upload the accounts. 
- -```sh -nsc push --system-account SYS -u nats://localhost:4222 -A -[ OK ] push to nats-server "nats://localhost:4222" using system account "SYS": - [ OK ] push JS1 to nats-server with nats account resolver: - [ OK ] pushed "JS1" to nats-server nats-0: jwt updated - [ OK ] pushed "JS1" to nats-server nats-1: jwt updated - [ OK ] pushed "JS1" to nats-server nats-2: jwt updated - [ OK ] pushed to a total of 3 nats-server -``` - -Now you should be able to use JetStream and the NATS based account resolver: - -```sh -nats stream ls -s localhost --creds ./nsc/nkeys/creds/KO/JS1/js-user.creds -No Streams defined -``` - -## Misc - -### NATS Box - -A lightweight container with NATS and NATS Streaming utilities that is deployed along the cluster to confirm the setup. -You can find the image at: https://github.com/nats-io/nats-box - -```yaml -natsbox: - enabled: true - image: - tag: X.Y.Z - - # credentials: - # secret: - # name: nats-sys-creds - # key: sys.creds -``` - -You can also add volumes to nats-box, for example given a PVC like: - -```yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nsc-pvc -spec: - accessModes: - - ReadWriteOnce - volumeMode: Filesystem - resources: - requests: - storage: 1Gi -``` - -You can give state to nats-box by using the `extraVolumes` and `extraVolumeMounts` options: - -```yaml -natsbox: - enabled: true - extraVolumes: - - name: nsc - persistentVolumeClaim: - claimName: nsc-pvc - extraVolumeMounts: - - mountPath: /nsc - name: nsc -``` - -example: - -```sh -$ helm install nats-nsc nats/nats -f examples/nats-box-persistent.yaml -$ kubectl exec -it deployment/nats-nsc-box -- /bin/sh - -# cd /nsc -/nsc # curl -fSl https://nats-io.github.io/k8s/setup/nsc-setup.sh | sh -/nsc # source .nsc.env -/nsc # nsc list accounts -``` - -### Configuration Checksum - -A configuration checksum annotation is enabled by default on StatefulSet Pods in order to force a rollout when the NATS configuration changes. 
This checksum is only applied by `helm` commands, and will not change if configuration is modified outside of setting `helm` values. - -```yaml -nats: - configChecksumAnnotation: true -``` - -### Configuration Reload sidecar - -The NATS configuration reload sidecar is enabled by default; it passes the configuration reload signal to the NATS server when it detects configuration changes: - -```yaml -reloader: - enabled: true - image: - tag: X.Y.Z -``` - -### Prometheus Exporter sidecar - -The Prometheus Exporter sidecar is enabled by default; it can be used to feed metrics to Prometheus: - -```yaml -exporter: - enabled: true - image: - tag: X.Y.Z -``` - -### Prometheus operator ServiceMonitor support - -You can enable prometheus operator ServiceMonitor: - -```yaml -exporter: - # You have to enable exporter first - enabled: true - serviceMonitor: - enabled: true - ## Specify the namespace where Prometheus Operator is running - # namespace: monitoring - # ... -``` - -### Pod Customizations - -#### Security Context - -```yaml - # Toggle whether to use setup a Pod Security Context - # ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -securityContext: - fsGroup: 1000 - runAsUser: 1000 - runAsNonRoot: true -``` - -#### Affinity - - - -`matchExpressions` must be configured according to your setup - -```yaml -affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node.kubernetes.io/purpose - operator: In - values: - - nats - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - nats - - stan - topologyKey: "kubernetes.io/hostname" -``` - -#### Service topology - -[Service topology](https://kubernetes.io/docs/concepts/services-networking/service-topology/) is disabled by default, but can be enabled by setting `topologyKeys`. 
For example: - -```yaml -topologyKeys: - - "kubernetes.io/hostname" - - "topology.kubernetes.io/zone" - - "topology.kubernetes.io/region" -``` - -#### CPU/Memory Resource Requests/Limits -Sets the pods cpu/memory requests/limits - -```yaml -nats: - resources: - requests: - cpu: 4 - memory: 8Gi - limits: - cpu: 6 - memory: 10Gi -``` - -No resources are set by default. It is recommended for NATS JetStream deployments to allocate at least 8Gi of memory and 4 cpus. - -#### Annotations - - - -```yaml -podAnnotations: - key1 : "value1", - key2 : "value2" -``` - -### Name Overides - -Can change the name of the resources as needed with: - -```yaml -nameOverride: "my-nats" -``` - -### Image Pull Secrets - -```yaml -imagePullSecrets: -- name: myRegistry -``` - -Adds this to the StatefulSet: - -```yaml -spec: - imagePullSecrets: - - name: myRegistry -``` - -### Mixed TLS and non TLS mode - -You can use the `nats.tls.allowNonTLS` option to allow a cluster to use TLS connections -and plain connections: - -```yaml -nats: - client: - port: 4222 - - tls: - allowNonTLS: true - secret: - name: nats-server-tls - ca: "ca.crt" - cert: "tls.crt" - key: "tls.key" - timeout: "5s" +extraResources: +- apiVersion: networking.istio.io/v1beta1 + kind: VirtualService + metadata: + namespace: + $tplYamlSpread: > + {{ include "nats.metadataNamespace" $ }} + name: + $tplYaml: > + {{ include "nats.fullname" $ | quote }} + labels: + $tplYaml: | + {{ include "nats.labels" $ }} + spec: + hosts: + - demo.nats.io + gateways: + - my-gateway + http: + - name: default + match: + - name: root + uri: + exact: / + route: + - destination: + host: + $tplYaml: > + {{ .Values.service.name | quote }} + port: + number: + $tplYaml: > + {{ .Values.config.websocket.port }} ``` diff --git a/charts/nats/nats/UPGRADING.md b/charts/nats/nats/UPGRADING.md new file mode 100644 index 000000000..9cc177991 --- /dev/null +++ b/charts/nats/nats/UPGRADING.md 
@@ -0,0 +1,155 @@ +# Upgrading from 0.x to 1.x + +Instructions for upgrading an existing `nats` 0.x release to 1.x. + +## Rename Immutable Fields + +There are a number of immutable fields in the NATS Stateful Set and NATS Box deployment. All 1.x `values.yaml` files targeting an existing 0.x release will require some or all of these settings: + +```yaml +config: + # required if using JetStream file storage + jetstream: + # uncomment the next line if using JetStream file storage + # enabled: true + fileStore: + pvc: + name: + $tplYaml: >- + {{ include "nats.fullname" . }}-js-pvc + # set other PVC options here to make it match 0.x, refer to values.yaml for schema + + # required if using a full or cache resolver + resolver: + # uncomment the next line if using a full or cache resolver + # enabled: true + pvc: + name: nats-jwt-pvc + # set other PVC options here to make it match 0.x, refer to values.yaml for schema + +# required +statefulSet: + patch: + - op: remove + path: /spec/selector/matchLabels/app.kubernetes.io~1component + - $tplYamlSpread: |- + {{- if and + .Values.config.jetstream.enabled + .Values.config.jetstream.fileStore.enabled + .Values.config.jetstream.fileStore.pvc.enabled + .Values.config.resolver.enabled + .Values.config.resolver.pvc.enabled + }} + - op: move + from: /spec/volumeClaimTemplates/0 + path: /spec/volumeClaimTemplates/1 + {{- else}} + [] + {{- end }} + +# required +headlessService: + name: + $tplYaml: >- + {{ include "nats.fullname" . }} + +# required unless 0.x values explicitly set nats.serviceAccount.create=false +serviceAccount: + enabled: true + +# required to use new ClusterIP service for Clients accessing NATS +# if using TLS, this may require adding another SAN +service: + # uncomment the next line to disable the new ClusterIP service + # enabled: false + name: + $tplYaml: >- + {{ include "nats.fullname" . 
}}-svc + +# required if using NatsBox +natsBox: + deployment: + patch: + - op: replace + path: /spec/selector/matchLabels + value: + app: nats-box + - op: add + path: /spec/template/metadata/labels/app + value: nats-box +``` + +## Update NATS Config to new values.yaml schema + +Most values that control the NATS Config have changed and moved under the `config` key. Refer to the 1.x Chart's [values.yaml](values.yaml) for the complete schema. + +After migrating to the new values schema, ensure that changes you expect in the NATS Config files match by templating the old and new config files. + +Template your old 0.x Config Map, this example uses a file called `values-old.yaml`: + +```sh +helm template \ + --version "0.x" \ + -f values-old.yaml \ + -s templates/configmap.yaml \ + nats \ + nats/nats +``` + +Template your new 1.x Config Map, this example uses a file called `values.yaml`: + +```sh +helm template \ + --version "^1-beta" \ + -f values.yaml \ + -s templates/config-map.yaml \ + nats \ + nats/nats +``` + +## Update Kubernetes Resources to new values.yaml schema + +Most values that control Kubernetes Resources have been changed. Refer to the 1.x Chart's [values.yaml](values.yaml) for the complete schema. + +After migrating to the new values schema, ensure that changes you expect in resources match by templating the old and new resources. 
+ +| Resource | 0.x Template File | 1.x Template File | +|-------------------------|---------------------------------|-------------------------------------------| +| Config Map | `templates/configmap.yaml` | `templates/config-map.yaml` | +| Stateful Set | `templates/statefulset.yaml` | `templates/stateful-set.yaml` | +| Headless Service | `templates/service.yaml` | `templates/headless-service.yaml` | +| ClusterIP Service | N/A | `templates/service.yaml` | +| Network Policy | `templates/networkpolicy.yaml` | N/A | +| Pod Disruption Budget | `templates/pdb.yaml` | `templates/pod-disruption-budget.yaml` | +| Service Account | `templates/rbac.yaml` | `templates/service-account.yaml` | +| Resource | `templates/` | `templates/` | +| Resource | `templates/` | `templates/` | +| Prometheus Monitor | `templates/serviceMonitor.yaml` | `templates/pod-monitor.yaml` | +| NatsBox Deployment | `templates/nats-box.yaml` | `templates/nats-box/deployment.yaml` | +| NatsBox Service Account | N/A | `templates/nats-box/service-account.yaml` | +| NatsBox Contents Secret | N/A | `templates/nats-box/contents-secret.yaml` | +| NatsBox Contexts Secret | N/A | `templates/nats-box/contexts-secret.yaml` | + +For example, to check that the Stateful Set matches: + +Template your old 0.x Stateful Set, this example uses a file called `values-old.yaml`: + +```sh +helm template \ + --version "0.x" \ + -f values-old.yaml \ + -s templates/statefulset.yaml \ + nats \ + nats/nats +``` + +Template your new 1.x Stateful Set, this example uses a file called `values.yaml`: + +```sh +helm template \ + --version "^1-beta" \ + -f values.yaml \ + -s templates/stateful-set.yaml \ + nats \ + nats/nats +``` diff --git a/charts/nats/nats/files/config-map.yaml b/charts/nats/nats/files/config-map.yaml new file mode 100644 index 000000000..89ee3c281 --- /dev/null +++ b/charts/nats/nats/files/config-map.yaml 
@@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.configMap.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +data: + nats.conf: | + {{- include "nats.formatConfig" .config | nindent 4 }} diff --git a/charts/nats/nats/files/config/cluster.yaml b/charts/nats/nats/files/config/cluster.yaml new file mode 100644 index 000000000..719cb8ade --- /dev/null +++ b/charts/nats/nats/files/config/cluster.yaml @@ -0,0 +1,32 @@ +{{- with .Values.config.cluster }} +name: {{ $.Values.statefulSet.name }} +port: {{ .port }} +no_advertise: true +routes: +{{- $proto := ternary "tls" "nats" .tls.enabled }} +{{- $auth := "" }} +{{- if and .routeURLs.user .routeURLs.password }} + {{- $auth = printf "%s:%s@" (urlquery .routeURLs.user) (urlquery .routeURLs.password) -}} +{{- end }} +{{- $domain := $.Values.headlessService.name }} +{{- if .routeURLs.useFQDN }} + {{- $domain = printf "%s.%s.svc.%s" $domain (include "nats.namespace" $) .routeURLs.k8sClusterDomain }} +{{- end }} +{{- $port := (int .port) }} +{{- range $i, $_ := until (int .replicas) }} +- {{ printf "%s://%s%s-%d.%s:%d" $proto $auth $.Values.statefulSet.name $i $domain $port }} +{{- end }} + +{{- if and .routeURLs.user .routeURLs.password }} +authorization: + user: {{ .routeURLs.user | quote }} + password: {{ .routeURLs.password | quote }} +{{- end }} + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/files/config/config.yaml b/charts/nats/nats/files/config/config.yaml new file mode 100644 index 000000000..cc1849a89 --- /dev/null +++ b/charts/nats/nats/files/config/config.yaml 
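Review bot: In cluster.yaml the route credentials are rendered in plaintext into `nats.conf` — once in the `authorization:` block (`password: {{ .routeURLs.password | quote }}`) and once more embedded in every route URL through the `$auth` prefix — and config-map.yaml stores that file as a ConfigMap rather than a Secret, so the password is readable by anything with ConfigMap read access in the namespace. nats-server resolves `$VAR` references from its environment, which this chart already relies on for `server_name: << $SERVER_NAME >>` in config.yaml, so a Secret-backed env var referenced the same way would keep at least the `authorization:` stanza out of the ConfigMap; the `$auth` prefix on the route URLs would need the same treatment. Until then the stanza deserves a comment such as `# NOTE: route user/password end up in the ConfigMap in plaintext; namespace RBAC on ConfigMaps is the only protection`.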
@@ -0,0 +1,115 @@ +{{- $pidFile := ternary "/var/run/nats/nats.pid" "/var/run/nats.pid" .Values.reloader.enabled }} +{{- with .Values.config }} + +server_name: << $SERVER_NAME >> +lame_duck_grace_period: 10s +lame_duck_duration: 30s +pid_file: {{ $pidFile }} + +######################################## +# NATS +######################################## +{{- with .nats }} +port: {{ .port }} + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} + +######################################## +# leafnodes +######################################## +{{- with .leafnodes }} +{{- if .enabled }} +leafnodes: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/leafnodes.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# websocket +######################################## +{{- with .websocket }} +{{- if .enabled }} +websocket: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/websocket.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# MQTT +######################################## +{{- with .mqtt }} +{{- if .enabled }} +mqtt: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/mqtt.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# cluster +######################################## +{{- with .cluster }} +{{- if .enabled }} +cluster: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/cluster.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# gateway +######################################## +{{- with .gateway }} +{{- if .enabled }} +gateway: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/gateway.yaml" "ctx" $) .) 
| nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# monitor +######################################## +{{- with .monitor }} +{{- if .enabled }} +{{- if .tls.enabled }} +https_port: {{ .port }} +{{- else }} +http_port: {{ .port }} +{{- end }} +{{- end }} +{{- end }} + +######################################## +# profiling +######################################## +{{- with .profiling }} +{{- if .enabled }} +prof_port: {{ .port }} +{{- end }} +{{- end }} + +######################################## +# jetstream +######################################## +{{- with $.Values.config.jetstream -}} +{{- if .enabled }} +jetstream: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/jetstream.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# resolver +######################################## +{{- with $.Values.config.resolver -}} +{{- if .enabled }} +resolver: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/resolver.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +{{- end }} diff --git a/charts/nats/nats/files/config/gateway.yaml b/charts/nats/nats/files/config/gateway.yaml new file mode 100644 index 000000000..32d4ed9f7 --- /dev/null +++ b/charts/nats/nats/files/config/gateway.yaml @@ -0,0 +1,11 @@ +{{- with .Values.config.gateway }} +name: {{ $.Values.statefulSet.name }} +port: {{ .port }} + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/files/config/jetstream.yaml b/charts/nats/nats/files/config/jetstream.yaml new file mode 100644 index 000000000..17262f643 --- /dev/null +++ b/charts/nats/nats/files/config/jetstream.yaml 
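Review bot: The `<< $SERVER_NAME >>` marker on `server_name` in config.yaml (and `<< {{ . }} >>` in jetstream.yaml) is undocumented; it is presumably a raw/unquoted marker consumed by `nats.formatConfig`, whose definition is not in this diff, and `$SERVER_NAME` is then resolved by nats-server from the `SERVER_NAME` env var set in nats-container.yaml. A reader of the rendered file cannot tell that from the template, so a comment above the line would help, e.g. `# << >> emits the value unquoted so nats-server resolves $SERVER_NAME from the container env`. Please confirm the marker's semantics against the helper before wording it.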
@@ -0,0 +1,23 @@ +{{- with .Values.config.jetstream }} +{{- with .memoryStore }} +{{- if .enabled }} +{{- with .maxSize }} +max_memory_store: << {{ . }} >> +{{- end }} +{{- else }} +max_memory_store: 0 +{{- end }} +{{- end }} +{{- with .fileStore }} +{{- if .enabled }} +store_dir: {{ .dir }} +{{- if .maxSize }} +max_file_store: << {{ .maxSize }} >> +{{- else if .pvc.enabled }} +max_file_store: << {{ .pvc.size }} >> +{{- end }} +{{- else }} +max_file_store: 0 +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/files/config/leafnodes.yaml b/charts/nats/nats/files/config/leafnodes.yaml new file mode 100644 index 000000000..3a1d9a14a --- /dev/null +++ b/charts/nats/nats/files/config/leafnodes.yaml @@ -0,0 +1,11 @@ +{{- with .Values.config.leafnodes }} +port: {{ .port }} +no_advertise: true + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/files/config/mqtt.yaml b/charts/nats/nats/files/config/mqtt.yaml new file mode 100644 index 000000000..e25d8a3e0 --- /dev/null +++ b/charts/nats/nats/files/config/mqtt.yaml @@ -0,0 +1,10 @@ +{{- with .Values.config.mqtt }} +port: {{ .port }} + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/files/config/protocol.yaml b/charts/nats/nats/files/config/protocol.yaml new file mode 100644 index 000000000..288c80d75 --- /dev/null +++ b/charts/nats/nats/files/config/protocol.yaml @@ -0,0 +1,10 @@ +{{- with .protocol }} +port: {{ .port }} + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} 
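Review bot: protocol.yaml is written against a different context than its siblings — it opens with `{{- with .protocol }}` while leafnodes.yaml and mqtt.yaml open with `{{- with .Values.config.<name> }}` — and none of the `nats.loadMergePatch` includes in config.yaml reference `config/protocol.yaml`. If it is a leftover generic template it should be removed, and if it is used by a helper outside this diff, a header comment naming the caller and the expected `.protocol` shape would keep it from being mistaken for dead code. I can only see the `files/` side here, so this is an inference from the visible includes.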
diff --git a/charts/nats/nats/files/config/resolver.yaml b/charts/nats/nats/files/config/resolver.yaml new file mode 100644 index 000000000..a6761c403 --- /dev/null +++ b/charts/nats/nats/files/config/resolver.yaml @@ -0,0 +1,3 @@ +{{- with .Values.config.resolver }} +dir: {{ .dir }} +{{- end }} diff --git a/charts/nats/nats/files/config/tls.yaml b/charts/nats/nats/files/config/tls.yaml new file mode 100644 index 000000000..26aee0155 --- /dev/null +++ b/charts/nats/nats/files/config/tls.yaml @@ -0,0 +1,16 @@ +# tls +{{- with .tls }} +{{- if .secretName }} +{{- $dir := trimSuffix "/" .dir }} +cert_file: {{ printf "%s/%s" $dir (.cert | default "tls.crt") | quote }} +key_file: {{ printf "%s/%s" $dir (.key | default "tls.key") | quote }} +{{- end }} +{{- end }} + +# tlsCA +{{- with $.Values.tlsCA }} +{{- if and .enabled (or .configMapName .secretName) }} +{{- $dir := trimSuffix "/" .dir }} +ca_file: {{ printf "%s/%s" $dir (.key | default "ca.crt") | quote }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/files/config/websocket.yaml b/charts/nats/nats/files/config/websocket.yaml new file mode 100644 index 000000000..e3cdd4cc4 --- /dev/null +++ b/charts/nats/nats/files/config/websocket.yaml @@ -0,0 +1,13 @@ +{{- with .Values.config.websocket }} +port: {{ .port }} +compression: true + +{{- if .tls.enabled }} +{{- with .tls }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- else }} +no_tls: true +{{- end }} +{{- end }} diff --git a/charts/nats/nats/files/headless-service.yaml b/charts/nats/nats/files/headless-service.yaml new file mode 100644 index 000000000..da6552b37 --- /dev/null +++ b/charts/nats/nats/files/headless-service.yaml 
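Review bot: tls.yaml sets `ca_file` from `tlsCA` but never emits `verify`, and as far as I recall nats-server only requires client certificates when `verify: true` (or `verify_and_map`) is set in the `tls` block — with just `ca_file` the server still accepts any client without a certificate. That is a legitimate default for a one-way-TLS chart, but operators configuring `tlsCA` for mutual TLS will assume more than they get, so the `# tlsCA` section should say so, e.g. `# ca_file alone does not require client certs; set verify: true via config.<listener>.tls.merge for mTLS`. The same tls.yaml is reused by the nats, leafnodes, mqtt, websocket, cluster and gateway listeners, so one comment covers all of them.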
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Service +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.headlessService.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + selector: + {{- include "nats.selectorLabels" $ | nindent 4 }} + clusterIP: None + publishNotReadyAddresses: true + ports: + {{- range $protocol := list "nats" "leafnodes" "websocket" "mqtt" "cluster" "gateway" "monitor" "profiling" }} + {{- $configProtocol := get $.Values.config $protocol }} + {{- if or (eq $protocol "nats") $configProtocol.enabled }} + {{- $tlsEnabled := false }} + {{- if hasKey $configProtocol "tls" }} + {{- $tlsEnabled = $configProtocol.tls.enabled }} + {{- end }} + {{- $appProtocol := or (eq $protocol "websocket") (eq $protocol "monitor") | ternary ($tlsEnabled | ternary "https" "http") ($tlsEnabled | ternary "tls" "tcp") }} + - {{ dict "name" $protocol "port" $configProtocol.port "targetPort" $protocol "appProtocol" $appProtocol | toYaml | nindent 4 }} + {{- end }} + {{- end }} diff --git a/charts/nats/nats/files/ingress.yaml b/charts/nats/nats/files/ingress.yaml new file mode 100644 index 000000000..b59f0fa5f --- /dev/null +++ b/charts/nats/nats/files/ingress.yaml 
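Review bot: headless-service.yaml publishes every enabled protocol, including `monitor` and `profiling`, with no per-port opt-out, whereas service.yaml in this same commit gates each port on `service.ports.<protocol>.enabled`. The pprof and monitoring endpoints are unauthenticated, and the UPGRADING table in this commit shows the 0.x `templates/networkpolicy.yaml` has no 1.x counterpart, so enabling `config.profiling` now resolves a debug port cluster-wide with nothing in the chart restricting who can reach it. If the asymmetry is intentional (peers need cluster/gateway via the headless name), a comment above the `range` such as `# all enabled listeners are published here; restrict monitor/profiling with a NetworkPolicy` would make the expectation explicit.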
@@ -0,0 +1,34 @@ +{{- with .Values.config.websocket.ingress }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + {{- with .className }} + ingressClassName: {{ . | quote }} + {{- end }} + rules: + {{- $path := .path }} + {{- $pathType := .pathType }} + {{- range .hosts }} + - host: {{ . | quote }} + http: + paths: + - path: {{ $path | quote }} + pathType: {{ $pathType | quote }} + backend: + service: + name: {{ $.Values.service.name }} + port: + name: websocket + {{- end }} + {{- if .tlsSecretName }} + tls: + - secretName: {{ .tlsSecretName | quote }} + hosts: + {{- toYaml .hosts | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/nats/nats/files/nats-box/contents-secret.yaml b/charts/nats/nats/files/nats-box/contents-secret.yaml new file mode 100644 index 000000000..6e8fdb26f --- /dev/null +++ b/charts/nats/nats/files/nats-box/contents-secret.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.natsBox.contentsSecret.name }} + labels: + {{- include "natsBox.labels" $ | nindent 4 }} +type: Opaque +stringData: + {{- range $ctxKey, $ctxVal := .Values.natsBox.contexts }} + {{- range $secretKey, $secretVal := dict "creds" "creds" "nkey" "nk" }} + {{- $secret := get $ctxVal $secretKey }} + {{- if and $secret $secret.contents }} + "{{ $ctxKey }}.{{ $secretVal }}": {{ $secret.contents | quote }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/nats/nats/files/nats-box/contexts-secret/context.yaml b/charts/nats/nats/files/nats-box/contexts-secret/context.yaml new file mode 100644 index 000000000..97e4671b5 --- /dev/null +++ b/charts/nats/nats/files/nats-box/contexts-secret/context.yaml 
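Review bot: ingress.yaml only emits the `tls:` block when `tlsSecretName` is set, so an Ingress created without it serves the websocket listener over plain HTTP from the edge, and websocket.yaml in this commit additionally writes `no_tls: true` when `config.websocket.tls.enabled` is false, meaning the ingress-to-pod hop is plaintext even when the edge terminates TLS. Neither the template nor the values snippet documents that, so a comment above the `{{- if .tlsSecretName }}` line would help: `# without tlsSecretName the Ingress is plain HTTP; pod-side TLS is governed separately by config.websocket.tls`.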
@@ -0,0 +1,49 @@ +{{- $contextName := .contextName }} + +# url +{{- if .Values.service.enabled }} +url: nats://{{ .Values.service.name }} +{{- else }} +url: nats://{{ .Values.headlessService.name }} +{{- end }} + +{{- with .context }} + +# creds +{{- with .creds}} +{{- if .contents }} +creds: /etc/nats-contents/{{ $contextName }}.creds +{{- else if .secretName }} +{{- $dir := trimSuffix "/" .dir }} +creds: {{ printf "%s/%s" $dir (.key | default "nats.creds") | quote }} +{{- end }} +{{- end }} + +# nkey +{{- with .nkey}} +{{- if .contents }} +nkey: /etc/nats-contents/{{ $contextName }}.nk +{{- else if .secretName }} +{{- $dir := trimSuffix "/" .dir }} +nkey: {{ printf "%s/%s" $dir (.key | default "nats.nk") | quote }} +{{- end }} +{{- end }} + +# tls +{{- with .tls }} +{{- if .secretName }} +{{- $dir := trimSuffix "/" .dir }} +cert: {{ printf "%s/%s" $dir (.cert | default "tls.crt") | quote }} +key: {{ printf "%s/%s" $dir (.key | default "tls.key") | quote }} +{{- end }} +{{- end }} + +# tlsCA +{{- with $.Values.tlsCA }} +{{- if and .enabled (or .configMapName .secretName) }} +{{- $dir := trimSuffix "/" .dir }} +ca: {{ printf "%s/%s" $dir (.key | default "ca.crt") | quote }} +{{- end }} +{{- end }} + +{{- end }} diff --git a/charts/nats/nats/files/nats-box/contexts-secret/contexts-secret.yaml b/charts/nats/nats/files/nats-box/contexts-secret/contexts-secret.yaml new file mode 100644 index 000000000..0ce8d1d87 --- /dev/null +++ b/charts/nats/nats/files/nats-box/contexts-secret/contexts-secret.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.natsBox.contextsSecret.name }} + labels: + {{- include "natsBox.labels" $ | nindent 4 }} +type: Opaque +stringData: +{{- range $ctxKey, $ctxVal := .Values.natsBox.contexts }} + "{{ $ctxKey }}.json": | + {{- include "toPrettyRawJson" (include "nats.loadMergePatch" (dict "file" "nats-box/contexts-secret/context.yaml" "merge" (.merge | default dict) "patch" (.patch | default list) "ctx" (merge (dict "contextName" $ctxKey "context" $ctxVal) $)) | fromYaml) | nindent 4 }} +{{- end }} diff --git a/charts/nats/nats/files/nats-box/deployment/container.yaml b/charts/nats/nats/files/nats-box/deployment/container.yaml new file mode 100644 index 000000000..9c99959f9 --- /dev/null +++ b/charts/nats/nats/files/nats-box/deployment/container.yaml @@ -0,0 +1,43 @@ +name: nats-box +{{ include "nats.image" (merge (pick $.Values "global") .Values.natsBox.container.image) }} + +{{- with .Values.natsBox.container.env }} +env: +{{- include "nats.env" . }} +{{- end }} + +command: +- sh +- -ec +- | + work_dir="$(pwd)" + mkdir -p "$XDG_CONFIG_HOME/nats" + cd "$XDG_CONFIG_HOME/nats" + if ! [ -s context ]; then + ln -s /etc/nats-contexts context + fi + {{- if .Values.natsBox.defaultContextName }} + if ! [ -f context.txt ]; then + echo -n {{ .Values.natsBox.defaultContextName | quote }} > context.txt + fi + {{- end }} + cd "$work_dir" + exec sh -ec "$0" +args: +- trap true INT TERM; sleep infinity & wait +volumeMounts: +# contexts secret +- name: contexts + mountPath: /etc/nats-contexts +# contents secret +{{- if .hasContentsSecret }} +- name: contents + mountPath: /etc/nats-contents +{{- end }} +# tlsCA +{{- include "nats.tlsCAVolumeMount" $ }} +# secrets +{{- range (include "natsBox.secretNames" $ | fromJson).secretNames }} +- name: {{ .name | quote }} + mountPath: {{ .dir | quote }} +{{- end }} 
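Review bot: In nats-box/deployment/container.yaml the line `echo -n {{ .Values.natsBox.defaultContextName | quote }} > context.txt` interpolates a chart value into a shell script, but `quote` produces a YAML/Go double-quoted string, not a shell-quoted one, so `$`, backticks and backslashes in the value are still expanded by `sh`. Since the value is only meant to be a context name, `squote` is the closer fit (`echo -n {{ .Values.natsBox.defaultContextName | squote }} > context.txt`), with the caveat that `squote` does not escape an embedded single quote either, so a comment noting the restriction would be reasonable. The script also assumes `XDG_CONFIG_HOME` is set by the image or env; that is not visible here.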
diff --git a/charts/nats/nats/files/nats-box/deployment/deployment.yaml b/charts/nats/nats/files/nats-box/deployment/deployment.yaml new file mode 100644 index 000000000..bf39dd8d5 --- /dev/null +++ b/charts/nats/nats/files/nats-box/deployment/deployment.yaml @@ -0,0 +1,16 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.natsBox.deployment.name }} + labels: + {{- include "natsBox.labels" $ | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "natsBox.selectorLabels" $ | nindent 6 }} + replicas: 1 + template: + {{- with .Values.natsBox.podTemplate }} + {{ include "nats.loadMergePatch" (merge (dict "file" "nats-box/deployment/pod-template.yaml" "ctx" $) .) | nindent 4 }} + {{- end }} diff --git a/charts/nats/nats/files/nats-box/deployment/pod-template.yaml b/charts/nats/nats/files/nats-box/deployment/pod-template.yaml new file mode 100644 index 000000000..47e6fbbbe --- /dev/null +++ b/charts/nats/nats/files/nats-box/deployment/pod-template.yaml 
@@ -0,0 +1,37 @@ +metadata: + labels: + {{- include "natsBox.labels" $ | nindent 4 }} +spec: + containers: + {{- with .Values.natsBox.container }} + - {{ include "nats.loadMergePatch" (merge (dict "file" "nats-box/deployment/container.yaml" "ctx" $) .) | nindent 4 }} + {{- end }} + + # service discovery uses DNS; don't need service env vars + enableServiceLinks: false + + {{- with .Values.natsBox.serviceAccount }} + {{- if .enabled }} + serviceAccountName: {{ .name | quote }} + {{- end }} + {{- end }} + + volumes: + # contexts secret + - name: contexts + secret: + secretName: {{ .Values.natsBox.contextsSecret.name }} + # contents secret + {{- if .hasContentsSecret }} + - name: contents + secret: + secretName: {{ .Values.natsBox.contentsSecret.name }} + {{- end }} + # tlsCA + {{- include "nats.tlsCAVolume" $ | nindent 2 }} + # secrets + {{- range (include "natsBox.secretNames" $ | fromJson).secretNames }} + - name: {{ .name | quote }} + secret: + secretName: {{ .secretName | quote }} + {{- end }} diff --git a/charts/nats/nats/files/nats-box/service-account.yaml b/charts/nats/nats/files/nats-box/service-account.yaml new file mode 100644 index 000000000..c31e52f18 --- /dev/null +++ b/charts/nats/nats/files/nats-box/service-account.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.natsBox.serviceAccount.name }} + labels: + {{- include "natsBox.labels" $ | nindent 4 }} diff --git a/charts/nats/nats/files/pod-disruption-budget.yaml b/charts/nats/nats/files/pod-disruption-budget.yaml new file mode 100644 index 000000000..fd1fdead5 --- /dev/null +++ b/charts/nats/nats/files/pod-disruption-budget.yaml 
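Review bot: nats-box/deployment/pod-template.yaml attaches a ServiceAccount when `natsBox.serviceAccount.enabled` is true but neither the pod spec nor nats-box/service-account.yaml sets `automountServiceAccountToken`, so the nats-box pod receives an API token it has no visible use for. The same applies to the nats StatefulSet pod template and `files/service-account.yaml` later in this diff; nothing in these hunks calls the Kubernetes API. Unless a helper outside the diff needs it, adding `automountServiceAccountToken: false` to both pod specs (or to the ServiceAccounts) follows least privilege at no cost.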
@@ -0,0 +1,12 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.podDisruptionBudget.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + maxUnavailable: 1 + selector: + matchLabels: + {{- include "nats.selectorLabels" $ | nindent 6 }} diff --git a/charts/nats/nats/files/pod-monitor.yaml b/charts/nats/nats/files/pod-monitor.yaml new file mode 100644 index 000000000..c6c8eae06 --- /dev/null +++ b/charts/nats/nats/files/pod-monitor.yaml @@ -0,0 +1,13 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.promExporter.podMonitor.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "nats.selectorLabels" $ | nindent 6 }} + podMetricsEndpoints: + - port: prom-metrics diff --git a/charts/nats/nats/files/service-account.yaml b/charts/nats/nats/files/service-account.yaml new file mode 100644 index 000000000..22c18cc70 --- /dev/null +++ b/charts/nats/nats/files/service-account.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.serviceAccount.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} diff --git a/charts/nats/nats/files/service.yaml b/charts/nats/nats/files/service.yaml new file mode 100644 index 000000000..db08fe5b5 --- /dev/null +++ b/charts/nats/nats/files/service.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.service.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + selector: + {{- include "nats.selectorLabels" $ | nindent 4 }} + ports: + {{- range $protocol := list "nats" "leafnodes" "websocket" "mqtt" "cluster" "gateway" "monitor" "profiling" }} + {{- $configProtocol := get $.Values.config $protocol }} + {{- $servicePort := get $.Values.service.ports $protocol }} + {{- if and (or (eq $protocol "nats") $configProtocol.enabled) $servicePort.enabled }} + {{- $tlsEnabled := false }} + {{- if hasKey $configProtocol "tls" }} + {{- $tlsEnabled = $configProtocol.tls.enabled }} + {{- end }} + {{- $appProtocol := or (eq $protocol "websocket") (eq $protocol "monitor") | ternary ($tlsEnabled | ternary "https" "http") ($tlsEnabled | ternary "tls" "tcp") }} + - {{ merge (dict "name" $protocol "targetPort" $protocol "appProtocol" $appProtocol) (omit $servicePort "enabled") (dict "port" $configProtocol.port) | toYaml | nindent 4 }} + {{- end }} + {{- end }} diff --git a/charts/nats/nats/files/stateful-set/jetstream-pvc.yaml b/charts/nats/nats/files/stateful-set/jetstream-pvc.yaml new file mode 100644 index 000000000..a43f20059 --- /dev/null +++ b/charts/nats/nats/files/stateful-set/jetstream-pvc.yaml @@ -0,0 +1,13 @@ +{{- with .Values.config.jetstream.fileStore.pvc }} +metadata: + name: {{ .name }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .size | quote }} + {{- with .storageClassName }} + storageClassName: {{ . | quote }} + {{- end }} +{{- end }} diff --git a/charts/nats/nats/files/stateful-set/nats-container.yaml b/charts/nats/nats/files/stateful-set/nats-container.yaml new file mode 100644 index 000000000..b89d20e04 --- /dev/null +++ b/charts/nats/nats/files/stateful-set/nats-container.yaml 
@@ -0,0 +1,98 @@ +{{- $pidFile := ternary "/var/run/nats/nats.pid" "/var/run/nats.pid" .Values.reloader.enabled }} +name: nats +{{ include "nats.image" (merge (pick $.Values "global") .Values.container.image) }} + +ports: +{{- range $protocol := list "nats" "leafnodes" "websocket" "mqtt" "cluster" "gateway" "monitor" "profiling" }} +{{- $configProtocol := get $.Values.config $protocol }} +{{- $containerPort := get $.Values.container.ports $protocol }} +{{- if or (eq $protocol "nats") $configProtocol.enabled }} +- {{ merge (dict "name" $protocol "containerPort" $configProtocol.port) $containerPort | toYaml | nindent 2 }} +{{- end }} +{{- end }} + +args: +- --config +- /etc/nats-config/nats.conf + +env: +- name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +- name: SERVER_NAME + value: {{ printf "%s$(POD_NAME)" .Values.config.serverNamePrefix | quote }} +{{- with .Values.container.env }} +{{- include "nats.env" . }} +{{- end }} + +lifecycle: + preStop: + exec: + # send the lame duck shutdown signal to trigger a graceful shutdown + command: + - nats-server + - -sl=ldm={{ $pidFile }} + +{{- if .Values.config.monitor.enabled }} +startupProbe: + httpGet: + path: /healthz + port: monitor + initialDelaySeconds: 10 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 90 +readinessProbe: + httpGet: + path: /healthz?js-server-only=true + port: monitor + initialDelaySeconds: 10 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 +livenessProbe: + httpGet: + path: /healthz?js-enabled-only=true + port: monitor + initialDelaySeconds: 10 + timeoutSeconds: 5 + periodSeconds: 30 + successThreshold: 1 + failureThreshold: 3 +{{- end }} + +volumeMounts: +# nats config +- name: config + mountPath: /etc/nats-config +# PID volume +{{- if .Values.reloader.enabled }} +- name: pid + mountPath: /var/run/nats +{{- end}} +# JetStream PVC +{{- with .Values.config.jetstream }} +{{- if and .enabled .fileStore.enabled 
.fileStore.pvc.enabled }} +{{- with .fileStore }} +- name: {{ .pvc.name }} + mountPath: {{ .dir | quote }} +{{- end }} +{{- end }} +{{- end }} +# resolver PVC +{{- with .Values.config.resolver }} +{{- if and .enabled .pvc.enabled }} +- name: {{ .pvc.name }} + mountPath: {{ .dir | quote }} +{{- end }} +{{- end }} +# tlsCA +{{- include "nats.tlsCAVolumeMount" $ }} +# secrets +{{- range (include "nats.secretNames" $ | fromJson).secretNames }} +- name: {{ .name | quote }} + mountPath: {{ .dir | quote }} +{{- end }} diff --git a/charts/nats/nats/files/stateful-set/pod-template.yaml b/charts/nats/nats/files/stateful-set/pod-template.yaml new file mode 100644 index 000000000..afff14edc --- /dev/null +++ b/charts/nats/nats/files/stateful-set/pod-template.yaml 
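Review bot: The three probes in nats-container.yaml use `httpGet` against `port: monitor` with no `scheme`, so when `config.monitor.tls.enabled` is true config.yaml switches the server to `https_port` and the kubelet's default HTTP probes will fail, leaving the pod stuck in startup. Adding `{{- if .Values.config.monitor.tls.enabled }}` / `scheme: HTTPS` / `{{- end }}` under each `httpGet:` fixes it (the kubelet does not verify the certificate, so a self-signed monitor cert still works). The same assumption is baked into prom-exporter-container.yaml, whose last arg is a hard-coded `http://localhost:{{ .Values.config.monitor.port }}/` and would need `https` under the same condition.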
@@ -0,0 +1,66 @@ +metadata: + labels: + {{- include "nats.labels" $ | nindent 4 }} + annotations: + {{- if .Values.podTemplate.configChecksumAnnotation }} + {{- $configMap := include "nats.loadMergePatch" (merge (dict "file" "config-map.yaml" "ctx" $) $.Values.configMap) }} + checksum/config: {{ sha256sum $configMap }} + {{- end }} +spec: + containers: + # nats + {{- $nats := dict }} + {{- with .Values.container }} + {{- $nats = include "nats.loadMergePatch" (merge (dict "file" "stateful-set/nats-container.yaml" "ctx" $) .) | fromYaml }} + - {{ toYaml $nats | nindent 4 }} + {{- end }} + # reloader + {{- with .Values.reloader }} + {{- if .enabled }} + - {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/reloader-container.yaml" "ctx" (merge (dict "natsVolumeMounts" $nats.volumeMounts) $)) .) | nindent 4 }} + {{- end }} + {{- end }} + {{- with .Values.promExporter }} + {{- if .enabled }} + - {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/prom-exporter-container.yaml" "ctx" $) .) | nindent 4 }} + {{- end }} + {{- end }} + + # service discovery uses DNS; don't need service env vars + enableServiceLinks: false + + {{- with .Values.serviceAccount }} + {{- if .enabled }} + serviceAccountName: {{ .name | quote }} + {{- end }} + {{- end }} + + {{- if .Values.reloader.enabled }} + shareProcessNamespace: true + {{- end }} + + volumes: + # nats config + - name: config + configMap: + name: {{ .Values.configMap.name }} + # PID volume + {{- if .Values.reloader.enabled }} + - name: pid + emptyDir: {} + {{- end }} + # tlsCA + {{- include "nats.tlsCAVolume" $ | nindent 2 }} + # secrets + {{- range (include "nats.secretNames" $ | fromJson).secretNames }} + - name: {{ .name | quote }} + secret: + secretName: {{ .secretName | quote }} + {{- end }} + + {{- with .Values.podTemplate.topologySpreadConstraints }} + topologySpreadConstraints: + {{- range $k, $v := . 
}} + - {{ merge (dict "topologyKey" $k "labelSelector" (dict "matchLabels" (include "nats.selectorLabels" $ | fromYaml))) $v | toYaml | nindent 4 }} + {{- end }} + {{- end}} diff --git a/charts/nats/nats/files/stateful-set/prom-exporter-container.yaml b/charts/nats/nats/files/stateful-set/prom-exporter-container.yaml new file mode 100644 index 000000000..c3e1b6fbe --- /dev/null +++ b/charts/nats/nats/files/stateful-set/prom-exporter-container.yaml @@ -0,0 +1,30 @@ +name: prom-exporter +{{ include "nats.image" (merge (pick $.Values "global") .Values.promExporter.image) }} + +ports: +- name: prom-metrics + containerPort: {{ .Values.promExporter.port }} + +{{- with .Values.promExporter.env }} +env: +{{- include "nats.env" . }} +{{- end }} + +args: +- -port={{ .Values.promExporter.port }} +- -connz +- -routez +- -subz +- -varz +- -prefix=nats +- -use_internal_server_id +{{- if .Values.config.jetstream.enabled }} +- -jsz=all +{{- end }} +{{- if .Values.config.leafnodes.enabled }} +- -leafz +{{- end }} +{{- if .Values.config.gateway.enabled }} +- -gatewayz +{{- end }} +- http://localhost:{{ .Values.config.monitor.port }}/ diff --git a/charts/nats/nats/files/stateful-set/reloader-container.yaml b/charts/nats/nats/files/stateful-set/reloader-container.yaml new file mode 100644 index 000000000..96722045f --- /dev/null +++ b/charts/nats/nats/files/stateful-set/reloader-container.yaml 
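Review bot: stateful-set/pod-template.yaml sets `shareProcessNamespace: true` whenever the reloader is enabled, but the block carries no comment; the reason is that the reloader sidecar signals nats-server through the PID file, and the consequence is that every container in the pod — the prom-exporter too — can see and, with a matching UID, signal the other containers' processes. That is an accepted trade-off for the reloader design, but it should be stated at the point of use, e.g. `# reloader signals nats-server by PID, which requires a shared PID namespace (all sidecars can see each other's processes)`. The `serviceAccountName` stanza in this file has the same missing `automountServiceAccountToken` noted on the nats-box pod template.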
@@ -0,0 +1,27 @@
+name: reloader
+{{ include "nats.image" (merge (pick $.Values "global") .Values.reloader.image) }}
+
+{{- with .Values.reloader.env }}
+env:
+{{- include "nats.env" . }}
+{{- end }}
+
+args:
+- -pid
+- /var/run/nats/nats.pid
+- -config
+- /etc/nats-config/nats.conf
+{{ include "nats.reloaderConfig" (dict "config" .config "dir" "/etc/nats-config") }}
+
+volumeMounts:
+- name: pid
+ mountPath: /var/run/nats
+{{- range $mnt := .natsVolumeMounts }}
+{{- $found := false }}
+{{- range $.Values.reloader.natsVolumeMountPrefixes }}
+{{- if and (not $found) (hasPrefix . $mnt.mountPath) }}
+{{- $found = true }}
+- {{ toYaml $mnt | nindent 2}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nats/nats/files/stateful-set/resolver-pvc.yaml b/charts/nats/nats/files/stateful-set/resolver-pvc.yaml
new file mode 100644
index 000000000..3634cd826
--- /dev/null
+++ b/charts/nats/nats/files/stateful-set/resolver-pvc.yaml
@@ -0,0 +1,13 @@
+{{- with .Values.config.resolver.pvc }}
+metadata:
+ name: {{ .name }}
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .size | quote }}
+ {{- with .storageClassName }}
+ storageClassName: {{ . | quote }}
+ {{- end }}
+{{- end }}
diff --git a/charts/nats/nats/files/stateful-set/stateful-set.yaml b/charts/nats/nats/files/stateful-set/stateful-set.yaml
new file mode 100644
index 000000000..cd8082cbb
--- /dev/null
+++ b/charts/nats/nats/files/stateful-set/stateful-set.yaml
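Review bot: The mount selection `hasPrefix . $mnt.mountPath` matches on a raw string prefix, so a prefix such as `/etc/nats-certs` would also pull a mount at `/etc/nats-certs-extra` into the reloader; whether that matters depends on the `reloader.natsVolumeMountPrefixes` defaults, which are not in this diff. Comparing path-wise removes the surprise: `{{- if and (not $found) (hasPrefix (printf "%s/" (trimSuffix "/" .)) (printf "%s/" $mnt.mountPath)) }}`. The loop also deserves a one-line comment, since it is the step that decides which of the nats container's volumes — config and TLS material among them — are mounted into a second container: `# mount the nats volumes the reloader must watch; prefixes come from reloader.natsVolumeMountPrefixes`. Minor: `nindent 2}}` lacks the space before `}}` used everywhere else in the chart.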
@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ {{- include "nats.metadataNamespace" $ | nindent 2 }}
+ name: {{ .Values.statefulSet.name }}
+ labels:
+ {{- include "nats.labels" $ | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "nats.selectorLabels" $ | nindent 6 }}
+ {{- if .Values.config.cluster.enabled }}
+ replicas: {{ .Values.config.cluster.replicas }}
+ {{- else }}
+ replicas: 1
+ {{- end }}
+ serviceName: {{ .Values.headlessService.name }}
+ podManagementPolicy: Parallel
+ template:
+ {{- with .Values.podTemplate }}
+ {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/pod-template.yaml" "ctx" $) .) | nindent 4 }}
+ {{- end }}
+ volumeClaimTemplates:
+ {{- with .Values.config.jetstream }}
+ {{- if and .enabled .fileStore.enabled .fileStore.pvc.enabled }}
+ {{- with .fileStore.pvc }}
+ - {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/jetstream-pvc.yaml" "ctx" $) .) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.config.resolver }}
+ {{- if and .enabled .pvc.enabled }}
+ {{- with .pvc }}
+ - {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/resolver-pvc.yaml" "ctx" $) .) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
diff --git a/charts/nats/nats/templates/NOTES.txt b/charts/nats/nats/templates/NOTES.txt
deleted file mode 100644
index 694dc67ce..000000000
--- a/charts/nats/nats/templates/NOTES.txt
+++ /dev/null
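Review bot: `template:` is always emitted but its body sits inside `{{- with .Values.podTemplate }}`, so a user who overrides `podTemplate` with `{}` or `null` gets a StatefulSet with a bare `template:` key that is rejected by the API server instead of failing at render time. Rendering the pod template unconditionally keeps it always present: `{{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/pod-template.yaml" "ctx" $) (.Values.podTemplate | default dict)) | nindent 4 }}`. The chart's default for `podTemplate` is not in this diff, so this is a hardening of the template rather than a fix for a known bad rendering. The `with` wrappers around the `volumeClaimTemplates` entries are fine, since that list may legitimately be empty.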
@@ -1,26 +0,0 @@
-
-{{- if or .Values.nats.logging.debug .Values.nats.logging.trace }}
-*WARNING*: Keep in mind that running the server with
-debug and/or trace enabled significantly affects the
-performance of the server!
-{{- end }}
-
-You can find more information about running NATS on Kubernetes
-in the NATS documentation website:
-
- https://docs.nats.io/nats-on-kubernetes/nats-kubernetes
-
-{{- if .Values.natsbox.enabled }}
-
-NATS Box has been deployed into your cluster, you can
-now use the NATS tools within the container as follows:
-
- kubectl exec -n {{ template "nats.namespace" . }} -it deployment/{{ template "nats.fullname" . }}-box -- /bin/sh -l
-
- nats-box:~# nats sub test &
- nats-box:~# nats pub test hi
- nats-box:~# nc {{ template "nats.fullname" . }} {{ .Values.nats.client.port }}
-
-{{- end }}
-
-Thanks for using NATS!
diff --git a/charts/nats/nats/templates/_helpers.tpl b/charts/nats/nats/templates/_helpers.tpl
index 9f177b813..ba831397d 100644
--- a/charts/nats/nats/templates/_helpers.tpl
+++ b/charts/nats/nats/templates/_helpers.tpl
@@ -2,26 +2,26 @@ Expand the name of the chart. */}} {{- define "nats.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{- define "nats.namespace" -}} -{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} {{- define "nats.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} {{/* Create chart name and version as used by the chart label. 
@@ -31,13 +31,78 @@ Create chart name and version as used by the chart label. {{- end }} {{/* -Common labels +Print the namespace +*/}} +{{- define "nats.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride }} +{{- end }} + +{{/* +Print the namespace for the metadata section +*/}} +{{- define "nats.metadataNamespace" -}} +{{- with .Values.namespaceOverride }} +namespace: {{ . | quote }} +{{- end }} +{{- end }} + +{{/* +Set default values. +*/}} +{{- define "nats.defaultValues" }} +{{- if not .defaultValuesSet }} + {{- $name := include "nats.fullname" . }} + {{- with .Values }} + {{- $_ := set .config.jetstream.fileStore.pvc "name" (.config.jetstream.fileStore.pvc.name | default (printf "%s-js" $name)) }} + {{- $_ := set .config.resolver.pvc "name" (.config.resolver.pvc.name | default (printf "%s-resolver" $name)) }} + {{- $_ := set .config.websocket.ingress "name" (.config.websocket.ingress.name | default (printf "%s-ws" $name)) }} + {{- $_ := set .configMap "name" (.configMap.name | default (printf "%s-config" $name)) }} + {{- $_ := set .headlessService "name" (.headlessService.name | default (printf "%s-headless" $name)) }} + {{- $_ := set .natsBox.contentsSecret "name" (.natsBox.contentsSecret.name | default (printf "%s-box-contents" $name)) }} + {{- $_ := set .natsBox.contextsSecret "name" (.natsBox.contextsSecret.name | default (printf "%s-box-contexts" $name)) }} + {{- $_ := set .natsBox.deployment "name" (.natsBox.deployment.name | default (printf "%s-box" $name)) }} + {{- $_ := set .natsBox.serviceAccount "name" (.natsBox.serviceAccount.name | default (printf "%s-box" $name)) }} + {{- $_ := set .podDisruptionBudget "name" (.podDisruptionBudget.name | default $name) }} + {{- $_ := set .service "name" (.service.name | default $name) }} + {{- $_ := set .serviceAccount "name" (.serviceAccount.name | default $name) }} + {{- $_ := set .statefulSet "name" (.statefulSet.name | default $name) }} + {{- $_ := set .promExporter.podMonitor "name" 
(.promExporter.podMonitor.name | default $name) }} + {{- end }} + + {{- $values := get (include "tplYaml" (dict "doc" .Values "ctx" $) | fromJson) "doc" }} + {{- $_ := set . "Values" $values }} + + {{- $hasContentsSecret := false }} + {{- range $ctxKey, $ctxVal := .Values.natsBox.contexts }} + {{- range $secretKey, $secretVal := dict "creds" "nats-creds" "nkey" "nats-nkeys" "tls" "nats-certs" }} + {{- $secret := get $ctxVal $secretKey }} + {{- if $secret }} + {{- $_ := set $secret "dir" ($secret.dir | default (printf "/etc/%s/%s" $secretVal $ctxKey)) }} + {{- if and (ne $secretKey "tls") $secret.contents }} + {{- $hasContentsSecret = true }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- $_ := set $ "hasContentsSecret" $hasContentsSecret }} + + {{- with .Values.config }} + {{- $config := include "nats.loadMergePatch" (merge (dict "file" "config/config.yaml" "ctx" $) .) | fromYaml }} + {{- $_ := set $ "config" $config }} + {{- end }} + + {{- $_ := set . "defaultValuesSet" true }} +{{- end }} +{{- end }} + +{{/* +NATS labels */}} {{- define "nats.labels" -}} +{{- with .Values.global.labels -}} +{{ toYaml . }} +{{ end -}} helm.sh/chart: {{ include "nats.chart" . }} -{{- range $name, $value := .Values.commonLabels }} -{{ $name }}: {{ tpl $value $ }} -{{- end }} {{ include "nats.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 
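Review bot: `nats.labels` now emits `.Values.global.labels` verbatim ahead of `helm.sh/chart` and the selector labels, so a global label that reuses one of those keys produces a mapping with duplicate keys; depending on the YAML parser that is either a hard error or a silent last-wins, and in neither case does the operator get a useful message. A comment on the `with` block would at least state the contract, e.g. `# global.labels must not reuse helm.sh/chart or the app.kubernetes.io/* keys emitted below`; a `fail` on `hasKey . "app.kubernetes.io/name"` would enforce it. The `{{ end -}}` in the same block is the only trim-after form in the file, where everything else is `{{- end }}`. `nats.defaultValues` mutates `.Values` in place and stores `config` and `hasContentsSecret` on the root context, guarded by `defaultValuesSet`; a header comment should say that every template must include it before reading `.Values`, as config-map.yaml does.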
@@ -46,211 +111,171 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} {{/* -Selector labels +NATS selector labels */}} {{- define "nats.selectorLabels" -}} -{{- if .Values.nats.selectorLabels }} -{{ tpl (toYaml .Values.nats.selectorLabels) . }} -{{- else -}} app.kubernetes.io/name: {{ include "nats.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} -{{- end }} - - -{{/* -Return the proper NATS image name -*/}} -{{- define "nats.clusterAdvertise" -}} -{{- if $.Values.useFQDN }} -{{- printf "$(POD_NAME).%s.$(POD_NAMESPACE).svc.%s" (include "nats.fullname" . ) $.Values.k8sClusterDomain }} -{{- else }} -{{- printf "$(POD_NAME).%s.$(POD_NAMESPACE)" (include "nats.fullname" . ) }} -{{- end }} +app.kubernetes.io/component: nats {{- end }} {{/* -Return the NATS cluster auth. +NATS Box labels */}} -{{- define "nats.clusterAuth" -}} -{{- if $.Values.cluster.authorization }} -{{- printf "%s:%s@" (urlquery $.Values.cluster.authorization.user) (urlquery $.Values.cluster.authorization.password) -}} -{{- else }} +{{- define "natsBox.labels" -}} +{{- with .Values.global.labels -}} +{{ toYaml . }} +{{ end -}} +helm.sh/chart: {{ include "nats.chart" . }} +{{ include "natsBox.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} {{/* -Return the NATS cluster routes. +NATS Box selector labels */}} -{{- define "nats.clusterRoutes" -}} -{{- $name := (include "nats.fullname" . ) -}} -{{- $namespace := (include "nats.namespace" . ) -}} -{{- $clusterAuth := (include "nats.clusterAuth" . 
) -}} -{{- range $i, $e := until (.Values.cluster.replicas | int) -}} -{{- if $.Values.useFQDN }} -{{- printf "nats://%s%s-%d.%s.%s.svc.%s:6222," $clusterAuth $name $i $name $namespace $.Values.k8sClusterDomain -}} -{{- else }} -{{- printf "nats://%s%s-%d.%s.%s:6222," $clusterAuth $name $i $name $namespace -}} -{{- end }} -{{- end -}} -{{- end }} - -{{- define "nats.extraRoutes" -}} -{{- range $i, $url := .Values.cluster.extraRoutes -}} -{{- printf "%s," $url -}} -{{- end -}} -{{- end }} - -{{- define "nats.tlsConfig" -}} -tls { -{{- if .cert }} - cert_file: {{ .secretPath }}/{{ .secret.name }}/{{ .cert }} -{{- end }} -{{- if .key }} - key_file: {{ .secretPath }}/{{ .secret.name }}/{{ .key }} -{{- end }} -{{- if .ca }} - ca_file: {{ .secretPath }}/{{ .secret.name }}/{{ .ca }} -{{- end }} -{{- if .insecure }} - insecure: {{ .insecure }} -{{- end }} -{{- if .verify }} - verify: {{ .verify }} -{{- end }} -{{- if .verifyAndMap }} - verify_and_map: {{ .verifyAndMap }} -{{- end }} -{{- if .verifyCertAndCheckKnownUrls }} - verify_cert_and_check_known_urls: {{ .verifyCertAndCheckKnownUrls }} -{{- end }} -{{- if .curvePreferences }} - curve_preferences: {{ .curvePreferences }} -{{- end }} -{{- if .timeout }} - timeout: {{ .timeout }} -{{- end }} -{{- if .cipherSuites }} - cipher_suites: {{ toRawJson .cipherSuites }} -{{- end }} -} -{{- end }} - -{{- define "nats.tlsReloaderArgs" -}} -{{ $secretName := .secret.name }} -{{ $secretPath := .secretPath }} -{{- with .ca }} -- -config -- {{ $secretPath }}/{{ $secretName }}/{{ . }} -{{- end }} -{{- with .cert }} -- -config -- {{ $secretPath }}/{{ $secretName }}/{{ . }} -{{- end }} -{{- with .key }} -- -config -- {{ $secretPath }}/{{ $secretName }}/{{ . 
}} -{{- end }} -{{- end }} - -{{- define "nats.tlsVolumeMounts" -}} -{{- with .Values.nats.tls }} -####################### -# # -# TLS Volumes Mounts # -# # -####################### -{{ $secretName := tpl .secret.name $ }} -- name: {{ $secretName }}-clients-volume - mountPath: /etc/nats-certs/clients/{{ $secretName }} -{{- end }} -{{- with .Values.mqtt.tls }} -{{ $secretName := tpl .secret.name $ }} -- name: {{ $secretName }}-mqtt-volume - mountPath: /etc/nats-certs/mqtt/{{ $secretName }} -{{- end }} -{{- with .Values.cluster.tls }} -{{- if not .custom }} -{{ $secretName := tpl .secret.name $ }} -- name: {{ $secretName }}-cluster-volume - mountPath: /etc/nats-certs/cluster/{{ $secretName }} -{{- end }} -{{- end }} -{{- with .Values.leafnodes.tls }} -{{- if not .custom }} -{{ $secretName := tpl .secret.name $ }} -- name: {{ $secretName }}-leafnodes-volume - mountPath: /etc/nats-certs/leafnodes/{{ $secretName }} -{{- end }} -{{- end }} -{{- with .Values.gateway.tls }} -{{ $secretName := tpl .secret.name $ }} -- name: {{ $secretName }}-gateways-volume - mountPath: /etc/nats-certs/gateways/{{ $secretName }} -{{- end }} -{{- with .Values.websocket.tls }} -{{ $secretName := tpl .secret.name $ }} -- name: {{ $secretName }}-ws-volume - mountPath: /etc/nats-certs/ws/{{ $secretName }} -{{- end }} -{{- end }} - -{{/* -Return the appropriate apiVersion for networkpolicy. -*/}} -{{- define "networkPolicy.apiVersion" -}} -{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Renders a value that contains template. 
-Usage: -{{ include "tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} -*/}} -{{- define "tplvalues.render" -}} - {{- if typeIs "string" .value }} - {{- tpl .value .context }} - {{- else }} - {{- tpl (toYaml .value) .context }} - {{- end }} -{{- end -}} - - -{{/* -Create the name of the service account to use -*/}} -{{- define "nats.serviceAccountName" -}} -{{- if .Values.nats.serviceAccount.create }} -{{- default (include "nats.fullname" .) .Values.nats.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.nats.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -Fix image keys for chart versions <= 0.18.3 -*/}} -{{- define "nats.fixImage" -}} -{{- if kindIs "string" .image }} -{{- $_ := set . "image" (dict "repository" (split ":" .image)._0 "tag" ((split ":" .image)._1 | default "latest") "pullPolicy" "IfNotPresent") }} -{{- end }} -{{- if kindIs "string" .pullPolicy }} -{{- $_ := set .image "pullPolicy" .pullPolicy }} -{{- $_ := unset . "pullPolicy" }} -{{- end }} +{{- define "natsBox.selectorLabels" -}} +app.kubernetes.io/name: {{ include "nats.name" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/component: nats-box {{- end }} {{/* Print the image */}} -{{- define "nats.image" -}} +{{- define "nats.image" }} {{- $image := printf "%s:%s" .repository .tag }} -{{- if .registry }} -{{- $image = printf "%s/%s" .registry $image }} +{{- if or .registry .global.image.registry }} +{{- $image = printf "%s/%s" (.registry | default .global.image.registry) $image }} +{{- end -}} +image: {{ $image }} +{{- if or .pullPolicy .global.image.pullPolicy }} +imagePullPolicy: {{ .pullPolicy | default .global.image.pullPolicy }} {{- end }} -{{- $image -}} {{- end }} + +{{- define "nats.secretNames" -}} +{{- $secrets := list }} +{{- range $protocol := list "nats" "leafnodes" "websocket" "mqtt" "cluster" "gateway" }} + {{- $configProtocol := get $.Values.config $protocol }} + {{- if and (or (eq $protocol "nats") $configProtocol.enabled) $configProtocol.tls.enabled $configProtocol.tls.secretName }} + {{- $secrets = append $secrets (merge (dict "name" (printf "%s-tls" $protocol)) $configProtocol.tls) }} + {{- end }} +{{- end }} +{{- toJson (dict "secretNames" $secrets) }} +{{- end }} + +{{- define "natsBox.secretNames" -}} +{{- $secrets := list }} +{{- range $ctxKey, $ctxVal := .Values.natsBox.contexts }} +{{- range $secretKey, $secretVal := dict "creds" "nats-creds" "nkey" "nats-nkeys" "tls" "nats-certs" }} + {{- $secret := get $ctxVal $secretKey }} + {{- if and $secret $secret.secretName }} + {{- $secrets = append $secrets (merge (dict "name" (printf "ctx-%s-%s" $ctxKey $secretKey)) $secret) }} + {{- end }} + {{- end }} +{{- end }} +{{- toJson (dict "secretNames" $secrets) }} +{{- end }} + +{{- define "nats.tlsCAVolume" -}} +{{- with .Values.tlsCA }} +{{- if and .enabled (or .configMapName .secretName) }} +- name: tls-ca +{{- if .configMapName }} + configMap: + name: {{ .configMapName | quote }} +{{- else if .secretName }} + secret: + secretName: {{ .secretName | quote }} +{{- end }} +{{- end }} +{{- end }} +{{- 
end }} + +{{- define "nats.tlsCAVolumeMount" -}} +{{- with .Values.tlsCA }} +{{- if and .enabled (or .configMapName .secretName) }} +- name: tls-ca + mountPath: {{ .dir | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +translates env var map to list +*/}} +{{- define "nats.env" -}} +{{- range $k, $v := . }} +{{- if kindIs "string" $v }} +- name: {{ $k | quote }} + value: {{ $v | quote }} +{{- else if kindIs "map" $v }} +- {{ merge (dict "name" $k) $v | toYaml | nindent 2 }} +{{- else }} +{{- fail (cat "env var" $k "must be string or map, got" (kindOf $v)) }} +{{- end }} +{{- end }} +{{- end }} + +{{- /* +nats.loadMergePatch +input: map with 4 keys: +- file: name of file to load +- ctx: context to pass to tpl +- merge: interface{} to merge +- patch: []interface{} valid JSON Patch document +output: JSON encoded map with 1 key: +- doc: interface{} patched json result +*/}} +{{- define "nats.loadMergePatch" -}} +{{- $doc := tpl (.ctx.Files.Get (printf "files/%s" .file)) .ctx | fromYaml | default dict -}} +{{- $doc = mergeOverwrite $doc (deepCopy (.merge | default dict)) -}} +{{- get (include "jsonpatch" (dict "doc" $doc "patch" (.patch | default list)) | fromJson ) "doc" | toYaml -}} +{{- end }} + + +{{- /* +nats.reloaderConfig +input: map with 2 keys: +- config: interface{} nats config +- dir: dir config file is in +output: YAML list of reloader config files +*/}} +{{- define "nats.reloaderConfig" -}} + {{- $dir := trimSuffix "/" .dir -}} + {{- with .config -}} + {{- if kindIs "map" . -}} + {{- range $k, $v := . -}} + {{- if or (eq $k "cert_file") (eq $k "key_file") (eq $k "ca_file") }} +- -config +- {{ $v }} + {{- else if hasSuffix "$include" $k }} +- -config +- {{ clean (printf "%s/%s" $dir $v) }} + {{- else }} + {{- include "nats.reloaderConfig" (dict "config" $v "dir" $dir) }} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} + + +{{- /* +nats.formatConfig +input: map[string]interface{} +output: string with following format rules +1. 
keys ending in $natsRaw are unquoted +2. keys ending in $natsInclude are converted to include directives +*/}} +{{- define "nats.formatConfig" -}} + {{- + (regexReplaceAll "\"<<\\s+(.*)\\s+>>\"" + (regexReplaceAll "\".*\\$include\": \"(.*)\",?" (include "toPrettyRawJson" .) "include ${1};") + "${1}") + -}} +{{- end -}} diff --git a/charts/nats/nats/templates/_jsonpatch.tpl b/charts/nats/nats/templates/_jsonpatch.tpl new file mode 100644 index 000000000..cd42c3bbc --- /dev/null +++ b/charts/nats/nats/templates/_jsonpatch.tpl 
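Review bot: `nats.reloaderConfig` writes `cert_file`/`key_file`/`ca_file` values and the `$include` path into the container args unquoted (`- {{ $v }}` and `- {{ clean (printf "%s/%s" $dir $v) }}`), so a path containing `: `, ` #` or a leading `*`/`&` either breaks the rendered YAML or is reinterpreted; `- {{ $v | quote }}` and `- {{ clean (printf "%s/%s" $dir $v) | quote }}` make the list items plain strings regardless of content. `nats.image` reads `.global.image.registry` and `.global.image.pullPolicy` unconditionally while callers pass `pick $.Values "global"`; if a values file can omit `global.image` (the defaults are not in this diff) that lookup errors at render time, so a comment stating the dependency on `global.image` being defined, or a `default dict` guard, is warranted. `nats.formatConfig` is the one place where values reach nats.conf unquoted — any string matching `"<< ... >>"` is emitted raw — and the header comment should name that explicitly as the `$natsRaw` escape hatch rather than only describing the key suffixes.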
@@ -0,0 +1,219 @@
+{{- /*
+jsonpatch
+input: map with 2 keys:
+- doc: interface{} valid JSON document
+- patch: []interface{} valid JSON Patch document
+output: JSON encoded map with 1 key:
+- doc: interface{} patched json result
+*/}}
+{{- define "jsonpatch" -}}
+ {{- $params := fromJson (toJson .) -}}
+ {{- $patches := $params.patch -}}
+ {{- $docContainer := pick $params "doc" -}}
+
+ {{- range $patch := $patches -}}
+ {{- if not (hasKey $patch "op") -}}
+ {{- fail "patch is missing op key" -}}
+ {{- end -}}
+ {{- if and (ne $patch.op "add") (ne $patch.op "remove") (ne $patch.op "replace") (ne $patch.op "copy") (ne $patch.op "move") (ne $patch.op "test") -}}
+ {{- fail (cat "patch has invalid op" $patch.op) -}}
+ {{- end -}}
+ {{- if not (hasKey $patch "path") -}}
+ {{- fail "patch is missing path key" -}}
+ {{- end -}}
+ {{- if and (or (eq $patch.op "add") (eq $patch.op "replace") (eq $patch.op "test")) (not (hasKey $patch "value")) -}}
+ {{- fail (cat "patch with op" $patch.op "is missing value key") -}}
+ {{- end -}}
+ {{- if and (or (eq $patch.op "copy") (eq $patch.op "move")) (not (hasKey $patch "from")) -}}
+ {{- fail (cat "patch with op" $patch.op "is missing from key") -}}
+ {{- end -}}
+
+ {{- $opPathKeys := list "path" -}}
+ {{- if or (eq $patch.op "copy") (eq $patch.op "move") -}}
+ {{- $opPathKeys = append $opPathKeys "from" -}}
+ {{- end -}}
+ {{- $reSlice := list -}}
+
+ {{- range $opPathKey := $opPathKeys -}}
+ {{- $obj := $docContainer -}}
+ {{- if and (eq $patch.op "copy") (eq $opPathKey "from") -}}
+ {{- $obj = (fromJson (toJson $docContainer)) -}}
+ {{- end -}}
+ {{- $key := "doc" -}}
+ {{- $lastMap := dict "root" $obj -}}
+ {{- $lastKey := "root" -}}
+ {{- $paths := (splitList "/" (get $patch $opPathKey)) -}}
+ {{- $firstPath := index $paths 0 -}}
+ {{- if ne (index $paths 0) "" -}}
+ {{- fail (cat "invalid" $opPathKey (get $patch $opPathKey) "must be empty string or start with /") -}}
+ {{- end -}}
+ {{- $paths = slice $paths 1 -}}
+
+ {{- range $path := $paths -}}
+ {{- $path = replace "~1" "/" $path -}}
+ {{- $path = replace "~0" "~" $path -}}
+
+ {{- if kindIs "slice" $obj -}}
+ {{- $mapObj := dict -}}
+ {{- range $i, $v := $obj -}}
+ {{- $_ := set $mapObj (toString $i) $v -}}
+ {{- end -}}
+ {{- $obj = $mapObj -}}
+ {{- $_ := set $lastMap $lastKey $obj -}}
+ {{- $reSlice = prepend $reSlice (dict "lastMap" $lastMap "lastKey" $lastKey "mapObj" $obj) -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $obj -}}
+ {{- if not (hasKey $obj $key) -}}
+ {{- fail (cat "key" $key "does not exist") -}}
+ {{- end -}}
+ {{- $lastKey = $key -}}
+ {{- $lastMap = $obj -}}
+ {{- $obj = index $obj $key -}}
+ {{- $key = $path -}}
+ {{- else -}}
+ {{- fail (cat "cannot iterate into path" $key "on type" (kindOf $obj)) -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- $_ := set $patch (printf "%sKey" $opPathKey) $key -}}
+ {{- $_ := set $patch (printf "%sLastKey" $opPathKey) $lastKey -}}
+ {{- $_ = set $patch (printf "%sLastMap" $opPathKey) $lastMap -}}
+ {{- end -}}
+
+ {{- if eq $patch.op "move" }}
+ {{- if and (ne $patch.path $patch.from) (hasPrefix (printf "%s/" $patch.path) (printf "%s/" $patch.from)) -}}
+ {{- fail (cat "from" $patch.from "may not be a child of path" $patch.path) -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if or (eq $patch.op "move") (eq $patch.op "copy") (eq $patch.op "test") }}
+ {{- $key := $patch.fromKey -}}
+ {{- $lastMap := $patch.fromLastMap -}}
+ {{- $lastKey := $patch.fromLastKey -}}
+ {{- $setKey := "value" -}}
+ {{- if eq $patch.op "test" }}
+ {{- $key = $patch.pathKey -}}
+ {{- $lastMap = $patch.pathLastMap -}}
+ {{- $lastKey = $patch.pathLastKey -}}
+ {{- $setKey = "testValue" -}}
+ {{- end -}}
+ {{- $obj := index $lastMap $lastKey -}}
+
+ {{- if kindIs "map" $obj -}}
+ {{- if not (hasKey $obj $key) -}}
+ {{- fail (cat $key "does not exist") -}}
+ {{- end -}}
+ {{- $_ := set $patch $setKey (index $obj $key) -}}
+
+ {{- else if kindIs "slice" $obj -}}
+ {{- $i := atoi $key -}}
+ {{- if ne $key (toString $i) -}}
+ {{- fail (cat "cannot convert" $key "to int") -}}
+ {{- end -}}
+ {{- if lt $i 0 -}}
+ {{- fail "slice index <0" -}}
+ {{- else if lt $i (len $obj) -}}
+ {{- $_ := set $patch $setKey (index $obj $i) -}}
+ {{- else -}}
+ {{- fail "slice index >= slice length" -}}
+ {{- end -}}
+
+ {{- else -}}
+ {{- fail (cat "cannot" $patch.op $key "on type" (kindOf $obj)) -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if or (eq $patch.op "remove") (eq $patch.op "replace") (eq $patch.op "move") }}
+ {{- $key := $patch.pathKey -}}
+ {{- $lastMap := $patch.pathLastMap -}}
+ {{- $lastKey := $patch.pathLastKey -}}
+ {{- if eq $patch.op "move" }}
+ {{- $key = $patch.fromKey -}}
+ {{- $lastMap = $patch.fromLastMap -}}
+ {{- $lastKey = $patch.fromLastKey -}}
+ {{- end -}}
+ {{- $obj := index $lastMap $lastKey -}}
+
+ {{- if kindIs "map" $obj -}}
+ {{- if not (hasKey $obj $key) -}}
+ {{- fail (cat $key "does not exist") -}}
+ {{- end -}}
+ {{- $_ := unset $obj $key -}}
+
+ {{- else if kindIs "slice" $obj -}}
+ {{- $i := atoi $key -}}
+ {{- if ne $key (toString $i) -}}
+ {{- fail (cat "cannot convert" $key "to int") -}}
+ {{- end -}}
+ {{- if lt $i 0 -}}
+ {{- fail "slice index <0" -}}
+ {{- else if eq $i 0 -}}
+ {{- $_ := set $lastMap $lastKey (slice $obj 1) -}}
+ {{- else if lt $i (sub (len $obj) 1) -}}
+ {{- $_ := set $lastMap $lastKey (concat (slice $obj 0 $i) (slice $obj (add $i 1) (len $obj))) -}}
+ {{- else if eq $i (sub (len $obj) 1) -}}
+ {{- $_ := set $lastMap $lastKey (slice $obj 0 (sub (len $obj) 1)) -}}
+ {{- else -}}
+ {{- fail "slice index >= slice length" -}}
+ {{- end -}}
+
+ {{- else -}}
+ {{- fail (cat "cannot" $patch.op $key "on type" (kindOf $obj)) -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if or (eq $patch.op "add") (eq $patch.op "replace") (eq $patch.op "move") (eq $patch.op "copy") }}
+ {{- $key := $patch.pathKey -}}
+ {{- $lastMap := $patch.pathLastMap -}}
+ {{- $lastKey := $patch.pathLastKey -}}
+ {{- $value := $patch.value -}}
+ {{- $obj := index $lastMap $lastKey -}}
+
+ {{- if kindIs "map" $obj -}}
+ {{- $_ := set $obj $key $value -}}
+
+ {{- else if kindIs "slice" $obj -}}
+ {{- $i := 0 -}}
+ {{- if eq $key "-" -}}
+ {{- $i = len $obj -}}
+ {{- else -}}
+ {{- $i = atoi $key -}}
+ {{- if ne $key (toString $i) -}}
+ {{- fail (cat "cannot convert" $key "to int") -}}
+ {{- end -}}
+ {{- end -}}
+ {{- if lt $i 0 -}}
+ {{- fail "slice index <0" -}}
+ {{- else if eq $i 0 -}}
+ {{- $_ := set $lastMap $lastKey (prepend $obj $value) -}}
+ {{- else if lt $i (len $obj) -}}
+ {{- $_ := set $lastMap $lastKey (concat (append (slice $obj 0 $i) $value) (slice $obj $i)) -}}
+ {{- else if eq $i (len $obj) -}}
+ {{- $_ := set $lastMap $lastKey (append $obj $value) -}}
+ {{- else -}}
+ {{- fail "slice index > slice length" -}}
+ {{- end -}}
+
+ {{- else -}}
+ {{- fail (cat "cannot" $patch.op $key "on type" (kindOf $obj)) -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if eq $patch.op "test" }}
+ {{- if not (deepEqual $patch.value $patch.testValue) }}
+ {{- fail (cat "test failed, expected" (toJson $patch.value) "but got" (toJson $patch.testValue)) -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- range $reSliceOp := $reSlice -}}
+ {{- $sliceObj := list -}}
+ {{- range $i := until (len $reSliceOp.mapObj) -}}
+ {{- $sliceObj = append $sliceObj (index $reSliceOp.mapObj (toString $i)) -}}
+ {{- end -}}
+ {{- $_ := set $reSliceOp.lastMap $reSliceOp.lastKey $sliceObj -}}
+ {{- end -}}
+
+ {{- end -}}
+ {{- toJson $docContainer -}}
+{{- end -}}
diff --git a/charts/nats/nats/templates/_toPrettyRawJson.tpl b/charts/nats/nats/templates/_toPrettyRawJson.tpl
new file mode 100644
index 000000000..612a62f9c
--- /dev/null
+++ b/charts/nats/nats/templates/_toPrettyRawJson.tpl
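Review bot: In the `remove`/`replace`/`move` slice branch the `eq $i 0` case is tested before the length check, so index `0` on an empty terminal list runs `slice $obj 1` instead of reaching `fail "slice index >= slice length"`; on Sprig's `slice` that appears to yield nil rather than an error, silently replacing the list with null. Putting the bound first fixes the ordering: `{{- else if ge $i (len $obj) -}}` / `{{- fail "slice index >= slice length" -}}` ahead of the `eq $i 0` case. The `add` branch is unaffected, since `prepend` on an empty list is the intended result there. Also `$firstPath` is assigned from `index $paths 0` and never read; the following `if` repeats the lookup, so either use the variable or drop it.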
@@ -0,0 +1,28 @@
+{{- /*
+toPrettyRawJson
+input: interface{} valid JSON document
+output: pretty raw JSON string
+*/}}
+{{- define "toPrettyRawJson" -}}
+ {{- include "toPrettyRawJsonStr" (toPrettyJson .) -}}
+{{- end -}}
+
+{{- /*
+toPrettyRawJsonStr
+input: pretty JSON string
+output: pretty raw JSON string
+*/}}
+{{- define "toPrettyRawJsonStr" -}}
+ {{- $s :=
+ (regexReplaceAll "([^\\\\](?:\\\\\\\\)*)\\\\u003e"
+ (regexReplaceAll "([^\\\\](?:\\\\\\\\)*)\\\\u003c"
+ (regexReplaceAll "([^\\\\](?:\\\\\\\\)*)\\\\u0026" . "${1}&")
+ "${1}<")
+ "${1}>")
+ -}}
+ {{- if regexMatch "([^\\\\](?:\\\\\\\\)*)\\\\u00(26|3c|3e)" $s -}}
+ {{- include "toPrettyRawJsonStr" $s -}}
+ {{- else -}}
+ {{- $s -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/nats/nats/templates/_tplYaml.tpl b/charts/nats/nats/templates/_tplYaml.tpl
new file mode 100644
index 000000000..f42b9c168
--- /dev/null
+++ b/charts/nats/nats/templates/_tplYaml.tpl
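Review bot: `toPrettyRawJsonStr` recurses and the reason is not stated: each `regexReplaceAll` consumes the character before `\u00xx` through the `([^\\](?:\\\\)*)` capture, so a run of adjacent escapes such as `\u003c\u003c` is only partly rewritten per pass and the `regexMatch` re-check drives the next pass. A comment above `$s :=` along the lines of `# the leading-char capture means adjacent escapes need several passes; recurse until no escaped <, > or & remains` would stop a later "simplification" to a single pass. It is also worth stating that the even-backslash group deliberately leaves `\\u003c` (an escaped backslash followed by literal u003c) untouched, which is the property that keeps the un-escaping correct on JSON string content.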
@@ -0,0 +1,114 @@
+{{- /*
+tplYaml
+input: map with 2 keys:
+- doc: interface{}
+- ctx: context to pass to tpl function
+output: JSON encoded map with 1 key:
+- doc: interface{} with any keys called tpl or tplSpread values templated and replaced
+
+maps matching the following syntax will be templated and parsed as YAML
+{
+ $tplYaml: string
+}
+
+maps matching the follow syntax will be templated, parsed as YAML, and spread into the parent map/slice
+{
+ $tplYamlSpread: string
+}
+*/}}
+{{- define "tplYaml" -}}
+ {{- $patch := get (include "tplYamlItr" (dict "ctx" .ctx "parentKind" "" "parentPath" "" "path" "/" "value" .doc) | fromJson) "patch" -}}
+ {{- include "jsonpatch" (dict "doc" .doc "patch" $patch) -}}
+{{- end -}}
+
+{{- /*
+tplYamlItr
+input: map with 4 keys:
+- path: string JSONPath to current element
+- parentKind: string kind of parent element
+- parentPath: string JSONPath to parent element
+- value: interface{}
+- ctx: context to pass to tpl function
+output: JSON encoded map with 1 key:
+- patch: list of patches to apply in order to template
+*/}}
+{{- define "tplYamlItr" -}}
+ {{- $params := . -}}
+ {{- $kind := kindOf $params.value -}}
+ {{- $patch := list -}}
+ {{- $joinPath := $params.path -}}
+ {{- if eq $params.path "/" -}}
+ {{- $joinPath = "" -}}
+ {{- end -}}
+ {{- $joinParentPath := $params.parentPath -}}
+ {{- if eq $params.parentPath "/" -}}
+ {{- $joinParentPath = "" -}}
+ {{- end -}}
+
+ {{- if eq $kind "slice" -}}
+ {{- $iAdj := 0 -}}
+ {{- range $i, $v := $params.value -}}
+ {{- $iPath := printf "%s/%d" $joinPath (add $i $iAdj) -}}
+ {{- $itrPatch := get (include "tplYamlItr" (dict "ctx" $params.ctx "parentKind" $kind "parentPath" $params.path "path" $iPath "value" $v) | fromJson) "patch" -}}
+ {{- $itrLen := len $itrPatch -}}
+ {{- if gt $itrLen 0 -}}
+ {{- $patch = concat $patch $itrPatch -}}
+ {{- if eq (get (index $itrPatch 0) "op") "remove" -}}
+ {{- $iAdj = add $iAdj (sub $itrLen 2) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- else if eq $kind "map" -}}
+ {{- if and (eq (len $params.value) 1) (or (hasKey $params.value "$tplYaml") (hasKey $params.value "$tplYamlSpread")) -}}
+ {{- $tpl := get $params.value "$tplYaml" -}}
+ {{- $spread := false -}}
+ {{- if hasKey $params.value "$tplYamlSpread" -}}
+ {{- if eq $params.path "/" -}}
+ {{- fail "cannot $tplYamlSpread on root object" -}}
+ {{- end -}}
+ {{- $tpl = get $params.value "$tplYamlSpread" -}}
+ {{- $spread = true -}}
+ {{- end -}}
+
+ {{- $res := tpl $tpl $params.ctx -}}
+ {{- $res = get (fromYaml (tpl "tpl: {{ nindent 2 .res }}" (merge (dict "res" $res) $params.ctx))) "tpl" -}}
+
+ {{- if eq $spread false -}}
+ {{- $patch = append $patch (dict "op" "replace" "path" $params.path "value" $res) -}}
+ {{- else -}}
+ {{- $resKind := kindOf $res -}}
+ {{- if and (ne $resKind "invalid") (ne $resKind $params.parentKind) -}}
+ {{- fail (cat "can only $tplYamlSpread slice onto a slice or map onto a map; attempted to spread" $resKind "on" $params.parentKind "at path" $params.path) -}}
+ {{- end -}}
+ {{- $patch = append $patch (dict "op" "remove" "path" $params.path) -}}
+ {{- if eq $resKind "invalid" -}}
+ {{- /* no-op */ -}}
+ {{- else if eq $resKind "slice" -}}
+ {{- range $v := reverse $res -}}
+ {{- $patch = append $patch (dict "op" "add" "path" $params.path "value" $v) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- range $k, $v := $res -}}
+ {{- $kPath := replace "~" "~0" $k -}}
+ {{- $kPath = replace "/" "~1" $kPath -}}
+ {{- $kPath = printf "%s/%s" $joinParentPath $kPath -}}
+ {{- $patch = append $patch (dict "op" "add" "path" $kPath "value" $v) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- range $k, $v := $params.value -}}
+ {{- $kPath := replace "~" "~0" $k -}}
+ {{- $kPath = replace "/" "~1" $kPath -}}
+ {{- $kPath = printf "%s/%s" $joinPath $kPath -}}
+ {{- $itrPatch := get (include "tplYamlItr" (dict "ctx" $params.ctx "parentKind" $kind "parentPath" $params.path "path" $kPath "value" $v) | fromJson) "patch" -}}
+ {{- if gt (len $itrPatch) 0 -}}
+ {{- $patch = concat $patch $itrPatch -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- toJson (dict "patch" $patch) -}}
+{{- end -}}
diff --git a/charts/nats/nats/templates/config-map.yaml b/charts/nats/nats/templates/config-map.yaml
new file mode 100644
index 000000000..b95afda20
--- /dev/null
+++ b/charts/nats/nats/templates/config-map.yaml
@@ -0,0 +1,4 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.configMap }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "config-map.yaml" "ctx" $) .) }}
+{{- end }}
diff --git a/charts/nats/nats/templates/configmap.yaml b/charts/nats/nats/templates/configmap.yaml
deleted file mode 100644
index da4959d94..000000000
--- a/charts/nats/nats/templates/configmap.yaml
+++ /dev/null
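Review bot: The `$iAdj` bookkeeping in the slice branch is correct but unexplained: a spread child returns one `remove` followed by `itrLen - 1` `add` patches at the same index, so later siblings shift by `itrLen - 2` because the patches are applied in order. A comment above `{{- $iAdj = add $iAdj (sub $itrLen 2) -}}` saying exactly that (`# a spread replaces 1 element with itrLen-1; shift later sibling paths by the net change`) would save the next reader a derivation. The second `tpl "tpl: {{ nindent 2 .res }}" ...` call appears to exist only to wrap the rendered text under a key so that a scalar or list result survives `fromYaml`; that intent deserves a comment too, and since the template string is constant the same wrapping seems achievable without a second template evaluation, e.g. `fromYaml (printf "tpl:%s" (nindent 2 $res))`, though I have not verified whitespace-identical output for every input. The `$tplYaml`/`$tplYamlSpread` strings are evaluated with the full chart context, so the header comment could state that only chart-operator-supplied values are expected here.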
@@ -1,614 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "nats.fullname" . }}-config - namespace: {{ include "nats.namespace" . }} - labels: - {{- include "nats.labels" . | nindent 4 }} -data: - nats.conf: | - # NATS Clients Port - port: {{ .Values.nats.client.port }} - - # PID file shared with configuration reloader. - pid_file: "/var/run/nats/nats.pid" - - {{- if .Values.nats.config }} - ########### - # # - # Imports # - # # - ########### - {{- range .Values.nats.config }} - include ./{{ .name }}/{{ .name }}.conf - {{- end}} - {{- end }} - - ############### - # # - # Monitoring # - # # - ############### - http: 8222 - server_name: {{ if .Values.nats.serverNamePrefix }}$SERVER_NAME{{ else }}$POD_NAME{{ end }} - - {{- if .Values.nats.serverTags }} - server_tags: [ - {{- range .Values.nats.serverTags }} - "{{ . }}", - {{- end }} - ] - {{- end }} - - {{- if .Values.nats.tls }} - ##################### - # # - # TLS Configuration # - # # - ##################### - {{- with .Values.nats.tls }} - {{- $nats_tls := merge (dict) . 
}} - {{- $_ := set $nats_tls "secretPath" "/etc/nats-certs/clients" }} - {{- tpl (include "nats.tlsConfig" $nats_tls) $ | nindent 4}} - {{- end }} - - {{- if .Values.nats.tls.allowNonTLS }} - allow_non_tls: {{ .Values.nats.tls.allowNonTLS }} - {{- end }} - - {{- end }} - - {{- if .Values.nats.jetstream.enabled }} - ################################### - # # - # NATS JetStream # - # # - ################################### - jetstream { - {{- if .Values.nats.jetstream.encryption }} - {{- if .Values.nats.jetstream.encryption.key }} - key: {{ .Values.nats.jetstream.encryption.key | quote }} - {{- else if .Values.nats.jetstream.encryption.secret }} - key: $JS_KEY - {{- end}} - {{- if .Values.nats.jetstream.encryption.cipher }} - cipher: {{ .Values.nats.jetstream.encryption.cipher }} - {{- end}} - {{- end}} - - {{- if .Values.nats.jetstream.memStorage.enabled }} - max_mem: {{ .Values.nats.jetstream.memStorage.size }} - {{- end }} - - {{- if .Values.nats.jetstream.domain }} - domain: {{ .Values.nats.jetstream.domain }} - {{- end }} - - {{- if .Values.nats.jetstream.fileStorage.enabled }} - store_dir: {{ .Values.nats.jetstream.fileStorage.storageDirectory }} - - max_file: - {{- if .Values.nats.jetstream.fileStorage.existingClaim }} - {{- .Values.nats.jetstream.fileStorage.claimStorageSize }} - {{- else }} - {{- .Values.nats.jetstream.fileStorage.size }} - {{- end }} - {{- else }} - {{- if .Values.nats.jetstream.store_dir }} - store_dir: {{ .Values.nats.jetstream.store_dir }} - {{- end }} - {{- if .Values.nats.jetstream.max_file }} - max_file: {{ .Values.nats.jetstream.max_file }} - {{- end }} - {{- end }} - - {{- if .Values.nats.jetstream.uniqueTag }} - unique_tag: {{ .Values.nats.jetstream.uniqueTag }} - {{- end }} - - {{- if .Values.nats.jetstream.maxOutstandingCatchup }} - max_outstanding_catchup: {{ .Values.nats.jetstream.maxOutstandingCatchup }} - {{- end }} - } - {{- end }} - - {{- if .Values.nats.mappings }} - ################################### - # # - # Mappings # 
- # # - ################################### - mappings: {{ toRawJson .Values.nats.mappings }} - {{- end }} - - {{- if .Values.mqtt.enabled }} - ################################### - # # - # NATS MQTT # - # # - ################################### - mqtt { - port: 1883 - - {{- with .Values.mqtt.tls }} - {{- $mqtt_tls := merge (dict) . }} - {{- $_ := set $mqtt_tls "secretPath" "/etc/nats-certs/mqtt" }} - {{- tpl (include "nats.tlsConfig" $mqtt_tls) $ | nindent 6}} - {{- end }} - - {{- if .Values.mqtt.noAuthUser }} - no_auth_user: {{ .Values.mqtt.noAuthUser | quote }} - {{- end }} - - ack_wait: {{ .Values.mqtt.ackWait | quote }} - max_ack_pending: {{ .Values.mqtt.maxAckPending }} - } - {{- end }} - - {{- if .Values.cluster.enabled }} - ################################### - # # - # NATS Full Mesh Clustering Setup # - # # - ################################### - cluster { - port: 6222 - - {{- if .Values.nats.jetstream.enabled }} - {{- if .Values.cluster.name }} - name: {{ .Values.cluster.name }} - {{- else }} - name: {{ template "nats.name" . }} - {{- end }} - {{- else }} - {{- with .Values.cluster.name }} - name: {{ . }} - {{- end }} - {{- end }} - - {{- with .Values.cluster.tls }} - {{- $cluster_tls := merge (dict) . }} - {{- $_ := set $cluster_tls "secretPath" "/etc/nats-certs/cluster" }} - {{- tpl (include "nats.tlsConfig" $cluster_tls) $ | nindent 6}} - {{- end }} - - {{- if .Values.cluster.authorization }} - authorization { - {{- with .Values.cluster.authorization.user }} - user: {{ . }} - {{- end }} - {{- with .Values.cluster.authorization.password }} - password: {{ . }} - {{- end }} - {{- with .Values.cluster.authorization.timeout }} - timeout: {{ . }} - {{- end }} - } - {{- end }} - - routes = [ - {{ include "nats.clusterRoutes" . }} - {{ include "nats.extraRoutes" . }} - ] - cluster_advertise: $CLUSTER_ADVERTISE - - {{- with .Values.cluster.noAdvertise }} - no_advertise: {{ . 
}} - {{- end }} - - connect_retries: {{ .Values.nats.connectRetries }} - } - {{- end }} - - {{- if and .Values.nats.advertise .Values.nats.externalAccess }} - include "advertise/client_advertise.conf" - {{- end }} - - {{- if or .Values.leafnodes.enabled .Values.leafnodes.remotes }} - ################# - # # - # NATS Leafnode # - # # - ################# - leafnodes { - {{- if .Values.leafnodes.enabled }} - listen: "0.0.0.0:{{ .Values.leafnodes.port }}" - {{- end }} - - {{- if and .Values.nats.advertise .Values.nats.externalAccess }} - include "advertise/gateway_advertise.conf" - {{- end }} - - {{- with .Values.leafnodes.noAdvertise }} - no_advertise: {{ . }} - {{- end }} - - {{- with .Values.leafnodes.authorization }} - authorization: { - {{- with .user }} - user: {{ . }} - {{- end }} - {{- with .password }} - password: {{ . }} - {{- end }} - {{- with .account }} - account: {{ . | quote }} - {{- end }} - {{- with .timeout }} - timeout: {{ . }} - {{- end }} - {{- with .users }} - users: [ - {{- range . }} - {{- toRawJson . | nindent 10 }}, - {{- end }} - ] - {{- end }} - } - {{- end }} - - {{- with .Values.leafnodes.tls }} - {{- if .custom }} - tls { - {{- .custom | nindent 8 }} - } - {{- else }} - {{- $leafnode_tls := merge (dict) . }} - {{- $_ := set $leafnode_tls "secretPath" "/etc/nats-certs/leafnodes" }} - {{- tpl (include "nats.tlsConfig" $leafnode_tls) $ | nindent 6}} - {{- end }} - {{- end }} - - remotes: [ - {{- range .Values.leafnodes.remotes }} - { - {{- with .url }} - url: {{ . | quote }} - {{- end }} - - {{- with .urls }} - urls: {{ toRawJson . }} - {{- end }} - - {{- with .account }} - account: {{ . | quote }} - {{- end }} - - {{- with .credentials }} - credentials: "/etc/nats-creds/{{ .secret.name }}/{{ .secret.key }}" - {{- end }} - - {{- with .tls }} - tls: { - {{- if .custom }} - {{- .custom | nindent 10 }} - {{- else }} - {{ $secretName := tpl .secret.name $ }} - {{- with .cert }} - cert_file: /etc/nats-certs/leafnodes/{{ $secretName }}/{{ . 
}} - {{- end }} - - {{- with .key }} - key_file: /etc/nats-certs/leafnodes/{{ $secretName }}/{{ . }} - {{- end }} - - {{- with .ca }} - ca_file: /etc/nats-certs/leafnodes/{{ $secretName }}/{{ . }} - {{- end }} - {{- end }} - } - {{- end }} - } - {{- end }} - ] - } - {{- end }} - - {{- if .Values.gateway.enabled }} - ################# - # # - # NATS Gateways # - # # - ################# - gateway { - name: {{ .Values.gateway.name }} - port: {{ .Values.gateway.port }} - - {{- if .Values.gateway.advertise }} - advertise: {{ .Values.gateway.advertise }} - {{- end }} - - {{- if .Values.gateway.rejectUnknownCluster }} - reject_unknown_cluster: {{ .Values.gateway.rejectUnknownCluster }} - {{- end }} - - {{- if .Values.gateway.authorization }} - authorization { - {{- with .Values.gateway.authorization.user }} - user: {{ . }} - {{- end }} - {{- with .Values.gateway.authorization.password }} - password: {{ . }} - {{- end }} - {{- with .Values.gateway.authorization.timeout }} - timeout: {{ . }} - {{- end }} - } - {{- end }} - - {{- if and .Values.nats.advertise .Values.nats.externalAccess }} - include "advertise/gateway_advertise.conf" - {{- end }} - - {{- if .Values.gateway.connectRetries }} - connect_retries: {{ .Values.gateway.connectRetries }} - {{- end }} - - {{- with .Values.gateway.tls }} - {{- $gateway_tls := merge (dict) . }} - {{- $_ := set $gateway_tls "secretPath" "/etc/nats-certs/gateways" }} - {{- tpl (include "nats.tlsConfig" $gateway_tls) $ | nindent 6}} - {{- end }} - - # Gateways array here - gateways: [ - {{- range .Values.gateway.gateways }} - { - {{- with .name }} - name: {{ . }} - {{- end }} - - {{- with .url }} - url: {{ . | quote }} - {{- end }} - - {{- with .urls }} - urls: [{{ join "," . }}] - {{- end }} - }, - {{- end }} - ] - } - {{- end }} - - {{- with .Values.nats.logging.debug }} - debug: {{ . }} - {{- end }} - - {{- with .Values.nats.logging.trace }} - trace: {{ . }} - {{- end }} - - {{- with .Values.nats.logging.logtime }} - logtime: {{ . 
}} - {{- end }} - - {{- with .Values.nats.logging.connectErrorReports }} - connect_error_reports: {{ . }} - {{- end }} - - {{- with .Values.nats.logging.reconnectErrorReports }} - reconnect_error_reports: {{ . }} - {{- end }} - - {{- with .Values.nats.limits.maxConnections }} - max_connections: {{ . }} - {{- end }} - - {{- with .Values.nats.limits.maxSubscriptions }} - max_subscriptions: {{ . }} - {{- end }} - - {{- with .Values.nats.limits.maxPending }} - max_pending: {{ . }} - {{- end }} - - {{- with .Values.nats.limits.maxControlLine }} - max_control_line: {{ . }} - {{- end }} - - {{- with .Values.nats.limits.maxPayload }} - max_payload: {{ . }} - {{- end }} - - {{- with .Values.nats.limits.pingInterval }} - ping_interval: {{ . }} - {{- end }} - - {{- with .Values.nats.limits.maxPings }} - ping_max: {{ . }} - {{- end }} - - {{- with .Values.nats.limits.writeDeadline }} - write_deadline: {{ . }} - {{- end }} - - {{- with .Values.nats.limits.lameDuckGracePeriod }} - lame_duck_grace_period: {{ . }} - {{- end }} - - {{- with .Values.nats.limits.lameDuckDuration }} - lame_duck_duration: {{ . }} - {{- end }} - - {{- if .Values.websocket.enabled }} - ################## - # # - # Websocket # - # # - ################## - websocket { - port: {{ .Values.websocket.port }} - {{- with .Values.websocket.tls }} - {{ $secretName := tpl .secret.name $ }} - tls { - {{- with .cert }} - cert_file: /etc/nats-certs/ws/{{ $secretName }}/{{ . }} - {{- end }} - - {{- with .key }} - key_file: /etc/nats-certs/ws/{{ $secretName }}/{{ . }} - {{- end }} - - {{- with .ca }} - ca_file: /etc/nats-certs/ws/{{ $secretName }}/{{ . }} - {{- end }} - } - {{- else }} - no_tls: {{ .Values.websocket.noTLS }} - {{- end }} - same_origin: {{ .Values.websocket.sameOrigin }} - {{- with .Values.websocket.allowedOrigins }} - allowed_origins: {{ toRawJson . }} - {{- end }} - {{- with .Values.websocket.advertise }} - advertise: {{ . 
}} - {{- end }} - {{- with .Values.websocket.handshakeTimeout }} - handshake_timeout: {{ . | quote }} - {{- end }} - } - {{- end }} - - {{- if .Values.auth.enabled }} - ################## - # # - # Authorization # - # # - ################## - {{- if .Values.auth.resolver }} - {{- if eq .Values.auth.resolver.type "memory" }} - resolver: MEMORY - include "accounts/{{ .Values.auth.resolver.configMap.key }}" - {{- end }} - - {{- if eq .Values.auth.resolver.type "full" }} - {{- if .Values.auth.resolver.configMap }} - include "accounts/{{ .Values.auth.resolver.configMap.key }}" - {{- else }} - {{- with .Values.auth.resolver }} - {{- if $.Values.auth.timeout }} - authorization { - timeout: {{ $.Values.auth.timeout }} - } - {{- end }} - - {{- if .operator }} - operator: {{ .operator }} - {{- end }} - - {{- if .systemAccount }} - system_account: {{ .systemAccount | quote }} - {{- end }} - {{- end }} - - resolver: { - type: full - {{- with .Values.auth.resolver }} - dir: {{ .store.dir | quote }} - - allow_delete: {{ .allowDelete }} - - interval: {{ .interval | quote }} - {{- end }} - } - {{- end }} - {{- end }} - - {{- if .Values.auth.resolver.resolverPreload }} - resolver_preload: {{ toRawJson .Values.auth.resolver.resolverPreload }} - {{- end }} - - {{- if eq .Values.auth.resolver.type "URL" }} - {{- with .Values.auth.resolver.url }} - resolver: URL({{ . }}) - {{- end }} - operator: /etc/nats-config/operator/{{ .Values.auth.operatorjwt.configMap.key }} - {{- end }} - {{- end }} - - {{- with .Values.auth.systemAccount }} - system_account: {{ . | quote }} - {{- end }} - - {{- with .Values.auth.token }} - authorization { - token: "{{ . }}" - - - {{- if $.Values.auth.timeout }} - timeout: {{ $.Values.auth.timeout }} - {{- end }} - } - {{- end }} - - {{- with .Values.auth.nkeys }} - {{- with .users }} - authorization { - {{- if $.Values.auth.timeout }} - timeout: {{ $.Values.auth.timeout }} - {{- end }} - - users: [ - {{- range . }} - {{- toRawJson . 
| nindent 8 }},
- {{- end }}
- ]
- }
- {{- end }}
- {{- end }}
-
- {{- with .Values.auth.basic }}
-
- {{- with .noAuthUser }}
- no_auth_user: {{ . }}
- {{- end }}
-
- {{- if or .users (or .timeout .defaultPermissions) }}
- authorization {
- {{- if $.Values.auth.timeout }}
- timeout: {{ $.Values.auth.timeout }}
- {{- end }}
-
- {{- with .users }}
- users: [
- {{- range . }}
- {{- toRawJson . | nindent 8 }},
- {{- end }}
- ]
- {{- end }}
-
- {{- with $.Values.auth.basic.defaultPermissions }}
- default_permissions: {
- {{- if .publish }}
- publish: [
- {{- range .publish }}
- {{- toRawJson . | nindent 10 }},
- {{- end }}
- ],
- {{- end }}
- {{- if .subscribe }}
- subscribe: [
- {{- range .subscribe }}
- {{- toRawJson . | nindent 10 }},
- {{- end }}
- ],
- {{- end }}
- }
- {{- end }}
- }
- {{- end }}
-
- {{- with .accounts }}
- authorization {
- {{- if $.Values.auth.timeout }}
- timeout: {{ $.Values.auth.timeout }}
- {{- end }}
- }
- accounts: {{- toRawJson . }}
- {{- end }}
-
- {{- end }}
-
- {{- end }}
diff --git a/charts/nats/nats/templates/extra-resources.yaml b/charts/nats/nats/templates/extra-resources.yaml
new file mode 100644
index 000000000..c11f0085e
--- /dev/null
+++ b/charts/nats/nats/templates/extra-resources.yaml
@@ -0,0 +1,5 @@
+{{- include "nats.defaultValues" . }}
+{{- range .Values.extraResources }}
+---
+{{ . | toYaml }}
+{{- end }}
diff --git a/charts/nats/nats/templates/headless-service.yaml b/charts/nats/nats/templates/headless-service.yaml
new file mode 100644
index 000000000..f11a83d13
--- /dev/null
+++ b/charts/nats/nats/templates/headless-service.yaml
@@ -0,0 +1,4 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.headlessService }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "headless-service.yaml" "ctx" $) .) }}
+{{- end }}
diff --git a/charts/nats/nats/templates/ingress.yaml b/charts/nats/nats/templates/ingress.yaml
new file mode 100644
index 000000000..eccd73ffd
--- /dev/null
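Review bot: `extraResources` entries are emitted verbatim via `toYaml` with no validation, so a values file can add any Kubernetes object — RBAC bindings, webhooks, cluster-scoped kinds — to the release alongside NATS; that is a common escape hatch, but the template should state the contract, e.g. `{{- /* extraResources are rendered as-is: no tpl expansion, no schema or namespace defaulting, any kind allowed */ -}}`. Because there is no `tpl` call here, `{{ }}` expressions inside those objects are not expanded, which is worth spelling out since the rest of this chart templates its values. In setups where values come from several teams, this key should be reviewed like raw manifests.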
+++ b/charts/nats/nats/templates/ingress.yaml
@@ -0,0 +1,6 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.config.websocket.ingress }}
+{{- if and .enabled .hosts $.Values.config.websocket.enabled $.Values.service.enabled $.Values.service.ports.websocket.enabled }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "ingress.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
diff --git a/charts/nats/nats/templates/nats-box.yaml b/charts/nats/nats/templates/nats-box.yaml
deleted file mode 100644
index e94362f46..000000000
--- a/charts/nats/nats/templates/nats-box.yaml
+++ /dev/null
@@ -1,121 +0,0 @@ -{{- if .Values.natsbox.enabled }} -{{- include "nats.fixImage" .Values.natsbox -}} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "nats.fullname" . }}-box - namespace: {{ include "nats.namespace" . }} - labels: - app: {{ include "nats.fullname" . }}-box - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - {{- if .Values.natsbox.additionalLabels }} - {{- tpl (toYaml .Values.natsbox.additionalLabels) $ | nindent 4 }} - {{- end }} - {{- if .Values.natsbox.annotations }} - annotations: - {{- toYaml .Values.natsbox.annotations | nindent 4 }} - {{- end }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ include "nats.fullname" . }}-box - template: - metadata: - labels: - app: {{ include "nats.fullname" . }}-box - {{- if .Values.natsbox.podLabels }} - {{- tpl (toYaml .Values.natsbox.podLabels) $ | nindent 8 }} - {{- end }} - {{- if .Values.natsbox.podAnnotations }} - annotations: - {{- toYaml .Values.natsbox.podAnnotations | nindent 8 }} - {{- end }} - spec: - {{- with .Values.natsbox.affinity }} - affinity: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- with .Values.natsbox.nodeSelector }} - nodeSelector: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.natsbox.tolerations }} - tolerations: {{ toYaml . | nindent 8 }} - {{- end }} - volumes: - {{- if .Values.natsbox.credentials }} - - name: nats-sys-creds - secret: - secretName: {{ .Values.natsbox.credentials.secret.name }} - {{- end }} - {{- if .Values.natsbox.extraVolumes }} - {{- toYaml .Values.natsbox.extraVolumes | nindent 6}} - {{- end }} - {{- with .Values.nats.tls }} - {{ $secretName := tpl .secret.name $ }} - - name: {{ $secretName }}-clients-volume - secret: - secretName: {{ $secretName }} - {{- end }} - {{- with .Values.securityContext }} - securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- if hasKey .Values.natsbox "automountServiceAccountToken" }} - automountServiceAccountToken: {{ .Values.natsbox.automountServiceAccountToken }} - {{- end }} - containers: - - name: nats-box - image: {{ include "nats.image" .Values.natsbox.image }} - imagePullPolicy: {{ .Values.natsbox.image.pullPolicy }} - {{- if .Values.natsbox.securityContext }} - securityContext: - {{- toYaml .Values.natsbox.securityContext | nindent 10 }} - {{- end }} - resources: - {{- toYaml .Values.natsbox.resources | nindent 10 }} - env: - - name: NATS_URL - value: {{ template "nats.fullname" . }} - {{- if .Values.natsbox.credentials }} - - name: NATS_CREDS - value: /etc/nats-config/creds/{{ .Values.natsbox.credentials.secret.key }} - {{- end }} - {{- with .Values.nats.tls }} - {{ $secretName := tpl .secret.name $ }} - lifecycle: - postStart: - exec: - command: - - /bin/sh - - -c - - cp /etc/nats-certs/clients/{{ $secretName }}/* /usr/local/share/ca-certificates && update-ca-certificates - {{- end }} - command: - - "tail" - - "-f" - - "/dev/null" - volumeMounts: - {{- if .Values.natsbox.credentials }} - - name: nats-sys-creds - mountPath: /etc/nats-config/creds - {{- end }} - {{- if .Values.natsbox.extraVolumeMounts }} - {{- toYaml .Values.natsbox.extraVolumeMounts | nindent 8 }} - {{- end }} - {{- with .Values.nats.tls }} - ####################### - # # - # TLS Volumes Mounts # - # # - ####################### - {{ $secretName := tpl .secret.name $ }} - - name: {{ $secretName }}-clients-volume - mountPath: /etc/nats-certs/clients/{{ $secretName }} - {{- end }} -{{- end }} diff --git a/charts/nats/nats/templates/nats-box/contents-secret.yaml b/charts/nats/nats/templates/nats-box/contents-secret.yaml new file mode 100644 index 000000000..db629bf7b --- /dev/null +++ b/charts/nats/nats/templates/nats-box/contents-secret.yaml 
@@ -0,0 +1,10 @@
+{{- include "nats.defaultValues" . }}
+{{- if .hasContentsSecret }}
+{{- with .Values.natsBox }}
+{{- if .enabled }}
+{{- with .contentsSecret}}
+{{- include "nats.loadMergePatch" (merge (dict "file" "nats-box/contents-secret.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nats/nats/templates/nats-box/contexts-secret.yaml b/charts/nats/nats/templates/nats-box/contexts-secret.yaml
new file mode 100644
index 000000000..5ae20f45a
--- /dev/null
+++ b/charts/nats/nats/templates/nats-box/contexts-secret.yaml
@@ -0,0 +1,8 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.natsBox }}
+{{- if .enabled }}
+{{- with .contextsSecret}}
+{{- include "nats.loadMergePatch" (merge (dict "file" "nats-box/contexts-secret/contexts-secret.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nats/nats/templates/nats-box/deployment.yaml b/charts/nats/nats/templates/nats-box/deployment.yaml
new file mode 100644
index 000000000..a063332a2
--- /dev/null
+++ b/charts/nats/nats/templates/nats-box/deployment.yaml
@@ -0,0 +1,8 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.natsBox }}
+{{- if .enabled }}
+{{- with .deployment }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "nats-box/deployment/deployment.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nats/nats/templates/nats-box/service-account.yaml b/charts/nats/nats/templates/nats-box/service-account.yaml
new file mode 100644
index 000000000..e11bdd363
--- /dev/null
+++ b/charts/nats/nats/templates/nats-box/service-account.yaml
@@ -0,0 +1,8 @@
+{{- include "nats.defaultValues" . }}
+{{- if .Values.natsBox.enabled }}
+{{- with .Values.natsBox.serviceAccount }}
+{{- if .enabled }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "nats-box/service-account.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
+{{- end }}
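Review bot: `{{- if .hasContentsSecret }}` in contents-secret.yaml reads a key on the root template context rather than under `.Values`, so it only works if `nats.defaultValues` (not in view) injects it; should that helper stop doing so, a missing key evaluates to false and the Secret silently stops rendering with no error. A short comment would make the coupling explicit: `{{- /* .hasContentsSecret is set on the root context by nats.defaultValues */ -}}`. Separately, the sibling templates in this hunk pass differently shaped paths to loadMergePatch (`nats-box/contents-secret.yaml` versus `nats-box/contexts-secret/contexts-secret.yaml` and `nats-box/deployment/deployment.yaml`), presumably mirroring the loaded files' directory layout — worth a quick check, since a wrong path only fails at render time.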
diff --git a/charts/nats/nats/templates/networkpolicy.yaml b/charts/nats/nats/templates/networkpolicy.yaml
deleted file mode 100644
index 9951441e2..000000000
--- a/charts/nats/nats/templates/networkpolicy.yaml
+++ /dev/null
@@ -1,79 +0,0 @@ -{{- if .Values.networkPolicy.enabled }} -kind: NetworkPolicy -apiVersion: {{ template "networkPolicy.apiVersion" . }} -metadata: - name: {{ include "nats.fullname" . }} - namespace: {{ include "nats.namespace" . }} - labels: - {{- include "nats.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - {{- include "nats.selectorLabels" . | nindent 6 }} - policyTypes: - - Ingress - - Egress - egress: - # Allow dns resolution - - ports: - - port: 53 - protocol: UDP - # Allow outbound connections to other cluster pods - - ports: - - port: {{ .Values.nats.client.port }} - protocol: TCP - - port: 6222 - protocol: TCP - - port: 8222 - protocol: TCP - - port: 7777 - protocol: TCP - - port: {{ .Values.leafnodes.port }} - protocol: TCP - - port: {{ .Values.gateway.port }} - protocol: TCP - to: - - podSelector: - matchLabels: - {{- include "nats.selectorLabels" . | nindent 10 }} - {{- if .Values.networkPolicy.extraEgress }} - {{- include "tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 2 }} - {{- end }} - ingress: - # Allow inbound connections - - ports: - - port: {{ .Values.nats.client.port }} - protocol: TCP - - port: 6222 - protocol: TCP - - port: 8222 - protocol: TCP - - port: 7777 - protocol: TCP - - port: {{ .Values.leafnodes.port }} - protocol: TCP - - port: {{ .Values.gateway.port }} - protocol: TCP - {{- if not .Values.networkPolicy.allowExternal }} - from: - - podSelector: - matchLabels: - {{ include "nats.fullname" . }}-client: "true" - - podSelector: - matchLabels: - {{- include "nats.selectorLabels" . 
| nindent 10 }}
- {{- if .Values.networkPolicy.ingressNSMatchLabels }}
- - namespaceSelector:
- matchLabels:
- {{- toYaml .Values.networkPolicy.ingressNSMatchLabels | nindent 10 }}
- {{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
- podSelector:
- matchLabels:
- {{- toYaml .Values.networkPolicy.ingressNSPodMatchLabels | nindent 10 }}
- {{- end }}
- {{- end }}
- {{- end }}
- {{- if .Values.networkPolicy.extraIngress }}
- {{- include "tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 2 }}
- {{- end }}
-{{- end }}
diff --git a/charts/nats/nats/templates/pdb.yaml b/charts/nats/nats/templates/pdb.yaml
deleted file mode 100644
index 5a7cb4387..000000000
--- a/charts/nats/nats/templates/pdb.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if .Values.podDisruptionBudget.enabled }}
----
-apiVersion: {{ .Capabilities.APIVersions.Has "policy/v1" | ternary "policy/v1" "policy/v1beta1" }}
-kind: PodDisruptionBudget
-metadata:
- name: {{ include "nats.fullname" . }}
- namespace: {{ include "nats.namespace" . }}
- labels:
- {{- include "nats.labels" . | nindent 4 }}
-spec:
- {{- if .Values.podDisruptionBudget.minAvailable }}
- minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
- {{- end }}
- {{- if .Values.podDisruptionBudget.maxUnavailable }}
- maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
- {{- end }}
- selector:
- matchLabels:
- {{- include "nats.selectorLabels" . | nindent 6 }}
-{{- end }}
diff --git a/charts/nats/nats/templates/pod-disruption-budget.yaml b/charts/nats/nats/templates/pod-disruption-budget.yaml
new file mode 100644
index 000000000..911722629
--- /dev/null
+++ b/charts/nats/nats/templates/pod-disruption-budget.yaml
@@ -0,0 +1,6 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.podDisruptionBudget }}
+{{- if .enabled }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "pod-disruption-budget.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
diff --git a/charts/nats/nats/templates/pod-monitor.yaml b/charts/nats/nats/templates/pod-monitor.yaml
new file mode 100644
index 000000000..0e42a43a5
--- /dev/null
+++ b/charts/nats/nats/templates/pod-monitor.yaml
@@ -0,0 +1,8 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.promExporter }}
+{{- if and .enabled .podMonitor.enabled }}
+{{- with .podMonitor }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "pod-monitor.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nats/nats/templates/rbac.yaml b/charts/nats/nats/templates/rbac.yaml
deleted file mode 100644
index 7b55aeb65..000000000
--- a/charts/nats/nats/templates/rbac.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-{{- if or (.Values.nats.serviceAccount.create) (and .Values.nats.externalAccess .Values.nats.advertise) }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "nats.serviceAccountName" . }}
- namespace: {{ include "nats.namespace" . }}
- labels:
- {{- include "nats.labels" . | nindent 4 }}
- {{- with .Values.nats.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
-{{- if and .Values.nats.externalAccess .Values.nats.advertise }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "nats.serviceAccountName" . }}
-rules:
-- apiGroups: [""]
- resources:
- - nodes
- verbs: ["get"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "nats.serviceAccountName" . }}-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ include "nats.serviceAccountName" . }}
-subjects:
-- kind: ServiceAccount
- name: {{ include "nats.serviceAccountName" . }}
- namespace: {{ include "nats.namespace" . }}
-{{- end }}
diff --git a/charts/nats/nats/templates/service-account.yaml b/charts/nats/nats/templates/service-account.yaml
new file mode 100644
index 000000000..6c763bd3e
--- /dev/null
+++ b/charts/nats/nats/templates/service-account.yaml
@@ -0,0 +1,6 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.serviceAccount }}
+{{- if .enabled }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "service-account.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
diff --git a/charts/nats/nats/templates/service.yaml b/charts/nats/nats/templates/service.yaml
index 361e725b2..04b0b37e7 100644
--- a/charts/nats/nats/templates/service.yaml
+++ b/charts/nats/nats/templates/service.yaml
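Review bot: The new service-account.yaml is gated only on `.Values.serviceAccount.enabled` and loads its body from a file outside this diff, whereas the rbac.yaml it replaces also created a ClusterRole plus ClusterRoleBinding granting `get` on `nodes`, conditional on externalAccess and advertise. The reviewer of the loaded file should confirm whether that cluster-scoped grant still exists and, if it does, that it remains tied to the advertise feature instead of being created whenever the ServiceAccount is. A note at the top of this wrapper would document the split once confirmed, e.g. `{{- /* ServiceAccount only; RBAC for node-IP advertising, if any, is rendered with the advertise feature */ -}}`.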
@@ -1,74 +1,6 @@
-{{- $appProtocol := semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "nats.fullname" . }}
- namespace: {{ include "nats.namespace" . }}
- labels:
- {{- include "nats.labels" . | nindent 4 }}
- {{- if .Values.serviceAnnotations}}
- annotations:
- {{- toYaml .Values.serviceAnnotations | nindent 4 }}
- {{- end }}
-spec:
- selector:
- {{- include "nats.selectorLabels" . | nindent 4 }}
- clusterIP: None
- publishNotReadyAddresses: true
- {{- if .Values.topologyKeys }}
- topologyKeys:
- {{- toYaml .Values.topologyKeys | nindent 4 }}
- {{- end }}
- ports:
- {{- if .Values.websocket.enabled }}
- - name: websocket
- port: {{ .Values.websocket.port }}
- {{- if $appProtocol }}
- appProtocol: tcp
- {{- end }}
- {{- end }}
- {{- if .Values.nats.profiling.enabled }}
- - name: profiling
- port: {{ .Values.nats.profiling.port }}
- {{- if $appProtocol }}
- appProtocol: http
- {{- end }}
- {{- end }}
- - name: {{ .Values.nats.client.portName }}
- port: {{ .Values.nats.client.port }}
- {{- if $appProtocol }}
- appProtocol: tcp
- {{- end }}
- - name: cluster
- port: 6222
- {{- if $appProtocol }}
- appProtocol: tcp
- {{- end }}
- - name: monitor
- port: 8222
- {{- if $appProtocol }}
- appProtocol: http
- {{- end }}
- - name: {{ .Values.exporter.portName }}
- port: 7777
- {{- if $appProtocol }}
- appProtocol: http
- {{- end }}
- - name: leafnodes
- port: {{ .Values.leafnodes.port }}
- {{- if $appProtocol }}
- appProtocol: tcp
- {{- end }}
- - name: gateways
- port: {{ .Values.gateway.port }}
- {{- if $appProtocol }}
- appProtocol: tcp
- {{- end }}
- {{- if .Values.mqtt.enabled }}
- - name: mqtt
- port: 1883
- {{- if $appProtocol }}
- appProtocol: tcp
- {{- end }}
- {{- end }}
+{{- include "nats.defaultValues" . }}
+{{- with .Values.service }}
+{{- if .enabled }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "service.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
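Review bot: The Service this hunk removes published every listener — client, `cluster` (6222), `monitor` (8222), the metrics port (7777), leafnodes, gateways, and optionally websocket, profiling and mqtt — from one headless Service, while the new template defers to a loaded `service.yaml` gated on `.Values.service.enabled`, with a separate headless-service.yaml added elsewhere in this change. The reviewer of the loaded file should confirm that route, gateway and monitor ports stay on the headless Service used for peer discovery and that the client-facing Service only exposes listeners operators opt into; the removed nats.conf template opened `http: 8222` with no authentication configured in that template, so publishing it on a client Service widens exposure. Once the split is confirmed, a one-line comment here would save the next reader a trip to the loaded file: `{{- /* client-facing Service; peer and monitor ports are on headless-service.yaml */ -}}`.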
diff --git a/charts/nats/nats/templates/serviceMonitor.yaml b/charts/nats/nats/templates/serviceMonitor.yaml
deleted file mode 100644
index 282f50f56..000000000
--- a/charts/nats/nats/templates/serviceMonitor.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-{{ if and .Values.exporter.enabled .Values.exporter.serviceMonitor.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ template "nats.fullname" . }}
- {{- if .Values.exporter.serviceMonitor.namespace }}
- namespace: {{ .Values.exporter.serviceMonitor.namespace }}
- {{- else }}
- namespace: {{ include "nats.namespace" . }}
- {{- end }}
- {{- if .Values.exporter.serviceMonitor.labels }}
- labels:
- {{- toYaml .Values.exporter.serviceMonitor.labels | nindent 4 }}
- {{- end }}
- {{- if .Values.exporter.serviceMonitor.annotations }}
- annotations:
- {{- toYaml .Values.exporter.serviceMonitor.annotations | nindent 4 }}
- {{- end }}
-spec:
- endpoints:
- - port: {{ .Values.exporter.portName }}
- {{- if .Values.exporter.serviceMonitor.path }}
- path: {{ .Values.exporter.serviceMonitor.path }}
- {{- end }}
- {{- if .Values.exporter.serviceMonitor.interval }}
- interval: {{ .Values.exporter.serviceMonitor.interval }}
- {{- end }}
- {{- if .Values.exporter.serviceMonitor.scrapeTimeout }}
- scrapeTimeout: {{ .Values.exporter.serviceMonitor.scrapeTimeout }}
- {{- end }}
- namespaceSelector:
- any: true
- selector:
- matchLabels:
- {{- include "nats.selectorLabels" . | nindent 6 }}
-{{- end }}
diff --git a/charts/nats/nats/templates/stateful-set.yaml b/charts/nats/nats/templates/stateful-set.yaml
new file mode 100644
index 000000000..bb198323e
--- /dev/null
+++ b/charts/nats/nats/templates/stateful-set.yaml
@@ -0,0 +1,4 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.statefulSet }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "stateful-set/stateful-set.yaml" "ctx" $) .) }}
+{{- end }}
diff --git a/charts/nats/nats/templates/statefulset.yaml b/charts/nats/nats/templates/statefulset.yaml
deleted file mode 100644
index 1ea285fce..000000000
--- a/charts/nats/nats/templates/statefulset.yaml
+++ /dev/null
@@ -1,650 +0,0 @@ -{{- include "nats.fixImage" .Values.nats -}} -{{- include "nats.fixImage" .Values.bootconfig -}} -{{- include "nats.fixImage" .Values.reloader -}} -{{- include "nats.fixImage" .Values.exporter -}} ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "nats.fullname" . }} - namespace: {{ include "nats.namespace" . }} - labels: - {{- include "nats.labels" . | nindent 4 }} - {{- if .Values.statefulSetAnnotations }} - annotations: - {{- toYaml .Values.statefulSetAnnotations | nindent 4 }} - {{- end }} -spec: - selector: - matchLabels: - {{- include "nats.selectorLabels" . | nindent 6 }} - {{- if .Values.cluster.enabled }} - replicas: {{ .Values.cluster.replicas }} - {{- else }} - replicas: 1 - {{- end }} - serviceName: {{ include "nats.fullname" . }} - - podManagementPolicy: {{ .Values.podManagementPolicy }} - - template: - metadata: - {{- if or .Values.exporter.enabled .Values.nats.configChecksumAnnotation .Values.podAnnotations }} - annotations: - {{- if .Values.exporter.enabled }} - prometheus.io/path: /metrics - prometheus.io/port: "7777" - prometheus.io/scrape: "true" - {{- end }} - {{- if .Values.nats.configChecksumAnnotation }} - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - {{- end }} - {{- if .Values.podAnnotations }} - {{- toYaml .Values.podAnnotations | nindent 8 }} - {{- end }} - {{- end }} - labels: - {{- include "nats.selectorLabels" . | nindent 8 }} - {{- if .Values.statefulSetPodLabels }} - {{- tpl (toYaml .Values.statefulSetPodLabels) . | nindent 8 }} - {{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.securityContext }} - securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: {{ toYaml . 
| nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: {{ toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- range .Values.topologySpreadConstraints }} - {{- if and .maxSkew .topologyKey }} - - maxSkew: {{ .maxSkew }} - topologyKey: {{ .topologyKey }} - {{- if .whenUnsatisfiable }} - whenUnsatisfiable: {{ .whenUnsatisfiable }} - {{- end }} - labelSelector: - matchLabels: - {{- include "nats.selectorLabels" $ | nindent 12 }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName | quote }} - {{- end }} - {{- with .Values.nats.dnsPolicy }} - dnsPolicy: {{ . }} - {{- end }} - {{- with .Values.nats.hostNetwork }} - hostNetwork: {{ . }} - {{- end }} - # Common volumes for the containers. - volumes: - - name: config-volume - {{- if .Values.nats.customConfigSecret }} - secret: - secretName: {{ .Values.nats.customConfigSecret.name }} - {{- else }} - configMap: - name: {{ include "nats.fullname" . }}-config - {{- end }} - - {{- /* User extended config volumes*/}} - {{- if .Values.nats.config }} - # User extended config volumes - {{- with .Values.nats.config }} - {{- toYaml . | nindent 6 }} - {{- end }} - {{- end }} - - # Local volume shared with the reloader. - - name: pid - {{- toYaml .Values.pidVolume | nindent 8 }} - - {{- if and .Values.auth.enabled .Values.auth.resolver }} - {{- if .Values.auth.resolver.configMap }} - - name: resolver-volume - configMap: - name: {{ .Values.auth.resolver.configMap.name }} - {{- end }} - - {{- if eq .Values.auth.resolver.type "URL" }} - - name: operator-jwt-volume - configMap: - name: {{ .Values.auth.operatorjwt.configMap.name }} - {{- end }} - {{- end }} - - {{- if and .Values.nats.externalAccess .Values.nats.advertise }} - # Local volume shared with the advertise config initializer. 
- - name: advertiseconfig - {{- toYaml .Values.advertiseconfigVolume | nindent 8 }} - {{- end }} - - {{- if and .Values.nats.jetstream.enabled .Values.nats.jetstream.fileStorage.enabled .Values.nats.jetstream.fileStorage.existingClaim }} - # Persistent volume for jetstream running with file storage option - - name: {{ include "nats.fullname" . }}-js-pvc - persistentVolumeClaim: - claimName: {{ .Values.nats.jetstream.fileStorage.existingClaim | quote }} - {{- end }} - - ################# - # # - # TLS Volumes # - # # - ################# - {{- with .Values.nats.tls }} - {{ $secretName := tpl .secret.name $ }} - - name: {{ $secretName }}-clients-volume - secret: - secretName: {{ $secretName }} - {{- end }} - {{- with .Values.mqtt.tls }} - {{ $secretName := tpl .secret.name $ }} - - name: {{ $secretName }}-mqtt-volume - secret: - secretName: {{ $secretName }} - {{- end }} - {{- with .Values.cluster.tls }} - {{ $secretName := tpl .secret.name $ }} - - name: {{ $secretName }}-cluster-volume - secret: - secretName: {{ $secretName }} - {{- end }} - {{- with .Values.leafnodes.tls }} - {{- if not .custom }} - {{ $secretName := tpl .secret.name $ }} - - name: {{ $secretName }}-leafnodes-volume - secret: - secretName: {{ $secretName }} - {{- end }} - {{- end }} - {{- with .Values.gateway.tls }} - {{ $secretName := tpl .secret.name $ }} - - name: {{ $secretName }}-gateways-volume - secret: - secretName: {{ $secretName }} - {{- end }} - {{- with .Values.websocket.tls }} - {{ $secretName := tpl .secret.name $ }} - - name: {{ $secretName }}-ws-volume - secret: - secretName: {{ $secretName }} - {{- end }} - {{- if .Values.leafnodes.enabled }} - # - # Leafnode credential volumes - # - {{- range .Values.leafnodes.remotes }} - {{- with .credentials }} - - name: {{ .secret.name }}-volume - secret: - secretName: {{ .secret.name }} - {{- end }} - {{- with .tls }} - - name: {{ .secret.name }}-volume - secret: - secretName: {{ .secret.name }} - {{- end }} - {{- end }} - {{- end }} - - {{- 
if .Values.additionalVolumes }} - {{- toYaml .Values.additionalVolumes | nindent 6 }} - {{- end }} - - serviceAccountName: {{ include "nats.serviceAccountName" . }} - {{- if hasKey .Values.nats "automountServiceAccountToken" }} - automountServiceAccountToken: {{ .Values.nats.automountServiceAccountToken }} - {{- end }} - - # Required to be able to HUP signal and apply config - # reload to the server without restarting the pod. - shareProcessNamespace: true - - {{- if and .Values.nats.externalAccess .Values.nats.advertise }} - # Initializer container required to be able to lookup - # the external ip on which this node is running. - initContainers: - - name: bootconfig - command: - - nats-pod-bootconfig - - -f - - /etc/nats-config/advertise/client_advertise.conf - - -gf - - /etc/nats-config/advertise/gateway_advertise.conf - env: - - name: KUBERNETES_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - image: {{ include "nats.image" .Values.bootconfig.image }} - imagePullPolicy: {{ .Values.bootconfig.image.pullPolicy }} - {{- if .Values.bootconfig.securityContext }} - securityContext: - {{- toYaml .Values.bootconfig.securityContext | nindent 10 }} - {{- end }} - resources: - {{- toYaml .Values.bootconfig.resources | nindent 10 }} - volumeMounts: - - mountPath: /etc/nats-config/advertise - name: advertiseconfig - subPath: advertise - {{- end }} - - ################# - # # - # NATS Server # - # # - ################# - terminationGracePeriodSeconds: {{ .Values.nats.terminationGracePeriodSeconds }} - containers: - - name: nats - image: {{ include "nats.image" .Values.nats.image }} - imagePullPolicy: {{ .Values.nats.image.pullPolicy }} - {{- if .Values.nats.securityContext }} - securityContext: - {{- toYaml .Values.nats.securityContext | nindent 10 }} - {{- end }} - resources: - {{- toYaml .Values.nats.resources | nindent 10 }} - ports: - - containerPort: {{ .Values.nats.client.port }} - name: {{ .Values.nats.client.portName }} - {{- if 
.Values.nats.externalAccess }} - hostPort: {{ .Values.nats.client.port }} - {{- end }} - {{- if .Values.leafnodes.enabled }} - - containerPort: {{ .Values.leafnodes.port }} - name: leafnodes - {{- if .Values.nats.externalAccess }} - hostPort: {{ .Values.leafnodes.port }} - {{- end }} - {{- end }} - {{- if .Values.gateway.enabled }} - - containerPort: {{ .Values.gateway.port }} - name: gateways - {{- if .Values.nats.externalAccess }} - hostPort: {{ .Values.gateway.port }} - {{- end }} - {{- end }} - - containerPort: 6222 - name: cluster - - containerPort: 8222 - name: monitor - {{- if .Values.mqtt.enabled }} - - containerPort: 1883 - name: mqtt - {{- if .Values.nats.externalAccess }} - hostPort: 1883 - {{- end }} - {{- end }} - {{- if .Values.websocket.enabled }} - - containerPort: {{ .Values.websocket.port }} - name: websocket - {{- if .Values.nats.externalAccess }} - hostPort: {{ .Values.websocket.port }} - {{- end }} - {{- end }} - {{- if .Values.nats.profiling.enabled }} - - containerPort: {{ .Values.nats.profiling.port }} - name: profiling - {{- end }} - - command: - - "nats-server" - - "--config" - - "/etc/nats-config/nats.conf" - {{- if .Values.nats.profiling.enabled }} - - "--profile={{ .Values.nats.profiling.port }}" - {{- end }} - - # Required to be able to define an environment variable - # that refers to other environment variables. This env var - # is later used as part of the configuration file. - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: SERVER_NAME - value: {{ .Values.nats.serverNamePrefix }}$(POD_NAME) - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CLUSTER_ADVERTISE - value: {{ include "nats.clusterAdvertise" . 
}} - {{- if .Values.nats.gomemlimit }} - - name: GOMEMLIMIT - value: {{ .Values.nats.gomemlimit | quote }} - {{- end }} - {{- if .Values.nats.extraEnv }} - {{- toYaml .Values.nats.extraEnv | nindent 8 }} - {{- end }} - - {{- if .Values.nats.jetstream.enabled }} - {{- with .Values.nats.jetstream.encryption }} - {{- with .secret }} - - name: JS_KEY - valueFrom: - secretKeyRef: - name: {{ .name }} - key: {{ .key }} - {{- end }} - {{- end }} - {{- end }} - volumeMounts: - - name: config-volume - mountPath: /etc/nats-config - - name: pid - mountPath: /var/run/nats - {{- if and .Values.nats.externalAccess .Values.nats.advertise }} - - mountPath: /etc/nats-config/advertise - name: advertiseconfig - subPath: advertise - {{- end }} - - {{- /* User extended config volumes*/}} - {{- range .Values.nats.config }} - # User extended config volumes - - name: {{ .name }} - mountPath: /etc/nats-config/{{ .name }} - {{- end }} - - - {{- if and .Values.auth.enabled .Values.auth.resolver }} - {{- if eq .Values.auth.resolver.type "memory" }} - - name: resolver-volume - mountPath: /etc/nats-config/accounts - {{- end }} - - {{- if eq .Values.auth.resolver.type "full" }} - {{- if .Values.auth.resolver.configMap }} - - name: resolver-volume - mountPath: /etc/nats-config/accounts - {{- end }} - {{- if and .Values.auth.resolver .Values.auth.resolver.store }} - - name: nats-jwt-pvc - mountPath: {{ .Values.auth.resolver.store.dir }} - {{- end }} - {{- end }} - - {{- if eq .Values.auth.resolver.type "URL" }} - - name: operator-jwt-volume - mountPath: /etc/nats-config/operator - {{- end }} - {{- end }} - - {{- if and .Values.nats.jetstream.enabled .Values.nats.jetstream.fileStorage.enabled }} - - name: {{ include "nats.fullname" . }}-js-pvc - mountPath: {{ .Values.nats.jetstream.fileStorage.storageDirectory }} - {{- end }} - - {{- include "nats.tlsVolumeMounts" . 
| nindent 8 }} - - {{- if .Values.leafnodes.enabled }} - # - # Leafnode credential volumes - # - {{- range .Values.leafnodes.remotes }} - {{- with .credentials }} - - name: {{ .secret.name }}-volume - mountPath: /etc/nats-creds/{{ .secret.name }} - {{- end }} - {{- with .tls }} - - name: {{ .secret.name }}-volume - mountPath: /etc/nats-certs/leafnodes/{{ .secret.name }} - {{- end }} - {{- end }} - {{- end }} - - {{- if .Values.additionalVolumeMounts }} - {{- toYaml .Values.additionalVolumeMounts | nindent 8 }} - {{- end }} - - ####################### - # # - # Healthcheck Probes # - # # - ####################### - {{- if .Values.nats.healthcheck }} - {{- $serverVersion := .Values.nats.image.tag | regexFind "\\d+(\\.\\d+)?(\\.\\d+)?" | default "2.9.0" }} - {{- $enableHealthzStartup := and .Values.nats.healthcheck.enableHealthz (or (not .Values.nats.healthcheck.detectHealthz) (semverCompare ">=2.7.1" $serverVersion)) }} - {{- $enableHealthzLivenessReadiness := and .Values.nats.healthcheck.enableHealthzLivenessReadiness (or (not .Values.nats.healthcheck.detectHealthz) (semverCompare ">=2.9.0" $serverVersion)) }} - {{- $healthzStartupEndpoint := "/healthz" }} - {{- $healthzLivenessEndpoint := "/healthz?js-enabled-only=true" }} - {{- $healthzReadinessEndpoint := "/healthz?js-server-only=true" }} - - {{- /* healthz options behaved differently in 2.9.0 - 2.9.9 https://github.com/nats-io/nats-server/pull/3704 */}} - {{- if (semverCompare "<=2.9.9" $serverVersion) }} - {{- $healthzLivenessEndpoint = "/healthz?js-server-only=true" }} - {{- $healthzReadinessEndpoint = "/healthz?js-server-only=true" }} - {{- if .Values.nats.jetstream.enabled }} - {{- $healthzLivenessEndpoint = print $healthzLivenessEndpoint "&js-enabled=true" }} - {{- $healthzReadinessEndpoint = print $healthzReadinessEndpoint "&js-enabled=true" }} - {{- end }} - {{- end }} - - {{- with .Values.nats.healthcheck.liveness }} - {{- if .enabled }} - livenessProbe: - {{- $probe := merge (dict) . 
}} - {{- $_ := unset $probe "enabled" }} - {{- $probeDefault := dict "httpGet" (dict "path" "/" "port" 8222) }} - {{- if $enableHealthzLivenessReadiness }} - # for NATS server versions >=2.9.0, {{ $healthzLivenessEndpoint }} will be enabled - # liveness probe checks that the JS server is enabled - {{- $_ := set $probeDefault.httpGet "path" $healthzLivenessEndpoint }} - {{- end }} - {{- $probe := merge $probe $probeDefault }} - {{- toYaml $probe | nindent 10}} - {{- end }} - {{- end }} - - {{- with .Values.nats.healthcheck.readiness }} - {{- if .enabled }} - readinessProbe: - {{- $probe := merge (dict) . }} - {{- $_ := unset $probe "enabled" }} - {{- $probeDefault := dict "httpGet" (dict "path" "/" "port" 8222) }} - {{- if $enableHealthzLivenessReadiness }} - # for NATS server versions >=2.9.0, {{ $healthzReadinessEndpoint }} will be enabled - # readiness probe checks that the JS server is enabled, and is current with the meta leader - {{- $_ := set $probeDefault.httpGet "path" $healthzReadinessEndpoint }} - {{- end }} - {{- $probe := merge $probe $probeDefault }} - {{- toYaml $probe | nindent 10}} - {{- end }} - {{- end }} - - {{- with .Values.nats.healthcheck.startup }} - {{- if .enabled }} - startupProbe: - {{- $probe := merge (dict) . }} - {{- $_ := unset $probe "enabled" }} - {{- $probeDefault := dict "httpGet" (dict "path" "/" "port" 8222) }} - {{- if $enableHealthzStartup }} - # for NATS server versions >=2.7.1, {{ $healthzStartupEndpoint}} will be enabled - # startup probe checks that the JS server is enabled, is current with the meta leader, - # and that all streams and consumers assigned to this JS server are current - {{- $_ := set $probeDefault.httpGet "path" $healthzStartupEndpoint }} - {{- end }} - {{- $probe := merge $probe $probeDefault }} - {{- toYaml $probe | nindent 10}} - {{- end }} - {{- end }} - - {{- end }} - - # Gracefully stop NATS Server on pod deletion or image upgrade. 
- # - lifecycle: - preStop: - exec: - # send the lame duck shutdown signal to trigger a graceful shutdown - # nats-server will ignore the TERM signal it receives after this - # - command: - - "nats-server" - - "-sl=ldm=/var/run/nats/nats.pid" - - ################################# - # # - # NATS Configuration Reloader # - # # - ################################# - {{- if .Values.reloader.enabled }} - - name: reloader - image: {{ include "nats.image" .Values.reloader.image }} - imagePullPolicy: {{ .Values.reloader.image.pullPolicy }} - {{- if .Values.reloader.securityContext }} - securityContext: - {{- toYaml .Values.reloader.securityContext | nindent 10 }} - {{- end }} - resources: - {{- toYaml .Values.reloader.resources | nindent 10 }} - command: - - "nats-server-config-reloader" - - "-pid" - - "/var/run/nats/nats.pid" - - "-config" - - "/etc/nats-config/nats.conf" - {{- with .Values.nats.tls }} - {{- $nats_tls := merge (dict) . }} - {{- $_ := set $nats_tls "secretPath" "/etc/nats-certs/clients" }} - {{- tpl (include "nats.tlsReloaderArgs" $nats_tls) $ | nindent 8}} - {{- end }} - {{- with .Values.cluster.tls }} - {{- $nats_tls := merge (dict) . }} - {{- $_ := set $nats_tls "secretPath" "/etc/nats-certs/cluster" }} - {{- tpl (include "nats.tlsReloaderArgs" $nats_tls) $ | nindent 8}} - {{- end }} - {{- range .Values.reloader.extraConfigs }} - - "-config" - - {{ . | quote }} - {{- end }} - {{- range .Values.nats.config }} - - "-config" - - "/etc/nats-config/{{ .name }}/{{ .name }}.conf" - {{- end}} - volumeMounts: - - name: config-volume - mountPath: /etc/nats-config - - name: pid - mountPath: /var/run/nats - {{- include "nats.tlsVolumeMounts" . 
| nindent 8 }} - {{- if .Values.additionalVolumeMounts }} - {{- toYaml .Values.additionalVolumeMounts | nindent 8 }} - {{- end }} - {{- /* User extended config volumes*/}} - {{- range .Values.nats.config }} - # User extended config volumes - - name: {{ .name }} - mountPath: /etc/nats-config/{{ .name }} - {{- end }} - {{- end }} - - ############################## - # # - # NATS Prometheus Exporter # - # # - ############################## - {{- if .Values.exporter.enabled }} - - name: metrics - image: {{ include "nats.image" .Values.exporter.image }} - imagePullPolicy: {{ .Values.exporter.image.pullPolicy }} - {{- if .Values.exporter.securityContext }} - securityContext: - {{- toYaml .Values.exporter.securityContext | nindent 10 }} - {{- end }} - resources: - {{- toYaml .Values.exporter.resources | nindent 10 }} - args: - {{- if .Values.exporter.args }} - {{- toYaml .Values.exporter.args | nindent 8 }} - {{- else }} - - -connz - - -routez - - -subz - - -varz - - -prefix=nats - - -use_internal_server_id - {{- if .Values.nats.jetstream.enabled }} - - -jsz=all - {{- end }} - {{- if .Values.leafnodes.enabled }} - - -leafz - {{- end }} - {{- if .Values.gateway.enabled }} - - -gatewayz - {{- end }} - - http://localhost:8222/ - {{- end }} - ports: - - containerPort: 7777 - name: {{ .Values.exporter.portName }} - {{- end }} - - {{- if .Values.additionalContainers }} - {{- toYaml .Values.additionalContainers | nindent 6 }} - {{- end }} - - volumeClaimTemplates: - {{- if eq .Values.auth.resolver.type "full" }} - {{- if and .Values.auth.resolver .Values.auth.resolver.store }} - ##################################### - # # - # Account Server Embedded JWT # - # # - ##################################### - - metadata: - name: nats-jwt-pvc - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: {{ .Values.auth.resolver.store.size }} - {{- if .Values.auth.resolver.store.storageClassName }} - storageClassName: {{ .Values.auth.resolver.store.storageClassName | quote 
}} - {{- end }} - {{- end }} - {{- end }} - - {{- if and .Values.nats.jetstream.enabled .Values.nats.jetstream.fileStorage.enabled (not .Values.nats.jetstream.fileStorage.existingClaim) }} - ##################################### - # # - # Jetstream New Persistent Volume # - # # - ##################################### - - metadata: - name: {{ include "nats.fullname" . }}-js-pvc - {{- if .Values.nats.jetstream.fileStorage.annotations }} - annotations: - {{- toYaml .Values.nats.jetstream.fileStorage.annotations | nindent 10 }} - {{- end }} - spec: - accessModes: - {{- toYaml .Values.nats.jetstream.fileStorage.accessModes | nindent 10 }} - resources: - requests: - storage: {{ .Values.nats.jetstream.fileStorage.size }} - {{- if .Values.nats.jetstream.fileStorage.storageClassName }} - storageClassName: {{ .Values.nats.jetstream.fileStorage.storageClassName | quote }} - {{- end }} - {{- end }} diff --git a/charts/nats/nats/templates/tests/request-reply.yaml b/charts/nats/nats/templates/tests/request-reply.yaml new file mode 100644 index 000000000..4ce2bf83c --- /dev/null +++ b/charts/nats/nats/templates/tests/request-reply.yaml 
@@ -0,0 +1,35 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.natsBox | deepCopy }}
+{{- $natsBox := . }}
+{{- if .enabled -}}
+apiVersion: v1
+kind: Pod
+{{- with .container }}
+{{- $_ := set . "merge" (dict
+ "args" (list
+ "nats reply --echo echo & pid=\"$!\"; sleep 1; nats request echo hi > /tmp/resp; kill \"$pid\"; wait; grep -qF hi /tmp/resp"
+ )
+) }}
+{{- $_ := set . "patch" list }}
+{{- end }}
+{{- with .podTemplate }}
+{{- $_ := set . "merge" (dict
+ "metadata" (dict
+ "name" (printf "%s-test-request-reply" $.Values.statefulSet.name)
+ "labels" (dict
+ "app.kubernetes.io/component" "test-request-reply"
+ )
+ "annotations" (dict
+ "helm.sh/hook" "test"
+ "helm.sh/hook-delete-policy" "before-hook-creation,hook-succeeded"
+ )
+ )
+ "spec" (dict
+ "restartPolicy" "Never"
+ )
+) }}
+{{- $_ := set . "patch" list }}
+{{ include "nats.loadMergePatch" (merge (dict "file" "nats-box/deployment/pod-template.yaml" "ctx" (merge (dict "Values" (dict "natsBox" $natsBox)) $)) .) }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nats/nats/templates/tests/test-request-reply.yaml b/charts/nats/nats/templates/tests/test-request-reply.yaml
deleted file mode 100644
index 829aca29e..000000000
--- a/charts/nats/nats/templates/tests/test-request-reply.yaml
+++ /dev/null
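Review bot: The test command in the `"args"` list relies on a fixed `sleep 1` for the `nats reply` subscription to be established before `nats request echo hi` is sent, so on a slow or busy cluster the request can see no responder and the hook fails spuriously rather than because request/reply is broken. A bounded retry is more robust, e.g. replace `sleep 1; nats request echo hi > /tmp/resp;` with `for i in 1 2 3 4 5; do sleep 1; nats request echo hi > /tmp/resp 2>/dev/null && break; done;`, which assumes `nats request` exits non-zero when it receives no reply. Separately, `set . "merge" (...)` and `set . "patch" list` on the deep-copied `.container` and `.podTemplate` overwrite any `natsBox.container.merge`/`patch` and `natsBox.podTemplate.merge`/`patch` a user has configured, so settings such as nodeSelector, tolerations or imagePullSecrets that the nats-box Deployment receives will not apply to the test Pod; if that is intentional it deserves a comment, otherwise the user-provided maps should be merged with, not replaced by, the test-specific values. The referenced `nats-box/deployment/pod-template.yaml` and `nats.loadMergePatch` are outside this diff, so whether the container's default command is a shell (required for the single-string args) cannot be confirmed here.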
@@ -1,31 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "nats.fullname" . }}-test-request-reply" - labels: - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - app: {{ include "nats.fullname" . }}-test-request-reply - annotations: - "helm.sh/hook": test -spec: - containers: - - name: nats-box - image: {{ include "nats.image" .Values.natsbox.image }} - env: - - name: NATS_HOST - value: {{ template "nats.fullname" . }} - command: - - /bin/sh - - -ec - - | - nats reply -s nats://$NATS_HOST:{{ .Values.nats.client.port }} 'name.>' --command "echo {{1}}" & - - | - "&&" - - | - name=$(nats request -s nats://$NATS_HOST:{{ .Values.nats.client.port }} name.test '' 2>/dev/null) - - | - "&&" - - | - [ $name = test ] - - restartPolicy: Never diff --git a/charts/nats/nats/values.yaml b/charts/nats/nats/values.yaml index 6f5bdf260..56a63fcbe 100644 --- a/charts/nats/nats/values.yaml +++ b/charts/nats/nats/values.yaml 
@@ -1,827 +1,665 @@ -############################### -# # -# NATS Server Configuration # -# # -############################### -nats: +################################################################################ +# Global options +################################################################################ +global: image: - repository: nats - tag: 2.9.20-alpine - pullPolicy: IfNotPresent - # registry: docker.io + # global image pull policy to use for all container images in the chart + # can be overridden by individual image pullPolicy + pullPolicy: + # global registry to use for all container images in the chart + # can be overridden by individual image registry + registry: - # The servers name prefix, must be used for example when we want a NATS cluster - # spanning multiple Kubernetes clusters. - serverNamePrefix: "" + # global labels will be applied to all resources deployed by the chart + labels: {} - # Server Tags - serverTags: - # - "foo" - # - "bar" +################################################################################ +# Common options +################################################################################ +# override name of the chart +nameOverride: +# override full name of the chart+release +fullnameOverride: +# override the namespace that resources are installed into +namespaceOverride: - # Sets GOMEMLIMIT environment variable which makes the Go GC be aware of memory limits - # from the container. Recommended to be set to about 90% of the resource memory limits. 
- # - # More info about the Go GC: https://go.dev/doc/gc-guide - # - # gomemlimit: "4GiB" +# reference a common CA Certificate or Bundle in all nats config `tls` blocks and nats-box contexts +# note: `tls.verify` still must be set in the appropriate nats config `tls` blocks to require mTLS +tlsCA: + enabled: false + # set configMapName in order to mount an existing configMap to dir + configMapName: + # set secretName in order to mount an existing secretName to dir + secretName: + # directory to mount the configMap or secret to + dir: /etc/nats-ca-cert + # key in the configMap or secret that contains the CA Certificate or Bundle + key: ca.crt - # Toggle profiling. - # This enables nats-server pprof (profiling) port, so you can see goroutines - # stacks, memory heap sizes, etc. - profiling: +################################################################################ +# NATS Stateful Set and associated resources +################################################################################ + +############################################################ +# NATS config +############################################################ +config: + cluster: enabled: false - port: 6000 + port: 6222 + # must be 2 or higher when jetstream is enabled + replicas: 3 - # Toggle using health check probes to better detect failures. 
- healthcheck: - # /healthz health check endpoint was introduced in NATS Server 2.7.1 - # Attempt to detect /healthz support by inspecting if tag is >=2.7.1 - detectHealthz: true - # Enable /healthz startupProbe for controlled upgrades of NATS JetStream - enableHealthz: true - # Enable /healthz liveness and readiness probes (supported in >=2.9.0) - # This is a feature flag and will be removed in future releases - enableHealthzLivenessReadiness: false + # apply to generated route URLs that connect to other pods in the StatefulSet + routeURLs: + # if both user and password are set, they will be added to route URLs + # and the cluster authorization block + user: + password: + # set to true to use FQDN in route URLs + useFQDN: false + k8sClusterDomain: cluster.local - # Enable liveness checks. If this fails, then the NATS Server will restarted. - liveness: - enabled: true + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + secretName: + dir: /etc/nats-certs/cluster + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] - initialDelaySeconds: 10 - timeoutSeconds: 5 - # NOTE: liveness check + terminationGracePeriodSeconds can introduce unnecessarily long outages - # due to the coupling between liveness probe and terminationGracePeriodSeconds. - # To avoid this, we make the periodSeconds of the liveness check to be about half the default - # time that it takes for lame duck graceful stop. - # - # In case of using Kubernetes +1.22 with probe-level terminationGracePeriodSeconds - # we could revise this but for now keep a minimal liveness check. 
- # - # More info: - # - # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#probe-level-terminationgraceperiodseconds - # https://github.com/kubernetes/kubernetes/issues/64715 - # - periodSeconds: 30 - successThreshold: 1 - failureThreshold: 3 - - # Override the health check path - # httpGet: - # path: /healthz?js-enabled=true - - # Only for Kubernetes +1.22 that have pod level probes enabled. - # terminationGracePeriodSeconds: 5 - - # Periodically check for the server to be ready for connections while - # the NATS container is running. - readiness: - enabled: true - - initialDelaySeconds: 10 - timeoutSeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - - # Override the health check path - # httpGet: - # path: /healthz?js-server-only=true - - # Enable startup checks to confirm server is ready for traffic. - # This is recommended for JetStream deployments since in cluster mode - # it will try to ensure that the server is ready to serve streams. - startup: - enabled: true - - initialDelaySeconds: 10 - timeoutSeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 90 - - # Override the health check path - # httpGet: - # path: /healthz - - ## hostNetwork - hostNetwork: false - - ## Pod Dns Policy. Default is ClusterFirst - ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy - dnsPolicy: ClusterFirst - - # Adds a hash of the ConfigMap as a pod annotation - # This will cause the StatefulSet to roll when the ConfigMap is updated - configChecksumAnnotation: true - - # securityContext for the nats container - securityContext: {} - - # Toggle whether to enable external access. - # This binds a host port for clients, gateways and leafnodes. - externalAccess: false - - # Toggle to disable client advertisements (connect_urls), - # in case of running behind a load balancer - # it might be required to disable advertisements. 
- advertise: true - - # In case both external access and advertise are enabled - # then a service account would be required to be able to - # gather the public ip from a node. - serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - - # Toggle whether to automatically mount Service Account token in the pod - # not set means default value, boolean true/false overrides default value - # automountServiceAccountToken: true - - # The number of connect attempts against discovered routes. - connectRetries: 120 - - # selector matchLabels for the server and service. - # If left empty defaults are used. - # This is helpful if you are updating from Chart version <=7.4 - selectorLabels: {} - - # Resources to add to the container - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: {} - - client: - port: 4222 - portName: "client" - - # extraEnv is the list of environment variables to add to the nats-server container - extraEnv: [] - - # Server settings. - limits: - maxConnections: - maxSubscriptions: - maxControlLine: - maxPayload: - - writeDeadline: - maxPending: - maxPings: - - # How many seconds should pass before sending a PING - # to a client that has no activity. 
- pingInterval: - - # grace period after pod begins shutdown before starting to close client connections - lameDuckGracePeriod: "10s" - - # duration over which to slowly close close client connections after lameDuckGracePeriod has passed - lameDuckDuration: "30s" - - # terminationGracePeriodSeconds determines how long to wait for graceful shutdown - # this should be at least `lameDuckGracePeriod` + `lameDuckDuration` + 20s shutdown overhead - terminationGracePeriodSeconds: 60 - - logging: - debug: - trace: - logtime: - connectErrorReports: - reconnectErrorReports: - - # customConfigSecret can be used to use an custom secret for the config - # of the NATS Server. - # NOTE: For this to work the name of the configuration has to be - # called `nats.conf`. - # - # e.g. kubectl create secret generic custom-nats-conf --from-file nats.conf - # - # customConfigSecret: - # name: - # - # Alternately, the generated config can be extended with extra imports using the below syntax. - # The benefit of this is that cluster settings can be built up via helm values, but external - # secrets can be referenced and imported alongside it. 
- # - # config: - # : - # - # name: "" - # - # e.g: - # - # config: - # - name: ssh-key - # secret: - # secretName: ssh-key - # - name: config-vol - # configMap: - # name: log-config - - # mappings is used to configure subject mapping - # https://docs.nats.io/running-a-nats-service/configuration/configuring_subject_mapping - # e.g: - # mappings: - # foo: bar - # foo.cluster.scoped: - # - destination: bar.cluster.scoped - # weight: 70% - # cluster: us-west-1 - # - destination: foobar.cluster.scoped - # weight: 30% - # cluster: us-east-1 - mappings: {} + # merge or patch the cluster config + # https://docs.nats.io/running-a-nats-service/configuration/clustering/cluster_config + merge: {} + patch: [] jetstream: enabled: false - # Jetstream Domain - domain: + fileStore: + enabled: true + dir: /data - # Jetstream Unique Tag prevent placing a stream in the same availability zone twice. - uniqueTag: + ############################################################ + # stateful set -> volume claim templates -> jetstream pvc + ############################################################ + pvc: + enabled: true + size: 10Gi + storageClassName: - max_outstanding_catchup: + # merge or patch the jetstream pvc + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-js" + name: - ########################## - # # - # Jetstream Encryption # - # # - ########################## - encryption: - # Use key if you want to provide the key via Helm Values - # key: random_key + # defaults to the PVC size + maxSize: - # Use a secret reference if you want to get a key from a secret - # secret: - # name: "nats-jetstream-encryption" - # key: "key" + memoryStore: + enabled: false + # ensure that container has a sufficient memory limit greater than maxSize + maxSize: 1Gi - # Use cipher if you want to choose a different cipher from the default. 
- # cipher: aes + # merge or patch the jetstream config + # https://docs.nats.io/running-a-nats-service/configuration#jetstream + merge: {} + patch: [] - ############################# - # # - # Jetstream Memory Storage # - # # - ############################# - memStorage: + nats: + port: 4222 + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + secretName: + dir: /etc/nats-certs/nats + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + leafnodes: + enabled: false + port: 7422 + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + secretName: + dir: /etc/nats-certs/leafnodes + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + # merge or patch the leafnodes config + # https://docs.nats.io/running-a-nats-service/configuration/leafnodes/leafnode_conf + merge: {} + patch: [] + + websocket: + enabled: false + port: 8080 + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + secretName: + dir: /etc/nats-certs/websocket + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + ############################################################ + # ingress + ############################################################ + # service must be enabled also + ingress: + enabled: false + # must contain at least 1 host otherwise ingress will not be created + hosts: [] + path: / + pathType: Exact + # sets to the ingress class name + className: + # set to an existing secret name to enable TLS on the ingress; applies to all hosts + tlsSecretName: + + # merge or patch the ingress + # 
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#ingress-v1-networking-k8s-io + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-ws" + name: + + # merge or patch the websocket config + # https://docs.nats.io/running-a-nats-service/configuration/websocket/websocket_conf + merge: {} + patch: [] + + mqtt: + enabled: false + port: 1883 + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + secretName: + dir: /etc/nats-certs/mqtt + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + # merge or patch the mqtt config + # https://docs.nats.io/running-a-nats-service/configuration/mqtt/mqtt_config + merge: {} + patch: [] + + gateway: + enabled: false + port: 7222 + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + secretName: + dir: /etc/nats-certs/gateway + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + # merge or patch the gateway config + # https://docs.nats.io/running-a-nats-service/configuration/gateways/gateway#gateway-configuration-block + merge: {} + patch: [] + + monitor: + enabled: true + port: 8222 + tls: + # config.nats.tls must be enabled also + # when enabled, monitoring port will use HTTPS with the options from config.nats.tls + enabled: false + + profiling: + enabled: false + port: 65432 + + resolver: + enabled: false + dir: /data/resolver + + ############################################################ + # stateful set -> volume claim templates -> resolver pvc + ############################################################ + pvc: enabled: true size: 1Gi + storageClassName: - ############################ - # # - # Jetstream File Storage # - # # - ############################ - fileStorage: - enabled: true - 
storageDirectory: /data + # merge or patch the pvc + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-resolver" + name: - # Set for use with existing PVC - # existingClaim: jetstream-pvc - # claimStorageSize: 10Gi + # merge or patch the resolver + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro/jwt/resolver + merge: {} + patch: [] - # Use below block to create new persistent volume - # only used if existingClaim is not specified - size: 10Gi - # storageClassName: "" - accessModes: - - ReadWriteOnce - annotations: - # key: "value" + # adds a prefix to the server name, which defaults to the pod name + # helpful for ensuring server name is unique in a super cluster + serverNamePrefix: "" - # Use below if fileStorage is not enabled but you are persisting - # data using an alternative to PVC (e.g. hostPath) - # These set the corresponding jetstream configuration in nats.conf. - # store_dir: "/data" - # max_file: "10Gi" - - ####################### - # # - # TLS Configuration # - # # - ####################### + # merge or patch the nats config + # https://docs.nats.io/running-a-nats-service/configuration + # following special rules apply + # 1. strings that start with << and end with >> will be unquoted + # use this for variables and numbers with units + # 2. 
keys ending in $include will be switched to include directives + # keys are sorted alphabetically, use prefix before $includes to control includes ordering + # paths should be relative to /etc/nats-config/nats.conf + # example: # - # # You can find more on how to setup and trouble shoot TLS connnections at: - # - # # https://docs.nats.io/nats-server/configuration/securing_nats/tls + # merge: + # $include: ./my-config.conf + # zzz$include: ./my-config-last.conf + # server_name: nats + # authorization: + # token: << $TOKEN >> + # jetstream: + # max_memory_store: << 1GB >> # + # will yield the config: + # { + # include ./my-config.conf; + # "authorization": { + # "token": $TOKEN + # }, + # "jetstream": { + # "max_memory_store": 1GB + # }, + # "server_name": "nats", + # include ./my-config-last.conf; + # } + merge: {} + patch: [] - # tls: - # allowNonTLS: false - # secret: - # name: nats-client-tls - # ca: "ca.crt" - # cert: "tls.crt" - # key: "tls.key" - -mqtt: - enabled: false - ackWait: 1m - maxAckPending: 100 - - ####################### - # # - # TLS Configuration # - # # - ####################### - # - # # You can find more on how to setup and trouble shoot TLS connnections at: - # - # # https://docs.nats.io/nats-server/configuration/securing_nats/tls - # - - # - # tls: - # secret: - # name: nats-mqtt-tls - # ca: "ca.crt" - # cert: "tls.crt" - # key: "tls.key" - -nameOverride: "" -namespaceOverride: "" - -# An array of imagePullSecrets, and they have to be created manually in the same namespace -# ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ -imagePullSecrets: [] - -# Toggle whether to use setup a Pod Security Context -# ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -securityContext: {} -# securityContext: -# fsGroup: 1000 -# runAsUser: 1000 -# runAsNonRoot: true - -# Affinity for pod assignment -# ref: 
https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -affinity: {} - -## Pod priority class name -## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass -priorityClassName: null - -# Service topology -# ref: https://kubernetes.io/docs/concepts/services-networking/service-topology/ -topologyKeys: [] - -# Pod Topology Spread Constraints -# ref https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ -topologySpreadConstraints: [] -# - maxSkew: 1 -# topologyKey: zone -# whenUnsatisfiable: DoNotSchedule - -# Annotations to add to the NATS pods -# ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -podAnnotations: {} -# key: "value" - -# Define a Pod Disruption Budget for the stateful set -# ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ -podDisruptionBudget: - enabled: true - maxUnavailable: 1 - # minAvailable: 1 - -# Node labels for pod assignment -# Ref: https://kubernetes.io/docs/user-guide/node-selection/ -nodeSelector: {} - -# Node tolerations for server scheduling to nodes with taints -# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ -# -tolerations: [] -# - key: "key" -# operator: "Equal|Exists" -# value: "value" -# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - -# Annotations to add to the NATS StatefulSet -statefulSetAnnotations: {} - -# Labels to add to the pods of the NATS StatefulSet -statefulSetPodLabels: {} - -# Annotations to add to the NATS Service -serviceAnnotations: {} - -# additionalContainers are the sidecar containers to add to the NATS StatefulSet -additionalContainers: [] - -# additionalVolumes are the additional volumes to add to the NATS StatefulSet -additionalVolumes: [] - -# additionalVolumeMounts are the additional volume mounts to add to the nats-server and nats-server-config-reloader containers -additionalVolumeMounts: [] - -cluster: - 
enabled: false - replicas: 3 - noAdvertise: false - - # Explicitly set routes for clustering. - # When JetStream is enabled, the serverName must be unique in the cluster. - extraRoutes: [] - - # authorization: - # user: foo - # password: pwd - # timeout: 0.5 - -# Leafnode connections to extend a cluster: -# -# https://docs.nats.io/nats-server/configuration/leafnodes -# -leafnodes: - enabled: false - port: 7422 - noAdvertise: false - # remotes: - # - url: "tls://connect.ngs.global:7422" - - ####################### - # # - # TLS Configuration # - # # - ####################### - # - # # You can find more on how to setup and trouble shoot TLS connnections at: - # - # # https://docs.nats.io/nats-server/configuration/securing_nats/tls - # - - # - # tls: - # secret: - # name: nats-client-tls - # ca: "ca.crt" - # cert: "tls.crt" - # key: "tls.key" - -# Gateway connections to create a super cluster -# -# https://docs.nats.io/nats-server/configuration/gateways -# -gateway: - enabled: false - port: 7522 - name: "default" - # authorization: - # user: foo - # password: pwd - # timeout: 0.5 - # rejectUnknownCluster: false - - # You can add an implicit advertise address instead of using from Node's IP - # could also be a fqdn address - # advertise: "nats.example.com" - - ############################# - # # - # List of remote gateways # - # # - ############################# - # gateways: - # - name: other - # url: nats://my-gateway-url:7522 - - ####################### - # # - # TLS Configuration # - # # - ####################### - # - # # You can find more on how to setup and trouble shoot TLS connnections at: - # - # # https://docs.nats.io/nats-server/configuration/securing_nats/tls - # - # tls: - # secret: - # name: nats-client-tls - # ca: "ca.crt" - # cert: "tls.crt" - # key: "tls.key" - -# In case of both external access and advertisements being -# enabled, an initializer container will be used to gather -# the public ips. 
-bootconfig: +############################################################ +# stateful set -> pod template -> nats container +############################################################ +container: image: - repository: natsio/nats-boot-config - tag: 0.11.0 - pullPolicy: IfNotPresent - # registry: docker.io + repository: nats + tag: 2.9.20-alpine + pullPolicy: + registry: - securityContext: {} + # container port options + # must be enabled in the config section also + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#containerport-v1-core + ports: + nats: {} + leafnodes: {} + websocket: {} + mqtt: {} + cluster: {} + gateway: {} + monitor: {} + profiling: {} - # Resources to add to the container - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: {} - -# NATS Box -# -# https://github.com/nats-io/nats-box -# -natsbox: - enabled: true - image: - repository: natsio/nats-box - tag: 0.13.8 - pullPolicy: IfNotPresent - # registry: docker.io - - securityContext: {} - - # Resources to add to the container - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: {} - - # Annotations to add to the natsbox deployment - # ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - annotations: {} - # key: "value" - - # Labels to add to the natsbox deployment - # ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - additionalLabels: {} - - # An array of imagePullSecrets, and they have to be created manually in the same namespace - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - imagePullSecrets: [] - # - name: dockerhub - - # credentials: - # secret: - # name: nats-sys-creds - # key: sys.creds - - # Annotations to add to the box pods - # ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - podAnnotations: {} - # key: "value" - - # 
Labels to add to the box pods - # ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - podLabels: {} - # key: "value" - - # Affinity for nats box pod assignment - # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - affinity: {} - - # Node labels for pod assignment - # Ref: https://kubernetes.io/docs/user-guide/node-selection/ - nodeSelector: {} - - # Node tolerations for server scheduling to nodes with taints - # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # map with key as env var name, value can be string or map + # example: # - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + # env: + # GOMEMLIMIT: 7GiB + # TOKEN: + # valueFrom: + # secretKeyRef: + # name: nats-auth + # key: token + env: {} - # Additional nats-box server Volume mounts - extraVolumeMounts: [] + # merge or patch the container + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core + merge: {} + patch: [] - # Additional nats-box server Volumes - extraVolumes: [] - - # Toggle whether to automatically mount Service Account token in the pod - # not set means default value, boolean true/false overrides default value - # automountServiceAccountToken: true - -# The NATS config reloader image to use. 
+############################################################ +# stateful set -> pod template -> reloader container +############################################################ reloader: enabled: true image: repository: natsio/nats-server-config-reloader tag: 0.11.0 - pullPolicy: IfNotPresent - # registry: docker.io + pullPolicy: + registry: - securityContext: {} + # env var map, see nats.env for an example + env: {} - # Resources to add to the container - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: {} + # all nats container volume mounts with the following prefixes + # will be mounted into the reloader container + natsVolumeMountPrefixes: + - /etc/ - extraConfigs: [] + # merge or patch the container + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core + merge: {} + patch: [] -# Prometheus NATS Exporter configuration. -exporter: - enabled: true +############################################################ +# stateful set -> pod template -> prom-exporter container +############################################################ +# config.monitor must be enabled +promExporter: + enabled: false image: repository: natsio/prometheus-nats-exporter tag: 0.12.0 - pullPolicy: IfNotPresent - # registry: docker.io + pullPolicy: + registry: - portName: metrics - securityContext: {} + port: 7777 + # env var map, see nats.env for an example + env: {} - # Resources to add to the container - # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: {} + # merge or patch the container + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core + merge: {} + patch: [] - # override the default args passed to the exporter - # see https://github.com/nats-io/prometheus-nats-exporter#usage - # make sure to pass HTTP monitoring port URL as last arg, e.g ["-connz", "http://localhost:8222/"] - args: [] - # Prometheus operator 
ServiceMonitor support. Exporter has to be enabled - serviceMonitor: + ############################################################ + # prometheus pod monitor + ############################################################ + podMonitor: enabled: false - ## Specify the namespace where Prometheus Operator is running - ## - # namespace: monitoring - labels: {} - annotations: {} - path: /metrics - # interval: - # scrapeTimeout: -# Authentication setup -auth: + # merge or patch the pod monitor + # https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}" + name: + + +############################################################ +# service +############################################################ +service: + enabled: true + + # service port options + # additional boolean field enable to control whether port is exposed in the service + # must be enabled in the config section also + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceport-v1-core + ports: + nats: + enabled: true + leafnodes: + enabled: true + websocket: + enabled: true + mqtt: + enabled: true + cluster: + enabled: false + gateway: + enabled: false + monitor: + enabled: false + profiling: + enabled: false + + # merge or patch the service + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}" + name: + +############################################################ +# other nats extension points +############################################################ + +# stateful set +statefulSet: + # merge or patch the stateful set + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#statefulset-v1-apps + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}" + name: + +# stateful set -> pod template +podTemplate: + # adds a hash of the ConfigMap 
as a pod annotation + # this will cause the StatefulSet to roll when the ConfigMap is updated + configChecksumAnnotation: true + + # map of topologyKey: topologySpreadConstraint + # labelSelector will be added to match StatefulSet pods + # + # topologySpreadConstraints: + # kubernetes.io/hostname: + # maxSkew: 1 + # + topologySpreadConstraints: {} + + # merge or patch the pod template + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core + merge: {} + patch: [] + +# headless service +headlessService: + # merge or patch the headless service + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-headless" + name: + +# config map +configMap: + # merge or patch the config map + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#configmap-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-config" + name: + +# pod disruption budget +podDisruptionBudget: + enabled: true + # merge or patch the pod disruption budget + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#poddisruptionbudget-v1-policy + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}" + name: + +# service account +serviceAccount: enabled: false + # merge or patch the service account + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceaccount-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}" + name: - # basic: - # noAuthUser: - # # List of users that can connect with basic auth, - # # that belong to the global account. 
- # users: - # defaultPermissions: - # publish: ["SANDBOX.*"] - # subscribe: ["SANDBOX.>"] +############################################################ +# natsBox +# +# NATS Box Deployment and associated resources +############################################################ +natsBox: + enabled: true - # # List of accounts with users that can connect - # # using basic auth. - # accounts: + ############################################################ + # NATS contexts + ############################################################ + contexts: + default: + creds: + # set contents in order to create a secret with the creds file contents + contents: + # set secretName in order to mount an existing secret to dir + secretName: + # defaults to /etc/nats-creds/ + dir: + key: nats.creds + nkey: + # set contents in order to create a secret with the nkey file contents + contents: + # set secretName in order to mount an existing secret to dir + secretName: + # defaults to /etc/nats-nkeys/ + dir: + key: nats.nk + # used to connect with client certificates + tls: + # set secretName in order to mount an existing secret to dir + secretName: + # defaults to /etc/nats-certs/ + dir: + cert: tls.crt + key: tls.key - # Reference to the Operator JWT. 
- # operatorjwt: - # configMap: - # name: operator-jwt - # key: KO.jwt + # merge or patch the context + # https://docs.nats.io/using-nats/nats-tools/nats_cli#nats-contexts + merge: {} + patch: [] - # Token authentication - # token: + # name of context to select by default + defaultContextName: default - # NKey authentication - # nkeys: - # users: + ############################################################ + # deployment -> pod template -> nats-box container + ############################################################ + container: + image: + repository: natsio/nats-box + tag: 0.13.5 + pullPolicy: + registry: - # Public key of the System Account - # systemAccount: + # env var map, see nats.env for an example + env: {} - resolver: - # Disables the resolver by default - type: none + # merge or patch the container + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core + merge: {} + patch: [] - ########################################## - # # - # Embedded NATS Account Server Resolver # - # # - ########################################## - # type: full + ############################################################ + # other nats-box extension points + ############################################################ - # If the resolver type is 'full', delete when enabled will rename the jwt. - allowDelete: false + # deployment + deployment: + # merge or patch the deployment + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#deployment-v1-apps + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-box" + name: - # Interval at which a nats-server with a nats based account resolver will compare - # it's state with one random nats based account resolver in the cluster and if needed, - # exchange jwt and converge on the same set of jwt. 
- interval: 2m + # deployment -> pod template + podTemplate: + # merge or patch the pod template + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core + merge: {} + patch: [] - # Operator JWT - operator: + # contexts secret + contextsSecret: + # merge or patch the context secret + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secret-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-box-contexts" + name: - # System Account Public NKEY - systemAccount: + # contents secret + contentsSecret: + # merge or patch the contents secret + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secret-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-box-contents" + name: - # resolverPreload: - # : + # service account + serviceAccount: + enabled: false + # merge or patch the service account + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceaccount-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-box" + name: - # Directory in which the account JWTs will be stored. - store: - dir: "/accounts/jwt" - # Size of the account JWT storage. - size: 1Gi - - # StorageClass of JWT storage claim. - # storageClassName: "" - - ############################## - # # - # Memory resolver settings # - # # - ############################## - # type: memory - # - # Use a configmap reference which will be mounted - # into the container. - # - # configMap: - # name: nats-accounts - # key: resolver.conf - - ########################## - # # - # URL resolver settings # - # # - ########################## - # type: URL - # url: "http://nats-account-server:9090/jwt/v1/accounts/" - -websocket: - enabled: false - port: 443 - noTLS: true - - sameOrigin: false - allowedOrigins: [] - - # This will optionally specify what host:port for websocket - # connections to be advertised in the cluster. 
- # advertise: "host:port" - - # Set the handshake timeout for websocket connections - # handshakeTimeout: 5s - -# Network Policy configuration -networkPolicy: - enabled: false - # Don't require client label for connections - # When set to false, only pods with the correct client label will have network access to the ports - # NATS is listening on. When true, NATS will accept connections from any source - # (with the correct destination port). - allowExternal: true - # Add extra ingress rules to the NetworkPolicy - # e.g: - # extraIngress: - # - ports: - # - port: 1234 - # from: - # - podSelector: - # - matchLabels: - # - role: frontend - # - podSelector: - # - matchExpressions: - # - key: role - # operator: In - # values: - # - frontend - extraIngress: [] - # Add extra ingress rules to the NetworkPolicy - # e.g: - # extraEgress: - # - ports: - # - port: 1234 - # to: - # - podSelector: - # - matchLabels: - # - role: frontend - # - podSelector: - # - matchExpressions: - # - key: role - # operator: In - # values: - # - frontend - extraEgress: [] - # Labels to match to allow traffic from other namespaces - ingressNSMatchLabels: {} - # Pod labels to match to allow traffic from other namespaces - ingressNSPodMatchLabels: {} - -# Cluster Domain configured on the kubelets -# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ -k8sClusterDomain: cluster.local - -# Define if NATS is using FQDN name for clustering (i.e. nats-0.nats.default.svc.cluster.local) or short name (i.e. nats-0.nats.default). -useFQDN: true - -# Add labels to all the deployed resources -commonLabels: {} - -# podManagementPolicy controls how pods are created during initial scale up, -# when replacing pods on nodes, or when scaling down. 
-podManagementPolicy: Parallel - -# Shared volume to be mounted in pods for pid -pidVolume: - emptyDir: {} - -# Shared volume to be mounted in pods for advertiseconfig -advertiseconfigVolume: - emptyDir: {} +################################################################################ +# Extra user-defined resources +################################################################################ +# +# add arbitrary user-generated resources +# example: +# +# config: +# websocket: +# enabled: true +# extraResources: +# - apiVersion: networking.istio.io/v1beta1 +# kind: VirtualService +# metadata: +# name: +# $tplYaml: > +# {{ include "nats.fullname" $ | quote }} +# labels: +# $tplYaml: | +# {{ include "nats.labels" $ }} +# spec: +# hosts: +# - demo.nats.io +# gateways: +# - my-gateway +# http: +# - name: default +# match: +# - name: root +# uri: +# exact: / +# route: +# - destination: +# host: +# $tplYaml: > +# {{ .Values.service.name | quote }} +# port: +# number: +# $tplYaml: > +# {{ .Values.config.websocket.port }} +# +extraResources: [] diff --git a/charts/new-relic/nri-bundle/Chart.lock b/charts/new-relic/nri-bundle/Chart.lock index b18b17b8e..25cb249bf 100644 --- a/charts/new-relic/nri-bundle/Chart.lock +++ b/charts/new-relic/nri-bundle/Chart.lock @@ -1,7 +1,7 @@ dependencies: - name: newrelic-infrastructure repository: https://newrelic.github.io/nri-kubernetes - version: 3.20.2 + version: 3.20.3 - name: nri-prometheus repository: https://newrelic.github.io/nri-prometheus version: 2.1.17 @@ -22,7 +22,7 @@ dependencies: version: 3.1.2 - name: newrelic-logging repository: https://newrelic.github.io/helm-charts - version: 1.16.1 + version: 1.18.1 - name: newrelic-pixie repository: https://newrelic.github.io/helm-charts version: 2.1.2 
@@ -32,5 +32,5 @@ dependencies: - name: newrelic-infra-operator repository: https://newrelic.github.io/newrelic-infra-operator version: 2.2.2 -digest: sha256:5fb36da47b85fc7492388df2d97c69e6adc0563ab62e025942323083858d6eed -generated: "2023-07-27T19:24:50.33978983Z" +digest: sha256:ade19c524ea42c1f7f584e54a58f32ff62b90382f5b2d5191dc664743f74da40 +generated: "2023-08-02T02:07:16.362898985Z" diff --git a/charts/new-relic/nri-bundle/Chart.yaml b/charts/new-relic/nri-bundle/Chart.yaml index 24c506773..c5a48a910 100644 --- a/charts/new-relic/nri-bundle/Chart.yaml +++ b/charts/new-relic/nri-bundle/Chart.yaml @@ -7,7 +7,7 @@ dependencies: - condition: infrastructure.enabled,newrelic-infrastructure.enabled name: newrelic-infrastructure repository: file://./charts/newrelic-infrastructure - version: 3.20.2 + version: 3.20.3 - condition: prometheus.enabled,nri-prometheus.enabled name: nri-prometheus repository: file://./charts/nri-prometheus @@ -35,7 +35,7 @@ dependencies: - condition: logging.enabled,newrelic-logging.enabled name: newrelic-logging repository: file://./charts/newrelic-logging - version: 1.16.1 + version: 1.18.1 - condition: newrelic-pixie.enabled name: newrelic-pixie repository: file://./charts/newrelic-pixie @@ -89,4 +89,4 @@ sources: - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-logging - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-pixie - https://github.com/newrelic/newrelic-infra-operator/tree/master/charts/newrelic-infra-operator -version: 5.0.24 +version: 5.0.25 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml index 0e0b5c1db..578d257ee 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 3.15.2 +appVersion: 3.15.3 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -35,4 +35,4 @@ sources: - https://github.com/newrelic/nri-kubernetes/ - https://github.com/newrelic/nri-kubernetes/tree/main/charts/newrelic-infrastructure - https://github.com/newrelic/infrastructure-agent/ -version: 3.20.2 +version: 3.20.3 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/Chart.yaml index 9426e68fe..b69a88ab2 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/Chart.yaml @@ -17,4 +17,4 @@ maintainers: - name: danybmx - name: sdaubin name: newrelic-logging -version: 1.16.1 +version: 1.18.1 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/README.md b/charts/new-relic/nri-bundle/charts/newrelic-logging/README.md index 2aeaed2bb..476da5b9d 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/README.md +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/README.md 
@@ -137,7 +137,6 @@ See [values.yaml](values.yaml) for the default values | `global.nrStaging` - `nrStaging` | Send data to staging (requires a staging license key) | `false` | | `fluentBit.path` | Node path logs are forwarded from. Patterns are supported, as well as specifying multiple paths/patterns separated by commas. | `/var/log/containers/*.log` | | `fluentBit.db` | Node path used by Fluent Bit to store a database file to keep track of monitored files and offsets. | `/var/log/containers/*.log` | -| `fluentBit.criEnabled` | We assume that `kubelet`directly communicates with the Docker container engine. Set this to `true` if your K8s installation uses [CRI](https://kubernetes.io/blog/2016/12/container-runtime-interface-cri-in-kubernetes/) instead, in order to get the logs properly parsed. | `false` | | `fluentBit.k8sBufferSize` | Set the buffer size for HTTP client when reading responses from Kubernetes API server. A value of 0 results in no limit and the buffer will expand as needed. | `32k` | | `fluentBit.k8sLoggingExclude` | Set to "On" to allow excluding pods by adding the annotation `fluentbit.io/exclude: "true"` to pods you wish to exclude. | `Off` | | `fluentBit.additionalEnvVariables` | Additional environmental variables for fluentbit pods | `[]]` | 
@@ -156,6 +155,7 @@ See [values.yaml](values.yaml) for the default values
 | `fluentBit.config.parsers` | Contains parsers.conf Parsers config | |
 | `fluentBit.retryLimit` | Amount of times to retry sending a given batch of logs to New Relic. This prevents data loss if there is a temporary network disruption, if a request to the Logs API is lost or when receiving a recoverable HTTP response. Set it to "False" for unlimited retries. | 5 |
 | `dnsConfig` | [DNS configuration](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config) that will be added to the pods. Can be configured also with `global.dnsConfig`. | `{}` |
+| `fluentBit.criEnabled` | We assume that `kubelet`directly communicates with the container engine using the [CRI](https://kubernetes.io/docs/concepts/overview/components/#container-runtime) specification. Set this to `false` if your K8s installation uses [dockershim](https://kubernetes.io/docs/tasks/administer-cluster/migrating-from-dockershim/) instead, in order to get the logs properly parsed. |`true` |
 ### Proxy support
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset-windows.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset-windows.yaml
index 5454f312c..e2ae53ef5 100644
--- a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset-windows.yaml
+++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset-windows.yaml
@@ -44,9 +44,9 @@ spec:
 {{- end }}
 dnsPolicy: ClusterFirst
 terminationGracePeriodSeconds: 10
- {{- if $.Values.image.pullSecrets }}
+ {{- with include "newrelic.common.images.renderPullSecrets" ( dict "pullSecrets" (list $.Values.image.pullSecrets) "context" $) }}
 imagePullSecrets:
-{{ toYaml $.Values.image.pullSecrets | indent 8 }}
+ {{- . | nindent 8 }}
 {{- end }}
 {{- if $.Values.windows.initContainers }}
 initContainers:
@@ -54,7 +54,9 @@ spec:
 {{- end }}
 containers:
 - name: {{ template "newrelic-logging.name" $ }}
- image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag | default $.Chart.AppVersion }}-{{ .imageTagSuffix }}"
+ # We have to use 'replace' to remove the double-quotes that "newrelic.common.images.image" has, so that
+ # we can append the Windows image tag suffix (and then re-quote that value)
+ image: "{{ include "newrelic.common.images.image" ( dict "imageRoot" $.Values.image "context" $) | replace "\"" ""}}-{{ .imageTagSuffix }}"
 imagePullPolicy: "{{ $.Values.image.pullPolicy }}"
 securityContext: {}
 env:
@@ -86,9 +88,9 @@ spec:
 value: {{ $.Values.fluentBit.logLevel | quote }}
 - name: LOG_PARSER
 {{- if $.Values.fluentBit.criEnabled }}
- value: "cri"
+ value: "cri,docker"
 {{- else }}
- value: "docker"
+ value: "docker,cri"
 {{- end }}
 - name: FB_DB
 value: {{ $.Values.fluentBit.windowsDb | quote }}
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset.yaml
index 5e1837a28..b21dd8eb2 100644
--- a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset.yaml
+++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset.yaml
@@ -40,9 +40,9 @@ spec:
 {{- end }}
 dnsPolicy: ClusterFirstWithHostNet
 terminationGracePeriodSeconds: 10
- {{- if .Values.image.pullSecrets }}
+ {{- with include "newrelic.common.images.renderPullSecrets" ( dict "pullSecrets" (list .Values.image.pullSecrets) "context" .) }}
 imagePullSecrets:
-{{ toYaml .Values.image.pullSecrets | indent 8 }}
+ {{- . | nindent 8 }}
 {{- end }}
 {{- with include "newrelic.common.securityContext.pod" . }}
 securityContext:
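Review bot: `replace "\"" ""` on the new `image:` line strips every double quote from the rendered image reference, not just the pair the helper wraps around it, so a stray quote anywhere in `image.registry`, `image.repository` or `image.tag` is silently dropped instead of surfacing as a render error; `trimAll "\""` removes only the surrounding quotes and states the intent more precisely: `image: "{{ include "newrelic.common.images.image" ( dict "imageRoot" $.Values.image "context" $) | trimAll "\"" }}-{{ .imageTagSuffix }}"`. The two-line comment above it would then read `# The helper returns a quoted string; trim the surrounding quotes so the Windows tag suffix can be appended, then re-quote.` The Linux daemonset (`@@ -58,7 +58,7 @@` in daemonset.yaml) uses the helper's quoted output as-is, so this template is the only place doing string surgery on it; a helper variant returning the unquoted reference would remove the need for either form. The containers block continues outside the hunk.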
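Review bot: The `LOG_PARSER` env var changes meaning in this hunk from a single parser name to a comma-separated multiline parser list (`cri,docker` / `docker,cri`), which is only valid because values.yaml (`@@ -62,7 +62,7 @@`) now interpolates it as `multiline.parser ${LOG_PARSER}`; daemonset.yaml `@@ -89,9 +89,9 @@` makes the same change. A user who overrides the chart's fluent-bit config blocks (the README documents `fluentBit.config.parsers`, and the tail input lives in the same `fluentBit` section of values.yaml) and still has `Parser ${LOG_PARSER}` in their own input will now reference a parser literally named `cri,docker`, which presumably does not exist, with no error at render time. A comment next to the value would flag this, e.g. `# Comma-separated list for the tail input's multiline.parser (first match wins); custom inputs that still use 'Parser ${LOG_PARSER}' must be updated`, and the README row for `fluentBit.criEnabled` could carry the same caveat. The env block continues outside the hunk.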
@@ -58,7 +58,7 @@ spec:
 securityContext:
 {{- . | nindent 12 }}
 {{- end }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ image: {{ include "newrelic.common.images.image" ( dict "imageRoot" .Values.image "context" .) }}
 imagePullPolicy: "{{ .Values.image.pullPolicy }}"
 env:
 - name: ENDPOINT
@@ -89,9 +89,9 @@ spec:
 value: {{ .Values.fluentBit.logLevel | quote }}
 - name: LOG_PARSER
 {{- if .Values.fluentBit.criEnabled }}
- value: "cri"
+ value: "cri,docker"
 {{- else }}
- value: "docker"
+ value: "docker,cri"
 {{- end }}
 - name: FB_DB
 value: {{ .Values.fluentBit.db | quote }}
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/cri_parser_test.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/cri_parser_test.yaml
new file mode 100644
index 000000000..f4a1d01d0
--- /dev/null
+++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/cri_parser_test.yaml
@@ -0,0 +1,37 @@
+suite: test cri, docker parser options in daemonsets
+templates:
+ - templates/configmap.yaml
+ - templates/daemonset.yaml
+ - templates/daemonset-windows.yaml
+release:
+ name: my-release
+ namespace: my-namespace
+tests:
+ - it: cri enabled by default and docker as fallback
+ templates:
+ - templates/daemonset.yaml
+ - templates/daemonset-windows.yaml
+ set:
+ licenseKey: nr_license_key
+ enableWindows: true
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: LOG_PARSER
+ value: "cri,docker"
+ - it: docker is set if enabled by and cri as fallback
+ templates:
+ - templates/daemonset.yaml
+ - templates/daemonset-windows.yaml
+ set:
+ licenseKey: nr_license_key
+ enableWindows: true
+ fluentBit:
+ criEnabled: false
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: LOG_PARSER
+ value: "docker,cri"
\ No newline at end of file
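Review bot: The suite lists `templates/configmap.yaml` but neither test asserts on it, so the one thing that makes `cri,docker` a valid value — the tail input now reading `multiline.parser ${LOG_PARSER}` instead of `Parser ${LOG_PARSER}` — is not covered; a `matchRegex` on the rendered ConfigMap data (the data key name is not visible in this diff) with a pattern such as `multiline\.parser \$\{LOG_PARSER\}` would pin it. The second test's description, `docker is set if enabled by and cri as fallback`, reads oddly; `docker is used when criEnabled is false, with cri as fallback` says what it checks. The file also ends without a trailing newline (`\ No newline at end of file`), unlike images_test.yaml added in the same commit.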
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/images_test.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/images_test.yaml
new file mode 100644
index 000000000..e7b65ccb7
--- /dev/null
+++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/images_test.yaml
@@ -0,0 +1,96 @@
+suite: test images settings
+templates:
+ - templates/configmap.yaml
+ - templates/daemonset.yaml
+ - templates/daemonset-windows.yaml
+release:
+ name: my-release
+ namespace: my-namespace
+tests:
+ - it: image names are correct
+ templates:
+ - templates/daemonset.yaml
+ - templates/daemonset-windows.yaml
+ set:
+ licenseKey: nr_license_key
+ enableWindows: true
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: newrelic/newrelic-fluentbit-output:1.17.3
+ template: templates/daemonset.yaml
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: newrelic/newrelic-fluentbit-output:1.17.3-windows-ltsc-2019
+ template: templates/daemonset-windows.yaml
+ documentIndex: 0
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: newrelic/newrelic-fluentbit-output:1.17.3-windows-ltsc-2022
+ template: templates/daemonset-windows.yaml
+ documentIndex: 1
+ - it: global registry is used if set
+ templates:
+ - templates/daemonset.yaml
+ - templates/daemonset-windows.yaml
+ set:
+ licenseKey: nr_license_key
+ enableWindows: true
+ global:
+ images:
+ registry: global_registry
+ asserts:
+ - matchRegex:
+ path: spec.template.spec.containers[0].image
+ pattern: global_registry/.*
+ - it: local registry overrides global
+ templates:
+ - templates/daemonset.yaml
+ - templates/daemonset-windows.yaml
+ set:
+ licenseKey: nr_license_key
+ enableWindows: true
+ global:
+ images:
+ registry: global_registry
+ image:
+ registry: local_registry
+ asserts:
+ - matchRegex:
+ path: spec.template.spec.containers[0].image
+ pattern: local_registry/.*
+ - it: pullSecrets is used if defined
+ templates:
+ - templates/daemonset.yaml
+ - templates/daemonset-windows.yaml
+ set:
+ licenseKey: nr_license_key
+ enableWindows: true
+ image:
+ pullSecrets:
+ - name: regsecret
+ asserts:
+ - equal:
+ path: spec.template.spec.imagePullSecrets[0].name
+ value: regsecret
+ - it: pullSecrets are merged
+ templates:
+ - templates/daemonset.yaml
+ - templates/daemonset-windows.yaml
+ set:
+ licenseKey: nr_license_key
+ enableWindows: true
+ global:
+ images:
+ pullSecrets:
+ - name: global_regsecret
+ image:
+ pullSecrets:
+ - name: regsecret
+ asserts:
+ - equal:
+ path: spec.template.spec.imagePullSecrets[0].name
+ value: global_regsecret
+ - equal:
+ path: spec.template.spec.imagePullSecrets[1].name
+ value: regsecret
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/values.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/values.yaml
index b82bbb602..ae98e6d36 100644
--- a/charts/new-relic/nri-bundle/charts/newrelic-logging/values.yaml
+++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/values.yaml
@@ -30,7 +30,7 @@ fluentBit:
 windowsPath: "C:\\var\\log\\containers\\*.log"
 db: "/var/log/flb_kube.db"
 windowsDb: "C:\\var\\log\\flb_kube.db"
- criEnabled: false
+ criEnabled: true
 k8sBufferSize: "32k"
 k8sLoggingExclude: "Off"
 retryLimit: 5
@@ -62,7 +62,7 @@ fluentBit:
 Name tail
 Tag kube.*
 Path ${PATH}
- Parser ${LOG_PARSER}
+ multiline.parser ${LOG_PARSER}
 DB ${FB_DB}
 Mem_Buf_Limit 7MB
 Skip_Long_Lines On
@@ -137,28 +137,22 @@ fluentBit:
 # Name null
 # Match *
- parsers: |
- [PARSER]
- Name docker
- Format json
- Time_Key time
- Time_Format %Y-%m-%dT%H:%M:%S.%L
- Time_Keep On
-
- [PARSER]
- Name cri
- Format regex
- Regex ^(?
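Review bot: The expected values in `image names are correct` hard-code the tag `1.17.3`, which the old template took from `.Chart.AppVersion` (the removed `default .Chart.AppVersion` in daemonset.yaml) and the new helper presumably still does, so every appVersion bump will fail this test unless the assertions are edited in lockstep; pinning the version inside the suite keeps it self-contained, e.g. a top-level `chart:` / `appVersion: 1.17.3` block, if the helm-unittest version in use supports that override. There is also no case for the unset path of the new `renderPullSecrets` helper — neither `global.images.pullSecrets` nor `image.pullSecrets` given — so a regression that renders `imagePullSecrets:` with a null entry would go unnoticed; an `isNull` assert on `spec.template.spec.imagePullSecrets` with only `licenseKey` and `enableWindows` set would cover it.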
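Review bot: `multiline.parser ${LOG_PARSER}` makes `docker` and `cri` refer to Fluent Bit's built-in multiline parsers rather than the chart's own `[PARSER]` definitions, which the following hunk (`@@ -137,28 +137,22 @@`, cut off in this view) appears to remove, and `multiline.parser` on the tail input needs a Fluent Bit core that supports it (1.8 or later); the `newrelic/newrelic-fluentbit-output:1.17.3` tag used in the tests does not say which core it bundles. A comment on the line would record both facts for the next reader, e.g. `# Uses Fluent Bit's built-in multiline parsers (docker, cri); requires Fluent Bit >= 1.8`. The `criEnabled: true` flip in `@@ -30,7 +30,7 @@` is explained only in the README; a one-line comment above it such as `# true: the container runtime speaks CRI (default); false: dockershim` keeps values.yaml self-describing.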