diff --git a/assets/intel-tcs-issuer/tcs-issuer-0.1.0.tgz b/assets/intel-tcs-issuer/tcs-issuer-0.1.0.tgz
new file mode 100644
index 000000000..83e06b337
Binary files /dev/null and b/assets/intel-tcs-issuer/tcs-issuer-0.1.0.tgz differ
diff --git a/assets/k10/k10-5.0.200.tgz b/assets/k10/k10-5.0.200.tgz
new file mode 100644
index 000000000..c86423aab
Binary files /dev/null and b/assets/k10/k10-5.0.200.tgz differ
diff --git a/assets/shipa/shipa-1.7.200.tgz b/assets/shipa/shipa-1.7.200.tgz
new file mode 100644
index 000000000..edd8bc145
Binary files /dev/null and b/assets/shipa/shipa-1.7.200.tgz differ
diff --git a/assets/vals-operator/vals-operator-0.6.201.tgz b/assets/vals-operator/vals-operator-0.6.201.tgz
new file mode 100644
index 000000000..3bec7fe8e
Binary files /dev/null and b/assets/vals-operator/vals-operator-0.6.201.tgz differ
diff --git a/charts/intel-tcs-issuer/tcs-issuer/0.1.0/.helmignore b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/intel-tcs-issuer/tcs-issuer/0.1.0/Chart.yaml b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/Chart.yaml
new file mode 100644
index 000000000..6d203cd61
--- /dev/null
+++ b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/Chart.yaml
@@ -0,0 +1,13 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Intel Trusted Certificate Issuer
+ catalog.cattle.io/release-name: tcs-issuer
+apiVersion: v2
+appVersion: 0.1.0
+description: A Helm chart for Trusted Certificate Service for Kubernetes Platform
+home: https://github.com/intel/trusted-certificate-issuer
+icon: https://avatars.githubusercontent.com/u/17888862?s=200&v=4
+kubeVersion: '>= 1.19-0'
+name: tcs-issuer
+type: application
+version: 0.1.0
diff --git a/charts/intel-tcs-issuer/tcs-issuer/0.1.0/app-readme.md b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/app-readme.md
new file mode 100644
index 000000000..d091e9ab6
--- /dev/null
+++ b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/app-readme.md
@@ -0,0 +1,11 @@
+# Trusted Certificate Service
+
+## Introduction
+
+Trusted Certificate Service (TCS) is a Kubernetes certificate signing application, which protects the signing keys using Intel's SGX technology. TCS supports [Kubernetes Certificate Signing Request](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/) and [cert-manager certificate request](https://cert-manager.io/docs/concepts/certificaterequest/) APIs. The APIs provides an easy integration to Kubernetes applications such as Istio.
+
+## Prerequisites
+
+- Helm 3.x
+- Kubernetes cluster with at least one SGX node (e.g., Azure DCsv3 instance)
+- Cert-manager
\ No newline at end of file
diff --git a/charts/intel-tcs-issuer/tcs-issuer/0.1.0/templates/NOTES.txt b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/templates/NOTES.txt
new file mode 100644
index 000000000..c5615c64c
--- /dev/null
+++ b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/templates/NOTES.txt
@@ -0,0 +1 @@
+Thank you for installing {{ .Chart.Name }}.
diff --git a/charts/intel-tcs-issuer/tcs-issuer/0.1.0/templates/tcs_issuer.yaml b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/templates/tcs_issuer.yaml
new file mode 100644
index 000000000..7f4b1f99b
--- /dev/null
+++ b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/templates/tcs_issuer.yaml 
@@ -0,0 +1,376 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tcs-issuer-serviceaccount
+ namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: tcs-leader-election-role
+ namespace: {{ .Release.Namespace | quote }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tcs-metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tcs-proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: tcs-role
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - cert-manager.io
+ resources:
+ - certificaterequests
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - cert-manager.io
+ resources:
+ - certificaterequests/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - cert-manager.io
+ resources:
+ - certificaterequests/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - certificates.k8s.io
+ resourceNames:
+ - tcsclusterissuer.tcs.intel.com/*
+ - tcsissuer.tcs.intel.com/*
+ resources:
+ - signers
+ verbs:
+ - sign
+- apiGroups:
+ - tcs.intel.com
+ resources:
+ - quoteattestations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - tcs.intel.com
+ resources:
+ - quoteattestations/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - tcs.intel.com
+ resources:
+ - quoteattestations/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - tcs.intel.com
+ resources:
+ - tcsclusterissuers
+ - tcsissuers
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - tcs.intel.com
+ resources:
+ - tcsclusterissuers/status
+ - tcsissuers/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tcs-leader-election-rolebinding
+ namespace: {{ .Release.Namespace | quote }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: tcs-leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: tcs-issuer-serviceaccount
+ namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tcs-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tcs-proxy-role
+subjects:
+- kind: ServiceAccount
+ name: tcs-issuer-serviceaccount
+ namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tcs-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tcs-role
+subjects:
+- kind: ServiceAccount
+ name: tcs-issuer-serviceaccount
+ namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: v1
+data:
+ tcs_issuer_config.yaml: |
+ apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
+ kind: ControllerManagerConfig
+ health:
+ healthProbeBindAddress: :8083
+ metrics:
+ bindAddress: 127.0.0.1:8080
+ webhook:
+ port: 9443
+ leaderElection:
+ leaderElect: true
+ resourceName: bb9c3a43.sgx.intel.com
+kind: ConfigMap
+metadata:
+ name: tcs-config
+ namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: v1
+data:
+ sopin: V0lwbUJCybc2Oc6M06Vz
+ userpin: U3BnbGIyTUl3ZV9lSHUy
+kind: Secret
+metadata:
+ name: tcs-issuer-pkcs11-conf
+ namespace: {{ .Release.Namespace | quote }}
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ control-plane: tcs-issuer
+ name: tcs-metrics-service
+ namespace: {{ .Release.Namespace | quote }}
+spec:
+ ports:
+ - name: https
+ port: 8443
+ targetPort: https
+ selector:
+ control-plane: tcs-issuer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ control-plane: tcs-issuer
+ name: tcs-controller
+ namespace: {{ .Release.Namespace | quote }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ control-plane: tcs-issuer
+ template:
+ metadata:
+ annotations:
+ sgx.intel.com/quote-provider: aesmd
+ labels:
+ control-plane: tcs-issuer
+ spec:
+ containers:
+ - args:
+ - --leader-elect
+ - --zap-devel
+ - --zap-log-level=5
+ - --metrics-bind-address=:8082
+ - --health-probe-bind-address=:8083
+ - --user-pin=$USER_PIN
+ - --so-pin=$SO_PIN
+ {{- if .Values.controllerExtraArgs }}
+ {{- with .Values.controllerExtraArgs }}
+ {{- tpl . $ | trim | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ command:
+ - /tcs-issuer
+ env:
+ - name: USER_PIN
+ valueFrom:
+ secretKeyRef:
+ key: userpin
+ name: tcs-issuer-pkcs11-conf
+ - name: SO_PIN
+ valueFrom:
+ secretKeyRef:
+ key: sopin
+ name: tcs-issuer-pkcs11-conf
+ image: "{{ .Values.image.hub }}/{{ .Values.image.name }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8083
+ initialDelaySeconds: 10
+ periodSeconds: 180
+ name: tcs-issuer
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8083
+ initialDelaySeconds: 10
+ periodSeconds: 5
+ resources:
+ limits:
+ cpu: 100m
+ memory: 30Mi
+ sgx.intel.com/enclave: 1
+ sgx.intel.com/epc: 512Ki
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ sgx.intel.com/enclave: 1
+ sgx.intel.com/epc: 512Ki
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /home/tcs-issuer/tokens
+ name: tokens-dir
+ initContainers:
+ - command:
+ - /bin/chown
+ - -R
+ - 5000:5000
+ - /home/tcs-issuer/tokens
+ image: busybox
+ imagePullPolicy: IfNotPresent
+ name: init
+ volumeMounts:
+ - mountPath: /home/tcs-issuer/tokens
+ name: tokens-dir
+ serviceAccountName: tcs-issuer-serviceaccount
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - hostPath:
+ path: /var/lib/tcs-issuer/tokens
+ type: DirectoryOrCreate
+ name: tokens-dir
diff --git a/charts/intel-tcs-issuer/tcs-issuer/0.1.0/values.yaml b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/values.yaml
new file mode 100644
index 000000000..2f21cb9b5
--- /dev/null
+++ b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/values.yaml
@@ -0,0 +1,10 @@
+image:
+ hub: intel
+ name: trusted-certificate-issuer
+ tag: "latest"
+ pullPolicy: Always
+
+# Any extra arguments for tcs-controller
+controllerExtraArgs: {}
+#controllerExtraArgs: |-
+# - --csr-full-cert-chain=true
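Review bot: The `tcs-issuer-pkcs11-conf` Secret ships fixed `sopin`/`userpin` values, so every install of this chart protects its SGX-backed PKCS#11 token with the same two PINs, which are now public in this repository. Generate them per release or take them from values, and keep them stable across `helm upgrade` (the token under `/var/lib/tcs-issuer/tokens` is initialised with the first PIN, so a regenerated PIN would lock it out); the sketch below uses `lookup` for that, which returns an empty map under `helm template`/dry-run, so a values-supplied PIN is the safer path for GitOps flows. The PINs are also passed as `--user-pin=$USER_PIN`/`--so-pin=$SO_PIN`, which puts them in `/proc/<pid>/cmdline` for anything that can list processes on the node, and Kubernetes only expands `$(VAR)` in `args`, so unless the binary expands `$VAR` itself these flags carry the literal text — having the binary read the env vars (or a mounted Secret file) avoids both problems. Separately, `tcs-role` grants cluster-wide create/delete/list/watch on `secrets` under `apiGroups: ['*']`; Secrets live only in the core group, so this should be `- ""` and the verb list reviewed. The `tcs-proxy-role`/`tcs-metrics-reader` roles and `tcs-metrics-service` (port 8443 → `targetPort: https`) look like they expect a kube-rbac-proxy sidecar that is not in this Deployment — the container declares no port named `https` and the metrics listener on `:8082` is reachable without that auth — and the `tcs-config` ConfigMap is never mounted, so either add the sidecar or drop the dead objects.
```yaml
# … unchanged: ServiceAccount, Roles, bindings, tcs-config ConfigMap …
{{- $existing := lookup "v1" "Secret" .Release.Namespace "tcs-issuer-pkcs11-conf" }}
apiVersion: v1
kind: Secret
metadata:
  name: tcs-issuer-pkcs11-conf
  namespace: {{ .Release.Namespace | quote }}
type: Opaque
data:
  {{- if $existing }}
  # Keep the PINs the token was initialised with; regenerating them on upgrade would lock the token.
  sopin: {{ index $existing.data "sopin" | quote }}
  userpin: {{ index $existing.data "userpin" | quote }}
  {{- else }}
  # Operator-supplied via .Values.pkcs11.{soPin,userPin}, otherwise a fresh random PIN per install.
  sopin: {{ (default dict .Values.pkcs11).soPin | default (randAlphaNum 20) | b64enc | quote }}
  userpin: {{ (default dict .Values.pkcs11).userPin | default (randAlphaNum 20) | b64enc | quote }}
  {{- end }}
# … unchanged: Service and Deployment …
```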
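Review bot: `tag: "latest"` combined with `pullPolicy: Always` means every pod restart may pull a different, unreviewed build of the component that holds the CA signing key inside the enclave, and an install of chart 0.1.0 is not reproducible. Default the tag to the chart's appVersion and preferably pin an immutable digest, e.g. `tag: "0.1.0"` here (or `{{ .Values.image.tag | default .Chart.AppVersion }}` in the template) with `pullPolicy: IfNotPresent`, assuming the registry publishes a versioned tag for this release. A short comment above `image:` stating that the tag must be pinned because the enclave identity depends on the exact build would help the next maintainer keep it that way.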
diff --git a/charts/k10/k10/5.0.200/Chart.yaml b/charts/k10/k10/5.0.200/Chart.yaml
new file mode 100644
index 000000000..32b032038
--- /dev/null
+++ b/charts/k10/k10/5.0.200/Chart.yaml
@@ -0,0 +1,15 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: K10
+ catalog.cattle.io/release-name: k10
+apiVersion: v2
+appVersion: 5.0.2
+description: Kasten’s K10 Data Management Platform
+home: https://kasten.io/
+icon: https://docs.kasten.io/_static/logo-kasten-k10-blue-white.png
+kubeVersion: '>= 1.17.0-0'
+maintainers:
+- email: support@kasten.io
+ name: kastenIO
+name: k10
+version: 5.0.200
diff --git a/charts/k10/k10/5.0.200/README.md b/charts/k10/k10/5.0.200/README.md
new file mode 100644
index 000000000..006c361a5
--- /dev/null
+++ b/charts/k10/k10/5.0.200/README.md
@@ -0,0 +1,230 @@
+# Kasten's K10 Helm chart.
+
+[Kasten's k10](https://docs.kasten.io/) is a data lifecycle management system for all your persistence.enabled container-based applications.
+
+## TL;DR;
+
+```console
+$ helm install kasten/k10 --name=k10 --namespace=kasten-io
+```
+
+## Introduction
+
+This chart bootstraps Kasten's K10 platform on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+ - Kubernetes 1.7+ with Beta APIs enabled
+
+## Installing the Chart
+
+To install the chart on a [GKE](https://cloud.google.com/container-engine/) cluster
+
+```console
+$ helm install kasten/k10 --name=k10 --namespace=kasten-io
+```
+
+To install the chart on an [AWS](https://aws.amazon.com/) [kops](https://github.com/kubernetes/kops)-created cluster
+
+```console
+$ helm install kasten/k10 --name=k10 --namespace=kasten-io --set secrets.awsAccessKeyId="${AWS_ACCESS_KEY_ID}" \
+ --set secrets.awsSecretAccessKey="${AWS_SECRET_ACCESS_KEY}"
+```
+
+> **Tip**: List all releases using `helm list`
+
+## Uninstalling the Chart
+
+To uninstall/delete the `k10` application:
+
+```console
+$ helm delete k10 --purge
+```
+
+## Configuration
+
+The following table lists the configurable parameters of the K10
+chart and their default values.
+
+Parameter | Description | Default
+--- | --- | ---
+`eula.accept`| Whether to enable accept EULA before installation | `false`
+`eula.company` | Company name. Required field if EULA is accepted | `None`
+`eula.email` | Contact email. Required field if EULA is accepted | `None`
+`license` | License string obtained from Kasten | `None`
+`rbac.create` | Whether to enable RBAC with a specific cluster role and binding for K10 | `true`
+`scc.create` | Whether to create a SecurityContextConstraints for K10 ServiceAccounts | `false`
+`services.dashboardbff.hostNetwork` | Whether the dashboardbff pods may use the node network | `false`
+`services.executor.hostNetwork` | Whether the executor pods may use the node network | `false`
+`services.aggregatedapis.hostNetwork` | Whether the aggregatedapis pods may use the node network | `false`
+`serviceAccount.create`| Specifies whether a ServiceAccount should be created | `true`
+`serviceAccount.name` | The name of the ServiceAccount to use. If not set, a name is derived using the release and chart names. | `None`
+`ingress.create` | Specifies whether the K10 dashboard should be exposed via ingress | `false`
+`ingress.class` | Cluster ingress controller class: `nginx`, `GCE` | `None`
+`ingress.host` | FQDN (e.g., `k10.example.com`) for name-based virtual host | `None`
+`ingress.urlPath` | URL path for K10 Dashboard (e.g., `/k10`) | `Release.Name`
+`ingress.annotations` | Additional Ingress object annotations | `{}`
+`ingress.tls.enabled` | Configures a TLS use for `ingress.host` | `false`
+`ingress.tls.secretName` | Specifies a name of TLS secret | `None`
+`ingress.pathType` | Specifies the path type for the ingress resource | `ImplementationSpecific`
+`global.persistence.enabled` | Use PVS to persist data | `true`
+`global.persistence.size` | Default global size of volumes for K10 persistent services | `20Gi`
+`global.persistence.catalog.size` | Size of a volume for catalog service | `global.persistence.size`
+`global.persistence.jobs.size` | Size of a volume for jobs service | `global.persistence.size`
+`global.persistence.logging.size` | Size of a volume for logging service | `global.persistence.size`
+`global.persistence.metering.size` | Size of a volume for metering service | `global.persistence.size`
+`global.persistence.storageClass` | Specified StorageClassName will be used for PVCs | `None`
+`global.airgapped.repository` | Specify the helm repository for offline (airgapped) installation | `''`
+`global.imagePullSecret` | Provide secret which contains docker config for private repository. Use `k10-ecr` when secrets.dockerConfigPath is used. | `''`
+`global.prometheus.external.host` | Provide external prometheus host name | `''`
+`global.prometheus.external.port` | Provide external prometheus port number | `''`
+`global.prometheus.external.baseURL` | Provide Base URL of external prometheus | `''`
+`secrets.awsAccessKeyId` | AWS access key ID (required for AWS deployment) | `None`
+`secrets.awsSecretAccessKey` | AWS access key secret | `None`
+`secrets.awsIamRole` | ARN of the AWS IAM role assumed by K10 to perform any AWS operation. | `None`
+`secrets.googleApiKey` | Non-default base64 encoded GCP Service Account key file | `None`
+`secrets.azureTenantId` | Azure tenant ID (required for Azure deployment) | `None`
+`secrets.azureClientId` | Azure Service App ID | `None`
+`secrets.azureClientSecret` | Azure Service APP secret | `None`
+`secrets.azureResourceGroup` | Resource Group name that was created for the Kubernetes cluster | `None`
+`secrets.azureSubscriptionID` | Subscription ID in your Azure tenant | `None`
+`secrets.azureResourceMgrEndpoint` | Resource management endpoint for the Azure Stack instance | `None`
+`secrets.azureADEndpoint` | Azure Active Directory login endpoint | `None`
+`secrets.azureADResourceID` | Azure Active Directory resource ID to obtain AD tokens | `None`
+`secrets.azureCloudEnvID` | Azure Cloud Environment ID | `None`
+`secrets.vsphereEndpoint` | vSphere endpoint for login | `None`
+`secrets.vsphereUsername` | vSphere username for login | `None`
+`secrets.vspherePassword` | vSphere password for login | `None`
+`secrets.dockerConfigPath` | Use --set-file secrets.dockerConfigPath=path_to_docker_config.yaml to specify docker config for image pull | `None`
+`cacertconfigmap.name` | Name of the ConfigMap that contains a certificate for a trusted root certificate authority | `None`
+`clusterName` | Cluster name for better logs visibility | `None`
+`metering.awsRegion` | Sets AWS_REGION for metering service | `None`
+`metering.mode` | Control license reporting (set to `airgap` for private-network installs) | `None`
+`metering.reportCollectionPeriod` | Sets metric report collection period (in seconds) | `1800`
+`metering.reportPushPeriod` | Sets metric report push period (in seconds) | `3600`
+`metering.promoID` | Sets K10 promotion ID from marketing campaigns | `None`
+`metering.awsMarketplace` | Sets AWS cloud metering license mode | `false`
+`metering.awsManagedLicense` | Sets AWS managed license mode | `false`
+`metering.redhatMarketplacePayg` | Sets Red Hat cloud metering license mode | `false`
+`metering.licenseConfigSecretName` | Sets AWS managed license config secret | `None`
+`externalGateway.create` | Configures an external gateway for K10 API services | `false`
+`externalGateway.annotations` | Standard annotations for the services | `None`
+`externalGateway.fqdn.name` | Domain name for the K10 API services | `None`
+`externalGateway.fqdn.type` | Supported gateway type: `route53-mapper` or `external-dns` | `None`
+`externalGateway.awsSSLCertARN` | ARN for the AWS ACM SSL certificate used in the K10 API server | `None`
+`auth.basicAuth.enabled` | Configures basic authentication for the K10 dashboard | `false`
+`auth.basicAuth.htpasswd` | A username and password pair separated by a colon character | `None`
+`auth.basicAuth.secretName` | Name of an existing Secret that contains a file generated with htpasswd | `None`
+`auth.k10AdminGroups` | A list of groups whose members are granted admin level access to K10's dashboard | `None`
+`auth.k10AdminUsers` | A list of users who are granted admin level access to K10's dashboard | `None`
+`auth.tokenAuth.enabled` | Configures token based authentication for the K10 dashboard | `false`
+`auth.oidcAuth.enabled` | Configures Open ID Connect based authentication for the K10 dashboard | `false`
+`auth.oidcAuth.providerURL` | URL for the OIDC Provider | `None`
+`auth.oidcAuth.redirectURL` | URL to the K10 gateway service | `None`
+`auth.oidcAuth.scopes` | Space separated OIDC scopes required for userinfo. Example: "profile email" | `None`
+`auth.oidcAuth.prompt` | The type of prompt to be used during authentication (none, consent, login or select_account) | `select_account`
+`auth.oidcAuth.clientID` | Client ID given by the OIDC provider for K10 | `None`
+`auth.oidcAuth.clientSecret` | Client secret given by the OIDC provider for K10 | `None`
+`auth.oidcAuth.usernameClaim` | The claim to be used as the username | `sub`
+`auth.oidcAuth.usernamePrefix` | Prefix that has to be used with the username obtained from the username claim | `None`
+`auth.oidcAuth.groupClaim` | Name of a custom OpenID Connect claim for specifying user groups | `None`
+`auth.oidcAuth.groupPrefix` | All groups will be prefixed with this value to prevent conflicts | `None`
+`auth.openshift.enabled` | Enables access to the K10 dashboard by authenticating with the OpenShift OAuth server | `false`
+`auth.openshift.serviceAccount` | Name of the service account that represents an OAuth client | `None`
+`auth.openshift.clientSecret` | The token corresponding to the service account | `None`
+`auth.openshift.dashboardURL` | The URL used for accessing K10's dashboard | `None`
+`auth.openshift.openshiftURL` | The URL for accessing OpenShift's API server | `None`
+`auth.openshift.insecureCA` | To turn off SSL verification of connections to OpenShift | `false`
+`auth.openshift.useServiceAccountCA` | Set this to true to use the CA certificate corresponding to the Service Account ``auth.openshift.serviceAccount`` usually found at ``/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`` | `false`
+`auth.ldap.enabled` | Configures Active Directory/LDAP based authentication for the K10 dashboard | `false`
+`auth.ldap.restartPod` | To force a restart of the authentication service pod (useful when updating authentication config) | `false`
+`auth.ldap.dashboardURL` | The URL used for accessing K10's dashboard | `None`
+`auth.ldap.host` | Host and optional port of the AD/LDAP server in the form `host:port` | `None`
+`auth.ldap.insecureNoSSL` | Required if the AD/LDAP host is not using TLS | `false`
+`auth.ldap.insecureSkipVerifySSL` | To turn off SSL verification of connections to the AD/LDAP host | `false`
+`auth.ldap.startTLS` | When set to true, ldap:// is used to connect to the server followed by creation of a TLS session. When set to false, ldaps:// is used. | `false`
+`auth.ldap.bindDN` | The Distinguished Name(username) used for connecting to the AD/LDAP host | `None`
+`auth.ldap.bindPW` | The password corresponding to the `bindDN` for connecting to the AD/LDAP host | `None`
+`auth.ldap.bindPWSecretName` | The name of the secret that contains the password corresponding to the `bindDN` for connecting to the AD/LDAP host | `None`
+`auth.ldap.userSearch.baseDN` | The base Distinguished Name to start the AD/LDAP search from | `None`
+`auth.ldap.userSearch.filter` | Optional filter to apply when searching the directory | `None`
+`auth.ldap.userSearch.username` | Attribute used for comparing user entries when searching the directory | `None`
+`auth.ldap.userSearch.idAttr` | AD/LDAP attribute in a user's entry that should map to the user ID field in a token | `None`
+`auth.ldap.userSearch.emailAttr` | AD/LDAP attribute in a user's entry that should map to the email field in a token | `None`
+`auth.ldap.userSearch.nameAttr` | AD/LDAP attribute in a user's entry that should map to the name field in a token | `None`
+`auth.ldap.userSearch.preferredUsernameAttr` | AD/LDAP attribute in a user's entry that should map to the preferred_username field in a token | `None`
+`auth.ldap.groupSearch.baseDN` | The base Distinguished Name to start the AD/LDAP group search from | `None`
+`auth.ldap.groupSearch.filter` | Optional filter to apply when searching the directory for groups | `None`
+`auth.ldap.groupSearch.nameAttr` | The AD/LDAP attribute that represents a group's name in the directory | `None`
+`auth.ldap.groupSearch.userMatchers` | List of field pairs that are used to match a user to a group. | `None`
+`auth.ldap.groupSearch.userMatchers.userAttr` | Attribute in the user's entry that must match with the `groupAttr` while searching for groups | `None`
+`auth.ldap.groupSearch.userMatchers.groupAttr` | Attribute in the group's entry that must match with the `userAttr` while searching for groups | `None`
+`auth.groupAllowList` | A list of groups whose members are allowed access to K10's dashboard | `None`
+`services.securityContext` | Custom [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for K10 service containers | `{"runAsUser" : 1000, "fsGroup": 1000}`
+`services.securityContext.runAsUser` | User ID K10 service containers run as| `1000`
+`services.securityContext.runAsGroup` | Group ID K10 service containers run as| `1000`
+`services.securityContext.fsGroup` | FSGroup that owns K10 service container volumes | `1000`
+`injectKanisterSidecar.enabled` | Enable Kanister sidecar injection for workload pods | `false`
+`injectKanisterSidecar.namespaceSelector.matchLabels` | Set of labels to select namespaces in which sidecar injection is enabled for workloads | `{}`
+`injectKanisterSidecar.objectSelector.matchLabels` | Set of labels to filter workload objects in which the sidecar is injected | `{}`
+`injectKanisterSidecar.webhookServer.port` | Port number on which the mutating webhook server accepts request | `8080`
+`gateway.insecureDisableSSLVerify` | Specifies whether to disable SSL verification for gateway pods | `false`
+`gateway.exposeAdminPort` | Specifies whether to expose Admin port for gateway service | `true`
+`genericVolumeSnapshot.resources.[requests\|limits].[cpu\|memory]` | Resource requests and limits for Generic Volume Snapshot restore pods | `{}`
+`prometheus.server.enabled` | If false, K10's Prometheus server will not be created, reducing the dashboard's functionality. | `true`
+`prometheus.server.persistentVolume.enabled` | If true, K10 Prometheus server will create a Persistent Volume Claim | `true`
+`prometheus.server.persistentVolume.size` | K10 Prometheus server data Persistent Volume size | `30Gi`
+`prometheus.server.persistentVolume.storageClass` | StorageClassName used to create Prometheus PVC. Setting this option overwrites global StorageClass value | `""`
+`prometheus.server.retention` | (optional) K10 Prometheus data retention | `"30d"`
+`prometheus.server.baseURL` | (optional) K10 Prometheus external url path at which the server can be accessed | `/k10/prometheus/`
+`prometheus.server.prefixURL` | (optional) K10 Prometheus prefix slug at which the server can be accessed | `/k10/prometheus/`
+`grafana.enabled` | (optional) If false Grafana will not be available | `true`
+`grafana.prometheusPrefixURL` | (optional) URL for Prometheus datasource in Grafana (must match `prometheus.server.prefixURL`) | `/k10/prometheus/`
+`resources...[requests\|limits].[cpu\|memory]` | Overwrite default K10 [container resource requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | varies by container
+`route.enabled` | Specifies whether the K10 dashboard should be exposed via route | `false`
+`route.host` | FQDN (e.g., `.k10.example.com`) for name-based virtual host | `""`
+`route.path` | URL path for K10 Dashboard (e.g., `/k10`) | `/`
+`route.annotations` | Additional Route object annotations | `{}`
+`route.labels` | Additional Route object labels | `{}`
+`route.tls.enabled` | Configures a TLS use for `route.host` | `false`
+`route.tls.insecureEdgeTerminationPolicy` | Specifies behavior for insecure scheme traffic | `Redirect`
+`route.tls.termination` | Specifies the TLS termination of the route | `edge`
+`apigateway.serviceResolver` | Specifies the resolver used for service discovery in the API gateway (`dns` or `endpoint`) | `dns`
+`limiter.genericVolumeSnapshots` | Limit of concurrent generic volume snapshot create operations | `10`
+`limiter.genericVolumeCopies` | Limit of concurrent generic volume snapshot copy operations | `10`
+`limiter.genericVolumeRestores` | Limit of concurrent generic volume snapshot restore operations | `10`
+`limiter.csiSnapshots` | Limit of concurrent CSI snapshot create operations | `10`
+`limiter.providerSnapshots` | Limit of concurrent cloud provider create operations | `10`
+`cluster.domainName` | Specifies the domain name of the cluster | `cluster.local`
+`kanister.backupTimeout` | Specifies timeout to set on Kanister backup operations | `45`
+`kanister.restoreTimeout` | Specifies timeout to set on Kanister restore operations | `600`
+`kanister.deleteTimeout` | Specifies timeout to set on Kanister delete operations | `45`
+`kanister.hookTimeout` | Specifies timeout to set on Kanister pre-hook and post-hook operations | `20`
+`kanister.checkRepoTimeout` | Specifies timeout to set on Kanister checkRepo operations | `20`
+`kanister.statsTimeout` | Specifies timeout to set on Kanister stats operations | `20`
+`kanister.efsPostRestoreTimeout` | Specifies timeout to set on Kanister efsPostRestore operations | `45`
+`awsConfig.assumeRoleDuration` | Duration of a session token generated by AWS for an IAM role. The minimum value is 15 minutes and the maximum value is the maximum duration setting for that IAM role. For documentation about how to view and edit the maximum session duration for an IAM role see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session. The value accepts a number along with a single character ``m``(for minutes) or ``h`` (for hours) Examples: 60m or 2h | `''`
+`awsConfig.efsBackupVaultName` | Specifies the AWS EFS backup vault name | `k10vault`
+`vmWare.taskTimeoutMin` | Specifies the timeout for VMWare operations | `60`
+`encryption.primaryKey.awsCmkKeyId` | Specifies the AWS CMK key ID for encrypting K10 Primary Key | `None`
+## Helm tips and tricks
+
+There is a way of setting values via a yaml file instead of using `--set`.
+You can copy/paste values into a file (e.g., my_values.yaml):
+
+```yaml
+secrets:
+ awsAccessKeyId: ${AWS_ACCESS_KEY_ID}
+ awsSecretAccessKey: ${AWS_SECRET_ACCESS_KEY}
+```
+and then run:
+```bash
+ envsubst < my_values.yaml > my_values_out.yaml && helm install helm/k10 -f my_values_out.yaml
+```
+
+To use non-default GCP ServiceAccount (SA) credentials, the credentials JSON file needs to be encoded into a base64 string.
+
+
+```bash
+ sa_key=$(base64 -w0 sa-key.json)
+ helm install kasten/k10 --name=k10 --namespace=kasten-io --set secrets.googleApiKey=$sa_key
+```
diff --git a/charts/k10/k10/5.0.200/app-readme.md b/charts/k10/k10/5.0.200/app-readme.md
new file mode 100644
index 000000000..1b221891b
--- /dev/null
+++ b/charts/k10/k10/5.0.200/app-readme.md
@@ -0,0 +1,5 @@
+The K10 data management platform, purpose-built for Kubernetes, provides enterprise operations teams an easy-to-use, scalable, and secure system for backup/restore, disaster recovery, and mobility of Kubernetes applications.
+
+K10’s application-centric approach and deep integrations with relational and NoSQL databases, Kubernetes distributions, and all clouds provide teams the freedom of infrastructure choice without sacrificing operational simplicity. Policy-driven and extensible, K10 provides a native Kubernetes API and includes features such as full-spectrum consistency, database integrations, automatic application discovery, multi-cloud mobility, and a powerful web-based user interface.
+
+For more information, refer to the docs [https://docs.kasten.io/](https://docs.kasten.io/)
diff --git a/charts/k10/k10/5.0.200/charts/grafana/.helmignore b/charts/k10/k10/5.0.200/charts/grafana/.helmignore
new file mode 100644
index 000000000..8cade1318
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.vscode
+.project
+.idea/
+*.tmproj
+OWNERS
diff --git a/charts/k10/k10/5.0.200/charts/grafana/Chart.yaml b/charts/k10/k10/5.0.200/charts/grafana/Chart.yaml
new file mode 100644
index 000000000..a0313c4be
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/Chart.yaml
@@ -0,0 +1,22 @@
+apiVersion: v2
+appVersion: 8.5.0
+description: The leading tool for querying and visualizing time series and metrics.
+home: https://grafana.net
+icon: https://raw.githubusercontent.com/grafana/grafana/master/public/img/logo_transparent_400x.png
+kubeVersion: ^1.8.0-0
+maintainers:
+- email: zanhsieh@gmail.com
+ name: zanhsieh
+- email: rluckie@cisco.com
+ name: rtluckie
+- email: maor.friedman@redhat.com
+ name: maorfr
+- email: miroslav.hadzhiev@gmail.com
+ name: Xtigyro
+- email: mail@torstenwalter.de
+ name: torstenwalter
+name: grafana
+sources:
+- https://github.com/grafana/grafana
+type: application
+version: 6.29.2
diff --git a/charts/k10/k10/5.0.200/charts/grafana/README.md b/charts/k10/k10/5.0.200/charts/grafana/README.md
new file mode 100644
index 000000000..2ed7afe54
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/README.md
@@ -0,0 +1,567 @@
+# Grafana Helm Chart
+
+* Installs the web dashboarding system [Grafana](http://grafana.org/)
+
+## Get Repo Info
+
+```console
+helm repo add grafana https://grafana.github.io/helm-charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```console
+helm install my-release grafana/grafana
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the my-release deployment:
+
+```console
+helm delete my-release
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Upgrading an existing Release to a new major version
+
+A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
+incompatible breaking change needing manual actions.
+
+### To 4.0.0 (And 3.12.1)
+
+This version requires Helm >= 2.12.0.
+
+### To 5.0.0
+
+You have to add --force to your helm upgrade command as the labels of the chart have changed.
+
+### To 6.0.0
+
+This version requires Helm >= 3.1.0.
+
+## Configuration
+
+| Parameter | Description | Default |
+|-------------------------------------------|-----------------------------------------------|---------------------------------------------------------|
+| `replicas` | Number of nodes | `1` |
+| `podDisruptionBudget.minAvailable` | Pod disruption minimum available | `nil` |
+| `podDisruptionBudget.maxUnavailable` | Pod disruption maximum unavailable | `nil` |
+| `deploymentStrategy` | Deployment strategy | `{ "type": "RollingUpdate" }` |
+| `livenessProbe` | Liveness Probe settings | `{ "httpGet": { "path": "/api/health", "port": 3000 } "initialDelaySeconds": 60, "timeoutSeconds": 30, "failureThreshold": 10 }` |
+| `readinessProbe` | Readiness Probe settings | `{ "httpGet": { "path": "/api/health", "port": 3000 } }`|
+| `securityContext` | Deployment securityContext | `{"runAsUser": 472, "runAsGroup": 472, "fsGroup": 472}` |
+| `priorityClassName` | Name of Priority Class to assign pods | `nil` |
+| `image.repository` | Image repository | `grafana/grafana` |
+| `image.tag` | Image tag (`Must be >= 5.0.0`) | `8.2.5` |
+| `image.sha` | Image sha (optional) | `2acf04c016c77ca2e89af3536367ce847ee326effb933121881c7c89781051d3` |
+| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `image.pullSecrets` | Image pull secrets (can be templated) | `[]` |
+| `service.enabled` | Enable grafana service | `true` |
+| `service.type` | Kubernetes service type | `ClusterIP` |
+| `service.port` | Kubernetes port where service is exposed | `80` |
+| `service.portName` | Name of the port on the service | `service` |
+| `service.targetPort` | Internal service is port | `3000` |
+| `service.nodePort` | Kubernetes service nodePort | `nil` |
+| `service.annotations` | Service annotations (can be templated) | `{}` |
+| `service.labels` | Custom labels | `{}` |
+| `service.clusterIP` | internal cluster service IP | `nil` |
+| `service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `nil` |
+| 
`service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to lb (if supported) | `[]` |
+| `service.externalIPs` | service external IP addresses | `[]` |
+| `headlessService` | Create a headless service | `false` |
+| `extraExposePorts` | Additional service ports for sidecar containers| `[]` |
+| `hostAliases` | adds rules to the pod's /etc/hosts | `[]` |
+| `ingress.enabled` | Enables Ingress | `false` |
+| `ingress.annotations` | Ingress annotations (values are templated) | `{}` |
+| `ingress.labels` | Custom labels | `{}` |
+| `ingress.path` | Ingress accepted path | `/` |
+| `ingress.pathType` | Ingress type of path | `Prefix` |
+| `ingress.hosts` | Ingress accepted hostnames | `["chart-example.local"]` |
+| `ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). Requires `ingress.hosts` to have one or more host entries. 
| `[]` |
+| `ingress.tls` | Ingress TLS configuration | `[]` |
+| `resources` | CPU/Memory resource requests/limits | `{}` |
+| `nodeSelector` | Node labels for pod assignment | `{}` |
+| `tolerations` | Toleration labels for pod assignment | `[]` |
+| `affinity` | Affinity settings for pod assignment | `{}` |
+| `extraInitContainers` | Init containers to add to the grafana pod | `{}` |
+| `extraContainers` | Sidecar containers to add to the grafana pod | `""` |
+| `extraContainerVolumes` | Volumes that can be mounted in sidecar containers | `[]` |
+| `extraLabels` | Custom labels for all manifests | `{}` |
+| `schedulerName` | Name of the k8s scheduler (other than default) | `nil` |
+| `global.persistence.enabled` | Use persistent volume to store data | `false` |
+| `persistence.type` | Type of persistence (`pvc` or `statefulset`) | `pvc` |
+| `global.persistence.size` | Size of persistent volume claim | `20Gi` |
+| `persistence.existingClaim` | Use an existing PVC to persist data (can be templated) | `nil` |
+| `global.persistence.storageClass` | Type of persistent volume claim | `nil` |
+| `global.persistence.accessMode` | Persistence access modes | `[ReadWriteOnce]` |
+| `persistence.annotations` | PersistentVolumeClaim annotations | `{}` |
+| `persistence.finalizers` | PersistentVolumeClaim finalizers | `[ "kubernetes.io/pvc-protection" ]` |
+| `persistence.subPath` | Mount a sub dir of the persistent volume (can be templated) | `nil` |
+| `persistence.inMemory.enabled` | If persistence is not enabled, whether to mount the local storage in-memory to improve performance | `false` |
+| `persistence.inMemory.sizeLimit` | SizeLimit for the in-memory local storage | `nil` |
+| `initChownData.enabled` | If false, don't reset data ownership at startup | true |
+| `initChownData.image.repository` | init-chown-data container image repository | `busybox` |
+| `initChownData.image.tag` | init-chown-data container image tag | `1.31.1` |
+| `initChownData.image.sha` | 
init-chown-data container image sha (optional)| `""` |
+| `initChownData.image.pullPolicy` | init-chown-data container image pull policy | `IfNotPresent` |
+| `initChownData.resources` | init-chown-data pod resource requests & limits | `{}` |
+| `schedulerName` | Alternate scheduler name | `nil` |
+| `env` | Extra environment variables passed to pods | `{}` |
+| `envValueFrom` | Environment variables from alternate sources. See the API docs on [EnvVarSource](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#envvarsource-v1-core) for format details. Can be templated | `{}` |
+| `envFromSecret` | Name of a Kubernetes secret (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `""` |
+| `envFromSecrets` | List of Kubernetes secrets (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `[]` |
+| `envFromConfigMaps` | List of Kubernetes ConfigMaps (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `[]` |
+| `envRenderSecret` | Sensible environment variables passed to pods and stored as secret | `{}` |
+| `enableServiceLinks` | Inject Kubernetes services as environment variables. 
| `true` |
+| `extraSecretMounts` | Additional grafana server secret mounts | `[]` |
+| `extraVolumeMounts` | Additional grafana server volume mounts | `[]` |
+| `extraConfigmapMounts` | Additional grafana server configMap volume mounts (values are templated) | `[]` |
+| `extraEmptyDirMounts` | Additional grafana server emptyDir volume mounts | `[]` |
+| `plugins` | Plugins to be loaded along with Grafana | `[]` |
+| `datasources` | Configure grafana datasources (passed through tpl) | `{}` |
+| `notifiers` | Configure grafana notifiers | `{}` |
+| `dashboardProviders` | Configure grafana dashboard providers | `{}` |
+| `dashboards` | Dashboards to import | `{}` |
+| `dashboardsConfigMaps` | ConfigMaps reference that contains dashboards | `{}` |
+| `grafana.ini` | Grafana's primary configuration | `{}` |
+| `ldap.enabled` | Enable LDAP authentication | `false` |
+| `ldap.existingSecret` | The name of an existing secret containing the `ldap.toml` file, this must have the key `ldap-toml`. | `""` |
+| `ldap.config` | Grafana's LDAP configuration | `""` |
+| `annotations` | Deployment annotations | `{}` |
+| `labels` | Deployment labels | `{}` |
+| `podAnnotations` | Pod annotations | `{}` |
+| `podLabels` | Pod labels | `{}` |
+| `podPortName` | Name of the grafana port on the pod | `grafana` |
+| `lifecycleHooks` | Lifecycle hooks for podStart and preStop [Example](https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/#define-poststart-and-prestop-handlers) | `{}` |
+| `sidecar.image.repository` | Sidecar image repository | `quay.io/kiwigrid/k8s-sidecar` |
+| `sidecar.image.tag` | Sidecar image tag | `1.15.6` |
+| `sidecar.image.sha` | Sidecar image sha (optional) | `""` |
+| `sidecar.imagePullPolicy` | Sidecar image pull policy | `IfNotPresent` |
+| `sidecar.resources` | Sidecar resources | `{}` |
+| `sidecar.securityContext` | Sidecar securityContext | `{}` |
+| `sidecar.enableUniqueFilenames` | Sets the kiwigrid/k8s-sidecar 
UNIQUE_FILENAMES environment variable. If set to `true` the sidecar will create unique filenames where duplicate data keys exist between ConfigMaps and/or Secrets within the same or multiple Namespaces. | `false` |
+| `sidecar.dashboards.enabled` | Enables the cluster wide search for dashboards and adds/updates/deletes them in grafana | `false` |
+| `sidecar.dashboards.SCProvider` | Enables creation of sidecar provider | `true` |
+| `sidecar.dashboards.provider.name` | Unique name of the grafana provider | `sidecarProvider` |
+| `sidecar.dashboards.provider.orgid` | Id of the organisation, to which the dashboards should be added | `1` |
+| `sidecar.dashboards.provider.folder` | Logical folder in which grafana groups dashboards | `""` |
+| `sidecar.dashboards.provider.disableDelete` | Activate to avoid the deletion of imported dashboards | `false` |
+| `sidecar.dashboards.provider.allowUiUpdates` | Allow updating provisioned dashboards from the UI | `false` |
+| `sidecar.dashboards.provider.type` | Provider type | `file` |
+| `sidecar.dashboards.provider.foldersFromFilesStructure` | Allow Grafana to replicate dashboard structure from filesystem. | `false` |
+| `sidecar.dashboards.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | `WATCH` |
+| `sidecar.skipTlsVerify` | Set to true to skip tls verification for kube api calls | `nil` |
+| `sidecar.dashboards.label` | Label that config maps with dashboards should have to be added | `grafana_dashboard` |
+| `sidecar.dashboards.labelValue` | Label value that config maps with dashboards should have to be added | `nil` |
+| `sidecar.dashboards.folder` | Folder in the pod that should hold the collected dashboards (unless `sidecar.dashboards.defaultFolderName` is set). This path will be mounted. 
| `/tmp/dashboards` |
+| `sidecar.dashboards.folderAnnotation` | The annotation the sidecar will look for in configmaps to override the destination folder for files | `nil` |
+| `sidecar.dashboards.defaultFolderName` | The default folder name, it will create a subfolder under the `sidecar.dashboards.folder` and put dashboards in there instead | `nil` |
+| `sidecar.dashboards.searchNamespace` | Namespaces list. If specified, the sidecar will search for dashboards config-maps inside these namespaces.Otherwise the namespace in which the sidecar is running will be used.It's also possible to specify ALL to search in all namespaces. | `nil` |
+| `sidecar.dashboards.script` | Absolute path to shell script to execute after a configmap got reloaded. | `nil` |
+| `sidecar.dashboards.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` |
+| `sidecar.dashboards.extraMounts` | Additional dashboard sidecar volume mounts. | `[]` |
+| `sidecar.datasources.enabled` | Enables the cluster wide search for datasources and adds/updates/deletes them in grafana |`false` |
+| `sidecar.datasources.label` | Label that config maps with datasources should have to be added | `grafana_datasource` |
+| `sidecar.datasources.labelValue` | Label value that config maps with datasources should have to be added | `nil` |
+| `sidecar.datasources.searchNamespace` | Namespaces list. If specified, the sidecar will search for datasources config-maps inside these namespaces.Otherwise the namespace in which the sidecar is running will be used.It's also possible to specify ALL to search in all namespaces. | `nil` |
+| `sidecar.datasources.resource` | Should the sidecar looks into secrets, configmaps or both. 
| `both` |
+| `sidecar.datasources.reloadURL` | Full url of datasource configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/datasources/reload"` |
+| `sidecar.datasources.skipReload` | Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | `false` |
+| `sidecar.notifiers.enabled` | Enables the cluster wide search for notifiers and adds/updates/deletes them in grafana | `false` |
+| `sidecar.notifiers.label` | Label that config maps with notifiers should have to be added | `grafana_notifier` |
+| `sidecar.notifiers.searchNamespace` | Namespaces list. If specified, the sidecar will search for notifiers config-maps (or secrets) inside these namespaces.Otherwise the namespace in which the sidecar is running will be used.It's also possible to specify ALL to search in all namespaces. | `nil` |
+| `sidecar.notifiers.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` |
+| `smtp.existingSecret` | The name of an existing secret containing the SMTP credentials. | `""` |
+| `smtp.userKey` | The key in the existing SMTP secret containing the username. | `"user"` |
+| `smtp.passwordKey` | The key in the existing SMTP secret containing the password. | `"password"` |
+| `admin.existingSecret` | The name of an existing secret containing the admin credentials (can be templated). | `""` |
+| `admin.userKey` | The key in the existing admin secret containing the username. | `"admin-user"` |
+| `admin.passwordKey` | The key in the existing admin secret containing the password. 
| `"admin-password"` |
+| `serviceAccount.autoMount` | Automount the service account token in the pod| `true` |
+| `serviceAccount.annotations` | ServiceAccount annotations | |
+| `serviceAccount.create` | Create service account | `true` |
+| `serviceAccount.name` | Service account name to use, when empty will be set to created account if `serviceAccount.create` is set else to `default` | `` |
+| `serviceAccount.nameTest` | Service account name to use for test, when empty will be set to created account if `serviceAccount.create` is set else to `default` | `nil` |
+| `rbac.create` | Create and use RBAC resources | `true` |
+| `rbac.namespaced` | Creates Role and Rolebinding instead of the default ClusterRole and ClusteRoleBindings for the grafana instance | `false` |
+| `rbac.useExistingRole` | Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. | `nil` |
+| `rbac.pspEnabled` | Create PodSecurityPolicy (with `rbac.create`, grant roles permissions as well) | `true` |
+| `rbac.pspUseAppArmor` | Enforce AppArmor in created PodSecurityPolicy (requires `rbac.pspEnabled`) | `true` |
+| `rbac.extraRoleRules` | Additional rules to add to the Role | [] |
+| `rbac.extraClusterRoleRules` | Additional rules to add to the ClusterRole | [] |
+| `command` | Define command to be executed by grafana container at startup | `nil` |
+| `testFramework.enabled` | Whether to create test-related resources | `true` |
+| `testFramework.image` | `test-framework` image repository. | `bats/bats` |
+| `testFramework.tag` | `test-framework` image tag. | `v1.4.1` |
+| `testFramework.imagePullPolicy` | `test-framework` image pull policy. 
| `IfNotPresent` |
+| `testFramework.securityContext` | `test-framework` securityContext | `{}` |
+| `downloadDashboards.env` | Environment variables to be passed to the `download-dashboards` container | `{}` |
+| `downloadDashboards.envFromSecret` | Name of a Kubernetes secret (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `""` |
+| `downloadDashboards.resources` | Resources of `download-dashboards` container | `{}` |
+| `downloadDashboardsImage.repository` | Curl docker image repo | `curlimages/curl` |
+| `downloadDashboardsImage.tag` | Curl docker image tag | `7.73.0` |
+| `downloadDashboardsImage.sha` | Curl docker image sha (optional) | `""` |
+| `downloadDashboardsImage.pullPolicy` | Curl docker image pull policy | `IfNotPresent` |
+| `namespaceOverride` | Override the deployment namespace | `""` (`Release.Namespace`) |
+| `serviceMonitor.enabled` | Use servicemonitor from prometheus operator | `false` |
+| `serviceMonitor.namespace` | Namespace this servicemonitor is installed in | |
+| `serviceMonitor.interval` | How frequently Prometheus should scrape | `1m` |
+| `serviceMonitor.path` | Path to scrape | `/metrics` |
+| `serviceMonitor.scheme` | Scheme to use for metrics scraping | `http` |
+| `serviceMonitor.tlsConfig` | TLS configuration block for the endpoint | `{}` |
+| `serviceMonitor.labels` | Labels for the servicemonitor passed to Prometheus Operator | `{}` |
+| `serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `30s` |
+| `serviceMonitor.relabelings` | MetricRelabelConfigs to apply to samples before ingestion. 
| `[]` |
+| `revisionHistoryLimit` | Number of old ReplicaSets to retain | `10` |
+| `imageRenderer.enabled` | Enable the image-renderer deployment & service | `false` |
+| `imageRenderer.image.repository` | image-renderer Image repository | `grafana/grafana-image-renderer` |
+| `imageRenderer.image.tag` | image-renderer Image tag | `latest` |
+| `imageRenderer.image.sha` | image-renderer Image sha (optional) | `""` |
+| `imageRenderer.image.pullPolicy` | image-renderer ImagePullPolicy | `Always` |
+| `imageRenderer.env` | extra env-vars for image-renderer | `{}` |
+| `imageRenderer.serviceAccountName` | image-renderer deployment serviceAccountName | `""` |
+| `imageRenderer.securityContext` | image-renderer deployment securityContext | `{}` |
+| `imageRenderer.hostAliases` | image-renderer deployment Host Aliases | `[]` |
+| `imageRenderer.priorityClassName` | image-renderer deployment priority class | `''` |
+| `imageRenderer.service.enabled` | Enable the image-renderer service | `true` |
+| `imageRenderer.service.portName` | image-renderer service port name | `http` |
+| `imageRenderer.service.port` | image-renderer service port used by both service and deployment | `8081` |
+| `imageRenderer.grafanaProtocol` | Protocol to use for image renderer callback url | `http` |
+| `imageRenderer.grafanaSubPath` | Grafana sub path to use for image renderer callback url | `''` |
+| `imageRenderer.podPortName` | name of the image-renderer port on the pod | `http` |
+| `imageRenderer.revisionHistoryLimit` | number of image-renderer replica sets to keep | `10` |
+| `imageRenderer.networkPolicy.limitIngress` | Enable a NetworkPolicy to limit inbound traffic from only the created grafana pods | `true` |
+| `imageRenderer.networkPolicy.limitEgress` | Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods | `false` |
+| `imageRenderer.resources` | Set resource limits for image-renderer pdos | `{}` |
+| `imageRenderer.nodeSelector` | Node labels for pod 
assignment | `{}` |
+| `imageRenderer.tolerations` | Toleration labels for pod assignment | `[]` |
+| `imageRenderer.affinity` | Affinity settings for pod assignment | `{}` |
+| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources. | `false` |
+| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
+| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed | `{}` |
+| `enableKubeBackwardCompatibility` | Enable backward compatibility of kubernetes where pod's defintion version below 1.13 doesn't have the enableServiceLinks option | `false` |
+
+
+
+### Example ingress with path
+
+With grafana 6.3 and above
+```yaml
+grafana.ini:
+ server:
+ domain: monitoring.example.com
+ root_url: "%(protocol)s://%(domain)s/grafana"
+ serve_from_sub_path: true
+ingress:
+ enabled: true
+ hosts:
+ - "monitoring.example.com"
+ path: "/grafana"
+```
+
+### Example of extraVolumeMounts
+
+Volume can be type persistentVolumeClaim or hostPath but not both at same time.
+If none existingClaim or hostPath argument is givent then type is emptyDir.
+
+```yaml
+- extraVolumeMounts:
+ - name: plugins
+ mountPath: /var/lib/grafana/plugins
+ subPath: configs/grafana/plugins
+ existingClaim: existing-grafana-claim
+ readOnly: false
+ - name: dashboards
+ mountPath: /var/lib/grafana/dashboards
+ hostPath: /usr/shared/grafana/dashboards
+ readOnly: false
+```
+
+## Import dashboards
+
+There are a few methods to import dashboards to Grafana. Below are some examples and explanations as to how to use each method:
+
+```yaml
+dashboards:
+ default:
+ some-dashboard:
+ json: |
+ {
+ "annotations":
+
+ ...
+ # Complete json file here
+ ... 
+
+ "title": "Some Dashboard",
+ "uid": "abcd1234",
+ "version": 1
+ }
+ custom-dashboard:
+ # This is a path to a file inside the dashboards directory inside the chart directory
+ file: dashboards/custom-dashboard.json
+ prometheus-stats:
+ # Ref: https://grafana.com/dashboards/2
+ gnetId: 2
+ revision: 2
+ datasource: Prometheus
+ local-dashboard:
+ url: https://raw.githubusercontent.com/user/repository/master/dashboards/dashboard.json
+```
+
+## BASE64 dashboards
+
+Dashboards could be stored on a server that does not return JSON directly and instead of it returns a Base64 encoded file (e.g. Gerrit)
+A new parameter has been added to the url use case so if you specify a b64content value equals to true after the url entry a Base64 decoding is applied before save the file to disk.
+If this entry is not set or is equals to false not decoding is applied to the file before saving it to disk.
+
+### Gerrit use case
+
+Gerrit API for download files has the following schema: where {project-name} and
+{file-id} usually has '/' in their values and so they MUST be replaced by %2F so if project-name is user/repo, branch-id is master and file-id is equals to dir1/dir2/dashboard
+the url value is
+
+## Sidecar for dashboards
+
+If the parameter `sidecar.dashboards.enabled` is set, a sidecar container is deployed in the grafana
+pod. This container watches all configmaps (or secrets) in the cluster and filters out the ones with
+a label as defined in `sidecar.dashboards.label`. The files defined in those configmaps are written
+to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported
+dashboards are deleted/updated.
+
+A recommendation is to use one configmap per dashboard, as a reduction of multiple dashboards inside
+one configmap is currently not properly mirrored in grafana. 
+
+Example dashboard config:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: sample-grafana-dashboard
+ labels:
+ grafana_dashboard: "1"
+data:
+ k8s-dashboard.json: |-
+ [...]
+```
+
+## Sidecar for datasources
+
+If the parameter `sidecar.datasources.enabled` is set, an init container is deployed in the grafana
+pod. This container lists all secrets (or configmaps, though not recommended) in the cluster and
+filters out the ones with a label as defined in `sidecar.datasources.label`. The files defined in
+those secrets are written to a folder and accessed by grafana on startup. Using these yaml files,
+the data sources in grafana can be imported.
+
+Secrets are recommended over configmaps for this usecase because datasources usually contain private
+data like usernames and passwords. Secrets are the more appropriate cluster resource to manage those.
+
+Example values to add a datasource adapted from [Grafana](http://docs.grafana.org/administration/provisioning/#example-datasource-config-file):
+
+```yaml
+datasources:
+ datasources.yaml:
+ apiVersion: 1
+ datasources:
+ # name of the datasource. Required
+ - name: Graphite
+ # datasource type. Required
+ type: graphite
+ # access mode. proxy or direct (Server or Browser in the UI). Required
+ access: proxy
+ # org id. will default to orgId 1 if not specified
+ orgId: 1
+ # url
+ url: http://localhost:8080
+ # database password, if used
+ password:
+ # database user, if used
+ user:
+ # database name, if used
+ database:
+ # enable/disable basic auth
+ basicAuth:
+ # basic auth username
+ basicAuthUser:
+ # basic auth password
+ basicAuthPassword:
+ # enable/disable with credentials headers
+ withCredentials:
+ # mark as default datasource. Max one per org
+ isDefault:
+ # fields that will be converted to json and stored in json_data
+ jsonData:
+ graphiteVersion: "1.1"
+ tlsAuth: true
+ tlsAuthWithCACert: true
+ # json object of data that will be encrypted.
+ secureJsonData:
+ tlsCACert: "..." 
+ tlsClientCert: "..."
+ tlsClientKey: "..."
+ version: 1
+ # allow users to edit datasources from the UI.
+ editable: false
+```
+
+## Sidecar for notifiers
+
+If the parameter `sidecar.notifiers.enabled` is set, an init container is deployed in the grafana
+pod. This container lists all secrets (or configmaps, though not recommended) in the cluster and
+filters out the ones with a label as defined in `sidecar.notifiers.label`. The files defined in
+those secrets are written to a folder and accessed by grafana on startup. Using these yaml files,
+the notification channels in grafana can be imported. The secrets must be created before
+`helm install` so that the notifiers init container can list the secrets.
+
+Secrets are recommended over configmaps for this usecase because alert notification channels usually contain
+private data like SMTP usernames and passwords. Secrets are the more appropriate cluster resource to manage those.
+
+Example datasource config adapted from [Grafana](https://grafana.com/docs/grafana/latest/administration/provisioning/#alert-notification-channels):
+
+```yaml
+notifiers:
+ - name: notification-channel-1
+ type: slack
+ uid: notifier1
+ # either
+ org_id: 2
+ # or
+ org_name: Main Org.
+ is_default: true
+ send_reminder: true
+ frequency: 1h
+ disable_resolve_message: false
+ # See `Supported Settings` section for settings supporter for each
+ # alert notification type.
+ settings:
+ recipient: 'XXX'
+ token: 'xoxb'
+ uploadImage: true
+ url: https://slack.com
+
+delete_notifiers:
+ - name: notification-channel-1
+ uid: notifier1
+ org_id: 2
+ - name: notification-channel-2
+ # default org_id: 1
+```
+
+## How to serve Grafana with a path prefix (/grafana)
+
+In order to serve Grafana with a prefix (e.g., ), add the following to your values.yaml. 
+
+```yaml
+ingress:
+ enabled: true
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /$1
+ nginx.ingress.kubernetes.io/use-regex: "true"
+
+ path: /grafana/?(.*)
+ hosts:
+ - k8s.example.dev
+
+grafana.ini:
+ server:
+ root_url: http://localhost:3000/grafana # this host can be localhost
+```
+
+## How to securely reference secrets in grafana.ini
+
+This example uses Grafana uses [file providers](https://grafana.com/docs/grafana/latest/administration/configuration/#file-provider) for secret values and the `extraSecretMounts` configuration flag (Additional grafana server secret mounts) to mount the secrets.
+
+In grafana.ini:
+
+```yaml
+grafana.ini:
+ [auth.generic_oauth]
+ enabled = true
+ client_id = $__file{/etc/secrets/auth_generic_oauth/client_id}
+ client_secret = $__file{/etc/secrets/auth_generic_oauth/client_secret}
+```
+
+Existing secret, or created along with helm:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: auth-generic-oauth-secret
+type: Opaque
+stringData:
+ client_id:
+ client_secret:
+```
+
+Include in the `extraSecretMounts` configuration flag:
+
+```yaml
+- extraSecretMounts:
+ - name: auth-generic-oauth-secret-mount
+ secretName: auth-generic-oauth-secret
+ defaultMode: 0440
+ mountPath: /etc/secrets/auth_generic_oauth
+ readOnly: true
+```
+
+### extraSecretMounts using a Container Storage Interface (CSI) provider
+
+This example uses a CSI driver e.g. 
retrieving secrets using [Azure Key Vault Provider](https://github.com/Azure/secrets-store-csi-driver-provider-azure)
+
+```yaml
+- extraSecretMounts:
+ - name: secrets-store-inline
+ mountPath: /run/secrets
+ readOnly: true
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: "my-provider"
+ nodePublishSecretRef:
+ name: akv-creds
+```
+
+## Image Renderer Plug-In
+
+This chart supports enabling [remote image rendering](https://github.com/grafana/grafana-image-renderer/blob/master/README.md#run-in-docker)
+
+```yaml
+imageRenderer:
+ enabled: true
+```
+
+### Image Renderer NetworkPolicy
+
+By default the image-renderer pods will have a network policy which only allows ingress traffic from the created grafana instance
+
+### High Availability for unified alerting
+
+If you want to run Grafana in a high availability cluster you need to enable
+the headless service by setting `headlessService: true` in your `values.yaml`
+file.
+
+As next step you have to setup the `grafana.ini` in your `values.yaml` in a way
+that it will make use of the headless service to obtain all the IPs of the
+cluster. You should replace ``{{ Name }}`` with the name of your helm deployment.
+
+```yaml
+grafana.ini:
+ ...
+ unified_alerting:
+ enabled: true
+ ha_peers: {{ Name }}-headless:9094
+ alerting:
+ enabled: false
+```
diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/NOTES.txt b/charts/k10/k10/5.0.200/charts/grafana/templates/NOTES.txt
new file mode 100644
index 000000000..ca7d88e3d
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/templates/NOTES.txt
@@ -0,0 +1,54 @@
+1. Get your '{{ .Values.adminUser }}' user password by running:
+
+ kubectl get secret --namespace {{ template "grafana.namespace" . }} {{ template "grafana.fullname" . }} -o jsonpath="{.data.admin-password}" | base64 --decode ; echo
+
+2. The Grafana server can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster:
+
+ {{ template "grafana.fullname" . }}.{{ template "grafana.namespace" . }}.svc.cluster.local
+{{ if .Values.ingress.enabled }}
+ If you bind grafana to 80, please update values in values.yaml and reinstall:
+ ```
+ securityContext:
+ runAsUser: 0
+ runAsGroup: 0
+ fsGroup: 0
+
+ command:
+ - "setcap"
+ - "'cap_net_bind_service=+ep'"
+ - "/usr/sbin/grafana-server &&"
+ - "sh"
+ - "/run.sh"
+ ```
+ Details refer to https://grafana.com/docs/installation/configuration/#http-port.
+ Or grafana would always crash.
+
+ From outside the cluster, the server URL(s) are:
+{{- range .Values.ingress.hosts }}
+ http://{{ . }}
+{{- end }}
+{{ else }}
+ Get the Grafana URL to visit by running these commands in the same shell:
+{{ if contains "NodePort" .Values.service.type -}}
+ export NODE_PORT=$(kubectl get --namespace {{ template "grafana.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "grafana.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ template "grafana.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{ else if contains "LoadBalancer" .Values.service.type -}}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get svc --namespace {{ template "grafana.namespace" . }} -w {{ template "grafana.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ template "grafana.namespace" . }} {{ template "grafana.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ http://$SERVICE_IP:{{ .Values.service.port -}}
+{{ else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ template "grafana.namespace" . }} -l "app={{ template "grafana.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace {{ template "grafana.namespace" . }} port-forward $POD_NAME 3000
+{{- end }}
+{{- end }}
+
+3. Login with the password from step 1 and the username: {{ .Values.adminUser }}
+
+{{- if not .Values.global.persistence.enabled }}
+#################################################################################
+###### WARNING: Persistence is disabled!!! You will lose your data when #####
+###### the Grafana pod is terminated. #####
+#################################################################################
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/_definitions.tpl b/charts/k10/k10/5.0.200/charts/grafana/templates/_definitions.tpl
new file mode 100644
index 000000000..3dd9a0b17
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/templates/_definitions.tpl
@@ -0,0 +1,3 @@
+{{/* Autogenerated, do NOT modify */}}
+{{- define "k10.grafanaImageTag" -}}8.5.0{{- end -}}
+{{- define "k10.grafanaInitContainerImageTag" -}}8.6-854{{- end -}}
diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/_helpers.tpl b/charts/k10/k10/5.0.200/charts/grafana/templates/_helpers.tpl
new file mode 100644
index 000000000..aea79b673
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/templates/_helpers.tpl
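Review bot: In the ingress branch the port-80 hint tells users to set `runAsUser: 0`, `runAsGroup: 0` and `fsGroup: 0`, i.e. run the whole Grafana pod as root, and the quoted `command` is exec form, so `"/usr/sbin/grafana-server &&"` is handed to setcap as one literal argument instead of chaining into `sh /run.sh`; as written it would most likely fail at the setcap step rather than start Grafana. The notes already print `.Values.service.port` and the ingress hosts, so the safer advice is to keep the container non-root and map port 80 at the Service or Ingress instead of inside the pod. If the setcap example is kept it needs a shell, e.g. `command: ["sh", "-c", "setcap 'cap_net_bind_service=+ep' /usr/sbin/grafana-server && sh /run.sh"]`, and the text should say plainly that this leaves Grafana running as root.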
@@ -0,0 +1,235 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "grafana.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "grafana.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "grafana.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account
+*/}}
+{{- define "grafana.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "grafana.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{- define "grafana.serviceAccountNameTest" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (print (include "grafana.fullname" .) "-test") .Values.serviceAccount.nameTest }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.nameTest }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "grafana.namespace" -}}
+ {{- if .Values.namespaceOverride -}}
+ {{- .Values.namespaceOverride -}}
+ {{- else -}}
+ {{- .Release.Namespace -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "grafana.labels" -}}
+helm.sh/chart: {{ include "grafana.chart" . }}
+{{ include "grafana.selectorLabels" . }}
+{{- if or .Chart.AppVersion .Values.image.tag }}
+app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "grafana.selectorLabels" -}}
+app: {{ include "grafana.name" . }}
+release: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "grafana.imageRenderer.labels" -}}
+helm.sh/chart: {{ include "grafana.chart" . }}
+{{ include "grafana.imageRenderer.selectorLabels" . }}
+{{- if or .Chart.AppVersion .Values.image.tag }}
+app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels ImageRenderer
+*/}}
+{{- define "grafana.imageRenderer.selectorLabels" -}}
+app: {{ include "grafana.name" . }}-image-renderer
+release: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Looks if there's an existing secret and reuse its password. If not it generates
+new password and use it.
+*/}}
+{{- define "grafana.password" -}}
+{{- $secret := (lookup "v1" "Secret" (include "grafana.namespace" .) (include "grafana.fullname" .) ) -}}
+ {{- if $secret -}}
+ {{- index $secret "data" "admin-password" -}}
+ {{- else -}}
+ {{- (randAlphaNum 40) | b64enc | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for rbac.
+*/}}
+{{- define "grafana.rbac.apiVersion" -}}
+ {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+ {{- print "rbac.authorization.k8s.io/v1" -}}
+ {{- else -}}
+ {{- print "rbac.authorization.k8s.io/v1beta1" -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for ingress.
+*/}}
+{{- define "grafana.ingress.apiVersion" -}}
+ {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" .Capabilities.KubeVersion.Version) -}}
+ {{- print "networking.k8s.io/v1" -}}
+ {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}}
+ {{- print "networking.k8s.io/v1beta1" -}}
+ {{- else -}}
+ {{- print "extensions/v1beta1" -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Return if ingress is stable.
+*/}}
+{{- define "grafana.ingress.isStable" -}}
+ {{- eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1" -}}
+{{- end -}}
+
+{{/*
+Return if ingress supports ingressClassName.
+*/}}
+{{- define "grafana.ingress.supportsIngressClassName" -}}
+ {{- or (eq (include "grafana.ingress.isStable" .) "true") (and (eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}}
+{{- end -}}
+
+{{/*
+Return if ingress supports pathType.
+*/}}
+{{- define "grafana.ingress.supportsPathType" -}}
+ {{- or (eq (include "grafana.ingress.isStable" .) "true") (and (eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}}
+{{- end -}}
+
+{{/*
+Figure out the grafana image tag
+based on the value of global.upstreamCertifiedImages
+*/}}
+{{- define "get.grafanaImageTag"}}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "k10-%s" (include "k10.grafanaImageTag" .) }}
+{{- else }}
+{{- printf "%s" (include "k10.grafanaImageTag" .) }}
+{{- end }}
+{{- end }}
+
+{{- define "get.grafanaImageRepo" }}
+{{- if .Values.global.upstreamCertifiedImages }}
+{{- printf "%s/%s/grafana" .Values.k10image.registry .Values.k10image.repository }}
+{{- else }}
+{{- print .Values.image.repository }}
+{{- end }}
+{{- end }}
+
+{{/*
+Figure out the config based on
+the value of airgapped.repository
+*/}}
+{{- define "get.grafanaServerimage" }}
+{{- if not .Values.global.rhMarketPlace }}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "%s/grafana:%s" .Values.global.airgapped.repository (include "get.grafanaImageTag" .) }}
+{{- else }}
+{{- printf "%s:%s" (include "get.grafanaImageRepo" .) (include "get.grafanaImageTag" .) }}
+{{- end }}
+{{- else }}
+{{- printf "%s" .Values.global.images.grafana }}
+{{- end -}}
+{{- end }}
+
+{{/*
+Figure out the grafana init container busy box image tag
+based on the value of global.airgapped.repository
+*/}}
+{{- define "get.grafanaInitContainerImageTag"}}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "k10-%s" (include "k10.grafanaInitContainerImageTag" .) }}
+{{- else }}
+{{- printf "%s" (include "k10.grafanaInitContainerImageTag" .) }}
+{{- end }}
+{{- end }}
+
+{{- define "get.grafanaInitContainerImageRepo" }}
+{{- if .Values.global.upstreamCertifiedImages }}
+{{- printf "%s/%s/ubi-minimal" .Values.k10image.registry .Values.k10image.repository }}
+{{- else }}
+{{- print .Values.ubi.image.repository }}
+{{- end }}
+{{- end }}
+
+{{/*
+Figure out the config based on
+the value of airgapped.repository
+*/}}
+{{- define "get.grafanaInitContainerImage" }}
+{{- if not .Values.global.rhMarketPlace }}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "%s/ubi-minimal:%s" .Values.global.airgapped.repository (include "get.grafanaInitContainerImageTag" .) }}
+{{- else }}
+{{- printf "%s:%s" (include "get.grafanaInitContainerImageRepo" .) (include "get.grafanaInitContainerImageTag" .) }}
+{{- end }}
+{{- else }}
+{{- printf "%s:%s" (include "get.grafanaInitContainerImageRepo" .) (include "get.grafanaInitContainerImageTag" .) }}
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/_pod.tpl b/charts/k10/k10/5.0.200/charts/grafana/templates/_pod.tpl
new file mode 100644
index 000000000..733753806
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/templates/_pod.tpl
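Review bot: `grafana.password` relies on `lookup`, which returns an empty result under `helm template`, `--dry-run` and any tooling that renders the chart without cluster access, so in those runs the `randAlphaNum 40` branch executes and a different admin password is rendered every time; the comment above the define should say so, e.g. `Note: lookup is empty during helm template/--dry-run, so a fresh random password is rendered on each such run; set admin.existingSecret to keep it stable.` Separately, in `get.grafanaInitContainerImage` the `rhMarketPlace` branch renders exactly the same `printf "%s:%s"` as the non-airgapped branch, so the outer `if not .Values.global.rhMarketPlace` is a no-op; either collapse it, or, if a marketplace-specific image was intended as in `get.grafanaServerimage` (which reads `.Values.global.images.grafana` there), that case appears to be missing.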
@@ -0,0 +1,744 @@
+
+{{- define "grafana.pod" -}}
+{{- if .Values.schedulerName }}
+schedulerName: "{{ .Values.schedulerName }}"
+{{- end }}
+serviceAccountName: {{ template "grafana.serviceAccountName" . }}
+automountServiceAccountToken: {{ .Values.serviceAccount.autoMount }}
+{{- if .Values.securityContext }}
+securityContext:
+{{ toYaml .Values.securityContext | indent 2 }}
+{{- end }}
+{{- if .Values.hostAliases }}
+hostAliases:
+{{ toYaml .Values.hostAliases | indent 2 }}
+{{- end }}
+{{- if .Values.priorityClassName }}
+priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
+{{- if ( or .Values.global.persistence.enabled .Values.dashboards .Values.sidecar.notifiers.enabled .Values.extraInitContainers (and .Values.sidecar.datasources.enabled .Values.sidecar.datasources.initDatasources)) }}
+initContainers:
+{{- end }}
+{{- if ( and .Values.global.persistence.enabled .Values.initChownData.enabled ) }}
+ - name: init-chown-data
+ image: "{{ include "get.grafanaInitContainerImage" . }}"
+ imagePullPolicy: {{ .Values.ubi.image.pullPolicy }}
+ securityContext:
+ runAsNonRoot: false
+ runAsUser: 0
+ command: ["chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }}", "/var/lib/grafana"]
+ resources:
+{{ toYaml .Values.initChownData.resources | indent 6 }}
+ volumeMounts:
+ - name: storage
+ mountPath: "/var/lib/grafana"
+{{- if .Values.persistence.subPath }}
+ subPath: {{ tpl .Values.persistence.subPath . }}
+{{- end }}
+{{- end }}
+{{- if .Values.dashboards }}
+ - name: download-dashboards
+ {{- if .Values.downloadDashboardsImage.sha }}
+ image: "{{ .Values.downloadDashboardsImage.repository }}:{{ .Values.downloadDashboardsImage.tag }}@sha256:{{ .Values.downloadDashboardsImage.sha }}"
+ {{- else }}
+ image: "{{ include "get.grafanaInitContainerImage" . }}"
+ {{- end }}
+ imagePullPolicy: {{ .Values.downloadDashboardsImage.pullPolicy }}
+ command: ["/bin/sh"]
+ args: [ "-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh" ]
+ resources:
+{{ toYaml .Values.downloadDashboards.resources | indent 6 }}
+ env:
+{{- range $key, $value := .Values.downloadDashboards.env }}
+ - name: "{{ $key }}"
+ value: "{{ $value }}"
+{{- end }}
+{{- if .Values.downloadDashboards.envFromSecret }}
+ envFrom:
+ - secretRef:
+ name: {{ tpl .Values.downloadDashboards.envFromSecret . }}
+{{- end }}
+ volumeMounts:
+ - name: config
+ mountPath: "/etc/grafana/download_dashboards.sh"
+ subPath: download_dashboards.sh
+ - name: storage
+ mountPath: "/var/lib/grafana"
+{{- if .Values.persistence.subPath }}
+ subPath: {{ tpl .Values.persistence.subPath . }}
+{{- end }}
+ {{- range .Values.extraSecretMounts }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath }}
+ readOnly: {{ .readOnly }}
+ {{- end }}
+{{- end }}
+{{- if and .Values.sidecar.datasources.enabled .Values.sidecar.datasources.initDatasources }}
+ - name: {{ template "grafana.name" . }}-init-sc-datasources
+ {{- if .Values.sidecar.image.sha }}
+ image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}"
+ {{- else }}
+ image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}"
+ {{- end }}
+ imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }}
+ env:
+ - name: METHOD
+ value: "LIST"
+ - name: LABEL
+ value: "{{ .Values.sidecar.datasources.label }}"
+ {{- if .Values.sidecar.datasources.labelValue }}
+ - name: LABEL_VALUE
+ value: {{ quote .Values.sidecar.datasources.labelValue }}
+ {{- end }}
+ - name: FOLDER
+ value: "/etc/grafana/provisioning/datasources"
+ - name: RESOURCE
+ value: {{ quote .Values.sidecar.datasources.resource }}
+ {{- if .Values.sidecar.enableUniqueFilenames }}
+ - name: UNIQUE_FILENAMES
+ value: "{{ .Values.sidecar.enableUniqueFilenames }}"
+ {{- end }}
+ {{- if .Values.sidecar.datasources.searchNamespace }}
+ - name: NAMESPACE
+ value: "{{ .Values.sidecar.datasources.searchNamespace | join "," }}"
+ {{- end }}
+ {{- if .Values.sidecar.skipTlsVerify }}
+ - name: SKIP_TLS_VERIFY
+ value: "{{ .Values.sidecar.skipTlsVerify }}"
+ {{- end }}
+ resources:
+{{ toYaml .Values.sidecar.resources | indent 6 }}
+{{- if .Values.sidecar.securityContext }}
+ securityContext:
+{{- toYaml .Values.sidecar.securityContext | nindent 6 }}
+{{- end }}
+ volumeMounts:
+ - name: sc-datasources-volume
+ mountPath: "/etc/grafana/provisioning/datasources"
+{{- end }}
+{{- if .Values.sidecar.notifiers.enabled }}
+ - name: {{ template "grafana.name" . }}-sc-notifiers
+ {{- if .Values.sidecar.image.sha }}
+ image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}"
+ {{- else }}
+ image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}"
+ {{- end }}
+ imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }}
+ env:
+ - name: METHOD
+ value: LIST
+ - name: LABEL
+ value: "{{ .Values.sidecar.notifiers.label }}"
+ - name: FOLDER
+ value: "/etc/grafana/provisioning/notifiers"
+ - name: RESOURCE
+ value: {{ quote .Values.sidecar.notifiers.resource }}
+ {{- if .Values.sidecar.enableUniqueFilenames }}
+ - name: UNIQUE_FILENAMES
+ value: "{{ .Values.sidecar.enableUniqueFilenames }}"
+ {{- end }}
+ {{- if .Values.sidecar.notifiers.searchNamespace }}
+ - name: NAMESPACE
+ value: "{{ .Values.sidecar.notifiers.searchNamespace | join "," }}"
+ {{- end }}
+ {{- if .Values.sidecar.skipTlsVerify }}
+ - name: SKIP_TLS_VERIFY
+ value: "{{ .Values.sidecar.skipTlsVerify }}"
+ {{- end }}
+{{- if .Values.sidecar.livenessProbe }}
+ livenessProbe:
+{{ toYaml .Values.livenessProbe | indent 6 }}
+{{- end }}
+{{- if .Values.sidecar.readinessProbe }}
+ readinessProbe:
+{{ toYaml .Values.readinessProbe | indent 6 }}
+{{- end }}
+ resources:
+{{ toYaml .Values.sidecar.resources | indent 6 }}
+{{- if .Values.sidecar.securityContext }}
+ securityContext:
+{{- toYaml .Values.sidecar.securityContext | nindent 6 }}
+{{- end }}
+ volumeMounts:
+ - name: sc-notifiers-volume
+ mountPath: "/etc/grafana/provisioning/notifiers"
+{{- end}}
+{{- if .Values.extraInitContainers }}
+{{ tpl (toYaml .Values.extraInitContainers) . | indent 2 }}
+{{- end }}
+{{- if (or .Values.global.imagePullSecret .Values.image.pullSecrets) }}
+imagePullSecrets:
+{{- if .Values.global.imagePullSecret }}
+ - name: {{ .Values.global.imagePullSecret }}
+{{- end }}
+{{- $root := . }}
+{{- range .Values.image.pullSecrets }}
+ - name: {{ tpl . $root }}
+{{- end}}
+{{- end }}
+{{- if not .Values.enableKubeBackwardCompatibility }}
+enableServiceLinks: {{ .Values.enableServiceLinks }}
+{{- end }}
+containers:
+{{- if .Values.sidecar.dashboards.enabled }}
+ - name: {{ template "grafana.name" . }}-sc-dashboard
+ {{- if .Values.sidecar.image.sha }}
+ image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}"
+ {{- else }}
+ image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}"
+ {{- end }}
+ imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }}
+ env:
+ - name: METHOD
+ value: {{ .Values.sidecar.dashboards.watchMethod }}
+ - name: LABEL
+ value: "{{ .Values.sidecar.dashboards.label }}"
+ {{- if .Values.sidecar.dashboards.labelValue }}
+ - name: LABEL_VALUE
+ value: {{ quote .Values.sidecar.dashboards.labelValue }}
+ {{- end }}
+ - name: FOLDER
+ value: "{{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }}"
+ - name: RESOURCE
+ value: {{ quote .Values.sidecar.dashboards.resource }}
+ {{- if .Values.sidecar.enableUniqueFilenames }}
+ - name: UNIQUE_FILENAMES
+ value: "{{ .Values.sidecar.enableUniqueFilenames }}"
+ {{- end }}
+ {{- if .Values.sidecar.dashboards.searchNamespace }}
+ - name: NAMESPACE
+ value: "{{ .Values.sidecar.dashboards.searchNamespace | join "," }}"
+ {{- end }}
+ {{- if .Values.sidecar.skipTlsVerify }}
+ - name: SKIP_TLS_VERIFY
+ value: "{{ .Values.sidecar.skipTlsVerify }}"
+ {{- end }}
+ {{- if .Values.sidecar.dashboards.folderAnnotation }}
+ - name: FOLDER_ANNOTATION
+ value: "{{ .Values.sidecar.dashboards.folderAnnotation }}"
+ {{- end }}
+ {{- if .Values.sidecar.dashboards.script }}
+ - name: SCRIPT
+ value: "{{ .Values.sidecar.dashboards.script }}"
+ {{- end }}
+ {{- if .Values.sidecar.dashboards.watchServerTimeout }}
+ - name: WATCH_SERVER_TIMEOUT
+ value: "{{ .Values.sidecar.dashboards.watchServerTimeout }}"
+ {{- end }}
+ {{- if .Values.sidecar.dashboards.watchClientTimeout }}
+ - name: WATCH_CLIENT_TIMEOUT
+ value: "{{ .Values.sidecar.dashboards.watchClientTimeout }}"
+ {{- end }}
+{{- if .Values.sidecar.livenessProbe }}
+ livenessProbe:
+{{ toYaml .Values.livenessProbe | indent 6 }}
+{{- end }}
+{{- if .Values.sidecar.readinessProbe }}
+ readinessProbe:
+{{ toYaml .Values.readinessProbe | indent 6 }}
+{{- end }}
+ resources:
+{{ toYaml .Values.sidecar.resources | indent 6 }}
+{{- if .Values.sidecar.securityContext }}
+ securityContext:
+{{- toYaml .Values.sidecar.securityContext | nindent 6 }}
+{{- end }}
+ volumeMounts:
+ - name: sc-dashboard-volume
+ mountPath: {{ .Values.sidecar.dashboards.folder | quote }}
+ {{- if .Values.sidecar.dashboards.extraMounts }}
+ {{- toYaml .Values.sidecar.dashboards.extraMounts | trim | nindent 6}}
+ {{- end }}
+{{- end}}
+{{- if .Values.sidecar.datasources.enabled }}
+ - name: {{ template "grafana.name" . }}-sc-datasources
+ {{- if .Values.sidecar.image.sha }}
+ image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}"
+ {{- else }}
+ image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}"
+ {{- end }}
+ imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }}
+ env:
+ - name: METHOD
+ value: {{ .Values.sidecar.datasources.watchMethod }}
+ - name: LABEL
+ value: "{{ .Values.sidecar.datasources.label }}"
+ {{- if .Values.sidecar.datasources.labelValue }}
+ - name: LABEL_VALUE
+ value: {{ quote .Values.sidecar.datasources.labelValue }}
+ {{- end }}
+ - name: FOLDER
+ value: "/etc/grafana/provisioning/datasources"
+ - name: RESOURCE
+ value: {{ quote .Values.sidecar.datasources.resource }}
+ {{- if .Values.sidecar.enableUniqueFilenames }}
+ - name: UNIQUE_FILENAMES
+ value: "{{ .Values.sidecar.enableUniqueFilenames }}"
+ {{- end }}
+ {{- if .Values.sidecar.datasources.searchNamespace }}
+ - name: NAMESPACE
+ value: "{{ .Values.sidecar.datasources.searchNamespace | join "," }}"
+ {{- end }}
+ {{- if .Values.sidecar.skipTlsVerify }}
+ - name: SKIP_TLS_VERIFY
+ value: "{{ .Values.sidecar.skipTlsVerify }}"
+ {{- end }}
+ {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }}
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }}
+ key: {{ .Values.admin.userKey | default "admin-user" }}
+ {{- end }}
+ {{- if and (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }}
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }}
+ key: {{ .Values.admin.passwordKey | default "admin-password" }}
+ {{- end }}
+ {{- if not .Values.sidecar.datasources.skipReload }}
+ - name: REQ_URL
+ value: {{ .Values.sidecar.datasources.reloadURL }}
+ - name: REQ_METHOD
+ value: POST
+ {{- end }}
+{{- if .Values.sidecar.livenessProbe }}
+ livenessProbe:
+{{ toYaml .Values.livenessProbe | indent 6 }}
+{{- end }}
+{{- if .Values.sidecar.readinessProbe }}
+ readinessProbe:
+{{ toYaml .Values.readinessProbe | indent 6 }}
+{{- end }}
+ resources:
+{{ toYaml .Values.sidecar.resources | indent 6 }}
+{{- if .Values.sidecar.securityContext }}
+ securityContext:
+{{- toYaml .Values.sidecar.securityContext | nindent 6 }}
+{{- end }}
+ volumeMounts:
+ - name: sc-datasources-volume
+ mountPath: "/etc/grafana/provisioning/datasources"
+{{- end}}
+{{- if .Values.sidecar.plugins.enabled }}
+ - name: {{ template "grafana.name" . }}-sc-plugins
+ {{- if .Values.sidecar.image.sha }}
+ image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}"
+ {{- else }}
+ image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}"
+ {{- end }}
+ imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }}
+ env:
+ - name: METHOD
+ value: {{ .Values.sidecar.plugins.watchMethod }}
+ - name: LABEL
+ value: "{{ .Values.sidecar.plugins.label }}"
+ {{- if .Values.sidecar.plugins.labelValue }}
+ - name: LABEL_VALUE
+ value: {{ quote .Values.sidecar.plugins.labelValue }}
+ {{- end }}
+ - name: FOLDER
+ value: "/etc/grafana/provisioning/plugins"
+ - name: RESOURCE
+ value: {{ quote .Values.sidecar.plugins.resource }}
+ {{- if .Values.sidecar.enableUniqueFilenames }}
+ - name: UNIQUE_FILENAMES
+ value: "{{ .Values.sidecar.enableUniqueFilenames }}"
+ {{- end }}
+ {{- if .Values.sidecar.plugins.searchNamespace }}
+ - name: NAMESPACE
+ value: "{{ .Values.sidecar.plugins.searchNamespace | join "," }}"
+ {{- end }}
+ {{- if .Values.sidecar.skipTlsVerify }}
+ - name: SKIP_TLS_VERIFY
+ value: "{{ .Values.sidecar.skipTlsVerify }}"
+ {{- end }}
+ {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }}
+ - name: REQ_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }}
+ key: {{ .Values.admin.userKey | default "admin-user" }}
+ {{- end }}
+ {{- if and (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }}
+ - name: REQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }}
+ key: {{ .Values.admin.passwordKey | default "admin-password" }}
+ {{- end }}
+ {{- if not .Values.sidecar.plugins.skipReload }}
+ - name: REQ_URL
+ value: {{ .Values.sidecar.plugins.reloadURL }}
+ - name: REQ_METHOD
+ value: POST
+ {{- end }}
+{{- if .Values.sidecar.livenessProbe }}
+ livenessProbe:
+{{ toYaml .Values.livenessProbe | indent 6 }}
+{{- end }}
+{{- if .Values.sidecar.readinessProbe }}
+ readinessProbe:
+{{ toYaml .Values.readinessProbe | indent 6 }}
+{{- end }}
+ resources:
+{{ toYaml .Values.sidecar.resources | indent 6 }}
+{{- if .Values.sidecar.securityContext }}
+ securityContext:
+{{- toYaml .Values.sidecar.securityContext | nindent 6 }}
+{{- end }}
+ volumeMounts:
+ - name: sc-plugins-volume
+ mountPath: "/etc/grafana/provisioning/plugins"
+{{- end}}
+ - name: {{ .Chart.Name }}
+ {{- if .Values.image.sha }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}@sha256:{{ .Values.image.sha }}"
+ {{- else }}
+ image: "{{ include "get.grafanaServerimage" . }}"
+ {{- end }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if .Values.command }}
+ command:
+ {{- range .Values.command }}
+ - {{ . }}
+ {{- end }}
+ {{- end}}
+{{- if .Values.containerSecurityContext }}
+ securityContext:
+{{- toYaml .Values.containerSecurityContext | nindent 6 }}
+{{- end }}
+ volumeMounts:
+ - name: config
+ mountPath: "/etc/grafana/grafana.ini"
+ subPath: grafana.ini
+ {{- if .Values.ldap.enabled }}
+ - name: ldap
+ mountPath: "/etc/grafana/ldap.toml"
+ subPath: ldap.toml
+ {{- end }}
+ {{- $root := . }}
+ {{- range .Values.extraConfigmapMounts }}
+ - name: {{ tpl .name $root }}
+ mountPath: {{ tpl .mountPath $root }}
+ subPath: {{ (tpl .subPath $root) | default "" }}
+ readOnly: {{ .readOnly }}
+ {{- end }}
+ - name: storage
+ mountPath: "/var/lib/grafana"
+{{- if .Values.persistence.subPath }}
+ subPath: {{ tpl .Values.persistence.subPath . }}
+{{- end }}
+{{- if .Values.dashboards }}
+{{- range $provider, $dashboards := .Values.dashboards }}
+{{- range $key, $value := $dashboards }}
+{{- if (or (hasKey $value "json") (hasKey $value "file")) }}
+ - name: dashboards-{{ $provider }}
+ mountPath: "/var/lib/grafana/dashboards/{{ $provider }}/{{ $key }}.json"
+ subPath: "{{ $key }}.json"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end -}}
+{{- if .Values.dashboardsConfigMaps }}
+{{- range (keys .Values.dashboardsConfigMaps | sortAlpha) }}
+ - name: dashboards-{{ . }}
+ mountPath: "/var/lib/grafana/dashboards/{{ . }}"
+{{- end }}
+{{- end }}
+{{/* Mounting default datasources in pod as yaml */}}
+ - name: config
+ mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml"
+ subPath: "datasources.yaml"
+{{- if .Values.notifiers }}
+{{- range (keys .Values.notifiers | sortAlpha) }}
+ - name: config
+ mountPath: "/etc/grafana/provisioning/notifiers/{{ . }}"
+ subPath: {{ . | quote }}
+{{- end }}
+{{- end }}
+{{- if .Values.dashboardProviders }}
+{{- range (keys .Values.dashboardProviders | sortAlpha) }}
+ - name: config
+ mountPath: "/etc/grafana/provisioning/dashboards/{{ . }}"
+ subPath: {{ . | quote }}
+{{- end }}
+{{- end }}
+{{- if .Values.sidecar.dashboards.enabled }}
+ - name: sc-dashboard-volume
+ mountPath: {{ .Values.sidecar.dashboards.folder | quote }}
+{{ if .Values.sidecar.dashboards.SCProvider }}
+ - name: sc-dashboard-provider
+ mountPath: "/etc/grafana/provisioning/dashboards/sc-dashboardproviders.yaml"
+ subPath: provider.yaml
+{{- end}}
+{{- end}}
+{{- if .Values.sidecar.datasources.enabled }}
+ - name: sc-datasources-volume
+ mountPath: "/etc/grafana/provisioning/datasources"
+{{- end}}
+{{- if .Values.sidecar.plugins.enabled }}
+ - name: sc-plugins-volume
+ mountPath: "/etc/grafana/provisioning/plugins"
+{{- end}}
+{{- if .Values.sidecar.notifiers.enabled }}
+ - name: sc-notifiers-volume
+ mountPath: "/etc/grafana/provisioning/notifiers"
+{{- end}}
+ {{- range .Values.extraSecretMounts }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath }}
+ readOnly: {{ .readOnly }}
+ subPath: {{ .subPath | default "" }}
+ {{- end }}
+ {{- range .Values.extraVolumeMounts }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath }}
+ subPath: {{ .subPath | default "" }}
+ readOnly: {{ .readOnly }}
+ {{- end }}
+ {{- range .Values.extraEmptyDirMounts }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath }}
+ {{- end }}
+ ports:
+ - name: {{ .Values.service.portName }}
+ containerPort: {{ .Values.service.port }}
+ protocol: TCP
+ - name: {{ .Values.podPortName }}
+ containerPort: 3000
+ protocol: TCP
+ env:
+ {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }}
+ - name: GF_SECURITY_ADMIN_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }}
+ key: {{ .Values.admin.userKey | default "admin-user" }}
+ {{- end }}
+ {{- if and (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }}
+ - name: GF_SECURITY_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }}
+ key: {{ .Values.admin.passwordKey | default "admin-password" }}
+ {{- end }}
+ {{- if .Values.plugins }}
+ - name: GF_INSTALL_PLUGINS
+ valueFrom:
+ configMapKeyRef:
+ name: {{ template "grafana.fullname" . }}
+ key: plugins
+ {{- end }}
+ {{- if .Values.smtp.existingSecret }}
+ - name: GF_SMTP_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.smtp.existingSecret }}
+ key: {{ .Values.smtp.userKey | default "user" }}
+ - name: GF_SMTP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.smtp.existingSecret }}
+ key: {{ .Values.smtp.passwordKey | default "password" }}
+ {{- end }}
+ {{- if .Values.imageRenderer.enabled }}
+ - name: GF_RENDERING_SERVER_URL
+ value: http://{{ template "grafana.fullname" . }}-image-renderer.{{ template "grafana.namespace" . }}:{{ .Values.imageRenderer.service.port }}/render
+ - name: GF_RENDERING_CALLBACK_URL
+ value: {{ .Values.imageRenderer.grafanaProtocol }}://{{ template "grafana.fullname" . }}.{{ template "grafana.namespace" . }}:{{ .Values.service.port }}/{{ .Values.imageRenderer.grafanaSubPath }}
+ {{- end }}
+ - name: GF_PATHS_DATA
+ value: {{ (get .Values "grafana.ini").paths.data }}
+ - name: GF_PATHS_LOGS
+ value: {{ (get .Values "grafana.ini").paths.logs }}
+ - name: GF_PATHS_PLUGINS
+ value: {{ (get .Values "grafana.ini").paths.plugins }}
+ - name: GF_PATHS_PROVISIONING
+ value: {{ (get .Values "grafana.ini").paths.provisioning }}
+ {{- range $key, $value := .Values.envValueFrom }}
+ - name: {{ $key | quote }}
+ valueFrom:
+{{ tpl (toYaml $value) $ | indent 10 }}
+ {{- end }}
+{{- range $key, $value := .Values.env }}
+ - name: "{{ tpl $key $ }}"
+ value: "{{ tpl (print $value) $ }}"
+{{- end }}
+ {{- if or .Values.envFromSecret (or .Values.envRenderSecret .Values.envFromSecrets) .Values.envFromConfigMaps }}
+ envFrom:
+ {{- if .Values.envFromSecret }}
+ - secretRef:
+ name: {{ tpl .Values.envFromSecret . }}
+ {{- end }}
+ {{- if .Values.envRenderSecret }}
+ - secretRef:
+ name: {{ template "grafana.fullname" . }}-env
+ {{- end }}
+ {{- range .Values.envFromSecrets }}
+ - secretRef:
+ name: {{ tpl .name $ }}
+ optional: {{ .optional | default false }}
+ {{- end }}
+ {{- range .Values.envFromConfigMaps }}
+ - configMapRef:
+ name: {{ tpl .name $ }}
+ optional: {{ .optional | default false }}
+ {{- end }}
+ {{- end }}
+ livenessProbe:
+{{ toYaml .Values.livenessProbe | indent 6 }}
+ readinessProbe:
+{{ toYaml .Values.readinessProbe | indent 6 }}
+{{- if .Values.lifecycleHooks }}
+ lifecycle: {{ tpl (.Values.lifecycleHooks | toYaml) . | nindent 6 }}
+{{- end }}
+ resources:
+{{ toYaml .Values.resources | indent 6 }}
+{{- with .Values.extraContainers }}
+{{ tpl . $ | indent 2 }}
+{{- end }}
+{{- with .Values.nodeSelector }}
+nodeSelector:
+{{ toYaml . | indent 2 }}
+{{- end }}
+{{- $root := . }}
+{{- with .Values.affinity }}
+affinity:
+{{ tpl (toYaml .) $root | indent 2 }}
+{{- end }}
+{{- with .Values.tolerations }}
+tolerations:
+{{ toYaml . | indent 2 }}
+{{- end }}
+volumes:
+ - name: config
+ configMap:
+ name: {{ template "grafana.fullname" . }}
+{{- $root := . }}
+{{- range .Values.extraConfigmapMounts }}
+ - name: {{ tpl .name $root }}
+ configMap:
+ name: {{ tpl .configMap $root }}
+{{- end }}
+ {{- if .Values.dashboards }}
+ {{- range (keys .Values.dashboards | sortAlpha) }}
+ - name: dashboards-{{ . }}
+ configMap:
+ name: {{ template "grafana.fullname" $ }}-dashboards-{{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.dashboardsConfigMaps }}
+ {{ $root := . }}
+ {{- range $provider, $name := .Values.dashboardsConfigMaps }}
+ - name: dashboards-{{ $provider }}
+ configMap:
+ name: {{ tpl $name $root }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.ldap.enabled }}
+ - name: ldap
+ secret:
+ {{- if .Values.ldap.existingSecret }}
+ secretName: {{ .Values.ldap.existingSecret }}
+ {{- else }}
+ secretName: {{ template "grafana.fullname" . }}
+ {{- end }}
+ items:
+ - key: ldap-toml
+ path: ldap.toml
+ {{- end }}
+{{- if and .Values.global.persistence.enabled (eq .Values.persistence.type "pvc") }}
+ - name: storage
+ persistentVolumeClaim:
+ claimName: {{ tpl (.Values.persistence.existingClaim | default (include "grafana.fullname" .)) . }}
+{{- else if and .Values.global.persistence.enabled (eq .Values.persistence.type "statefulset") }}
+# nothing
+{{- else }}
+ - name: storage
+{{- if .Values.persistence.inMemory.enabled }}
+ emptyDir:
+ medium: Memory
+{{- if .Values.persistence.inMemory.sizeLimit }}
+ sizeLimit: {{ .Values.persistence.inMemory.sizeLimit }}
+{{- end -}}
+{{- else }}
+ emptyDir: {}
+{{- end -}}
+{{- end -}}
+{{- if .Values.sidecar.dashboards.enabled }}
+ - name: sc-dashboard-volume
+{{- if .Values.sidecar.dashboards.sizeLimit }}
+ emptyDir:
+ sizeLimit: {{ .Values.sidecar.dashboards.sizeLimit }}
+{{- else }}
+ emptyDir: {}
+{{- end -}}
+{{- if .Values.sidecar.dashboards.SCProvider }}
+ - name: sc-dashboard-provider
+ configMap:
+ name: {{ template "grafana.fullname" . }}-config-dashboards
+{{- end }}
+{{- end }}
+{{- if .Values.sidecar.datasources.enabled }}
+ - name: sc-datasources-volume
+{{- if .Values.sidecar.datasources.sizeLimit }}
+ emptyDir:
+ sizeLimit: {{ .Values.sidecar.datasources.sizeLimit }}
+{{- else }}
+ emptyDir: {}
+{{- end -}}
+{{- end -}}
+{{- if .Values.sidecar.plugins.enabled }}
+ - name: sc-plugins-volume
+{{- if .Values.sidecar.plugins.sizeLimit }}
+ emptyDir:
+ sizeLimit: {{ .Values.sidecar.plugins.sizeLimit }}
+{{- else }}
+ emptyDir: {}
+{{- end -}}
+{{- end -}}
+{{- if .Values.sidecar.notifiers.enabled }}
+ - name: sc-notifiers-volume
+{{- if .Values.sidecar.notifiers.sizeLimit }}
+ emptyDir:
+ sizeLimit: {{ .Values.sidecar.notifiers.sizeLimit }}
+{{- else }}
+ emptyDir: {}
+{{- end -}}
+{{- end -}}
+{{- range .Values.extraSecretMounts }}
+{{- if .secretName }}
+ - name: {{ .name }}
+ secret:
+ secretName: {{ .secretName }}
+ defaultMode: {{ .defaultMode }}
+{{- else if .projected }}
+ - name: {{ .name }}
+ projected: {{- toYaml .projected | nindent 6 }}
+{{- else if .csi }}
+ - name: {{ .name }}
+ csi: {{- toYaml .csi | nindent 6 }}
+{{- end }}
+{{- end }}
+{{- range .Values.extraVolumeMounts }}
+ - name: {{ .name }}
+ {{- if .existingClaim }}
+ persistentVolumeClaim:
+ claimName: {{ .existingClaim }}
+ {{- else if .hostPath }}
+ hostPath:
+ path: {{ .hostPath }}
+ {{- else }}
+ emptyDir: {}
+ {{- end }}
+{{- end }}
+{{- range .Values.extraEmptyDirMounts }}
+ - name: {{ .name }}
+ emptyDir: {}
+{{- end -}}
+{{- if .Values.extraContainerVolumes }}
+{{ toYaml .Values.extraContainerVolumes | indent 2 }}
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/clusterrole.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/clusterrole.yaml
new file mode 100644
index 000000000..6d2aa55c9
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/templates/clusterrole.yaml
@@ -0,0 +1,27 @@ +{{- if .Values.enabled }} +{{- if and .Values.rbac.create (not .Values.rbac.namespaced) (not .Values.rbac.useExistingRole) }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + name: {{ template "grafana.fullname" . }}-clusterrole +{{- if or .Values.sidecar.dashboards.enabled (or .Values.sidecar.datasources.enabled .Values.rbac.extraClusterRoleRules) }} +rules: +{{- if or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled }} +- apiGroups: [""] # "" indicates the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "watch", "list"] +{{- end}} +{{- with .Values.rbac.extraClusterRoleRules }} +{{ toYaml . | indent 0 }} +{{- end}} +{{- else }} +rules: [] +{{- end}} +{{- end}} +{{- end}} diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/clusterrolebinding.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..5e50cd7fe --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/grafana/templates/clusterrolebinding.yaml 
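Review bot: The rule emitted when either sidecar is enabled grants `get`/`watch`/`list` on `secrets` as well as `configmaps`, and because this is a ClusterRole that is a read of every Secret in every namespace for the Grafana service account; the same `resources: ["configmaps", "secrets"]` grant appears in role.yaml for the namespaced case. If the sidecars in this deployment only consume ConfigMaps, drop `secrets` from `resources`, or gate it behind its own value so an operator opts in deliberately; at minimum put a comment above the rule such as `# cluster-wide Secret read: only needed when a sidecar watches Secrets`. `extraClusterRoleRules` is spliced in verbatim through `toYaml . | indent 0`, so the values documentation should say that it widens this role without any validation.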
@@ -0,0 +1,26 @@
+{{- if .Values.enabled }}
+{{- if and .Values.rbac.create (not .Values.rbac.namespaced) }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "grafana.fullname" . }}-clusterrolebinding
+ labels:
+ {{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "grafana.serviceAccountName" . }}
+ namespace: {{ template "grafana.namespace" . }}
+roleRef:
+ kind: ClusterRole
+{{- if (not .Values.rbac.useExistingRole) }}
+ name: {{ template "grafana.fullname" . }}-clusterrole
+{{- else }}
+ name: {{ .Values.rbac.useExistingRole }}
+{{- end }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end -}}
+{{- end -}}
diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/configmap-dashboard-provider.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/configmap-dashboard-provider.yaml
new file mode 100644
index 000000000..c3dcc0810
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/templates/configmap-dashboard-provider.yaml
@@ -0,0 +1,31 @@ +{{- if .Values.enabled }} +{{- if .Values.sidecar.dashboards.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + name: {{ template "grafana.fullname" . }}-config-dashboards + namespace: {{ template "grafana.namespace" . }} +data: + provider.yaml: |- + apiVersion: 1 + providers: + - name: '{{ .Values.sidecar.dashboards.provider.name }}' + orgId: {{ .Values.sidecar.dashboards.provider.orgid }} + {{- if not .Values.sidecar.dashboards.provider.foldersFromFilesStructure }} + folder: '{{ .Values.sidecar.dashboards.provider.folder }}' + {{- end}} + type: {{ .Values.sidecar.dashboards.provider.type }} + disableDeletion: {{ .Values.sidecar.dashboards.provider.disableDelete }} + allowUiUpdates: {{ .Values.sidecar.dashboards.provider.allowUiUpdates }} + updateIntervalSeconds: {{ .Values.sidecar.dashboards.provider.updateIntervalSeconds | default 30 }} + options: + foldersFromFilesStructure: {{ .Values.sidecar.dashboards.provider.foldersFromFilesStructure }} + path: {{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }} +{{- end}} +{{- end}} diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/configmap.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/configmap.yaml new file mode 100644 index 000000000..89219183c --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/grafana/templates/configmap.yaml 
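Review bot: `name: '{{ ... }}'` and `folder: '{{ ... }}'` in the embedded provider.yaml are hand-quoted with single quotes, so a provider name or folder containing `'` produces an unparsable provider file, and `path:` is left unquoted even though it is assembled from `sidecar.dashboards.folder` and `defaultFolderName`. Let the template do the quoting instead: `name: {{ .Values.sidecar.dashboards.provider.name | quote }}` and `folder: {{ .Values.sidecar.dashboards.provider.folder | quote }}`, and wrap the assembled path in `quote` as well so a value with a space or a YAML indicator cannot change the structure of the file.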
@@ -0,0 +1,109 @@ +{{- if .Values.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +data: + # Adding default prometheus datasource for grafana + datasources.yaml: | + apiVersion: 1 + datasources: + - access: proxy + editable: false + isDefault: true + name: Prometheus + type: prometheus + {{- if and .Values.global.prometheus.external.host .Values.global.prometheus.external.port }} + url: {{ printf "http://%s:%s/%s" .Values.global.prometheus.external.host .Values.global.prometheus.external.port .Values.global.prometheus.external.baseURL | trimSuffix "/" }} + {{- else }} + url: http://{{ .Values.prometheusName | trimSuffix "/" }}-exp/{{ .Values.prometheusPrefixURL | trimPrefix "/" }} + {{- end }} + jsonData: + timeInterval: '1m' +{{- if .Values.plugins }} + plugins: {{ join "," .Values.plugins }} +{{- end }} + grafana.ini: | +{{- range $key, $value := index .Values "grafana.ini" }} + [{{ $key }}] + {{- range $elem, $elemVal := $value }} + {{- if kindIs "invalid" $elemVal }} + {{ $elem }} = + {{- else if kindIs "string" $elemVal }} + {{ $elem }} = {{ tpl $elemVal $ }} + {{- else }} + {{ $elem }} = {{ $elemVal }} + {{- end }} + {{- end }} +{{- end }} + [server] + root_url=/{{ include "k10.ingressPath" . | trimSuffix "/"}}/grafana + serve_from_sub_path=true + +{{- if .Values.datasources }} +{{ $root := . 
}} + {{- range $key, $value := .Values.datasources }} + {{ $key }}: | +{{ tpl (toYaml $value | indent 4) $root }} + {{- end -}} +{{- end -}} + +{{- if .Values.notifiers }} + {{- range $key, $value := .Values.notifiers }} + {{ $key }}: | +{{ toYaml $value | indent 4 }} + {{- end -}} +{{- end -}} + +{{- if .Values.dashboardProviders }} + {{- range $key, $value := .Values.dashboardProviders }} + {{ $key }}: | +{{ toYaml $value | indent 4 }} + {{- end -}} +{{- end -}} + +{{- if .Values.dashboards }} + download_dashboards.sh: | + #!/usr/bin/env sh + set -euf + {{- if .Values.dashboardProviders }} + {{- range $key, $value := .Values.dashboardProviders }} + {{- range $value.providers }} + mkdir -p {{ .options.path }} + {{- end }} + {{- end }} + {{- end }} + {{ $dashboardProviders := .Values.dashboardProviders }} + {{- range $provider, $dashboards := .Values.dashboards }} + {{- range $key, $value := $dashboards }} + {{- if (or (hasKey $value "gnetId") (hasKey $value "url")) }} + curl -skf \ + --connect-timeout 60 \ + --max-time 60 \ + {{- if not $value.b64content }} + -H "Accept: application/json" \ + {{- if $value.token }} + -H "Authorization: token {{ $value.token }}" \ + {{- end }} + -H "Content-Type: application/json;charset=UTF-8" \ + {{ end }} + {{- $dpPath := "" -}} + {{- range $kd := (index $dashboardProviders "dashboardproviders.yaml").providers -}} + {{- if eq $kd.name $provider -}} + {{- $dpPath = $kd.options.path -}} + {{- end -}} + {{- end -}} + {{- if $value.url -}}"{{ $value.url }}"{{- else -}}"https://grafana.com/api/dashboards/{{ $value.gnetId }}/revisions/{{- if $value.revision -}}{{ $value.revision }}{{- else -}}1{{- end -}}/download"{{- end -}}{{ if $value.datasource }} | sed '/-- .* --/! 
s/"datasource":.*,/"datasource": "{{ $value.datasource }}",/g'{{ end }}{{- if $value.b64content -}} | base64 -d {{- end -}} \ + > "{{- if $dpPath -}}{{ $dpPath }}{{- else -}}/var/lib/grafana/dashboards/{{ $provider }}{{- end -}}/{{ $key }}.json" + {{- end }} + {{- end -}} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/dashboards-json-configmap.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/dashboards-json-configmap.yaml new file mode 100644 index 000000000..232cd5a5e --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/grafana/templates/dashboards-json-configmap.yaml @@ -0,0 +1,37 @@ +{{- if .Values.enabled }} +{{- if .Values.dashboards }} +{{ $files := .Files }} +{{- range $provider, $dashboards := .Values.dashboards }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "grafana.fullname" $ }}-dashboards-{{ $provider }} + namespace: {{ template "grafana.namespace" $ }} + labels: + {{- include "grafana.labels" $ | nindent 4 }} + dashboard-provider: {{ $provider }} +{{- if $dashboards }} +data: +{{- $dashboardFound := false }} +{{- range $key, $value := $dashboards }} +{{- if (or (hasKey $value "json") (hasKey $value "file")) }} +{{- $dashboardFound = true }} +{{ print $key | indent 2 }}.json: +{{- if hasKey $value "json" }} + |- +{{ $value.json | indent 6 }} +{{- end }} +{{- if hasKey $value "file" }} +{{ toYaml ( $files.Get $value.file ) | indent 4}} +{{- end }} +{{- end }} +{{- end }} +{{- if not $dashboardFound }} + {} +{{- end }} +{{- end }} +--- +{{- end }} + +{{- end }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/deployment.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/deployment.yaml new file mode 100644 index 000000000..1186607b5 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/grafana/templates/deployment.yaml 
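Review bot: `curl -skf` in download_dashboards.sh disables TLS certificate verification with `-k`, while the same command adds `-H "Authorization: token {{ $value.token }}"` when a token is configured, so the token and the fetched dashboard JSON travel over a connection whose peer is never verified. The script is also stored in a ConfigMap, so a configured `token` is readable by anyone with ConfigMap read access rather than Secret access. Remove `-k` from the curl invocation (or put it behind an explicit value that defaults to verifying), and consider reading the token from an environment variable backed by a Secret instead of inlining it into the script. The `sed` expression is built from `$value.datasource` without escaping, so an unusual datasource name alters the script; `quote` on that value, or a documented restriction on it, would make the failure mode explicit.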
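Review bot: `{{ toYaml ( $files.Get $value.file ) | indent 4}}` silently emits an empty string when `$value.file` does not exist in the chart, so a typo in a dashboard file name ships an empty `.json` entry instead of failing the render. Fail early with `{{ toYaml (required (printf "dashboard file %s not found" $value.file) ($files.Get $value.file)) | indent 4 }}` so the missing file is caught at install time rather than as a broken dashboard at runtime.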
@@ -0,0 +1,52 @@ +{{- if .Values.enabled }} +{{ if (or (not .Values.global.persistence.enabled) (eq .Values.persistence.type "pvc")) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- if .Values.labels }} +{{ toYaml .Values.labels | indent 4 }} +{{- end }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + {{- if and (not .Values.autoscaling.enabled) (.Values.replicas) }} + replicas: {{ .Values.replicas }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 6 }} +{{- with .Values.deploymentStrategy }} + strategy: +{{ toYaml . | trim | indent 4 }} +{{- end }} + template: + metadata: + labels: + {{- include "grafana.selectorLabels" . | nindent 8 }} +{{- with .Values.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/dashboards-json-config: {{ include (print $.Template.BasePath "/dashboards-json-configmap.yaml") . | sha256sum }} + checksum/sc-dashboard-provider-config: {{ include (print $.Template.BasePath "/configmap-dashboard-provider.yaml") . | sha256sum }} +{{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.envRenderSecret }} + checksum/secret-env: {{ include (print $.Template.BasePath "/secret-env.yaml") . | sha256sum }} +{{- end }} +{{- with .Values.podAnnotations }} +{{ toYaml . 
| indent 8 }} +{{- end }} + spec: + {{- include "grafana.pod" . | nindent 6 }} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/extra-manifests.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/extra-manifests.yaml new file mode 100644 index 000000000..a9bb3b6ba --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/grafana/templates/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{ range .Values.extraObjects }} +--- +{{ tpl (toYaml .) $ }} +{{ end }} diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/headless-service.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/headless-service.yaml new file mode 100644 index 000000000..fe32d545b --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/grafana/templates/headless-service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.enabled }} +{{- if or .Values.headlessService (and .Values.global.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.type "statefulset"))}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "grafana.fullname" . }}-headless + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + clusterIP: None + selector: + {{- include "grafana.selectorLabels" . | nindent 4 }} + type: ClusterIP + ports: + - protocol: TCP + port: 3000 + targetPort: 3000 +{{- end }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/hpa.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/hpa.yaml new file mode 100644 index 000000000..b4e610c6c --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/grafana/templates/hpa.yaml 
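Review bot: The headless Service hard-codes `port: 3000` and `targetPort: 3000`, whereas the other templates in this commit derive Grafana's port from `.Values.service.port` (the image-renderer callback URL and the egress NetworkPolicy both do). If an operator changes `service.port`, this Service will advertise a different port than the rest of the chart expects; use `port: {{ .Values.service.port }}` here, and `targetPort` should match whatever the container port is in the pod template, which is outside this hunk.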
@@ -0,0 +1,22 @@
+{{- if .Values.enabled }}
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ template "grafana.fullname" . }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ helm.sh/chart: {{ template "grafana.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ template "grafana.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+{{ toYaml .Values.autoscaling.metrics | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/image-renderer-deployment.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/image-renderer-deployment.yaml
new file mode 100644
index 000000000..f29c982b9
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/templates/image-renderer-deployment.yaml
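Review bot: `apiVersion: autoscaling/v2beta1` is no longer served on Kubernetes 1.25 and later, so this template will fail to apply on current clusters when `autoscaling.enabled` is set; the chart already selects API versions through helpers for Ingress and RBAC, and the HPA should do the same or at least use `autoscaling/v2`. The metadata also omits `namespace: {{ template "grafana.namespace" . }}` that every other namespaced resource in this commit sets, so the HPA can land in a different namespace from the Deployment it targets. The labels here are hand-written `app`/`release` keys rather than `{{- include "grafana.labels" . | nindent 4 }}` used elsewhere, which makes this object invisible to selectors built on the shared labels.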
@@ -0,0 +1,123 @@ +{{- if .Values.enabled }} +{{ if .Values.imageRenderer.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "grafana.fullname" . }}-image-renderer + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.imageRenderer.labels" . | nindent 4 }} +{{- if .Values.imageRenderer.labels }} +{{ toYaml .Values.imageRenderer.labels | indent 4 }} +{{- end }} +{{- with .Values.imageRenderer.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.imageRenderer.replicas }} + revisionHistoryLimit: {{ .Values.imageRenderer.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} +{{- with .Values.imageRenderer.deploymentStrategy }} + strategy: +{{ toYaml . | trim | indent 4 }} +{{- end }} + template: + metadata: + labels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 8 }} +{{- with .Values.imageRenderer.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} +{{- with .Values.imageRenderer.podAnnotations }} +{{ toYaml . 
| indent 8 }} +{{- end }} + spec: + + {{- if .Values.imageRenderer.schedulerName }} + schedulerName: "{{ .Values.imageRenderer.schedulerName }}" + {{- end }} + {{- if .Values.imageRenderer.serviceAccountName }} + serviceAccountName: "{{ .Values.imageRenderer.serviceAccountName }}" + {{- end }} + {{- if .Values.imageRenderer.securityContext }} + securityContext: + {{- toYaml .Values.imageRenderer.securityContext | nindent 8 }} + {{- end }} + {{- if .Values.imageRenderer.hostAliases }} + hostAliases: + {{- toYaml .Values.imageRenderer.hostAliases | nindent 8 }} + {{- end }} + {{- if .Values.imageRenderer.priorityClassName }} + priorityClassName: {{ .Values.imageRenderer.priorityClassName }} + {{- end }} + {{- if .Values.imageRenderer.image.pullSecrets }} + imagePullSecrets: + {{- $root := . }} + {{- range .Values.imageRenderer.image.pullSecrets }} + - name: {{ tpl . $root }} + {{- end}} + {{- end }} + containers: + - name: {{ .Chart.Name }}-image-renderer + {{- if .Values.imageRenderer.image.sha }} + image: "{{ .Values.imageRenderer.image.repository }}:{{ .Values.imageRenderer.image.tag }}@sha256:{{ .Values.imageRenderer.image.sha }}" + {{- else }} + image: "{{ .Values.imageRenderer.image.repository }}:{{ .Values.imageRenderer.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.imageRenderer.image.pullPolicy }} + {{- if .Values.imageRenderer.command }} + command: + {{- range .Values.imageRenderer.command }} + - {{ . 
}} + {{- end }} + {{- end}} + ports: + - name: {{ .Values.imageRenderer.service.portName }} + containerPort: {{ .Values.imageRenderer.service.port }} + protocol: TCP + livenessProbe: + httpGet: + path: / + port: {{ .Values.imageRenderer.service.portName }} + env: + - name: HTTP_PORT + value: {{ .Values.imageRenderer.service.port | quote }} + {{- range $key, $value := .Values.imageRenderer.env }} + - name: {{ $key | quote }} + value: {{ $value | quote }} + {{- end }} + securityContext: + capabilities: + drop: ['all'] + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /tmp + name: image-renderer-tmpfs + {{- with .Values.imageRenderer.resources }} + resources: +{{ toYaml . | indent 12 }} + {{- end }} + {{- with .Values.imageRenderer.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- $root := . }} + {{- with .Values.imageRenderer.affinity }} + affinity: +{{ tpl (toYaml .) $root | indent 8 }} + {{- end }} + {{- with .Values.imageRenderer.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + - name: image-renderer-tmpfs + emptyDir: {} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/image-renderer-network-policy.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/image-renderer-network-policy.yaml new file mode 100644 index 000000000..3730e7eba --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/grafana/templates/image-renderer-network-policy.yaml 
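Review bot: The container securityContext drops `['all']` in lowercase; the Pod Security Standards "restricted" profile checks for the literal `ALL`, so this Deployment would be rejected or flagged by that policy even though the intent is right, and `drop: ['ALL']` is the form the Kubernetes documentation uses. The same block sets `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` but not `runAsNonRoot: true` or a `seccompProfile`, and the pod-level `securityContext` is only rendered when `imageRenderer.securityContext` is set, so by default nothing asserts that the renderer runs unprivileged. Adding `runAsNonRoot: true` next to `readOnlyRootFilesystem: true` closes that gap without changing the image.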
@@ -0,0 +1,78 @@ +{{- if .Values.enabled }} +{{- if and (.Values.imageRenderer.enabled) (.Values.imageRenderer.networkPolicy.limitIngress) }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "grafana.fullname" . }}-image-renderer-ingress + namespace: {{ template "grafana.namespace" . }} + annotations: + comment: Limit image-renderer ingress traffic from grafana +spec: + podSelector: + matchLabels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} + {{- if .Values.imageRenderer.podLabels }} + {{ toYaml .Values.imageRenderer.podLabels | nindent 6 }} + {{- end }} + + policyTypes: + - Ingress + ingress: + - ports: + - port: {{ .Values.imageRenderer.service.port }} + protocol: TCP + from: + - namespaceSelector: + matchLabels: + name: {{ template "grafana.namespace" . }} + podSelector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 14 }} + {{- if .Values.podLabels }} + {{ toYaml .Values.podLabels | nindent 14 }} + {{- end }} +{{ end }} + +{{- if and (.Values.imageRenderer.enabled) (.Values.imageRenderer.networkPolicy.limitEgress) }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "grafana.fullname" . }}-image-renderer-egress + namespace: {{ template "grafana.namespace" . }} + annotations: + comment: Limit image-renderer egress traffic to grafana +spec: + podSelector: + matchLabels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} + {{- if .Values.imageRenderer.podLabels }} + {{ toYaml .Values.imageRenderer.podLabels | nindent 6 }} + {{- end }} + + policyTypes: + - Egress + egress: + # allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # talk only to grafana + - ports: + - port: {{ .Values.service.port }} + protocol: TCP + to: + - namespaceSelector: + matchLabels: + name: {{ template "grafana.namespace" . }} + podSelector: + matchLabels: + {{- include "grafana.selectorLabels" . 
| nindent 14 }} + {{- if .Values.podLabels }} + {{ toYaml .Values.podLabels | nindent 14 }} + {{- end }} +{{ end }} +{{- end}} diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/image-renderer-service.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/image-renderer-service.yaml new file mode 100644 index 000000000..530931327 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/grafana/templates/image-renderer-service.yaml @@ -0,0 +1,32 @@ +{{- if .Values.enabled }} +{{ if .Values.imageRenderer.enabled }} +{{ if .Values.imageRenderer.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "grafana.fullname" . }}-image-renderer + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.imageRenderer.labels" . | nindent 4 }} +{{- if .Values.imageRenderer.service.labels }} +{{ toYaml .Values.imageRenderer.service.labels | indent 4 }} +{{- end }} +{{- with .Values.imageRenderer.service.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + type: ClusterIP + {{- if .Values.imageRenderer.service.clusterIP }} + clusterIP: {{ .Values.imageRenderer.service.clusterIP }} + {{end}} + ports: + - name: {{ .Values.imageRenderer.service.portName }} + port: {{ .Values.imageRenderer.service.port }} + protocol: TCP + targetPort: {{ .Values.imageRenderer.service.targetPort }} + selector: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 4 }} +{{ end }} +{{ end }} +{{- end}} diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/ingress.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/ingress.yaml new file mode 100644 index 000000000..80dbc798b --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/grafana/templates/ingress.yaml 
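Review bot: Both policies match the peer namespace with `namespaceSelector: matchLabels: name: {{ template "grafana.namespace" . }}`, but Kubernetes does not set a `name` label on namespaces; the label it does maintain automatically (since 1.21, GA in 1.22) is `kubernetes.io/metadata.name`. With the `name` label absent both policies fail closed, which is safe but means the renderer cannot reach Grafana and Grafana cannot reach the renderer, and the failure only shows up as rendering timeouts. Selecting on `kubernetes.io/metadata.name: {{ template "grafana.namespace" . }}` makes the intent hold on clusters that have not been labelled by hand; the DNS egress rule on port 53 is unrestricted by destination, which is worth a comment if that is intentional.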
@@ -0,0 +1,80 @@ +{{- if .Values.enabled }} +{{- if .Values.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "grafana.ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "grafana.ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "grafana.ingress.supportsPathType" .) "true" -}} +{{- $fullName := include "grafana.fullname" . -}} +{{- $servicePort := .Values.service.port -}} +{{- $ingressPath := .Values.ingress.path -}} +{{- $ingressPathType := .Values.ingress.pathType -}} +{{- $extraPaths := .Values.ingress.extraPaths -}} +apiVersion: {{ include "grafana.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- if .Values.ingress.labels }} +{{ toYaml .Values.ingress.labels | indent 4 }} +{{- end }} + {{- if .Values.ingress.annotations }} + annotations: + {{- range $key, $value := .Values.ingress.annotations }} + {{ $key }}: {{ tpl $value $ | quote }} + {{- end }} + {{- end }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName }} + {{- end -}} +{{- if .Values.ingress.tls }} + tls: +{{ tpl (toYaml .Values.ingress.tls) $ | indent 4 }} +{{- end }} + rules: + {{- if .Values.ingress.hosts }} + {{- range .Values.ingress.hosts }} + - host: {{ tpl . 
$}} + http: + paths: +{{- if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $fullName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end }} + {{- else }} + - http: + paths: + - backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $fullName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- if $ingressPath }} + path: {{ $ingressPath }} + {{- end }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + {{- end -}} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/networkpolicy.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/networkpolicy.yaml new file mode 100644 index 000000000..591ac7286 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/grafana/templates/networkpolicy.yaml @@ -0,0 +1,18 @@ +{{- if .Values.enabled }} +{{ if .Values.service.enabled}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "grafana.name" . }}-network-policy + namespace: {{ template "grafana.namespace" . }} +spec: + podSelector: + matchLabels: + release: {{ .Release.Name }} + app: {{ template "grafana.name" . }} + ingress: + - { } + egress: + - { } +{{- end }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/poddisruptionbudget.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..c1ee81e61 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/grafana/templates/poddisruptionbudget.yaml 
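Review bot: `- host: {{ tpl . $}}` renders the host unquoted, so a wildcard such as a host beginning with `*` is read by the YAML parser as an alias reference and the template fails to render, and any value containing `: ` or ` #` changes the document structure. Emitting it as `- host: {{ tpl . $ | quote }}` keeps every host a plain string; the same applies to `ingressClassName`, `path` and `pathType`, which are also interpolated bare.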
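Review bot: The NetworkPolicy in networkpolicy.yaml lists `ingress: - { }` and `egress: - { }`, and an empty rule selects all peers, so this object permits all ingress and all egress to the selected pods rather than restricting anything; a reader is likely to assume the opposite from the name. If the goal is a deny-by-default posture, the rules should name the allowed peers (the image-renderer policies in this commit show the pattern); if the goal really is allow-all, add a comment stating that so it is not mistaken for a control. The `podSelector` also uses hand-written `release`/`app` labels instead of `{{- include "grafana.selectorLabels" . | nindent 6 }}`, so it may not select the Grafana pods at all.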
@@ -0,0 +1,24 @@
+{{- if .Values.enabled }}
+{{- if .Values.podDisruptionBudget }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ template "grafana.fullname" . }}
+ namespace: {{ template "grafana.namespace" . }}
+ labels:
+ {{- include "grafana.labels" . | nindent 4 }}
+{{- if .Values.labels }}
+{{ toYaml .Values.labels | indent 4 }}
+{{- end }}
+spec:
+{{- if .Values.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+{{- end }}
+{{- if .Values.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+{{- end }}
+ selector:
+ matchLabels:
+ {{- include "grafana.selectorLabels" . | nindent 6 }}
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/podsecuritypolicy.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/podsecuritypolicy.yaml
new file mode 100644
index 000000000..50fd2649e
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/templates/podsecuritypolicy.yaml
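Review bot: `apiVersion: policy/v1beta1` for PodDisruptionBudget is removed in Kubernetes 1.25, so enabling `podDisruptionBudget` fails on current clusters. The chart already branches on server capabilities for Ingress and RBAC; the same approach works here, `apiVersion: {{ if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}policy/v1{{ else }}policy/v1beta1{{ end }}`. Note also that `minAvailable: 0` is falsy and is dropped by the `if`, which is a legitimate setting an operator may want; `hasKey` would preserve it.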
@@ -0,0 +1,51 @@ +{{- if .Values.enabled }} +{{- if .Values.rbac.pspEnabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "grafana.fullname" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + {{- if .Values.rbac.pspUseAppArmor }} + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + # Default set from Docker, with DAC_OVERRIDE and CHOWN + - ALL + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'csi' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/pvc.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/pvc.yaml new file mode 100644 index 000000000..4389846c7 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/grafana/templates/pvc.yaml 
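Review bot: `policy/v1beta1` PodSecurityPolicy is removed in Kubernetes 1.25, so `rbac.pspEnabled` cannot apply on current clusters and the protections this object expresses are absent there; the chart should document that and point operators to Pod Security Admission or an admission controller for the same guarantees. Within the policy itself, `runAsUser: rule: 'RunAsAny'` permits root and `readOnlyRootFilesystem: false` is the weakest setting, which is worth a comment explaining why Grafana needs them. The comment `# Default set from Docker, with DAC_OVERRIDE and CHOWN` no longer describes the list beneath it, which is just `ALL`; replace it with `# Drop every capability; Grafana runs without any`.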
@@ -0,0 +1,33 @@ +{{- if .Values.enabled }} +{{- if and .Values.global.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.type "pvc")}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.persistence.annotations }} + annotations: +{{ toYaml . | indent 4 }} + {{- end }} + {{- with .Values.persistence.finalizers }} + finalizers: +{{ toYaml . | indent 4 }} + {{- end }} +spec: + accessModes: + - {{ .Values.global.persistence.accessMode }} + resources: + requests: + storage: {{ default .Values.global.persistence.size .Values.global.persistence.grafana.size | quote }} + {{- if .Values.global.persistence.storageClass }} + storageClassName: {{ .Values.global.persistence.storageClass }} + {{- end -}} + {{- with .Values.persistence.selectorLabels }} + selector: + matchLabels: +{{ toYaml . | indent 6 }} + {{- end }} +{{- end }} +{{- end}} diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/role.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/role.yaml new file mode 100644 index 000000000..ab67f1d5b --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/grafana/templates/role.yaml 
@@ -0,0 +1,34 @@
+{{- if .Values.enabled }}
+{{- if and .Values.rbac.create (not .Values.rbac.useExistingRole) -}}
+apiVersion: {{ template "grafana.rbac.apiVersion" . }}
+kind: Role
+metadata:
+ name: {{ template "grafana.fullname" . }}
+ namespace: {{ template "grafana.namespace" . }}
+ labels:
+ {{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- if or .Values.rbac.pspEnabled (and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled (or .Values.sidecar.datasources.enabled .Values.rbac.extraRoleRules))) }}
+rules:
+{{- if .Values.rbac.pspEnabled }}
+- apiGroups: ['extensions']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: [{{ template "grafana.fullname" . }}]
+{{- end }}
+{{- if and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled) }}
+- apiGroups: [""] # "" indicates the core API group
+ resources: ["configmaps", "secrets"]
+ verbs: ["get", "watch", "list"]
+{{- end }}
+{{- with .Values.rbac.extraRoleRules }}
+{{ toYaml . | indent 0 }}
+{{- end}}
+{{- else }}
+rules: []
+{{- end }}
+{{- end }}
+{{- end}}
diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/rolebinding.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/rolebinding.yaml
new file mode 100644
index 000000000..bd0bd5dea
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/templates/rolebinding.yaml
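Review bot: The PSP `use` grant names `apiGroups: ['extensions']`, but the PodSecurityPolicy this chart creates lives in `policy/v1beta1`; the `extensions` API group for podsecuritypolicies was removed from the API years ago, so the rule should read `- apiGroups: ['policy']`. The PSP admission plugin historically checked both groups when authorizing `use`, so this may keep working through that compatibility path, but the grant should name the group the resource is actually served from. The rule is only rendered while `rbac.pspEnabled` is true, which is the values.yaml default in this commit.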
@@ -0,0 +1,27 @@
+{{- if .Values.enabled }}
+{{- if .Values.rbac.create -}}
+apiVersion: {{ template "grafana.rbac.apiVersion" . }}
+kind: RoleBinding
+metadata:
+ name: {{ template "grafana.fullname" . }}
+ namespace: {{ template "grafana.namespace" . }}
+ labels:
+ {{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+{{- if (not .Values.rbac.useExistingRole) }}
+ name: {{ template "grafana.fullname" . }}
+{{- else }}
+ name: {{ .Values.rbac.useExistingRole }}
+{{- end }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "grafana.serviceAccountName" . }}
+ namespace: {{ template "grafana.namespace" . }}
+{{- end -}}
+{{- end}}
diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/secret-env.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/secret-env.yaml
new file mode 100644
index 000000000..be272234c
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/templates/secret-env.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.enabled }}
+{{- if .Values.envRenderSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "grafana.fullname" . }}-env
+ namespace: {{ template "grafana.namespace" . }}
+ labels:
+ {{- include "grafana.labels" . | nindent 4 }}
+type: Opaque
+data:
+{{- range $key, $val := .Values.envRenderSecret }}
+ {{ $key }}: {{ $val | b64enc | quote }}
+{{- end -}}
+{{- end }}
+{{- end}}
diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/secret.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/secret.yaml
new file mode 100644
index 000000000..cd5939cc5
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/templates/secret.yaml
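Review bot: `roleRef.kind: Role` is hard-coded even when `rbac.useExistingRole` is set, while values.yaml in this commit documents that key as "Use an existing ClusterRole/Role (depending on rbac.namespaced false/true)"; with `rbac.namespaced: false` (the default) and a ClusterRole name in `useExistingRole`, this binding references a namespaced Role that does not exist, and the API server accepts a binding to a missing role silently, so the account ends up with no permissions. If a cluster-scoped binding template elsewhere in the chart covers that case, a comment above `roleRef:` saying so would save the next reader the search; otherwise the kind should follow the value, for instance `kind: {{ if and .Values.rbac.useExistingRole (not .Values.rbac.namespaced) }}ClusterRole{{ else }}Role{{ end }}`.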
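Review bot: `{{ $val | b64enc | quote }}` aborts rendering when an `envRenderSecret` entry is not a string (a port number or boolean written unquoted in values), because `b64enc` takes a string; `{{ $key }}: {{ $val | toString | b64enc | quote }}` accepts the same values a plain `env:` map does. It is also worth documenting next to `envRenderSecret` in values.yaml that values rendered this way are stored in Helm's release history as well as in the Secret object, so rotating them requires rotating the release storage too.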
@@ -0,0 +1,28 @@
+{{- if .Values.enabled }}
+{{- if or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "grafana.fullname" . }}
+ namespace: {{ template "grafana.namespace" . }}
+ labels:
+ {{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ {{- if and (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) }}
+ admin-user: {{ .Values.adminUser | b64enc | quote }}
+ {{- if .Values.adminPassword }}
+ admin-password: {{ .Values.adminPassword | b64enc | quote }}
+ {{- else }}
+ admin-password: {{ template "grafana.password" . }}
+ {{- end }}
+ {{- end }}
+ {{- if not .Values.ldap.existingSecret }}
+ ldap-toml: {{ tpl .Values.ldap.config $ | b64enc | quote }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/service.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/service.yaml
new file mode 100644
index 000000000..b5a8e0f0c
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/templates/service.yaml
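Review bot: The inner guard `{{- if not .Values.ldap.existingSecret }}` drops the `.Values.ldap.enabled` test that the outer condition applies, so whenever the Secret is rendered for admin credentials an `ldap-toml` entry is emitted as well, built from `.Values.ldap.config` even though LDAP is off; `{{- if and .Values.ldap.enabled (not .Values.ldap.existingSecret) }}` keeps the two conditions in step and avoids running `tpl` on an unset `ldap.config`. The `ldap` defaults sit in the part of values.yaml that is not on this page, so whether `config` is guaranteed to be a string is unconfirmed.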
@@ -0,0 +1,61 @@
+{{- if .Values.enabled }}
+{{ if .Values.service.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "grafana.fullname" . }}
+ namespace: {{ template "grafana.namespace" . }}
+ labels:
+ {{- include "grafana.labels" . | nindent 4 }}
+{{- if .Values.service.labels }}
+{{ toYaml .Values.service.labels | indent 4 }}
+{{- end }}
+ annotations:
+ getambassador.io/config: |
+ ---
+ apiVersion: getambassador.io/v3alpha1
+ kind: Mapping
+ name: grafana-server-mapping
+ prefix: /{{- include "k10.ingressPath" . | trimSuffix "/" }}/grafana/
+ rewrite: /
+ service: {{ template "grafana.fullname" .}}:{{ .Values.service.port }}
+ timeout_ms: 15000
+ hostname: "*"
+
+spec:
+{{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }}
+ type: ClusterIP
+ {{- if .Values.service.clusterIP }}
+ clusterIP: {{ .Values.service.clusterIP }}
+ {{end}}
+{{- else if eq .Values.service.type "LoadBalancer" }}
+ type: {{ .Values.service.type }}
+ {{- if .Values.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+ {{- end }}
+ {{- if .Values.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }}
+ {{- end -}}
+{{- else }}
+ type: {{ .Values.service.type }}
+{{- end }}
+{{- if .Values.service.externalIPs }}
+ externalIPs:
+{{ toYaml .Values.service.externalIPs | indent 4 }}
+{{- end }}
+ ports:
+ - name: {{ .Values.service.portName }}
+ port: {{ .Values.service.port }}
+ protocol: TCP
+ targetPort: {{ .Values.service.targetPort }}
+{{ if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
+ nodePort: {{.Values.service.nodePort}}
+{{ end }}
+ {{- if .Values.extraExposePorts }}
+ {{- tpl (toYaml .Values.extraExposePorts) . | indent 4 }}
+ {{- end }}
+ selector:
+ {{- include "grafana.selectorLabels" . | nindent 4 }}
+{{- end }}
+{{- end }}
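Review bot: The `getambassador.io/config` Mapping annotation is emitted unconditionally with `hostname: "*"`, so every install that creates this Service also publishes Grafana through the Ambassador gateway under `/<ingressPath>/grafana/` for any host, and there is no value to switch the mapping off or narrow the host. Consider gating the annotation on a value, or at minimum a comment above it such as `# Publishes grafana through the k10 Ambassador gateway on every host; there is currently no switch to disable this mapping`. Note also that if `k10.ingressPath` renders empty the prefix becomes `//grafana/` — whether that helper can be empty is not visible on this page.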
diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/serviceaccount.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/serviceaccount.yaml
new file mode 100644
index 000000000..86904e634
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.enabled }}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ {{- include "grafana.labels" . | nindent 4 }}
+{{- $root := . }}
+{{- with .Values.serviceAccount.annotations }}
+ annotations:
+{{ tpl (toYaml . | indent 4) $root }}
+{{- end }}
+ name: {{ template "grafana.serviceAccountName" . }}
+ namespace: {{ template "grafana.namespace" . }}
+{{- end }}
+{{- end}}
diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/servicemonitor.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/servicemonitor.yaml
new file mode 100644
index 000000000..e8c7925be
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/templates/servicemonitor.yaml
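Review bot: The ServiceAccount does not set `automountServiceAccountToken`, although values.yaml in this commit defines `serviceAccount.autoMount: true`; if that flag is only honoured in the pod template (not on this page), any other pod that reuses this account still gets an API token mounted by default. Setting it on the account itself, `automountServiceAccountToken: {{ .Values.serviceAccount.autoMount }}`, makes the chosen default hold wherever the account is used rather than only in the chart's own pod.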
@@ -0,0 +1,46 @@
+{{- if .Values.enabled }}
+{{- if .Values.serviceMonitor.enabled }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "grafana.fullname" . }}
+ {{- if .Values.serviceMonitor.namespace }}
+ namespace: {{ .Values.serviceMonitor.namespace }}
+ {{- else }}
+ namespace: {{ template "grafana.namespace" . }}
+ {{- end }}
+ labels:
+ {{- include "grafana.labels" . | nindent 4 }}
+ {{- if .Values.serviceMonitor.labels }}
+ {{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
+ {{- end }}
+spec:
+ endpoints:
+ - port: {{ .Values.service.portName }}
+ {{- with .Values.serviceMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .Values.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ honorLabels: true
+ path: {{ .Values.serviceMonitor.path }}
+ scheme: {{ .Values.serviceMonitor.scheme }}
+ {{- if .Values.serviceMonitor.tlsConfig }}
+ tlsConfig:
+ {{- toYaml .Values.serviceMonitor.tlsConfig | nindent 6 }}
+ {{- end }}
+ {{- if .Values.serviceMonitor.relabelings }}
+ relabelings:
+ {{- toYaml .Values.serviceMonitor.relabelings | nindent 4 }}
+ {{- end }}
+ jobLabel: "{{ .Release.Name }}"
+ selector:
+ matchLabels:
+ {{- include "grafana.selectorLabels" . | nindent 8 }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+{{- end }}
+{{- end}}
diff --git a/charts/k10/k10/5.0.200/charts/grafana/templates/statefulset.yaml b/charts/k10/k10/5.0.200/charts/grafana/templates/statefulset.yaml
new file mode 100644
index 000000000..86f04c1a5
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/templates/statefulset.yaml
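Review bot: `namespaceSelector.matchNames` uses `{{ .Release.Namespace }}`, while the Service this monitor has to discover is created in `{{ template "grafana.namespace" . }}` (service.yaml in this commit) and the monitor's own metadata uses that helper too; if the helper honours a namespace override the two names differ and the ServiceMonitor matches nothing, silently dropping the scrape. `- {{ template "grafana.namespace" . }}` keeps the selector aligned with where the Service actually lands.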
@@ -0,0 +1,55 @@
+{{- if .Values.enabled }}
+{{- if and .Values.global.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.type "statefulset")}}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ template "grafana.fullname" . }}
+ namespace: {{ template "grafana.namespace" . }}
+ labels:
+ {{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+ replicas: {{ .Values.replicas }}
+ selector:
+ matchLabels:
+ {{- include "grafana.selectorLabels" . | nindent 6 }}
+ serviceName: {{ template "grafana.fullname" . }}-headless
+ template:
+ metadata:
+ labels:
+ {{- include "grafana.selectorLabels" . | nindent 8 }}
+{{- with .Values.podLabels }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ checksum/dashboards-json-config: {{ include (print $.Template.BasePath "/dashboards-json-configmap.yaml") . | sha256sum }}
+ checksum/sc-dashboard-provider-config: {{ include (print $.Template.BasePath "/configmap-dashboard-provider.yaml") . | sha256sum }}
+ {{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }}
+ checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+{{- end }}
+{{- with .Values.podAnnotations }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+ spec:
+ {{- include "grafana.pod" . | nindent 6 }}
+ volumeClaimTemplates:
+ - metadata:
+ name: storage
+ spec:
+ accessModes:
+ - {{ .Values.global.persistence.accessMode }}
+ storageClassName: {{ .Values.global.persistence.storageClass }}
+ resources:
+ requests:
+ storage: {{ .Values.global.persistence.size }}
+ {{- with .Values.persistence.selectorLabels }}
+ selector:
+ matchLabels:
+{{ toYaml . | indent 10 }}
+ {{- end }}
+{{- end }}
+{{- end}}
diff --git a/charts/k10/k10/5.0.200/charts/grafana/values.yaml b/charts/k10/k10/5.0.200/charts/grafana/values.yaml
new file mode 100644
index 000000000..5ffdefd0d
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/grafana/values.yaml
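Review bot: The `checksum/secret` guard does not match the condition under which secret.yaml in this commit renders: here `(not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION)` is applied to both branches, whereas secret.yaml applies it only to the admin-credential branch, so with LDAP enabled, no `ldap.existingSecret` and initial admin creation disabled the Secret is still created but a change to it no longer rolls the pods. Reusing secret.yaml's exact expression in this `if` keeps rollouts in step with the rendered Secret. Separately, `volumeClaimTemplates` reads `.Values.global.persistence.size` directly, while pvc.yaml in the same commit prefers `global.persistence.grafana.size` via `default`; the StatefulSet path ignores the per-component size, and `storage: {{ default .Values.global.persistence.size .Values.global.persistence.grafana.size }}` would align the two.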
@@ -0,0 +1,3277 @@ +# Value to control if grafana installation +enabled: true + +# Values for prometheus datasource +prometheusName: prometheus-server +prometheusPrefixURL: /k10/prometheus + +#general purpose image for init container +ubi: + image: + repository: registry.access.redhat.com/ubi8/ubi-minimal + tag: 8.6-854 + pullPolicy: IfNotPresent + +k10image: + registry: gcr.io + repository: kasten-images + +rbac: + create: true + ## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true) + # useExistingRole: name-of-some-(cluster)role + pspEnabled: true + pspUseAppArmor: true + namespaced: false + extraRoleRules: [] + # - apiGroups: [] + # resources: [] + # verbs: [] + extraClusterRoleRules: [] + # - apiGroups: [] + # resources: [] + # verbs: [] +serviceAccount: + create: true + name: + nameTest: +## Service account annotations. Can be templated. +# annotations: +# eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here + autoMount: true + +replicas: 1 + +## Create a headless service for the deployment +headlessService: false + +## Create HorizontalPodAutoscaler object for deployment type +# +autoscaling: + enabled: false +# minReplicas: 1 +# maxReplicas: 10 +# metrics: +# - type: Resource +# resource: +# name: cpu +# targetAverageUtilization: 60 +# - type: Resource +# resource: +# name: memory +# targetAverageUtilization: 60 + +## See `kubectl explain poddisruptionbudget.spec` for more +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +podDisruptionBudget: {} +# minAvailable: 1 +# maxUnavailable: 1 + +## See `kubectl explain deployment.spec.strategy` for more +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +deploymentStrategy: + type: Recreate + +readinessProbe: + httpGet: + path: /api/health + port: 3000 + +livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 60 + timeoutSeconds: 30 + failureThreshold: 10 + +## Use an alternate 
scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: "default-scheduler" + +image: + repository: grafana/grafana + tag: 8.5.0 + sha: "" + pullPolicy: IfNotPresent + + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Can be templated. + ## + # pullSecrets: + # - myRegistrKeySecretName + +testFramework: + enabled: false + image: "bats/bats" + tag: "v1.4.1" + imagePullPolicy: IfNotPresent + securityContext: {} + +securityContext: + runAsUser: 472 + runAsGroup: 472 + fsGroup: 472 + +containerSecurityContext: + {} + +# Extra configmaps to mount in grafana pods +# Values are templated. +extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /etc/grafana/ssl/ + # subPath: certificates.crt # (optional) + # configMap: certs-configmap + # readOnly: true + + +extraEmptyDirMounts: [] + # - name: provisioning-notifiers + # mountPath: /etc/grafana/provisioning/notifiers + + +# Apply extra labels to common labels. +extraLabels: {} + +## Assign a PriorityClassName to pods if set +# priorityClassName: + +downloadDashboardsImage: + repository: curlimages/curl + tag: 7.73.0 + sha: "" + pullPolicy: IfNotPresent + +downloadDashboards: + env: {} + envFromSecret: "" + resources: {} + +## Pod Annotations +# podAnnotations: {} + +## Pod Labels +# podLabels: {} + +podPortName: grafana + +## Deployment annotations +# annotations: {} + +## Expose the grafana service to be accessed from outside the cluster (LoadBalancer service). +## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it. 
+## ref: http://kubernetes.io/docs/user-guide/services/ +## +service: + enabled: true + type: ClusterIP + port: 80 + targetPort: 3000 + # targetPort: 4181 To be used with a proxy extraContainer + annotations: {} + labels: {} + portName: service + +serviceMonitor: + ## If true, a ServiceMonitor CRD is created for a prometheus operator + ## https://github.com/coreos/prometheus-operator + ## + enabled: false + path: /metrics + # namespace: monitoring (defaults to use the namespace this chart is deployed to) + labels: {} + interval: 1m + scheme: http + tlsConfig: {} + scrapeTimeout: 30s + relabelings: [] + +extraExposePorts: [] + # - name: keycloak + # port: 8080 + # targetPort: 8080 + # type: ClusterIP + +# overrides pod.spec.hostAliases in the grafana deployment's pods +hostAliases: [] + # - ip: "1.2.3.4" + # hostnames: + # - "my.host.com" + +ingress: + enabled: false + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + # Values can be templated + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + labels: {} + path: / + + # pathType is only for k8s >= 1.1= + pathType: Prefix + + hosts: + - chart-example.local + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. 
+ extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + ## Or for k8s > 1.19 + # - path: /* + # pathType: Prefix + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + + + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} +# limits: +# cpu: 100m +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi + +## Node labels for pod assignment +## ref: https://kubernetes.io/docs/user-guide/node-selection/ +# +nodeSelector: {} + +## Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] + +## Affinity for pod assignment (evaluated as template) +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} + +## Additional init containers (evaluated as template) +## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ +## +extraInitContainers: [] + +## Enable an Specify container in extraContainers. 
This is meant to allow adding an authentication proxy to a grafana pod +extraContainers: "" +# extraContainers: | +# - name: proxy +# image: quay.io/gambol99/keycloak-proxy:latest +# args: +# - -provider=github +# - -client-id= +# - -client-secret= +# - -github-org= +# - -email-domain=* +# - -cookie-secret= +# - -http-address=http://0.0.0.0:4181 +# - -upstream-url=http://127.0.0.1:3000 +# ports: +# - name: proxy-web +# containerPort: 4181 + +## Volumes that can be used in init containers that will not be mounted to deployment pods +extraContainerVolumes: [] +# - name: volume-from-secret +# secret: +# secretName: secret-to-mount +# - name: empty-dir-volume +# emptyDir: {} + +## Enable persistence using Persistent Volume Claims +## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + type: pvc + enabled: true + # storageClassName: default + accessModes: + - ReadWriteOnce + size: 5Gi + # annotations: {} + finalizers: + - kubernetes.io/pvc-protection + # selectorLabels: {} + ## Sub-directory of the PV to mount. Can be templated. + # subPath: "" + ## Name of an existing PVC. Can be templated. 
+ # existingClaim: + + ## If persistence is not enabled, this allows to mount the + ## local storage in-memory to improve performance + ## + inMemory: + enabled: false + ## The maximum usage on memory medium EmptyDir would be + ## the minimum value between the SizeLimit specified + ## here and the sum of memory limits of all containers in a pod + ## + # sizeLimit: 300Mi + +initChownData: + ## If false, data ownership will not be reset at startup + ## This allows the prometheus-server to be run with an arbitrary user + ## + enabled: true + + ## initChownData container image + ## +# image: +# repository: busybox +# tag: "1.31.1" +# sha: "" +# pullPolicy: IfNotPresent + + ## initChownData resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + +# Administrator credentials when not using an existing secret (see below) +adminUser: admin +# adminPassword: strongpassword + +# Use an existing secret for the admin user. +admin: + ## Name of the secret. Can be templated. + existingSecret: "" + userKey: admin-user + passwordKey: admin-password + +## Define command to be executed at startup by grafana container +## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/) +## Default is "run.sh" as defined in grafana's Dockerfile +# command: +# - "sh" +# - "/run.sh" + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## Extra environment variables that will be pass onto deployment pods +## +## to provide grafana with access to CloudWatch on AWS EKS: +## 1. create an iam role of type "Web identity" with provider oidc.eks.* (note the provider for later) +## 2. 
edit the "Trust relationships" of the role, add a line inside the StringEquals clause using the +## same oidc eks provider as noted before (same as the existing line) +## also, replace NAMESPACE and prometheus-operator-grafana with the service account namespace and name +## +## "oidc.eks.us-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:NAMESPACE:prometheus-operator-grafana", +## +## 3. attach a policy to the role, you can use a built in policy called CloudWatchReadOnlyAccess +## 4. use the following env: (replace 123456789000 and iam-role-name-here with your aws account number and role name) +## +## env: +## AWS_ROLE_ARN: arn:aws:iam::123456789000:role/iam-role-name-here +## AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token +## AWS_REGION: us-east-1 +## +## 5. uncomment the EKS section in extraSecretMounts: below +## 6. uncomment the annotation section in the serviceAccount: above +## make sure to replace arn:aws:iam::123456789000:role/iam-role-name-here with your role arn + +env: {} + +## "valueFrom" environment variable references that will be added to deployment pods. Name is templated. +## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core +## Renders in container spec as: +## env: +## ... +## - name: +## valueFrom: +## +envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + +## The name of a secret in the same kubernetes namespace which contain values to be added to the environment +## This can be useful for auth tokens, etc. Value is templated. 
+envFromSecret: "" + +## Sensible environment variables that will be rendered as new secret object +## This can be useful for auth tokens, etc +envRenderSecret: {} + +## The names of secrets in the same kubernetes namespace which contain values to be added to the environment +## Each entry should contain a name key, and can optionally specify whether the secret must be defined with an optional key. +## Name is templated. +envFromSecrets: [] +## - name: secret-name +## optional: true + +## The names of conifgmaps in the same kubernetes namespace which contain values to be added to the environment +## Each entry should contain a name key, and can optionally specify whether the configmap must be defined with an optional key. +## Name is templated. +## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#configmapenvsource-v1-core +envFromConfigMaps: [] +## - name: configmap-name +## optional: true + +# Inject Kubernetes services as environment variables. +# See https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#environment-variables +enableServiceLinks: true + +## Additional grafana server secret mounts +# Defines additional mounts with secrets. Secrets must be manually created in the namespace. +extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # secretName: grafana-secret-files + # readOnly: true + # subPath: "" + # + # for AWS EKS (cloudwatch) use the following (see also instruction in env: above) + # - name: aws-iam-token + # mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount + # readOnly: true + # projected: + # defaultMode: 420 + # sources: + # - serviceAccountToken: + # audience: sts.amazonaws.com + # expirationSeconds: 86400 + # path: token + # + # for CSI e.g. 
Azure Key Vault use the following + # - name: secrets-store-inline + # mountPath: /run/secrets + # readOnly: true + # csi: + # driver: secrets-store.csi.k8s.io + # readOnly: true + # volumeAttributes: + # secretProviderClass: "akv-grafana-spc" + # nodePublishSecretRef: # Only required when using service principal mode + # name: grafana-akv-creds # Only required when using service principal mode + +## Additional grafana server volume mounts +# Defines additional volume mounts. +extraVolumeMounts: [] + # - name: extra-volume-0 + # mountPath: /mnt/volume0 + # readOnly: true + # existingClaim: volume-claim + # - name: extra-volume-1 + # mountPath: /mnt/volume1 + # readOnly: true + # hostPath: /usr/shared/ + +## Container Lifecycle Hooks. Execute a specific bash command or make an HTTP request +lifecycleHooks: {} + # postStart: + # exec: + # command: [] + +## Pass the plugins you want installed as a list. +## +plugins: [] + # - digrich-bubblechart-panel + # - grafana-clock-panel + +## Configure grafana datasources +## ref: http://docs.grafana.org/administration/provisioning/#datasources +## +#datasources: +# datasources.yaml: +# apiVersion: 1 +# datasources: +# - name: Prometheus +# type: prometheus +# url: prometheus-server-exp/k10/prometheus +# access: proxy +# isDefault: true +# - name: CloudWatch +# type: cloudwatch +# access: proxy +# uid: cloudwatch +# editable: false +# jsonData: +# authType: default +# defaultRegion: us-east-1 + +## Configure notifiers +## ref: http://docs.grafana.org/administration/provisioning/#alert-notification-channels +## +notifiers: {} +# notifiers.yaml: +# notifiers: +# - name: email-notifier +# type: email +# uid: email1 +# # either: +# org_id: 1 +# # or +# org_name: Main Org. 
+# is_default: true +# settings: +# addresses: an_email_address@example.com +# delete_notifiers: + +## Configure grafana dashboard providers +## ref: http://docs.grafana.org/administration/provisioning/#dashboards +## +## `path` must be /var/lib/grafana/dashboards/ +## +dashboardProviders: + dashboardproviders.yaml: + apiVersion: 1 + providers: + - name: 'default' + orgId: 1 + folder: '' + type: file + disableDeletion: true + editable: false + options: + path: /var/lib/grafana/dashboards + +## Configure grafana dashboard to import +## NOTE: To use dashboards you must also enable/configure dashboardProviders +## ref: https://grafana.com/dashboards +## +## dashboards per provider, use provider name as key. +## +dashboards: + default: + default: + json: | + { + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "gnetId": null, + "graphTooltip": 0, + "id": 1, + "iteration": 1645712665620, + "links": [], + "panels": [ + { + "collapsed": false, + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 18, + "panels": [], + "title": "Applications", + "type": "row" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "yellow", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 5, + "x": 0, + "y": 1 + }, + "id": 24, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": 
false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_backup_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Backups Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 5, + "y": 1 + }, + "id": 33, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_backup_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Backups Failed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 8, + "y": 1 + }, + "id": 34, + "interval": "1m", + "options": { + 
"colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_backup_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Backups Skipped", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 5, + "x": 13, + "y": 1 + }, + "id": 35, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_restore_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Restores Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + 
} + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 18, + "y": 1 + }, + "id": 36, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_restore_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Restores Failed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 21, + "y": 1 + }, + "id": 23, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_restore_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Restores Skipped", + "type": "stat" + }, + { + "collapsed": false, + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 8 + }, + "id": 16, + "panels": [], + "title": "Cluster", + "type": "row" + }, + { + "datasource": "Prometheus", + "fieldConfig": 
{ + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "yellow", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 5, + "x": 0, + "y": 9 + }, + "id": 10, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_backup_cluster_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Cluster Backups Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 5, + "y": 9 + }, + "id": 19, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_backup_cluster_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + 
"title": "Cluster Backups Failed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 8, + "y": 9 + }, + "id": 28, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_backup_cluster_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Cluster Backups Skipped", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 5, + "x": 13, + "y": 9 + }, + "id": 21, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": 
"sum(round(increase(action_restore_cluster_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Cluster Restores Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 18, + "y": 9 + }, + "id": 22, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_restore_cluster_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Cluster Restores Failed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 21, + "y": 9 + }, + "id": 25, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + 
"reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_restore_cluster_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Cluster Restores Skipped", + "type": "stat" + }, + { + "collapsed": false, + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 16 + }, + "id": 31, + "panels": [], + "title": "Backup Exports", + "type": "row" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 5, + "x": 0, + "y": 17 + }, + "id": 38, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_export_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Exports Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + 
"value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 5, + "y": 17 + }, + "id": 29, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_export_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Exports Failed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 8, + "y": 17 + }, + "id": 20, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_export_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Exports Skipped", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + 
"color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 5, + "x": 13, + "y": 17 + }, + "id": 27, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_import_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Imports Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 18, + "y": 17 + }, + "id": 39, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_import_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Imports Failed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { 
+ "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 21, + "y": 17 + }, + "id": 37, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_import_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Imports Skipped", + "type": "stat" + }, + { + "collapsed": false, + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 23 + }, + "id": 14, + "panels": [], + "title": "System", + "type": "row" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + }, + "unit": "runs" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 0, + "y": 24 + }, + "id": 12, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": 
"sum(round(increase(action_run_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "format": "time_series", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "timeFrom": null, + "title": "Policy Runs", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "yellow", + "value": 1 + } + ] + }, + "unit": "runs" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 3, + "y": 24 + }, + "id": 40, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_run_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "format": "time_series", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "timeFrom": null, + "title": "Policy Runs Skipped", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 6, + "y": 24 + }, + "id": 6, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + 
"fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "catalog_persistent_volume_disk_space_used_bytes{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Catalog Volume Used", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "yellow", + "value": 70 + }, + { + "color": "orange", + "value": 80 + }, + { + "color": "red", + "value": 90 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 9, + "y": 24 + }, + "id": 2, + "options": { + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "text": {} + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "100-catalog_persistent_volume_free_space_percent{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Catalog Volume Used Space", + "type": "gauge" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 12, + "y": 24 + }, + "id": 8, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + 
"values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "jobs_persistent_volume_disk_space_used_bytes{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Jobs Volume Used", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "yellow", + "value": 70 + }, + { + "color": "orange", + "value": 80 + }, + { + "color": "red", + "value": 90 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 15, + "y": 24 + }, + "id": 4, + "options": { + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "text": {} + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "100-jobs_persistent_volume_free_space_percent{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Jobs Volume Used Space", + "type": "gauge" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 18, + "y": 24 + }, + "id": 7, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + 
"text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "logging_persistent_volume_disk_space_used_bytes{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Logging Volume Used", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "yellow", + "value": 70 + }, + { + "color": "orange", + "value": 80 + }, + { + "color": "red", + "value": 90 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 21, + "y": 24 + }, + "id": 3, + "options": { + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "text": {} + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "100-logging_persistent_volume_free_space_percent{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Logging Volume Used Space", + "type": "gauge" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 0, + "y": 30 + }, + "id": 41, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + 
"text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "compliance_count{state=\"Compliant\"}", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Compliant Applications", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 3, + "y": 30 + }, + "id": 42, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "compliance_count{state=\"NotCompliant\"}", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Non-Compliant Applications", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 6, + "y": 30 + }, + "id": 43, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": 
"compliance_count{state=\"Unmanaged\"}", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Unmanaged Applications", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 12, + "y": 30 + }, + "id": 44, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "snapshot_storage_size_bytes{cluster=\"$cluster\", type=\"physical\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Snapshot Size (Physical)", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 15, + "y": 30 + }, + "id": 45, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "snapshot_storage_size_bytes{cluster=\"$cluster\", type=\"logical\"}", + "interval": "", + "legendFormat": "", + "queryType": 
"randomWalk", + "refId": "A" + } + ], + "title": "Snapshot Size (Logical)", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 18, + "y": 30 + }, + "id": 46, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "export_storage_size_bytes{cluster=\"$cluster\", type=\"physical\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Export Size (Physical)", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 21, + "y": 30 + }, + "id": 47, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "export_storage_size_bytes{cluster=\"$cluster\", type=\"logical\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Export Size (Logical)", + "type": "stat" + } + ], + "schemaVersion": 
30,
+ "style": "dark",
+ "tags": [],
+ "templating": {
+ "list": [
+ {
+ "description": null,
+ "error": null,
+ "hide": 2,
+ "label": "Cluster",
+ "name": "cluster",
+ "query": "",
+ "skipUrlSync": false,
+ "type": "constant"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-24h",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "",
+ "title": "K10 Dashboard",
+ "uid": "8Ebb3xS7k",
+ "version": 1
+ }
+
+ # custom-dashboard:
+ # file: dashboards/custom-dashboard.json
+ # prometheus-stats:
+ # gnetId: 2
+ # revision: 2
+ # datasource: Prometheus
+ # local-dashboard:
+ # url: https://example.com/repository/test.json
+ # token: ''
+ # local-dashboard-base64:
+ # url: https://example.com/repository/test-b64.json
+ # token: ''
+ # b64content: true
+
+## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value.
+## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both.
+## ConfigMap data example:
+##
+## data:
+## example-dashboard.json: |
+## RAW_JSON
+##
+dashboardsConfigMaps: {}
+# default: ""
+
+## Grafana's primary configuration
+## NOTE: values in map will be converted to ini format
+## ref: http://docs.grafana.org/installation/configuration/
+##
+grafana.ini:
+ paths:
+ data: /var/lib/grafana/
+ logs: /var/log/grafana
+ plugins: /var/lib/grafana/plugins
+ provisioning: /etc/grafana/provisioning
+ analytics:
+ check_for_updates: true
+ log:
+ mode: console
+ grafana_net:
+ url: https://grafana.net
+ dashboards:
+ default_home_dashboard_path: /var/lib/grafana/dashboards/default/default.json
+## grafana Authentication can be enabled with the following values on grafana.ini
+# server:
+# # The full public facing url you use in browser, used for redirects and emails
+## domain:
+# root_url: /k10/grafana
+# serve_from_sub_path: true
+
+ auth:
+ disable_login_form: true
+ disable_signout_menu: true
+
+ auth.basic:
+ enabled: false
+
+ auth.anonymous:
+ enabled: true
+ org_name: Main Org.
+ org_role: Admin
+ # https://grafana.com/docs/grafana/latest/auth/github/#enable-github-in-grafana
+ # auth.github:
+ # enabled: false
+ # allow_sign_up: false
+ # scopes: user:email,read:org
+ # auth_url: https://github.com/login/oauth/authorize
+ # token_url: https://github.com/login/oauth/access_token
+ # api_url: https://api.github.com/user
+ # team_ids:
+ # allowed_organizations:
+ # client_id:
+ # client_secret:
+## LDAP Authentication can be enabled with the following values on grafana.ini
+## NOTE: Grafana will fail to start if the value for ldap.toml is invalid
+ # auth.ldap:
+ # enabled: true
+ # allow_sign_up: true
+ # config_file: /etc/grafana/ldap.toml
+
+## Grafana's LDAP configuration
+## Templated by the template in _helpers.tpl
+## NOTE: To enable the grafana.ini must be configured with auth.ldap.enabled
+## ref: http://docs.grafana.org/installation/configuration/#auth-ldap
+## ref: http://docs.grafana.org/installation/ldap/#configuration
+ldap:
+ enabled: false
+ # `existingSecret` is a reference to an existing secret containing the ldap configuration
+ # for Grafana in a key `ldap-toml`.
+ existingSecret: ""
+ # `config` is the content of `ldap.toml` that will be stored in the created secret
+ config: ""
+ # config: |-
+ # verbose_logging = true
+
+ # [[servers]]
+ # host = "my-ldap-server"
+ # port = 636
+ # use_ssl = true
+ # start_tls = false
+ # ssl_skip_verify = false
+ # bind_dn = "uid=%s,ou=users,dc=myorg,dc=com"
+
+## Grafana's SMTP configuration
+## NOTE: To enable, grafana.ini must be configured with smtp.enabled
+## ref: http://docs.grafana.org/installation/configuration/#smtp
+smtp:
+ # `existingSecret` is a reference to an existing secret containing the smtp configuration
+ # for Grafana.
+ existingSecret: ""
+ userKey: "user"
+ passwordKey: "password"
+
+## Sidecars that collect the configmaps with specified label and stores the included files them into the respective folders
+## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards
+sidecar:
+ image:
+ repository: quay.io/kiwigrid/k8s-sidecar
+ tag: 1.15.6
+ sha: ""
+ imagePullPolicy: IfNotPresent
+ resources: {}
+# limits:
+# cpu: 100m
+# memory: 100Mi
+# requests:
+# cpu: 50m
+# memory: 50Mi
+ securityContext: {}
+ # skipTlsVerify Set to true to skip tls verification for kube api calls
+ # skipTlsVerify: true
+ enableUniqueFilenames: false
+ readinessProbe: {}
+ livenessProbe: {}
+ dashboards:
+ enabled: false
+ SCProvider: true
+ # label that the configmaps with dashboards are marked with
+ label: grafana_dashboard
+ # value of label that the configmaps with dashboards are set to
+ labelValue: null
+ # folder in the pod that should hold the collected dashboards (unless `defaultFolderName` is set)
+ folder: /tmp/dashboards
+ # The default folder name, it will create a subfolder under the `folder` and put dashboards in there instead
+ defaultFolderName: null
+ # Namespaces list. If specified, the sidecar will search for config-maps/secrets inside these namespaces.
+ # Otherwise the namespace in which the sidecar is running will be used.
+ # It's also possible to specify ALL to search in all namespaces.
+ searchNamespace: null
+ # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
+ watchMethod: WATCH
+ # search in configmap, secret or both
+ resource: both
+ # If specified, the sidecar will look for annotation with this name to create folder and put graph here.
+ # You can use this parameter together with `provider.foldersFromFilesStructure`to annotate configmaps and create folder structure.
+ folderAnnotation: null
+ # Absolute path to shell script to execute after a configmap got reloaded
+ script: null
+ # watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
+ # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
+ # watchServerTimeout: 3600
+ #
+ # watchClientTimeout: is a client-side timeout, configuring your local socket.
+ # If you have a network outage dropping all packets with no RST/FIN,
+ # this is how long your client waits before realizing & dropping the connection.
+ # defaults to 66sec (sic!)
+ # watchClientTimeout: 60
+ #
+ # provider configuration that lets grafana manage the dashboards
+ provider:
+ # name of the provider, should be unique
+ name: sidecarProvider
+ # orgid as configured in grafana
+ orgid: 1
+ # folder in which the dashboards should be imported in grafana
+ folder: ''
+ # type of the provider
+ type: file
+ # disableDelete to activate a import-only behaviour
+ disableDelete: false
+ # allow updating provisioned dashboards from the UI
+ allowUiUpdates: false
+ # allow Grafana to replicate dashboard structure from filesystem
+ foldersFromFilesStructure: false
+ # Additional dashboard sidecar volume mounts
+ extraMounts: []
+ # Sets the size limit of the dashboard sidecar emptyDir volume
+ sizeLimit: {}
+ datasources:
+ enabled: false
+ # label that the configmaps with datasources are marked with
+ label: grafana_datasource
+ # value of label that the configmaps with datasources are set to
+ labelValue: null
+ # If specified, the sidecar will search for datasource config-maps inside this namespace.
+ # Otherwise the namespace in which the sidecar is running will be used.
+ # It's also possible to specify ALL to search in all namespaces
+ searchNamespace: null
+ # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
+ watchMethod: WATCH + # search in configmap, secret or both + resource: both + # Endpoint to send request to reload datasources + reloadURL: "http://localhost:3000/api/admin/provisioning/datasources/reload" + skipReload: false + # Deploy the datasource sidecar as an initContainer in addition to a container. + # This is needed if skipReload is true, to load any datasources defined at startup time. + initDatasources: false + # Sets the size limit of the datasource sidecar emptyDir volume + sizeLimit: {} + plugins: + enabled: false + # label that the configmaps with plugins are marked with + label: grafana_plugin + # value of label that the configmaps with plugins are set to + labelValue: null + # If specified, the sidecar will search for plugin config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. + watchMethod: WATCH + # search in configmap, secret or both + resource: both + # Endpoint to send request to reload plugins + reloadURL: "http://localhost:3000/api/admin/provisioning/plugins/reload" + skipReload: false + # Deploy the datasource sidecar as an initContainer in addition to a container. + # This is needed if skipReload is true, to load any plugins defined at startup time. + initPlugins: false + # Sets the size limit of the plugin sidecar emptyDir volume + sizeLimit: {} + notifiers: + enabled: false + # label that the configmaps with notifiers are marked with + label: grafana_notifier + # If specified, the sidecar will search for notifier config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. 
+ # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # search in configmap, secret or both + resource: both + # Sets the size limit of the notifier sidecar emptyDir volume + sizeLimit: {} + +## Override the deployment namespace +## +namespaceOverride: "" + +## Number of old ReplicaSets to retain +## +revisionHistoryLimit: 10 + +## Add a seperate remote image renderer deployment/service +imageRenderer: + # Enable the image-renderer deployment & service + enabled: false + replicas: 1 + image: + # image-renderer Image repository + repository: grafana/grafana-image-renderer + # image-renderer Image tag + tag: latest + # image-renderer Image sha (optional) + sha: "" + # image-renderer ImagePullPolicy + pullPolicy: Always + # extra environment variables + env: + HTTP_HOST: "0.0.0.0" + # RENDERING_ARGS: --no-sandbox,--disable-gpu,--window-size=1280x758 + # RENDERING_MODE: clustered + # IGNORE_HTTPS_ERRORS: true + # image-renderer deployment serviceAccount + serviceAccountName: "" + # image-renderer deployment securityContext + securityContext: {} + # image-renderer deployment Host Aliases + hostAliases: [] + # image-renderer deployment priority class + priorityClassName: '' + service: + # Enable the image-renderer service + enabled: true + # image-renderer service port name + portName: 'http' + # image-renderer service port used by both service and deployment + port: 8081 + targetPort: 8081 + # If https is enabled in Grafana, this needs to be set as 'https' to correctly configure the callback used in Grafana + grafanaProtocol: http + # In case a sub_path is used this needs to be added to the image renderer callback + grafanaSubPath: "" + # name of the image-renderer port on the pod + podPortName: http + # number of image-renderer replica sets to keep + revisionHistoryLimit: 10 + networkPolicy: + # Enable a NetworkPolicy to limit inbound traffic to only the created grafana pods + limitIngress: true + # Enable a NetworkPolicy to limit 
outbound traffic to only the created grafana pods + limitEgress: false + resources: {} +# limits: +# cpu: 100m +# memory: 100Mi +# requests: +# cpu: 50m +# memory: 50Mi + ## Node labels for pod assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + # + nodeSelector: {} + + ## Tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + + ## Affinity for pod assignment (evaluated as template) + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} + +networkPolicy: + ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## + enabled: false + ## @param networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to grafana port defined. + ## When true, grafana will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed + ## If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace + ## and that match other criteria, the ones that have the good label, can reach the grafana. + ## But sometimes, we want the grafana to be accessible to clients from other namespaces, in this case, we can use this + ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added. 
+ ##
+ ## Example:
+ ## explicitNamespacesSelector:
+ ## matchLabels:
+ ## role: frontend
+ ## matchExpressions:
+ ## - {key: role, operator: In, values: [frontend]}
+ ##
+ explicitNamespacesSelector: {}
+
+# Enable backward compatibility of kubernetes where version below 1.13 doesn't have the enableServiceLinks option
+enableKubeBackwardCompatibility: false
+
+# Create a dynamic manifests via values:
+extraObjects: []
+ # - apiVersion: "kubernetes-client.io/v1"
+ # kind: ExternalSecret
+ # metadata:
+ # name: grafana-secrets
+ # spec:
+ # backendType: gcpSecretsManager
+ # data:
+ # - key: grafana-admin-password
+ # name: adminPassword
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/Chart.yaml b/charts/k10/k10/5.0.200/charts/prometheus/Chart.yaml
new file mode 100644
index 000000000..315edf4d4
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/Chart.yaml
@@ -0,0 +1,28 @@
+apiVersion: v2
+appVersion: 2.34.0
+dependencies:
+- condition: kubeStateMetrics.enabled
+ name: kube-state-metrics
+ repository: https://prometheus-community.github.io/helm-charts
+ version: 4.7.*
+description: Prometheus is a monitoring system and time series database.
+home: https://prometheus.io/
+icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png
+maintainers:
+- email: gianrubio@gmail.com
+ name: gianrubio
+- email: zanhsieh@gmail.com
+ name: zanhsieh
+- email: miroslav.hadzhiev@gmail.com
+ name: Xtigyro
+- email: naseem@transit.app
+ name: naseemkullah
+name: prometheus
+sources:
+- https://github.com/prometheus/alertmanager
+- https://github.com/prometheus/prometheus
+- https://github.com/prometheus/pushgateway
+- https://github.com/prometheus/node_exporter
+- https://github.com/kubernetes/kube-state-metrics
+type: application
+version: 15.8.5
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/README.md b/charts/k10/k10/5.0.200/charts/prometheus/README.md
new file mode 100644
index 000000000..d8a1e9ab2
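Review bot: The kube-state-metrics dependency in the new Chart.yaml is declared with the floating range `version: 4.7.*`, so which release is pulled from `https://prometheus-community.github.io/helm-charts` depends on when `helm dependency update` last ran, unless a Chart.lock that records the resolved version and digest is committed with it. No Chart.lock is visible in this part of the diff, so it is worth confirming one exists or that the subchart is vendored under charts/ in the packaged .tgz. If it is, a short comment above the entry such as `# resolved by Chart.lock; vendored under charts/kube-state-metrics` would spare the next reader the question of whether this range floats at install time.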
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/README.md
@@ -0,0 +1,226 @@
+# Prometheus
+
+[Prometheus](https://prometheus.io/), a [Cloud Native Computing Foundation](https://cncf.io/) project, is a systems and service monitoring system. It collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true.
+
+This chart bootstraps a [Prometheus](https://prometheus.io/) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes 1.16+
+- Helm 3+
+
+## Get Repo Info
+
+```console
+helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Install Chart
+
+```console
+helm install [RELEASE_NAME] prometheus-community/prometheus
+```
+
+_See [configuration](#configuration) below._
+
+_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
+
+## Dependencies
+
+By default this chart installs additional, dependent charts:
+
+- [kube-state-metrics](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics)
+
+To disable the dependency during installation, set `kubeStateMetrics.enabled` to `false`.
+
+_See [helm dependency](https://helm.sh/docs/helm/helm_dependency/) for command documentation._
+
+## Uninstall Chart
+
+```console
+helm uninstall [RELEASE_NAME]
+```
+
+This removes all the Kubernetes components associated with the chart and deletes the release.
+
+_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
+
+## Upgrading Chart
+
+```console
+helm upgrade [RELEASE_NAME] [CHART] --install
+```
+
+_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
+
+### To 15.0
+
+Version 15.0.0 changes the relabeling config, aligning it with the [Prometheus community conventions](https://github.com/prometheus/prometheus/pull/9832). If you've made manual changes to the relabeling config, you have to adapt your changes.
+
+Before you update please execute the following command, to be able to update kube-state-metrics:
+
+```bash
+kubectl delete deployments.apps -l app.kubernetes.io/instance=prometheus,app.kubernetes.io/name=kube-state-metrics --cascade=orphan
+```
+
+### To 9.0
+
+Version 9.0 adds a new option to enable or disable the Prometheus Server. This supports the use case of running a Prometheus server in one k8s cluster and scraping exporters in another cluster while using the same chart for each deployment. To install the server `server.enabled` must be set to `true`.
+
+### To 5.0
+
+As of version 5.0, this chart uses Prometheus 2.x. This version of prometheus introduces a new data format and is not compatible with prometheus 1.x. It is recommended to install this as a new release, as updating existing releases will not work. See the [prometheus docs](https://prometheus.io/docs/prometheus/latest/migration/#storage) for instructions on retaining your old data.
+
+Prometheus version 2.x has made changes to alertmanager, storage and recording rules. Check out the migration guide [here](https://prometheus.io/docs/prometheus/2.0/migration/).
+
+Users of this chart will need to update their alerting rules to the new format before they can upgrade.
+
+### Example Migration
+
+Assuming you have an existing release of the prometheus chart, named `prometheus-old`. In order to update to prometheus 2.x while keeping your old data do the following:
+
+1. 
Update the `prometheus-old` release. Disable scraping on every component besides the prometheus server, similar to the configuration below:
+
+ ```yaml
+ alertmanager:
+ enabled: false
+ alertmanagerFiles:
+ alertmanager.yml: ""
+ kubeStateMetrics:
+ enabled: false
+ nodeExporter:
+ enabled: false
+ pushgateway:
+ enabled: false
+ server:
+ extraArgs:
+ storage.local.retention: 720h
+ serverFiles:
+ alerts: ""
+ prometheus.yml: ""
+ rules: ""
+ ```
+
+1. Deploy a new release of the chart with version 5.0+ using prometheus 2.x. In the values.yaml set the scrape config as usual, and also add the `prometheus-old` instance as a remote-read target.
+
+ ```yaml
+ prometheus.yml:
+ ...
+ remote_read:
+ - url: http://prometheus-old/api/v1/read
+ ...
+ ```
+
+ Old data will be available when you query the new prometheus instance.
+
+## Configuration
+
+See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands:
+
+```console
+helm show values prometheus-community/prometheus
+```
+
+You may similarly use the above configuration commands on each chart [dependency](#dependencies) to see it's configurations.
+
+### Scraping Pod Metrics via Annotations
+
+This chart uses a default configuration that causes prometheus to scrape a variety of kubernetes resource types, provided they have the correct annotations. 
In this section we describe how to configure pods to be scraped; for information on how other resource types can be scraped you can do a `helm template` to get the kubernetes resource definitions, and then reference the prometheus configuration in the ConfigMap against the prometheus documentation for [relabel_config](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) and [kubernetes_sd_config](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kubernetes_sd_config).
+
+In order to get prometheus to scrape pods, you must add annotations to the the pods as below:
+
+```yaml
+metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/path: /metrics
+ prometheus.io/port: "8080"
+```
+
+You should adjust `prometheus.io/path` based on the URL that your pod serves metrics from. `prometheus.io/port` should be set to the port that your pod serves metrics from. Note that the values for `prometheus.io/scrape` and `prometheus.io/port` must be enclosed in double quotes.
+
+### Sharing Alerts Between Services
+
+Note that when [installing](#install-chart) or [upgrading](#upgrading-chart) you may use multiple values override files. This is particularly useful when you have alerts belonging to multiple services in the cluster. For example,
+
+```yaml
+# values.yaml
+# ...
+
+# service1-alert.yaml
+serverFiles:
+ alerts:
+ service1:
+ - alert: anAlert
+ # ...
+
+# service2-alert.yaml
+serverFiles:
+ alerts:
+ service2:
+ - alert: anAlert
+ # ...
+```
+
+```console
+helm install [RELEASE_NAME] prometheus-community/prometheus -f values.yaml -f service1-alert.yaml -f service2-alert.yaml
+```
+
+### RBAC Configuration
+
+Roles and RoleBindings resources will be created automatically for `server` service. 
+
+To manually setup RBAC you need to set the parameter `rbac.create=false` and specify the service account to be used for each service by setting the parameters: `serviceAccounts.{{ component }}.create` to `false` and `serviceAccounts.{{ component }}.name` to the name of a pre-existing service account.
+
+> **Tip**: You can refer to the default `*-clusterrole.yaml` and `*-clusterrolebinding.yaml` files in [templates](templates/) to customize your own.
+
+### ConfigMap Files
+
+AlertManager is configured through [alertmanager.yml](https://prometheus.io/docs/alerting/configuration/). This file (and any others listed in `alertmanagerFiles`) will be mounted into the `alertmanager` pod.
+
+Prometheus is configured through [prometheus.yml](https://prometheus.io/docs/operating/configuration/). This file (and any others listed in `serverFiles`) will be mounted into the `server` pod.
+
+### Ingress TLS
+
+If your cluster allows automatic creation/retrieval of TLS certificates (e.g. [cert-manager](https://github.com/jetstack/cert-manager)), please refer to the documentation for that mechanism.
+
+To manually configure TLS, first create/retrieve a key & certificate pair for the address(es) you wish to protect. 
Then create a TLS secret in the namespace:
+
+```console
+kubectl create secret tls prometheus-server-tls --cert=path/to/tls.cert --key=path/to/tls.key
+```
+
+Include the secret's name, along with the desired hostnames, in the alertmanager/server Ingress TLS section of your custom `values.yaml` file:
+
+```yaml
+server:
+ ingress:
+ ## If true, Prometheus server Ingress will be created
+ ##
+ enabled: true
+
+ ## Prometheus server Ingress hostnames
+ ## Must be provided if Ingress is enabled
+ ##
+ hosts:
+ - prometheus.domain.com
+
+ ## Prometheus server Ingress TLS configuration
+ ## Secrets must be manually created in the namespace
+ ##
+ tls:
+ - secretName: prometheus-server-tls
+ hosts:
+ - prometheus.domain.com
+```
+
+### NetworkPolicy
+
+Enabling Network Policy for Prometheus will secure connections to Alert Manager and Kube State Metrics by only accepting connections from Prometheus Server. All inbound connections to Prometheus Server are still allowed.
+
+To enable network policy for Prometheus, install a networking plugin that implements the Kubernetes NetworkPolicy spec, and set `networkPolicy.enabled` to true.
+
+If NetworkPolicy is enabled for Prometheus' scrape targets, you may also need to manually create a networkpolicy which allows it.
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/NOTES.txt b/charts/k10/k10/5.0.200/charts/prometheus/templates/NOTES.txt
new file mode 100644
index 000000000..0e8868f0b
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/NOTES.txt
@@ -0,0 +1,112 @@
+{{- if .Values.server.enabled -}}
+The Prometheus server can be accessed via port {{ .Values.server.service.servicePort }} on the following DNS name from within your cluster:
+{{ template "prometheus.server.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+
+{{ if .Values.server.ingress.enabled -}}
+From outside the cluster, the server URL(s) are:
+{{- range .Values.server.ingress.hosts }}
+http://{{ . }}
+{{- end }}
+{{- else }}
+Get the Prometheus server URL by running these commands in the same shell:
+{{- if contains "NodePort" .Values.server.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.server.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.server.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.server.fullname" . }}'
+
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.server.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.server.service.servicePort }}
+{{- else if contains "ClusterIP" .Values.server.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . 
}},component={{ .Values.server.name }}" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9090
+{{- end }}
+{{- end }}
+
+{{- if .Values.server.persistentVolume.enabled }}
+{{- else }}
+#################################################################################
+###### WARNING: Persistence is disabled!!! You will lose your data when #####
+###### the Server pod is terminated. #####
+#################################################################################
+{{- end }}
+{{- end }}
+
+{{ if .Values.alertmanager.enabled }}
+The Prometheus alertmanager can be accessed via port {{ .Values.alertmanager.service.servicePort }} on the following DNS name from within your cluster:
+{{ template "prometheus.alertmanager.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+
+{{ if .Values.alertmanager.ingress.enabled -}}
+From outside the cluster, the alertmanager URL(s) are:
+{{- range .Values.alertmanager.ingress.hosts }}
+http://{{ . }}
+{{- end }}
+{{- else }}
+Get the Alertmanager URL by running these commands in the same shell:
+{{- if contains "NodePort" .Values.alertmanager.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.alertmanager.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.alertmanager.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.alertmanager.fullname" . }}'
+
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.alertmanager.fullname" . 
}} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.alertmanager.service.servicePort }}
+{{- else if contains "ClusterIP" .Values.alertmanager.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . }},component={{ .Values.alertmanager.name }}" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9093
+{{- end }}
+{{- end }}
+
+{{- if .Values.alertmanager.persistentVolume.enabled }}
+{{- else }}
+#################################################################################
+###### WARNING: Persistence is disabled!!! You will lose your data when #####
+###### the AlertManager pod is terminated. #####
+#################################################################################
+{{- end }}
+{{- end }}
+
+{{- if .Values.nodeExporter.podSecurityPolicy.enabled }}
+{{- else }}
+#################################################################################
+###### WARNING: Pod Security Policy has been moved to a global property. #####
+###### use .Values.podSecurityPolicy.enabled with pod-based #####
+###### annotations #####
+###### (e.g. .Values.nodeExporter.podSecurityPolicy.annotations) #####
+#################################################################################
+{{- end }}
+
+{{ if .Values.pushgateway.enabled }}
+The Prometheus PushGateway can be accessed via port {{ .Values.pushgateway.service.servicePort }} on the following DNS name from within your cluster:
+{{ template "prometheus.pushgateway.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+
+{{ if .Values.pushgateway.ingress.enabled -}}
+From outside the cluster, the pushgateway URL(s) are:
+{{- range .Values.pushgateway.ingress.hosts }}
+http://{{ . 
}}
+{{- end }}
+{{- else }}
+Get the PushGateway URL by running these commands in the same shell:
+{{- if contains "NodePort" .Values.pushgateway.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.pushgateway.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.pushgateway.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.pushgateway.fullname" . }}'
+
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.pushgateway.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.pushgateway.service.servicePort }}
+{{- else if contains "ClusterIP" .Values.pushgateway.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . }},component={{ .Values.pushgateway.name }}" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9091
+{{- end }}
+{{- end }}
+{{- end }}
+
+For more information on running Prometheus, visit:
+https://prometheus.io/
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/_definitions.tpl b/charts/k10/k10/5.0.200/charts/prometheus/templates/_definitions.tpl
new file mode 100644
index 000000000..67f989898
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/_definitions.tpl
@@ -0,0 +1,3 @@
+{{/* Autogenerated, do NOT modify */}}
+{{- define "k10.prometheusImageTag" -}}v2.34.0{{- end -}}
+{{- define "k10.prometheusConfigMapReloaderImageTag" -}}v0.5.0{{- end -}}
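Review bot: The Pod Security Policy banner in NOTES.txt is gated on `{{- if .Values.nodeExporter.podSecurityPolicy.enabled }}` with the warning text in the `{{- else }}` branch, so the "moved to a global property" notice is printed whenever the per-component key is false, which is presumably the default, and stays silent for the users who still set the deprecated key; the condition looks inverted, and putting the banner directly under `{{- if .Values.nodeExporter.podSecurityPolicy.enabled }}` would match what the message says. Separately, the server, alertmanager and pushgateway ingress branches all print `http://{{ . }}` for every host even though the README in this same commit documents a `server.ingress.tls` list, so a TLS-only ingress is advertised to the operator as a plaintext URL; choosing the scheme based on whether the host appears in that TLS list would avoid steering people to the wrong endpoint. This file is a vendored upstream template, so the fix may belong upstream first.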
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/_helpers.tpl b/charts/k10/k10/5.0.200/charts/prometheus/templates/_helpers.tpl
new file mode 100644
index 000000000..287ed192a
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/_helpers.tpl
@@ -0,0 +1,400 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "prometheus.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "prometheus.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create unified labels for prometheus components +*/}} +{{- define "prometheus.common.matchLabels" -}} +app: {{ template "prometheus.name" . }} +release: {{ .Release.Name }} +{{- end -}} + +{{- define "prometheus.common.metaLabels" -}} +chart: {{ template "prometheus.chart" . }} +heritage: {{ .Release.Service }} +{{- end -}} + +{{- define "prometheus.alertmanager.labels" -}} +{{ include "prometheus.alertmanager.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +{{- end -}} + +{{- define "prometheus.alertmanager.matchLabels" -}} +component: {{ .Values.alertmanager.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{- define "prometheus.nodeExporter.labels" -}} +{{ include "prometheus.nodeExporter.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +{{- end -}} + +{{- define "prometheus.nodeExporter.matchLabels" -}} +component: {{ .Values.nodeExporter.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{- define "prometheus.pushgateway.labels" -}} +{{ include "prometheus.pushgateway.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +{{- end -}} + +{{- define "prometheus.pushgateway.matchLabels" -}} +component: {{ .Values.pushgateway.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{- define "prometheus.server.labels" -}} +{{ include "prometheus.server.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . 
}} +{{- end -}} + +{{- define "prometheus.server.matchLabels" -}} +component: {{ .Values.server.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "prometheus.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Figure out the config based on +the value of airgapped.repository +*/}} +{{- define "get.cmreloadimage" }} +{{- if not .Values.global.rhMarketPlace }} +{{- if .Values.global.airgapped.repository }} +{{- printf "%s/configmap-reload:%s" .Values.global.airgapped.repository (include "get.cmReloadImageTag" .) }} +{{- else }} +{{- printf "%s:%s" (include "get.cmReloadImageRepo" .) (include "get.cmReloadImageTag" .) }} +{{- end }} +{{- else }} +{{- printf "%s" (get .Values.global.images "configmap-reload") }} +{{- end -}} +{{- end }} + +{{/* +Figure out the config based on +the value of airgapped.repository +*/}} +{{- define "get.serverimage" }} +{{- if not .Values.global.rhMarketPlace }} +{{- if .Values.global.airgapped.repository }} +{{- printf "%s/prometheus:%s" .Values.global.airgapped.repository (include "get.promImageTag" .) }} +{{- else }} +{{- printf "%s:%s" (include "get.promImageRepo" .) (include "get.promImageTag" .) 
}} +{{- end }} +{{- else }} +{{- printf "%s" (get .Values.global.images "prometheus") }} +{{- end -}} +{{- end }} + + +{{/* +Figure out the configmap-reload image tag +based on the value of global.upstreamCertifiedImages +*/}} +{{- define "get.cmReloadImageTag"}} +{{- if .Values.global.upstreamCertifiedImages }} +{{- if .Values.global.airgapped.repository }} +{{- printf "k10-%s-rh-ubi" (include "k10.prometheusConfigMapReloaderImageTag" .) }} +{{- else }} +{{- printf "%s-rh-ubi" (include "k10.prometheusConfigMapReloaderImageTag" .) }} +{{- end }} +{{- else }} +{{- if .Values.global.airgapped.repository }} +{{- printf "k10-%s" (include "k10.prometheusConfigMapReloaderImageTag" .) }} +{{- else }} +{{- printf "%s" (include "k10.prometheusConfigMapReloaderImageTag" .) }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Figure out the prometheus image tag +based on the value of global.upstreamCertifiedImages +*/}} +{{- define "get.promImageTag"}} +{{- if .Values.global.upstreamCertifiedImages }} +{{- if .Values.global.airgapped.repository }} +{{- printf "k10-%s-rh-ubi" (include "k10.prometheusImageTag" .) }} +{{- else }} +{{- printf "%s-rh-ubi" (include "k10.prometheusImageTag" .) }} +{{- end }} +{{- else }} +{{- if .Values.global.airgapped.repository }} +{{- printf "k10-%s" (include "k10.prometheusImageTag" .) }} +{{- else }} +{{- printf "%s" (include "k10.prometheusImageTag" .) 
}} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Figure out the configmap-reload image repo +based on the value of global.upstreamCertifiedImages +*/}} +{{- define "get.cmReloadImageRepo" }} +{{- if .Values.global.upstreamCertifiedImages }} +{{- printf "%s/%s/configmap-reload" .Values.k10image.registry .Values.k10image.repository }} +{{- else }} +{{- print .Values.configmapReload.prometheus.image.repository }} +{{- end }} +{{- end }} + +{{/* +Figure out the prom image repo +based on the value of global.upstreamCertifiedImages +*/}} +{{- define "get.promImageRepo" }} +{{- if .Values.global.upstreamCertifiedImages }} +{{- printf "%s/%s/prometheus" .Values.k10image.registry .Values.k10image.repository }} +{{- else }} +{{- print .Values.server.image.repository }} +{{- end }} +{{- end }} + +{{/* +Create a fully qualified alertmanager name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} + +{{- define "prometheus.alertmanager.fullname" -}} +{{- if .Values.alertmanager.fullnameOverride -}} +{{- .Values.alertmanager.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.alertmanager.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.alertmanager.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified node-exporter name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
+*/}} +{{- define "prometheus.nodeExporter.fullname" -}} +{{- if .Values.nodeExporter.fullnameOverride -}} +{{- .Values.nodeExporter.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.nodeExporter.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.nodeExporter.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified Prometheus server name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "prometheus.server.fullname" -}} +{{- if .Values.server.fullnameOverride -}} +{{- .Values.server.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.server.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.server.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified Prometheus server clusterrole name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
+*/}} +{{- define "prometheus.server.clusterrolefullname" -}} +{{- if .Values.server.clusterRoleNameOverride -}} +{{- .Values.server.clusterRoleNameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- if .Values.server.fullnameOverride -}} +{{- printf "%s-%s" .Release.Name .Values.server.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.server.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.server.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified pushgateway name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "prometheus.pushgateway.fullname" -}} +{{- if .Values.pushgateway.fullnameOverride -}} +{{- .Values.pushgateway.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.pushgateway.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.pushgateway.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get KubeVersion removing pre-release information. +*/}} +{{- define "prometheus.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+" .Capabilities.KubeVersion.Version) -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "prometheus.deployment.apiVersion" -}} +{{- print "apps/v1" -}} +{{- end -}} +{{/* +Return the appropriate apiVersion for daemonset. 
+*/}} +{{- define "prometheus.daemonset.apiVersion" -}} +{{- print "apps/v1" -}} +{{- end -}} +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "prometheus.networkPolicy.apiVersion" -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{/* +Return the appropriate apiVersion for podsecuritypolicy. +*/}} +{{- define "prometheus.podSecurityPolicy.apiVersion" -}} +{{- print "policy/v1beta1" -}} +{{- end -}} +{{/* +Return the appropriate apiVersion for rbac. +*/}} +{{- define "rbac.apiVersion" -}} +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- end -}} +{{- end -}} +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19.x" (include "prometheus.kubeVersion" .)) -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else -}} + {{- print "extensions/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return if ingress is stable. +*/}} +{{- define "ingress.isStable" -}} + {{- eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return if ingress supports ingressClassName. +*/}} +{{- define "ingress.supportsIngressClassName" -}} + {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "prometheus.kubeVersion" .))) -}} +{{- end -}} +{{/* +Return if ingress supports pathType. +*/}} +{{- define "ingress.supportsPathType" -}} + {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) 
"networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "prometheus.kubeVersion" .))) -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the alertmanager component +*/}} +{{- define "prometheus.serviceAccountName.alertmanager" -}} +{{- if .Values.serviceAccounts.alertmanager.create -}} + {{ default (include "prometheus.alertmanager.fullname" .) .Values.serviceAccounts.alertmanager.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.alertmanager.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the nodeExporter component +*/}} +{{- define "prometheus.serviceAccountName.nodeExporter" -}} +{{- if .Values.serviceAccounts.nodeExporter.create -}} + {{ default (include "prometheus.nodeExporter.fullname" .) .Values.serviceAccounts.nodeExporter.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.nodeExporter.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the pushgateway component +*/}} +{{- define "prometheus.serviceAccountName.pushgateway" -}} +{{- if .Values.serviceAccounts.pushgateway.create -}} + {{ default (include "prometheus.pushgateway.fullname" .) .Values.serviceAccounts.pushgateway.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.pushgateway.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the server component +*/}} +{{- define "prometheus.serviceAccountName.server" -}} +{{- if .Values.serviceAccounts.server.create -}} + {{ default (include "prometheus.server.fullname" .) 
.Values.serviceAccounts.server.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.server.name }} +{{- end -}} +{{- end -}} + +{{/* +Define the prometheus.namespace template if set with forceNamespace or .Release.Namespace is set +*/}} +{{- define "prometheus.namespace" -}} +{{- if .Values.forceNamespace -}} +{{ printf "namespace: %s" .Values.forceNamespace }} +{{- else -}} +{{ printf "namespace: %s" .Release.Namespace }} +{{- end -}} +{{- end -}} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/clusterrole.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/clusterrole.yaml new file mode 100644 index 000000000..c732ff4e5 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/clusterrole.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.alertmanager.useClusterRole (not .Values.alertmanager.useExistingRole) -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRole +metadata: + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +rules: +{{- if .Values.podSecurityPolicy.enabled }} + - apiGroups: + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "prometheus.alertmanager.fullname" . }} +{{- else }} + [] +{{- end }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/clusterrolebinding.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/clusterrolebinding.yaml new file mode 100644 index 000000000..6f13e98b5 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/clusterrolebinding.yaml 
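Review bot: The four `prometheus.serviceAccountName.*` templates fall back to the literal `default` service account whenever `serviceAccounts.<component>.create` is false and no name is given, so disabling a per-component account silently runs that pod under the namespace's shared default identity (deploy.yaml does not set `automountServiceAccountToken`, so its token would be mounted as well). A comment on each helper stating the fallback would make this visible to operators, e.g. `{{/* Falls back to the namespace "default" SA when create=false and no name is set; set a name to avoid sharing that identity */}}`. Separately, `prometheus.podSecurityPolicy.apiVersion` hardcodes `policy/v1beta1` and `rbac.apiVersion` falls back to `rbac.authorization.k8s.io/v1beta1`; neither API version exists on current Kubernetes releases, so a capability check in the style of `ingress.apiVersion` would fail earlier and with a clearer message than a server-side rejection.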
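Review bot: The PSP `use` grant lists `extensions` as the apiGroup while the PodSecurityPolicy object rendered by psp.yaml belongs to `policy/v1beta1`; the PSP admission plugin historically authorised against both groups, but `policy` is the group the object actually lives in, so `- policy` (or both groups) avoids depending on that legacy fallback. Because PodSecurityPolicy was removed from Kubernetes in 1.25, the `podSecurityPolicy.enabled` path in this hunk and in psp.yaml only works on older clusters; a comment saying so next to the `if` would save a debugging round.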
@@ -0,0 +1,20 @@ +{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.alertmanager.useClusterRole -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRoleBinding +metadata: + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.alertmanager" . }} +{{ include "prometheus.namespace" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- if (not .Values.alertmanager.useExistingRole) }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{- else }} + name: {{ .Values.alertmanager.useExistingRole }} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/cm.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/cm.yaml new file mode 100644 index 000000000..cb09bf067 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/cm.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.alertmanager.enabled (and (empty .Values.alertmanager.configMapOverrideName) (empty .Values.alertmanager.configFromSecret)) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +data: +{{- $root := . -}} +{{- range $key, $value := .Values.alertmanagerFiles }} + {{- if $key | regexMatch ".*\\.ya?ml$" }} + {{ $key }}: | +{{ toYaml $value | default "{}" | indent 4 }} + {{- else }} + {{ $key }}: {{ toYaml $value | indent 4 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/deploy.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/deploy.yaml new file mode 100644 index 000000000..86335698a --- /dev/null 
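Review bot: Everything under `alertmanagerFiles` is rendered into a ConfigMap, so receiver credentials inside an alertmanager config (webhook URLs carrying tokens, SMTP or Slack secrets) end up in a non-secret object readable by anyone with configmap access in the namespace. The chart already supports `alertmanager.configFromSecret` (deploy.yaml switches the config volume to a Secret in that case), so a comment at the top of this template pointing readers to it would help: `{{/* Config lands in a ConfigMap; use alertmanager.configFromSecret for configs that contain receiver credentials */}}`. The clusterrolebinding hunk above has nothing to add beyond the helpers note.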
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/deploy.yaml 
@@ -0,0 +1,208 @@ +{{- if and .Values.alertmanager.enabled (not .Values.alertmanager.statefulSet.enabled) -}} +apiVersion: {{ template "prometheus.deployment.apiVersion" . }} +kind: Deployment +metadata: +{{- if .Values.alertmanager.deploymentAnnotations }} + annotations: + {{ toYaml .Values.alertmanager.deploymentAnnotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + selector: + matchLabels: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} + replicas: {{ .Values.alertmanager.replicaCount }} + {{- if .Values.alertmanager.strategy }} + strategy: +{{ toYaml .Values.alertmanager.strategy | trim | indent 4 }} + {{ if eq .Values.alertmanager.strategy.type "Recreate" }}rollingUpdate: null{{ end }} +{{- end }} + template: + metadata: + {{- if .Values.alertmanager.podAnnotations }} + annotations: + {{ toYaml .Values.alertmanager.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 8 }} + {{- if .Values.alertmanager.podLabels}} + {{ toYaml .Values.alertmanager.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.alertmanager.schedulerName }} + schedulerName: "{{ .Values.alertmanager.schedulerName }}" +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.alertmanager" . }} + {{- if .Values.alertmanager.extraInitContainers }} + initContainers: +{{ toYaml .Values.alertmanager.extraInitContainers | indent 8 }} + {{- end }} +{{- if .Values.alertmanager.priorityClassName }} + priorityClassName: "{{ .Values.alertmanager.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . 
}}-{{ .Values.alertmanager.name }} + image: "{{ .Values.alertmanager.image.repository }}:{{ .Values.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.alertmanager.image.pullPolicy }}" + env: + {{- range $key, $value := .Values.alertmanager.extraEnv }} + - name: {{ $key }} + value: {{ $value }} + {{- end }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + args: + - --config.file=/etc/config/{{ .Values.alertmanager.configFileName }} + - --storage.path={{ .Values.alertmanager.persistentVolume.mountPath }} + {{- if .Values.alertmanager.service.enableMeshPeer }} + - --cluster.listen-address=0.0.0.0:6783 + - --cluster.advertise-address=[$(POD_IP)]:6783 + {{- else }} + - --cluster.listen-address= + {{- end }} + {{- range $key, $value := .Values.alertmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.alertmanager.baseURL }} + - --web.external-url={{ .Values.alertmanager.baseURL }} + {{- end }} + {{- range .Values.alertmanager.clusterPeers }} + - --cluster.peer={{ . 
}} + {{- end }} + + ports: + - containerPort: 9093 + readinessProbe: + httpGet: + path: {{ .Values.alertmanager.prefixURL }}/-/ready + port: 9093 + {{- if .Values.alertmanager.probeHeaders }} + httpHeaders: + {{- range .Values.alertmanager.probeHeaders }} + - name: {{ .name }} + value: {{ .value }} + {{- end }} + {{- end }} + initialDelaySeconds: 30 + timeoutSeconds: 30 + resources: +{{ toYaml .Values.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: "{{ .Values.alertmanager.persistentVolume.mountPath }}" + subPath: "{{ .Values.alertmanager.persistentVolume.subPath }}" + {{- range .Values.alertmanager.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.alertmanager.extraConfigmapMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + + {{- if .Values.configmapReload.alertmanager.enabled }} + - name: {{ template "prometheus.name" . }}-{{ .Values.alertmanager.name }}-{{ .Values.configmapReload.alertmanager.name }} + image: "{{ .Values.configmapReload.alertmanager.image.repository }}:{{ .Values.configmapReload.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.configmapReload.alertmanager.image.pullPolicy }}" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9093{{ .Values.alertmanager.prefixURL }}/-/reload + {{- range $key, $value := .Values.configmapReload.alertmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- range .Values.configmapReload.alertmanager.extraVolumeDirs }} + - --volume-dir={{ . 
}} + {{- end }} + {{- if .Values.configmapReload.alertmanager.containerPort }} + ports: + - containerPort: {{ .Values.configmapReload.alertmanager.containerPort }} + {{- end }} + resources: +{{ toYaml .Values.configmapReload.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- range .Values.configmapReload.alertmanager.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.alertmanager.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.nodeSelector }} + nodeSelector: +{{ toYaml .Values.alertmanager.nodeSelector | indent 8 }} + {{- end }} + {{- with .Values.alertmanager.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.securityContext }} + securityContext: +{{ toYaml .Values.alertmanager.securityContext | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.tolerations }} + tolerations: +{{ toYaml .Values.alertmanager.tolerations | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.affinity }} + affinity: +{{ toYaml .Values.alertmanager.affinity | indent 8 }} + {{- end }} + volumes: + - name: config-volume + {{- if empty .Values.alertmanager.configFromSecret }} + configMap: + name: {{ if .Values.alertmanager.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.alertmanager.configMapOverrideName }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }} + {{- else }} + secret: + secretName: {{ .Values.alertmanager.configFromSecret }} + {{- end }} + {{- range .Values.alertmanager.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . 
}} + {{- end }} + {{- end }} + {{- range .Values.alertmanager.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.configmapReload.alertmanager.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.alertmanager.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + - name: storage-volume + {{- if .Values.alertmanager.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: {{ if .Values.alertmanager.persistentVolume.existingClaim }}{{ .Values.alertmanager.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }} + {{- else }} + emptyDir: + {{- if .Values.alertmanager.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.alertmanager.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} + {{- end -}} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/headless-svc.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/headless-svc.yaml new file mode 100644 index 000000000..8c402c408 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/headless-svc.yaml 
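Review bot: `value: {{ $value }}` in the `extraEnv` range (and `--{{ $key }}={{ $value }}` in the `extraArgs` ranges) emits values unquoted, so an env value such as `true`, `0644` or `1e3` is typed by the YAML parser and the API server rejects the EnvVar, whose `value` must be a string; `value: {{ $value | quote }}` fixes the env case. Neither the alertmanager container nor the configmap-reload sidecar carries a container-level `securityContext`; the only hardening in this change set (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, dropped capabilities) lives in psp.yaml, which is opt-in and PSP-based, so those settings are worth applying directly on the containers. The pod also leaves `automountServiceAccountToken` at its default, although nothing in this hunk suggests the alertmanager process needs the Kubernetes API; the values file that would confirm that is not in this chunk.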
@@ -0,0 +1,31 @@ +{{- if and .Values.alertmanager.enabled .Values.alertmanager.statefulSet.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.alertmanager.statefulSet.headless.annotations }} + annotations: +{{ toYaml .Values.alertmanager.statefulSet.headless.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +{{- if .Values.alertmanager.statefulSet.headless.labels }} +{{ toYaml .Values.alertmanager.statefulSet.headless.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.alertmanager.fullname" . }}-headless +{{ include "prometheus.namespace" . | indent 2 }} +spec: + clusterIP: None + ports: + - name: http + port: {{ .Values.alertmanager.statefulSet.headless.servicePort }} + protocol: TCP + targetPort: 9093 +{{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }} + - name: meshpeer + port: 6783 + protocol: TCP + targetPort: 6783 +{{- end }} + selector: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/ingress.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/ingress.yaml new file mode 100644 index 000000000..6e856360b --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/ingress.yaml 
@@ -0,0 +1,57 @@ +{{- if and .Values.alertmanager.enabled .Values.alertmanager.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} +{{- $releaseName := .Release.Name -}} +{{- $serviceName := include "prometheus.alertmanager.fullname" . }} +{{- $servicePort := .Values.alertmanager.service.servicePort -}} +{{- $ingressPath := .Values.alertmanager.ingress.path -}} +{{- $ingressPathType := .Values.alertmanager.ingress.pathType -}} +{{- $extraPaths := .Values.alertmanager.ingress.extraPaths -}} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.alertmanager.ingress.annotations }} + annotations: +{{ toYaml .Values.alertmanager.ingress.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +{{- range $key, $value := .Values.alertmanager.ingress.extraLabels }} + {{ $key }}: {{ $value }} +{{- end }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.alertmanager.ingress.ingressClassName }} + ingressClassName: {{ .Values.alertmanager.ingress.ingressClassName }} + {{- end }} + rules: + {{- range .Values.alertmanager.ingress.hosts }} + {{- $url := splitList "/" . 
}} + - host: {{ first $url }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} +{{- if .Values.alertmanager.ingress.tls }} + tls: +{{ toYaml .Values.alertmanager.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/netpol.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/netpol.yaml new file mode 100644 index 000000000..e44ade60e --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/netpol.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.alertmanager.enabled .Values.networkPolicy.enabled -}} +apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} + ingress: + - from: + - podSelector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 12 }} + - ports: + - port: 9093 +{{- end -}} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/pdb.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/pdb.yaml new file mode 100644 index 000000000..41a92f364 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/pdb.yaml 
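Review bot: The Ingress exposes the alertmanager HTTP API, which has no authentication of its own and accepts silence creation and deletion, while TLS and any auth annotations are left entirely to `alertmanager.ingress.tls` and `alertmanager.ingress.annotations`. A comment on the `annotations` block naming that expectation would help, e.g. `{{/* Alertmanager has no built-in auth: put authentication (ingress-controller auth annotations or an auth proxy) and TLS in front of this Ingress */}}`. Also, `{{ $key }}: {{ $value }}` under `extraLabels` renders unquoted; `{{ $value | quote }}` keeps numeric-looking label values as strings.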
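Review bot: As rendered, `ingress` holds two separate rules: the first (`from` server pods, no `ports`) admits the server to every port, and the second (`ports: 9093`, no `from`) admits every source in the cluster to 9093, so the pod selector does not actually restrict who reaches the alertmanager API; if the intent was "server only, port 9093", `ports` belongs inside the first rule (drop the `-` before `ports:`). The collapsed indentation in this chunk makes the structure hard to confirm, so please check the rendered output. When `alertmanager.service.enableMeshPeer` is on, deploy.yaml listens on 6783 for cluster gossip, and nothing here allows peer-to-peer traffic on that port, so the policy would break alertmanager clustering.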
@@ -0,0 +1,14 @@ +{{- if .Values.alertmanager.podDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.alertmanager.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + {{- include "prometheus.alertmanager.labels" . | nindent 6 }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/psp.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/psp.yaml new file mode 100644 index 000000000..64fb13003 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/psp.yaml 
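Review bot: `apiVersion: policy/v1beta1` is hardcoded; PodDisruptionBudget v1beta1 is gone from Kubernetes 1.25 while `policy/v1` has existed since 1.21, so a capability check in the style of `rbac.apiVersion` is needed rather than a fixed string. The selector also uses `prometheus.alertmanager.labels`, which includes the `chart: <name>-<version>` and `heritage` labels, whereas the Deployment selector uses `prometheus.alertmanager.matchLabels`; during a chart-version upgrade the old pods carry a different `chart` label and fall outside the budget. `{{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }}` keeps the two selectors consistent.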
@@ -0,0 +1,46 @@ +{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }} +apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }} +kind: PodSecurityPolicy +metadata: + name: {{ template "prometheus.alertmanager.fullname" . }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + annotations: +{{- if .Values.alertmanager.podSecurityPolicy.annotations }} +{{ toYaml .Values.alertmanager.podSecurityPolicy.annotations | indent 4 }} +{{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + volumes: + - 'configMap' + - 'persistentVolumeClaim' + - 'emptyDir' + - 'secret' + allowedHostPaths: + - pathPrefix: /etc + readOnly: true + - pathPrefix: {{ .Values.alertmanager.persistentVolume.mountPath }} + hostNetwork: false + hostPID: false + hostIPC: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/pvc.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/pvc.yaml new file mode 100644 index 000000000..8c7d9233b --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/pvc.yaml 
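Review bot: `runAsUser: rule: 'RunAsAny'` lets the pod run as root even though the policy drops all capabilities and forbids privilege escalation; `MustRunAsNonRoot` would match the rest of the policy's intent, assuming the images run as a non-root user (the values and image defaults are not in this chunk). `allowedHostPaths` lists `/etc` and the persistent volume mount path, yet `volumes` does not include `hostPath`, so that block is inert and misleading to a reader. Since PodSecurityPolicy was removed in Kubernetes 1.25, a comment noting that Pod Security Admission or a container-level `securityContext` is the replacement would help.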
@@ -0,0 +1,43 @@
+{{- if not .Values.alertmanager.statefulSet.enabled -}}
+{{- if and .Values.alertmanager.enabled .Values.alertmanager.persistentVolume.enabled -}}
+{{- if not .Values.alertmanager.persistentVolume.existingClaim -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ {{- if .Values.alertmanager.persistentVolume.annotations }}
+ annotations:
+{{ toYaml .Values.alertmanager.persistentVolume.annotations | indent 4 }}
+ {{- end }}
+ labels:
+ {{- include "prometheus.alertmanager.labels" . | nindent 4 }}
+ name: {{ template "prometheus.alertmanager.fullname" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+spec:
+ accessModes:
+{{ toYaml .Values.alertmanager.persistentVolume.accessModes | indent 4 }}
+{{- if .Values.alertmanager.persistentVolume.storageClass }}
+ {{- if (eq "-" .Values.alertmanager.persistentVolume.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: "{{ .Values.alertmanager.persistentVolume.storageClass }}"
+ {{- end }}
+{{- else if .Values.global.persistence.storageClass }}
+ {{- if (eq "-" .Values.global.persistence.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: "{{ .Values.global.persistence.storageClass }}"
+ {{- end }}
+{{- end }}
+{{- if .Values.alertmanager.persistentVolume.volumeBindingMode }}
+ volumeBindingMode: "{{ .Values.alertmanager.persistentVolume.volumeBindingMode }}"
+{{- end }}
+ resources:
+ requests:
+ storage: "{{ .Values.alertmanager.persistentVolume.size }}"
+{{- if .Values.alertmanager.persistentVolume.selector }}
+ selector:
+ {{- toYaml .Values.alertmanager.persistentVolume.selector | nindent 4 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/role.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/role.yaml
new file mode 100644
index 000000000..ce60eaf0a
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/role.yaml
@@ -0,0 +1,24 @@
+{{- if and .Values.alertmanager.enabled .Values.rbac.create (eq .Values.alertmanager.useClusterRole false) (not .Values.alertmanager.useExistingRole) -}}
+{{- range $.Values.alertmanager.namespaces }}
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: Role
+metadata:
+ labels:
+ {{- include "prometheus.alertmanager.labels" $ | nindent 4 }}
+ name: {{ template "prometheus.alertmanager.fullname" $ }}
+ namespace: {{ . }}
+rules:
+{{- if $.Values.podSecurityPolicy.enabled }}
+ - apiGroups:
+ - extensions
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - {{ template "prometheus.alertmanager.fullname" $ }}
+{{- else }}
+ []
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/rolebinding.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/rolebinding.yaml
new file mode 100644
index 000000000..906d6522d
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/rolebinding.yaml
@@ -0,0 +1,23 @@
+{{- if and .Values.alertmanager.enabled .Values.rbac.create (eq .Values.alertmanager.useClusterRole false) -}}
+{{ range $.Values.alertmanager.namespaces }}
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: RoleBinding
+metadata:
+ labels:
+ {{- include "prometheus.alertmanager.labels" $ | nindent 4 }}
+ name: {{ template "prometheus.alertmanager.fullname" $ }}
+ namespace: {{ . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "prometheus.serviceAccountName.alertmanager" $ }}
+{{ include "prometheus.namespace" $ | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+{{- if (not $.Values.alertmanager.useExistingRole) }}
+ name: {{ template "prometheus.alertmanager.fullname" $ }}
+{{- else }}
+ name: {{ $.Values.alertmanager.useExistingRole }}
+{{- end }}
+{{- end }}
+{{ end }}
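Review bot: Inside `{{- range $.Values.alertmanager.namespaces }}` the apiVersion line calls `{{ template "rbac.apiVersion" . }}` with `.` bound to the namespace string, whereas every other include in the loop passes the root context `$`; if that helper reads `.Capabilities` (its body is not on this page) the render fails as soon as one namespace is listed, so the line should read `apiVersion: {{ template "rbac.apiVersion" $ }}`. The rolebinding.yaml hunk on this line has the identical call. Neither loop emits a `---` between iterations either, so with two or more namespaces the Role (and RoleBinding) documents run together into one YAML document with duplicated keys; a `---` line as the first line of the loop body fixes that.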
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/service.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/service.yaml
new file mode 100644
index 000000000..9edc9ac65
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/service.yaml
@@ -0,0 +1,53 @@
+{{- if .Values.alertmanager.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Values.alertmanager.service.annotations }}
+ annotations:
+{{ toYaml .Values.alertmanager.service.annotations | indent 4 }}
+{{- end }}
+ labels:
+ {{- include "prometheus.alertmanager.labels" . | nindent 4 }}
+{{- if .Values.alertmanager.service.labels }}
+{{ toYaml .Values.alertmanager.service.labels | indent 4 }}
+{{- end }}
+ name: {{ template "prometheus.alertmanager.fullname" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+spec:
+{{- if .Values.alertmanager.service.clusterIP }}
+ clusterIP: {{ .Values.alertmanager.service.clusterIP }}
+{{- end }}
+{{- if .Values.alertmanager.service.externalIPs }}
+ externalIPs:
+{{ toYaml .Values.alertmanager.service.externalIPs | indent 4 }}
+{{- end }}
+{{- if .Values.alertmanager.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.alertmanager.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.alertmanager.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+ {{- range $cidr := .Values.alertmanager.service.loadBalancerSourceRanges }}
+ - {{ $cidr }}
+ {{- end }}
+{{- end }}
+ ports:
+ - name: http
+ port: {{ .Values.alertmanager.service.servicePort }}
+ protocol: TCP
+ targetPort: 9093
+ {{- if .Values.alertmanager.service.nodePort }}
+ nodePort: {{ .Values.alertmanager.service.nodePort }}
+ {{- end }}
+{{- if .Values.alertmanager.service.enableMeshPeer }}
+ - name: meshpeer
+ port: 6783
+ protocol: TCP
+ targetPort: 6783
+{{- end }}
+ selector:
+ {{- include "prometheus.alertmanager.matchLabels" . | nindent 4 }}
+{{- if .Values.alertmanager.service.sessionAffinity }}
+ sessionAffinity: {{ .Values.alertmanager.service.sessionAffinity }}
+{{- end }}
+ type: "{{ .Values.alertmanager.service.type }}"
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/serviceaccount.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/serviceaccount.yaml
new file mode 100644
index 000000000..a5d996a85
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/serviceaccount.yaml
@@ -0,0 +1,11 @@
+{{- if and .Values.alertmanager.enabled .Values.serviceAccounts.alertmanager.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ {{- include "prometheus.alertmanager.labels" . | nindent 4 }}
+ name: {{ template "prometheus.serviceAccountName.alertmanager" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+ annotations:
+{{ toYaml .Values.serviceAccounts.alertmanager.annotations | indent 4 }}
+{{- end -}}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/sts.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/sts.yaml
new file mode 100644
index 000000000..eee09dc6f
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/alertmanager/sts.yaml
@@ -0,0 +1,194 @@ +{{- if and .Values.alertmanager.enabled .Values.alertmanager.statefulSet.enabled -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: +{{- if .Values.alertmanager.statefulSet.annotations }} + annotations: + {{ toYaml .Values.alertmanager.statefulSet.annotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + {{- if .Values.alertmanager.statefulSet.labels}} + {{ toYaml .Values.alertmanager.statefulSet.labels | nindent 4 }} + {{- end}} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + serviceName: {{ template "prometheus.alertmanager.fullname" . }}-headless + selector: + matchLabels: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} + replicas: {{ .Values.alertmanager.replicaCount }} + podManagementPolicy: {{ .Values.alertmanager.statefulSet.podManagementPolicy }} + template: + metadata: + {{- if .Values.alertmanager.podAnnotations }} + annotations: + {{ toYaml .Values.alertmanager.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 8 }} + {{- if .Values.alertmanager.podLabels}} + {{ toYaml .Values.alertmanager.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.alertmanager.affinity }} + affinity: +{{ toYaml .Values.alertmanager.affinity | indent 8 }} +{{- end }} +{{- if .Values.alertmanager.schedulerName }} + schedulerName: "{{ .Values.alertmanager.schedulerName }}" +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.alertmanager" . }} +{{- if .Values.alertmanager.priorityClassName }} + priorityClassName: "{{ .Values.alertmanager.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . 
}}-{{ .Values.alertmanager.name }} + image: "{{ .Values.alertmanager.image.repository }}:{{ .Values.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.alertmanager.image.pullPolicy }}" + env: + {{- range $key, $value := .Values.alertmanager.extraEnv }} + - name: {{ $key }} + value: {{ $value }} + {{- end }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + args: + - --config.file=/etc/config/alertmanager.yml + - --storage.path={{ .Values.alertmanager.persistentVolume.mountPath }} + {{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }} + - --cluster.advertise-address=[$(POD_IP)]:6783 + - --cluster.listen-address=0.0.0.0:6783 + {{- range $n := until (.Values.alertmanager.replicaCount | int) }} + - --cluster.peer={{ template "prometheus.alertmanager.fullname" $ }}-{{ $n }}.{{ template "prometheus.alertmanager.fullname" $ }}-headless:6783 + {{- end }} + {{- else }} + - --cluster.listen-address= + {{- end }} + {{- range $key, $value := .Values.alertmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.alertmanager.baseURL }} + - --web.external-url={{ .Values.alertmanager.baseURL }} + {{- end }} + + ports: + - containerPort: 9093 + {{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }} + - containerPort: 6783 + {{- end }} + readinessProbe: + httpGet: + path: {{ .Values.alertmanager.prefixURL }}/#/status + port: 9093 + initialDelaySeconds: 30 + timeoutSeconds: 30 + resources: +{{ toYaml .Values.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: "{{ .Values.alertmanager.persistentVolume.mountPath }}" + subPath: "{{ .Values.alertmanager.persistentVolume.subPath }}" + {{- range .Values.alertmanager.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.configmapReload.alertmanager.enabled }} 
+ - name: {{ template "prometheus.name" . }}-{{ .Values.alertmanager.name }}-{{ .Values.configmapReload.alertmanager.name }} + image: "{{ include "get.cmreloadimage" .}}" + imagePullPolicy: "{{ .Values.configmapReload.alertmanager.image.pullPolicy }}" + args: + - --volume-dir=/etc/config + - --webhook-url=http://localhost:9093{{ .Values.alertmanager.prefixURL }}/-/reload + {{- range $key, $value := .Values.configmapReload.alertmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.configmapReload.alertmanager.port }} + ports: + - containerPort: {{ .Values.configmapReload.alertmanager.port }} + {{- end }} + resources: +{{ toYaml .Values.configmapReload.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.nodeSelector }} + nodeSelector: +{{ toYaml .Values.alertmanager.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.securityContext }} + securityContext: +{{ toYaml .Values.alertmanager.securityContext | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.tolerations }} + tolerations: +{{ toYaml .Values.alertmanager.tolerations | indent 8 }} + {{- end }} + volumes: + - name: config-volume + {{- if empty .Values.alertmanager.configFromSecret }} + configMap: + name: {{ if .Values.alertmanager.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.alertmanager.configMapOverrideName }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }} + {{- else }} + secret: + secretName: {{ .Values.alertmanager.configFromSecret }} + {{- end }} + {{- range .Values.alertmanager.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . 
}} + {{- end }} + {{- end }} +{{- if .Values.alertmanager.persistentVolume.enabled }} + volumeClaimTemplates: + - metadata: + name: storage-volume + {{- if .Values.alertmanager.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.alertmanager.persistentVolume.annotations | indent 10 }} + {{- end }} + spec: + accessModes: +{{ toYaml .Values.alertmanager.persistentVolume.accessModes | indent 10 }} + resources: + requests: + storage: "{{ .Values.alertmanager.persistentVolume.size }}" + {{- if .Values.server.persistentVolume.storageClass }} + {{- if (eq "-" .Values.server.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.alertmanager.persistentVolume.storageClass }}" + {{- end }} + {{- else if .Values.global.persistence.storageClass }} + {{- if (eq "-" .Values.global.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.global.persistence.storageClass }}" + {{- end }} + {{- end }} +{{- else }} + - name: storage-volume + emptyDir: + {{- if .Values.alertmanager.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.alertmanager.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/daemonset.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/daemonset.yaml new file mode 100644 index 000000000..d1d5cf064 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/daemonset.yaml 
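Review bot: In the `volumeClaimTemplates` block the storageClassName decision is gated on `.Values.server.persistentVolume.storageClass` (both the outer `if` and the `eq "-"` test) but then emits `.Values.alertmanager.persistentVolume.storageClass`, so alertmanager's own setting is ignored unless the server also sets one, and a server value of `-` blanks alertmanager's class; both conditions should reference `.Values.alertmanager.persistentVolume.storageClass`, as the pvc.yaml hunk above already does. In the `extraEnv` range, `value: {{ $value }}` renders booleans and numbers as unquoted scalars, which the Pod API rejects for env values; `value: {{ $value | quote }}` keeps them strings. The StatefulSet starts in the earlier part of this hunk, and these lines sit inside its pod template.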
@@ -0,0 +1,150 @@ +{{- if .Values.nodeExporter.enabled -}} +apiVersion: {{ template "prometheus.daemonset.apiVersion" . }} +kind: DaemonSet +metadata: +{{- if .Values.nodeExporter.deploymentAnnotations }} + annotations: +{{ toYaml .Values.nodeExporter.deploymentAnnotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} + name: {{ template "prometheus.nodeExporter.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + selector: + matchLabels: + {{- include "prometheus.nodeExporter.matchLabels" . | nindent 6 }} + {{- if .Values.nodeExporter.updateStrategy }} + updateStrategy: +{{ toYaml .Values.nodeExporter.updateStrategy | indent 4 }} + {{- end }} + template: + metadata: + {{- if .Values.nodeExporter.podAnnotations }} + annotations: +{{ toYaml .Values.nodeExporter.podAnnotations | indent 8 }} + {{- end }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 8 }} +{{- if .Values.nodeExporter.pod.labels }} +{{ toYaml .Values.nodeExporter.pod.labels | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ template "prometheus.serviceAccountName.nodeExporter" . }} + {{- if .Values.nodeExporter.extraInitContainers }} + initContainers: +{{ toYaml .Values.nodeExporter.extraInitContainers | indent 8 }} + {{- end }} +{{- if .Values.nodeExporter.priorityClassName }} + priorityClassName: "{{ .Values.nodeExporter.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . 
}}-{{ .Values.nodeExporter.name }} + image: "{{ .Values.nodeExporter.image.repository }}:{{ .Values.nodeExporter.image.tag }}" + imagePullPolicy: "{{ .Values.nodeExporter.image.pullPolicy }}" + args: + - --path.procfs=/host/proc + - --path.sysfs=/host/sys + {{- if .Values.nodeExporter.hostRootfs }} + - --path.rootfs=/host/root + {{- end }} + {{- if .Values.nodeExporter.hostNetwork }} + - --web.listen-address=:{{ .Values.nodeExporter.service.hostPort }} + {{- end }} + {{- range $key, $value := .Values.nodeExporter.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + ports: + - name: metrics + {{- if .Values.nodeExporter.hostNetwork }} + containerPort: {{ .Values.nodeExporter.service.hostPort }} + {{- else }} + containerPort: 9100 + {{- end }} + hostPort: {{ .Values.nodeExporter.service.hostPort }} + resources: +{{ toYaml .Values.nodeExporter.resources | indent 12 }} + {{- if .Values.nodeExporter.container.securityContext }} + securityContext: +{{ toYaml .Values.nodeExporter.container.securityContext | indent 12 }} + {{- end }} + volumeMounts: + - name: proc + mountPath: /host/proc + readOnly: true + - name: sys + mountPath: /host/sys + readOnly: true + {{- if .Values.nodeExporter.hostRootfs }} + - name: root + mountPath: /host/root + mountPropagation: HostToContainer + readOnly: true + {{- end }} + {{- range .Values.nodeExporter.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + {{- if .mountPropagation }} + mountPropagation: {{ .mountPropagation }} + {{- end }} + {{- end }} + {{- range .Values.nodeExporter.extraConfigmapMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.nodeExporter.hostNetwork }} + hostNetwork: true + {{- end }} + {{- if 
.Values.nodeExporter.hostPID }} + hostPID: true + {{- end }} + {{- if .Values.nodeExporter.tolerations }} + tolerations: +{{ toYaml .Values.nodeExporter.tolerations | indent 8 }} + {{- end }} + {{- if .Values.nodeExporter.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeExporter.nodeSelector | indent 8 }} + {{- end }} + {{- with .Values.nodeExporter.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.nodeExporter.securityContext }} + securityContext: +{{ toYaml .Values.nodeExporter.securityContext | indent 8 }} + {{- end }} + volumes: + - name: proc + hostPath: + path: /proc + - name: sys + hostPath: + path: /sys + {{- if .Values.nodeExporter.hostRootfs }} + - name: root + hostPath: + path: / + {{- end }} + {{- range .Values.nodeExporter.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- end }} + {{- range .Values.nodeExporter.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + +{{- end -}} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/psp.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/psp.yaml new file mode 100644 index 000000000..bd9c73bee --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/psp.yaml 
@@ -0,0 +1,55 @@
+{{- if and .Values.nodeExporter.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }}
+apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "prometheus.nodeExporter.fullname" . }}
+ labels:
+ {{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
+ annotations:
+{{- if .Values.nodeExporter.podSecurityPolicy.annotations }}
+{{ toYaml .Values.nodeExporter.podSecurityPolicy.annotations | indent 4 }}
+{{- end }}
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - 'configMap'
+ - 'hostPath'
+ - 'secret'
+ allowedHostPaths:
+ - pathPrefix: /proc
+ readOnly: true
+ - pathPrefix: /sys
+ readOnly: true
+ - pathPrefix: /
+ readOnly: true
+ {{- range .Values.nodeExporter.extraHostPathMounts }}
+ - pathPrefix: {{ .hostPath }}
+ readOnly: {{ .readOnly }}
+ {{- end }}
+ hostNetwork: {{ .Values.nodeExporter.hostNetwork }}
+ hostPID: {{ .Values.nodeExporter.hostPID }}
+ hostIPC: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+ hostPorts:
+ - min: 1
+ max: 65535
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/role.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/role.yaml
new file mode 100644
index 000000000..d8ef3ed90
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/role.yaml
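Review bot: `hostPorts` admits the whole `1`–`65535` range although the DaemonSet hunk above binds only `.Values.nodeExporter.service.hostPort`; tightening the policy to `- min: {{ .Values.nodeExporter.service.hostPort }}` / `max: {{ .Values.nodeExporter.service.hostPort }}` grants exactly what the workload uses. Under `allowedHostPaths`, the `pathPrefix: /` entry with `readOnly: true` already matches every read-only host path, so the `/proc` and `/sys` entries add nothing; writable mounts from `extraHostPathMounts` still need the entry the range emits. `readOnlyRootFilesystem: false` is also looser than the alertmanager policy on this page, and nothing in the DaemonSet hunk shows node-exporter writing to its own root filesystem, so `true` is worth trying here.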
@@ -0,0 +1,17 @@
+{{- if and .Values.nodeExporter.enabled .Values.rbac.create }}
+{{- if or (default .Values.nodeExporter.podSecurityPolicy.enabled false) (.Values.podSecurityPolicy.enabled) }}
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: Role
+metadata:
+ name: {{ template "prometheus.nodeExporter.fullname" . }}
+ labels:
+ {{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
+{{ include "prometheus.namespace" . | indent 2 }}
+rules:
+- apiGroups: ['extensions']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - {{ template "prometheus.nodeExporter.fullname" . }}
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/rolebinding.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/rolebinding.yaml
new file mode 100644
index 000000000..06914b70a
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/rolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if and .Values.nodeExporter.enabled .Values.rbac.create }}
+{{- if .Values.podSecurityPolicy.enabled }}
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: RoleBinding
+metadata:
+ name: {{ template "prometheus.nodeExporter.fullname" . }}
+ labels:
+ {{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
+{{ include "prometheus.namespace" . | indent 2 }}
+roleRef:
+ kind: Role
+ name: {{ template "prometheus.nodeExporter.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+ name: {{ template "prometheus.serviceAccountName.nodeExporter" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/serviceaccount.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/serviceaccount.yaml
new file mode 100644
index 000000000..0cf91afba
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/serviceaccount.yaml
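Review bot: The Role renders when either `nodeExporter.podSecurityPolicy.enabled` or the global `podSecurityPolicy.enabled` is true, but the RoleBinding in the second hunk on this line is gated on `.Values.podSecurityPolicy.enabled` alone, so enabling only the node-exporter flag produces a Role bound to nothing (and the psp.yaml hunk above renders no policy under that flag either). Reusing `{{- if or (default .Values.nodeExporter.podSecurityPolicy.enabled false) (.Values.podSecurityPolicy.enabled) }}` in rolebinding.yaml keeps the pair in step, or the Role could drop the `or` so both follow the global flag. Both rules also grant `use` in the legacy `extensions` group; the resource lives in the `policy` group, and since PSP admission has historically authorized against either group, naming `policy` (or both) is the safer grant.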
@@ -0,0 +1,11 @@
+{{- if and .Values.nodeExporter.enabled .Values.serviceAccounts.nodeExporter.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ {{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
+ name: {{ template "prometheus.serviceAccountName.nodeExporter" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+ annotations:
+{{ toYaml .Values.serviceAccounts.nodeExporter.annotations | indent 4 }}
+{{- end -}}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/svc.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/svc.yaml
new file mode 100644
index 000000000..26d1eaa21
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/node-exporter/svc.yaml
@@ -0,0 +1,47 @@
+{{- if .Values.nodeExporter.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Values.nodeExporter.service.annotations }}
+ annotations:
+{{ toYaml .Values.nodeExporter.service.annotations | indent 4 }}
+{{- end }}
+ labels:
+ {{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
+{{- if .Values.nodeExporter.service.labels }}
+{{ toYaml .Values.nodeExporter.service.labels | indent 4 }}
+{{- end }}
+ name: {{ template "prometheus.nodeExporter.fullname" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+spec:
+{{- if .Values.nodeExporter.service.clusterIP }}
+ clusterIP: {{ .Values.nodeExporter.service.clusterIP }}
+{{- end }}
+{{- if .Values.nodeExporter.service.externalIPs }}
+ externalIPs:
+{{ toYaml .Values.nodeExporter.service.externalIPs | indent 4 }}
+{{- end }}
+{{- if .Values.nodeExporter.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.nodeExporter.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.nodeExporter.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+ {{- range $cidr := .Values.nodeExporter.service.loadBalancerSourceRanges }}
+ - {{ $cidr }}
+ {{- end }}
+{{- end }}
+ ports:
+ - name: metrics
+ {{- if .Values.nodeExporter.hostNetwork }}
+ port: {{ .Values.nodeExporter.service.hostPort }}
+ protocol: TCP
+ targetPort: {{ .Values.nodeExporter.service.hostPort }}
+ {{- else }}
+ port: {{ .Values.nodeExporter.service.servicePort }}
+ protocol: TCP
+ targetPort: 9100
+ {{- end }}
+ selector:
+ {{- include "prometheus.nodeExporter.matchLabels" . | nindent 4 }}
+ type: "{{ .Values.nodeExporter.service.type }}"
+{{- end -}}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/clusterrole.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/clusterrole.yaml
new file mode 100644
index 000000000..76ecf053f
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/clusterrole.yaml
@@ -0,0 +1,21 @@
+{{- if and .Values.pushgateway.enabled .Values.rbac.create -}}
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: ClusterRole
+metadata:
+ labels:
+ {{- include "prometheus.pushgateway.labels" . | nindent 4 }}
+ name: {{ template "prometheus.pushgateway.fullname" . }}
+rules:
+{{- if .Values.podSecurityPolicy.enabled }}
+ - apiGroups:
+ - extensions
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - {{ template "prometheus.pushgateway.fullname" . }}
+{{- else }}
+ []
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/clusterrolebinding.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/clusterrolebinding.yaml
new file mode 100644
index 000000000..15770ee50
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.pushgateway.enabled .Values.rbac.create -}}
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ {{- include "prometheus.pushgateway.labels" . | nindent 4 }}
+ name: {{ template "prometheus.pushgateway.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "prometheus.serviceAccountName.pushgateway" . }}
+{{ include "prometheus.namespace" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "prometheus.pushgateway.fullname" . }}
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/deploy.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/deploy.yaml
new file mode 100644
index 000000000..ffdbfcc42
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/deploy.yaml
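Review bot: The pushgateway ClusterRole and ClusterRoleBinding carry only `use` on one named PodSecurityPolicy, which is the same rule the alertmanager templates on this page express with a namespaced Role and RoleBinding; a cluster-scoped grant is wider than the service account needs, and because the outer condition is only `rbac.create`, both objects are still created with `rules: []` when `podSecurityPolicy.enabled` is false, leaving empty cluster-level RBAC objects on every install. Switching to `kind: Role` / `kind: RoleBinding` with `{{ include "prometheus.namespace" . | indent 2 }}` under metadata, and adding `.Values.podSecurityPolicy.enabled` to the guard in both hunks, matches the alertmanager pattern and least privilege.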
@@ -0,0 +1,119 @@ +{{- if .Values.pushgateway.enabled -}} +apiVersion: {{ template "prometheus.deployment.apiVersion" . }} +kind: Deployment +metadata: +{{- if .Values.pushgateway.deploymentAnnotations }} + annotations: + {{ toYaml .Values.pushgateway.deploymentAnnotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + selector: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} + matchLabels: + {{- include "prometheus.pushgateway.matchLabels" . | nindent 6 }} + replicas: {{ .Values.pushgateway.replicaCount }} + {{- if .Values.pushgateway.strategy }} + strategy: +{{ toYaml .Values.pushgateway.strategy | trim | indent 4 }} + {{ if eq .Values.pushgateway.strategy.type "Recreate" }}rollingUpdate: null{{ end }} +{{- end }} + template: + metadata: + {{- if .Values.pushgateway.podAnnotations }} + annotations: + {{ toYaml .Values.pushgateway.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 8 }} + {{- if .Values.pushgateway.podLabels }} + {{ toYaml .Values.pushgateway.podLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "prometheus.serviceAccountName.pushgateway" . }} + {{- if .Values.pushgateway.extraInitContainers }} + initContainers: +{{ toYaml .Values.pushgateway.extraInitContainers | indent 8 }} + {{- end }} +{{- if .Values.pushgateway.priorityClassName }} + priorityClassName: "{{ .Values.pushgateway.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . 
}}-{{ .Values.pushgateway.name }} + image: "{{ .Values.pushgateway.image.repository }}:{{ .Values.pushgateway.image.tag }}" + imagePullPolicy: "{{ .Values.pushgateway.image.pullPolicy }}" + args: + {{- range $key, $value := .Values.pushgateway.extraArgs }} + {{- $stringvalue := toString $value }} + {{- if eq $stringvalue "true" }} + - --{{ $key }} + {{- else }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + ports: + - containerPort: 9091 + livenessProbe: + httpGet: + {{- if (index .Values "pushgateway" "extraArgs" "web.route-prefix") }} + path: /{{ index .Values "pushgateway" "extraArgs" "web.route-prefix" }}/-/healthy + {{- else }} + path: /-/healthy + {{- end }} + port: 9091 + initialDelaySeconds: 10 + timeoutSeconds: 10 + readinessProbe: + httpGet: + {{- if (index .Values "pushgateway" "extraArgs" "web.route-prefix") }} + path: /{{ index .Values "pushgateway" "extraArgs" "web.route-prefix" }}/-/ready + {{- else }} + path: /-/ready + {{- end }} + port: 9091 + initialDelaySeconds: 10 + timeoutSeconds: 10 + resources: +{{ toYaml .Values.pushgateway.resources | indent 12 }} + {{- if .Values.pushgateway.persistentVolume.enabled }} + volumeMounts: + - name: storage-volume + mountPath: "{{ .Values.pushgateway.persistentVolume.mountPath }}" + subPath: "{{ .Values.pushgateway.persistentVolume.subPath }}" + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.nodeSelector }} + nodeSelector: +{{ toYaml .Values.pushgateway.nodeSelector | indent 8 }} + {{- end }} + {{- with .Values.pushgateway.dnsConfig }} + dnsConfig: +{{ toYaml . 
| indent 8 }} + {{- end }} + {{- if .Values.pushgateway.securityContext }} + securityContext: +{{ toYaml .Values.pushgateway.securityContext | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.tolerations }} + tolerations: +{{ toYaml .Values.pushgateway.tolerations | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.affinity }} + affinity: +{{ toYaml .Values.pushgateway.affinity | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.persistentVolume.enabled }} + volumes: + - name: storage-volume + persistentVolumeClaim: + claimName: {{ if .Values.pushgateway.persistentVolume.existingClaim }}{{ .Values.pushgateway.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.pushgateway.fullname" . }}{{- end }} + {{- end -}} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/ingress.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/ingress.yaml new file mode 100644 index 000000000..5f176aed4 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/ingress.yaml 
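Review bot: `schedulerName` is emitted under `spec.selector` (between `selector:` and `matchLabels:`), which is not a field of a LabelSelector; with `.Values.schedulerName` set the Deployment is either rejected by schema validation or the key is pruned, and in both cases the pods never reach the intended scheduler. The two template lines belong in the pod spec beside `serviceAccountName`, as `{{- if .Values.schedulerName }}` / `schedulerName: "{{ .Values.schedulerName }}"` / `{{- end }}` at that indentation, which is where the alertmanager sts.yaml hunk on this page puts its equivalent. The Deployment hunk begins earlier in this section.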
@@ -0,0 +1,54 @@ +{{- if and .Values.pushgateway.enabled .Values.pushgateway.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} +{{- $releaseName := .Release.Name -}} +{{- $serviceName := include "prometheus.pushgateway.fullname" . }} +{{- $servicePort := .Values.pushgateway.service.servicePort -}} +{{- $ingressPath := .Values.pushgateway.ingress.path -}} +{{- $ingressPathType := .Values.pushgateway.ingress.pathType -}} +{{- $extraPaths := .Values.pushgateway.ingress.extraPaths -}} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.pushgateway.ingress.annotations }} + annotations: +{{ toYaml .Values.pushgateway.ingress.annotations | indent 4}} +{{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.pushgateway.ingress.ingressClassName }} + ingressClassName: {{ .Values.pushgateway.ingress.ingressClassName }} + {{- end }} + rules: + {{- range .Values.pushgateway.ingress.hosts }} + {{- $url := splitList "/" . }} + - host: {{ first $url }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} +{{- if .Values.pushgateway.ingress.tls }} + tls: +{{ toYaml .Values.pushgateway.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} 
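Review bot: The Ingress publishes the Pushgateway Service on `{{ $ingressPath }}` with `tls` emitted only when `pushgateway.ingress.tls` is set, and nothing in the template requires TLS or any authentication before the path is exposed. As far as I know Pushgateway's push/delete API is unauthenticated out of the box, so an Ingress without an auth layer lets anyone who can reach the host overwrite the metrics Prometheus later scrapes. I'd at least document that next to `pushgateway.ingress.enabled` in values, e.g. `# Pushgateway has no built-in auth: put TLS and an authenticating proxy/ingress auth annotations in front of it before enabling`. Separately, `first $url` silently discards anything after the first `/` in a host entry, so `host/path` values lose their path without warning.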
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/netpol.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/netpol.yaml new file mode 100644 index 000000000..c8d1fb37e --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/netpol.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.pushgateway.enabled .Values.networkPolicy.enabled -}} +apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "prometheus.pushgateway.matchLabels" . | nindent 6 }} + ingress: + - from: + - podSelector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 12 }} + - ports: + - port: 9091 +{{- end -}} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/pdb.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/pdb.yaml new file mode 100644 index 000000000..50beb486d --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/pdb.yaml @@ -0,0 +1,14 @@ +{{- if .Values.pushgateway.podDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.pushgateway.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + {{- include "prometheus.pushgateway.labels" . | nindent 6 }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/psp.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/psp.yaml new file mode 100644 index 000000000..1ca3267f8 --- /dev/null 
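Review bot: In the Pushgateway NetworkPolicy the `ingress` list holds two separate rules — `- from:` with the server `podSelector`, and `- ports: - port: 9091` with no `from` — and because rules are OR'ed, the second rule admits traffic on 9091 from any source, which nullifies the server-only restriction for the only port the pod exposes (`containerPort: 9091` in the Deployment). If the intent is "only the Prometheus server may reach 9091", `ports:` must be a key of the same rule as `from:`: remove the leading `- ` so it reads `from:` … `ports:` / `  - port: 9091` under one list item. As written, any pod that can otherwise reach the namespace can push metrics to the gateway, and the policy only denies ports nothing listens on.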
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/psp.yaml @@ -0,0 +1,42 @@ +{{- if and .Values.pushgateway.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }} +apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }} +kind: PodSecurityPolicy +metadata: + name: {{ template "prometheus.pushgateway.fullname" . }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + annotations: +{{- if .Values.pushgateway.podSecurityPolicy.annotations }} +{{ toYaml .Values.pushgateway.podSecurityPolicy.annotations | indent 4 }} +{{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + volumes: + - 'persistentVolumeClaim' + - 'secret' + allowedHostPaths: + - pathPrefix: {{ .Values.pushgateway.persistentVolume.mountPath }} + hostNetwork: false + hostPID: false + hostIPC: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/pvc.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/pvc.yaml new file mode 100644 index 000000000..e9cf6a120 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/pvc.yaml 
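Review bot: `runAsUser: rule: 'RunAsAny'` still permits the Pushgateway pod to run as UID 0, although the rest of this PSP (`requiredDropCapabilities: ALL`, `readOnlyRootFilesystem: true`, no host namespaces) is clearly aiming for a locked-down pod; if the image runs as a non-root user (I can't confirm that from this chart) `rule: 'MustRunAsNonRoot'` would close the gap at no cost. The `allowedHostPaths` entry is inert because `hostPath` is not in the `volumes` allow-list, and it would also be wrong if it were, since `pushgateway.persistentVolume.mountPath` is a container mount path rather than a host path. I'd delete the `allowedHostPaths` block so a reader does not conclude that host mounts are sanctioned for this workload.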
@@ -0,0 +1,37 @@ +{{- if .Values.pushgateway.persistentVolume.enabled -}} +{{- if not .Values.pushgateway.persistentVolume.existingClaim -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + {{- if .Values.pushgateway.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.pushgateway.persistentVolume.annotations | indent 4 }} + {{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + accessModes: +{{ toYaml .Values.pushgateway.persistentVolume.accessModes | indent 4 }} +{{- if .Values.pushgateway.persistentVolume.storageClass }} + {{- if (eq "-" .Values.pushgateway.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.pushgateway.persistentVolume.storageClass }}" + {{- end }} +{{- else if .Values.global.persistence.storageClass }} + {{- if (eq "-" .Values.global.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.global.persistence.storageClass }}" + {{- end }} +{{- end }} +{{- if .Values.pushgateway.persistentVolume.volumeBindingMode }} + volumeBindingMode: "{{ .Values.pushgateway.persistentVolume.volumeBindingMode }}" +{{- end }} + resources: + requests: + storage: "{{ .Values.pushgateway.persistentVolume.size }}" +{{- end -}} +{{- end -}} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/service.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/service.yaml new file mode 100644 index 000000000..f05f17c42 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/service.yaml 
@@ -0,0 +1,41 @@ +{{- if .Values.pushgateway.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.pushgateway.service.annotations }} + annotations: +{{ toYaml .Values.pushgateway.service.annotations | indent 4}} +{{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} +{{- if .Values.pushgateway.service.labels }} +{{ toYaml .Values.pushgateway.service.labels | indent 4}} +{{- end }} + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: +{{- if .Values.pushgateway.service.clusterIP }} + clusterIP: {{ .Values.pushgateway.service.clusterIP }} +{{- end }} +{{- if .Values.pushgateway.service.externalIPs }} + externalIPs: +{{ toYaml .Values.pushgateway.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.pushgateway.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.pushgateway.service.loadBalancerIP }} +{{- end }} +{{- if .Values.pushgateway.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.pushgateway.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: http + port: {{ .Values.pushgateway.service.servicePort }} + protocol: TCP + targetPort: 9091 + selector: + {{- include "prometheus.pushgateway.matchLabels" . | nindent 4 }} + type: "{{ .Values.pushgateway.service.type }}" +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/serviceaccount.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/serviceaccount.yaml new file mode 100644 index 000000000..8c0b876f3 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/pushgateway/serviceaccount.yaml 
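Review bot: `type`, `externalIPs`, `loadBalancerIP` and `loadBalancerSourceRanges` are all copied verbatim from values, so a `type: LoadBalancer` or `NodePort` setting exposes the Pushgateway's push API outside the cluster with nothing in the template requiring `loadBalancerSourceRanges` to be set. Since the Pushgateway accepts unauthenticated pushes by default (as far as I know), I'd add a values comment above `pushgateway.service.type` — `# Pushgateway accepts unauthenticated pushes; keep this ClusterIP, or set loadBalancerSourceRanges / an authenticating proxy before exposing it` — or `fail` the render when the type is not ClusterIP and no source ranges are given. The `externalIPs` pass-through deserves the same caveat, as it can direct traffic for arbitrary addresses to this pod.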
@@ -0,0 +1,11 @@ +{{- if and .Values.pushgateway.enabled .Values.serviceAccounts.pushgateway.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.serviceAccountName.pushgateway" . }} +{{ include "prometheus.namespace" . | indent 2 }} + annotations: +{{ toYaml .Values.serviceAccounts.pushgateway.annotations | indent 4 }} +{{- end -}} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/server/clusterrole.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/clusterrole.yaml new file mode 100644 index 000000000..539c56304 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/clusterrole.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.server.enabled .Values.rbac.create (empty .Values.server.useExistingClusterRoleName) -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRole +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.clusterrolefullname" . }} +rules: +{{- if .Values.podSecurityPolicy.enabled }} + - apiGroups: + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "prometheus.server.fullname" . }} +{{- end }} + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/server/clusterrolebinding.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/clusterrolebinding.yaml new file mode 100644 index 000000000..3c42e5827 --- /dev/null 
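Review bot: The server ClusterRole grants cluster-wide `get/list/watch` on `configmaps` and `nodes/proxy`, and nothing in this change shows a scrape job that needs either: ConfigMaps routinely carry sensitive configuration, and `get` on `nodes/proxy` lets the Prometheus service account read any pod's container logs through the kubelet API (per the kubelet authorizer's resource mapping, as I understand it), not just metrics. Unless a job in `serverFiles` depends on them (the values are not visible here), I'd drop `configmaps` and keep kubelet access to `nodes/metrics`; if cAdvisor scraping via the API-server proxy is required, keep `nodes/proxy` with a comment above it saying so. Two smaller issues: `ingresses` under the core `""` apiGroup is a no-op (the following `networking.k8s.io` rule already covers it), and the PSP `use` rule lists only the `extensions` apiGroup, which newer clusters no longer serve for `podsecuritypolicies` — adding `- policy` to that rule's `apiGroups` is safer.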
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.server.enabled .Values.rbac.create (empty .Values.server.namespaces) (empty .Values.server.useExistingClusterRoleName) -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRoleBinding +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.clusterrolefullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.server" . }} +{{ include "prometheus.namespace" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "prometheus.server.clusterrolefullname" . }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/server/cm.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/cm.yaml new file mode 100644 index 000000000..a0a813ae2 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/cm.yaml 
@@ -0,0 +1,85 @@ +{{- if .Values.server.enabled -}} +{{- if (empty .Values.server.configMapOverrideName) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +data: +{{- $root := . -}} +{{- range $key, $value := .Values.ruleFiles }} + {{ $key }}: {{- toYaml $value | indent 2 }} +{{- end }} +{{- range $key, $value := .Values.serverFiles }} + {{ $key }}: | +{{- if eq $key "prometheus.yml" }} + global: +{{ $root.Values.server.global | toYaml | trimSuffix "\n" | indent 6 }} +{{- if $root.Values.server.remoteWrite }} + remote_write: +{{ $root.Values.server.remoteWrite | toYaml | indent 4 }} +{{- end }} +{{- if $root.Values.server.remoteRead }} + remote_read: +{{ $root.Values.server.remoteRead | toYaml | indent 4 }} +{{- end }} +{{- end }} +{{- if eq $key "alerts" }} +{{- if and (not (empty $value)) (empty $value.groups) }} + groups: +{{- range $ruleKey, $ruleValue := $value }} + - name: {{ $ruleKey -}}.rules + rules: +{{ $ruleValue | toYaml | trimSuffix "\n" | indent 6 }} +{{- end }} +{{- else }} +{{ toYaml $value | indent 4 }} +{{- end }} +{{- else }} +{{ toYaml $value | default "{}" | indent 4 }} +{{- end }} +{{- if eq $key "prometheus.yml" -}} +{{- if $root.Values.extraScrapeConfigs }} +{{ tpl $root.Values.extraScrapeConfigs $root | indent 4 }} +{{- end -}} +{{- if or ($root.Values.alertmanager.enabled) ($root.Values.server.alertmanagers) }} + alerting: +{{- if $root.Values.alertRelabelConfigs }} +{{ $root.Values.alertRelabelConfigs | toYaml | trimSuffix "\n" | indent 6 }} +{{- end }} + alertmanagers: +{{- if $root.Values.server.alertmanagers }} +{{ toYaml $root.Values.server.alertmanagers | indent 8 }} +{{- else }} + - kubernetes_sd_configs: + - role: pod + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: 
/var/run/secrets/kubernetes.io/serviceaccount/token + {{- if $root.Values.alertmanager.prefixURL }} + path_prefix: {{ $root.Values.alertmanager.prefixURL }} + {{- end }} + relabel_configs: + - source_labels: [__meta_kubernetes_namespace] + regex: {{ $root.Release.Namespace }} + action: keep + - source_labels: [__meta_kubernetes_pod_label_app] + regex: {{ template "prometheus.name" $root }} + action: keep + - source_labels: [__meta_kubernetes_pod_label_component] + regex: alertmanager + action: keep + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_probe] + regex: {{ index $root.Values.alertmanager.podAnnotations "prometheus.io/probe" | default ".*" }} + action: keep + - source_labels: [__meta_kubernetes_pod_container_port_number] + regex: "9093" + action: keep +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/server/deploy.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/deploy.yaml new file mode 100644 index 000000000..704fe9132 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/deploy.yaml 
@@ -0,0 +1,329 @@ +{{- if .Values.server.enabled -}} +{{- if not .Values.server.statefulSet.enabled -}} +apiVersion: {{ template "prometheus.deployment.apiVersion" . }} +kind: Deployment +metadata: +{{- if .Values.server.deploymentAnnotations }} + annotations: + {{ toYaml .Values.server.deploymentAnnotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + selector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + replicas: {{ .Values.server.replicaCount }} + {{- if .Values.server.strategy }} + strategy: +{{ toYaml .Values.server.strategy | trim | indent 4 }} + {{ if eq .Values.server.strategy.type "Recreate" }}rollingUpdate: null{{ end }} +{{- end }} + template: + metadata: + {{- if .Values.server.podAnnotations }} + annotations: + {{ toYaml .Values.server.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 8 }} + {{- if .Values.server.podLabels}} + {{ toYaml .Values.server.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.server.priorityClassName }} + priorityClassName: "{{ .Values.server.priorityClassName }}" +{{- end }} +{{- if .Values.server.schedulerName }} + schedulerName: "{{ .Values.server.schedulerName }}" +{{- end }} +{{- if semverCompare ">=1.13-0" .Capabilities.KubeVersion.GitVersion }} + {{- if or (.Values.server.enableServiceLinks) (eq (.Values.server.enableServiceLinks | toString) "") }} + enableServiceLinks: true + {{- else }} + enableServiceLinks: false + {{- end }} +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.server" . 
}} + {{- if .Values.server.extraInitContainers }} + initContainers: +{{ toYaml .Values.server.extraInitContainers | indent 8 }} + {{- end }} + containers: + {{- if .Values.configmapReload.prometheus.enabled }} + - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }}-{{ .Values.configmapReload.prometheus.name }} + image: "{{ include "get.cmreloadimage" .}}" + imagePullPolicy: "{{ .Values.configmapReload.prometheus.image.pullPolicy }}" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090{{ .Values.server.prefixURL }}/-/reload + {{- range $key, $value := .Values.configmapReload.prometheus.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraVolumeDirs }} + - --volume-dir={{ . }} + {{- end }} + {{- if .Values.configmapReload.prometheus.containerPort }} + ports: + - containerPort: {{ .Values.configmapReload.prometheus.containerPort }} + {{- end }} + resources: +{{ toYaml .Values.configmapReload.prometheus.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- end }} + + - name: {{ template "prometheus.name" . 
}}-{{ .Values.server.name }} + image: "{{ include "get.serverimage" .}}" + imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" + {{- if .Values.server.env }} + env: +{{ toYaml .Values.server.env | indent 12}} + {{- end }} + args: + {{- if .Values.server.defaultFlagsOverride }} + {{ toYaml .Values.server.defaultFlagsOverride | nindent 12}} + {{- else }} + {{- if .Values.server.retention }} + - --storage.tsdb.retention.time={{ .Values.server.retention }} + {{- end }} + - --config.file={{ .Values.server.configPath }} + {{- if .Values.server.storagePath }} + - --storage.tsdb.path={{ .Values.server.storagePath }} + {{- else }} + - --storage.tsdb.path={{ .Values.server.persistentVolume.mountPath }} + {{- end }} + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + {{- range .Values.server.extraFlags }} + - --{{ . }} + {{- end }} + {{- range $key, $value := .Values.server.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.server.prefixURL }} + - --web.route-prefix={{ .Values.server.prefixURL }} + {{- end }} + {{- if .Values.server.baseURL }} + - --web.external-url={{ .Values.server.baseURL }} + {{- end }} + {{- end }} + ports: + - containerPort: 9090 + {{- if .Values.server.hostPort }} + hostPort: {{ .Values.server.hostPort }} + {{- end }} + readinessProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/ready + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- if .Values.server.probeHeaders }} + httpHeaders: + {{- range .Values.server.probeHeaders}} + - name: {{ .name }} + value: {{ .value }} + {{- end }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + initialDelaySeconds: {{ .Values.server.readinessProbeInitialDelay }} + periodSeconds: {{ .Values.server.readinessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.readinessProbeTimeout }} + failureThreshold: {{ 
.Values.server.readinessProbeFailureThreshold }} + successThreshold: {{ .Values.server.readinessProbeSuccessThreshold }} + livenessProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/healthy + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- if .Values.server.probeHeaders }} + httpHeaders: + {{- range .Values.server.probeHeaders}} + - name: {{ .name }} + value: {{ .value }} + {{- end }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + initialDelaySeconds: {{ .Values.server.livenessProbeInitialDelay }} + periodSeconds: {{ .Values.server.livenessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.livenessProbeTimeout }} + failureThreshold: {{ .Values.server.livenessProbeFailureThreshold }} + successThreshold: {{ .Values.server.livenessProbeSuccessThreshold }} + {{- if .Values.server.startupProbe.enabled }} + startupProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/healthy + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- if .Values.server.probeHeaders }} + httpHeaders: + {{- range .Values.server.probeHeaders}} + - name: {{ .name }} + value: {{ .value }} + {{- end }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + failureThreshold: {{ .Values.server.startupProbe.failureThreshold }} + periodSeconds: {{ .Values.server.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.server.startupProbe.timeoutSeconds }} + {{- end }} + resources: +{{ toYaml .Values.server.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: {{ .Values.server.persistentVolume.mountPath }} + subPath: "{{ .Values.server.persistentVolume.subPath }}" + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range 
.Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.server.extraVolumeMounts }} + {{ toYaml .Values.server.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- if .Values.server.containerSecurityContext }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext | nindent 12 }} + {{- end }} + {{- if .Values.server.sidecarContainers }} + {{- range $name, $spec := .Values.server.sidecarContainers }} + - name: {{ $name }} + {{- if kindIs "string" $spec }} + {{- tpl $spec $ | nindent 10 }} + {{- else }} + {{- toYaml $spec | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + hostNetwork: {{ .Values.server.hostNetwork }} + {{- if .Values.server.dnsPolicy }} + dnsPolicy: {{ .Values.server.dnsPolicy }} + {{- end }} + {{- if (or .Values.global.imagePullSecret .Values.imagePullSecrets) }} + imagePullSecrets: + {{- if .Values.global.imagePullSecret }} + - name: {{ .Values.global.imagePullSecret }} + {{- end }} + {{- if .Values.imagePullSecrets }} +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: +{{ toYaml .Values.server.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.server.hostAliases }} + hostAliases: +{{ toYaml .Values.server.hostAliases | indent 8 }} + {{- end }} + {{- if .Values.server.dnsConfig }} + dnsConfig: +{{ toYaml .Values.server.dnsConfig | indent 8 }} + {{- end }} + {{- if .Values.server.securityContext }} + securityContext: +{{ toYaml .Values.server.securityContext | indent 8 }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: +{{ toYaml .Values.server.tolerations | indent 8 }} + {{- end }} + {{- if .Values.server.affinity 
}} + affinity: +{{ toYaml .Values.server.affinity | indent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + volumes: + - name: config-volume + {{- if empty .Values.server.configFromSecret }} + configMap: + name: {{ if .Values.server.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.server.configMapOverrideName }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} + {{- else }} + secret: + secretName: {{ .Values.server.configFromSecret }} + {{- end }} + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} +{{- if .Values.server.extraVolumes }} +{{ toYaml .Values.server.extraVolumes | indent 8}} +{{- end }} + - name: storage-volume + {{- if .Values.server.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: {{ if .Values.server.persistentVolume.existingClaim }}{{ .Values.server.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} + {{- else }} + emptyDir: + {{- if .Values.server.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.server.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} 
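Review bot: In the `extraHostPathMounts` loop the volumeMount's `readOnly: {{ .readOnly }}` is rendered straight from values, so an entry that omits `readOnly` becomes `readOnly:` (null, i.e. false) and the host directory is mounted read-write into the Prometheus container — the most privileged thing this Deployment can do, and the matching PSP allows `hostPath`. I'd make the default read-only with `readOnly: {{ if hasKey . "readOnly" }}{{ .readOnly }}{{ else }}true{{ end }}` (`default true` won't work because Go templates treat `false` as empty). Also `hostNetwork: {{ .Values.server.hostNetwork }}` and the optional `hostPort` are rendered unconditionally with no comment on the exposure they imply, and `configmapReload.prometheus.extraConfigmapMounts` is rendered twice under `volumes` (once prefixed with the reloader name, once as bare `.name`); the second copy looks like a leftover and would make the pod invalid if a bare name collides with another volume.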
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/server/headless-svc.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/headless-svc.yaml new file mode 100644 index 000000000..d519f4e0e --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/headless-svc.yaml @@ -0,0 +1,37 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.server.statefulSet.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.server.statefulSet.headless.annotations }} + annotations: +{{ toYaml .Values.server.statefulSet.headless.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +{{- if .Values.server.statefulSet.headless.labels }} +{{ toYaml .Values.server.statefulSet.headless.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.server.fullname" . }}-headless +{{ include "prometheus.namespace" . | indent 2 }} +spec: + clusterIP: None + ports: + - name: http + port: {{ .Values.server.statefulSet.headless.servicePort }} + protocol: TCP + targetPort: 9090 + {{- if .Values.server.statefulSet.headless.gRPC.enabled }} + - name: grpc + port: {{ .Values.server.statefulSet.headless.gRPC.servicePort }} + protocol: TCP + targetPort: 10901 + {{- if .Values.server.statefulSet.headless.gRPC.nodePort }} + nodePort: {{ .Values.server.statefulSet.headless.gRPC.nodePort }} + {{- end }} + {{- end }} + + selector: + {{- include "prometheus.server.matchLabels" . | nindent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/server/ingress.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/ingress.yaml new file mode 100644 index 000000000..000f39cab --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/ingress.yaml 
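Review bot: The `nodePort` rendered under the gRPC port cannot work on this Service: `clusterIP: None` makes it a headless ClusterIP Service, and as far as I know the API server rejects `nodePort` unless `type` is NodePort or LoadBalancer, so setting `server.statefulSet.headless.gRPC.nodePort` will fail the install rather than expose the port. If node-level exposure of port 10901 (presumably the Thanos sidecar — inferred from the port, please confirm) is genuinely wanted it needs a separate non-headless Service, and that should be called out as a security decision because that gRPC endpoint is typically served without authentication. Otherwise I'd drop the `nodePort` branch and leave a comment `# headless service: nodePort is not valid here`.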
@@ -0,0 +1,59 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.server.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} +{{- $releaseName := .Release.Name -}} +{{- $serviceName := include "prometheus.server.fullname" . }} +{{- $servicePort := .Values.server.service.servicePort -}} +{{- $ingressPath := .Values.server.ingress.path -}} +{{- $ingressPathType := .Values.server.ingress.pathType -}} +{{- $extraPaths := .Values.server.ingress.extraPaths -}} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.server.ingress.annotations }} + annotations: +{{ toYaml .Values.server.ingress.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +{{- range $key, $value := .Values.server.ingress.extraLabels }} + {{ $key }}: {{ $value }} +{{- end }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.server.ingress.ingressClassName }} + ingressClassName: {{ .Values.server.ingress.ingressClassName }} + {{- end }} + rules: + {{- range .Values.server.ingress.hosts }} + {{- $url := splitList "/" . 
}} + - host: {{ first $url }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} +{{- if .Values.server.ingress.tls }} + tls: +{{ toYaml .Values.server.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/server/netpol.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/netpol.yaml new file mode 100644 index 000000000..c8870e9ff --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/netpol.yaml @@ -0,0 +1,18 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.networkPolicy.enabled }} +apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + ingress: + - ports: + - port: 9090 +{{- end }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/server/pdb.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/pdb.yaml new file mode 100644 index 000000000..364cb5b49 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/pdb.yaml 
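Review bot: The server Ingress exposes Prometheus's HTTP API and UI with `tls` only when `server.ingress.tls` is provided and no authentication requirement anywhere in the template; Prometheus has no authentication of its own, so every series this instance holds (and, if `--web.enable-admin-api` or `--web.enable-lifecycle` are added through `server.extraFlags`, destructive endpoints too) becomes reachable by anyone who can resolve the host. I'd add a values comment above `server.ingress.enabled` such as `# Prometheus has no auth of its own; front this Ingress with TLS and ingress-level authentication before enabling it`, and consider failing the render when `ingress.enabled` is true and `ingress.tls` is empty. The `range` also drops everything after the first `/` of each host via `first $url`, so `host/path` entries silently lose their path.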
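Review bot: The server NetworkPolicy's only ingress rule, `- ports: - port: 9090`, has no `from`, so once `networkPolicy.enabled` is true it selects the server pods and admits 9090 from every source; its sole effect is to deny ports nothing listens on. If isolation is the goal the rule needs a `from:` block (a `namespaceSelector`/`podSelector` for the K10 components and any ingress controller that should reach Prometheus). If open 9090 is intended, a comment such as `# 9090 is intentionally reachable from any pod; add a from: block to restrict sources` would stop the next reader from assuming this policy restricts callers.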
@@ -0,0 +1,14 @@ +{{- if .Values.server.podDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.server.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + {{- include "prometheus.server.labels" . | nindent 6 }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/server/psp.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/psp.yaml new file mode 100644 index 000000000..e2b885f16 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/psp.yaml 
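Review bot: `apiVersion: policy/v1beta1` is hard-coded for the PodDisruptionBudget while the neighbouring templates derive their apiVersion from helpers (`prometheus.podSecurityPolicy.apiVersion`, `ingress.apiVersion`); `policy/v1beta1` PDBs are no longer served on Kubernetes 1.25 and later, so enabling `server.podDisruptionBudget.enabled` breaks installs there. A capability check fixes it in one line: `apiVersion: {{ if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}policy/v1{{ else }}policy/v1beta1{{ end }}`. Also, the PDB `selector` uses `prometheus.server.labels` whereas the Deployment's selector uses `prometheus.server.matchLabels`; if the full label set includes a chart-version label (not visible here), the PDB stops matching after an upgrade.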
@@ -0,0 +1,51 @@ +{{- if and .Values.server.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }} +apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }} +kind: PodSecurityPolicy +metadata: + name: {{ template "prometheus.server.fullname" . }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + annotations: +{{- if .Values.server.podSecurityPolicy.annotations }} +{{ toYaml .Values.server.podSecurityPolicy.annotations | indent 4 }} +{{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + allowedCapabilities: + - 'CHOWN' + volumes: + - 'configMap' + - 'persistentVolumeClaim' + - 'emptyDir' + - 'secret' + - 'hostPath' + allowedHostPaths: + - pathPrefix: /etc + readOnly: true + - pathPrefix: {{ .Values.server.persistentVolume.mountPath }} + {{- range .Values.server.extraHostPathMounts }} + - pathPrefix: {{ .hostPath }} + readOnly: {{ .readOnly }} + {{- end }} + hostNetwork: false + hostPID: false + hostIPC: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/server/pvc.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/pvc.yaml new file mode 100644 index 000000000..ffc903f00 --- /dev/null +++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/pvc.yaml 
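Review bot: `allowedHostPaths` whitelists `pathPrefix: /etc` (read-only) for the server pod, which permits mounting the node's entire `/etc` — kubelet credentials, `/etc/kubernetes`, `/etc/shadow` — into the Prometheus container; if this exists for a single file (timezone data is the usual reason, but the purpose is not visible here) narrow it to that path, e.g. `pathPrefix: /etc/localtime`, or remove it together with `hostPath` from `volumes` if no host mount is required. The `pathPrefix: {{ .Values.server.persistentVolume.mountPath }}` entry is a container mount path, not a host path, so it does not belong in `allowedHostPaths` at all. Finally, `runAsUser: RunAsAny` combined with `allowedCapabilities: CHOWN` and `readOnlyRootFilesystem: false` means this PSP does not prevent a root container; `MustRunAsNonRoot` would be the safer default if the image supports it, and a comment explaining why CHOWN is needed would help the next reviewer.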
@@ -0,0 +1,45 @@
+{{- if .Values.server.enabled -}}
+{{- if not .Values.server.statefulSet.enabled -}}
+{{- if .Values.server.persistentVolume.enabled -}}
+{{- if not .Values.server.persistentVolume.existingClaim -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ {{- if .Values.server.persistentVolume.annotations }}
+ annotations:
+{{ toYaml .Values.server.persistentVolume.annotations | indent 4 }}
+ {{- end }}
+ labels:
+ {{- include "prometheus.server.labels" . | nindent 4 }}
+ name: {{ template "prometheus.server.fullname" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+spec:
+ accessModes:
+{{ toYaml .Values.server.persistentVolume.accessModes | indent 4 }}
+{{- if .Values.server.persistentVolume.storageClass }}
+ {{- if (eq "-" .Values.server.persistentVolume.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: "{{ .Values.server.persistentVolume.storageClass }}"
+ {{- end }}
+{{- else if .Values.global.persistence.storageClass }}
+ {{- if (eq "-" .Values.global.persistence.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: "{{ .Values.global.persistence.storageClass }}"
+ {{- end }}
+{{- end }}
+{{- if .Values.server.persistentVolume.volumeBindingMode }}
+ volumeBindingMode: "{{ .Values.server.persistentVolume.volumeBindingMode }}"
+{{- end }}
+ resources:
+ requests:
+ storage: "{{ .Values.server.persistentVolume.size }}"
+{{- if .Values.server.persistentVolume.selector }}
+ selector:
+ {{- toYaml .Values.server.persistentVolume.selector | nindent 4 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/server/rolebinding.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/rolebinding.yaml
new file mode 100644
index 000000000..93ce3ee13
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/rolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.server.enabled .Values.rbac.create .Values.server.useExistingClusterRoleName .Values.server.namespaces -}}
+{{ range $.Values.server.namespaces -}}
+---
+apiVersion: {{ template "rbac.apiVersion" $ }}
+kind: RoleBinding
+metadata:
+ labels:
+ {{- include "prometheus.server.labels" $ | nindent 4 }}
+ name: {{ template "prometheus.server.fullname" $ }}
+ namespace: {{ . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "prometheus.serviceAccountName.server" $ }}
+{{ include "prometheus.namespace" $ | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ $.Values.server.useExistingClusterRoleName }}
+{{ end -}}
+{{ end -}}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/server/service.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/service.yaml
new file mode 100644
index 000000000..68f988927
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/service.yaml
@@ -0,0 +1,60 @@
+{{- if .Values.server.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Values.server.service.annotations }}
+ annotations:
+{{ toYaml .Values.server.service.annotations | indent 4 }}
+{{- end }}
+ labels:
+ {{- include "prometheus.server.labels" . | nindent 4 }}
+{{- if .Values.server.service.labels }}
+{{ toYaml .Values.server.service.labels | indent 4 }}
+{{- end }}
+ name: {{ template "prometheus.server.fullname" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+spec:
+{{- if .Values.server.service.clusterIP }}
+ clusterIP: {{ .Values.server.service.clusterIP }}
+{{- end }}
+{{- if .Values.server.service.externalIPs }}
+ externalIPs:
+{{ toYaml .Values.server.service.externalIPs | indent 4 }}
+{{- end }}
+{{- if .Values.server.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.server.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.server.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+ {{- range $cidr := .Values.server.service.loadBalancerSourceRanges }}
+ - {{ $cidr }}
+ {{- end }}
+{{- end }}
+ ports:
+ - name: http
+ port: {{ .Values.server.service.servicePort }}
+ protocol: TCP
+ targetPort: 9090
+ {{- if .Values.server.service.nodePort }}
+ nodePort: {{ .Values.server.service.nodePort }}
+ {{- end }}
+ {{- if .Values.server.service.gRPC.enabled }}
+ - name: grpc
+ port: {{ .Values.server.service.gRPC.servicePort }}
+ protocol: TCP
+ targetPort: 10901
+ {{- if .Values.server.service.gRPC.nodePort }}
+ nodePort: {{ .Values.server.service.gRPC.nodePort }}
+ {{- end }}
+ {{- end }}
+ selector:
+ {{- if and .Values.server.statefulSet.enabled .Values.server.service.statefulsetReplica.enabled }}
+ statefulset.kubernetes.io/pod-name: {{ template "prometheus.server.fullname" . }}-{{ .Values.server.service.statefulsetReplica.replica }}
+ {{- else -}}
+ {{- include "prometheus.server.matchLabels" . | nindent 4 }}
+{{- if .Values.server.service.sessionAffinity }}
+ sessionAffinity: {{ .Values.server.service.sessionAffinity }}
+{{- end }}
+ {{- end }}
+ type: "{{ .Values.server.service.type }}"
+{{- end -}}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/server/serviceaccount.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/serviceaccount.yaml
new file mode 100644
index 000000000..9c0502ab7
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.server.enabled -}}
+{{- if .Values.serviceAccounts.server.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ {{- include "prometheus.server.labels" . | nindent 4 }}
+ name: {{ template "prometheus.serviceAccountName.server" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+ annotations:
+{{ toYaml .Values.serviceAccounts.server.annotations | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/server/sts.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/sts.yaml
new file mode 100644
index 000000000..7bd0e7823
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/sts.yaml
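Review bot: The `sessionAffinity` block is placed inside the `{{- else -}}` branch of the selector condition, so when both `server.statefulSet.enabled` and `server.service.statefulsetReplica.enabled` are true a configured `server.service.sessionAffinity` is silently dropped from the rendered Service; move the three lines `{{- if .Values.server.service.sessionAffinity }}` / `sessionAffinity: {{ .Values.server.service.sessionAffinity }}` / `{{- end }}` out of that branch to sit next to `type:`. Separately, `externalIPs`, the `nodePort` fields and a `NodePort`/`LoadBalancer` `type` all publish container port 9090 of the Prometheus server, which nothing in the visible templates fronts with authentication, and `loadBalancerSourceRanges` only constrains the LoadBalancer path; a values comment next to those keys warning that they expose the unauthenticated query API and UI outside the cluster would be worth adding. The Service template is complete within this hunk.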
@@ -0,0 +1,313 @@
+{{- if .Values.server.enabled -}}
+{{- if .Values.server.statefulSet.enabled -}}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+{{- if .Values.server.statefulSet.annotations }}
+ annotations:
+ {{ toYaml .Values.server.statefulSet.annotations | nindent 4 }}
+{{- end }}
+ labels:
+ {{- include "prometheus.server.labels" . | nindent 4 }}
+ {{- if .Values.server.statefulSet.labels}}
+ {{ toYaml .Values.server.statefulSet.labels | nindent 4 }}
+ {{- end}}
+ name: {{ template "prometheus.server.fullname" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+spec:
+ serviceName: {{ template "prometheus.server.fullname" . }}-headless
+ selector:
+ matchLabels:
+ {{- include "prometheus.server.matchLabels" . | nindent 6 }}
+ replicas: {{ .Values.server.replicaCount }}
+ podManagementPolicy: {{ .Values.server.statefulSet.podManagementPolicy }}
+ template:
+ metadata:
+ {{- if .Values.server.podAnnotations }}
+ annotations:
+ {{ toYaml .Values.server.podAnnotations | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "prometheus.server.labels" . | nindent 8 }}
+ {{- if .Values.server.podLabels}}
+ {{ toYaml .Values.server.podLabels | nindent 8 }}
+ {{- end}}
+ spec:
+{{- if .Values.server.priorityClassName }}
+ priorityClassName: "{{ .Values.server.priorityClassName }}"
+{{- end }}
+{{- if .Values.server.schedulerName }}
+ schedulerName: "{{ .Values.server.schedulerName }}"
+{{- end }}
+{{- if semverCompare ">=1.13-0" .Capabilities.KubeVersion.GitVersion }}
+ {{- if or (.Values.server.enableServiceLinks) (eq (.Values.server.enableServiceLinks | toString) "") }}
+ enableServiceLinks: true
+ {{- else }}
+ enableServiceLinks: false
+ {{- end }}
+{{- end }}
+ serviceAccountName: {{ template "prometheus.serviceAccountName.server" . }}
+ {{- if .Values.server.extraInitContainers }}
+ initContainers:
+{{ toYaml .Values.server.extraInitContainers | indent 8 }}
+ {{- end }}
+ containers:
+ {{- if .Values.configmapReload.prometheus.enabled }}
+ - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }}-{{ .Values.configmapReload.prometheus.name }}
+ image: "{{ include "get.cmreloadimage" .}}"
+ imagePullPolicy: "{{ .Values.configmapReload.prometheus.image.pullPolicy }}"
+ args:
+ - --volume-dir=/etc/config
+ - --webhook-url=http://127.0.0.1:9090{{ .Values.server.prefixURL }}/-/reload
+ {{- range $key, $value := .Values.configmapReload.prometheus.extraArgs }}
+ - --{{ $key }}={{ $value }}
+ {{- end }}
+ {{- range .Values.configmapReload.prometheus.extraVolumeDirs }}
+ - --volume-dir={{ . }}
+ {{- end }}
+ {{- if .Values.configmapReload.prometheus.containerPort }}
+ ports:
+ - containerPort: {{ .Values.configmapReload.prometheus.containerPort }}
+ {{- end }}
+ resources:
+{{ toYaml .Values.configmapReload.prometheus.resources | indent 12 }}
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/config
+ readOnly: true
+ {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }}
+ - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }}
+ mountPath: {{ .mountPath }}
+ subPath: {{ .subPath }}
+ readOnly: {{ .readOnly }}
+ {{- end }}
+ {{- end }}
+
+ - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }}
+ image: "{{ include "get.serverimage" .}}"
+ imagePullPolicy: "{{ .Values.server.image.pullPolicy }}"
+ {{- if .Values.server.env }}
+ env:
+{{ toYaml .Values.server.env | indent 12}}
+ {{- end }}
+ args:
+ {{- if .Values.server.defaultFlagsOverride }}
+ {{ toYaml .Values.server.defaultFlagsOverride | nindent 12}}
+ {{- else }}
+ {{- if .Values.server.prefixURL }}
+ - --web.route-prefix={{ .Values.server.prefixURL }}
+ {{- end }}
+ {{- if .Values.server.retention }}
+ - --storage.tsdb.retention.time={{ .Values.server.retention }}
+ {{- end }}
+ - --config.file={{ .Values.server.configPath }}
+ {{- if .Values.server.storagePath }}
+ - --storage.tsdb.path={{ .Values.server.storagePath }}
+ {{- else }}
+ - --storage.tsdb.path={{ .Values.server.persistentVolume.mountPath }}
+ {{- end }}
+ - --web.console.libraries=/etc/prometheus/console_libraries
+ - --web.console.templates=/etc/prometheus/consoles
+ {{- range .Values.server.extraFlags }}
+ - --{{ . }}
+ {{- end }}
+ {{- range $key, $value := .Values.server.extraArgs }}
+ - --{{ $key }}={{ $value }}
+ {{- end }}
+ {{- if .Values.server.baseURL }}
+ - --web.external-url={{ .Values.server.baseURL }}
+ {{- end }}
+ {{- end }}
+ ports:
+ - containerPort: 9090
+ {{- if .Values.server.hostPort }}
+ hostPort: {{ .Values.server.hostPort }}
+ {{- end }}
+ readinessProbe:
+ {{- if not .Values.server.tcpSocketProbeEnabled }}
+ httpGet:
+ path: {{ .Values.server.prefixURL }}/-/ready
+ port: 9090
+ scheme: {{ .Values.server.probeScheme }}
+ {{- else }}
+ tcpSocket:
+ port: 9090
+ {{- end }}
+ initialDelaySeconds: {{ .Values.server.readinessProbeInitialDelay }}
+ periodSeconds: {{ .Values.server.readinessProbePeriodSeconds }}
+ timeoutSeconds: {{ .Values.server.readinessProbeTimeout }}
+ failureThreshold: {{ .Values.server.readinessProbeFailureThreshold }}
+ successThreshold: {{ .Values.server.readinessProbeSuccessThreshold }}
+ livenessProbe:
+ {{- if not .Values.server.tcpSocketProbeEnabled }}
+ httpGet:
+ path: {{ .Values.server.prefixURL }}/-/healthy
+ port: 9090
+ scheme: {{ .Values.server.probeScheme }}
+ {{- else }}
+ tcpSocket:
+ port: 9090
+ {{- end }}
+ initialDelaySeconds: {{ .Values.server.livenessProbeInitialDelay }}
+ periodSeconds: {{ .Values.server.livenessProbePeriodSeconds }}
+ timeoutSeconds: {{ .Values.server.livenessProbeTimeout }}
+ failureThreshold: {{ .Values.server.livenessProbeFailureThreshold }}
+ successThreshold: {{ .Values.server.livenessProbeSuccessThreshold }}
+ resources:
+{{ toYaml .Values.server.resources | indent 12 }}
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/config
+ - name: storage-volume
+ mountPath: {{ .Values.server.persistentVolume.mountPath }}
+ subPath: "{{ .Values.server.persistentVolume.subPath }}"
+ {{- range .Values.server.extraHostPathMounts }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath }}
+ subPath: {{ .subPath }}
+ readOnly: {{ .readOnly }}
+ {{- end }}
+ {{- range .Values.server.extraConfigmapMounts }}
+ - name: {{ $.Values.server.name }}-{{ .name }}
+ mountPath: {{ .mountPath }}
+ subPath: {{ .subPath }}
+ readOnly: {{ .readOnly }}
+ {{- end }}
+ {{- range .Values.server.extraSecretMounts }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath }}
+ subPath: {{ .subPath }}
+ readOnly: {{ .readOnly }}
+ {{- end }}
+ {{- if .Values.server.extraVolumeMounts }}
+ {{ toYaml .Values.server.extraVolumeMounts | nindent 12 }}
+ {{- end }}
+ {{- if .Values.server.sidecarContainers }}
+ {{- range $name, $spec := .Values.server.sidecarContainers }}
+ - name: {{ $name }}
+ {{- if kindIs "string" $spec }}
+ {{- tpl $spec $ | nindent 10 }}
+ {{- else }}
+ {{- toYaml $spec | nindent 10 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ hostNetwork: {{ .Values.server.hostNetwork }}
+ {{- if .Values.server.dnsPolicy }}
+ dnsPolicy: {{ .Values.server.dnsPolicy }}
+ {{- end }}
+ {{- if (or .Values.global.imagePullSecret .Values.imagePullSecrets) }}
+ imagePullSecrets:
+ {{- if .Values.global.imagePullSecrets }}
+ - name: {{ .Values.global.imagePullSecret }}
+ {{- end }}
+ {{- if .Values.imagePullSecrets }}
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.server.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.server.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- if .Values.server.hostAliases }}
+ hostAliases:
+{{ toYaml .Values.server.hostAliases | indent 8 }}
+ {{- end }}
+ {{- if .Values.server.dnsConfig }}
+ dnsConfig:
+{{ toYaml .Values.server.dnsConfig | indent 8 }}
+ {{- end }}
+ {{- if .Values.server.securityContext }}
+ securityContext:
+{{ toYaml .Values.server.securityContext | indent 8 }}
+ {{- end }}
+ {{- if .Values.server.tolerations }}
+ tolerations:
+{{ toYaml .Values.server.tolerations | indent 8 }}
+ {{- end }}
+ {{- if .Values.server.affinity }}
+ affinity:
+{{ toYaml .Values.server.affinity | indent 8 }}
+ {{- end }}
+ terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
+ volumes:
+ - name: config-volume
+ {{- if empty .Values.server.configFromSecret }}
+ configMap:
+ name: {{ if .Values.server.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.server.configMapOverrideName }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }}
+ {{- else }}
+ secret:
+ secretName: {{ .Values.server.configFromSecret }}
+ {{- end }}
+ {{- range .Values.server.extraHostPathMounts }}
+ - name: {{ .name }}
+ hostPath:
+ path: {{ .hostPath }}
+ {{- end }}
+ {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }}
+ - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }}
+ configMap:
+ name: {{ .configMap }}
+ {{- end }}
+ {{- range .Values.server.extraConfigmapMounts }}
+ - name: {{ $.Values.server.name }}-{{ .name }}
+ configMap:
+ name: {{ .configMap }}
+ {{- end }}
+ {{- range .Values.server.extraSecretMounts }}
+ - name: {{ .name }}
+ secret:
+ secretName: {{ .secretName }}
+ {{- with .optional }}
+ optional: {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }}
+ - name: {{ .name }}
+ configMap:
+ name: {{ .configMap }}
+ {{- with .optional }}
+ optional: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- if .Values.server.extraVolumes }}
+{{ toYaml .Values.server.extraVolumes | indent 8}}
+{{- end }}
+{{- if .Values.server.persistentVolume.enabled }}
+ volumeClaimTemplates:
+ - metadata:
+ name: storage-volume
+ {{- if .Values.server.persistentVolume.annotations }}
+ annotations:
+{{ toYaml .Values.server.persistentVolume.annotations | indent 10 }}
+ {{- end }}
+ spec:
+ accessModes:
+{{ toYaml .Values.server.persistentVolume.accessModes | indent 10 }}
+ resources:
+ requests:
+ storage: "{{ .Values.server.persistentVolume.size }}"
+ {{- if .Values.server.persistentVolume.storageClass }}
+ {{- if (eq "-" .Values.server.persistentVolume.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: "{{ .Values.server.persistentVolume.storageClass }}"
+ {{- end }}
+ {{- else if .Values.global.persistence.storageClass }}
+ {{- if (eq "-" .Values.global.persistence.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: "{{ .Values.global.persistence.storageClass }}"
+ {{- end }}
+ {{- end }}
+{{- else }}
+ - name: storage-volume
+ emptyDir:
+ {{- if .Values.server.emptyDir.sizeLimit }}
+ sizeLimit: {{ .Values.server.emptyDir.sizeLimit }}
+ {{- else }}
+ {}
+ {{- end -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/templates/server/vpa.yaml b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/vpa.yaml
new file mode 100644
index 000000000..981a9b485
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/templates/server/vpa.yaml
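Review bot: The `imagePullSecrets` block in the pod spec guards the entry with `{{- if .Values.global.imagePullSecrets }}` (plural) but renders and outer-guards on `.Values.global.imagePullSecret` (singular), so a user who sets only `global.imagePullSecret` for a private registry gets an empty `imagePullSecrets:` key and the pod is created without the pull secret; the inner guard should read `{{- if .Values.global.imagePullSecret }}`. Under `volumes:` the `configmapReload.prometheus.extraConfigmapMounts` range is rendered twice, once as `{{ $.Values.configmapReload.prometheus.name }}-{{ .name }}` and again as plain `{{ .name }}`, which duplicates every such volume and can collide with an `extraSecretMounts` entry of the same name; the prefixed loop is the one the sidecar's volumeMounts reference, so the second loop should be dropped (or its `optional` handling folded into the first). The prometheus container itself carries no container-level `securityContext` — only the pod-level `.Values.server.securityContext` is applied — so `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem` and capability drops cannot be set for it, unlike the node-exporter `container.securityContext` that values.yaml exposes; a `server.containerSecurityContext` value rendered under the container would close that gap. The `extraHostPathMounts` volumes also render `hostPath:` with only `path:` and no `type:`, so a missing host path is created as a directory rather than rejected. The StatefulSet template is complete within this hunk.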
@@ -0,0 +1,24 @@
+{{- if .Values.server.enabled -}}
+{{- if .Values.server.verticalAutoscaler.enabled -}}
+apiVersion: autoscaling.k8s.io/v1beta2
+kind: VerticalPodAutoscaler
+metadata:
+ labels:
+ {{- include "prometheus.server.labels" . | nindent 4 }}
+ name: {{ template "prometheus.server.fullname" . }}-vpa
+{{ include "prometheus.namespace" . | indent 2 }}
+spec:
+ targetRef:
+ apiVersion: "apps/v1"
+{{- if .Values.server.statefulSet.enabled }}
+ kind: StatefulSet
+{{- else }}
+ kind: Deployment
+{{- end }}
+ name: {{ template "prometheus.server.fullname" . }}
+ updatePolicy:
+ updateMode: {{ .Values.server.verticalAutoscaler.updateMode | default "Off" | quote }}
+ resourcePolicy:
+ containerPolicies: {{ .Values.server.verticalAutoscaler.containerPolicies | default list | toYaml | trim | nindent 4 }}
+{{- end -}} {{/* if .Values.server.verticalAutoscaler.enabled */}}
+{{- end -}} {{/* .Values.server.enabled */}}
diff --git a/charts/k10/k10/5.0.200/charts/prometheus/values.yaml b/charts/k10/k10/5.0.200/charts/prometheus/values.yaml
new file mode 100644
index 000000000..a43960373
--- /dev/null
+++ b/charts/k10/k10/5.0.200/charts/prometheus/values.yaml
@@ -0,0 +1,1844 @@ +k10image: + registry: gcr.io + repository: kasten-images + +rbac: + create: true + +podSecurityPolicy: + enabled: false + +imagePullSecrets: +# - name: "image-pull-secret" + +## Define serviceAccount names for components. Defaults to component's fully qualified name. +## +serviceAccounts: + alertmanager: + create: true + name: + annotations: {} + nodeExporter: + create: true + name: + annotations: {} + pushgateway: + create: true + name: + annotations: {} + server: + create: true + name: + annotations: {} + +alertmanager: + ## If false, alertmanager will not be installed + ## + enabled: true + + ## Use a ClusterRole (and ClusterRoleBinding) + ## - If set to false - we define a Role and RoleBinding in the defined namespaces ONLY + ## This makes alertmanager work - for users who do not have ClusterAdmin privs, but wants alertmanager to operate on their own namespaces, instead of clusterwide. + useClusterRole: true + + ## Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. + useExistingRole: false + + ## alertmanager container name + ## + name: alertmanager + + ## alertmanager container image + ## + image: + repository: quay.io/prometheus/alertmanager + tag: v0.23.0 + pullPolicy: IfNotPresent + + ## alertmanager priorityClassName + ## + priorityClassName: "" + + ## Custom HTTP headers for Readiness Probe + ## + ## Useful for providing HTTP Basic Auth to healthchecks + probeHeaders: [] + + ## Additional alertmanager container arguments + ## + extraArgs: {} + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug + ## so that the various internal URLs are still able to access as they are in the default case. 
+ ## (Optional) + prefixURL: "" + + ## External URL which can access alertmanager + baseURL: "http://localhost:9093" + + ## Additional alertmanager container environment variable + ## For instance to add a http_proxy + ## + extraEnv: {} + + ## Additional alertmanager Secret mounts + # Defines additional mounts with secrets. Secrets must be manually created in the namespace. + extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # subPath: "" + # secretName: alertmanager-secret-files + # readOnly: true + + ## Additional alertmanager Configmap mounts + extraConfigmapMounts: [] + # - name: template-files + # mountPath: /etc/config/templates.d + # configMap: alertmanager-template-files + # readOnly: true + + ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.alertmanager.configMapOverrideName}} + ## Defining configMapOverrideName will cause templates/alertmanager-configmap.yaml + ## to NOT generate a ConfigMap resource + ## + configMapOverrideName: "" + + ## The name of a secret in the same kubernetes namespace which contains the Alertmanager config + ## Defining configFromSecret will cause templates/alertmanager-configmap.yaml + ## to NOT generate a ConfigMap resource + ## + configFromSecret: "" + + ## The configuration file name to be loaded to alertmanager + ## Must match the key within configuration loaded from ConfigMap/Secret + ## + configFileName: alertmanager.yml + + ingress: + ## If true, alertmanager Ingress will be created + ## + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + ## alertmanager Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## alertmanager Ingress additional labels + ## + extraLabels: {} + + ## 
alertmanager Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - alertmanager.domain.com + # - domain.com/alertmanager + + path: / + + # pathType is only for k8s >= 1.18 + pathType: Prefix + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## alertmanager Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-alerts-tls + # hosts: + # - alertmanager.domain.com + + ## Alertmanager Deployment Strategy type + # strategy: + # type: Recreate + + ## Node tolerations for alertmanager scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for alertmanager pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Pod affinity + ## + affinity: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## Use an alternate scheduler, e.g. "stork". 
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + persistentVolume: + ## If true, alertmanager will create/use a Persistent Volume Claim + ## If false, use emptyDir + ## + enabled: true + + ## alertmanager data Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## alertmanager data Persistent Volume Claim annotations + ## + annotations: {} + + ## alertmanager data Persistent Volume existing claim name + ## Requires alertmanager.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## alertmanager data Persistent Volume mount root path + ## + mountPath: /data + + ## alertmanager data Persistent Volume size + ## + size: 2Gi + + ## alertmanager data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## alertmanager data Persistent Volume Binding Mode + ## If defined, volumeBindingMode: + ## If undefined (the default) or set to null, no volumeBindingMode spec is + ## set, choosing the default mode. 
+ ## + # volumeBindingMode: "" + + ## Subdirectory of alertmanager data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + + ## Persistent Volume Claim Selector + ## Useful if Persistent Volumes have been provisioned in advance + ## Ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + ## + # selector: + # matchLabels: + # release: "stable" + # matchExpressions: + # - { key: environment, operator: In, values: [ dev ] } + + emptyDir: + ## alertmanager emptyDir volume size limit + ## + sizeLimit: "" + + ## Annotations to be added to alertmanager pods + ## + podAnnotations: {} + ## Tell prometheus to use a specific set of alertmanager pods + ## instead of all alertmanager pods found in the same namespace + ## Useful if you deploy multiple releases within the same namespace + ## + ## prometheus.io/probe: alertmanager-teamA + + ## Labels to be added to Prometheus AlertManager pods + ## + podLabels: {} + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + ## Use a StatefulSet if replicaCount needs to be greater than 1 (see below) + ## + replicaCount: 1 + + ## Annotations to be added to deployment + ## + deploymentAnnotations: {} + + statefulSet: + ## If true, use a statefulset instead of a deployment for pod management. 
+ ## This allows to scale replicas to more than 1 pod + ## + enabled: false + + annotations: {} + labels: {} + podManagementPolicy: OrderedReady + + ## Alertmanager headless service to use for the statefulset + ## + headless: + annotations: {} + labels: {} + + ## Enabling peer mesh service end points for enabling the HA alert manager + ## Ref: https://github.com/prometheus/alertmanager/blob/master/README.md + enableMeshPeer: false + + servicePort: 80 + + ## alertmanager resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 10m + # memory: 32Mi + # requests: + # cpu: 10m + # memory: 32Mi + + # Custom DNS configuration to be added to alertmanager pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + + ## Security context to be added to alertmanager pods + ## + securityContext: + runAsUser: 65534 + runAsNonRoot: true + runAsGroup: 65534 + fsGroup: 65534 + + service: + annotations: {} + labels: {} + clusterIP: "" + + ## Enabling peer mesh service end points for enabling the HA alert manager + ## Ref: https://github.com/prometheus/alertmanager/blob/master/README.md + # enableMeshPeer : true + + ## List of IP addresses at which the alertmanager service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + # nodePort: 30000 + sessionAffinity: None + type: ClusterIP + + ## List of initial peers + ## Ref: https://github.com/prometheus/alertmanager/blob/main/README.md#high-availability + clusterPeers: [] + +## Monitors ConfigMap changes and POSTs to a URL +## Ref: https://github.com/jimmidyson/configmap-reload +## +configmapReload: + prometheus: + ## If false, the configmap-reload container will not be deployed + ## + enabled: 
true + + ## configmap-reload container name + ## + name: configmap-reload + + ## configmap-reload container image + ## + image: + repository: jimmidyson/configmap-reload + tag: v0.5.0 + pullPolicy: IfNotPresent + + # containerPort: 9533 + + ## Additional configmap-reload container arguments + ## + extraArgs: {} + ## Additional configmap-reload volume directories + ## + extraVolumeDirs: [] + + + ## Additional configmap-reload mounts + ## + extraConfigmapMounts: [] + # - name: prometheus-alerts + # mountPath: /etc/alerts.d + # subPath: "" + # configMap: prometheus-alerts + # readOnly: true + + + ## configmap-reload resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + alertmanager: + ## If false, the configmap-reload container will not be deployed + ## + enabled: true + + ## configmap-reload container name + ## + name: configmap-reload + + ## configmap-reload container image + ## + image: + repository: jimmidyson/configmap-reload + tag: v0.5.0 + pullPolicy: IfNotPresent + + # containerPort: 9533 + + ## Additional configmap-reload container arguments + ## + extraArgs: {} + ## Additional configmap-reload volume directories + ## + extraVolumeDirs: [] + + + ## Additional configmap-reload mounts + ## + extraConfigmapMounts: [] + # - name: prometheus-alerts + # mountPath: /etc/alerts.d + # subPath: "" + # configMap: prometheus-alerts + # readOnly: true + + + ## configmap-reload resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + +kubeStateMetrics: + ## If false, kube-state-metrics sub-chart will not be installed + ## + enabled: true + +## kube-state-metrics sub-chart configurable values +## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics +## +# kube-state-metrics: + +nodeExporter: + ## If false, node-exporter will not be installed + ## + enabled: true + + ## If true, node-exporter pods share the 
host network namespace + ## + hostNetwork: true + + ## If true, node-exporter pods share the host PID namespace + ## + hostPID: true + + ## If true, node-exporter pods mounts host / at /host/root + ## + hostRootfs: true + + ## node-exporter container name + ## + name: node-exporter + + ## node-exporter container image + ## + image: + repository: quay.io/prometheus/node-exporter + tag: v1.3.0 + pullPolicy: IfNotPresent + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + ## node-exporter priorityClassName + ## + priorityClassName: "" + + ## Custom Update Strategy + ## + updateStrategy: + type: RollingUpdate + + ## Additional node-exporter container arguments + ## + extraArgs: {} + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ## Additional node-exporter hostPath mounts + ## + extraHostPathMounts: [] + # - name: textfile-dir + # mountPath: /srv/txt_collector + # hostPath: /var/lib/node-exporter + # readOnly: true + # mountPropagation: HostToContainer + + extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /prometheus + # configMap: certs-configmap + # readOnly: true + + ## Node tolerations for node-exporter scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: 
"Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for node-exporter pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Annotations to be added to node-exporter pods + ## + podAnnotations: {} + + ## Labels to be added to node-exporter pods + ## + pod: + labels: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## node-exporter resource limits & requests + ## Ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 200m + # memory: 50Mi + # requests: + # cpu: 100m + # memory: 30Mi + container: + securityContext: + allowPrivilegeEscalation: false + # Custom DNS configuration to be added to node-exporter pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + + ## Security context to be added to node-exporter pods + ## + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + + service: + annotations: + prometheus.io/scrape: "true" + labels: {} + + # Exposed as a headless service: + # https://kubernetes.io/docs/concepts/services-networking/service/#headless-services + clusterIP: None + + ## List of IP addresses at which the node-exporter service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + hostPort: 9100 + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 9100 + type: ClusterIP + +server: + ## Prometheus server container name + ## + enabled: true + + ## Use a ClusterRole (and ClusterRoleBinding) + ## - If set to false - we define a RoleBinding in the defined namespaces ONLY + ## + ## NB: because we need a Role with 
nonResourceURL's ("/metrics") - you must get someone with Cluster-admin privileges to define this role for you, before running with this setting enabled. + ## This makes prometheus work - for users who do not have ClusterAdmin privs, but wants prometheus to operate on their own namespaces, instead of clusterwide. + ## + ## You MUST also set namespaces to the ones you have access to and want monitored by Prometheus. + ## + # useExistingClusterRoleName: nameofclusterrole + + ## namespaces to monitor (instead of monitoring all - clusterwide). Needed if you want to run without Cluster-admin privileges. + # namespaces: + # - yournamespace + + name: server + + # sidecarContainers - add more containers to prometheus server + # Key/Value where Key is the sidecar `- name: ` + # Example: + # sidecarContainers: + # webserver: + # image: nginx + sidecarContainers: {} + + # sidecarTemplateValues - context to be used in template for sidecarContainers + # Example: + # sidecarTemplateValues: *your-custom-globals + # sidecarContainers: + # webserver: |- + # {{ include "webserver-container-template" . }} + # Template for `webserver-container-template` might looks like this: + # image: "{{ .Values.server.sidecarTemplateValues.repository }}:{{ .Values.server.sidecarTemplateValues.tag }}" + # ... + # + sidecarTemplateValues: {} + + ## Prometheus server container image + ## + image: + repository: quay.io/prometheus/prometheus + tag: v2.34.0 + pullPolicy: IfNotPresent + + ## prometheus server priorityClassName + ## + priorityClassName: "" + + ## EnableServiceLinks indicates whether information about services should be injected + ## into pod's environment variables, matching the syntax of Docker links. + ## WARNING: the field is unsupported and will be skipped in K8s prior to v1.13.0. + ## + enableServiceLinks: true + + ## The URL prefix at which the container can be accessed. 
Useful in the case the '-web.external-url' includes a slug + ## so that the various internal URLs are still able to access as they are in the default case. + ## (Optional) + prefixURL: "" + + ## External URL which can access prometheus + ## Maybe same with Ingress host name + baseURL: "" + + ## Additional server container environment variables + ## + ## You specify this manually like you would a raw deployment manifest. + ## This means you can bind in environment variables from secrets. + ## + ## e.g. static environment variable: + ## - name: DEMO_GREETING + ## value: "Hello from the environment" + ## + ## e.g. secret environment variable: + ## - name: USERNAME + ## valueFrom: + ## secretKeyRef: + ## name: mysecret + ## key: username + env: [] + + # List of flags to override default parameters, e.g: + # - --enable-feature=agent + # - --storage.agent.retention.max-time=30m + defaultFlagsOverride: [] + + extraFlags: + - web.enable-lifecycle + ## web.enable-admin-api flag controls access to the administrative HTTP API which includes functionality such as + ## deleting time series. This is disabled by default. 
+ # - web.enable-admin-api + ## + ## storage.tsdb.no-lockfile flag controls BD locking + # - storage.tsdb.no-lockfile + ## + ## storage.tsdb.wal-compression flag enables compression of the write-ahead log (WAL) + # - storage.tsdb.wal-compression + + ## Path to a configuration file on prometheus server container FS + configPath: /etc/config/prometheus.yml + + ### The data directory used by prometheus to set --storage.tsdb.path + ### When empty server.persistentVolume.mountPath is used instead + storagePath: "" + + global: + ## How frequently to scrape targets by default + ## + scrape_interval: 1m + ## How long until a scrape request times out + ## + scrape_timeout: 10s + ## How frequently to evaluate rules + ## + evaluation_interval: 1m + ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write + ## + remoteWrite: [] + ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read + ## + remoteRead: [] + + ## Custom HTTP headers for Liveness/Readiness/Startup Probe + ## + ## Useful for providing HTTP Basic Auth to healthchecks + probeHeaders: [] + + ## Additional Prometheus server container arguments + ## + extraArgs: {} + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ## Additional Prometheus server Volume mounts + ## + extraVolumeMounts: [] + + ## Additional Prometheus server Volumes + ## + extraVolumes: [] + + ## Additional Prometheus server hostPath mounts + ## + extraHostPathMounts: [] + # - name: certs-dir + # mountPath: /etc/kubernetes/certs + # subPath: "" + # hostPath: /etc/kubernetes/certs + # readOnly: true + + extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /prometheus + # subPath: "" + # configMap: certs-configmap + # readOnly: true + + ## Additional Prometheus server Secret mounts + # Defines additional mounts with secrets. Secrets must be manually created in the namespace. 
+ extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # subPath: "" + # secretName: prom-secret-files + # readOnly: true + + ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.server.configMapOverrideName}} + ## Defining configMapOverrideName will cause templates/server-configmap.yaml + ## to NOT generate a ConfigMap resource + ## + configMapOverrideName: "" + + ingress: + ## If true, Prometheus server Ingress will be created + ## + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + ## Prometheus server Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## Prometheus server Ingress additional labels + ## + extraLabels: {} + + ## Prometheus server Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - prometheus.domain.com + # - domain.com/prometheus + + path: / + + # pathType is only for k8s >= 1.18 + pathType: Prefix + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. 
+ extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## Prometheus server Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-server-tls + # hosts: + # - prometheus.domain.com + + ## Server Deployment Strategy type + # strategy: + # type: Recreate + + ## hostAliases allows adding entries to /etc/hosts inside the containers + hostAliases: [] + # - ip: "127.0.0.1" + # hostnames: + # - "example.com" + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for Prometheus server pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Pod affinity + ## + affinity: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## Use an alternate scheduler, e.g. "stork". 
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + persistentVolume: + ## If true, Prometheus server will create/use a Persistent Volume Claim + ## If false, use emptyDir + ## + enabled: true + + ## Prometheus server data Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## Prometheus server data Persistent Volume annotations + ## + annotations: {} + + ## Prometheus server data Persistent Volume existing claim name + ## Requires server.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## Prometheus server data Persistent Volume mount root path + ## + mountPath: /data + + ## Prometheus server data Persistent Volume size + ## + size: 8Gi + + ## Prometheus server data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## Prometheus server data Persistent Volume Binding Mode + ## If defined, volumeBindingMode: + ## If undefined (the default) or set to null, no volumeBindingMode spec is + ## set, choosing the default mode. 
+ ## + # volumeBindingMode: "" + + ## Subdirectory of Prometheus server data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + + ## Persistent Volume Claim Selector + ## Useful if Persistent Volumes have been provisioned in advance + ## Ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + ## + # selector: + # matchLabels: + # release: "stable" + # matchExpressions: + # - { key: environment, operator: In, values: [ dev ] } + + emptyDir: + ## Prometheus server emptyDir volume size limit + ## + sizeLimit: "" + + ## Annotations to be added to Prometheus server pods + ## + podAnnotations: {} + # iam.amazonaws.com/role: prometheus + + ## Labels to be added to Prometheus server pods + ## + podLabels: {} + + ## Prometheus AlertManager configuration + ## + alertmanagers: [] + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + ## Use a StatefulSet if replicaCount needs to be greater than 1 (see below) + ## + replicaCount: 1 + + ## Annotations to be added to deployment + ## + deploymentAnnotations: {} + + statefulSet: + ## If true, use a statefulset instead of a deployment for pod management. 
+ ## This allows to scale replicas to more than 1 pod + ## + enabled: false + + annotations: {} + labels: {} + podManagementPolicy: OrderedReady + + ## Alertmanager headless service to use for the statefulset + ## + headless: + annotations: {} + labels: {} + servicePort: 80 + ## Enable gRPC port on service to allow auto discovery with thanos-querier + gRPC: + enabled: false + servicePort: 10901 + # nodePort: 10901 + + ## Prometheus server readiness and liveness probe initial delay and timeout + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + ## + tcpSocketProbeEnabled: false + probeScheme: HTTP + readinessProbeInitialDelay: 30 + readinessProbePeriodSeconds: 5 + readinessProbeTimeout: 4 + readinessProbeFailureThreshold: 3 + readinessProbeSuccessThreshold: 1 + livenessProbeInitialDelay: 30 + livenessProbePeriodSeconds: 15 + livenessProbeTimeout: 10 + livenessProbeFailureThreshold: 3 + livenessProbeSuccessThreshold: 1 + startupProbe: + enabled: false + periodSeconds: 5 + failureThreshold: 30 + timeoutSeconds: 10 + + ## Prometheus server resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 500m + # memory: 512Mi + # requests: + # cpu: 500m + # memory: 512Mi + + # Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), + # because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + ## + hostNetwork: false + + # When hostNetwork is enabled, you probably want to set this to ClusterFirstWithHostNet + dnsPolicy: ClusterFirst + + # Use hostPort + # hostPort: 9090 + + ## Vertical Pod Autoscaler config + ## Ref: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler + verticalAutoscaler: + ## If true a VPA object will be created for the controller (either StatefulSet or Deployemnt, based on above configs) + 
enabled: false + # updateMode: "Auto" + # containerPolicies: + # - containerName: 'prometheus-server' + + # Custom DNS configuration to be added to prometheus server pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + ## Security context to be added to server pods + ## + securityContext: + runAsUser: 65534 + runAsNonRoot: true + runAsGroup: 65534 + fsGroup: 65534 + + service: + ## If false, no Service will be created for the Prometheus server + ## + enabled: true + + annotations: {} + labels: {} + clusterIP: "" + + ## List of IP addresses at which the Prometheus server service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + sessionAffinity: None + type: ClusterIP + + ## Enable gRPC port on service to allow auto discovery with thanos-querier + gRPC: + enabled: false + servicePort: 10901 + # nodePort: 10901 + + ## If using a statefulSet (statefulSet.enabled=true), configure the + ## service to connect to a specific replica to have a consistent view + ## of the data. + statefulsetReplica: + enabled: false + replica: 0 + + ## Prometheus server pod termination grace period + ## + terminationGracePeriodSeconds: 300 + + ## Prometheus data retention period (default if not specified is 15 days) + ## + retention: "15d" + +pushgateway: + ## If false, pushgateway will not be installed + ## + enabled: true + + ## Use an alternate scheduler, e.g. "stork". 
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + ## pushgateway container name + ## + name: pushgateway + + ## pushgateway container image + ## + image: + repository: prom/pushgateway + tag: v1.4.2 + pullPolicy: IfNotPresent + + ## pushgateway priorityClassName + ## + priorityClassName: "" + + ## Additional pushgateway container arguments + ## + ## for example: persistence.file: /data/pushgateway.data + extraArgs: {} + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ingress: + ## If true, pushgateway Ingress will be created + ## + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + ## pushgateway Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## pushgateway Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - pushgateway.domain.com + # - domain.com/pushgateway + + path: / + + # pathType is only for k8s >= 1.18 + pathType: Prefix + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. 
+ extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## pushgateway Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-alerts-tls + # hosts: + # - pushgateway.domain.com + + ## Node tolerations for pushgateway scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for pushgateway pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Annotations to be added to pushgateway pods + ## + podAnnotations: {} + + ## Labels to be added to pushgateway pods + ## + podLabels: {} + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + replicaCount: 1 + + ## Annotations to be added to deployment + ## + deploymentAnnotations: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## pushgateway resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + 
# cpu: 10m + # memory: 32Mi + # requests: + # cpu: 10m + # memory: 32Mi + + ## Vertical Pod Autoscaler config + ## Ref: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler + verticalAutoscaler: + ## If true a VPA object will be created for the controller + enabled: false + # updateMode: "Auto" + # containerPolicies: + # - containerName: 'prometheus-pushgateway' + + # Custom DNS configuration to be added to push-gateway pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + + ## Security context to be added to push-gateway pods + ## + securityContext: + runAsUser: 65534 + runAsNonRoot: true + + service: + annotations: + prometheus.io/probe: pushgateway + labels: {} + clusterIP: "" + + ## List of IP addresses at which the pushgateway service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 9091 + type: ClusterIP + + ## pushgateway Deployment Strategy type + # strategy: + # type: Recreate + + persistentVolume: + ## If true, pushgateway will create/use a Persistent Volume Claim + ## + enabled: false + + ## pushgateway data Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## pushgateway data Persistent Volume Claim annotations + ## + annotations: {} + + ## pushgateway data Persistent Volume existing claim name + ## Requires pushgateway.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## pushgateway data Persistent Volume mount root path + ## + mountPath: /data + + ## pushgateway data Persistent Volume size + ## + size: 2Gi + + ## pushgateway data 
Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## pushgateway data Persistent Volume Binding Mode + ## If defined, volumeBindingMode: + ## If undefined (the default) or set to null, no volumeBindingMode spec is + ## set, choosing the default mode. + ## + # volumeBindingMode: "" + + ## Subdirectory of pushgateway data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + + +## alertmanager ConfigMap entries +## +alertmanagerFiles: + alertmanager.yml: + global: {} + # slack_api_url: '' + + receivers: + - name: default-receiver + # slack_configs: + # - channel: '@you' + # send_resolved: true + + route: + group_wait: 10s + group_interval: 5m + receiver: default-receiver + repeat_interval: 3h + +## Prometheus server ConfigMap entries for rule files (allow prometheus labels interpolation) +ruleFiles: {} + +## Prometheus server ConfigMap entries +## +serverFiles: + + ## Alerts configuration + ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ + alerting_rules.yml: {} + # groups: + # - name: Instances + # rules: + # - alert: InstanceDown + # expr: up == 0 + # for: 5m + # labels: + # severity: page + # annotations: + # description: '{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes.' 
+ # summary: 'Instance {{ $labels.instance }} down' + ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use alerting_rules.yml + alerts: {} + + ## Records configuration + ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/ + recording_rules.yml: {} + ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use recording_rules.yml + rules: {} + + prometheus.yml: + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + ## Below two files are DEPRECATED will be removed from this default values file + - /etc/config/rules + - /etc/config/alerts + + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + + # A scrape configuration for running Prometheus on a Kubernetes cluster. + # This uses separate scrape configs for cluster components (i.e. API server, node) + # and services to allow each to use different authentication configs. + # + # Kubernetes labels will be added as Prometheus labels on metrics via the + # `labelmap` relabeling action. + + # Scrape config for API servers. + # + # Kubernetes exposes API servers as endpoints to the default/kubernetes + # service so this uses `endpoints` role and uses relabelling to only keep + # the endpoints associated with the default/kubernetes service using the + # default named port `https`. This works for single API server deployments as + # well as HA API server deployments. + - job_name: 'kubernetes-apiservers' + + kubernetes_sd_configs: + - role: endpoints + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. 
Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + # Keep only the default/kubernetes service endpoints for the https port. This + # will add targets for each API server which Kubernetes adds an endpoint to + # the default/kubernetes service. + relabel_configs: + - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: default;kubernetes;https + + - job_name: 'kubernetes-nodes' + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. 
+ # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics + + + - job_name: 'kubernetes-nodes-cadvisor' + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. 
+ # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + + # This configuration will work only on kubelet 1.7.3+ + # As the scrape endpoints for cAdvisor have changed + # if you are using older version you need to change the replacement to + # replacement: /api/v1/nodes/$1:4194/proxy/metrics + # more info here https://github.com/coreos/prometheus-operator/issues/633 + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + + # Scrape config for service endpoints. + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/scrape`: Only scrape services that have a value of + # `true`, except if `prometheus.io/scrape-slow` is set to `true` as well. + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: If the metrics are exposed on a different port to the + # service then set this appropriately. 
+ # * `prometheus.io/param_`: If the metrics endpoint uses parameters + # then you can set any parameter + - job_name: 'kubernetes-service-endpoints' + honor_labels: true + + kubernetes_sd_configs: + - role: endpoints + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow] + action: drop + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: service + - source_labels: [__meta_kubernetes_pod_node_name] + action: replace + target_label: node + + # Scrape config for slow service endpoints; same as above, but with a larger + # timeout and a larger interval + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/scrape-slow`: Only scrape services that have a value of `true` + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. 
+ # * `prometheus.io/port`: If the metrics are exposed on a different port to the
+ # service then set this appropriately.
+ # * `prometheus.io/param_`: If the metrics endpoint uses parameters
+ # then you can set any parameter
+ - job_name: 'kubernetes-service-endpoints-slow'
+ honor_labels: true
+
+ scrape_interval: 5m
+ scrape_timeout: 30s
+
+ kubernetes_sd_configs:
+ - role: endpoints
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
+ action: replace
+ target_label: __scheme__
+ regex: (https?)
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
+ action: replace
+ target_label: __address__
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ - action: labelmap
+ regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+)
+ replacement: __param_$1
+ - action: labelmap
+ regex: __meta_kubernetes_service_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_service_name]
+ action: replace
+ target_label: service
+ - source_labels: [__meta_kubernetes_pod_node_name]
+ action: replace
+ target_label: node
+
+ - job_name: 'prometheus-pushgateway'
+ honor_labels: true
+
+ kubernetes_sd_configs:
+ - role: service
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe]
+ action: keep
+ regex: pushgateway
+
+ # Example scrape config for probing services via the Blackbox Exporter.
+ #
+ # The relabeling allows the actual service scrape endpoint to be configured
+ # via the following annotations:
+ #
+ # * `prometheus.io/probe`: Only probe services that have a value of `true`
+ - job_name: 'kubernetes-services'
+ honor_labels: true
+
+ metrics_path: /probe
+ params:
+ module: [http_2xx]
+
+ kubernetes_sd_configs:
+ - role: service
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe]
+ action: keep
+ regex: true
+ - source_labels: [__address__]
+ target_label: __param_target
+ - target_label: __address__
+ replacement: blackbox
+ - source_labels: [__param_target]
+ target_label: instance
+ - action: labelmap
+ regex: __meta_kubernetes_service_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_service_name]
+ target_label: service
+
+ # Example scrape config for pods
+ #
+ # The relabeling allows the actual pod scrape endpoint to be configured via the
+ # following annotations:
+ #
+ # * `prometheus.io/scrape`: Only scrape pods that have a value of `true`,
+ # except if `prometheus.io/scrape-slow` is set to `true` as well.
+ # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+ # to set this to `https` & most likely set the `tls_config` of the scrape config.
+ # * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+ # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`.
+ - job_name: 'kubernetes-pods'
+ honor_labels: true
+
+ kubernetes_sd_configs:
+ - role: pod
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow]
+ action: drop
+ regex: true
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
+ action: replace
+ regex: (https?)
+ target_label: __scheme__
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+)
+ replacement: __param_$1
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: pod
+ - source_labels: [__meta_kubernetes_pod_phase]
+ regex: Pending|Succeeded|Failed|Completed
+ action: drop
+
+ # Example Scrape config for pods which should be scraped slower. An useful example
+ # would be stackriver-exporter which queries an API on every scrape of the pod
+ #
+ # The relabeling allows the actual pod scrape endpoint to be configured via the
+ # following annotations:
+ #
+ # * `prometheus.io/scrape-slow`: Only scrape pods that have a value of `true`
+ # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+ # to set this to `https` & most likely set the `tls_config` of the scrape config.
+ # * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+ # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`.
+ - job_name: 'kubernetes-pods-slow'
+ honor_labels: true
+
+ scrape_interval: 5m
+ scrape_timeout: 30s
+
+ kubernetes_sd_configs:
+ - role: pod
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
+ action: replace
+ regex: (https?)
+ target_label: __scheme__
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+)
+ replacement: __param_$1
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: pod
+ - source_labels: [__meta_kubernetes_pod_phase]
+ regex: Pending|Succeeded|Failed|Completed
+ action: drop
+
+# adds additional scrape configs to prometheus.yml
+# must be a string so you have to add a | after extraScrapeConfigs:
+# example adds prometheus-blackbox-exporter scrape config
+extraScrapeConfigs:
+ # - job_name: 'prometheus-blackbox-exporter'
+ # metrics_path: /probe
+ # params:
+ # module: [http_2xx]
+ # static_configs:
+ # - targets:
+ # - https://example.com
+ # relabel_configs:
+ # - source_labels: [__address__]
+ # target_label: __param_target
+ # - source_labels: [__param_target]
+ # target_label: instance
+ # - target_label: __address__
+ # replacement: prometheus-blackbox-exporter:9115
+
+# Adds option to add alert_relabel_configs to avoid duplicate alerts in alertmanager
+# useful in H/A prometheus with different external labels but the same alerts
+alertRelabelConfigs:
+ # alert_relabel_configs:
+ # - source_labels: [dc]
+ # regex: (.+)\d+
+ # target_label: dc
+
+networkPolicy:
+ ## Enable creation of NetworkPolicy resources.
+ ##
+ enabled: false
+
+# Force namespace of namespaced resources
+forceNamespace: null
diff --git a/charts/k10/k10/5.0.200/config.json b/charts/k10/k10/5.0.200/config.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/charts/k10/k10/5.0.200/eula.txt b/charts/k10/k10/5.0.200/eula.txt
new file mode 100644
index 000000000..19f9fc076
--- /dev/null
+++ b/charts/k10/k10/5.0.200/eula.txt
@@ -0,0 +1,459 @@
+KASTEN END USER LICENSE AGREEMENT
+
+This End User License Agreement is a binding agreement between Kasten, Inc., a
+Delaware Corporation ("Kasten"), and you ("Licensee"), and establishes the terms
+under which Licensee may use the Software and Documentation (as defined below),
+including without limitation terms and conditions relating to license grant,
+intellectual property rights, disclaimers /exclusions / limitations of warranty,
+indemnity and liability, governing law and limitation periods. All components
+collectively are referred to herein as the "Agreement."
+
+LICENSEE ACKNOWLEDGES IT HAS HAD THE OPPORTUNITY TO REVIEW THE AGREEMENT, PRIOR
+TO ACCEPTANCE OF THIS AGREEMENT. LICENSEE'S ACCEPTANCE OF THIS AGREEMENT IS
+EVIDENCED BY LICENSEE'S DOWNLOADING, COPYING, INSTALLING OR USING THE KASTEN
+SOFTWARE. IF YOU ARE ACTING ON BEHALF OF A COMPANY, YOU REPRESENT THAT YOU ARE
+AUTHORIZED TO BIND THE COMPANY. IF YOU DO NOT AGREE TO ALL TERMS OF THIS
+AGREEMENT, DO NOT DOWNLOAD, COPY, INSTALL, OR USE THE SOFTWARE, AND PERMANENTLY
+DELETE THE SOFTWARE.
+
+1. DEFINITIONS
+
+1.1 "Authorized Persons" means trained technical employees and contractors of
+Licensee who are subject to a written agreement with Licensee that includes use
+and confidentiality restrictions that are at least as protective as those set
+forth in this Agreement.
+
+1.2 "Authorized Reseller" means a distributor or reseller, including cloud
+computing platform providers, authorized by Kasten to resell licenses to the
+Software through the channel through or in the territory in which Licensee is
+purchasing.
+
+1.3 "Confidential Information" means all non-public information disclosed in
+written, oral or visual form by either party to the other. Confidential
+Information may include, but is not limited to, services, pricing information,
+computer programs, source code, names and expertise of employees and
+consultants, know-how, and other technical, business, financial and product
+development information. "Confidential Information" does not include any
+information that the receiving party can demonstrate by its written records (1)
+was rightfully known to it without obligation of confidentiality prior to its
+disclosure hereunder by the disclosing party; (2) is or becomes publicly known
+through no wrongful act of the receiving party; (3) has been rightfully received
+without obligation of confidentiality from a third party authorized to make such
+a disclosure; or (4) is independently developed by the receiving party without
+reference to confidential information disclosed hereunder.
+
+1.4 "Documentation" means any administration guides, installation and user
+guides, and release notes that are provided by Kasten to Licensee with the
+Software.
+
+1.5 "Intellectual Property Rights" means patents, design patents, copyrights,
+trademarks, Confidential Information, know-how, trade secrets, moral rights, and
+any other intellectual property rights recognized in any country or jurisdiction
+in the world.
+
+1.6 "Node" means a single physical or virtual computing machine recognizable by
+the Software as a unique device. Nodes must be owned or leased by Licensee or an
+entity controlled by, controlling or under common control with Licensee.
+
+1.7 "Edition" means a unique identifier for each distinct product that is made
+available by Kasten and that can be licensed, including summary information
+regarding any associated functionality, features, or restrictions specific to
+the Edition.
+
+1.8 "Open Source Software" means software delivered to Licensee hereunder that
+is subject to the provisions of any open source license agreement.
+
+1.9 "Purchase Agreement" means a separate commercial agreement, if applicable,
+between Kasten and the Licensee that contains the terms for the licensing of a
+specific Edition of the Software.
+
+1.10 "Software" means any and all software product Editions licensed to Licensee
+under this Agreement, all as developed by Kasten and delivered to Licensee
+hereunder. Software also includes any Updates provided by Kasten to Licensee.
+For the avoidance of doubt, the definition of Software shall exclude any
+Third-Party Software and Open Source Software.
+
+1.11 "Third-Party Software" means certain software Kasten licenses from third
+parties and provides to Licensee with the Software, which may include Open
+Source Software.
+
+1.12 "Update" means a revision of the Software that Kasten makes available to
+customers at no additional cost. The Update includes, if and when applicable and
+available, bug fix patches, maintenance release, minor release, or new major
+releases. Updates are limited only to the Software licensed by Licensee, and
+specifically exclude new product offerings, features, options or functionality
+of the Software that Kasten may choose to license separately, or for an
+additional fee.
+
+1.13 "Use" means to install activate the processing capabilities of the
+Software, load, execute, access, employ the Software, or display information
+resulting from such capabilities.
+
+
+2. LICENSE GRANT AND RESTRICTIONS
+
+2.1 Enterprise License. Subject to Licensee"s compliance with the terms and
+conditions of this Agreement (including any additional restrictions on
+Licensee"s use of the Software set forth in the Purchase Agreement, if one
+exists, between Licensee and Kasten), Kasten grants to Licensee a non-exclusive,
+non-transferable (except in connection with a permitted assignment of this
+Agreement under Section 14.10 (Assignment), non-sublicensable, limited term
+license to install and use the Software, in object code form only, solely for
+Licensee"s use, unless terminated in accordance with Section 4 (Term and
+Termination).
+
+2.2 Starter License. This section shall only apply when the Licensee licenses
+Starter Edition of the Software. The license granted herein is for a maximum of
+5 Nodes and for a period of 12 months from the date of the Software release that
+embeds the specific license instance. Updating to a newer Software (minor or
+major) release will always extend the validity of the license by 12 months. If
+the Licensee wishes to upgrade to an Enterprise License instead, the Licensee
+will have to enter into a Purchase Agreement with Kasten which will supersede
+this Agreement. The Licensee is required to provide accurate email and company
+information, if representing a company, when accepting this Agreement. Under no
+circumstances will a Starter License be construed to mean that the Licensee is
+authorized to distribute the Software to any third party for any reason
+whatsoever.
+
+2.3 Evaluation License. This section shall only apply when the Licensee has
+licensed the Software for an initial evaluation period. The license granted
+herein is valid only one time 30 days, starting from date of installation,
+unless otherwise explicitly designated by Kasten ("Evaluation Period"). Under
+this license the Software can only be used for evaluation purposes. Under no
+circumstances will an Evaluation License be construed to mean that the Licensee
+is authorized to distribute the Software to any third party for any reason
+whatsoever. If the Licensee wishes to upgrade to an Enterprise License instead,
+the Licensee will have to enter into a Purchase Agreement with Kasten which will
+supersede this Agreement.. If the Licensee does not wish to upgrade to an
+Enterprise License at the end of the Evaluation Period the Licensee"s rights
+under the Agreement shall terminate, and the Licensee shall delete all Kasten
+Software.
+
+2.4 License Restrictions. Except to the extent permitted under this Agreement,
+Licensee will not nor will Licensee allow any third party to: (i) copy, modify,
+adapt, translate or otherwise create derivative works of the Software or the
+Documentation; (ii) reverse engineer, decompile, disassemble or otherwise
+attempt to discover the source code of the Software; (iii) rent, lease, sell,
+assign or otherwise transfer rights in or to the Software or Documentation; (iv)
+remove any proprietary notices or labels from the Software or Documentation; (v)
+publicly disseminate performance information or analysis (including, without
+limitation, benchmarks) relating to the Software. Licensee will comply with all
+applicable laws and regulations in Licensee"s use of and access to the Software
+and Documentation.
+
+2.5 Responsibility for Use. The Software and Documentation may be used only by
+Authorized Persons and in conformance with this Agreement. Licensee shall be
+responsible for the proper use and protection of the Software and Documentation
+and is responsible for: (i) installing, managing, operating, and physically
+controlling the Software and the results obtained from using the Software; (ii)
+using the Software within the operating environment specified in the
+Documentation; and; (iii) establishing and maintaining such recovery and data
+protection and security procedures as necessary for Licensee's service and
+operation and/or as may be specified by Kasten from time to time.
+
+2.6 United States Government Users. The Software licensed under this Agreement
+is "commercial computer software" as that term is described in DFAR
+252.227-7014(a)(1). If acquired by or on behalf of a civilian agency, the U.S.
+Government acquires this commercial computer software and/or commercial computer
+software documentation subject to the terms and this Agreement as specified in
+48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal
+Acquisition Regulations ("FAR") and its successors. If acquired by or on behalf
+of any agency within the Department of Defense ("DOD"), the U.S. Government
+acquires this commercial computer software and/or commercial computer software
+documentation subject to the terms of this Agreement as specified in 48 C.F.R.
+227.7202 of the DOD FAR Supplement and its successors.
+
+
+3. SUPPORT
+
+3.1 During the Term (as defined below) and subject to Licensee’s compliance
+with the terms and conditions of this Agreement, Licensee may submit queries and
+requests for support for Enterprise Licenses by submitting Service Requests via Veeam
+Support Portal (https://my.veeam.com). Support is not provided for Starter and Evaluation
+Licenses. Licensee shall be entitled to the support service-level agreement specified
+in the relevant order form or purchase order (“Order Form”) between Licensee and the
+Reseller and as set forth in Kasten’s Support Policy, a copy of which can be found
+at https://www.kasten.io/support-services-policy. Licensee shall also be permitted to
+download and install all Updates released by Kasten during the Term and made generally
+available to users of the Software. Software versions with all updates and upgrades
+installed is supported for six months from the date of release of that version.
+
+3.2 Starter Edition Support. If the Licensee has licensed Starter Edition of
+the Software, you will have access to the Kasten K10 Support Community
+(https://community.veeam.com/groups/kasten-k10-support-92), but Kasten cannot guarantee
+a service level of any sort. Should a higher level of support be needed, Licensee has
+the option to consider entering into a Purchase Agreement with Kasten for licensing a
+different Edition of the Software.
+
+
+
+4. TERM AND TERMINATION
+
+4.1 Term. The term of this Agreement, except for Starter and Evaluation
+Licenses, shall commence on the Effective Date and shall, unless terminated
+earlier in accordance with the provisions of Section 4.2 below, remain in force
+for the Subscription Period as set forth in the applicable Order Form(s) (the
+"Term"). The parties may extend the Term of this Agreement beyond the
+Subscription Period by executing additional Order Form(s) and Licensee"s payment
+of additional licensing fees. The term of this Agreement for the Starter and
+Evaluation Licenses will coincide with the term for Starter Edition (as stated
+in section 2.2) and the term for Evaluation Period (as stated in section 2.3),
+respectively
+
+4.2 Termination. Either party may immediately terminate this
+Agreement and the licenses granted hereunder if the other party (1) becomes
+insolvent and"becomes unwilling or unable to meet its obligations under this
+Agreement, (2) files a petition in bankruptcy, (3) is subject to the filing of
+an involuntary petition for bankruptcy which is not rescinded within a period of
+forty-five (45) days, (4) fails to cure a material breach of any material term
+or condition of this Agreement within thirty (30) days of receipt of written
+notice specifying such breach, or (5) materially breaches its obligations of
+confidentiality hereunder.
+
+4.3 Effects of Termination. Upon expiration or
+termination of this Agreement for any reason, (i) any amounts owed to Kasten
+under this Agreement will be immediately due and payable; (ii) all licensed
+rights granted in this Agreement will immediately cease; and (iii) Licensee will
+promptly discontinue all use of the Software and Documentation and return to
+Kasten any Kasten Confidential Information in Licensee"s possession or control.
+
+4.4 Survival. The following Sections of this Agreement will remain in effect
+following the expiration or termination of these General Terms for any reason:
+4.3 (Effects of Termination), 4.4 (Survival), 5 (Third Party Software) 5
+(Confidentiality), 9 (Ownership), 10.2 (Third-Party Software), 10.3 (Warranty
+Disclaimer), 11 (Limitations of Liability), 12.2 (Exceptions to Kasten
+Obligation), 13 (Export) and 14 (General).
+
+
+5. THIRD PARTY AND OPEN SOURCE SOFTWARE Certain Third-Party Software or Open
+Source Software (Kasten can provide a list upon request) that may be provided
+with the Software may be subject to various other terms and conditions imposed
+by the licensors of such Third-Party Software or Open Source Software. The
+terms of Licensee"s use of the Third-Party Software or Open Source Software is
+subject to and governed by the respective Third-Party Software and Open Source
+licenses, except that this Section 5 (Third-Party Software), Section 10.2 (Third
+Party Software), 10.3 (Warranty Disclaimer), Section 11 (Limitations of
+Liability), and Section 14 (General) of this Agreement also govern Licensee"s
+use of the Third-Party Software. To the extent applicable to Licensee"s use of
+such Third-Party Software and Open Source, Licensee agrees to comply with the
+terms and conditions contained in all such Third-Party Software and Open Source
+licenses.
+
+
+6. CONFIDENTIALITY Neither party will use any Confidential Information of the
+other party except as expressly permitted by this Agreement or as expressly
+authorized in writing by the disclosing party. The receiving party shall use
+the same degree of care to protect the disclosing party"s Confidential
+Information as it uses to protect its own Confidential Information of like
+nature, but in no circumstances less than a commercially reasonable standard of
+care. The receiving party may not disclose the disclosing party"s Confidential
+Information to any person or entity other than to (i) (a) Authorized Persons in
+the case the receiving party is Licensee, and (b) Kasten"s employees and
+contractors in the case the receiving party is Kasten, and (ii) who need access
+to such Confidential Information solely for the purpose of fulfilling that
+party"s obligations or exercising that party"s rights hereunder. The foregoing
+obligations will not restrict the receiving party from disclosing Confidential
+Information of the disclosing party: (1) pursuant to the order or requirement of
+a court, administrative agency, or other governmental body, provided that the
+receiving party required to make such a disclosure gives reasonable notice to
+the disclosing party prior to such disclosure; and (2) on a confidential basis
+to its legal and financial advisors. Kasten may identify Licensee in its
+customer lists in online and print marketing materials.
+
+
+7. FEES Fees for Enterprise License shall be set forth in separate Order Form(s)
+attached to a Purchase Agreement, between the Licensee and Kasten.
+
+If Licensee has obtained the Software through an Authorized Reseller, fees for
+licensing shall be invoiced directly by the Authorized Reseller.
+
+If no Purchase Agreement exists, during the term of this Agreement, Kasten
+shall license the Starter Edition only and no other Edition of the Software
+"at no charge" to Licensee.
+
+
+8. USAGE DATA Kasten may collect, accumulate, and aggregate certain usage
+statistics in order to analyze usage of the Software, make improvements, and
+potentially develop new products. Kasten may use aggregated anonymized data for
+any purpose that Kasten, at its own discretion, may consider appropriate.
+
+
+9. OWNERSHIP As between Kasten and Licensee, all right, title and interest in
+the Software, Documentation and any other Kasten materials furnished or made
+available hereunder, all modifications and enhancements thereof, and all
+suggestions, ideas and feedback proposed by Licensee regarding the Software and
+Documentation, including all copyright rights, patent rights and other
+Intellectual Property Rights in each of the foregoing, belong to and are
+retained solely by Kasten or Kasten"s licensors and providers, as applicable.
+Licensee hereby does and will irrevocably assign to Kasten all evaluations,
+ideas, feedback and suggestions made by Licensee to Kasten regarding the
+Software and Documentation (collectively, "Feedback") and all Intellectual
+Property Rights in and to the Feedback. Except as expressly provided herein, no
+licenses of any kind are granted hereunder, whether by implication, estoppel, or
+otherwise.
+
+
+10. LIMITED WARRANTY AND DISCLAIMERS
+
+10.1 Limited Warranty. Kasten warrants for a period of thirty (30) days from
+the Effective Date that the Software will materially conform to Kasten"s
+then-current Documentation (the "Warranty Period") when properly installed on a
+computer for which a license is granted hereunder. Licensee"s exclusive remedy
+for a breach of this Section 10.1 is that Kasten shall, at its option, use
+commercially reasonable efforts to correct or replace the Software, or refund
+all or a portion of the fees paid by Licensee pursuant to the Purchase
+Agreement. Kasten, in its sole discretion, may revise this limited warranty from
+time to time.
+
+10.2 Third-Party Software. Except as expressly set forth in this Agreement,
+Third-Party Software (including any Open Source Software) are provided on an
+"as-is" basis at the sole risk of Licensee. Notwithstanding any language to the
+contrary in this Agreement, Kasten makes no express or implied warranties of any
+kind with respect to Third-Party Software provided to Licensee and shall not be
+liable for any damages regarding the use or operation of the Third-Party
+Software furnished under this Agreement. Any and all express or implied
+warranties, if any, arising from the license of Third-Party Software shall be
+those warranties running from the third party manufacturer or licensor to
+Licensee.
+
+10.3 Warranty Disclaimer. EXCEPT FOR THE LIMITED WARRANTY PROVIDED ABOVE,
+KASTEN AND ITS SUPPLIERS MAKE NO WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED,
+STATUTORY OR OTHERWISE, RELATING TO THE SOFTWARE OR TO KASTEN"S MAINTENANCE,
+PROFESSIONAL OR OTHER SERVICES. KASTEN SPECIFICALLY DISCLAIMS ALL IMPLIED
+WARRANTIES OF DESIGN, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE
+AND NON-INFRINGEMENT. KASTEN AND ITS SUPPLIERS AND LICENSORS DO NOT WARRANT OR
+REPRESENT THAT THE SOFTWARE WILL BE FREE FROM BUGS OR THAT ITS USE WILL BE
+UNINTERRUPTED OR ERROR-FREE. THIS DISCLAIMER SHALL APPLY NOTWITHSTANDING THE
+FAILURE OF THE ESSENTIAL PURPOSE OF ANY LIMITED REMEDY PROVIDED HEREIN. EXCEPT
+AS STATED ABOVE, KASTEN AND ITS SUPPLIERS PROVIDE THE SOFTWARE ON AN "AS IS"
+BASIS. KASTEN PROVIDES NO WARRANTIES WITH RESPECT TO THIRD PARTY SOFTWARE AND
+OPEN SOURCE SOFTWARE.
+
+
+11. LIMITATIONS OF LIABILITY
+
+11.1 EXCLUSION OF CERTAIN DAMAGES. EXCEPT FOR BREACHES OF SECTION 6
+(CONFIDENTIALITY) OR SECTION 9 (OWNERSHIP), IN NO EVENT WILL EITHER PARTY BE
+LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, EXEMPLARY, SPECIAL, INCIDENTAL OR
+RELIANCE DAMAGES, INCLUDING ANY LOST DATA, LOSS OF USE AND LOST PROFITS, ARISING
+FROM OR RELATING TO THIS AGREEMENT, THE SOFTWARE OR DOCUMENTATION, EVEN IF SUCH
+PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF, OR COULD REASONABLY HAVE
+PREVENTED, SUCH DAMAGES.
+
+11.2 LIMITATION OF DAMAGES. EXCEPT FOR THE BREACHES OF SECTION 6
+(CONFIDENTIALITY) OR SECTION 9 (OWNERSHIP), EACH PARTY"S TOTAL CUMULATIVE
+LIABILITY ARISING FROM OR RELATED TO THIS AGREEMENT OR THE SOFTWARE,
+DOCUMENTATION, OR SERVICES PROVIDED BY KASTEN, WILL NOT EXCEED THE AMOUNT OF
+FEES PAID OR PAYABLE BY LICENSEE FOR THE SOFTWARE, DOCUMENTATION OR SERVICES
+GIVING RISE TO THE CLAIM IN THE TWELVE (12) MONTHS FOLLOWING THE EFFECTIVE DATE.
+LICENSEE AGREES THAT KASTEN"S SUPPLIERS AND LICENSORS WILL HAVE NO LIABILITY OF
+ANY KIND UNDER OR AS A RESULT OF THIS AGREEMENT. IN THE CASE OF KASTEN"S
+INDEMNIFICATION OBLIGATIONS, KASTEN"S CUMULATIVE LIABILITY UNDER THIS AGREEMENT
+SHALL BE LIMITED TO THE SUM OF THE LICENSE FEES PAID OR PAYABLE BY LICENSEE FOR
+THE SOFTWARE, DOCUMENTATION OR SERVICES GIVING RISE TO THE CLAIM IN THE TWELVE
+(12) MONTHS FOLLOWING THE EFFECTIVE DATE.
+
+11.3 THIRD PARTY SOFTWARE. NOTWITHSTANDING ANY LANGUAGE TO THE CONTRARY IN THIS
+AGREEMENT, KASTEN SHALL NOT BE LIABLE FOR ANY DAMAGES REGARDING THE USE OR
+OPERATION OF ANY THIRD-PARTY SOFTWARE FURNISHED UNDER THIS AGREEMENT.
+
+11.4 LIMITATION OF ACTIONS. IN NO EVENT MAY LICENSEE BRING ANY CAUSE OF ACTION
+RELATED TO THIS AGREEMENT MORE THAN ONE (1) YEAR AFTER THE OCCURRENCE OF THE
+EVENT GIVING RISE TO THE LIABILITY.
+
+
+12. EXPORT
+The Software, Documentation and related technical data may be subject
+to U.S. export control laws, including without limitation the U.S. Export
+Administration Act and its associated regulations, and may be subject to export
+or import regulations in other countries. Licensee shall comply with all such
+regulations and agrees to obtain all necessary licenses to export, re-export, or
+import the Software, Documentation and related technical data.
+
+
+13. GENERAL
+
+13.1 No Agency. Kasten and Licensee each acknowledge and agree that the
+relationship established by this Agreement is that of independent contractors,
+and nothing contained in this Agreement shall be construed to: (1) give either
+party the power to direct or control the daytoday activities of the other; (2)
+deem the parties to be acting as partners, joint venturers, coowners or
+otherwise as participants in a joint undertaking; or (3) permit either party or
+any of either party"s officers, directors, employees, agents or representatives
+to create or assume any obligation on behalf of or for the account of the other
+party for any purpose whatsoever.
+
+13.2 Compliance with Laws. Each party agrees to comply with all applicable
+laws, regulations, and ordinances relating to their performance hereunder.
+Without limiting the foregoing, Licensee warrants and covenants that it will
+comply with all then current laws and regulations of the United States and other
+jurisdictions relating or applicable to Licensee"s use of the Software and
+Documentation including, without limitation, those concerning Intellectual
+Property Rights, invasion of privacy, defamation, and the import and export of
+Software and Documentation.
+
+13.3 Force Majeure. Except for the duty to pay money, neither party shall be
+liable hereunder by reason of any failure or delay in the performance of its
+obligations hereunder on account of strikes, riots, fires, flood, storm,
+explosions, acts of God, war, governmental action, earthquakes, or any other
+cause which is beyond the reasonable control of such party.
+
+13.4 Governing Law; Venue and Jurisdiction. This Agreement shall be interpreted
+according to the laws of the State of California without regard to or
+application of choiceoflaw rules or principles. The parties expressly agree
+that the United Nations Convention on Contracts for the International Sale of
+Goods and the Uniform Computer Information Transactions Act will not apply. Any
+legal action or proceeding arising under this Agreement will be brought
+exclusively in the federal or state courts located in Santa Clara County,
+California and the parties hereby consent to the personal jurisdiction and venue
+therein.
+
+13.5 Injunctive Relief. The parties agree that monetary damages would not be an
+adequate remedy for the breach of certain provisions of this Agreement,
+including, without limitation, all provisions concerning infringement,
+confidentiality and nondisclosure, or limitation on permitted use of the
+Software or Documentation. The parties further agree that, in the event of such
+breach, injunctive relief would be necessary to prevent irreparable injury.
+Accordingly, either party shall have the right to seek injunctive relief or
+similar equitable remedies to enforce such party's rights under the pertinent
+provisions of this Agreement, without limiting its right to pursue any other
+legal remedies available to it.
+
+13.6 Entire Agreement and Waiver. This Agreement and any exhibits hereto shall
+constitute the entire agreement and contains all terms and conditions between
+Kasten and Licensee with respect to the subject matter hereof and all prior
+agreements, representations, and statement with respect to such subject matter
+are superseded hereby. This Agreement may be changed only by written agreement
+signed by both Kasten and Licensee. No failure of either party to exercise or
+enforce any of its rights under this Agreement shall act as a waiver of
+subsequent breaches; and the waiver of any breach shall not act as a waiver of
+subsequent breaches.
+
+13.7 Severability. In the event any provision of this Agreement is held by a
+court or other tribunal of competent jurisdiction to be unenforceable, that
+provision will be enforced to the maximum extent permissible under applicable
+law and the other provisions of this Agreement will remain in full force and
+effect. The parties further agree that in the event such provision is an
+essential part of this Agreement, they will begin negotiations for a suitable
+replacement provision.
+
+13.8 Counterparts. This Agreement may be executed in any number of
+counterparts, each of which, when so executed and delivered (including by
+facsimile), shall be deemed an original, and all of which shall constitute one
+and the same agreement.
+
+13.9 Binding Effect. This Agreement shall be binding upon and shall inure to
+the benefit of the respective parties hereto, their respective successors and
+permitted assigns.
+
+13.10 Assignment. Neither party may, without the prior written consent of the
+other party (which shall not be unreasonably withheld), assign this Agreement,
+in whole or in part, either voluntarily or by operation of law, and any attempt
+to do so shall be a material default of this Agreement and shall be void.
+Notwithstanding the foregoing, Kasten may assign its rights and benefits and
+delegate its duties and obligations under this Agreement without the consent of
+Licensee in connection with a merger, reorganization or sale of all or
+substantially all relevant assets of the assigning party; in each case provided
+that such successor assumes the assigning party"s obligations under this
+Agreement.
+
diff --git a/charts/k10/k10/5.0.200/files/favicon.png b/charts/k10/k10/5.0.200/files/favicon.png
new file mode 100644
index 000000000..fb617ce12
Binary files /dev/null and b/charts/k10/k10/5.0.200/files/favicon.png differ
diff --git a/charts/k10/k10/5.0.200/files/kasten-logo.svg b/charts/k10/k10/5.0.200/files/kasten-logo.svg
new file mode 100644
index 000000000..0d0ef14ee
--- /dev/null
+++ b/charts/k10/k10/5.0.200/files/kasten-logo.svg
@@ -0,0 +1,24 @@
+
+
+
+
+
+
diff --git a/charts/k10/k10/5.0.200/files/styles.css b/charts/k10/k10/5.0.200/files/styles.css
new file mode 100644
index 000000000..2d9205711
--- /dev/null
+++ b/charts/k10/k10/5.0.200/files/styles.css
@@ -0,0 +1,113 @@
+.theme-body {
+ background-color: #efefef;
+ color: #333;
+ font-family: 'Source Sans Pro', Helvetica, sans-serif;
+}
+
+.theme-navbar {
+ background-color: #fff;
+ box-shadow: 0 2px 2px rgba(0, 0, 0, 0.2);
+ color: #333;
+ font-size: 13px;
+ font-weight: 100;
+ height: 46px;
+ overflow: hidden;
+ padding: 0 10px;
+}
+
+.theme-navbar__logo-wrap {
+ display: inline-block;
+ height: 100%;
+ overflow: hidden;
+ padding: 10px 15px;
+ width: 300px;
+}
+
+.theme-navbar__logo {
+ height: 100%;
+ max-height: 25px;
+}
+
+.theme-heading {
+ font-size: 20px;
+ font-weight: 500;
+ margin-bottom: 10px;
+ margin-top: 0;
+}
+
+.theme-panel {
+ background-color: #fff;
+ box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);
+ padding: 30px;
+}
+
+.theme-btn-provider {
+ background-color: #fff;
+ color: #333;
+ min-width: 250px;
+}
+
+.theme-btn-provider:hover {
+ color: #999;
+}
+
+.theme-btn--primary {
+ background-color: #333;
+ border: none;
+ color: #fff;
+ min-width: 200px;
+ padding: 6px 12px;
+}
+
+.theme-btn--primary:hover {
+ background-color: #666;
+ color: #fff;
+}
+
+.theme-btn--success {
+ background-color: #2FC98E;
+ color: #fff;
+ width: 250px;
+}
+
+.theme-btn--success:hover {
+ background-color: #49E3A8;
+}
+
+.theme-form-row {
+ display: block;
+ margin: 20px auto;
+}
+
+.theme-form-input {
+ border-radius: 4px;
+ border: 1px solid #CCC;
+ box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+ color: #666;
+ display: block;
+ font-size: 14px;
+ height: 36px;
+ line-height: 1.42857143;
+ margin: auto;
+ padding: 6px 12px;
+ width: 250px;
+}
+
+.theme-form-input:focus,
+.theme-form-input:active {
+ border-color: #66AFE9;
+ outline: none;
+}
+
+.theme-form-label {
+ font-size: 13px;
+ font-weight: 600;
+ margin: 4px auto;
+ position: relative;
+ text-align: left;
+ width: 250px;
+}
+
+.theme-link-back {
+ margin-top: 4px;
+}
diff --git a/charts/k10/k10/5.0.200/license b/charts/k10/k10/5.0.200/license
new file mode 100644
index 000000000..fb23dbb82
--- /dev/null
+++ b/charts/k10/k10/5.0.200/license @@ -0,0 +1 @@ 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 diff --git a/charts/k10/k10/5.0.200/questions.yaml b/charts/k10/k10/5.0.200/questions.yaml new file mode 100644 index 000000000..713fcb116 --- /dev/null +++ b/charts/k10/k10/5.0.200/questions.yaml 
@@ -0,0 +1,295 @@
+questions:
+# ========================
+# SECRETS And Configuration
+# ========================
+
+### AWS Configuration
+
+- variable: secrets.awsAccessKeyId
+ description: "AWS access key ID (required for AWS deployment)"
+ type: password
+ label: AWS Access Key ID
+ required: false
+ group: "AWS Configuration"
+
+- variable: secrets.awsSecretAccessKey
+ description: "AWS access key secret (required for AWS deployment)"
+ type: password
+ label: AWS Secret Access Key
+ required: false
+ group: "AWS Configuration"
+
+- variable: secrets.awsIamRole
+ description: "ARN of the AWS IAM role assumed by K10 to perform any AWS operation."
+ type: string
+ label: ARN of the AWS IAM role
+ required: false
+ group: "AWS Configuration"
+
+- variable: awsConfig.assumeRoleDuration
+ description: "Duration of a session token generated by AWS for an IAM role"
+ type: string
+ label: Role Duration
+ required: false
+ default: ""
+ group: "AWS Configuration"
+
+- variable: awsConfig.efsBackupVaultName
+ description: "Specifies the AWS EFS backup vault name"
+ type: string
+ label: EFS Backup Vault Name
+ required: false
+ default: "k10vault"
+ group: "AWS Configuration"
+
+### Google Cloud Configuration
+
+- variable: secrets.googleApiKey
+ description: "Required If cluster is deployed on Google Cloud"
+ type: multiline
+ label: Non-default base64 encoded GCP Service Account key file
+ required: false
+ group: "GoogleApi Configuration"
+
+### Azure Configuration
+
+- variable: secrets.azureTenantId
+ description: "Azure tenant ID (required for Azure deployment)"
+ type: string
+ label: Tenant ID
+ required: false
+ group: "Azure Configuration"
+
+- variable: secrets.azureClientId
+ description: "Azure Service App ID"
+ type: password
+ label: Service App ID
+ required: false
+ group: "Azure Configuration"
+
+- variable: secrets.azureClientSecret
+ description: "Azure Service App secret"
+ type: password
+ label: Service App secret
+ required: false
+ group: "Azure Configuration"
+
+- variable: secrets.azureResourceGroup
+ description: "Resource Group name that was created for the Kubernetes cluster"
+ type: string
+ label: Resource Group
+ required: false
+ group: "Azure Configuration"
+
+- variable: secrets.azureSubscriptionID
+ description: "Subscription ID in your Azure tenant"
+ type: string
+ label: Subscription ID
+ required: false
+ group: "Azure Configuration"
+
+- variable: secrets.azureResourceMgrEndpoint
+ description: "Resource management endpoint for the Azure Stack instance"
+ type: string
+ label: Resource management endpoint
+ required: false
+ group: "Azure Configuration"
+
+- variable: secrets.azureADEndpoint
+ description: "Azure Active Directory login endpoint"
+ type: string
+ label: Active Directory login endpoint
+ required: false
+ group: "Azure Configuration"
+
+- variable: secrets.azureADResourceID
+ description: "Azure Active Directory resource ID to obtain AD tokens"
+ type: string
+ label: Active Directory resource ID
+ required: false
+ group: "Azure Configuration"
+
+# ========================
+# Authentication
+# ========================
+
+- variable: auth.basicAuth.enabled
+ description: "Configures basic authentication for the K10 dashboard"
+ type: boolean
+ label: Enable Basic Authentication
+ required: false
+ group: "Authentication"
+ show_subquestion_if: true
+ subquestions:
+ - variable: auth.basicAuth.htpasswd
+ description: "A username and password pair separated by a colon character"
+ type: password
+ label: Authentication Details (htpasswd)
+ - variable: auth.basicAuth.secretName
+ description: "Name of an existing Secret that contains a file generated with htpasswd"
+ type: string
+ label: Secret Name
+
+- variable: auth.tokenAuth.enabled
+ description: "Configures token based authentication for the K10 dashboard"
+ type: boolean
+ label: Enable Token Based Authentication
+ required: false
+ group: "Authentication"
+
+- variable: auth.oidcAuth.enabled
+ description: "Configures Open ID Connect based authentication for the K10 dashboard"
+ type: boolean
+ label: Enable OpenID Connect Based Authentication
+ required: false
+ group: "Authentication"
+ show_subquestion_if: true
+ subquestions:
+ - variable: auth.oidcAuth.providerURL
+ description: "URL for the OIDC Provider"
+ type: string
+ label: OIDC Provider URL
+ - variable: auth.oidcAuth.redirectURL
+ description: "URL for the K10 gateway Provider"
+ type: string
+ label: OIDC Redirect URL
+ - variable: auth.oidcAuth.scopes
+ description: "Space separated OIDC scopes required for userinfo. Example: `profile email`"
+ type: string
+ label: OIDC scopes
+ - variable: auth.oidcAuth.prompt
+ description: "The type of prompt to be used during authentication (none, consent, login, or select_account)"
+ type: enum
+ options:
+ - none
+ - consent
+ - login
+ - select_account
+ default: none
+ label: The type of prompt to be used during authentication (none, consent, login, or select_account)
+ - variable: auth.oidcAuth.clientID
+ description: "Client ID given by the OIDC provider for K10"
+ type: password
+ label: OIDC Client ID
+ - variable: auth.oidcAuth.clientSecret
+ description: "Client secret given by the OIDC provider for K10"
+ type: password
+ label: OIDC Client Secret
+ - variable: auth.oidcAuth.usernameClaim
+ description: "The claim to be used as the username"
+ type: string
+ label: OIDC UserName Claim
+ - variable: auth.oidcAuth.usernamePrefix
+ description: "Prefix that has to be used with the username obtained from the username claim"
+ type: string
+ label: OIDC UserName Prefix
+ - variable: auth.oidcAuth.groupClaim
+ description: "Name of a custom OpenID Connect claim for specifying user groups"
+ type: string
+ label: OIDC group Claim
+ - variable: auth.oidcAuth.groupPrefix
+ description: "All groups will be prefixed with this value to prevent conflicts"
+ type: string
+ label: OIDC group Prefix
+
+# ========================
+# External Gateway
+# ========================
+
+- variable: externalGateway.create
+ description: "Configures an external gateway for K10 API services"
+ type: boolean
+ label: Create External Gateway
+ required: false
+ group: "External Gateway"
+ show_subquestion_if: true
+ subquestions:
+ - variable: externalGateway.annotations
+ description: "Standard annotations for the services"
+ type: multiline
+ default: ""
+ label: Annotation
+ - variable: externalGateway.fqdn.name
+ description: "Domain name for the K10 API services"
+ type: string
+ label: Domain Name
+ - variable: externalGateway.fqdn.type
+ description: "Supported gateway type: `route53-mapper` or `external-dns`"
+ type: string
+ label: Gateway Type route53-mapper or external-dns
+ - variable: externalGateway.awsSSLCertARN
+ description: "ARN for the AWS ACM SSL certificate used in the K10 API server"
+ type: multiline
+ label: ARN for the AWS ACM SSL certificate
+
+# ========================
+# Storage Management
+# ========================
+
+- variable: global.persistence.storageClass
+ label: StorageClass Name
+ description: "Specifies StorageClass Name to be used for PVCs"
+ type: string
+ required: false
+ default: ""
+ group: "Storage Management"
+
+- variable: prometheus.server.persistentVolume.storageClass
+ type: string
+ label: StorageClass Name for Prometheus PVC
+ description: "StorageClassName used to create Prometheus PVC. Setting this option overwrites global StorageClass value"
+ default: ""
+ required: false
+ group: "Storage Management"
+
+- variable: prometheus.server.persistentVolume.enabled
+ type: boolean
+ label: Enable PVC for Prometheus server
+ description: "If true, K10 Prometheus server will create a Persistent Volume Claim"
+ default: true
+ required: false
+ group: "Storage Management"
+
+- variable: global.persistence.enabled
+ type: boolean
+ label: Storage Enabled
+ description: "If true, K10 will use Persistent Volume Claim"
+ default: true
+ required: false
+ group: "Storage Management"
+
+# ========================
+# Service Account
+# ========================
+
+- variable: serviceAccount.name
+ description: "Name of a service account in the target namespace that has cluster-admin permissions. This is needed for the K10 to be able to protect cluster resources."
+ type: string
+ label: Service Account Name
+ required: false
+ group: "Service Account"
+
+# ========================
+# License
+# ========================
+
+- variable: license
+ description: "License string obtained from Kasten"
+ type: multiline
+ label: License String
+ group: "License"
+- variable: eula.accept
+ description: "Whether to enable accept EULA before installation"
+ type: boolean
+ label: Enable accept EULA before installation
+ group: "License"
+ show_subquestion_if: true
+ subquestions:
+ - variable: eula.company
+ description: "Company name. Required field if EULA is accepted"
+ type: string
+ label: Company Name
+ - variable: eula.email
+ description: "Contact email. Required field if EULA is accepted"
+ type: string
+ label: Contact Email
diff --git a/charts/k10/k10/5.0.200/templates/NOTES.txt b/charts/k10/k10/5.0.200/templates/NOTES.txt
new file mode 100644
index 000000000..240f3062d
--- /dev/null
+++ b/charts/k10/k10/5.0.200/templates/NOTES.txt
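Review bot: `secrets.googleApiKey` is the only credential on this form declared as `type: multiline` rather than `type: password`, so the pasted base64-encoded service-account key is presumably rendered and retained unmasked by the questions UI, while `secrets.awsSecretAccessKey`, `secrets.azureClientSecret` and `auth.oidcAuth.clientSecret` are masked. If the `password` type cannot hold a multi-line base64 blob, the field should at least state what it holds so operators treat it as a long-lived private key, e.g. `description: "Base64 encoded GCP Service Account key file; a long-lived credential that is not masked in this form (required if cluster is deployed on Google Cloud)"`. The field's `label` (`Non-default base64 encoded GCP Service Account key file`) would benefit from the same wording.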
@@ -0,0 +1,47 @@
+Thank you for installing Kasten’s K10 Data Management Platform!
+
+Documentation can be found at https://docs.kasten.io/.
+
+How to access the K10 Dashboard:
+
+{{ if .Values.ingress.create }}
+You are using the system's default ingress controller. Please ask your
+administrator for instructions on how to access the cluster.
+
+WebUI location: https://{{ default "Your ingress endpoint" .Values.ingress.host }}/{{ default .Release.Name .Values.ingress.urlPath }}
+{{ end }}
+
+The K10 dashboard is not exposed externally. To establish a connection to it use the following `kubectl` command:
+
+`kubectl --namespace {{ .Release.Namespace }} port-forward service/gateway 8080:{{ .Values.service.externalPort }}`
+
+The Kasten dashboard will be available at: `http{{ if or (and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey) .Values.externalGateway.awsSSLCertARN }}s{{ end }}://127.0.0.1:8080/{{ .Release.Name }}/#/`
+
+{{ if.Values.externalGateway.create }}
+{{ if .Values.externalGateway.fqdn.name }}
+
+The K10 Dashboard is accessible via {{ if or (and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey) .Values.externalGateway.awsSSLCertARN }}https{{ else }}http{{ end }}://{{ .Values.externalGateway.fqdn.name }}/{{ .Release.Name }}/#/
+
+{{ else }}
+
+The K10 Dashboard is accessible via a LoadBalancer. Find the service's EXTERNAL IP using:
+ `kubectl get svc gateway-ext --namespace {{ .Release.Namespace }} -o wide`
+And use it in following URL
+ `http://SERVICE_EXTERNAL_IP/{{ .Release.Name }}/#/`
+{{ end }}
+{{ end }}
+
+{{ if and ( .Values.metering.awsManagedLicense ) ( not .Values.metering.licenseConfigSecretName ) }}
+
+IAM Role created during installation need to have permissions that allow K10 to
+perform operations on EBS and, if needed, EFS and S3. Please create a policy
+with required permissions, and use the commands below to attach the policy to
+the service account.
+
+`ROLE_NAME=$(kubectl get serviceaccount {{ .Values.serviceAccount.name }} -n {{ .Release.Namespace }} -ojsonpath="{.metadata.annotations['eks\.amazonaws\.com/role-arn']}" | awk -F '/' '{ print $(NF) }')`
+`aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn `
+
+Refer to `https://docs.kasten.io/latest/install/aws-containers-anywhere/aws-containers-anywhere.html#attaching-permissions-for-eks-installations`
+for more information.
+
+{{ end }}
\ No newline at end of file
diff --git a/charts/k10/k10/5.0.200/templates/_definitions.tpl b/charts/k10/k10/5.0.200/templates/_definitions.tpl
new file mode 100644
index 000000000..256cd003e
--- /dev/null
+++ b/charts/k10/k10/5.0.200/templates/_definitions.tpl
@@ -0,0 +1,185 @@ +{{/* Autogenerated, do NOT modify */}} +{{- define "k10.additionalServices" -}}frontend kanister {{- end -}} +{{- define "k10.restServices" -}}admin auth bloblifecyclemanager catalog controllermanager crypto dashboardbff events executor jobs logging metering mccontrollermanager state vbrintegrationapi {{- end -}} +{{- define "k10.services" -}}aggregatedapis {{- end -}} +{{- define "k10.exposedServices" -}}auth dashboardbff vbrintegrationapi {{- end -}} +{{- define "k10.statelessServices" -}}admin aggregatedapis auth bloblifecyclemanager controllermanager crypto dashboardbff events executor mccontrollermanager state vbrintegrationapi {{- end -}} +{{- define "k10.colocatedServices" -}}admin: + isExposed: false + port: 8001 + primary: state +bloblifecyclemanager: + isExposed: true + port: 8001 + primary: crypto +events: + isExposed: true + port: 8002 + primary: crypto +vbrintegrationapi: + isExposed: true + port: 8001 + primary: dashboardbff +{{- end -}} +{{- define "k10.colocatedServiceLookup" -}}crypto: +- bloblifecyclemanager +- events +dashboardbff: +- vbrintegrationapi +state: +- admin +{{- end -}} +{{- define "k10.aggregatedAPIs" -}}actions apps vault {{- end -}} +{{- define "k10.configAPIs" -}}config{{- end -}} +{{- define "k10.profiles" -}}profiles{{- end -}} +{{- define "k10.policies" -}}policies{{- end -}} +{{- define "k10.reportingAPIs" -}}reporting{{- end -}} +{{- define "k10.distAPIs" -}}dist{{- end -}} +{{- define "k10.actionsAPIs" -}}actions{{- end -}} +{{- define "k10.backupActions" -}}backupactions{{- end -}} +{{- define "k10.backupActionsDetails" -}}backupactions/details{{- end -}} +{{- define "k10.reportActions" -}}reportactions{{- end -}} +{{- define "k10.reportActionsDetails" -}}reportactions/details{{- end -}} +{{- define "k10.restoreActions" -}}restoreactions{{- end -}} +{{- define "k10.restoreActionsDetails" -}}restoreactions/details{{- end -}} +{{- define "k10.importActions" -}}importactions{{- end -}} +{{- define 
"k10.exportActions" -}}exportactions{{- end -}} +{{- define "k10.exportActionsDetails" -}}exportactions/details{{- end -}} +{{- define "k10.retireActions" -}}retireactions{{- end -}} +{{- define "k10.runActions" -}}runactions{{- end -}} +{{- define "k10.backupClusterActions" -}}backupclusteractions{{- end -}} +{{- define "k10.backupClusterActionsDetails" -}}backupclusteractions/details{{- end -}} +{{- define "k10.restoreClusterActions" -}}restoreclusteractions{{- end -}} +{{- define "k10.restoreClusterActionsDetails" -}}restoreclusteractions/details{{- end -}} +{{- define "k10.cancelActions" -}}cancelactions{{- end -}} +{{- define "k10.appsAPIs" -}}apps{{- end -}} +{{- define "k10.restorePoints" -}}restorepoints{{- end -}} +{{- define "k10.restorePointsDetails" -}}restorepoints/details{{- end -}} +{{- define "k10.clusterRestorePoints" -}}clusterrestorepoints{{- end -}} +{{- define "k10.clusterRestorePointsDetails" -}}clusterrestorepoints/details{{- end -}} +{{- define "k10.applications" -}}applications{{- end -}} +{{- define "k10.applicationsDetails" -}}applications/details{{- end -}} +{{- define "k10.vaultAPIs" -}}vault{{- end -}} +{{- define "k10.passkey" -}}passkeys{{- end -}} +{{- define "k10.authAPIs" -}}auth{{- end -}} +{{- define "k10.defaultConcurrentSnapshotConversions" -}}3{{- end -}} +{{- define "k10.defaultConcurrentWorkloadSnapshots" -}}5{{- end -}} +{{- define "k10.defaultK10DataStoreParallelUpload" -}}8{{- end -}} +{{- define "k10.defaultK10DataStoreGeneralContentCacheSizeMB" -}}0{{- end -}} +{{- define "k10.defaultK10DataStoreGeneralMetadataCacheSizeMB" -}}500{{- end -}} +{{- define "k10.defaultK10DataStoreRestoreContentCacheSizeMB" -}}500{{- end -}} +{{- define "k10.defaultK10DataStoreRestoreMetadataCacheSizeMB" -}}500{{- end -}} +{{- define "k10.defaultK10BackupBufferFileHeadroomFactor" -}}1.1{{- end -}} +{{- define "k10.defaultK10LimiterGenericVolumeSnapshots" -}}10{{- end -}} +{{- define "k10.defaultK10LimiterGenericVolumeCopies" -}}10{{- end 
-}} +{{- define "k10.defaultK10LimiterGenericVolumeRestores" -}}10{{- end -}} +{{- define "k10.defaultK10LimiterCsiSnapshots" -}}10{{- end -}} +{{- define "k10.defaultK10LimiterProviderSnapshots" -}}10{{- end -}} +{{- define "k10.defaultAssumeRoleDuration" -}}60m{{- end -}} +{{- define "k10.defaultKanisterBackupTimeout" -}}45{{- end -}} +{{- define "k10.defaultKanisterRestoreTimeout" -}}600{{- end -}} +{{- define "k10.defaultKanisterDeleteTimeout" -}}45{{- end -}} +{{- define "k10.defaultKanisterHookTimeout" -}}20{{- end -}} +{{- define "k10.defaultKanisterCheckRepoTimeout" -}}20{{- end -}} +{{- define "k10.defaultKanisterStatsTimeout" -}}20{{- end -}} +{{- define "k10.defaultKanisterEFSPostRestoreTimeout" -}}45{{- end -}} +{{- define "k10.cloudProviders" -}} aws google azure {{- end -}} +{{- define "k10.serviceResources" -}} +admin-svc: + admin-svc: + requests: + cpu: 2m + memory: 160Mi +aggregatedapis-svc: + aggregatedapis-svc: + requests: + cpu: 90m + memory: 180Mi +auth-svc: + auth-svc: + requests: + cpu: 2m + memory: 30Mi +bloblifecyclemanager-svc: + bloblifecyclemanager-svc: + requests: + cpu: 10m + memory: 40Mi +catalog-svc: + catalog-svc: + requests: + cpu: 200m + memory: 780Mi + kanister-sidecar: + limits: + cpu: 1200m + memory: 800Mi + requests: + cpu: 100m + memory: 800Mi +controllermanager-svc: + controllermanager-svc: + requests: + cpu: 5m + memory: 30Mi +crypto-svc: + crypto-svc: + requests: + cpu: 1m + memory: 30Mi +dashboardbff-svc: + dashboardbff-svc: + requests: + cpu: 8m + memory: 40Mi +events-svc: + events-svc: + requests: + cpu: 3m + memory: 500Mi +executor-svc: + executor-svc: + requests: + cpu: 3m + memory: 50Mi + tools: + requests: + cpu: 1m + memory: 2Mi +frontend-svc: + frontend-svc: + requests: + cpu: 1m + memory: 40Mi +jobs-svc: + jobs-svc: + requests: + cpu: 30m + memory: 380Mi +kanister-svc: + kanister-svc: + requests: + cpu: 1m + memory: 30Mi +logging-svc: + logging-svc: + requests: + cpu: 2m + memory: 40Mi +metering-svc: + 
metering-svc: + requests: + cpu: 2m + memory: 30Mi +state-svc: + state-svc: + requests: + cpu: 2m + memory: 30Mi +{{- end -}} +{{- define "k10.multiClusterVersion" -}}2{{- end -}} +{{- define "k10.mcExternalPort" -}}18000{{- end -}} +{{- define "k10.ambassadorImageTag" -}}3.0.0{{- end -}} +{{- define "k10.kanisterToolsImageTag" -}}0.80.0{{- end -}} +{{- define "k10.dexImageTag" -}}v2.24.0{{- end -}} +{{- define "k10.rhAmbassadorImageTag" -}}2.1.2{{- end -}} diff --git a/charts/k10/k10/5.0.200/templates/_helpers.tpl b/charts/k10/k10/5.0.200/templates/_helpers.tpl new file mode 100644 index 000000000..5326fc66b --- /dev/null +++ b/charts/k10/k10/5.0.200/templates/_helpers.tpl 
@@ -0,0 +1,688 @@
+{{/* Check if basic auth is needed */}}
+{{- define "basicauth.check" -}}
+ {{- if .Values.auth.basicAuth.enabled }}
+ {{- print true }}
+ {{- end -}} {{/* End of check for auth.basicAuth.enabled */}}
+{{- end -}}
+
+{{/*
+Check if trusted root CA certificate related configmap settings
+have been configured
+*/}}
+{{- define "check.cacertconfigmap" -}}
+{{- if .Values.cacertconfigmap.name -}}
+{{- print true -}}
+{{- else -}}
+{{- print false -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Check if the auth options are implemented using Dex
+*/}}
+{{- define "check.dexAuth" -}}
+{{- if or .Values.auth.openshift.enabled .Values.auth.ldap.enabled -}}
+{{- print true -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Check the only 1 auth is specified */}}
+{{- define "singleAuth.check" -}}
+{{- $count := dict "count" (int 0) -}}
+{{- $authList := list .Values.auth.basicAuth.enabled .Values.auth.tokenAuth.enabled .Values.auth.oidcAuth.enabled .Values.auth.openshift.enabled .Values.auth.ldap.enabled -}}
+{{- range $i, $val := $authList }}
+{{ if $val }}
+{{ $c := add1 $count.count | set $count "count" }}
+{{ if gt $count.count 1 }}
+{{- fail "Multiple auth types were selected. Only one type can be enabled." }}
+{{ end }}
+{{ end }}
+{{- end }}
+{{- end -}}{{/* Check the only 1 auth is specified */}}
+
+{{/* Check if Auth is enabled */}}
+{{- define "authEnabled.check" -}}
+{{- $count := dict "count" (int 0) -}}
+{{- $authList := list .Values.auth.basicAuth.enabled .Values.auth.tokenAuth.enabled .Values.auth.oidcAuth.enabled .Values.auth.openshift.enabled .Values.auth.ldap.enabled -}}
+{{- range $i, $val := $authList }}
+{{ if $val }}
+{{ $c := add1 $count.count | set $count "count" }}
+{{ end }}
+{{- end }}
+{{- if eq $count.count 0}}
+ {{- fail "Auth is required to expose access to K10." }}
+{{- end }}
+{{- end -}}{{/*end of check */}}
+
+{{/* Return ingress class name annotation */}}
+{{- define "ingressClassAnnotation" -}}
+{{- if .Values.ingress.class -}}
+kubernetes.io/ingress.class: {{ .Values.ingress.class | quote }}
+{{- end -}}
+{{- end -}}
+
+{{/* Helm required labels */}}
+{{- define "helm.labels" -}}
+heritage: {{ .Release.Service }}
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+app.kubernetes.io/name: {{ .Chart.Name }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{ include "k10.common.matchLabels" . }}
+{{- end -}}
+
+{{- define "k10.common.matchLabels" -}}
+app: {{ .Chart.Name }}
+release: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "k10.defaultRBACLabels" -}}
+k10.kasten.io/default-rbac-object: "true"
+{{- end -}}
+
+{{/* Expand the name of the chart. */}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "serviceAccountName" -}}
+{{- if and .Values.metering.awsMarketplace ( not .Values.serviceAccount.name ) -}}
+ {{ print "k10-metering" }}
+{{- else if .Values.serviceAccount.create -}}
+ {{ default (include "fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the metering service account to use
+*/}}
+{{- define "meteringServiceAccountName" -}}
+{{- if and .Values.metering.awsManagedLicense ( not .Values.serviceAccount.name ) ( not .Values.metering.serviceAccount.name ) ( not .Values.metering.licenseConfigSecretName ) -}}
+ {{ print "k10-metering" }}
+{{- else -}}
+ {{ default (include "serviceAccountName" .) .Values.metering.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Prints annotations based on .Values.fqdn.type
+*/}}
+{{- define "dnsAnnotations" -}}
+{{- if .Values.externalGateway.fqdn.name -}}
+{{- if eq "route53-mapper" ( default "" .Values.externalGateway.fqdn.type) }}
+domainName: {{ .Values.externalGateway.fqdn.name | quote }}
+{{- end }}
+{{- if eq "external-dns" (default "" .Values.externalGateway.fqdn.type) }}
+external-dns.alpha.kubernetes.io/hostname: {{ .Values.externalGateway.fqdn.name | quote }}
+{{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Prometheus scrape config template for k10 services
+*/}}
+{{- define "k10.prometheusScrape" -}}
+{{- $admin_port := default 8877 .main.Values.service.gatewayAdminPort -}}
+- job_name: {{ .k10service }}
+ metrics_path: /metrics
+ {{- if eq "aggregatedapis" .k10service }}
+ scheme: https
+ tls_config:
+ insecure_skip_verify: true
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ {{- else }}
+ scheme: http
+ {{- end }}
+ static_configs:
+ - targets:
+ {{- if eq "gateway" .k10service }}
+ - {{ .k10service }}-admin.{{ .main.Release.Namespace }}.svc.{{ .main.Values.cluster.domainName }}:{{ $admin_port }}
+ {{- else if eq "aggregatedapis" .k10service }}
+ - {{ .k10service }}-svc.{{ .main.Release.Namespace }}.svc.{{ .main.Values.cluster.domainName }}:443
+ {{- else }}
+ {{- $service := default .k10service (index (include "k10.colocatedServices" . | fromYaml) .k10service).primary }}
+ {{- $port := default .main.Values.service.externalPort (index (include "k10.colocatedServices" . | fromYaml) .k10service).port }}
+ - {{ $service }}-svc.{{ .main.Release.Namespace }}.svc.{{ .main.Values.cluster.domainName }}:{{ $port }}
+ {{- end }}
+ labels:
+ application: {{ .main.Release.Name }}
+ service: {{ .k10service }}
+{{- end -}}
+
+{{/*
+Prometheus scrape config template for k10 services
+*/}}
+{{- define "k10.prometheusTargetConfig" -}}
+{{- $admin_port := default 8877 .main.Values.service.gatewayAdminPort | toString -}}
+- service: {{ .k10service }}
+ metricsPath: /metrics
+ {{- if eq "aggregatedapis" .k10service }}
+ scheme: https
+ tls_config:
+ insecure_skip_verify: true
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ {{- else }}
+ scheme: http
+ {{- end }}
+ {{- $serviceFqdn := "" }}
+ {{- $servicePort := "" }}
+ {{- if eq "gateway" .k10service -}}
+ {{- $serviceFqdn = printf "%s-admin.%s.svc.%s" .k10service .main.Release.Namespace .main.Values.cluster.domainName -}}
+ {{- $servicePort = $admin_port -}}
+ {{- else if eq "aggregatedapis" .k10service -}}
+ {{- $serviceFqdn = printf "%s-svc.%s.svc.%s" .k10service .main.Release.Namespace .main.Values.cluster.domainName -}}
+ {{- $servicePort = "443" -}}
+ {{- else -}}
+ {{- $service := default .k10service (index (include "k10.colocatedServices" . | fromYaml) .k10service).primary -}}
+ {{- $port := default .main.Values.service.externalPort (index (include "k10.colocatedServices" . | fromYaml) .k10service).port | toString -}}
+ {{- $serviceFqdn = printf "%s-svc.%s.svc.%s" $service .main.Release.Namespace .main.Values.cluster.domainName -}}
+ {{- $servicePort = $port -}}
+ {{- end }}
+ fqdn: {{ $serviceFqdn }}
+ port: {{ $servicePort }}
+ application: {{ .main.Release.Name }}
+{{- end -}}
+
+{{/*
+Expands the name of the Prometheus chart. It is equivalent to what the
+"prometheus.name" template does. It is needed because the referenced values in a
+template are relative to where/when the template is called from, and not where
+the template is defined at. This means that the value of .Chart.Name and
+.Values.nameOverride are different depending on whether the template is called
+from within the Prometheus chart or the K10 chart.
+*/}}
+{{- define "k10.prometheus.name" -}}
+{{- default "prometheus" .Values.prometheus.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Expands the name of the Prometheus service created to expose the prometheus server.
+*/}}
+{{- define "k10.prometheus.service.name" -}}
+{{- default (printf "%s-%s-%s" .Release.Name "prometheus" .Values.prometheus.server.name) .Values.prometheus.server.fullnameOverride }}
+{{- end -}}
+
+{{/*
+Checks if EULA is accepted via cmd
+Enforces eula.company and eula.email as required fields
+returns configMap fields
+*/}}
+{{- define "k10.eula.fields" -}}
+{{- if .Values.eula.accept -}}
+accepted: "true"
+company: {{ required "eula.company is required field if eula is accepted" .Values.eula.company }}
+email: {{ required "eula.email is required field if eula is accepted" .Values.eula.email }}
+{{- else -}}
+accepted: ""
+company: ""
+email: ""
+{{- end }}
+{{- end -}}
+
+{{/*
+Helper to determine the API Domain
+*/}}
+{{- define "apiDomain" -}}
+{{- if .Values.useNamespacedAPI -}}
+kio.{{- replace "-" "." .Release.Namespace -}}
+{{- else -}}
+kio.kasten.io
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get dex image, if user wants to
+install certified version of upstream
+images or not
+*/}}
+{{- define "k10.dexImage" -}}
+{{- if not .Values.rhMarketPlace }}
+{{- printf "%s:%s" ( include "k10.dexImageRepo" . ) (include "k10.dexTag" .) }}
+{{- else }}
+{{- printf "%s" (get .Values.images "dex") }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get dex image repo based on conditions
+if its airgapped and red hat images are
+required
+*/}}
+{{- define "k10.dexImageRepo" -}}
+{{- if .Values.global.upstreamCertifiedImages }}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "%s/dex" .Values.global.airgapped.repository }}
+{{- else }}
+{{- printf "%s/%s/dex" .Values.image.registry .Values.image.repository }}
+{{- end}}
+{{- else }}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "%s/dex" .Values.global.airgapped.repository }}
+{{- else }}
+{{- printf "%s/%s/%s" .Values.dexImage.registry .Values.dexImage.repository .Values.dexImage.image }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Get dex image tag based on conditions
+if its airgapped and red hat images are
+required
+*/}}
+{{- define "k10.dexTag" -}}
+{{- if .Values.global.upstreamCertifiedImages }}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "k10-%s-rh-ubi" (include "k10.dexImageTag" .) }}
+{{- else }}
+{{- printf "%s-rh-ubi" (include "k10.dexImageTag" .) }}
+{{- end}}
+{{- else }}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "k10-%s" (include "k10.dexImageTag" .) }}
+{{- else }}
+{{- printf "%s" (include "k10.dexImageTag" .) }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Get ambassador image base on whether
+we or not we are installing k10 on openshift
+*/}}
+{{- define "k10.ambImage" -}}
+{{- if not .Values.global.rhMarketPlace }}
+{{- printf "%s:%s" ( include "k10.ambImageRepo" .) (include "k10.ambImageTag" .) }}
+{{- else }}
+{{- printf "%s" (get .Values.global.images "emissary") }}
+{{- end -}}
+{{- end -}}
+
+{{- define "k10.ambImageRepo" -}}
+{{- if .Values.global.upstreamCertifiedImages }}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "%s/emissary" .Values.global.airgapped.repository }}
+{{- else }}
+{{- printf "%s/%s/emissary" .Values.image.registry .Values.image.repository }}
+{{- end }}
+{{- else }}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "%s/emissary" .Values.global.airgapped.repository }}
+{{- else }}
+{{- printf "%s/%s/%s" .Values.ambassadorImage.registry .Values.ambassadorImage.repository .Values.ambassadorImage.image }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{- define "k10.ambImageTag" -}}
+{{- if .Values.global.upstreamCertifiedImages }}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "k10-%s-rh-ubi" (include "k10.rhAmbassadorImageTag" .) }}
+{{- else }}
+{{- printf "%s-rh-ubi" (include "k10.rhAmbassadorImageTag" .) }}
+{{- end }}
+{{- else }}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "k10-%s" (include "k10.ambassadorImageTag" .) }}
+{{- else }}
+{{- printf "%s" (include "k10.ambassadorImageTag" .) 
}} +{{- end }} +{{- end }} +{{- end -}} + +{{/* +Check if AWS creds are specified +*/}} +{{- define "check.awscreds" -}} +{{- if or .Values.secrets.awsAccessKeyId .Values.secrets.awsSecretAccessKey -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if kanister-tools image has k10- in name +this means we need to overwrite kanister image in the system +*/}} +{{- define "overwite.kanisterToolsImage" -}} +{{- if or .Values.global.airgapped.repository .Values.global.rhMarketPlace -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Figure out the kanisterToolsImage.image based on +the value of airgapped.repository value +The details on how these image are being generated +is in below issue +https://kasten.atlassian.net/browse/K10-4036 +Using substr to remove repo from kanisterToolsImage +*/}} +{{- define "get.kanisterToolsImage" }} +{{- if not .Values.global.rhMarketPlace }} +{{- if .Values.global.airgapped.repository }} +{{- printf "%s/%s:k10-%s" (.Values.global.airgapped.repository) (.Values.kanisterToolsImage.image) (include "k10.kanisterToolsImageTag" .) -}} +{{- else }} +{{- printf "%s/%s/%s:%s" (.Values.kanisterToolsImage.registry) (.Values.kanisterToolsImage.repository) (.Values.kanisterToolsImage.image) (include "k10.kanisterToolsImageTag" .) 
-}} +{{- end }} +{{- else }} +{{- printf "%s" (get .Values.global.images "kanister-tools") -}} +{{- end }} +{{- end }} + +{{/* +Check if Google creds are specified +*/}} +{{- define "check.googlecreds" -}} +{{- if .Values.secrets.googleApiKey -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if IBM SL api key is specified +*/}} +{{- define "check.ibmslcreds" -}} +{{- if or .Values.secrets.ibmSoftLayerApiKey .Values.secrets.ibmSoftLayerApiUsername -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if Azure creds are specified +*/}} +{{- define "check.azurecreds" -}} +{{- if or (or .Values.secrets.azureTenantId .Values.secrets.azureClientId) .Values.secrets.azureClientSecret -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if Vsphere creds are specified +*/}} +{{- define "check.vspherecreds" -}} +{{- if or (or .Values.secrets.vsphereEndpoint .Values.secrets.vsphereUsername) .Values.secrets.vspherePassword -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if Vault creds are specified +*/}} +{{- define "check.vaultcreds" -}} +{{- if .Values.vault.secretName -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Checks and enforces only 1 set of cloud creds is specified +*/}} +{{- define "enforce.singlecloudcreds" -}} +{{- $count := dict "count" (int 0) -}} +{{- $main := . -}} +{{- range $ind, $cloud_provider := include "k10.cloudProviders" . | splitList " " }} +{{ if eq (include (printf "check.%screds" $cloud_provider) $main) "true" }} +{{ $c := add1 $count.count | set $count "count" }} +{{ if gt $count.count 1 }} +{{- fail "Credentials for different cloud providers were provided but only one is allowed. Please verify your .secrets.* values." 
}} +{{ end }} +{{ end }} +{{- end }} +{{- end -}} + +{{/* +Converts .Values.features into k10-features: map[string]: "value" +*/}} +{{- define "k10.features" -}} +{{ range $n, $v := .Values.features }} +{{ $n }}: {{ $v | quote -}} +{{ end }} +{{- end -}} + +{{/* +Returns a license base64 either from file or from values +or prints it for awsmarketplace or awsManagedLicense +*/}} +{{- define "k10.getlicense" -}} +{{- if .Values.metering.awsMarketplace -}} +{{- print "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" -}} +{{- else if or ( .Values.metering.awsManagedLicense ) ( .Values.metering.licenseConfigSecretName ) -}} +{{- print "Y3VzdG9tZXJOYW1lOiBhd3MtdG90ZW0KZGF0ZUVuZDogJzIxMDAtMDEtMDFUMDA6MDA6MDAuMDAwWicKZGF0ZVN0YXJ0OiAnMjAyMS0wOS0wMVQwMDowMDowMC4wMDBaJwpmZWF0dXJlczoKICBleHRlcm5hbExpY2Vuc2U6IGF3cwogIHByb2R1Y3RTS1U6IGI4YzgyMWQ5LWJmNDAtNDE4ZC1iYTBiLTgxMjBiZjc3ZThmOQogIGtleUZpbmdlcnByaW50OiBhd3M6Mjk0NDA2ODkxMzExOkFXUy9NYXJrZXRwbGFjZTppc3N1ZXItZmluZ2VycHJpbnQKaWQ6IGF3cy1leHQtMWUxMTVlZjMtM2YyMC00MTJlLTgzODItMmE1NWUxMTc1OTFlCnByb2R1Y3Q6IEsxMApyZXN0cmljdGlvbnM6CiAgbm9kZXM6ICczJwp2ZXJzaW9uOiB2MS4wLjAKc2lnbmF0dXJlOiBkeEtLN3pPUXdzZFBOY2I1NExzV2hvUXNWeWZSVDNHVHZ0VkRuR1Vvb2VxSGlwYStTY25HTjZSNmdmdmtWdTRQNHh4RmV1TFZQU3k2VnJYeExOTE1RZmh2NFpBSHVrYmFNd3E5UXhGNkpGSmVXbTdzQmdtTUVpWVJ2SnFZVFcyMlNoakZEU1RWejY5c2JBTXNFMUd0VTdXKytITGk0dnhybjVhYkd6RkRHZW5iRE5tcXJQT3dSa3JIdTlHTFQ1WmZTNDFUL0hBMjNZZnlsTU54MGFlK2t5TGZvZXNuK3FKQzdld2NPWjh4eE94bFRJR3RuWDZ4UU5DTk5iYjhSMm5XbmljNVd0OElEc2VDR3lLMEVVRW9YL09jNFhsWVVra3FGQ0xPdVhuWDMxeFZNZ1NFQnVEWExFd3Y3K2RlSmcvb0pMaW9EVHEvWUNuM0lnem9VR2NTMGc9PQo=" -}} +{{- else -}} +{{- print (default (.Files.Get "license") .Values.license) -}} +{{- end -}} +{{- end -}} + +{{/* +Returns resource usage given a pod name and container name +*/}} +{{- define "k10.resource.request" -}} +{{- $resourceDefaultList := (include "k10.serviceResources" .main | fromYaml) }} +{{- $podName := .k10_service_pod_name }} +{{- $containerName := .k10_service_container_name }} 
+{{- $resourceValue := "" }} +{{- if (hasKey $resourceDefaultList $podName) }} + {{- $resourceValue = index (index $resourceDefaultList $podName) $containerName }} +{{- end }} +{{- if (hasKey .main.Values.resources $podName) }} + {{- if (hasKey (index .main.Values.resources $podName) $containerName) }} + {{- $resourceValue = index (index .main.Values.resources $podName) $containerName }} + {{- end }} +{{- end }} +{{- /* If no resource usage value was provided, do not include the resources section */}} +{{- /* This allows users to set unlimited resources by providing a service key that is empty (e.g. `--set resources.=`) */}} +{{- if $resourceValue }} +resources: +{{- $resourceValue | toYaml | trim | nindent 2 }} +{{- else if eq .main.Release.Namespace "default" }} +resources: + requests: + cpu: "0.01" +{{- end }} +{{- end -}} + +{{- define "kanisterToolsResources" }} +{{- if .Values.genericVolumeSnapshot.resources.requests.memory }} +KanisterToolsMemoryRequests: {{ .Values.genericVolumeSnapshot.resources.requests.memory | quote }} +{{- end }} +{{- if .Values.genericVolumeSnapshot.resources.requests.cpu }} +KanisterToolsCPURequests: {{ .Values.genericVolumeSnapshot.resources.requests.cpu | quote }} +{{- end }} +{{- if .Values.genericVolumeSnapshot.resources.limits.memory }} +KanisterToolsMemoryLimits: {{ .Values.genericVolumeSnapshot.resources.limits.memory | quote }} +{{- end }} +{{- if .Values.genericVolumeSnapshot.resources.limits.cpu }} +KanisterToolsCPULimits: {{ .Values.genericVolumeSnapshot.resources.limits.cpu | quote }} +{{- end }} +{{- end }} + +{{- define "get.kanisterPodCustomLabels" -}} +{{- if .Values.kanisterPodCustomLabels }} +KanisterPodCustomLabels: {{ .Values.kanisterPodCustomLabels | quote }} +{{- end }} +{{- end }} + +{{- define "get.kanisterPodCustomAnnotations" -}} +{{- if .Values.kanisterPodCustomAnnotations }} +KanisterPodCustomAnnotations: {{ .Values.kanisterPodCustomAnnotations | quote }} +{{- end }} +{{- end }} + +{{/* +Lookup and return 
only enabled colocated services +*/}} +{{- define "get.enabledColocatedSvcList" -}} +{{- $enabledColocatedSvcList := dict }} +{{- $colocatedList := include "k10.colocatedServiceLookup" . | fromYaml }} +{{- range $primary, $secondaryList := $colocatedList }} + {{- $enabledSecondarySvcList := list }} + {{- range $skip, $secondary := $secondaryList }} + {{- if or (not (hasKey $.Values.optionalColocatedServices $secondary)) ((index $.Values.optionalColocatedServices $secondary).enabled) }} + {{- $enabledSecondarySvcList = append $enabledSecondarySvcList $secondary }} + {{- end }} + {{- end }} + {{- if gt (len $enabledSecondarySvcList) 0 }} + {{- $enabledColocatedSvcList = set $enabledColocatedSvcList $primary $enabledSecondarySvcList }} + {{- end }} +{{- end }} +{{- $enabledColocatedSvcList | toYaml | trim | nindent 0}} +{{- end -}} + +{{- define "get.serviceContainersInPod" -}} +{{- $podService := .k10_service_pod }} +{{- $colocatedList := include "k10.colocatedServices" . | fromYaml }} +{{- $colocatedLookupByPod := include "get.enabledColocatedSvcList" .main | fromYaml }} +{{- $containerList := list $podService }} +{{- if hasKey $colocatedLookupByPod $podService }} + {{- $containerList = concat $containerList (index $colocatedLookupByPod $podService)}} +{{- end }} +{{- $containerList | join " " }} +{{- end -}} + +{{- define "get.statefulRestServicesInPod" -}} +{{- $statefulRestSvcsInPod := list }} +{{- $podService := .k10_service_pod }} +{{- $containerList := (dict "main" .main "k10_service_pod" $podService | include "get.serviceContainersInPod" | splitList " ") }} +{{- if .main.Values.global.persistence.enabled }} + {{- range $skip, $containerInPod := $containerList }} + {{- $isRestService := has $containerInPod (include "k10.restServices" . | splitList " ") }} + {{- $isStatelessService := has $containerInPod (include "k10.statelessServices" . 
| splitList " ") }} + {{- if and $isRestService (not $isStatelessService) }} + {{- $statefulRestSvcsInPod = append $statefulRestSvcsInPod $containerInPod }} + {{- end }} + {{- end }} +{{- end }} +{{- $statefulRestSvcsInPod | join " " }} +{{- end -}} + +{{- define "k10.ingressPath" -}} + {{- if and .Values.global.ingress.create .Values.global.route.enabled -}} + {{ fail "Either enable ingress or route"}} + {{- end -}} + {{- if .Values.global.ingress.create -}} + {{ if .Values.global.ingress.urlPath }} + {{- print .Values.global.ingress.urlPath -}} + {{ else }} + {{- print .Release.Name -}} + {{- end -}} + {{- else if .Values.global.route.enabled -}} + {{ if .Values.global.route.path }} + {{- print .Values.global.route.path -}} + {{ else }} + {{- print .Release.Name -}} + {{- end -}} + {{ else }} + {{- print .Release.Name -}} + {{- end -}} +{{- end -}} + + +{{/* +Check if encryption keys are specified +*/}} +{{- define "check.primaryKey" -}} +{{- if (or .Values.encryption.primaryKey.awsCmkKeyId .Values.encryption.primaryKey.vaultTransitKeyName) -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{- define "check.validateMonitoringProperties" -}} +{{- include "check.monitoringPrefix" . -}} +{{- include "check.monitoringFullNameOverride" . -}} +{{- end -}} + +{{- define "check.monitoringPrefix" -}} +{{- if eq .Values.prometheus.server.enabled .Values.grafana.enabled -}} +{{- if not (eq .Values.prometheus.server.prefixURL .Values.grafana.prometheusPrefixURL) -}} +{{ fail "Prometheus and Grafana prefixURL should match. Please check values of prometheus.server.prefixURL and grafana.prometheusPrefixURL" }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "check.monitoringFullNameOverride" -}} +{{- if eq .Values.prometheus.server.enabled .Values.grafana.enabled -}} +{{- if not (eq .Values.prometheus.server.fullnameOverride .Values.grafana.prometheusName) -}} +{{ fail "The Prometheus name overrides must match. 
Please check values of prometheus.server.fullnameOverride and grafana.prometheusName" }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "check.validateImagePullSecrets" -}} + {{/* Validate image pull secrets if a custom Docker config is provided */}} + {{- if (or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath ) -}} + {{- if (and .Values.grafana.enabled (not .Values.global.imagePullSecret) (not .Values.grafana.image.pullSecrets)) -}} + {{ fail "A custom Docker config was provided, but Grafana is not configured to use it. Please check that global.imagePullSecret is set correctly." }} + {{- end -}} + {{- if (and .Values.prometheus.server.enabled (not .Values.global.imagePullSecret) (not .Values.prometheus.imagePullSecrets)) -}} + {{ fail "A custom Docker config was provided, but Prometheus is not configured to use it. Please check that global.imagePullSecret is set correctly." }} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "k10.imagePullSecrets" }} +{{- $imagePullSecrets := list .Values.global.imagePullSecret }}{{/* May be empty, but the compact below will handle that */}} +{{- if (or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath) }} + {{- $imagePullSecrets = concat $imagePullSecrets (list "k10-ecr") }} +{{- end }} +{{- $imagePullSecrets = $imagePullSecrets | compact | uniq }} + +{{- if $imagePullSecrets }} +imagePullSecrets: + {{- range $imagePullSecrets }} + {{/* Check if the name is not empty string */}} + - name: {{ . }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Below helper template functions are referred from chart +https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus/templates/_helpers.tpl +*/}} + +{{/* +Return kubernetes version +*/}} +{{- define "k10.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+" .Capabilities.KubeVersion.Version) -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. 
+*/}} +{{- define "ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19.x" (include "k10.kubeVersion" .)) -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "extensions/v1beta1" -}} + {{- print "extensions/v1beta1" -}} + {{- else -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Is ingress part of stable APIVersion. +*/}} +{{- define "ingress.isStable" -}} + {{- eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} + + +{{- define "check.validatePrometheusConfig" -}} + {{if and ( and .Values.global.prometheus.external.host .Values.global.prometheus.external.port) .Values.prometheus.server.enabled}} + {{ fail "Both internal and external Prometheus configs are not allowed at same time"}} + {{- end -}} +{{- end -}} diff --git a/charts/k10/k10/5.0.200/templates/_k10_container.tpl b/charts/k10/k10/5.0.200/templates/_k10_container.tpl new file mode 100644 index 000000000..bd2516c5e --- /dev/null +++ b/charts/k10/k10/5.0.200/templates/_k10_container.tpl 
@@ -0,0 +1,671 @@
+{{- define "k10-containers" }}
+{{- $pod := .k10_pod }}
+{{- with .main }}
+{{- $main_context := . }}
+{{- $colocatedList := include "k10.colocatedServices" . | fromYaml }}
+{{- $containerList := (dict "main" $main_context "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }}
+ containers:
+{{- range $skip, $container := $containerList }}
+ {{- $port := default $main_context.Values.service.externalPort (index $colocatedList $container).port }}
+ {{- $serviceStateful := has $container (dict "main" $main_context "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }}
+ {{- dict "main" $main_context "k10_pod" $pod "k10_container" $container "externalPort" $port "stateful" $serviceStateful | include "k10-container" }}
+{{- end }}
+{{- end }}{{/* with .main */}}
+{{- end }}{{/* define "k10-containers" */}}
+
+{{- define "k10-container" }}
+{{- $pod := .k10_pod }}
+{{- $service := .k10_container }}
+{{- $externalPort := .externalPort }}
+{{- with .main }}
+ - name: {{ $service }}-svc
+ {{- dict "main" . "k10_service" $service | include "serviceImage" | indent 8 }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+{{- if eq $service "aggregatedapis" }}
+ args:
+ - "--secure-port={{ .Values.service.aggregatedApiPort }}"
+ - "--cert-dir=/tmp/apiserver.local.config/certificates/"
+{{- if .Values.useNamespacedAPI }}
+ - "--k10-api-domain={{ template "apiDomain" . }}"
+{{- end }}{{/* .Values.useNamespacedAPI */}}
+{{/*
+We need this explicit conversion because installation using operator hub was failing
+stating that types are not same for the equality check
+*/}}
+{{- else if not (eq (int .Values.service.externalPort) (int $externalPort) ) }}
+ args:
+ - "--port={{ $externalPort }}"
+ - "--host=0.0.0.0"
+{{- end }}{{/* eq $service "aggregatedapis" */}}
+{{- $podName := (printf "%s-svc" $service) }}
+{{- $containerName := (printf "%s-svc" $service) }}
+{{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" $containerName | include "k10.resource.request" | indent 8}}
+ ports:
+{{- if eq $service "aggregatedapis" }}
+ - containerPort: {{ .Values.service.aggregatedApiPort }}
+{{- else }}
+ - containerPort: {{ $externalPort }}
+ {{- if eq $service "mccontrollermanager" }}
+ - containerPort: {{ include "k10.mcExternalPort" nil }}
+ {{- end }}
+{{- end }}
+{{- if eq $service "logging" }}
+ - containerPort: 24224
+ protocol: TCP
+ - containerPort: 24225
+ protocol: TCP
+{{- end }}
+ livenessProbe:
+{{- if eq $service "aggregatedapis" }}
+ tcpSocket:
+ port: {{ .Values.service.aggregatedApiPort }}
+ timeoutSeconds: 5
+{{- else }}
+ httpGet:
+ path: /v0/healthz
+ port: {{ $externalPort }}
+ timeoutSeconds: 1
+{{- end }}
+ initialDelaySeconds: 300
+{{- if ne $service "aggregatedapis" }}
+ readinessProbe:
+ httpGet:
+ path: /v0/healthz
+ port: {{ $externalPort }}
+ initialDelaySeconds: 3
+{{- end }}
+ env:
+{{- if eq (include "check.googlecreds" .) "true" }}
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: "/var/run/secrets/kasten.io/kasten-gke-sa.json"
+{{- end }}
+{{- if eq (include "check.ibmslcreds" .) "true" }}
+ - name: IBM_SL_API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: ibmsl-secret
+ key: ibm_sl_key
+ - name: IBM_SL_API_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: ibmsl-secret
+ key: ibm_sl_username
+{{- end }}
+{{- if eq (include "check.azurecreds" .) "true" }}
+ - name: AZURE_TENANT_ID
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_tenant_id
+ - name: AZURE_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_client_id
+ - name: AZURE_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_client_secret
+{{- if .Values.secrets.azureResourceGroup }}
+ - name: AZURE_RESOURCE_GROUP
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_resource_group
+{{- end }}
+{{- if .Values.secrets.azureSubscriptionID }}
+ - name: AZURE_SUBSCRIPTION_ID
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_subscription_id
+{{- end }}
+{{- if .Values.secrets.azureResourceMgrEndpoint }}
+ - name: AZURE_RESOURCE_MANAGER_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_resource_manager_endpoint
+{{- end }}
+{{- if .Values.secrets.azureADEndpoint }}
+ - name: AZURE_AD_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_ad_endpoint
+{{- end }}
+{{- if .Values.secrets.azureADResourceID }}
+ - name: AZURE_AD_RESOURCE
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_ad_resource_id
+{{- end }}
+{{- if .Values.secrets.azureCloudEnvID }}
+ - name: AZURE_CLOUD_ENV_ID
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_cloud_env_id
+{{- end }}
+{{- end }}
+{{- if eq (include "check.awscreds" .) "true" }}
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: aws-creds
+ key: aws_access_key_id
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: aws-creds
+ key: aws_secret_access_key
+{{- if .Values.secrets.awsIamRole }}
+ - name: K10_AWS_IAM_ROLE
+ valueFrom:
+ secretKeyRef:
+ name: aws-creds
+ key: role
+{{- end }}
+{{- end }}
+{{- if eq (include "check.vaultcreds" .) "true" }}
+ - name: VAULT_ADDR
+ value: {{ .Values.vault.address }}
+ - name: VAULT_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.vault.secretName }}
+ key: vault_token
+{{- end }}
+{{- if eq (include "check.vspherecreds" .) "true" }}
+ - name: VSPHERE_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ name: vsphere-creds
+ key: vsphere_endpoint
+ - name: VSPHERE_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: vsphere-creds
+ key: vsphere_username
+ - name: VSPHERE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: vsphere-creds
+ key: vsphere_password
+{{- end }}
+ - name: VERSION
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: version
+{{- if .Values.clusterName }}
+ - name: CLUSTER_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: clustername
+{{- end }}
+{{- if eq $service "controllermanager" }}
+ - name: K10_STATEFUL
+ value: "{{ .Values.global.persistence.enabled }}"
+{{- end }}
+ - name: MODEL_STORE_DIR
+{{- if or (eq $service "state") (not .Values.global.persistence.enabled) }}
+ value: "/tmp/k10store"
+{{- else }}
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: modelstoredirname
+{{- end }}
+{{- if or (eq $service "kanister") (eq $service "executor")}}
+ - name: DATA_MOVER_IMAGE
+ value: {{ default .Chart.AppVersion .Values.image.tag | print .Values.image.registry "/" .Values.image.repository "/datamover:" }}
+ - name: KANISTER_POD_READY_WAIT_TIMEOUT
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterPodReadyWaitTimeout
+{{- end }}
+ - name: LOG_LEVEL
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: loglevel
+{{- if .Values.kanisterPodCustomLabels }}
+ - name: KANISTER_POD_CUSTOM_LABELS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterPodCustomLabels
+{{- end }}
+{{- if .Values.kanisterPodCustomAnnotations }}
+ - name: KANISTER_POD_CUSTOM_ANNOTATIONS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: kanisterPodCustomAnnotations
+{{- end }}
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CONCURRENT_SNAP_CONVERSIONS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: concurrentSnapConversions
+ - name: CONCURRENT_WORKLOAD_SNAPSHOTS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: concurrentWorkloadSnapshots
+ - name: K10_DATA_STORE_PARALLEL_UPLOAD
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: k10DataStoreParallelUpload
+ - name: K10_DATA_STORE_GENERAL_CONTENT_CACHE_SIZE_MB
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: k10DataStoreGeneralContentCacheSizeMB
+ - name: K10_DATA_STORE_GENERAL_METADATA_CACHE_SIZE_MB
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: k10DataStoreGeneralMetadataCacheSizeMB
+ - name: K10_DATA_STORE_RESTORE_CONTENT_CACHE_SIZE_MB
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: k10DataStoreRestoreContentCacheSizeMB
+ - name: K10_DATA_STORE_RESTORE_METADATA_CACHE_SIZE_MB
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: k10DataStoreRestoreMetadataCacheSizeMB
+ - name: K10_LIMITER_GENERIC_VOLUME_SNAPSHOTS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: K10LimiterGenericVolumeSnapshots
+ - name: K10_LIMITER_GENERIC_VOLUME_COPIES
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: K10LimiterGenericVolumeCopies
+ - name: K10_LIMITER_GENERIC_VOLUME_RESTORES
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: K10LimiterGenericVolumeRestores
+ - name: K10_LIMITER_CSI_SNAPSHOTS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: K10LimiterCsiSnapshots
+ - name: K10_LIMITER_PROVIDER_SNAPSHOTS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: K10LimiterProviderSnapshots
+ - name: AWS_ASSUME_ROLE_DURATION
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: AWSAssumeRoleDuration
+{{- if (eq $service "executor") }}
+ - name: KANISTER_BACKUP_TIMEOUT
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterBackupTimeout
+ - name: KANISTER_RESTORE_TIMEOUT
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterRestoreTimeout
+ - name: KANISTER_DELETE_TIMEOUT
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterDeleteTimeout
+ - name: KANISTER_HOOK_TIMEOUT
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterHookTimeout
+ - name: KANISTER_CHECKREPO_TIMEOUT
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterCheckRepoTimeout
+ - name: KANISTER_STATS_TIMEOUT
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterStatsTimeout
+ - name: KANISTER_EFSPOSTRESTORE_TIMEOUT
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterEFSPostRestoreTimeout
+{{- end }}
+{{- if and (eq $service "executor") (.Values.awsConfig.efsBackupVaultName) }}
+ - name: EFS_BACKUP_VAULT_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: efsBackupVaultName
+{{- end }}
+{{- if and (eq $service "executor") (.Values.vmWare.taskTimeoutMin) }}
+ - name: VMWARE_GOM_TIMEOUT_MIN
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: vmWareTaskTimeoutMin
+{{- end }}
+{{- if .Values.useNamespacedAPI }}
+ - name: K10_API_DOMAIN
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: apiDomain
+{{- end }}
+{{- if .Values.jaeger.enabled }}
+ - name: JAEGER_AGENT_HOST
+ value: {{ .Values.jaeger.agentDNS }}
+{{- end }}
+{{- if .Values.auth.tokenAuth.enabled }}
+ - name: TOKEN_AUTH
+ valueFrom:
+ secretKeyRef:
+ name: k10-token-auth
+ key: auth
+{{- end }}
+{{- if eq "true" (include "overwite.kanisterToolsImage" .) }}
+ - name: KANISTER_TOOLS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: overwriteKanisterTools
+{{- end }}
+{{- if eq (include "check.cacertconfigmap" .) "true" }}
+ - name: CACERT_CONFIGMAP_NAME
+ value: {{ .Values.cacertconfigmap.name }}
+{{- end }}
+ - name: K10_RELEASE_NAME
+ value: {{ .Release.Name }}
+ - name: KANISTER_FUNCTION_VERSION
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: kanisterFunctionVersion
+{{- if and (eq $service "controllermanager") (.Values.injectKanisterSidecar.enabled) }}
+ - name: K10_MUTATING_WEBHOOK_ENABLED
+ value: "true"
+ - name: K10_MUTATING_WEBHOOK_TLS_CERT_DIR
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: K10MutatingWebhookTLSCertDir
+ - name: K10_MUTATING_WEBHOOK_PORT
+ value: {{ .Values.injectKanisterSidecar.webhookServer.port | quote }}
+{{- end }}
+{{- if or (eq $service "controllermanager") (eq $service "kanister") }}
+{{- if .Values.genericVolumeSnapshot.resources.requests.memory }}
+ - name: KANISTER_TOOLS_MEMORY_REQUESTS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterToolsMemoryRequests
+{{- end }}
+{{- if .Values.genericVolumeSnapshot.resources.requests.cpu }}
+ - name: KANISTER_TOOLS_CPU_REQUESTS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterToolsCPURequests
+{{- end }}
+{{- if .Values.genericVolumeSnapshot.resources.limits.memory }}
+ - name: KANISTER_TOOLS_MEMORY_LIMITS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterToolsMemoryLimits
+{{- end }}
+{{- if .Values.genericVolumeSnapshot.resources.limits.cpu }}
+ - name: KANISTER_TOOLS_CPU_LIMITS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterToolsCPULimits
+{{- end }}
+{{- end }}
+{{- if (list "dashboardbff" "controllermanager" "executor" | has $service) }}
+ {{- if .Values.prometheus.server.enabled }}
+ - name: K10_PROMETHEUS_HOST
+ value: {{ include "k10.prometheus.service.name" . }}-exp
+ - name: K10_PROMETHEUS_PORT
+ value: {{ .Values.prometheus.server.service.servicePort | quote }}
+ - name: K10_PROMETHEUS_BASE_URL
+ value: {{ .Values.prometheus.server.baseURL }}
+ {{- else -}}
+ {{- if and .Values.global.prometheus.external.host .Values.global.prometheus.external.port}}
+ - name: K10_PROMETHEUS_HOST
+ value: {{ .Values.global.prometheus.external.host }}
+ - name: K10_PROMETHEUS_PORT
+ value: {{ .Values.global.prometheus.external.port | quote }}
+ - name: K10_PROMETHEUS_BASE_URL
+ value: {{ .Values.global.prometheus.external.baseURL }}
+ {{- end -}}
+ {{- end }}
+ - name: K10_GRAFANA_ENABLED
+ value: {{ .Values.grafana.enabled | quote }}
+{{- end }}
+{{- if or $.stateful (or (eq (include "check.googlecreds" .) "true") (eq $service "auth" "logging")) }}
+ volumeMounts:
+{{- else if or (or (eq (include "basicauth.check" .) "true") (or .Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" .) "true"))) .Values.features }}
+ volumeMounts:
+{{- else if and (eq $service "controllermanager") (.Values.injectKanisterSidecar.enabled) }}
+ volumeMounts:
+{{- else if eq (include "check.cacertconfigmap" .) "true" }}
+ volumeMounts:
+{{- end }}
+{{- if $.stateful }}
+ - name: {{ $service }}-persistent-storage
+ mountPath: {{ .Values.global.persistence.mountPath | quote }}
+{{- end }}
+{{- if .Values.features }}
+ - name: k10-features
+ mountPath: "/mnt/k10-features"
+{{- end }}
+{{- if eq $service "logging" }}
+ - name: logging-configmap-storage
+ mountPath: "/mnt/conf"
+{{- end }}
+{{- if and (eq $service "controllermanager") (.Values.injectKanisterSidecar.enabled) }}
+ - name: mutating-webhook-certs
+ mountPath: /etc/ssl/certs/webhook
+ readOnly: true
+{{- end }}
+{{- if eq (include "basicauth.check" .) "true" }}
+ - name: k10-basic-auth
+ mountPath: "/var/run/secrets/kasten.io/k10-basic-auth"
+ readOnly: true
+{{- end }}
+{{- if (or .Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" .) "true")) }}
+ - name: k10-oidc-auth
+ mountPath: "/var/run/secrets/kasten.io/k10-oidc-auth"
+ readOnly: true
+{{- end }}
+{{- if eq (include "check.googlecreds" .) "true" }}
+ - name: service-account
+ mountPath: "/var/run/secrets/kasten.io"
+{{- end }}
+{{- if eq (include "check.cacertconfigmap" .) "true" }}
+ - name: {{ .Values.cacertconfigmap.name }}
+ mountPath: "/etc/ssl/certs/custom-ca-bundle.pem"
+ subPath: custom-ca-bundle.pem
+{{- end }}
+{{- if .Values.toolsImage.enabled }}
+{{- if eq $service "executor" }}
+ - name: tools
+ {{- dict "main" . "k10_service" "cephtool" | include "serviceImage" | indent 8 }}
+ imagePullPolicy: {{ .Values.toolsImage.pullPolicy }}
+{{- $podName := (printf "%s-svc" $service) }}
+{{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" "tools" | include "k10.resource.request" | indent 8}}
+{{- end }}
+{{- end }} {{/* .Values.toolsImage.enabled */}}
+{{- if and (eq $service "catalog") $.stateful }}
+ - name: kanister-sidecar
+ image: {{ include "get.kanisterToolsImage" .}}
+ imagePullPolicy: {{ .Values.kanisterToolsImage.pullPolicy }}
+{{- $podName := (printf "%s-svc" $service) }}
+{{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" "kanister-sidecar" | include "k10.resource.request" | indent 8}}
+ volumeMounts:
+ - name: {{ $service }}-persistent-storage
+ mountPath: {{ .Values.global.persistence.mountPath | quote }}
+{{- if eq (include "check.cacertconfigmap" .) "true" }}
+ - name: {{ .Values.cacertconfigmap.name }}
+ mountPath: "/etc/ssl/certs/custom-ca-bundle.pem"
+ subPath: custom-ca-bundle.pem
+{{- end }}
+{{- end }} {{/* and (eq $service "catalog") $.stateful */}}
+{{- if and ( eq $service "auth" ) ( or .Values.auth.dex.enabled (eq (include "check.dexAuth" .) "true")) }}
+ - name: dex
+ image: {{ include "k10.dexImage" . }}
+{{- if .Values.auth.ldap.enabled }}
+ command: ["/usr/local/bin/dex", "serve", "/dex-config/config.yaml"]
+{{- else }}
+ command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"]
+{{- end }}
+ ports:
+ - name: http
+ containerPort: 8080
+ volumeMounts:
+{{- if .Values.auth.ldap.enabled }}
+ - name: dex-config
+ mountPath: /dex-config
+ - name: k10-logos-dex
+ mountPath: /web/themes/custom/
+{{- else }}
+ - name: config
+ mountPath: /etc/dex/cfg
+{{- end }}
+{{- if eq (include "check.cacertconfigmap" .) "true" }}
+ - name: {{ .Values.cacertconfigmap.name }}
+ mountPath: "/etc/ssl/certs/custom-ca-bundle.pem"
+ subPath: custom-ca-bundle.pem
+{{- end }}
+{{- end }} {{/* end of dex check */}}
+{{- end }}{{/* with .main */}}
+{{- end }}{{/* define "k10-container" */}}
+
+{{- define "k10-init-container-header" }}
+{{- $pod := .k10_pod }}
+{{- with .main }}
+{{- $main_context := . }}
+{{- $containerList := (dict "main" $main_context "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }}
+{{- $needsInitContainersHeader := false }}
+{{- range $skip, $service := $containerList }}
+{{- $serviceStateful := has $service (dict "main" $main_context "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }}
+ {{- if and ( eq $service "auth" ) $main_context.Values.auth.ldap.enabled }}
+ {{- $needsInitContainersHeader = true }}
+ {{- else if $serviceStateful }}
+ {{- $needsInitContainersHeader = true }}
+ {{- end }}{{/* initContainers header needed check */}}
+{{- end }}{{/* range $skip, $service := $containerList */}}
+{{- if $needsInitContainersHeader }}
+ initContainers:
+{{- end }}
+{{- end }}{{/* with .main */}}
+{{- end }}{{/* define "k10-init-container-header" */}}
+
+{{- define "k10-init-container" }}
+{{- $pod := .k10_pod }}
+{{- with .main }}
+{{- $main_context := . }}
+{{- $containerList := (dict "main" $main_context "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }}
+{{- range $skip, $service := $containerList }}
+{{- $serviceStateful := has $service (dict "main" $main_context "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }}
+{{- if and ( eq $service "auth" ) $main_context.Values.auth.ldap.enabled }}
+ - name: dex-init
+ command:
+ - /dex/dexconfigmerge
+ args:
+ - --config-path=/etc/dex/cfg/config.yaml
+ - --secret-path=/var/run/secrets/kasten.io/bind-secret/bindPW
+ - --new-config-path=/dex-config/config.yaml
+ - --secret-field=bindPW
+ {{- dict "main" $main_context "k10_service" $service | include "serviceImage" | indent 8 }}
+ volumeMounts:
+ - mountPath: /etc/dex/cfg
+ name: config
+ - mountPath: /dex-config
+ name: dex-config
+ - name: bind-secret
+ mountPath: "/var/run/secrets/kasten.io/bind-secret"
+ readOnly: true
+{{- else if $serviceStateful }}
+ - name: upgrade-init
+ securityContext:
+ runAsUser: 0
+ allowPrivilegeEscalation: true
+ {{- dict "main" $main_context "k10_service" "upgrade" | include "serviceImage" | indent 8 }}
+ imagePullPolicy: {{ $main_context.Values.image.pullPolicy }}
+ env:
+ - name: MODEL_STORE_DIR
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: modelstoredirname
+ volumeMounts:
+ - name: {{ $service }}-persistent-storage
+ mountPath: {{ $main_context.Values.global.persistence.mountPath | quote }}
+{{- if eq $service "catalog" }}
+ - name: schema-upgrade-check
+ {{- dict "main" $main_context "k10_service" $service | include "serviceImage" | indent 8 }}
+ imagePullPolicy: {{ $main_context.Values.image.pullPolicy }}
+ env:
+{{- if $main_context.Values.clusterName }}
+ - name: CLUSTER_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: clustername
+{{- end }}
+ - name: INIT_CONTAINER
+ value: "true"
+ - name: K10_RELEASE_NAME
+ value: {{ $main_context.Release.Name }}
+ - name: LOG_LEVEL
+ valueFrom:
+
configMapKeyRef: + name: k10-config + key: loglevel + - name: MODEL_STORE_DIR + valueFrom: + configMapKeyRef: + name: k10-config + key: modelstoredirname + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: VERSION + valueFrom: + configMapKeyRef: + name: k10-config + key: version + volumeMounts: + - name: {{ $service }}-persistent-storage + mountPath: {{ $main_context.Values.global.persistence.mountPath | quote }} +{{- end }}{{/* eq $service "catalog" */}} +{{- end }}{{/* initContainers definitions */}} +{{- end }}{{/* range $skip, $service := $containerList */}} +{{- end }}{{/* with .main */}} +{{- end }}{{/* define "k10-init-container" */}} diff --git a/charts/k10/k10/5.0.200/templates/_k10_metering.tpl b/charts/k10/k10/5.0.200/templates/_k10_metering.tpl new file mode 100644 index 000000000..7d46662cc --- /dev/null +++ b/charts/k10/k10/5.0.200/templates/_k10_metering.tpl 
@@ -0,0 +1,287 @@ +{{/* Generate service spec */}} +{{/* because of https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/issues/165 +we have to start using .Values.reportingSecret instead +of correct version .Values.metering.reportingSecret */}} +{{- define "k10-metering" }} +{{ $service := .k10_service }} +{{ $main := .main }} +{{- with .main }} +{{- $servicePort := .Values.service.externalPort -}} +{{- $optionalServices := .Values.optionalColocatedServices -}} +{{- $rbac := .Values.prometheus.rbac.create -}} +{{- if $.stateful }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + namespace: {{ .Release.Namespace }} + name: {{ $service }}-pv-claim + labels: +{{ include "helm.labels" . | indent 4 }} + component: {{ $service }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ default .Values.global.persistence.size (index .Values.global.persistence $service "size") }} +{{- if .Values.global.persistence.storageClass }} + {{- if (eq "-" .Values.global.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.global.persistence.storageClass }}" + {{- end }} +{{- end }} +--- +{{- end }}{{/* if $.stateful */}} +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: {{ include "fullname" . 
}}-metering-config +data: + config: | +{{- if .Values.metering.reportingKey }} + identities: + - name: gcp + gcp: + encodedServiceAccountKey: {{ .Values.metering.reportingKey }} +{{- end }} + metrics: + - name: node_time + type: int + passthrough: {} + endpoints: + - name: on_disk +{{- if .Values.metering.reportingKey }} + - name: servicecontrol +{{- end }} + endpoints: + - name: on_disk + disk: +{{- if .Values.global.persistence.enabled }} + reportDir: /var/reports/ubbagent/reports +{{- else }} + reportDir: /tmp/reports/ubbagent/reports +{{- end }} + expireSeconds: 3600 +{{- if .Values.metering.reportingKey }} + - name: servicecontrol + servicecontrol: + identity: gcp + serviceName: kasten-k10.mp-kasten-public.appspot.com + consumerId: {{ .Values.metering.consumerId }} +{{- end }} + prometheusTargets: | +{{- range append (include "k10.restServices" . | splitList " ") "kanister" }} +{{- if or (not (hasKey $optionalServices .)) (index $optionalServices .).enabled }} +{{ $tmpcontx := dict "main" $main "k10service" . -}} +{{ include "k10.prometheusTargetConfig" $tmpcontx | trim | indent 4 -}} +{{- end }} +{{- end }} +{{- range include "k10.services" . | splitList " " }} +{{- if (or (ne . "aggregatedapis") ($rbac)) }} +{{ $tmpcontx := dict "main" $main "k10service" . -}} +{{ include "k10.prometheusTargetConfig" $tmpcontx | indent 4 -}} +{{- end }} +{{- end }} +{{- range include "k10.additionalServices" . | splitList " " }} +{{- if not (eq . "frontend") }} +{{ $tmpcontx := dict "main" $main "k10service" . -}} +{{ include "k10.prometheusTargetConfig" $tmpcontx | indent 4 -}} +{{- end }} +{{- end }} + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: {{ .Release.Namespace }} + name: {{ $service }}-svc + labels: +{{ include "helm.labels" . | indent 4 }} + component: {{ $service }} +spec: + replicas: {{ $.replicas }} + strategy: + type: Recreate + selector: + matchLabels: +{{ include "k10.common.matchLabels" . 
| indent 6 }} + component: {{ $service }} + run: {{ $service }}-svc + template: + metadata: + annotations: + checksum/config: {{ include (print .Template.BasePath "/k10-config.yaml") . | sha256sum }} + checksum/secret: {{ include (print .Template.BasePath "/secrets.yaml") . | sha256sum }} + labels: +{{ include "helm.labels" . | indent 8 }} + component: {{ $service }} + run: {{ $service }}-svc + spec: + securityContext: +{{ toYaml .Values.services.securityContext | indent 8 }} + serviceAccountName: {{ template "meteringServiceAccountName" . }} + {{- include "k10.imagePullSecrets" . | indent 6 }} +{{- if $.stateful }} + initContainers: + - name: upgrade-init + securityContext: + runAsUser: 0 + allowPrivilegeEscalation: true + {{- dict "main" . "k10_service" "upgrade" | include "serviceImage" | indent 8 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: MODEL_STORE_DIR + value: /var/reports/ + volumeMounts: + - name: {{ $service }}-persistent-storage + mountPath: /var/reports/ +{{- end }} + containers: + - name: {{ $service }}-svc + {{- dict "main" . "k10_service" $service | include "serviceImage" | indent 8 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} +{{- if eq .Release.Namespace "default" }} +{{- $podName := (printf "%s-svc" $service) }} +{{- $containerName := (printf "%s-svc" $service) }} +{{- dict "main" . 
"k10_service_pod_name" $podName "k10_service_container_name" $containerName | include "k10.resource.request" | indent 8}} +{{- end }} + ports: + - containerPort: {{ .Values.service.externalPort }} + livenessProbe: + httpGet: + path: /v0/healthz + port: {{ .Values.service.externalPort }} + initialDelaySeconds: 90 + timeoutSeconds: 1 + env: + - name: VERSION + valueFrom: + configMapKeyRef: + name: k10-config + key: version +{{- if .Values.clusterName }} + - name: CLUSTER_NAME + valueFrom: + configMapKeyRef: + name: k10-config + key: clustername +{{- end }} + - name: LOG_LEVEL + valueFrom: + configMapKeyRef: + name: k10-config + key: loglevel + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace +{{- if .Values.useNamespacedAPI }} + - name: K10_API_DOMAIN + valueFrom: + configMapKeyRef: + name: k10-config + key: apiDomain +{{- end }} + - name: AGENT_CONFIG_FILE + value: /var/ubbagent/config.yaml + - name: AGENT_STATE_DIR +{{- if .Values.global.persistence.enabled }} + value: "/var/reports/ubbagent" +{{- else }} + value: "/tmp/reports/ubbagent" + - name: K10_REPORTING_DIR + value: "/tmp/reports/k10/syncV2" + - name: K10SYNCSTATUSDIR + value: "/tmp/reports/k10" + - name: GRACE_PERIOD_STORE + value: /tmp/reports/clustergraceperiod + - name: NODE_USAGE_STORE + value: /tmp/reports/node_usage_history +{{- end }} +{{- if eq "true" (include "overwite.kanisterToolsImage" .) 
}} + - name: KANISTER_TOOLS + valueFrom: + configMapKeyRef: + name: k10-config + key: overwriteKanisterTools +{{- end }} +{{- if .Values.metering.awsRegion }} + - name: AWS_REGION + value: {{ .Values.metering.awsRegion }} +{{- end }} +{{- if .Values.metering.mode }} + - name: K10REPORTMODE + value: {{ .Values.metering.mode }} +{{- end }} +{{- if .Values.metering.reportCollectionPeriod }} + - name: K10_REPORT_COLLECTION_PERIOD + value: {{ .Values.metering.reportCollectionPeriod | quote }} +{{- end }} +{{- if .Values.metering.reportPushPeriod }} + - name: K10_REPORT_PUSH_PERIOD + value: {{ .Values.metering.reportPushPeriod | quote }} +{{- end }} +{{- if .Values.metering.promoID }} + - name: K10_PROMOTION_ID + value: {{ .Values.metering.promoID }} +{{- end }} +{{- if .Values.reportingSecret }} + - name: AGENT_CONSUMER_ID + valueFrom: + secretKeyRef: + name: {{ .Values.reportingSecret }} + key: consumer-id + - name: AGENT_REPORTING_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.reportingSecret }} + key: reporting-key + - name: K10_RELEASE_NAME + value: {{ .Release.Name }} +{{- end }} +{{- if .Values.metering.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.metering.licenseConfigSecretName }} + key: iam_role +{{- end }} + volumeMounts: + - name: meter-config + mountPath: /var/ubbagent +{{- if $.stateful }} + - name: {{ $service }}-persistent-storage + mountPath: /var/reports/ +{{- end }} +{{- if .Values.metering.licenseConfigSecretName }} + - name: awsmp-product-license + mountPath: "/var/run/secrets/product-license" +{{- end }} + volumes: + - name: meter-config + configMap: + name: {{ include "fullname" . 
}}-metering-config + items: + - key: config + path: config.yaml + - key: prometheusTargets + path: prometheusTargets.yaml +{{- if $.stateful }} + - name: {{ $service }}-persistent-storage + persistentVolumeClaim: + claimName: {{ $service }}-pv-claim +{{- end }} +{{- if .Values.metering.licenseConfigSecretName }} + - name: awsmp-product-license + secret: + secretName: {{ .Values.metering.licenseConfigSecretName }} +{{- end }} +--- +{{- end }}{{/* with .main */}} +{{- end }}{{/* define "k10-metering" */}} diff --git a/charts/k10/k10/5.0.200/templates/_k10_serviceimage.tpl b/charts/k10/k10/5.0.200/templates/_k10_serviceimage.tpl new file mode 100644 index 000000000..d9e69a8a4 --- /dev/null +++ b/charts/k10/k10/5.0.200/templates/_k10_serviceimage.tpl 
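Review bot: `encodedServiceAccountKey: {{ .Values.metering.reportingKey }}` writes the GCP reporting credential into the `-metering-config` ConfigMap, which is readable by anyone with ConfigMap read access in the namespace and is echoed by `helm get manifest`; the `.Values.reportingSecret` path further down already sources the same kind of material via `secretKeyRef`, so the key should be served from a Secret and mounted or referenced in the same way. Separately, `K10_PROMOTION_ID`, `AWS_REGION` and `K10REPORTMODE` are emitted without `| quote` while the neighbouring period values use it; an all-digit promo ID renders as a YAML integer and is rejected as an env value, so `value: {{ .Values.metering.promoID | quote }}` (and likewise for the other two) is the safer form. The `upgrade-init` container also sets `runAsUser: 0` with `allowPrivilegeEscalation: true`, overriding the pod-level `services.securityContext`; a one-line comment stating why root is required there (presumably ownership of the persisted report directory — confirm) would help anyone reviewing this against a restricted admission policy.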
@@ -0,0 +1,51 @@ +{{/* +Helper to get k10 service image +The details on how these image are being generated +is in below issue +https://kasten.atlassian.net/browse/K10-4036 +Using substr to remove repo from ambassadorImage +*/}} +{{- define "serviceImage" -}} +{{/* +we are maintaining the field .Values.images to override it when +we install the chart for red hat marketplace. If we dont +have the value specified use earlier flow, if it is, use the +value that is specified. +*/}} +{{- if not .main.Values.global.rhMarketPlace }} +{{- $serviceImage := "" -}} +{{- $tagFromDefs := "" -}} +{{- if .main.Values.global.airgapped.repository }} +{{- $serviceImage = default .main.Chart.AppVersion .main.Values.image.tag | print .main.Values.global.airgapped.repository "/" .k10_service ":" }} +{{- else if contains .main.Values.image.registry .main.Values.image.repository }} +{{- $serviceImage = default .main.Chart.AppVersion .main.Values.image.tag | print .main.Values.image.repository "/" .k10_service ":" }} +{{- else }} +{{- $serviceImage = default .main.Chart.AppVersion .main.Values.image.tag | print .main.Values.image.registry "/" .main.Values.image.repository "/" .k10_service ":" }} +{{- end }}{{/* if .main.Values.global.airgapped.repository */}} +{{- $serviceImageKey := print (replace "-" "" .k10_service) "Image" }} +{{- if eq $serviceImageKey "ambassadorImage" }} +{{- $tagFromDefs = (include "k10.ambassadorImageTag" .) }} +{{- else if eq $serviceImageKey "dexImage" }} +{{- $tagFromDefs = (include "k10.dexImageTag" .) 
}} +{{- end }}{{/* if eq $serviceImageKey "ambassadorImage" */}} +{{- if index .main.Values $serviceImageKey }} +{{- $service_values := index .main.Values $serviceImageKey }} +{{- if .main.Values.global.airgapped.repository }} +{{ $valuesImage := (splitList "/" (index $service_values "image")) }} +{{- if $tagFromDefs }} +image: {{ printf "%s/%s:k10-%s" .main.Values.global.airgapped.repository (index $valuesImage (sub (len $valuesImage) 1) ) $tagFromDefs -}} +{{- end }} +{{- else }}{{/* .main.Values.global.airgapped.repository */}} +{{- if $tagFromDefs }} +image: {{ printf "%s:%s" (index $service_values "image") $tagFromDefs }} +{{- else }} +image: {{ index $service_values "image" }} +{{- end }} +{{- end }}{{/* .main.Values.global.airgapped.repository */}} +{{- else }} +image: {{ $serviceImage }} +{{- end -}}{{/* index .main.Values $serviceImageKey */}} +{{- else }} +image: {{ printf "%s" (get .main.Values.global.images .k10_service) }} +{{- end }}{{/* if not .main.Values.images.executor */}} +{{- end -}}{{/* define "serviceImage" */}} diff --git a/charts/k10/k10/5.0.200/templates/_k10_template.tpl b/charts/k10/k10/5.0.200/templates/_k10_template.tpl new file mode 100644 index 000000000..ce25564b6 --- /dev/null +++ b/charts/k10/k10/5.0.200/templates/_k10_template.tpl 
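Review bot: In the airgapped branch of the values-override path, `{{- if $tagFromDefs }}image: ...{{- end }}` has no else, so a service whose `<service>Image` override is set while `global.airgapped.repository` is configured but no default tag exists (every service other than ambassador and dex) renders no `image:` line at all and the container spec is invalid. The non-airgapped branch immediately below handles that case with `image: {{ index $service_values "image" }}`, so an equivalent else that prefixes the airgapped repository to the override image name is needed here. The closing comment `{{/* if not .main.Values.images.executor */}}` no longer matches the condition it closes, `if not .main.Values.global.rhMarketPlace`, and `{{ $valuesImage := ... }}` lacks the `{{-` trim its neighbours use, emitting a stray blank line. Every image reference is tag-addressed; accepting a digest form (`@sha256:` in place of `:tag`) would let air-gapped mirrors pin exactly the artefacts that were vetted.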
@@ -0,0 +1,190 @@ +{{/* Generate service spec */}} +{{- define "k10-default" }} +{{- $service := .k10_service }} +{{- with .main }} +{{- $main_context := . }} +{{- range $skip, $statefulContainer := compact (dict "main" $main_context "k10_service_pod" $service | include "get.statefulRestServicesInPod" | splitList " ") }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + namespace: {{ $main_context.Release.Namespace }} + name: {{ $statefulContainer }}-pv-claim + labels: +{{ include "helm.labels" $main_context | indent 4 }} + component: {{ $statefulContainer }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ index (index $main_context.Values.global.persistence $statefulContainer | default dict) "size" | default $main_context.Values.global.persistence.size }} +{{- if $main_context.Values.global.persistence.storageClass }} + {{- if (eq "-" $main_context.Values.global.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $main_context.Values.global.persistence.storageClass }}" + {{- end }} +{{- end }} +--- +{{- end }}{{/* if $.stateful */}} +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: {{ .Release.Namespace }} + name: {{ $service }}-svc + labels: +{{ include "helm.labels" . | indent 4 }} + component: {{ $service }} +spec: + replicas: {{ $.replicas }} + strategy: + type: Recreate + selector: + matchLabels: +{{ include "k10.common.matchLabels" . | indent 6 }} + component: {{ $service }} + run: {{ $service }}-svc + template: + metadata: + annotations: + checksum/config: {{ include (print .Template.BasePath "/k10-config.yaml") . | sha256sum }} + checksum/secret: {{ include (print .Template.BasePath "/secrets.yaml") . | sha256sum }} +{{- if .Values.auth.ldap.restartPod }} + rollme: {{ randAlphaNum 5 | quote }} +{{- end}} + labels: +{{ include "helm.labels" . 
| indent 8 }} + component: {{ $service }} + run: {{ $service }}-svc + spec: +{{- if eq $service "executor" }} +{{- if .Values.services.executor.hostNetwork }} + hostNetwork: true +{{- end }}{{/* .Values.services.executor.hostNetwork */}} +{{- end }}{{/* eq $service "executor" */}} +{{- if eq $service "aggregatedapis" }} +{{- if .Values.services.aggregatedapis.hostNetwork }} + hostNetwork: true +{{- end }}{{/* .Values.services.aggregatedapis.hostNetwork */}} +{{- end }}{{/* eq $service "aggregatedapis" */}} +{{- if eq $service "dashboardbff" }} +{{- if .Values.services.dashboardbff.hostNetwork }} + hostNetwork: true +{{- end }}{{/* .Values.services.dashboardbff.hostNetwork */}} +{{- end }}{{/* eq $service "dashboardbff" */}} + securityContext: +{{ toYaml .Values.services.securityContext | indent 8 }} + serviceAccountName: {{ template "serviceAccountName" . }} + {{- include "k10.imagePullSecrets" . | indent 6 }} +{{- /* initContainers: */}} +{{- (dict "main" . "k10_pod" $service | include "k10-init-container-header") }} +{{- (dict "main" . "k10_pod" $service | include "k10-init-container") }} +{{- /* containers: */}} +{{- (dict "main" . "k10_pod" $service | include "k10-containers") }} +{{- /* volumes: */}} +{{- (dict "main" . "k10_pod" $service | include "k10-deployment-volumes-header") }} +{{- (dict "main" . "k10_pod" $service | include "k10-deployment-volumes") }} +--- +{{- end }}{{/* with .main */}} +{{- end }}{{/* define "k10-default" */}} + +{{- define "k10-deployment-volumes-header" }} +{{- $pod := .k10_pod }} +{{- with .main }} +{{- $main_context := . 
}} +{{- $containerList := (dict "main" $main_context "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }} +{{- $needsVolumesHeader := false }} +{{- range $skip, $service := $containerList }} + {{- $serviceStateful := has $service (dict "main" $main_context "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }} + {{- if or $serviceStateful (or (eq (include "check.googlecreds" $main_context) "true") (eq $service "auth" "logging")) }} + {{- $needsVolumesHeader = true }} + {{- else if or (or (eq (include "basicauth.check" $main_context) "true") (or $main_context.Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" $main_context) "true"))) $main_context.Values.features }} + {{- $needsVolumesHeader = true }} + {{- else if and (eq $service "controllermanager") ($main_context.Values.injectKanisterSidecar.enabled) }} + {{- $needsVolumesHeader = true }} + {{- else if eq (include "check.cacertconfigmap" $main_context) "true" }} + {{- $needsVolumesHeader = true }} + {{- else if and ( eq $service "auth" ) ( or $main_context.Values.auth.dex.enabled (eq (include "check.dexAuth" $main_context) "true")) }} + {{- $needsVolumesHeader = true }} + {{- end }}{{/* volumes header needed check */}} +{{- end }}{{/* range $skip, $service := $containerList */}} +{{- if $needsVolumesHeader }} + volumes: +{{- end }} +{{- end }}{{/* with .main */}} +{{- end }}{{/* define "k10-init-container-header" */}} + +{{- define "k10-deployment-volumes" }} +{{- $pod := .k10_pod }} +{{- with .main }} +{{- if .Values.features }} + - name: k10-features + configMap: + name: k10-features +{{- end }} +{{- if eq (include "basicauth.check" .) 
"true" }} + - name: k10-basic-auth + secret: + secretName: {{ default "k10-basic-auth" .Values.auth.basicAuth.secretName }} +{{- end }} +{{- if .Values.auth.oidcAuth.enabled }} + - name: k10-oidc-auth + secret: + secretName: {{ default "k10-oidc-auth" .Values.auth.oidcAuth.secretName }} +{{- end }} +{{- if .Values.auth.openshift.enabled }} + - name: k10-oidc-auth + secret: + secretName: {{ default "k10-oidc-auth" .Values.auth.openshift.secretName }} +{{- end }} +{{- if .Values.auth.ldap.enabled }} + - name: k10-oidc-auth + secret: + secretName: {{ default "k10-oidc-auth" .Values.auth.ldap.secretName }} + - name: k10-logos-dex + configMap: + name: k10-logos-dex +{{- end }} +{{- range $skip, $statefulContainer := compact (dict "main" . "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }} + - name: {{ $statefulContainer }}-persistent-storage + persistentVolumeClaim: + claimName: {{ $statefulContainer }}-pv-claim +{{- end }} +{{- if eq (include "check.googlecreds" .) "true" }} + - name: service-account + secret: + secretName: google-secret +{{- end }} +{{- if eq (include "check.cacertconfigmap" .) "true" }} + - name: {{ .Values.cacertconfigmap.name }} + configMap: + name: {{ .Values.cacertconfigmap.name }} +{{- end }} +{{- $containersInThisPod := (dict "main" . "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }} +{{- if has "logging" $containersInThisPod }} + - name: logging-configmap-storage + configMap: + name: fluentbit-configmap +{{- end }} +{{- if and (has "controllermanager" $containersInThisPod) (.Values.injectKanisterSidecar.enabled) }} + - name: mutating-webhook-certs + secret: + secretName: controllermanager-certs +{{- end }} +{{- if and ( has "auth" $containersInThisPod) (or .Values.auth.dex.enabled (eq (include "check.dexAuth" .) 
"true")) }} + - name: config + configMap: + name: k10-dex + items: + - key: config.yaml + path: config.yaml +{{- if .Values.auth.ldap.enabled }} + - name: dex-config + emptyDir: {} + - name: bind-secret + secret: + secretName: {{ default "k10-dex" .Values.auth.ldap.bindPWSecretName }} +{{- end }} +{{- end }} +{{- end }}{{/* with .main */}} +{{- end }}{{/* define "k10-init-container-header" */}} diff --git a/charts/k10/k10/5.0.200/templates/api-tls-secrets.yaml b/charts/k10/k10/5.0.200/templates/api-tls-secrets.yaml new file mode 100644 index 000000000..6c863f7c6 --- /dev/null +++ b/charts/k10/k10/5.0.200/templates/api-tls-secrets.yaml @@ -0,0 +1,13 @@ +{{- if and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey }} +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: ambassador-certs +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.secrets.apiTlsCrt }} + tls.key: {{ .Values.secrets.apiTlsKey }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/templates/apiservice.yaml b/charts/k10/k10/5.0.200/templates/apiservice.yaml new file mode 100644 index 000000000..1811df48a --- /dev/null +++ b/charts/k10/k10/5.0.200/templates/apiservice.yaml 
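Review bot: `k10-deployment-volumes` emits a volume named `k10-oidc-auth` from three independent `if` blocks (`auth.oidcAuth.enabled`, `auth.openshift.enabled`, `auth.ldap.enabled`), so enabling two of them renders duplicate volume names and the Deployment is rejected by the API server; `singleAuth.check` in deployments.yaml may already enforce exclusivity, but this template should not depend on a sibling for its own validity — a single `if`/`else if` chain, or a comment stating that invariant, would make it self-evident. The `hostNetwork: true` toggles for executor, aggregatedapis and dashboardbff put those pods in the node's network namespace, which most CNIs do not cover with NetworkPolicy; a comment on each saying so, and that it should be paired with a restrictive `services.securityContext`, would help operators. The closing comments are copy-pasted: the `range` over stateful containers ends with `{{/* if $.stateful */}}`, and both `k10-deployment-volumes-header` and `k10-deployment-volumes` close with `{{/* define "k10-init-container-header" */}}`.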
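Review bot: `tls.crt`/`tls.key` are placed under `data:`, so `.Values.secrets.apiTlsCrt` and `apiTlsKey` must already be base64-encoded, but nothing in the template says so and a raw PEM value fails only at install time with an opaque decode error. A header comment such as `{{/* apiTlsCrt/apiTlsKey must be base64-encoded PEM; the Secret is consumed by the gateway Host as ambassador-certs */}}` would record both the encoding requirement and the consumer.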
@@ -0,0 +1,25 @@
+{{/* Template to generate the aggregated APIService/Service objects */}}
+{{- if .Values.apiservices.deployed -}}
+{{- $main := . -}}
+{{- $container_port := .Values.service.internalPort -}}
+{{- $namespace := .Release.Namespace -}}
+{{- range include "k10.aggregatedAPIs" . | splitList " " -}}
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1alpha1.{{ . }}.{{ template "apiDomain" $main }}
+ labels:
+ apiserver: "true"
+{{ include "helm.labels" $ | indent 4 }}
+spec:
+ version: v1alpha1
+ group: {{ . }}.{{ template "apiDomain" $main }}
+ groupPriorityMinimum: 2000
+ service:
+ namespace: {{$namespace}}
+ name: aggregatedapis-svc
+ versionPriority: 10
+ insecureSkipTLSVerify: true
+{{ end }}
+{{- end -}}
diff --git a/charts/k10/k10/5.0.200/templates/daemonsets.yaml b/charts/k10/k10/5.0.200/templates/daemonsets.yaml
new file mode 100644
index 000000000..b8c50b505
--- /dev/null
+++ b/charts/k10/k10/5.0.200/templates/daemonsets.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.metering.redhatMarketplacePayg }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: k10-rhmp-paygo
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ component: paygo
+spec:
+ selector:
+ matchLabels:
+{{ include "k10.common.matchLabels" . | indent 6 }}
+ component: paygo
+ template:
+ metadata:
+ labels:
+{{ include "helm.labels" . | indent 8 }}
+ component: paygo
+ spec:
+ containers:
+ - name: paygo
+ image: {{ .Values.global.images.paygo_daemonset }}
+ command: [ "sleep" ]
+ args: [ "36500d" ]
+{{- end -}}
diff --git a/charts/k10/k10/5.0.200/templates/deployments.yaml b/charts/k10/k10/5.0.200/templates/deployments.yaml
new file mode 100644
index 000000000..e259ff390
--- /dev/null
+++ b/charts/k10/k10/5.0.200/templates/deployments.yaml
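Review bot: `insecureSkipTLSVerify: true` tells the kube-apiserver to skip verifying the serving certificate of `aggregatedapis-svc`, so control-plane traffic to the extension API server is not authenticated at the TLS layer and any workload that can impersonate that Service endpoint could answer aggregated API requests. If the chart can provision the aggregatedapis serving certificate from a chart-managed CA, the APIService should carry `caBundle` with that CA and drop the flag; failing that, a comment above the line recording why verification is skipped is the minimum. Minor style point: `{{$namespace}}` is the only action in the file written without inner spaces.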
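Review bot: The `paygo` container has no `resources` and no `securityContext`, whereas the gateway Deployment in the same commit sets both limits and requests; as a DaemonSet it lands on every node, so a small request/limit block and a restrictive container securityContext (`allowPrivilegeEscalation: false`, `runAsNonRoot: true`, `capabilities: {drop: [ALL]}`) would keep it from being the one pod that fails a restricted-namespace admission policy. A one-line comment explaining why a `sleep` DaemonSet is required for the Red Hat Marketplace PAYG flow would also help, since the template itself carries no rationale.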
@@ -0,0 +1,34 @@ +{{/* +Generates deployment specs for K10 services and other services such as +"frontend" and "kanister". +*/}} +{{- include "singleAuth.check" . -}} +{{- $main_context := . -}} +{{- $stateless_services := include "k10.statelessServices" . | splitList " " -}} +{{- $colocated_services := include "k10.colocatedServices" . | fromYaml -}} +{{ $service_list := include "k10.restServices" . | splitList " " }} +{{- if not (default .Values.features dict).multicluster -}} + {{- $service_list = without $service_list "mccontrollermanager" -}} +{{- end -}} +{{- range $skip, $k10_service := $service_list }} + {{ if not (hasKey $colocated_services $k10_service ) }} + {{/* Set $stateful for stateful services when .Values.global.persistence.enabled is true */}} + {{- $stateful := and $.Values.global.persistence.enabled (not (has $k10_service $stateless_services)) -}} + {{/* Set $replicas to .Values.executorReplicas for the exectutor service */}} + {{- $replicas := or (and (eq $k10_service "executor") $.Values.executorReplicas) 1 -}} + {{ $tmp_contx := dict "main" $main_context "k10_service" $k10_service "stateful" $stateful "replicas" $replicas }} + {{ if eq $k10_service "metering" }} + {{- include "k10-metering" $tmp_contx -}} + {{ else }} + {{- include "k10-default" $tmp_contx -}} + {{ end }} + {{ end }}{{/* if not (hasKey $colocated_services $k10_service ) */}} +{{- end }} +{{/* +Generate deployment specs for additional services. These are stateless and have +1 replica. +*/}} +{{- range $skip, $k10_service := concat (include "k10.services" . | splitList " ") (include "k10.additionalServices" . | splitList " ") }} + {{ $tmp_contx := dict "main" $main_context "k10_service" $k10_service "stateful" false "replicas" 1 }} + {{- include "k10-default" $tmp_contx -}} +{{- end }} diff --git a/charts/k10/k10/5.0.200/templates/fluentbit-configmap.yaml b/charts/k10/k10/5.0.200/templates/fluentbit-configmap.yaml new file mode 100644 index 000000000..71cecb966 --- /dev/null 
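Review bot: The comment `Set $replicas to .Values.executorReplicas for the exectutor service` has a typo (`executor`), and the expression below it falls back to 1 whenever `executorReplicas` is 0 or unset because `or` treats 0 as empty; if scaling the executor to 0 is meant to be possible, the intended behaviour should be spelled out in that comment (a `default 1` form has the same surprise). Several actions in the loop (`{{ $service_list := ... }}`, `{{ if not (hasKey ...) }}`, `{{ $tmp_contx := ... }}`) are written without `{{-`/`-}}` trimming while their neighbours use it, producing blank lines between rendered documents — harmless, but inconsistent within the file.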
+++ b/charts/k10/k10/5.0.200/templates/fluentbit-configmap.yaml
@@ -0,0 +1,34 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: fluentbit-configmap
+data:
+ fluentbit.conf: |
+ [SERVICE]
+ HTTP_Server On
+ HTTP_Listen 0.0.0.0
+ HTTP_PORT 24225
+
+ [INPUT]
+ Name tcp
+ Listen 0.0.0.0
+ Port 24224
+
+ [OUTPUT]
+ Name stdout
+ Match *
+
+ [OUTPUT]
+ Name file
+ Match *
+ File {{ .Values.global.persistence.mountPath }}/k10.log
+ logrotate.conf: |
+ {{ .Values.global.persistence.mountPath }}/k10.log {
+ create
+ missingok
+ rotate 6
+ size 1G
+ }
diff --git a/charts/k10/k10/5.0.200/templates/gateway-ext.yaml b/charts/k10/k10/5.0.200/templates/gateway-ext.yaml
new file mode 100644
index 000000000..1e21d3dba
--- /dev/null
+++ b/charts/k10/k10/5.0.200/templates/gateway-ext.yaml
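Review bot: The fluent-bit `[INPUT] tcp` listens on `0.0.0.0:24224` and the `[SERVICE]` HTTP server on `0.0.0.0:24225`, so any pod in the cluster can inject records into the logging pipeline — and thereby into the persisted `k10.log` — unless a NetworkPolicy restricts the logging pod. If only containers in the same pod forward logs (the sender is not visible in this hunk), `Listen 127.0.0.1` and `HTTP_Listen 127.0.0.1` close that off with no policy at all; otherwise the chart should ship a NetworkPolicy for ports 24224/24225. The logrotate stanza keeps up to six 1G rotations plus the live file with no `compress`, so roughly 7G of the persistent volume can be consumed by logs; that figure is worth stating wherever `global.persistence.size` is documented.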
@@ -0,0 +1,33 @@ +{{/* Externally exposed service for gateway endpoint. */}} +{{- $container_port := .Values.service.internalPort -}} +{{- if .Values.externalGateway.create -}} +{{- include "authEnabled.check" . -}} +apiVersion: v1 +kind: Service +metadata: + namespace: {{ $.Release.Namespace }} + name: gateway-ext + labels: + service: gateway + {{- if eq "route53-mapper" (default " " .Values.externalGateway.fqdn.type) }} + dns: route53 + {{- end }} +{{ include "helm.labels" . | indent 4 }} + annotations: + {{- if .Values.externalGateway.annotations }} +{{ toYaml .Values.externalGateway.annotations | indent 4 }} + {{- end }} +{{ include "dnsAnnotations" . | indent 4 }} + {{- if .Values.externalGateway.awsSSLCertARN }} + service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.externalGateway.awsSSLCertARN }} + service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https + {{- end }} +spec: + type: LoadBalancer + ports: + - name: https + port: {{ if or (and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey) .Values.externalGateway.awsSSLCertARN }}443{{ else }}80{{ end }} + targetPort: {{ $container_port }} + selector: + service: gateway +{{- end -}} diff --git a/charts/k10/k10/5.0.200/templates/gateway.yaml b/charts/k10/k10/5.0.200/templates/gateway.yaml new file mode 100644 index 000000000..7ff17fa9c --- /dev/null +++ b/charts/k10/k10/5.0.200/templates/gateway.yaml 
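Review bot: When neither `secrets.apiTlsCrt`/`apiTlsKey` nor `externalGateway.awsSSLCertARN` is set, the LoadBalancer is published on port 80 and the gateway is reached in plaintext from outside the cluster; because `authEnabled.check` is included here, that configuration sends bearer tokens and basic-auth credentials over the network unencrypted. Either reject the combination at render time with a `fail` guard in the style of the existing `*.check` helpers, or at minimum document it in a comment above `port:`. The Service also exposes no `loadBalancerSourceRanges`; a `.Values.externalGateway.loadBalancerSourceRanges` list rendered under `spec:` would let operators restrict which networks can reach the external endpoint.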
@@ -0,0 +1,144 @@ +{{- $container_port := .Values.service.internalPort -}} +{{- $service_port := .Values.service.externalPort -}} +{{- $admin_port := default 8877 .Values.service.gatewayAdminPort -}} +--- +apiVersion: v1 +kind: Service +metadata: + namespace: {{ $.Release.Namespace }} + labels: + service: gateway +{{ include "helm.labels" . | indent 4 }} + name: gateway + annotations: + getambassador.io/config: | + --- + apiVersion: getambassador.io/v3alpha1 + kind: AuthService + name: authentication + auth_service: "auth-svc:8000" + path_prefix: "/v0/authz" + allowed_request_headers: + - "x-forwarded-access-token" + --- + apiVersion: getambassador.io/v3alpha1 + kind: Host + name: ambassadorhost + hostname: "*" +{{- if and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey }} + tlsSecret: + name: ambassador-certs +{{- end }} + requestPolicy: + insecure: + action: Route + --- + apiVersion: getambassador.io/v3alpha1 + kind: Listener + name: ambassadorlistener + port: {{ $container_port }} + securityModel: XFP + protocol: HTTPS + hostBinding: + namespace: + from: SELF + --- +{{- if (eq "endpoint" .Values.apigateway.serviceResolver) }} + apiVersion: getambassador.io/v3alpha1 + kind: KubernetesEndpointResolver + name: endpoint + --- +{{- end }} + apiVersion: getambassador.io/v3alpha1 + kind: Module + name: ambassador + config: + service_port: {{ $container_port }} +{{- if (eq "endpoint" .Values.apigateway.serviceResolver) }} + resolver: endpoint + load_balancer: + policy: round_robin +{{- end }} +spec: + ports: + - name: http + port: {{ $service_port }} + targetPort: {{ $container_port }} + selector: + service: gateway +--- +{{- if .Values.gateway.exposeAdminPort }} +apiVersion: v1 +kind: Service +metadata: + namespace: {{ $.Release.Namespace }} + name: gateway-admin + labels: + service: gateway +{{ include "helm.labels" . 
| indent 4 }} +spec: + ports: + - name: metrics + port: {{ $admin_port }} + targetPort: {{ $admin_port }} + selector: + service: gateway +--- +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: {{ $.Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} + component: gateway + name: gateway +spec: + replicas: 1 + selector: + matchLabels: + service: gateway + template: + metadata: + annotations: + checksum/config: {{ include (print .Template.BasePath "/k10-config.yaml") . | sha256sum }} + checksum/secret: {{ include (print .Template.BasePath "/secrets.yaml") . | sha256sum }} + labels: + service: gateway + component: gateway +{{ include "helm.labels" . | indent 8 }} + spec: + serviceAccountName: {{ template "serviceAccountName" . }} + {{- include "k10.imagePullSecrets" . | indent 6 }} + containers: + - name: ambassador + image: {{ include "k10.ambImage" . }} + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 200m + memory: 300Mi + env: + - name: AMBASSADOR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: AMBASSADOR_SINGLE_NAMESPACE + value: "true" + - name: "AMBASSADOR_VERIFY_SSL_FALSE" + value: {{ .Values.gateway.insecureDisableSSLVerify | quote }} + livenessProbe: + httpGet: + path: /ambassador/v0/check_alive + port: {{ $admin_port }} + initialDelaySeconds: 30 + periodSeconds: 3 + readinessProbe: + httpGet: + path: /ambassador/v0/check_ready + port: {{ $admin_port }} + initialDelaySeconds: 30 + periodSeconds: 3 + restartPolicy: Always diff --git a/charts/k10/k10/5.0.200/templates/grafana-scc.yaml b/charts/k10/k10/5.0.200/templates/grafana-scc.yaml new file mode 100644 index 000000000..f634498a4 --- /dev/null +++ b/charts/k10/k10/5.0.200/templates/grafana-scc.yaml 
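Review bot: The `ambassador` container has no `securityContext` at all (no `allowPrivilegeEscalation: false`, capability drop or `runAsNonRoot`), so the edge proxy that terminates every external request runs with pod defaults; a minimal hardening block is proposed below, with the non-root setting left for you to confirm against the image. The Listener's `securityModel: XFP` makes Ambassador trust the `X-Forwarded-Proto` header to classify requests, and combined with the Host's `insecure: action: Route` plaintext requests are served rather than redirected; add next to `securityModel: XFP` a comment such as `# XFP trusts X-Forwarded-Proto from the client/LB; only sound behind a load balancer that overwrites that header.` `AMBASSADOR_VERIFY_SSL_FALSE` is driven by `gateway.insecureDisableSSLVerify`; the values documentation should state that enabling it disables upstream certificate verification for all gateway-to-service traffic.
```yaml
      containers:
      - name: ambassador
        image: {{ include "k10.ambImage" . }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
          # runAsNonRoot: true  # TODO(review): confirm the ambassador image runs as a non-root UID before enabling
        # … unchanged: resources, env, probes …
```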
@@ -0,0 +1,44 @@ +{{- if .Values.scc.create }} +{{- if .Values.grafana.enabled }} +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: {{ .Release.Name }}-grafana +allowPrivilegedContainer: false +allowHostNetwork: false +allowHostDirVolumePlugin: true +priority: null +allowedCapabilities: null +allowHostPorts: true +allowHostPID: false +allowHostIPC: false +readOnlyRootFilesystem: false +requiredDropCapabilities: + - KILL + - MKNOD + - SETUID + - SETGID +defaultAddCapabilities: [] +allowedCapabilities: [] +priority: 0 +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +fsGroup: + type: RunAsAny +supplementalGroups: + type: RunAsAny +volumes: + - configMap + - downwardAPI + - emptyDir + - persistentVolumeClaim + - projected + - secret +users: + - system:serviceaccount:{{.Release.Namespace}}:{{.Release.Name}}-grafana +{{- end }} +{{- end }} diff --git a/charts/k10/k10/5.0.200/templates/ingress.yaml b/charts/k10/k10/5.0.200/templates/ingress.yaml new file mode 100644 index 000000000..48efc0530 --- /dev/null +++ b/charts/k10/k10/5.0.200/templates/ingress.yaml 
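Review bot: `priority` and `allowedCapabilities` are each defined twice in this SecurityContextConstraints (`priority: null` then `priority: 0`, `allowedCapabilities: null` then `allowedCapabilities: []`); duplicate keys are invalid YAML and most parsers silently keep the last occurrence, so the first pair should be removed. `allowHostDirVolumePlugin: true` and `allowHostPorts: true` grant host-directory and host-port access to the Grafana service account, yet the `volumes` list does not include `hostPath`, so the hostPath grant is inconsistent at best and an unneeded privilege at worst; unless Grafana demonstrably needs them, set both to `false` and add a comment explaining any exception.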
@@ -0,0 +1,46 @@ +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $service_port := .Values.service.externalPort -}} +{{ if .Values.ingress.create }} +{{ include "authEnabled.check" . }} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: {{ .Release.Name }}-ingress + annotations: +{{ include "ingressClassAnnotation" . | indent 4 }} + {{- if and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey }} + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: HTTPS + {{- end }} + {{- if .Values.ingress.annotations }} +{{ toYaml .Values.ingress.annotations | indent 4 }} + {{- end }} +spec: +{{- if .Values.ingress.tls.enabled }} + tls: + - hosts: + - {{ required "ingress.host value is required for TLS configuration" .Values.ingress.host }} + secretName: {{ required "ingress.tls.secretName is required for TLS configuration" .Values.ingress.tls.secretName }} +{{- end }} + rules: + - http: + paths: + - path: /{{ default .Release.Name .Values.ingress.urlPath | trimPrefix "/" | trimSuffix "/" }}/ + pathType: {{ default "ImplementationSpecific" .Values.ingress.pathType }} + backend: + {{- if $ingressApiIsStable }} + service: + name: gateway + port: + number: {{ $service_port }} + {{- else }} + serviceName: gateway + servicePort: {{ $service_port }} + {{- end }} + {{- if .Values.ingress.host }} + host: {{ .Values.ingress.host }} + {{- end }} +{{ end }} diff --git a/charts/k10/k10/5.0.200/templates/k10-config.yaml b/charts/k10/k10/5.0.200/templates/k10-config.yaml new file mode 100644 index 000000000..2067261b2 --- /dev/null +++ b/charts/k10/k10/5.0.200/templates/k10-config.yaml 
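Review bot: `host: {{ .Values.ingress.host }}` and the `hosts:` entry render the user-supplied hostname unquoted, so a value containing YAML-significant characters would mis-parse; `host: {{ .Values.ingress.host | quote }}` matches the `| quote` used elsewhere in the chart. When `ingress.tls.enabled` is false the client-facing leg is plain HTTP even if `secure-backends`/`backend-protocol: HTTPS` protect the ingress→gateway leg; a comment on `spec:` should say so, e.g. `# Without ingress.tls.enabled the client-facing leg is HTTP; only the ingress->gateway leg is TLS, and only when secrets.apiTlsCrt/Key are set.` `nginx.ingress.kubernetes.io/secure-backends` is the legacy spelling of `backend-protocol`; harmless, but one of the two is redundant.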
@@ -0,0 +1,230 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: k10-config +data: + loglevel: {{ .Values.logLevel | quote }} + {{- if .Values.clusterName }} + clustername: {{ quote .Values.clusterName }} + {{- end }} + version: {{ .Chart.AppVersion }} + multiClusterVersion: {{ include "k10.multiClusterVersion" . | quote }} + modelstoredirname: "//mnt/k10state/kasten-io/" + apiDomain: {{ include "apiDomain" . }} + concurrentSnapConversions: {{ include "k10.defaultConcurrentSnapshotConversions" . | quote }} + concurrentWorkloadSnapshots: {{ include "k10.defaultConcurrentWorkloadSnapshots" . | quote }} + k10DataStoreParallelUpload: {{ include "k10.defaultK10DataStoreParallelUpload" . | quote }} + k10DataStoreGeneralContentCacheSizeMB: {{ include "k10.defaultK10DataStoreGeneralContentCacheSizeMB" . | quote }} + k10DataStoreGeneralMetadataCacheSizeMB: {{ include "k10.defaultK10DataStoreGeneralMetadataCacheSizeMB" . | quote }} + k10DataStoreRestoreContentCacheSizeMB: {{ include "k10.defaultK10DataStoreRestoreContentCacheSizeMB" . | quote }} + k10DataStoreRestoreMetadataCacheSizeMB: {{ include "k10.defaultK10DataStoreRestoreMetadataCacheSizeMB" . | quote }} + K10BackupBufferFileHeadroomFactor: {{ include "k10.defaultK10BackupBufferFileHeadroomFactor" . | quote }} + AWSAssumeRoleDuration: {{ default (include "k10.defaultAssumeRoleDuration" .) .Values.awsConfig.assumeRoleDuration | quote }} + KanisterBackupTimeout: {{ default (include "k10.defaultKanisterBackupTimeout" .) .Values.kanister.backupTimeout | quote }} + KanisterRestoreTimeout: {{ default (include "k10.defaultKanisterRestoreTimeout" .) .Values.kanister.restoreTimeout | quote }} + KanisterDeleteTimeout: {{ default (include "k10.defaultKanisterDeleteTimeout" .) .Values.kanister.deleteTimeout | quote }} + KanisterHookTimeout: {{ default (include "k10.defaultKanisterHookTimeout" .) 
.Values.kanister.hookTimeout | quote }} + KanisterCheckRepoTimeout: {{ default (include "k10.defaultKanisterCheckRepoTimeout" .) .Values.kanister.checkRepoTimeout | quote }} + KanisterStatsTimeout: {{ default (include "k10.defaultKanisterStatsTimeout" .) .Values.kanister.statsTimeout | quote }} + KanisterEFSPostRestoreTimeout: {{ default (include "k10.defaultKanisterEFSPostRestoreTimeout" .) .Values.kanister.efsPostRestoreTimeout | quote }} + KanisterPodReadyWaitTimeout: {{ .Values.kanister.podReadyWaitTimeout | quote }} + K10MutatingWebhookTLSCertDir: "/etc/ssl/certs/webhook" + + K10LimiterGenericVolumeSnapshots: {{ default (include "k10.defaultK10LimiterGenericVolumeSnapshots" .) .Values.limiter.genericVolumeSnapshots | quote }} + K10LimiterGenericVolumeCopies: {{ default (include "k10.defaultK10LimiterGenericVolumeCopies" .) .Values.limiter.genericVolumeCopies | quote }} + K10LimiterGenericVolumeRestores: {{ default (include "k10.defaultK10LimiterGenericVolumeRestores" .) .Values.limiter.genericVolumeRestores | quote }} + K10LimiterCsiSnapshots: {{ default (include "k10.defaultK10LimiterCsiSnapshots" .) .Values.limiter.csiSnapshots | quote }} + K10LimiterProviderSnapshots: {{ default (include "k10.defaultK10LimiterProviderSnapshots" .) .Values.limiter.providerSnapshots | quote }} + + {{- if .Values.awsConfig.efsBackupVaultName }} + efsBackupVaultName: {{ quote .Values.awsConfig.efsBackupVaultName }} + {{- end }} + + {{- if .Values.vmWare.taskTimeoutMin }} + vmWareTaskTimeoutMin: {{ quote .Values.vmWare.taskTimeoutMin }} + {{- end }} + +{{- include "get.kanisterPodCustomLabels" . | indent 2}} +{{- include "get.kanisterPodCustomAnnotations" . | indent 2}} + + {{- if .Values.kanisterFunctionVersion }} + kanisterFunctionVersion: {{ .Values.kanisterFunctionVersion | quote }} + {{- else }} + kanisterFunctionVersion: {{ quote "v1.0.0-alpha" }} + {{- end }} + {{- if eq "true" (include "overwite.kanisterToolsImage" .) }} + {{- if (include "get.kanisterToolsImage" .) 
}} + overwriteKanisterTools: {{ include "get.kanisterToolsImage" .}} + {{- end }} + {{- end }} +{{- include "kanisterToolsResources" . | indent 2 }} + +{{ if .Values.features }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: k10-features +data: +{{ include "k10.features" . | indent 2}} +{{ end }} +{{ if .Values.auth.dex.enabled }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: k10-dex + namespace: {{ .Release.Namespace }} +data: + config.yaml: | + issuer: {{ .Values.auth.oidcAuth.providerURL }} + storage: + type: memory + web: + http: 0.0.0.0:8080 + logger: + level: info + format: text + connectors: + - type: oidc + id: google + name: Google + config: + issuer: {{ .Values.auth.dex.providerURL }} + clientID: {{ .Values.auth.oidcAuth.clientID }} + clientSecret: {{ .Values.auth.oidcAuth.clientSecret }} + redirectURI: {{ .Values.auth.dex.redirectURL }} + scopes: + - openid + - profile + - email + oauth2: + skipApprovalScreen: true + staticClients: + - name: 'K10' + id: {{ .Values.auth.oidcAuth.clientID }} + secret: {{ .Values.auth.oidcAuth.clientSecret }} + redirectURIs: + - {{ printf "%s/k10/auth-svc/v0/oidc/redirect" .Values.auth.oidcAuth.redirectURL }} + enablePasswordDB: true + staticPasswords: +{{ end }} +{{ if .Values.auth.openshift.enabled }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . 
| indent 4 }} + name: k10-dex + namespace: {{ .Release.Namespace }} +data: + config.yaml: | + issuer: {{ printf "%s/dex" (trimSuffix "/" .Values.auth.openshift.dashboardURL) }} + storage: + type: memory + web: + http: 0.0.0.0:8080 + logger: + level: info + format: text + connectors: + - type: openshift + id: openshift + name: OpenShift + config: + issuer: {{ .Values.auth.openshift.openshiftURL }} + clientID: {{printf "system:serviceaccount:%s:%s" .Release.Namespace .Values.auth.openshift.serviceAccount }} + clientSecret: {{ .Values.auth.openshift.clientSecret }} + redirectURI: {{ printf "%s/dex/callback" (trimSuffix "/" .Values.auth.openshift.dashboardURL) }} + insecureCA: {{ .Values.auth.openshift.insecureCA }} +{{- if and (eq (include "check.cacertconfigmap" .) "false") .Values.auth.openshift.useServiceAccountCA }} + rootCA: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt +{{- end }} + oauth2: + skipApprovalScreen: true + staticClients: + - name: 'K10' + id: kasten + secret: kastensecret + redirectURIs: + - {{ printf "%s/auth-svc/v0/oidc/redirect" (trimSuffix "/" .Values.auth.openshift.dashboardURL) }} +{{ end }} +{{ if .Values.auth.ldap.enabled }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . 
| indent 4 }} + name: k10-dex + namespace: {{ .Release.Namespace }} +data: + config.yaml: | + issuer: {{ printf "%s/dex" (trimSuffix "/" .Values.auth.ldap.dashboardURL) }} + storage: + type: memory + web: + http: 0.0.0.0:8080 + frontend: + theme: custom + logoURL: theme/kasten-logo.svg + logger: + level: info + format: text + connectors: + - type: ldap + id: ldap + name: LDAP + config: + host: {{ .Values.auth.ldap.host }} + insecureNoSSL: {{ .Values.auth.ldap.insecureNoSSL }} + insecureSkipVerify: {{ .Values.auth.ldap.insecureSkipVerifySSL }} + startTLS: {{ .Values.auth.ldap.startTLS }} + bindDN: {{ .Values.auth.ldap.bindDN }} + bindPW: BIND_PASSWORD_PLACEHOLDER + userSearch: + baseDN: {{ .Values.auth.ldap.userSearch.baseDN }} + filter: {{ .Values.auth.ldap.userSearch.filter }} + username: {{ .Values.auth.ldap.userSearch.username }} + idAttr: {{ .Values.auth.ldap.userSearch.idAttr }} + emailAttr: {{ .Values.auth.ldap.userSearch.emailAttr }} + nameAttr: {{ .Values.auth.ldap.userSearch.nameAttr }} + preferredUsernameAttr: {{ .Values.auth.ldap.userSearch.preferredUsernameAttr }} + groupSearch: + baseDN: {{ .Values.auth.ldap.groupSearch.baseDN }} + filter: {{ .Values.auth.ldap.groupSearch.filter }} + nameAttr: {{ .Values.auth.ldap.groupSearch.nameAttr }} +{{- with .Values.auth.ldap.groupSearch.userMatchers }} + userMatchers: +{{ toYaml . | indent 10 }} +{{- end }} + oauth2: + skipApprovalScreen: true + staticClients: + - name: 'K10' + id: kasten + secret: kastensecret + redirectURIs: + - {{ printf "%s/auth-svc/v0/oidc/redirect" (trimSuffix "/" .Values.auth.ldap.dashboardURL) }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: k10-logos-dex + namespace: {{ .Release.Namespace }} +binaryData: + {{- $files := .Files }} + {{- range tuple "files/favicon.png" "files/kasten-logo.svg" "files/styles.css" }} + {{ trimPrefix "files/" . }}: |- + {{ $files.Get . | b64enc }} + {{- end }} +{{ end }} 
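Review bot: The `k10-dex` ConfigMaps embed credentials as plain data: `clientSecret: {{ .Values.auth.oidcAuth.clientSecret }}` (also reused as the static client `secret:`) and `clientSecret: {{ .Values.auth.openshift.clientSecret }}`, whereas the LDAP variant correctly substitutes `bindPW: BIND_PASSWORD_PLACEHOLDER`. A ConfigMap does not get the RBAC separation, encryption-at-rest or audit treatment a Secret gets, so the OIDC and OpenShift client secrets should move to a Secret or use the same placeholder-injection approach as `bindPW`. The OpenShift and LDAP variants also hard-code the static client as `id: kasten` / `secret: kastensecret`, a fixed and publicly known credential; if auth-svc needs a static client, generate the secret per release (e.g. `randAlphaNum 32`) and keep it in a Secret. Separately, `staticPasswords:` under `enablePasswordDB: true` is a bare key (parses as null), and `insecureCA`/`insecureNoSSL`/`insecureSkipVerify` render empty when unset; make them explicit with `default false`.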
diff --git a/charts/k10/k10/5.0.200/templates/k10-eula.yaml b/charts/k10/k10/5.0.200/templates/k10-eula.yaml
new file mode 100644
index 000000000..21e251d6c
--- /dev/null
+++ b/charts/k10/k10/5.0.200/templates/k10-eula.yaml
@@ -0,0 +1,21 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: k10-eula
+data:
+ text: {{ .Files.Get "eula.txt" | quote }}
+---
+{{ if .Values.eula.accept }}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: k10-eula-info
+data:
+{{ include "k10.eula.fields" . | indent 2 }}
+{{ end }}
diff --git a/charts/k10/k10/5.0.200/templates/kopia-tls-certs.yaml b/charts/k10/k10/5.0.200/templates/kopia-tls-certs.yaml
new file mode 100644
index 000000000..ac0635f51
--- /dev/null
+++ b/charts/k10/k10/5.0.200/templates/kopia-tls-certs.yaml
@@ -0,0 +1,33 @@
+# alternate names of the services. This renders to: [ component-svc.namespace, component-svc.namespace.svc ]
+{{- $altNamesKopia := list ( printf "%s-svc.%s" "data-mover" .Release.Namespace ) ( printf "%s-svc.%s.svc" "data-mover" .Release.Namespace ) }}
+# generate ca cert with 365 days of validity
+{{- $caKopia := genCA ( printf "%s-svc-ca" "data-mover" ) 365 }}
+# generate cert with CN="component-svc", SAN=$altNames and with 365 days of validity
+{{- $certKopia := genSignedCert ( printf "%s-svc" "data-mover" ) nil $altNamesKopia 365 $caKopia }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: kopia-tls-cert
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+{{- if .Values.global.rhMarketPlace }}
+ annotations:
+ "helm.sh/hook": "pre-install"
+{{- end }}
+data:
+ tls.crt: {{ $certKopia.Cert | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: kopia-tls-key
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+{{- if .Values.global.rhMarketPlace }}
+ annotations:
+ "helm.sh/hook": "pre-install"
+{{- end }}
+data:
+ tls.key: {{ $certKopia.Key | b64enc }}
diff --git a/charts/k10/k10/5.0.200/templates/license.yaml b/charts/k10/k10/5.0.200/templates/license.yaml
new file mode 100644
index 000000000..f409fb7e5
--- /dev/null
+++ b/charts/k10/k10/5.0.200/templates/license.yaml
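Review bot: `genCA`/`genSignedCert` execute on every render, so each `helm upgrade` mints a fresh CA and leaf key, and the private key is carried in the rendered manifest (release history, `helm template` output) rather than existing only in the Secret; the same render-time generation is used for `$ca`/`$cert` in mutatingwebhook.yaml. The 365-day validity means the data-mover certificate silently expires a year after the last upgrade, and neither Secret sets `metadata.namespace` unlike the other Secrets in this chart. A comment above the `genCA` line should state the lifecycle, e.g. `# Regenerated on every render (new key per helm upgrade); valid 365 days, so an upgrade within a year is required to rotate.` Only `$certKopia.Cert` is published and the CA certificate is never emitted, so clients can only pin the leaf; confirm that is intended.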
@@ -0,0 +1,25 @@
+{{- if not ( or ( .Values.license ) ( .Values.metering.awsMarketplace ) ( .Values.metering.awsManagedLicense ) ( .Values.metering.licenseConfigSecretName ) ) }}
+{{- if .Files.Get "triallicense" }}
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: k10-trial-license
+type: Opaque
+data:
+ license: {{ print (.Files.Get "triallicense") }}
+{{- end }}
+{{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: k10-license
+type: Opaque
+data:
+ license: {{ include "k10.getlicense" . }}
diff --git a/charts/k10/k10/5.0.200/templates/mutatingwebhook.yaml b/charts/k10/k10/5.0.200/templates/mutatingwebhook.yaml
new file mode 100644
index 000000000..729df5865
--- /dev/null
+++ b/charts/k10/k10/5.0.200/templates/mutatingwebhook.yaml
@@ -0,0 +1,51 @@ +{{- if .Values.injectKanisterSidecar.enabled -}} +# alternate names of the services. This renders to: [ component-svc.namespace, component-svc.namespace.svc ] +{{- $altNames := list ( printf "%s-svc.%s" "controllermanager" .Release.Namespace ) ( printf "%s-svc.%s.svc" "controllermanager" .Release.Namespace ) }} +# generate ca cert with 365 days of validity +{{- $ca := genCA ( printf "%s-svc-ca" "controllermanager" ) 365 }} +# generate cert with CN="component-svc", SAN=$altNames and with 365 days of validity +{{- $cert := genSignedCert ( printf "%s-svc" "controllermanager" ) nil $altNames 365 $ca }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: controllermanager-certs + labels: +{{ include "helm.labels" . | indent 4 }} +data: + tls.crt: {{ $cert.Cert | b64enc }} + tls.key: {{ $cert.Key | b64enc }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: k10-sidecar-injector +webhooks: +- name: k10-sidecar-injector.kasten.io + admissionReviewVersions: ["v1", "v1beta1"] + failurePolicy: Ignore + sideEffects: None + clientConfig: + service: + name: controllermanager-svc + namespace: {{ .Release.Namespace }} + path: "/k10/mutate" + port: 443 + caBundle: {{ b64enc $ca.Cert }} + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["*"] + apiVersions: ["v1"] + resources: ["deployments", "statefulsets", "deploymentconfigs"] +{{- if .Values.injectKanisterSidecar.namespaceSelector }} + namespaceSelector: +{{ toYaml .Values.injectKanisterSidecar.namespaceSelector | indent 4 }} +{{- end }} +{{- if .Values.injectKanisterSidecar.objectSelector }} + objectSelector: +{{ toYaml .Values.injectKanisterSidecar.objectSelector | indent 4 }} +{{- end }} +{{- end }} 
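Review bot: Without an `injectKanisterSidecar.namespaceSelector` the webhook intercepts CREATE/UPDATE of deployments, statefulsets and deploymentconfigs in every namespace, system namespaces included, and `failurePolicy: Ignore` means a broken or expired certificate silently stops injection rather than surfacing an error; a comment on `failurePolicy` should state that trade-off, e.g. `# Ignore: an unreachable/expired webhook is skipped silently, so missing sidecars will not show up as API errors.` `apiGroups: ["*"]` with `apiVersions: ["v1"]` is broader than the three named resources need; `apps` and `apps.openshift.io` cover them. The render-time certificate lifecycle raised on kopia-tls-certs.yaml applies to `$ca`/`$cert` here as well, and an expired `caBundle` is exactly the silent-failure case above. `metadata.namespace` on a cluster-scoped MutatingWebhookConfiguration is ignored and can be dropped.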
diff --git a/charts/k10/k10/5.0.200/templates/networkpolicy.yaml b/charts/k10/k10/5.0.200/templates/networkpolicy.yaml new file mode 100644 index 000000000..e26de567b --- /dev/null +++ b/charts/k10/k10/5.0.200/templates/networkpolicy.yaml 
@@ -0,0 +1,216 @@ +{{- $admin_port := default 8877 .Values.service.gatewayAdminPort -}} +{{- $mutating_webhook_port := default 8080 .Values.injectKanisterSidecar.webhookServer.port -}} +{{- if .Values.networkPolicy.create }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: {} + policyTypes: + - Ingress +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: cross-services-allow + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + release: {{ .Release.Name }} + ingress: + - from: + - podSelector: + matchLabels: + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: {{ .Values.service.externalPort }} +{{- if ( .Values.features | default dict).multicluster }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-gateway-to-mc-external + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + component: mccontrollermanager + release: {{ .Release.Name }} + ingress: + - from: + - podSelector: + matchLabels: + service: gateway + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: {{ include "k10.mcExternalPort" nil }} +{{- end }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: logging-allow-internal + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . 
| indent 4 }} +spec: + podSelector: + matchLabels: + release: {{ .Release.Name }} + run: logging-svc + ingress: + - from: + - podSelector: + matchLabels: + release: {{ .Release.Name }} + ports: + # Logging input port + - protocol: TCP + port: 24224 + - protocol: TCP + port: 24225 +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-external + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + service: gateway + release: {{ .Release.Name }} + ingress: + - from: [] + ports: + - protocol: TCP + port: 8000 +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-all-api + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + run: aggregatedapis-svc + release: {{ .Release.Name }} + ingress: + - from: + ports: + - protocol: TCP + port: {{ .Values.service.aggregatedApiPort }} +{{- if .Values.gateway.exposeAdminPort }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-gateway-admin + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + release: {{ .Release.Name }} + service: gateway + ingress: + - from: + - podSelector: + matchLabels: + app: prometheus + component: server + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: {{ $admin_port }} +{{- end -}} +{{- if .Values.injectKanisterSidecar.enabled }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-mutating-webhook + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + release: {{ .Release.Name }} + run: controllermanager-svc + ingress: + - from: + ports: + - protocol: TCP + port: {{ $mutating_webhook_port }} +{{- end -}} +{{- if or .Values.auth.dex.enabled (eq (include "check.dexAuth" .) 
"true") }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: gateway-dex-allow + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + release: {{ .Release.Name }} + run: auth-svc + ingress: + - from: + - podSelector: + matchLabels: + service: gateway + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: 8080 +{{- end -}} +{{- $mainCtx := . }} +{{- $colocatedList := include "get.enabledColocatedSvcList" . | fromYaml }} +{{- range $primary, $secondaryList := $colocatedList }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ $primary }}-svc-allow-secondary-services + namespace: {{ $mainCtx.Release.Namespace }} + labels: +{{ include "helm.labels" $mainCtx | indent 4 }} +spec: + podSelector: + matchLabels: + release: {{ $mainCtx.Release.Name }} + run: {{ $primary }}-svc + ingress: + - from: + - podSelector: + matchLabels: + release: {{ $mainCtx.Release.Name }} + ports: + {{- range $skip, $secondary := $secondaryList }} + {{- $colocConfig := index (include "k10.colocatedServices" . | fromYaml) $secondary }} + - protocol: TCP + port: {{ $colocConfig.port }} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/k10/k10/5.0.200/templates/prometheus-configmap.yaml b/charts/k10/k10/5.0.200/templates/prometheus-configmap.yaml new file mode 100644 index 000000000..ba858382d --- /dev/null +++ b/charts/k10/k10/5.0.200/templates/prometheus-configmap.yaml 
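Review bot: In the colocated-services loop at the end of the template, `include "k10.colocatedServices" .` runs inside `range $skip, $secondary := $secondaryList`, where `.` is the `$secondary` string rather than the chart context; if that helper reads `.Values` it will error or render empty, so it should probably receive `$mainCtx` like the other includes in that block. `allow-external` opens `port: 8000` on gateway pods from any source (`from: []`), while the gateway Deployment listens on `.Values.service.internalPort`; if those ever diverge, external traffic through gateway-ext is blocked, so `port: {{ .Values.service.internalPort }}` would keep them in step (assuming 8000 is the current default). `default-deny` sets only `policyTypes: [Ingress]`, so egress from all K10 pods stays unrestricted; add a comment stating that this is deliberate.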
@@ -0,0 +1,55 @@ +{{ $scrape_services := (include "k10.restServices" . | splitList " " ) }} +{{ include "check.validatePrometheusConfig" .}} +{{- if .Values.gateway.exposeAdminPort -}} + {{- $scrape_services = append (include "k10.restServices" . | splitList " " ) "gateway" -}} +{{- end -}} +{{- if not (default .Values.features dict).multicluster -}} + {{- $scrape_services = without $scrape_services "mccontrollermanager" -}} +{{- end -}} +{{- include "check.validateMonitoringProperties" .}} +{{- if .Values.prometheus.server.enabled -}} +{{- $rbac := .Values.prometheus.rbac.create -}} +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: {{ .Release.Name }}-{{ .Values.prometheus.server.configMapOverrideName }} +data: + prometheus.yml: | + global: + scrape_interval: 1m + scrape_timeout: 10s + evaluation_interval: 1m + scrape_configs: + - job_name: httpServiceDiscovery + http_sd_configs: + - url: {{ printf "http://metering-svc.%s.svc.%s:8000/v0/listScrapeTargets" .Release.Namespace .Values.cluster.domainName }} +{{- if .Values.prometheus.scrapeCAdvisor }} + - job_name: 'kubernetes-cadvisor' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor +{{- end}} + - job_name: prometheus + metrics_path: {{ .Values.prometheus.server.baseURL }}metrics + static_configs: + - targets: + - "localhost:9090" + labels: + app: prometheus + component: server +{{- end -}} 
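Review bot: `$scrape_services` is built, appended to and filtered in the first eight lines but never referenced in the rendered `prometheus.yml` (targets come from `http_sd_configs`), so that block is dead code that misleadingly suggests a static scrape list still exists; use it or remove it. The `kubernetes-cadvisor` job presents the pod's service-account token via `bearer_token_file` and scrapes through `kubernetes.default.svc:443` `/api/v1/nodes/<node>/proxy/metrics/cadvisor`, which requires `nodes/proxy` RBAC on the Prometheus service account; a comment next to `bearer_token_file` should name that requirement. The HTTP SD URL `http://metering-svc.<ns>.svc.<domain>:8000/v0/listScrapeTargets` is unauthenticated plaintext inside the cluster; acceptable under the chart's NetworkPolicies, but worth a comment saying it relies on them.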
diff --git a/charts/k10/k10/5.0.200/templates/prometheus-service.yaml b/charts/k10/k10/5.0.200/templates/prometheus-service.yaml new file mode 100644 index 000000000..c916472c3 --- /dev/null +++ b/charts/k10/k10/5.0.200/templates/prometheus-service.yaml @@ -0,0 +1,45 @@ +{{/* Template to generate service spec for v0 rest services */}} +{{- if .Values.prometheus.server.enabled -}} +{{- $postfix := default .Release.Name .Values.ingress.urlPath -}} +{{- $os_postfix := default .Release.Name .Values.route.path -}} +{{- $service_port := .Values.prometheus.server.service.servicePort -}} +apiVersion: v1 +kind: Service +metadata: + namespace: {{ .Release.Namespace }} + name: {{ include "k10.prometheus.service.name" . }}-exp + labels: +{{ include "helm.labels" $ | indent 4 }} + component: {{ include "k10.prometheus.service.name" . }} + run: {{ include "k10.prometheus.service.name" . }} + annotations: + getambassador.io/config: | + --- + apiVersion: getambassador.io/v3alpha1 + kind: Mapping + name: {{ include "k10.prometheus.service.name" . }}-mapping + {{- if .Values.prometheus.server.baseURL }} + rewrite: /{{ .Values.prometheus.server.baseURL | trimPrefix "/" | trimSuffix "/" }}/ + {{- else }} + rewrite: / + {{- end }} + {{- if .Values.route.enabled }} + prefix: /{{ $os_postfix | trimPrefix "/" | trimSuffix "/" }}/prometheus/ + {{- else }} + prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/prometheus/ + {{- end }} + service: {{ include "k10.prometheus.service.name" . }}:{{ $service_port }} + timeout_ms: 15000 + hostname: "*" + +spec: + ports: + - name: http + protocol: TCP + port: {{ $service_port }} + targetPort: 9090 + selector: + app: {{ include "k10.prometheus.name" . }} + component: {{ .Values.prometheus.server.name }} + release: {{ .Release.Name }} +{{- end -}} diff --git a/charts/k10/k10/5.0.200/templates/rbac.yaml b/charts/k10/k10/5.0.200/templates/rbac.yaml new file mode 100644 index 000000000..2b510067d --- /dev/null 
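Review bot: The Ambassador Mapping publishes the Prometheus UI and query API at `/<release>/prometheus/` on `hostname: "*"`; Prometheus itself is unauthenticated, so exposure rests entirely on the gateway's AuthService defined in gateway.yaml (assuming it applies to every Mapping). A comment above the `getambassador.io/config` annotation should record that dependency, e.g. `# Exposed through the gateway; access control is the gateway AuthService (gateway.yaml), Prometheus itself has no auth.` Style: this template passes `$` to `helm.labels` while every other template in the change passes `.`; use `.` for consistency.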
+++ b/charts/k10/k10/5.0.200/templates/rbac.yaml 
@@ -0,0 +1,239 @@
+{{- $main := . -}}
+{{- $apiDomain := include "apiDomain" . -}}
+
+{{- $actionsAPIs := splitList " " (include "k10.actionsAPIs" .) -}}
+{{- $aggregatedAPIs := splitList " " (include "k10.aggregatedAPIs" .) -}}
+{{- $appsAPIs := splitList " " (include "k10.appsAPIs" .) -}}
+{{- $authAPIs := splitList " " (include "k10.authAPIs" .) -}}
+{{- $configAPIs := splitList " " (include "k10.configAPIs" .) -}}
+{{- $distAPIs := splitList " " (include "k10.distAPIs" .) -}}
+{{- $reportingAPIs := splitList " " (include "k10.reportingAPIs" .) -}}
+
+{{- if .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: {{ template "serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- if not ( eq (include "meteringServiceAccountName" .) (include "serviceAccountName" .) )}}
+- kind: ServiceAccount
+ name: {{ template "meteringServiceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+{{ include "k10.defaultRBACLabels" . | indent 4 }}
+ name: {{ .Release.Name }}-admin
+rules:
+- apiGroups:
+{{- range sortAlpha (concat $aggregatedAPIs $configAPIs $reportingAPIs) }}
+ - {{ . }}.{{ $apiDomain }}
+{{- end }}
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - cr.kanister.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - create
+ - get
+ - list
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+{{ include "k10.defaultRBACLabels" . 
| indent 4 }}
+ name: {{ .Release.Name }}-ns-admin
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - ""
+ - "apps"
+ resources:
+ - deployments
+ - pods
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+- apiGroups:
+ - "batch"
+ resources:
+ - jobs
+ verbs:
+ - get
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+{{ include "k10.defaultRBACLabels" . | indent 4 }}
+ name: {{ .Release.Name }}-mc-admin
+rules:
+- apiGroups:
+{{- range sortAlpha (concat $authAPIs $configAPIs $distAPIs) }}
+ - {{ . }}.{{ $apiDomain }}
+{{- end }}
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - "*"
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+{{ include "k10.defaultRBACLabels" . | indent 4 }}
+ name: {{ .Release.Name }}-basic
+rules:
+- apiGroups:
+{{- range sortAlpha $actionsAPIs }}
+ - {{ . }}.{{ $apiDomain }}
+{{- end }}
+ resources:
+ - {{ include "k10.backupActions" $main}}
+ - {{ include "k10.backupActionsDetails" $main}}
+ - {{ include "k10.restoreActions" $main}}
+ - {{ include "k10.restoreActionsDetails" $main}}
+ - {{ include "k10.exportActions" $main}}
+ - {{ include "k10.exportActionsDetails" $main}}
+ - {{ include "k10.cancelActions" $main}}
+ verbs:
+ - "*"
+- apiGroups:
+{{- range sortAlpha $appsAPIs }}
+ - {{ . }}.{{ $apiDomain }}
+{{- end }}
+ resources:
+ - {{ include "k10.restorePoints" $main}}
+ - {{ include "k10.restorePointsDetails" $main}}
+ - {{ include "k10.applications" $main}}
+ - {{ include "k10.applicationsDetails" $main}}
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+- apiGroups:
+{{- range sortAlpha $configAPIs }}
+ - {{ . 
}}.{{ $apiDomain }}
+{{- end }}
+ resources:
+ - {{ include "k10.policies" $main}}
+ verbs:
+ - "*"
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+{{ include "k10.defaultRBACLabels" . | indent 4 }}
+ name: {{ .Release.Name }}-config-view
+rules:
+- apiGroups:
+{{- range sortAlpha $configAPIs }}
+ - {{ . }}.{{ $apiDomain }}
+{{- end }}
+ resources:
+ - {{ include "k10.profiles" $main}}
+ - {{ include "k10.policies" $main}}
+ verbs:
+ - get
+ - list
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Release.Name }}-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: k10:admins
+{{- range .Values.auth.k10AdminUsers }}
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: {{ . }}
+{{- end }}
+{{- range default .Values.auth.groupAllowList .Values.auth.k10AdminGroups }}
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: {{ . }}
+{{- end }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-ns-admin
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-ns-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: k10:admins
+{{- range .Values.auth.k10AdminUsers }}
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: {{ . }}
+{{- end }}
+{{- range default .Values.auth.groupAllowList .Values.auth.k10AdminGroups }}
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: {{ . }}
+{{- end }}
+{{- end }}
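Review bot: The ClusterRoleBinding at the top of the hunk binds the chart's service account (and, when it differs, the metering service account) to the built-in `cluster-admin` ClusterRole with `rbac.create` as the only switch, and nothing in the file narrows that grant; a header comment should state why full cluster-admin is required rather than a ClusterRole limited to the API groups enumerated further down. In the two bindings at the end, `{{- range default .Values.auth.groupAllowList .Values.auth.k10AdminGroups }}` falls back to the whole `groupAllowList` whenever `k10AdminGroups` is empty, so every group that is merely allowed to log in is bound to `{{ .Release.Name }}-admin` (which carries `create` on `namespaces` and `*` on all chart APIs) and to the namespace-scoped secrets Role; if that fallback is intended, say so in a comment next to the range, otherwise range over `.Values.auth.k10AdminGroups` alone. The `{{ .Release.Name }}-mc-admin` ClusterRole additionally grants `*` on core `secrets` cluster-wide and deserves the same one-line justification.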
diff --git a/charts/k10/k10/5.0.200/templates/route.yaml b/charts/k10/k10/5.0.200/templates/route.yaml
new file mode 100644
index 000000000..1ecd244be
--- /dev/null
+++ b/charts/k10/k10/5.0.200/templates/route.yaml
@@ -0,0 +1,36 @@
+{{- $route := .Values.route -}}
+{{- if $route.enabled -}}
+{{ include "authEnabled.check" . }}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: {{ .Release.Name }}-route
+ {{- with $route.annotations }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ {{- with $route.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ host: {{ $route.host }}
+ path: /{{ default .Release.Name $route.path | trimPrefix "/" | trimSuffix "/" }}/
+ port:
+ targetPort: http
+ to:
+ kind: Service
+ name: gateway
+ weight: 100
+ {{- if $route.tls.enabled }}
+ tls:
+ {{- if $route.tls.insecureEdgeTerminationPolicy }}
+ insecureEdgeTerminationPolicy: {{ $route.tls.insecureEdgeTerminationPolicy }}
+ {{- end }}
+ {{- if $route.tls.termination }}
+ termination: {{ $route.tls.termination }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/k10/k10/5.0.200/templates/scc.yaml b/charts/k10/k10/5.0.200/templates/scc.yaml
new file mode 100644
index 000000000..df12af4e3
--- /dev/null
+++ b/charts/k10/k10/5.0.200/templates/scc.yaml
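Review bot: `namespace: {{ .Release.Namespace }}` is nested inside `{{- with $route.annotations }}`, so the Route only carries an explicit namespace when annotations are configured; it belongs directly under `metadata:` next to `name:`, before the `with` block. Helm still places the object in the release namespace, but the rendered manifest differs between the two configurations and anyone applying `helm template` output with a different default namespace gets the Route in the wrong place. When `$route.tls.enabled` is false the Route is plain HTTP for the gateway that fronts the dashboard and its login flows; a short comment on the `tls` conditional noting that TLS is expected for anything beyond a test install would make the default's consequence visible to operators.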
@@ -0,0 +1,43 @@
+{{- if .Values.scc.create }}
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: {{ .Release.Name }}-prometheus-server
+allowPrivilegedContainer: false
+allowHostNetwork: false
+allowHostDirVolumePlugin: true
+priority: null
+allowedCapabilities: null
+allowHostPorts: true
+allowHostPID: false
+allowHostIPC: false
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- CHOWN
+- KILL
+- MKNOD
+- SETUID
+- SETGID
+defaultAddCapabilities: []
+allowedCapabilities: []
+priority: 0
+runAsUser:
+ type: MustRunAsNonRoot
+seLinuxContext:
+ type: RunAsAny
+fsGroup:
+ type: RunAsAny
+supplementalGroups:
+ type: RunAsAny
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+users:
+ - system:serviceaccount:{{.Release.Namespace}}:prometheus-server
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/templates/secrets.yaml b/charts/k10/k10/5.0.200/templates/secrets.yaml
new file mode 100644
index 000000000..ac309e717
--- /dev/null
+++ b/charts/k10/k10/5.0.200/templates/secrets.yaml
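Review bot: `priority` and `allowedCapabilities` are each defined twice in this SecurityContextConstraints (`priority: null` and `allowedCapabilities: null` near the top, then `allowedCapabilities: []` and `priority: 0` after `requiredDropCapabilities`); duplicate mapping keys are invalid YAML and most loaders silently keep the last occurrence, so the first pair should be deleted rather than left to luck. `allowHostDirVolumePlugin: true` and `allowHostPorts: true` are broader than the `volumes:` list (which contains no `hostPath`) suggests prometheus-server needs; if host ports and host-directory volumes are not actually required, set both to `false`, otherwise add a comment stating which workload depends on them. The `{{.Release.Namespace}}` in the `users:` entry should be written `{{ .Release.Namespace }}` to match the rest of the chart.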
@@ -0,0 +1,242 @@
+{{- include "enforce.singlecloudcreds" . -}}
+{{- include "check.validateImagePullSecrets" . -}}
+{{- if eq (include "check.awscreds" . ) "true" }}
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: aws-creds
+type: Opaque
+data:
+ aws_access_key_id: {{ required "secrets.awsAccessKeyId field is required!" .Values.secrets.awsAccessKeyId | b64enc | quote }}
+ aws_secret_access_key: {{ required "secrets.awsSecretAccessKey field is required!" .Values.secrets.awsSecretAccessKey | b64enc | quote }}
+{{- if .Values.secrets.awsIamRole }}
+ role: {{ .Values.secrets.awsIamRole | trim | b64enc | quote }}
+{{- end }}
+{{- end }}
+{{- if or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: k10-ecr
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ or .Values.secrets.dockerConfig ( .Values.secrets.dockerConfigPath | b64enc ) }}
+{{- end }}
+{{- if eq (include "check.googlecreds" .) "true" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: google-secret
+type: Opaque
+data:
+ kasten-gke-sa.json: {{ .Values.secrets.googleApiKey }}
+{{- end }}
+{{- if eq (include "check.ibmslcreds" .) "true" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: ibmsl-secret
+type: Opaque
+data:
+ ibm_sl_key: {{ required "secrets.ibmSoftLayerApiKey field is required!" .Values.secrets.ibmSoftLayerApiKey | b64enc | quote }}
+ ibm_sl_username: {{ required "secrets.ibmSoftLayerApiUsername field is required!" .Values.secrets.ibmSoftLayerApiUsername | b64enc | quote }}
+{{- end }}
+{{- if eq (include "check.azurecreds" .) 
"true" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: azure-creds
+type: Opaque
+data:
+ azure_tenant_id: {{ required "secrets.azureTenantId field is required!" .Values.secrets.azureTenantId | b64enc | quote }}
+ azure_client_id: {{ required "secrets.azureClientId field is required!" .Values.secrets.azureClientId | b64enc | quote }}
+ azure_client_secret: {{ required "secrets.azureClientSecret field is required!" .Values.secrets.azureClientSecret | b64enc | quote }}
+ azure_resource_group: {{ default "" .Values.secrets.azureResourceGroup | b64enc | quote }}
+ azure_subscription_id: {{ default "" .Values.secrets.azureSubscriptionID | b64enc | quote }}
+ azure_resource_manager_endpoint: {{ default "" .Values.secrets.azureResourceMgrEndpoint | b64enc | quote }}
+ azure_ad_endpoint: {{ default "" .Values.secrets.azureADEndpoint | b64enc | quote }}
+ azure_ad_resource_id: {{ default "" .Values.secrets.azureADResourceID | b64enc | quote }}
+ azure_cloud_env_id: {{ default "" .Values.secrets.azureCloudEnvID | b64enc | quote }}
+{{- end }}
+{{- if eq (include "check.vspherecreds" .) "true" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: vsphere-creds
+type: Opaque
+data:
+ vsphere_endpoint: {{ required "secrets.vsphereEndpoint field is required!" .Values.secrets.vsphereEndpoint | b64enc | quote }}
+ vsphere_username: {{ required "secrets.vsphereUsername field is required!" .Values.secrets.vsphereUsername | b64enc | quote }}
+ vsphere_password: {{ required "secrets.vspherePassword field is required!" .Values.secrets.vspherePassword | b64enc | quote }}
+{{- end }}
+{{- if and (eq (include "basicauth.check" .) "true") (not .Values.auth.basicAuth.secretName) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . 
| indent 4 }}
+ name: k10-basic-auth
+ namespace: {{ .Release.Namespace }}
+data:
+ auth: {{ required "auth.basicAuth.htpasswd field is required!" .Values.auth.basicAuth.htpasswd | b64enc | quote}}
+type: Opaque
+{{- end }}
+{{- if .Values.auth.tokenAuth.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: k10-token-auth
+ namespace: {{ .Release.Namespace }}
+data:
+ auth: {{ "true" | b64enc | quote}}
+type: Opaque
+{{- end }}
+{{- if and .Values.auth.oidcAuth.enabled (not .Values.auth.oidcAuth.secretName) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: k10-oidc-auth
+ namespace: {{ .Release.Namespace }}
+data:
+ provider-url: {{ required "auth.oidcAuth.providerURL field is required!" .Values.auth.oidcAuth.providerURL | b64enc | quote }}
+ redirect-url: {{ required "auth.oidcAuth.redirectURL field is required!" .Values.auth.oidcAuth.redirectURL | b64enc | quote }}
+ client-id: {{ required "auth.oidcAuth.clientID field is required!" .Values.auth.oidcAuth.clientID | b64enc | quote }}
+ client-secret: {{ required "auth.oidcAuth.clientSecret field is required!" .Values.auth.oidcAuth.clientSecret | b64enc | quote }}
+ scopes: {{ required "auth.oidcAuth.scopes field is required!" .Values.auth.oidcAuth.scopes | b64enc | quote }}
+ prompt: {{ default "select_account" .Values.auth.oidcAuth.prompt | b64enc | quote }}
+ usernameClaim: {{ default "sub" .Values.auth.oidcAuth.usernameClaim | b64enc | quote }}
+ usernamePrefix: {{ default "" .Values.auth.oidcAuth.usernamePrefix | b64enc | quote }}
+ groupClaim: {{ default "" .Values.auth.oidcAuth.groupClaim | b64enc | quote }}
+ groupPrefix: {{ default "" .Values.auth.oidcAuth.groupPrefix | b64enc | quote }}
+stringData:
+ groupAllowList: |-
+{{- range $.Values.auth.groupAllowList }}
+ {{ . 
-}}
+{{ end }}
+ logout-url: {{ default "" .Values.auth.oidcAuth.logoutURL | b64enc | quote }}
+type: Opaque
+{{- end }}
+{{- if and .Values.auth.openshift.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: k10-oidc-auth
+ namespace: {{ .Release.Namespace }}
+data:
+ provider-url: {{ required "auth.openshift.dashboardURL field is required!" (printf "%s/dex" (trimSuffix "/" .Values.auth.openshift.dashboardURL)) | b64enc | quote }}
+ {{- if .Values.route.enabled }}
+ redirect-url: {{ required "auth.openshift.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.route.path) (trimSuffix "/" .Values.auth.openshift.dashboardURL))) | b64enc | quote }}
+ {{- else }}
+ redirect-url: {{ required "auth.openshift.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.ingress.urlPath) (trimSuffix "/" .Values.auth.openshift.dashboardURL))) | b64enc | quote }}
+ {{- end }}
+ client-id: {{ (printf "kasten") | b64enc | quote }}
+ client-secret: {{ (printf "kastensecret") | b64enc | quote }}
+ scopes: {{ (printf "groups profile email") | b64enc | quote }}
+ prompt: {{ (printf "select_account") | b64enc | quote }}
+ usernameClaim: {{ default "email" .Values.auth.openshift.usernameClaim | b64enc | quote }}
+ usernamePrefix: {{ default "" .Values.auth.openshift.usernamePrefix | b64enc | quote }}
+ groupClaim: {{ default "groups" .Values.auth.openshift.groupClaim | b64enc | quote }}
+ groupPrefix: {{ default "" .Values.auth.openshift.groupPrefix | b64enc | quote }}
+stringData:
+ groupAllowList: |-
+{{- range $.Values.auth.groupAllowList }}
+ {{ . -}}
+{{ end }}
+type: Opaque
+{{- end }}
+{{- if and .Values.auth.ldap.enabled (not .Values.auth.ldap.secretName) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . 
| indent 4 }}
+ name: k10-oidc-auth
+ namespace: {{ .Release.Namespace }}
+data:
+ provider-url: {{ required "auth.ldap.dashboardURL field is required!" (printf "%s/dex" (trimSuffix "/" .Values.auth.ldap.dashboardURL)) | b64enc | quote }}
+ {{- if .Values.route.enabled }}
+ redirect-url: {{ required "auth.ldap.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.route.path) (trimSuffix "/" .Values.auth.ldap.dashboardURL))) | b64enc | quote }}
+ {{- else }}
+ redirect-url: {{ required "auth.ldap.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.ingress.urlPath) (trimSuffix "/" .Values.auth.ldap.dashboardURL))) | b64enc | quote }}
+ {{- end }}
+ client-id: {{ (printf "kasten") | b64enc | quote }}
+ client-secret: {{ (printf "kastensecret") | b64enc | quote }}
+ scopes: {{ (printf "groups profile email") | b64enc | quote }}
+ prompt: {{ (printf "select_account") | b64enc | quote }}
+ usernameClaim: {{ default "email" .Values.auth.ldap.usernameClaim | b64enc | quote }}
+ usernamePrefix: {{ default "" .Values.auth.ldap.usernamePrefix | b64enc | quote }}
+ groupClaim: {{ default "groups" .Values.auth.ldap.groupClaim | b64enc | quote }}
+ groupPrefix: {{ default "" .Values.auth.ldap.groupPrefix | b64enc | quote }}
+stringData:
+ groupAllowList: |-
+{{- range $.Values.auth.groupAllowList }}
+ {{ . -}}
+{{ end }}
+type: Opaque
+{{- end }}
+{{- if and .Values.auth.ldap.enabled (not .Values.auth.ldap.bindPWSecretName) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: k10-dex
+ namespace: {{ .Release.Namespace }}
+data:
+ bindPW: {{ required "auth.ldap.bindPW field is required!" .Values.auth.ldap.bindPW | b64enc | quote }}
+type: Opaque
+{{- end }}
+{{- if eq (include "check.primaryKey" . ) "true" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . 
| indent 4 }}
+ name: k10-encryption-primary-key
+ namespace: {{ .Release.Namespace }}
+data:
+ {{- if .Values.encryption.primaryKey.awsCmkKeyId }}
+ awscmkkeyid: {{ default "" .Values.encryption.primaryKey.awsCmkKeyId | trim | b64enc | quote }}
+ {{- end }}
+ {{- if .Values.encryption.primaryKey.vaultTransitKeyName }}
+ vaulttransitkeyname: {{ default "" .Values.encryption.primaryKey.vaultTransitKeyName | trim | b64enc | quote }}
+ vaulttransitpath: {{ default "transit" .Values.encryption.primaryKey.vaultTransitPath | trim | b64enc | quote }}
+ {{- end }}
+type: Opaque
+{{- end }}
diff --git a/charts/k10/k10/5.0.200/templates/serviceaccount.yaml b/charts/k10/k10/5.0.200/templates/serviceaccount.yaml
new file mode 100644
index 000000000..a7704e4e6
--- /dev/null
+++ b/charts/k10/k10/5.0.200/templates/serviceaccount.yaml
@@ -0,0 +1,27 @@
+{{- if and .Values.serviceAccount.create ( not .Values.metering.awsMarketplace ) ( not .Values.metering.awsManagedLicense ) }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+{{- if .Values.secrets.awsIamRole }}
+ annotations:
+ eks.amazonaws.com/role-arn: {{ .Values.secrets.awsIamRole }}
+{{- end }}
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: {{ template "serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- if and (not ( eq (include "meteringServiceAccountName" .) (include "serviceAccountName" .))) ( not .Values.metering.awsManagedLicense ) .Values.metering.serviceAccount.create }}
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+{{- if .Values.metering.awsMarketPlaceIamRole }}
+ annotations:
+ eks.amazonaws.com/role-arn: {{ .Values.metering.awsMarketPlaceIamRole }}
+{{- end }}
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: {{ template "meteringServiceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
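Review bot: The openshift and ldap blocks pin the dex client credentials to the literal strings `kasten` and `kastensecret` (`client-secret: {{ (printf "kastensecret") | b64enc | quote }}`), so every installation shares the same OIDC client secret and it provides no confidentiality; consider taking it from a value with `required`, or generating it per release with `randAlphaNum` and reading the existing value back via `lookup` so upgrades keep it stable, and make sure the dex configuration consumes the same value. Those two blocks and the oidcAuth block all emit a Secret named `k10-oidc-auth`, so enabling more than one of them produces a duplicate resource in the render; a `fail` guard when several are enabled would make the conflict explicit instead of letting the apiserver reject it. The `.dockerconfigjson` line base64-encodes the `dockerConfigPath` value itself rather than a file's content, which only works when that value is supplied with `--set-file`, and `kasten-gke-sa.json: {{ .Values.secrets.googleApiKey }}` is the one data entry written with neither `required` nor `quote`, unlike every neighbouring field; both deserve a comment stating the expected input form.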
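Review bot: `eks.amazonaws.com/role-arn: {{ .Values.secrets.awsIamRole }}` is rendered unquoted and untrimmed, whereas secrets.yaml writes the same value through `| trim`, so a value carrying a trailing newline (for example one supplied with `--set-file`) yields a different ARN in the two places and a plain scalar containing `: ` or `#` would not even parse. Rendering both annotation lines as `{{ .Values.secrets.awsIamRole | trim | quote }}` and `{{ .Values.metering.awsMarketPlaceIamRole | trim | quote }}` keeps them consistent with the secret.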
diff --git a/charts/k10/k10/5.0.200/templates/v0services.yaml b/charts/k10/k10/5.0.200/templates/v0services.yaml
new file mode 100644
index 000000000..1ed8f746c
--- /dev/null
+++ b/charts/k10/k10/5.0.200/templates/v0services.yaml
@@ -0,0 +1,195 @@
+{{/* Template to generate service spec for v0 rest services */}}
+{{- $container_port := .Values.service.internalPort -}}
+{{- $service_port := .Values.service.externalPort -}}
+{{- $aggregated_api_port := .Values.service.aggregatedApiPort -}}
+{{- $postfix := default .Release.Name .Values.ingress.urlPath -}}
+{{- $colocated_services := include "k10.colocatedServices" . | fromYaml -}}
+{{- $exposed_services := include "k10.exposedServices" . | splitList " " -}}
+{{- $os_postfix := default .Release.Name .Values.route.path -}}
+{{- $main_context := . -}}
+{{ $service_list := append (include "k10.restServices" . | splitList " ") "frontend" }}
+{{- if not (default .Values.features dict).multicluster -}}
+ {{- $service_list = without $service_list "mccontrollermanager" -}}
+{{- end -}}
+{{- range $service_list }}
+ {{- $exposed_service := (has . $exposed_services) }}
+ {{- $mc_exposed_service := (and (eq . "mccontrollermanager") (default $.Values.features dict).multicluster) }}
+ {{ if not (hasKey $colocated_services . ) }}
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: {{ $.Release.Namespace }}
+ name: {{ . }}-svc
+ labels:
+{{ include "helm.labels" $ | indent 4 }}
+ component: {{ . }}
+ run: {{ . }}-svc
+{{ if or $exposed_service (eq . "frontend") $mc_exposed_service }}
+ annotations:
+ getambassador.io/config: |
+ {{- if or $exposed_service (eq . "frontend") }}
+ ---
+ apiVersion: getambassador.io/v3alpha1
+ kind: Mapping
+ name: {{ . }}-mapping
+ {{- if $.Values.route.enabled }}
+ {{- if eq . "frontend" }}
+ prefix: /{{ $os_postfix | trimPrefix "/" | trimSuffix "/" }}/
+ {{- else }}
+ prefix: /{{ $os_postfix | trimPrefix "/" | trimSuffix "/" }}/{{ . }}-svc/
+ {{- end }}
+ {{- else }}
+ {{- if eq . "frontend" }}
+ prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/
+ {{- else }}
+ prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/{{ . }}-svc/
+ {{- end }}
+ {{- end }}
+ rewrite: /
+ service: {{ . 
}}-svc.{{ $.Release.Namespace }}:{{ $service_port }}
+ timeout_ms: 30000
+ hostname: "*"
+ {{- end }}
+ {{- $colocatedList := include "get.enabledColocatedSvcList" $main_context | fromYaml }}
+ {{- range $skip, $secondary := index $colocatedList . }}
+ {{- $colocConfig := index (include "k10.colocatedServices" . | fromYaml) $secondary }}
+ {{- if $colocConfig.isExposed }}
+ ---
+ apiVersion: getambassador.io/v3alpha1
+ kind: Mapping
+ name: {{ $secondary }}-mapping
+ prefix: /{{ $postfix }}/{{ $secondary }}-svc/
+ rewrite: /
+ service: {{ $colocConfig.primary }}-svc.{{ $.Release.Namespace }}:{{ $colocConfig.port }}
+ timeout_ms: 30000
+ hostname: "*"
+ {{- end }}
+ {{- end }}
+ {{- if $mc_exposed_service }}
+ ---
+ apiVersion: getambassador.io/v3alpha1
+ kind: Mapping
+ name: {{ . }}-mc-mapping
+ {{- if $.Values.route.enabled }}
+ prefix: /{{ $os_postfix | trimPrefix "/" | trimSuffix "/" }}/mc/
+ {{- else }}
+ prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/mc/
+ {{- end }}
+ rewrite: /
+ service: {{ . }}-svc.{{ $.Release.Namespace }}:{{ include "k10.mcExternalPort" nil }}
+ bypass_auth: true
+ timeout_ms: 30000
+ hostname: "*"
+ {{- end }}
+{{- end }}
+spec:
+ ports:
+ - name: http
+ protocol: TCP
+ port: {{ $service_port }}
+ targetPort: {{ $container_port }}
+ {{- if and (eq . "controllermanager") ($.Values.injectKanisterSidecar.enabled) }}
+ - name: https
+ protocol: TCP
+ port: 443
+ targetPort: {{ $.Values.injectKanisterSidecar.webhookServer.port }}
+ {{- end }}
+{{- $colocatedList := include "get.enabledColocatedSvcList" $main_context | fromYaml }}
+{{- range $skip, $secondary := index $colocatedList . }}
+ {{- $colocConfig := index (include "k10.colocatedServices" . | fromYaml) $secondary }}
+ - name: {{ $secondary }}
+ protocol: TCP
+ port: {{ $colocConfig.port }}
+ targetPort: {{ $colocConfig.port }}
+{{- end }}
+{{- if eq . 
"logging" }}
+ - name: logging
+ protocol: TCP
+ port: 24224
+ targetPort: 24224
+ - name: logging-metrics
+ protocol: TCP
+ port: 24225
+ targetPort: 24225
+{{- end }}
+{{- if eq . "mccontrollermanager" }}
+ - name: mc-http
+ protocol: TCP
+ port: {{ include "k10.mcExternalPort" nil }}
+ targetPort: {{ include "k10.mcExternalPort" nil }}
+{{- end }}
+ selector:
+ run: {{ . }}-svc
+---
+ {{ end }}{{/* if not (hasKey $colocated_services $k10_service ) */}}
+{{ end -}}{{/* range append (include "k10.restServices" . | splitList " ") "frontend" */}}
+{{- range append (include "k10.services" . | splitList " ") "kanister" }}
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: {{ $.Release.Namespace }}
+ name: {{ . }}-svc
+ labels:
+{{ include "helm.labels" $ | indent 4 }}
+ component: {{ . }}
+ run: {{ . }}-svc
+spec:
+ ports:
+ {{- if eq . "aggregatedapis" }}
+ - name: http
+ port: 443
+ protocol: TCP
+ targetPort: {{ $aggregated_api_port }}
+ {{- else }}
+ - name: http
+ protocol: TCP
+ port: {{ $service_port }}
+ targetPort: {{ $container_port }}
+ {{- end }}
+{{- $colocatedList := include "get.enabledColocatedSvcList" $main_context | fromYaml }}
+{{- range $skip, $secondary := index $colocatedList . }}
+ {{- $colocConfig := index (include "k10.colocatedServices" . | fromYaml) $secondary }}
+ - name: {{ $secondary }}
+ protocol: TCP
+ port: {{ $colocConfig.port }}
+ targetPort: {{ $colocConfig.port }}
+{{- end }}
+ selector:
+ run: {{ . }}-svc
+---
+{{ end -}}
+{{- if or .Values.auth.dex.enabled (eq (include "check.dexAuth" .) 
"true") }}
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ getambassador.io/config: |
+ ---
+ apiVersion: getambassador.io/v3alpha1
+ kind: Mapping
+ name: dex-mapping
+ {{- if $.Values.route.enabled }}
+ prefix: /{{ $os_postfix | trimPrefix "/" | trimSuffix "/" }}/dex/
+ {{- else }}
+ prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/dex/
+ {{- end }}
+ rewrite: ""
+ service: dex.{{ $.Release.Namespace }}:8000
+ timeout_ms: 30000
+ hostname: "*"
+ name: dex
+ namespace: {{ $.Release.Namespace }}
+ labels:
+{{ include "helm.labels" $ | indent 4 }}
+ component: dex
+ run: auth-svc
+spec:
+ ports:
+ - name: http
+ port: {{ $service_port }}
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ run: auth-svc
+ type: ClusterIP
+{{ end -}}
diff --git a/charts/k10/k10/5.0.200/triallicense b/charts/k10/k10/5.0.200/triallicense
new file mode 100644
index 000000000..cfe6dd46b
--- /dev/null
+++ b/charts/k10/k10/5.0.200/triallicense
@@ -0,0 +1 @@
+Y3VzdG9tZXJOYW1lOiB0cmlhbHN0YXJ0ZXItbGljZW5zZQpkYXRlRW5kOiAnMjEwMC0wMS0wMVQwMDowMDowMC4wMDBaJwpkYXRlU3RhcnQ6ICcyMDIwLTAxLTAxVDAwOjAwOjAwLjAwMFonCmZlYXR1cmVzOgogIHRyaWFsOiBudWxsCmlkOiB0cmlhbC0wOWY4MzE5Zi0xODBmLTRhOTAtOTE3My1kOTJiNzZmMTgzNWUKcHJvZHVjdDogSzEwCnJlc3RyaWN0aW9uczoKICBub2RlczogNTAwCnNlcnZpY2VBY2NvdW50S2V5OiBudWxsCnZlcnNpb246IHYxLjAuMApzaWduYXR1cmU6IEYxbnVLUFV5STJtbDJGMmV1VHdGOXNZRTZMVU5rQ3ZiR2tTV1ZkT0ZqdERCb1B6SjUyVWFsVkFmRjVmQUxpcm5BcVhkcERnYi9YcnpxSEYrTE0xS2pEMVdXUFd0ZUdXNFc1anBPSFN0T296Y0c5M0pUUHF5M2l6TVk3RmczZVFLYTZzWDhBdnFwOXArWXVBMWNwTENlQ2dsR2dnOTVzSUFmYmRMMTBmV2d2RmR6QUt4dUZLN2psRzVtbG1CRVF5R0hrYWdoZFIrVGxzeUNTNEFkbXVBOEZodVUwZnRBdXN0b1M3R2JKd1BuTFI3STFZY1Q4OW8wU2xRZEJ2Yjg2QzdKbm1OdnY0aHhiSUo5TTJvWGJPSnQ4ZnBNcjhNWFR6YWRMTWJzSndhZ3VBVHlNUWF2cExHNXRPb0U2ZE1uMVlFVDZLdWZiYy9NdThVRDVYYXlDYTdkZz09Cg==
diff --git a/charts/k10/k10/5.0.200/values.schema.json b/charts/k10/k10/5.0.200/values.schema.json
new file mode 100644
index 000000000..ff0a81afe
--- /dev/null
+++ b/charts/k10/k10/5.0.200/values.schema.json
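Review bot: The colocated-service Mapping uses `prefix: /{{ $postfix }}/{{ $secondary }}-svc/` without the `trimPrefix "/" | trimSuffix "/"` normalisation and without the `$.Values.route.enabled` / `$os_postfix` branch that every other Mapping in this file applies, so an `ingress.urlPath` with a leading or trailing slash produces a `//` segment and OpenShift route installs get the ingress path instead of the route path for exactly these services. Align it with its neighbours, e.g. `prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/{{ $secondary }}-svc/` under the same `route.enabled` conditional the frontend mapping uses. The `-mc-mapping` sets `bypass_auth: true`, which takes the multicluster endpoint out of the gateway's authentication; a comment on that line stating that `mccontrollermanager` authenticates its own requests would record why this is acceptable. The closing comment `{{/* if not (hasKey $colocated_services $k10_service ) */}}` refers to a variable that does not exist in this template (the loop keys on `.`), so it should be corrected to avoid misleading the next reader.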
@@ -0,0 +1,1089 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema", + "type": "object", + "properties": { + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + } + }, + "image": { + "type": "object", + "properties": { + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "image": { + "type": "string" + }, + "tag": { + "type": "string" + }, + "pullPolicy": { + "type": "string" + } + } + }, + "scc": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "networkPolicy": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "global": { + "type": "object", + "properties": { + "airgapped": { + "type": "object", + "properties": { + "repository": { + "type": "string" + } + } + }, + "persistence": { + "type": "object", + "properties": { + "mountPath": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "storageClass": { + "type": "string" + }, + "accessMode": { + "type": "string" + }, + "size": { + "type": "string" + }, + "metering": { + "type": "object", + "properties": { + "size": { + "type": "string" + } + } + }, + "catalog": { + "type": "object", + "properties": { + "size": { + "type": "string" + } + } + }, + "jobs": { + "type": "object", + "properties": { + "size": { + "type": "string" + } + } + }, + "logging": { + "type": "object", + "properties": { + "size": { + "type": "string" + } + } + } + } + }, + "upstreamCertifiedImages": { + "type": "boolean" + }, + "rhMarketPlace": { + "type": "boolean" + }, + "images": { + "type": "object", + "properties": { + "aggregatedapis": { + "type": "string" + }, + "auth": { + "type": "string" + }, + "catalog": { + "type": "string" + }, + "controllermanager": { + "type": "string" + }, + "crypto": { + "type": "string" + }, + "dashboardbff": { + "type": "string" + }, + "executor": { + "type": "string" + }, + "frontend": { + "type": 
"string" + }, + "jobs": { + "type": "string" + }, + "kanister": { + "type": "string" + }, + "logging": { + "type": "string" + }, + "metering": { + "type": "string" + }, + "state": { + "type": "string" + }, + "ambassador": { + "type": "string" + }, + "prometheus": { + "type": "string" + }, + "configmap-reload": { + "type": "string" + }, + "dex": { + "type": "string" + }, + "kanister-tools": { + "type": "string" + }, + "upgrade": { + "type": "string" + }, + "cephtool": { + "type": "string" + }, + "datamover": { + "type": "string" + } + } + } + } + }, + "metering": { + "type": "object", + "properties": { + "reportingKey": { + "type": "string" + }, + "consumerId": { + "type": "string" + }, + "awsMarketPlaceIamRole": { + "type": "string" + }, + "awsRegion": { + "type": "string" + }, + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + } + }, + "licenseConfigSecretName": { + "type": "string" + }, + "mode": { + "type": "string" + }, + "reportCollectionPeriod": { + "type": "integer" + }, + "reportPushPeriod": { + "type": "integer" + }, + "promoID": { + "type": "string" + } + } + }, + "route": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "host": { + "type": "string" + }, + "path": { + "type": "string" + }, + "annotations": { + "type": "object" + }, + "labels": { + "type": "object" + }, + "tls": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "insecureEdgeTerminationPolicy": { + "type": "string" + }, + "termination": { + "type": "string" + } + } + } + } + }, + "toolsImage": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "pullPolicy": { + "type": "string" + } + } + }, + "ambassadorImage": { + "type": "object", + "properties": { + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "image": { + "type": "string" + } + } + }, + "dexImage": { + "type": "object", + 
"properties": { + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "image": { + "type": "string" + } + } + }, + "kanisterToolsImage": { + "type": "object", + "properties": { + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "image": { + "type": "string" + }, + "pullPolicy": { + "type": "string" + } + } + }, + "eula": { + "type": "object", + "properties": { + "accept": { + "type": "boolean" + } + } + }, + "license": { + "type": "string" + }, + "prometheus": { + "type": "object", + "properties": { + "k10image": { + "type": "object", + "properties": { + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + } + } + }, + "initChownData": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "alertmanager": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "kubeStateMetrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "networkPolicy": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "nodeExporter": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "pushgateway": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "scrapeCAdvisor": { + "type": "boolean" + }, + "server": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "securityContext": { + "type": "object", + "properties": { + "runAsUser": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "fsGroup": { + "type": "integer" + } + } + }, + "retention": { + "type": "string" + }, + "strategy": { + "type": "object", + "properties": { + "rollingUpdate": { + "type": "object", + "properties": { + "maxSurge": { + 
"type": "string" + }, + "maxUnavailable": { + "type": "string" + } + } + }, + "type": { + "type": "string" + } + } + }, + "persistentVolume": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "storageClass": { + "type": "string" + } + } + }, + "configMapOverrideName": { + "type": "string" + }, + "fullnameOverride": { + "type": "string" + }, + "baseURL": { + "type": "string" + }, + "prefixURL": { + "type": "string" + } + } + }, + "serviceAccounts": { + "type": "object", + "properties": { + "alertmanager": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "kubeStateMetrics": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "nodeExporter": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "pushgateway": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "server": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + } + } + } + } + }, + "service": { + "type": "object", + "properties": { + "externalPort": { + "type": "integer" + }, + "internalPort": { + "type": "integer" + }, + "aggregatedApiPort": { + "type": "integer" + }, + "gatewayAdminPort": { + "type": "integer" + } + } + }, + "secrets": { + "type": "object", + "properties": { + "awsAccessKeyId": { + "type": "string" + }, + "awsSecretAccessKey": { + "type": "string" + }, + "awsIamRole": { + "type": "string" + }, + "googleApiKey": { + "type": "string" + }, + "dockerConfig": { + "type": "string" + }, + "dockerConfigPath": { + "type": "string" + }, + "azureTenantId": { + "type": "string" + }, + "azureClientId": { + "type": "string" + }, + "azureClientSecret": { + "type": "string" + }, + "azureResourceGroup": { + "type": "string" + }, + "azureSubscriptionID": { + "type": "string" + }, + "azureResourceMgrEndpoint": { + "type": "string" + }, + "azureADEndpoint": { + "type": "string" + }, + 
"azureADResourceID": { + "type": "string" + }, + "apiTlsCrt": { + "type": "string" + }, + "apiTlsKey": { + "type": "string" + }, + "ibmSoftLayerApiKey": { + "type": "string" + }, + "ibmSoftLayerApiUsername": { + "type": "string" + }, + "vsphereEndpoint": { + "type": "string" + }, + "vsphereUsername": { + "type": "string" + }, + "vspherePassword": { + "type": "string" + } + } + }, + "clusterName": { + "type": "string" + }, + "executorReplicas": { + "type": "integer" + }, + "logLevel": { + "type": "string" + }, + "apiservices": { + "type": "object", + "properties": { + "deployed": { + "type": "boolean" + } + } + }, + "injectKanisterSidecar": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "namespaceSelector": { + "type": "object", + "properties": { + "matchLabels": { + "type": "object" + } + } + }, + "objectSelector": { + "type": "object", + "properties": { + "matchLabels": { + "type": "object" + } + } + }, + "webhookServer": { + "type": "object", + "properties": { + "port": { + "type": "integer" + } + } + } + } + }, + "kanisterPodCustomLabels": { + "type": "string" + }, + "kanisterPodCustomAnnotations": { + "type": "string" + }, + "resources": { + "type": "object" + }, + "services": { + "type": "object", + "properties": { + "executor": { + "type": "object", + "properties": { + "hostNetwork": { + "type": "boolean" + } + } + }, + "dashboardbff": { + "type": "object", + "properties": { + "hostNetwork": { + "type": "boolean" + } + } + }, + "securityContext": { + "type": "object", + "properties": { + "runAsUser": { + "type": "integer" + }, + "fsGroup": { + "type": "integer" + } + } + } + } + }, + "apigateway": { + "type": "object", + "properties": { + "serviceResolver": { + "type": "string" + } + } + }, + "limiter": { + "type": "object", + "properties": { + "genericVolumeSnapshots": { + "type": "integer" + }, + "genericVolumeCopies": { + "type": "integer" + }, + "genericVolumeRestores": { + "type": "integer" + }, + "csiSnapshots": { + 
"type": "integer" + }, + "providerSnapshots": { + "type": "integer" + } + } + }, + "gateway": { + "type": "object", + "properties": { + "insecureDisableSSLVerify": { + "type": "boolean" + } + } + }, + "kanisterWithKopia": { + "type": "boolean" + }, + "ingress": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "tls": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "class": { + "type": "string" + }, + "host": { + "type": "string" + }, + "urlPath": { + "type": "string" + } + } + }, + "genericVolumeSnapshot": { + "type": "object", + "properties": { + "resources": { + "type": "object", + "properties": { + "requests": { + "type": "object", + "properties": { + "memory": { + "type": "string" + }, + "cpu": { + "type": "string" + } + } + }, + "limits": { + "type": "object", + "properties": { + "memory": { + "type": "string" + }, + "cpu": { + "type": "string" + } + } + } + } + } + } + } + }, + "jaeger": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "agentDNS": { + "type": "string" + } + } + }, + "cacertconfigmap": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + }, + "externalGateway": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "annotations": { + "type": "object" + }, + "fqdn": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + } + }, + "awsSSLCertARN": { + "type": "string" + } + } + }, + "auth": { + "type": "object", + "properties": { + "groupAllowList": { + "type": "array", + "items": { + "type": "string" + } + }, + "basicAuth": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "secretName": { + "type": "string" + }, + "htpasswd": { + "type": "string" + } + } + }, + "tokenAuth": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "oidcAuth": { + "type": "object", + 
"properties": { + "enabled": { + "type": "boolean" + }, + "providerURL": { + "type": "string" + }, + "redirectURL": { + "type": "string" + }, + "scopes": { + "type": "string" + }, + "prompt": { + "type": "string" + }, + "clientID": { + "type": "string" + }, + "clientSecret": { + "type": "string" + }, + "usernameClaim": { + "type": "string" + }, + "usernamePrefix": { + "type": "string" + }, + "groupClaim": { + "type": "string" + }, + "groupPrefix": { + "type": "string" + }, + "logoutURL": { + "type": "string" + }, + "secretName": { + "type": "string" + } + } + }, + "dex": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "providerURL": { + "type": "string" + }, + "redirectURL": { + "type": "string" + } + } + }, + "openshift": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "serviceAccount": { + "type": "string" + }, + "clientSecret": { + "type": "string" + }, + "dashboardURL": { + "type": "string" + }, + "openshiftURL": { + "type": "string" + }, + "insecureCA": { + "type": "boolean" + }, + "useServiceAccountCA": { + "type": "boolean" + }, + "secretName": { + "type": "string" + }, + "usernameClaim": { + "type": "string" + }, + "usernamePrefix": { + "type": "string" + }, + "groupnameClaim": { + "type": "string" + }, + "groupnamePrefix": { + "type": "string" + } + } + }, + "ldap": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "restartPod": { + "type": "boolean" + }, + "dashboardURL": { + "type": "string" + }, + "host": { + "type": "string" + }, + "insecureNoSSL": { + "type": "boolean" + }, + "insecureSkipVerifySSL": { + "type": "boolean" + }, + "startTLS": { + "type": "boolean" + }, + "bindDN": { + "type": "string" + }, + "bindPW": { + "type": "string" + }, + "bindPWSecretName": { + "type": "string" + }, + "userSearch": { + "type": "object", + "properties": { + "baseDN": { + "type": "string" + }, + "filter": { + "type": "string" + }, + "username": { + "type": "string" 
+ }, + "idAttr": { + "type": "string" + }, + "emailAttr": { + "type": "string" + }, + "nameAttr": { + "type": "string" + }, + "preferredUsernameAttr": { + "type": "string" + } + } + }, + "groupSearch": { + "type": "object", + "properties": { + "baseDN": { + "type": "string" + }, + "filter": { + "type": "string" + }, + "userMatchers": { + "type": "array", + "items": { + "type": "string" + } + }, + "nameAttr": { + "type": "string" + } + } + }, + "secretName": { + "type": "string" + }, + "usernameClaim": { + "type": "string" + }, + "usernamePrefix": { + "type": "string" + }, + "groupnameClaim": { + "type": "string" + }, + "groupnamePrefix": { + "type": "string" + } + } + }, + "k10AdminUsers": { + "type": "array", + "items": { + "type": "string" + } + }, + "k10AdminGroups": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "cluster": { + "type": "object", + "properties": { + "domainName": { + "type": "string" + } + } + } +} diff --git a/charts/k10/k10/5.0.200/values.yaml b/charts/k10/k10/5.0.200/values.yaml new file mode 100644 index 000000000..31bf5f842 --- /dev/null +++ b/charts/k10/k10/5.0.200/values.yaml 
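Review bot: The schema never sets `additionalProperties: false`, and it also omits keys that values.yaml in this same chart defines — `rbac`, `gateway.exposeAdminPort`, `secrets.azureCloudEnvID`, `ingress.pathType`, `services.aggregatedapis`, `metering.awsMarketplace`, `encryption`, `vault` among others — so a misspelled toggle such as `auth.basicAuth.enabeld: true` or `auth.oidcAuth.enabled` under a wrong parent passes validation and the release installs with the shipped default of `false`. Declare the missing keys first (otherwise tightening breaks the default install), then add `"additionalProperties": false` at least to the `auth`, `secrets` and `gateway` objects so typos in security-relevant settings fail `helm install` instead of going unnoticed. Whether the gateway enforces any authentication when every `auth.*.enabled` flag is false is not visible in this hunk, so the fail-open reading is something to confirm against the templates.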
@@ -0,0 +1,463 @@ +# Default values for k10. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +image: + registry: gcr.io + repository: kasten-images + image: '' + tag: '' + pullPolicy: Always + +rbac: + create: true +serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. + # If not set and create is true, a name is derived using the release and chart names. + name: "" + +scc: + create: false + +networkPolicy: + create: true + +# Empty value of airgapped.repository specifies that the installation is +# going to be online and if we provide this value using --set flag that +# means that the installation is going to be offline +global: + airgapped: + repository: '' + persistence: + mountPath: "/mnt/k10state" + enabled: true + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + accessMode: ReadWriteOnce + size: 20Gi + metering: + size: 2Gi + catalog: + size: "" + jobs: + size: "" + logging: + size: "" + grafana: + # Default value is set to 5Gi. This is the same as the default value + # from previous releases <= 4.5.1 where the Grafana sub chart used to + # reference grafana.persistence.size instead of the global values. 
+ # Since the size remains the same across upgrades, the Grafana PVC + # is not deleted and recreated which means no Grafana data is lost + # while upgrading from <= 4.5.1 + size: 5Gi + ## Do we want to use certified version to upstream container images + ## TODO: @viveksinghggits, we don't need this anymore + upstreamCertifiedImages: false + ## Set it to true while generating helm operator + rhMarketPlace: false + ## these values should not be provided us, these are to be used by + ## red hat marketplace + images: + admin: '' + aggregatedapis: '' + ambassador: '' + auth: '' + bloblifecyclemanager: '' + catalog: '' + cephtool: '' + configmap-reload: '' + controllermanager: '' + crypto: '' + dashboardbff: '' + datamover: '' + dex: '' + emissary: '' + events: '' + executor: '' + frontend: '' + grafana: '' + jobs: '' + kanister-tools: '' + kanister: '' + logging: '' + metering: '' + paygo_daemonset: '' + prometheus: '' + state: '' + upgrade: '' + vbrintegrationapi: '' + imagePullSecret: '' + ingress: + create: false + urlPath: "" #url path for k10 gateway + route: + enabled: false + path: "" + prometheus: + external: + host: '' #FQDN of prometheus-service + port: '' + baseURL: '' + + +## OpenShift route configuration. 
+route: + enabled: false + # Host name for the route + host: "" + # Default path for the route + path: "" + + annotations: {} + # kubernetes.io/tls-acme: "true" + # haproxy.router.openshift.io/disable_cookies: "true" + # haproxy.router.openshift.io/balance: roundrobin + + labels: {} + # key: value + + # TLS configuration + tls: + enabled: false + # What to do in case of an insecure traffic edge termination + insecureEdgeTerminationPolicy: "Redirect" + # Where this TLS configuration should terminate + termination: "edge" + +toolsImage: + enabled: true + pullPolicy: Always + +ambassadorImage: + registry: docker.io + repository: emissaryingress + image: emissary + +dexImage: + registry: quay.io + repository: dexidp + image: dex + +kanisterToolsImage: + registry: ghcr.io + repository: kanisterio + image: kanister-tools + pullPolicy: Always + +ingress: + create: false + tls: + enabled: false + class: "" #Ingress controller type + host: "" #ingress object host name + urlPath: "" #url path for k10 gateway + pathType: "" + +eula: + accept: false #true value if EULA accepted + +license: "" #base64 encoded string provided by Kasten + +cluster: + domainName: "cluster.local" #default value is cluster.local + +prometheus: + k10image: + # take this value from image.repository + registry: gcr.io + repository: kasten-images + # Disabling init container + # which uses root cmds + initChownData: + enabled: false + rbac: + create: false + alertmanager: + enabled: false + kubeStateMetrics: + enabled: false + networkPolicy: + enabled: true + nodeExporter: + enabled: false + pushgateway: + enabled: false + scrapeCAdvisor: false + server: + # UID and groupid are from prometheus helm chart + enabled: true + securityContext: + runAsUser: 65534 + runAsNonRoot: true + runAsGroup: 65534 + fsGroup: 65534 + retention: 30d + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 100% + type: RollingUpdate + persistentVolume: + enabled: true + storageClass: "" + configMapOverrideName: 
k10-prometheus-config + fullnameOverride: prometheus-server + baseURL: /k10/prometheus/ + prefixURL: /k10/prometheus + serviceAccounts: + alertmanager: + create: false + kubeStateMetrics: + create: false + nodeExporter: + create: false + pushgateway: + create: false + server: + create: true + +jaeger: + enabled: false + agentDNS: "" + +service: + externalPort: 8000 + internalPort: 8000 + aggregatedApiPort: 10250 + gatewayAdminPort: 8877 + +secrets: + awsAccessKeyId: '' + awsSecretAccessKey: '' + awsIamRole: '' + googleApiKey: '' + dockerConfig: '' + dockerConfigPath: '' + azureTenantId: '' + azureClientId: '' + azureClientSecret: '' + azureResourceGroup: '' + azureSubscriptionID: '' + azureResourceMgrEndpoint: '' + azureADEndpoint: '' + azureADResourceID: '' + azureCloudEnvID: '' + apiTlsCrt: '' + apiTlsKey: '' + ibmSoftLayerApiKey: '' + ibmSoftLayerApiUsername: '' + vsphereEndpoint: '' + vsphereUsername: '' + vspherePassword: '' + +metering: + reportingKey: "" #[base64-encoded key] + consumerId: "" #project: + awsRegion: '' + awsMarketPlaceIamRole: '' + awsMarketplace: false # AWS cloud metering license mode + awsManagedLicense: false # AWS managed license mode + licenseConfigSecretName: '' # AWS managed license config secret for non-eks clusters + serviceAccount: + create: false + name: "" + mode: '' # controls metric and license reporting (set to `airgap` for private-network installs) + redhatMarketplacePayg: false # Redhat cloud metering license mode + reportCollectionPeriod: 1800 # metric report collection period in seconds + reportPushPeriod: 3600 # metric report push period in seconds + promoID: '' # sets the K10 promotion ID + +clusterName: '' +executorReplicas: 3 +logLevel: info + +externalGateway: + create: false + # Any standard service annotations + annotations: {} + # Host and domain name for the K10 API server + fqdn: + name: "" + #Supported types route53-mapper, external-dns + type: "" + # ARN for the AWS ACM SSL certificate used in the K10 API 
server (load balancer) + awsSSLCertARN: '' + +auth: + groupAllowList: [] +# - "group1" +# - "group2" + basicAuth: + enabled: false + secretName: "" #htpasswd based existing secret + htpasswd: "" #htpasswd string, which will be used for basic auth + tokenAuth: + enabled: false + oidcAuth: + enabled: false + providerURL: "" #URL to your OIDC provider + redirectURL: "" #URL to the K10 gateway service + scopes: "" #Space separated OIDC scopes required for userinfo. Example: "profile email" + prompt: "" #The prompt type to be requested with the OIDC provider. Default is select_account. + clientID: "" #ClientID given by the OIDC provider for K10 + clientSecret: "" #ClientSecret given by the OIDC provider for K10 + usernameClaim: "" #Claim to be used as the username + usernamePrefix: "" #Prefix that has to be used with the username obtained from the username claim + groupClaim: "" #Name of a custom OpenID Connect claim for specifying user groups + groupPrefix: "" #All groups will be prefixed with this value to prevent conflicts. + logoutURL: "" #URL to your OIDC provider's logout endpoint + #OIDC config based existing secret. + #Must include providerURL, redirectURL, scopes, clientID/secret and logoutURL. 
+ secretName: "" + dex: + enabled: false + providerURL: "" + redirectURL: "" + openshift: + enabled: false + serviceAccount: "" #service account used as the OAuth client + clientSecret: "" #The token from the service account + dashboardURL: "" #The URL for accessing K10's dashboard + openshiftURL: "" #The URL of the Openshift API server + insecureCA: false + useServiceAccountCA: false + secretName: "" # The Kubernetes Secret that contains OIDC settings + usernameClaim: "email" + usernamePrefix: "" + groupnameClaim: "groups" + groupnamePrefix: "" + ldap: + enabled: false + restartPod: false # Enable this value to force a restart of the authentication service pod + dashboardURL: "" #The URL for accessing K10's dashboard + host: "" + insecureNoSSL: false + insecureSkipVerifySSL: false + startTLS: false + bindDN: "" + bindPW: "" + bindPWSecretName: "" + userSearch: + baseDN: "" + filter: "" + username: "" + idAttr: "" + emailAttr: "" + nameAttr: "" + preferredUsernameAttr: "" + groupSearch: + baseDN: "" + filter: "" + userMatchers: [] +# - userAttr: +# groupAttr: + nameAttr: "" + secretName: "" # The Kubernetes Secret that contains OIDC settings + usernameClaim: "email" + usernamePrefix: "" + groupnameClaim: "groups" + groupnamePrefix: "" + k10AdminUsers: [] + k10AdminGroups: [] + +optionalColocatedServices: + vbrintegrationapi: + enabled: false + +cacertconfigmap: + name: "" #Name of the configmap + +apiservices: + deployed: true # If false APIService objects will not be deployed + +injectKanisterSidecar: + enabled: false + namespaceSelector: + matchLabels: {} + # Set objectSelector to filter workloads + objectSelector: + matchLabels: {} + webhookServer: + port: 8080 # should not conflict with config server port (8000) + +kanisterPodCustomLabels : "" + +kanisterPodCustomAnnotations : "" + +genericVolumeSnapshot: + resources: + requests: + memory: "" + cpu: "" + limits: + memory: "" + cpu: "" + +resources: {} + +services: + executor: + hostNetwork: false + 
dashboardbff:
+ hostNetwork: false
+ securityContext:
+ runAsUser: 1000
+ fsGroup: 1000
+ aggregatedapis:
+ hostNetwork: false
+
+apigateway:
+ serviceResolver: dns
+
+limiter:
+ genericVolumeSnapshots: 10
+ genericVolumeCopies: 10
+ genericVolumeRestores: 10
+ csiSnapshots: 10
+ providerSnapshots: 10
+
+gateway:
+ insecureDisableSSLVerify: false
+ exposeAdminPort: true
+
+kanister:
+ backupTimeout: 45
+ restoreTimeout: 600
+ deleteTimeout: 45
+ hookTimeout: 20
+ checkRepoTimeout: 20
+ statsTimeout: 20
+ efsPostRestoreTimeout: 45
+ podReadyWaitTimeout: 15
+
+awsConfig:
+ assumeRoleDuration: ""
+ efsBackupVaultName: "k10vault"
+
+grafana:
+ enabled: true
+ prometheusName: prometheus-server
+ prometheusPrefixURL: /k10/prometheus
+ rbac:
+ namespaced: true
+ pspEnabled: false
+
+encryption:
+ primaryKey: # primaryKey is used for enabling encryption of K10 primary key
+ awsCmkKeyId: '' # Ensures AWS CMK is used for encrypting K10 primary key
+ vaultTransitKeyName: ''
+ vaultTransitPath: ''
+
+vmWare:
+ taskTimeoutMin: ""
+
+vault:
+ secretName: ""
+ address: "http://vault:8200"
diff --git a/charts/shipa/shipa/1.7.200/Chart.lock b/charts/shipa/shipa/1.7.200/Chart.lock
new file mode 100644
index 000000000..2ca2fdcd1
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/Chart.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: mongodb-replicaset
+ repository: https://charts.helm.sh/stable
+ version: 3.11.3
+- name: mongodb
+ repository: https://charts.bitnami.com/bitnami
+ version: 11.0.5
+digest: sha256:ef0bdb8d615ae2d8929c6533a4c87361bbefd9be924d5ed6464fc18def59d5a4
+generated: "2022-07-01T00:12:18.207279648Z"
diff --git a/charts/shipa/shipa/1.7.200/Chart.yaml b/charts/shipa/shipa/1.7.200/Chart.yaml
new file mode 100644
index 000000000..ba0fee83f
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/Chart.yaml
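Review bot: `vault.address` defaults to `http://vault:8200` while `encryption.primaryKey.vaultTransitKeyName` / `vaultTransitPath` route K10 primary-key encryption through Vault Transit, so with these defaults the Transit encrypt/decrypt calls — which presumably carry the primary key in the clear — leave the pod over plaintext HTTP. I would document that next to the value, `address: "http://vault:8200"  # Transit requests carry key material; use an https:// endpoint in production`, rather than flip the default and break existing dev setups. Related: the file offers Secret-backed alternatives (`auth.ldap.bindPWSecretName`, `auth.oidcAuth.secretName`, `auth.basicAuth.secretName`) alongside inline `bindPW`, `clientSecret`, `htpasswd` and the whole `secrets:` block, but no comment steers operators toward them; inline values persist in the Helm release Secret and in `helm get values`, so a one-line note recommending the `*SecretName` form is worth adding. `gateway.exposeAdminPort: true` together with `service.gatewayAdminPort: 8877` also appears to enable the gateway's admin/diagnostics endpoint by default; whether a Service exposes it beyond the pod is outside this hunk, so confirm before relying on it being pod-local.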
@@ -0,0 +1,33 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Shipa
+ catalog.cattle.io/namespace: shipa-system
+ catalog.cattle.io/release-name: shipa
+apiVersion: v2
+appVersion: 1.7.2
+dependencies:
+- name: mongodb
+ repository: file://./charts/mongodb
+ tags:
+ - defaultDB
+- name: mongodb-replicaset
+ repository: file://./charts/mongodb-replicaset
+ tags:
+ - legacyMongoReplicaset
+description: A Helm chart for Kubernetes to install the Shipa Control Plane
+home: https://www.shipa.io
+icon: https://www.shipa.io/wp-content/uploads/2020/11/Shipa-banner-768x307.png
+keywords:
+- shipa
+- deployment
+- aac
+kubeVersion: '>= 1.16.0-0'
+maintainers:
+- email: rlachhman@shipa.io
+ name: ravi
+name: shipa
+sources:
+- https://github.com/shipa-corp
+- https://github.com/shipa-corp/helm-chart
+type: application
+version: 1.7.200
diff --git a/charts/shipa/shipa/1.7.200/LICENSE b/charts/shipa/shipa/1.7.200/LICENSE
new file mode 100644
index 000000000..dda518917
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/LICENSE
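Review bot: `dependencies` here declares both MongoDB charts from vendored `file://./charts/...` paths, but the Chart.lock added in the same commit records them from `https://charts.helm.sh/stable` and `https://charts.bitnami.com/bitnami` with a digest computed over that remote list, so `helm dependency build` — which recomputes the digest from Chart.yaml — will likely report the lock as out of sync. The `mongodb-replicaset` 3.11.3 entry also comes from the archived `charts.helm.sh/stable` repository, which no longer receives fixes, so the control plane's datastore can be installed from an unmaintained chart. Regenerate Chart.lock against the `file://` sources, and since the `legacyMongoReplicaset` tag suggests that dependency is opt-in, say so in the chart, e.g. `# legacy: kept only for upgrades from releases that used mongodb-replicaset; new installs use the defaultDB tag`.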
@@ -0,0 +1,25 @@ +Copyright (c) 2020, shipa authors. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright +notice, this list of conditions and the following disclaimer in the +documentation and/or other materials provided with the distribution. + * Neither the name of the Globo.com nor the names of its contributors +may be used to endorse or promote products derived from this software without +specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/charts/shipa/shipa/1.7.200/Parameters.md b/charts/shipa/shipa/1.7.200/Parameters.md new file mode 100644 index 000000000..0f7051c98 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/Parameters.md 
@@ -0,0 +1,248 @@ +# Shipa Helm Chart Parameters + +## Parameters + +### Common parameters + +| Name | Description | Value | +| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | +| `nameOverride` | If provided, overrides the release name, for example, in the app.kubernetes.io/name label | `""` | +| `fullnameOverride` | If provided, overrides the release name, for example, in the naming of resources (pods, deployments, etc.) | `""` | +| `imagePullSecrets` | If provided, these will be configured as imagePullSecrets for pulling images directly included in this chart (the MongoDB(®) sub-chart has its own imagePullSecrets configuration). The array is a list of Kubernetes secrets, likely of type `kubernetes.io/dockerconfigjson`. Example:
imagePullSecrets:
  - name: image-pull-secret
| `[]` | +| `images.shipaRepositoryDirname` | The base directory for Shipa Corp images. For Shipa Corp images this value has repositoryBasename and tag appended to it to determine the location to pull images from. This does not affect non-Shipa Corp images, such as k8s.gcr.io/ingress-nginx/controller, docker.io/postgres, k8s.gcr.io/mongodb-install, docker.io/mongo, and docker.io/busybox | `docker.io/shipasoftware` | +| `rbac.enabled` | If enabled, a Shipa specific ServiceAccount will be used by resources, otherwise `"default"` is used | `true` | + + +### Initial Admin account credentials + +| Name | Description | Value | +| -------------------- | --------------------------------------- | ----- | +| `auth.adminUser` | is the login name for the initial admin | `""` | +| `auth.adminPassword` | is the password for the initial admin | `""` | + + +### Shipa API configuration + +| Name | Description | Value | +| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ | +| `shipaApi.port` | Port to expose for HTTP traffic to the Shipa API pod | `8080` | +| `shipaApi.securePort` | Port to expose for HTTPS traffic to the Shipa API pod | `8081` | +| `shipaApi.servicePorts` | Ports to expose for HTTP traffic to the Shipa API Service | `["80"]` | +| `shipaApi.serviceSecurePorts` | Ports to expose for HTTPS traffic to the Shipa API Service | `["443"]` | +| `shipaApi.repositoryBasename` | The repository name to use for pulling the Shipa API image | `api` | +| `shipaApi.tag` | The tag to use for pulling the Shipa API image | 
`6e4a1bc373b4afffa1e5851813271cf61be6dd9a` | +| `shipaApi.pullPolicy` | Image pull policy to use for pulling the Shipa API image | `Always` | +| `shipaApi.debug` | Enables debug log level for the Shipa API | `false` | +| `shipaApi.resources` | Can be used to put resource limits on the Shipa API pod. Example:
shipaApi:
  resources:
    requests:
      memory: 16Mi
      cpu: 50m
    limits:
      memory: 64Mi
      cpu: 250m
| `{}` | +| `shipaApi.cnames` | If there are any DNS names that will be used they need to be specified here for appropriate ingress and cert provisioning. Example:
shipaApi:
  cnames:
    - target.myshipa.lan
    - other-target.myshipa.lan
| `[]` | +| `shipaApi.allowRestartIngressControllers` | If set to false, disables the ability for a cluster update to restart the ingress controllers | `true` | +| `shipaApi.isCAEndpointDisabled` | If set to true, the ca/certificates endpoint of the Shipa API will be disabled, which disallows the Shipa CLI from trusting invalid TLS certificates when connecting to this Shipa API | `false` | +| `shipaApi.secureIngressOnly` | If set to true, all HTTP traffic to the Shipa API ingress will be redirected to HTTPS | `false` | +| `shipaApi.useInternalHost` | If true (recommended), the main shipa cluster will communicate with the Shipa API using the internal Kubernetes host name, rather than an external CNAME | `true` | +| `shipaApi.customSecretName` | If provided, this secret will be used as the TLS secret for the API ingress controller. Use this if you have a trusted certificate that you wish to use instead of the default, self-signed certificate | `""` | +| `shipaApi.customIngressAnnotations` | If provided, these annotations will be added to the Shipa API Ingress resources. Example:
shipaApi
  customIngressAnnotations:
    custom-keys/first-key: "bbb"
    custom-keys/second-key: "ddd"
| `{}` | + + +### Shipa cluster access configuration + +| Name | Description | Value | +| ------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------- | +| `shipaCluster.clusterDomain` | The domain that your cluster uses internally, through coredns, kube-dns, etc. | `cluster.local` | +| `shipaCluster.ingress.type` | ingress controller type. Supported values: (nginx, istio, traefik) | `nginx` | +| `shipaCluster.ingress.image` | NGINX ingress controller image. If the ingress controller type is nginx and no ingress controller ip address is provided, an ingress controller will be deployed using this image | `k8s.gcr.io/ingress-nginx/controller:v1.1.0` | +| `shipaCluster.ingress.serviceType` | ingress controller serviceType. When using shipa managed nginx, we reconcile looking for the right Host of LoadBalancer or ClusterIP based on what is provided here. When using non user managed ingress controller we use this just to store it in DB | `LoadBalancer` | +| `shipaCluster.ingress.ip` | Ingress controller ip address. If provided, we assume user provided ingress controller should be used and create api resources for it | `""` | +| `shipaCluster.ingress.className` | Ingress controller class name. If undefined, in most places we set default: nginx, traefik, istio. If we detect that it's shipa managed nginx, we default to shipa-nginx-ingress | `""` | +| `shipaCluster.ingress.apiAccessOnIngressIp` | If enabled, we will create ingress controller resources to allow api to be accessible on root ip of ingress controller.
NOTE: all ingresses require Host targeting instead of Path targeting for TLS. Also if you use nginxinc/kubernetes-ingress, using Ingress without host is not allowed until this is resolved: https://github.com/nginxinc/kubernetes-ingress/issues/209 | `true` | + + +### Shipa managed Nginx configs + +| Name | Description | Value | +| ---------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | +| `shipaCluster.ingress.clusterIp` | Ingress controller ClusterIp address. If provided, it will be used for shipa managed nginx ingress controller | `""` | +| `shipaCluster.ingress.loadBalancerIp` | Ingress controller LoadBalancerIp address. If provided, it will be used for shipa managed nginx ingress controller | `""` | +| `shipaCluster.ingress.nodePort` | If provided, it will be used as node port for shipa managed nginx ingress controller | `""` | +| `shipaCluster.ingress.customNginxServiceAnnotations` | If provided, these annotations will be appended to the Shipa managed Nginx ingress controller Service resource. Example for configuring internet facing NLB in AWS:
| `{}` | +| `shipaCluster.ingress.config` | Configuration overrides for the Shipa managed Nginx ingress controller. Example (these are the defaults if you leave this empty):
shipaCluster:
  ingress:
    config:
      proxy-body-size: "512M"
      proxy-read-timeout: "300"
      proxy-connect-timeout: "300"
      proxy-send-timeout: "300"
      upstream-keepalive-timeout: "300"
| `{}` | + + +### PostgreSQL configuration for use by Clair + +| Name | Description | Value | +| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| `postgres.source.host` | Host to connect to for Clair database. Leave blank to default to {{ template "shipa.fullname" . }}-postgres.{{ .Release.Namespace }} | `""` | +| `postgres.source.port` | Port to connect to for Clair database | `5432` | +| `postgres.source.user` | User to connect to for Clair database | `postgres` | +| `postgres.source.password` | Password to connect to for Clair database. Leave blank to generate a random value | `""` | +| `postgres.source.sslmode` | The SSL mode to run PostgreSQL in. Options: "require", "verify-full", "verify-ca", or "disable | `disable` | +| `postgres.create` | Set to false to avoid creating a PostgreSQL instance, for example, if you are using an external PostgreSQL instance | `true` | +| `postgres.image` | If postgres.create is set to true, this is the image that will be used | `docker.io/postgres:13` | +| `postgres.persistence.storageClass` | The storageClassName to use. Undefined or null will use the default provisioner, or "-" will to set storageClassName to "", disabling dynamic provisioning | `""` | +| `postgres.persistence.accessMode` | The PVC access mode to use. 
Options: ReadWriteOnce, ReadOnlyMany or ReadWriteMany | `ReadWriteOnce` | +| `postgres.persistence.size` | The amount of storage to provision for the Clair database | `10Gi` | + + +### cert-manager configuration + +| Name | Description | Value | +| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- | +| `certManager.installUrl` | When Shipa is installed, if cert-manager is not yet installed (existence of cert-manager ClusterIssuer CRD) it will be installed via the resources at the provided URL | `https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml` | + + +### Shipa Dashboard configuration + +| Name | Description | Value | +| ------------------------------ | ---------------------------------------------------------- | ------------------------------------------ | +| `dashboard.enabled` | If set to false, the Shipa Dashboard will not be deployed | `true` | +| `dashboard.repositoryBasename` | The repository name to use for pulling the dashboard image | `dashboard` | +| `dashboard.tag` | The tag to use for pulling the dashboard image | `c18b7d0031047c48d8c3b4666d489a498ca58653` | + + +### Shipa CLI configuration + +| Name | Description | Value | +| ------------------------ | ---------------------------------------------------------- | ------------------------------------------ | +| `cli.repositoryBasename` | The repository name to use for pulling the Shipa CLI image | `cli` | +| `cli.tag` | The tag to use for pulling the Shipa CLI image | `eb516ebb0bb625748cd6baaa5312e8330469ae34` | +| `cli.pullPolicy` | Image pull policy to use for pulling the Shipa CLI image | `Always` | + + +### Metrics configuration + +| Name | Description | Value | +| -------------------------------------- | 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- | +| `metrics.repositoryBasename` | The repository name to use for pulling the metrics image | `metrics` | +| `metrics.tag` | The tag to use for pulling the metrics image | `v0.0.7` | +| `metrics.pullPolicy` | Image pull policy to use for pulling the metrics image | `Always` | +| `metrics.password` | Password to setup for connecting to the Shipa metrics. If left blank, a random value will be generated and used | `""` | +| `metrics.prometheusArgs` | Arguments to pass to Prometheus on starting the Shipa metrics | `--storage.tsdb.retention.time=1d` | +| `metrics.extraPrometheusConfiguration` | Extra configuration to add to `prometheus.yaml`. Example for configuring remote reads and writes:
metrics:
  extraPrometheusConfiguration: \|
    remote_read:
      - url: http://localhost:9268/read
    remote_write:
      - url: http://localhost:9268/write
| `""` | + + +### busybody configuration + +| Name | Description | Value | +| ----------------------------- | --------------------------------------------------------- | ------------------------------------------ | +| `busybody.repositoryBasename` | The repository name to use for pulling the busybody image | `bb` | +| `busybody.tag` | The tag to use for pulling the busybody image | `ead64d61a7dab4dca50bd90e18b908e6f44bb9f9` | + + +### Shipa controller configuration + +| Name | Description | Value | +| ---------------------------------------------- | --------------------------------------------------------------------- | ------------------------------------------ | +| `shipaController.repositoryBasename` | The repository name to use for pulling the Shipa controller image | `shipa-controller` | +| `shipaController.tag` | The tag to use for pulling the Shipa controller image | `5e7f221a1adce3bd40b5c352418d9da8de94ada2` | +| `shipaController.enableEventUpdater` | Shipa creates and shows more shipa events for discovered applications | `true` | +| `shipaController.enableNetworkPolicyViolation` | Enables network policy violations | `true` | + + +### prometheus-metrics-exporter configuration + +| Name | Description | Value | +| ---------------------------------------------- | -------------------------------------------------------------------- | ------------------------------------------ | +| `prometheusMetricsExporter.repositoryBasename` | The repository name to use for pulling the Prometheus exporter image | `prometheus-metrics-exporter` | +| `prometheusMetricsExporter.tag` | The tag to use for pulling the Prometheus exporter image | `b123eb79bdbe56f83812b5ad3cfb8bbb568b2e3d` | + + +### Clair configuration + +| Name | Description | Value | +| -------------------------- | ------------------------------------------------------ | -------- | +| `clair.repositoryBasename` | The repository name to use for pulling the Clair image | `clair` | +| `clair.tag` | The tag to use for 
pulling the Clair image | `v2.1.7` | + + +### Ketch controller configuration + +| Name | Description | Value | +| -------------------------- | ------------------------------------------------------------------------------- | ------------------------------------------ | +| `ketch.repositoryBasename` | The repository name to use for pulling the Ketch controller image | `ketch` | +| `ketch.tag` | The tag to use for pulling the Ketch controller image | `4105c20ee2ca27c2ce4811764901565aa5035393` | +| `ketch.metricsAddress` | Address of where metrics will be sent. Leave empty to disable metrics for Ketch | `127.0.0.1:8080` | + + +### Shipa agent configuration + +| Name | Description | Value | +| -------------------------- | ------------------------------------------------------------ | ------------------------------------------ | +| `agent.repositoryBasename` | The repository name to use for pulling the Shipa agent image | `shipa-cluster-agent` | +| `agent.tag` | The tag to use for pulling the Shipa agent image | `d130d858d71522bbbffbfaaba6097dceaba4c0d8` | + + +### External MongoDB(®) configuration + +| Name | Description | Value | +| ------------------------------- | -------------------------------------------------------------------- | ------ | +| `externalMongodb.url` | Connection URL for external MongoDB instance. | `""` | +| `externalMongodb.auth.username` | Username for authenticating to an external MongoDB instance | `""` | +| `externalMongodb.auth.password` | Password for authenticating to an external MongoDB instance | `""` | +| `externalMongodb.tls.enable` | Set to false to disable TLS when connecting to external DB instance. 
| `true` | + + +### Dependent chart tags + +| Name | Description | Value | +| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- | +| `tags.defaultDB` | Set defaultDB (and legacyMongoReplicaset) to `false` when using external DB to not install default DB. It will also prevent creating Persistent Volumes. This cannot be used with tags.legacyMongoReplicaset | `true` | +| `tags.legacyMongoReplicaset` | (Deprecated) Set legacyMongoReplicaset to 'true' in order to use the deprecated https://charts.helm.sh/stable/mongodb-replicaset chart as an internal MongoDB. This cannot be used with tags.defaultDB | `false` | + + +### MongoDB(®) dependent chart parameters + +| Name | Description | Value | +| -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | +| `mongodb.global.imageRegistry` | Global Docker image registry for MongoDB(®) dependent chart | `""` | +| `mongodb.global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `mongodb.image.registry` | MongoDB(®) image registry for MongoDB(®) dependent chart | `docker.io` | +| `mongodb.image.repository` | MongoDB(®) image registry for MongoDB(®) dependent chart | `bitnami/mongodb` | +| `mongodb.image.tag` | MongoDB(®) image tag (immutable tags are recommended) for MongoDB(®) dependent chart | `5.0.6-debian-10-r29` | +| `mongodb.image.pullPolicy` | MongoDB(®) image pull policy for MongoDB(®) dependent chart | `IfNotPresent` | +| `mongodb.image.pullSecrets` | Specify docker-registry secret names as an array for MongoDB(®) dependent chart | `[]` | +| `mongodb.persistence.existingClaim` | Provide an existing 
`PersistentVolumeClaim` (only when `architecture=standalone`) for MongoDB(®) dependent chart | `""` | +| `mongodb.persistence.size` | PVC Storage Request for MongoDB(®) data volume for MongoDB(®) dependent chart | `10Gi` | +| `mongodb.architecture` | MongoDB(®) architecture (`standalone` or `replicaset`) for MongoDB(®) dependent chart | `standalone` | +| `mongodb.useStatefulSet` | Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) for MongoDB(®) dependent chart | `true` | +| `mongodb.replicaSetName` | Name of the replica set (only when `architecture=replicaset`) for MongoDB(®) dependent chart | `rs0` | +| `mongodb.service.port` | MongoDB(®) service port for MongoDB(®) dependent chart | `27017` | +| `mongodb.nodeSelector` | MongoDB(®) Node labels for pod assignment for MongoDB(®) dependent chart | `{}` | +| `mongodb.arbiter.podSecurityContext.enabled` | Enable Arbiter pod(s)' Security Context for MongoDB(®) dependent chart | `true` | +| `mongodb.arbiter.podSecurityContext.fsGroup` | Group ID for the volumes of the Arbiter pod(s) for MongoDB(®) dependent chart | `999` | +| `mongodb.arbiter.containerSecurityContext.enabled` | Enable Arbiter container(s)' Security Context for MongoDB(®) dependent chart | `true` | +| `mongodb.arbiter.containerSecurityContext.runAsUser` | User ID for the Arbiter container for MongoDB(®) dependent chart | `999` | +| `mongodb.arbiter.nodeSelector` | Arbiter Node labels for pod assignment for MongoDB(®) dependent chart | `{}` | +| `mongodb.auth.enabled` | Enable authentication for MongoDB(®) dependent chart | `false` | +| `mongodb.tls.enabled` | Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes for MongoDB(®) dependent chart | `false` | +| `mongodb.tls.image.registry` | Init container TLS certs setup image registry for MongoDB(®) dependent chart | `docker.io` | +| `mongodb.tls.image.repository` | Init container TLS certs setup image repository 
for MongoDB(®) dependent chart | `bitnami/nginx` | +| `mongodb.tls.image.tag` | Init container TLS certs setup image tag (immutable tags are recommended) for MongoDB(®) dependent chart | `1.21.6-debian-10-r30` | +| `mongodb.tls.image.pullPolicy` | Init container TLS certs setup image pull policy for MongoDB(®) dependent chart | `IfNotPresent` | +| `mongodb.tls.image.pullSecrets` | Init container TLS certs specify docker-registry secret names as an array for MongoDB(®) dependent chart | `[]` | +| `mongodb.externalAccess.enabled` | Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture) for MongoDB(®) dependent chart | `false` | +| `mongodb.externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs by querying the K8s API for MongoDB(®) dependent chart | `false` | +| `mongodb.externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry for MongoDB(®) dependent chart | `docker.io` | +| `mongodb.externalAccess.autoDiscovery.image.repository` | Init container auto-discovery image repository for MongoDB(®) dependent chart | `bitnami/kubectl` | +| `mongodb.externalAccess.autoDiscovery.image.tag` | Init container auto-discovery image tag (immutable tags are recommended) for MongoDB(®) dependent chart | `1.23.4-debian-10-r7` | +| `mongodb.externalAccess.autoDiscovery.image.pullPolicy` | Init container auto-discovery image pull policy for MongoDB(®) dependent chart | `IfNotPresent` | +| `mongodb.externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets for MongoDB(®) dependent chart | `[]` | +| `mongodb.volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` for MongoDB(®) dependent chart | `false` | +| `mongodb.volumePermissions.image.registry` | Init container volume-permissions image registry for MongoDB(®) dependent chart | 
`docker.io` | +| `mongodb.volumePermissions.image.repository` | Init container volume-permissions image repository for MongoDB(®) dependent chart | `bitnami/bitnami-shell` | +| `mongodb.volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) for MongoDB(®) dependent chart | `10-debian-10-r350` | +| `mongodb.volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy for MongoDB(®) dependent chart | `IfNotPresent` | +| `mongodb.volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array for MongoDB(®) dependent chart | `[]` | +| `mongodb.metrics.enabled` | Enable using a sidecar Prometheus exporter for MongoDB(®) dependent chart | `false` | +| `mongodb.metrics.image.registry` | MongoDB(®) Prometheus exporter image registry for MongoDB(®) dependent chart | `docker.io` | +| `mongodb.metrics.image.repository` | MongoDB(®) Prometheus exporter image repository for MongoDB(®) dependent chart | `bitnami/mongodb-exporter` | +| `mongodb.metrics.image.tag` | MongoDB(®) Prometheus exporter image tag (immutable tags are recommended) for MongoDB(®) dependent chart | `0.30.0-debian-10-r83` | +| `mongodb.metrics.image.pullPolicy` | MongoDB(®) Prometheus exporter image pull policy for MongoDB(®) dependent chart | `IfNotPresent` | +| `mongodb.metrics.image.pullSecrets` | Specify docker-registry secret names as an array for MongoDB(®) dependent chart | `[]` | +| `mongodb.extraFlags` | MongoDB(®) additional command line flags for MongoDB(®) dependent chart | `--dbpath=/bitnami/mongodb` | +| `mongodb.containerSecurityContext.enabled` | Enable MongoDB(®) container(s)' Security Context for MongoDB(®) dependent chart | `true` | +| `mongodb.containerSecurityContext.runAsUser` | User ID for the MongoDB(®) container for MongoDB(®) dependent chart | `999` | +| `mongodb.containerSecurityContext.runAsNonRoot` | Set MongoDB(®) container's Security Context runAsNonRoot for MongoDB(®) 
dependent chart | `true` | +| `mongodb.podSecurityContext.enabled` | Enable MongoDB(®) pod(s)' Security Context for MongoDB(®) dependent chart | `true` | +| `mongodb.podSecurityContext.fsGroup` | Group ID for the volumes of the MongoDB(®) pod(s) for MongoDB(®) dependent chart | `999` | + + diff --git a/charts/shipa/shipa/1.7.200/README.md b/charts/shipa/shipa/1.7.200/README.md new file mode 100644 index 000000000..973ece10f --- /dev/null +++ b/charts/shipa/shipa/1.7.200/README.md 
@@ -0,0 +1,136 @@
+
+**Note:** The master branch is the main development branch. Please use releases instead of the master branch in order to get stable versions.
+
+# Documentation
+
+Documentation for Shipa can be found at
+
+# Installation Requirements
+
+1. Kubernetes 1.18 - 1.22. Check out the actual [documentation](https://learn.shipa.io/docs/installation-requirements#kubernetes-clusters)
+2. Helm v3
+
+# Defaults
+
+We create LoadBalancer service to expose Shipa to the internet:
+
+1. 8080 -> shipa api over http
+1. 8081 -> shipa api over https
+
+By default we use dynamic public IP set by a cloud-provider but there is a parameter to use static ip (if you have it):
+
+```bash
+--set shipaCluster.ingress.ip=35.192.15.168
+```
+
+# Installation
+
+Users can install Shipa on any existing Kubernetes cluster, and Shipa leverages Helm charts for the install.
+
+> ⚠️ NOTE: Installing or upgrading Shipa may require downtime in order to perform database migrations.
+
+Below are the steps required to have Shipa installed in your existing Kubernetes cluster:
+
+Create a namespace where the Shipa services should be installed
+
+```bash
+NAMESPACE=shipa-system
+kubectl create namespace $NAMESPACE
+```
+
+Create the values.override.yaml with the Admin user and password that will be used for Shipa
+
+```bash
+cat > values.override.yaml << EOF
+auth:
+ adminUser:
+ adminPassword:
+EOF
+```
+
+Add Shipa helm repo
+
+```bash
+helm repo add shipa-charts https://shipa-charts.storage.googleapis.com
+```
+
+Install Shipa
+
+```bash
+helm install shipa shipa-charts/shipa -n $NAMESPACE --create-namespace --timeout=15m -f values.override.yaml
+```
+
+## Upgrading Shipa Helm chart from 1.6.3 or prior to 1.6.4 or later
+
+In order to handle migrating the MongoDB database off of the deprecated `stable/mongodb-replicaset` chart, there are extra steps to take in order to upgrade. See the [Upgrading MongoDB notes](./UpgradingMongoDB.md) or look at .
+
+## Upgrading shipa helm chart
+
+```bash
+helm upgrade shipa . --timeout=15m --namespace=$NAMESPACE -f values.override.yaml
+```
+
+## Upgrading shipa helm chart if you have Pro license
+
+We have two general ways how to execute helm upgrade if you have Pro license:
+
+* Pass a license file to helm upgrade
+
+```bash
+helm upgrade shipa . --timeout=15m --namespace=$NAMESPACE -f values.override.yaml -f license.yaml
+```
+
+* Merge license key from a license file to values.override.yaml and execute helm upgrade as usual
+
+```bash
+cat license.yaml | grep "license:" >> values.override.yaml
+```
+
+# CI/CD
+
+Packaging and signing helm charts is automated using Github Actions
+
+Charts are uploaded to multiple buckets based on condition:
+
+1. `shipa-charts-dev`, `push` to `master`, `push` to PR opened against `master`
+2. `shipa-charts-cloud`, `tag` containing `cloud`
+3. `shipa-charts`, `tag` not containing `cloud`
+
+Chart name is composed of:
+`{last_tag}-{commit_hash}`
+
+For on-prem releases, if tag is not pre-release, meaning it has semantic versioning without RC suffix (ex. 1.3.0, not 1.3.0-rc1), chart name is only `{last_tag}`, as otherwise it is seen by helm chart as development version
+
+# Usage
+
+```bash
+# only first time
+helm repo add shipa-dev https://shipa-charts-dev.storage.googleapis.com
+helm repo add shipa-cloud https://shipa-charts-cloud.storage.googleapis.com
+helm repo add shipa-onprem https://shipa-charts.storage.googleapis.com
+
+# refresh available charts
+helm repo update
+
+# check available versions
+helm search repo shipa --versions
+
+# check available versions with development versions
+helm search repo shipa --versions --devel
+
+# check per repo
+helm search repo shipa-dev --versions --devel
+helm search repo shipa-cloud --versions --devel
+helm search repo shipa-onprem --versions --devel
+
+# helm install
+helm install shipa shipa-dev/shipa --version 1.x.x -n shipa-system --create-namespace --timeout=15m -f values.override.yaml
+```
+
+# Shipa client
+
+If you are looking to operate Shipa from your local machine, we have binaries of shipa client:
+
+# Collaboration/Contributing
+
+We welcome all feedback or pull requests. If you have any questions feel free to reach us at info@shipa.io
diff --git a/charts/shipa/shipa/1.7.200/UpgradingMongoDB.md b/charts/shipa/shipa/1.7.200/UpgradingMongoDB.md
new file mode 100644
index 000000000..4a3c890ff
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/UpgradingMongoDB.md
@@ -0,0 +1,71 @@
+# Upgrade Notes for Upgrading MongoDB Chart
+
+Notes on upgrading Shipa can also be found at .
+
+By default, Shipa installs a MongoDB instance within the cluster for demonstration purposes. Ideally, an externally managed MongoDB should be used, but for those who are just trying out Shipa, this is a quick way to get up and running. Older versions of the Shipa Helm Chart installed MongoDB using the stable/mongodb-replicaset dependent chart, however this chart has been deprecated and now the officially recommended chart to use is the one maintained by Bitnami. By default, Shipa will now install MongoDB based on the Bitnami chart, but in an upgrade scenario there may be configuration required in order to proceed.
+
+## Fresh install
+
+For a fresh install, using the default values provided in this chart, a MongoDB instance will be created using the Bitnami mongodb chart.
+
+## Upgrading when previously running MongoDB from stable/mongodb-replicaset chart
+
+If Shipa was initially installed using Shipa chart version 1.6.3 or prior, there are a few options.
+
+### Auto-upgrading MongoDB
+
+The Shipa chart can attempt to automatically upgrade the MongoDB chart if the number of replicas for the MongoDB statefulset is 1 and the name of the persistent volume claim is provided to Shipa.
+
+### Manual upgrade
+
+To manually upgrade
+
+```bash
+export MONGO_NAMESPACE="$(kubectl get po -A -l app=mongodb-replicaset -o jsonpath='{.items[0].metadata.namespace}')"
+export MONGO_POD="$(kubectl get po -A -l app=mongodb-replicaset -o jsonpath='{.items[0].metadata.name}')"
+export MONGO_PVC="$(kubectl get pvc -n ${MONGO_NAMESPACE} -l app=mongodb-replicaset -o jsonpath='{.items[0].metadata.name}')"
+export SHIPA_DEPLOYMENT="$(kubectl get deployments.apps -n ${MONGO_NAMESPACE} -l app.kubernetes.io/instance=shipa -o name | grep -e '.*-api$')"
+export SHIPA_RELEASE="$(kubectl get deployments.apps -n ${MONGO_NAMESPACE} -l app.kubernetes.io/instance=shipa -o jsonpath='{.items[0].metadata.annotations.meta\.helm\.sh\/release-name}')"
+
+if [[ -z "${MONGO_NAMESPACE}" || -z "${MONGO_POD}" || -z "${MONGO_PVC}" || -z "${SHIPA_DEPLOYMENT}" || -z "${SHIPA_RELEASE}" ]]; then
+ echo "[ERROR] Could not pull required cluster information."
+ exit 1
+fi
+
+# Stop Shipa API
+kubectl scale ${SHIPA_DEPLOYMENT} --replicas=0 -n ${SHIPA_SYSTEM_NAMESPACE}
+sleep 15
+
+# Export data
+kubectl exec -it -n ${MONGO_NAMESPACE} ${MONGO_POD} -c mongodb-replicaset -- mongodump -d shipa --gzip --archive=/tmp/mongobackup.gzip
+kubectl cp -n ${MONGO_NAMESPACE} ${MONGO_POD}:/tmp/mongobackup.gzip /tmp/mongobackup.gzip -c mongodb-replicaset
+if [[ ! -s /tmp/mongobackup.gzip ]]; then
+ echo "[ERROR] Backup is missing or empty. Expected locally at /tmp/mongobackup.gzip"
+ exit 1
+fi
+if ! gunzip --test /tmp/mongobackup.gzip; then
+ echo "[ERROR] Backup appears to be corrupt."
+ exit 1
+fi
+
+# Delete mongo components
+kubectl delete svc -n ${MONGO_NAMESPACE} -l app=mongodb-replicaset
+kubectl delete statefulsets.apps -n ${MONGO_NAMESPACE} -l app=mongodb-replicaset
+kubectl delete configmaps -n ${MONGO_NAMESPACE} -l app=mongodb-replicaset
+kubectl delete persistentvolumeclaims -n ${MONGO_NAMESPACE} -l app=mongodb-replicaset
+sleep 15
+
+# Helm upgrade (provide all your override values here)
+helm upgrade ${SHIPA_RELEASE} -n ${MONGO_NAMESPACE} --timeout=15m ...
+
+# Wait for MongoDB to be ready
+kubectl wait --for=condition=ready --timeout=5m po -l app.kubernetes.io/name=mongodb -n ${MONGO_NAMESPACE}
+
+# Import data
+export MONGO_POD="$( kubectl get po -n ${MONGO_NAMESPACE} -l app.kubernetes.io/name=mongodb -o jsonpath='{.items[0].metadata.name}')"
+kubectl cp -n ${MONGO_NAMESPACE} /tmp/mongobackup.gzip ${MONGO_POD}:/tmp/mongobackup.gzip -c mongodb
+kubectl exec -it -n ${SHIPA_SYSTEM_NAMESPACE} ${MONGO_POD} -c mongodb -- mongorestore -d shipa --gzip --archive=/tmp/mongobackup.gzip
+
+# Restart the Shipa API
+kubectl scale ${SHIPA_DEPLOYMENT} --replicas=1 -n ${MONGO_NAMESPACE}
+```
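Review bot: The manual-upgrade script references `${SHIPA_SYSTEM_NAMESPACE}` on the `kubectl scale ... --replicas=0` line and on the `mongorestore` exec line, but that variable is never assigned; every other command uses `${MONGO_NAMESPACE}`. Because the expansion is empty and unquoted, `-n ${SHIPA_SYSTEM_NAMESPACE} ${MONGO_POD}` makes kubectl read the pod name as the namespace, so the API is not actually stopped before the dump and the restore is sent to the wrong namespace. Both lines should read `-n ${MONGO_NAMESPACE}`. Since the script deletes the old PVC before the restore, the local `/tmp/mongobackup.gzip` is the only copy of the Shipa database in that window; a comment such as `# /tmp/mongobackup.gzip is the only copy of the DB (incl. credentials) until restore completes - keep it safe, delete it afterwards` would make that explicit to operators.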
@@ -0,0 +1,39 @@ +# Shipa + +[Shipa](http://www.shipa.io/) is an Application-as-Code [AaC] provider that is designed for having a cleaner developer experience and allowing for guardrails to be easily created. The "platform engineering dilemma" is how do you allow for innovation yet have control. Shipa is application focused so allowing developers who are not experienced in Kubernetes run through several critical tasks such as deploying, managing, and iterating on their applications without detailed Kubernetes knowledge. From the operator or admin standpoint, easily enforcing rules/convention without building multiple abstraction layers. + +## Install Shipa - Helm Chart + +The [Installation Requirements](https://learn.shipa.io/docs/installation-requirements) specify up to date cluster and ingress requirements. Installing the chart is pretty straight forward. + +Intially will need to set an intial Admin User and Admin Password/Secret to first access Shipa. + +``` +helm repo add shipa-charts https://shipa-charts.storage.googleapis.com + +helm repo update + +helm upgrade --install shipa shipa-charts/shipa \ + +--set auth.adminUser=admin@acme.com --set auth.adminPassword=admin1234 \ + +--namespace shipa-system --create-namespace --timeout=1000s --wait +``` + +## Install Shipa - ClusterIP +Shipa by default will install Traefik as the loadbalencer. +Though if this creates a conflict or there is a cluster limitation, you can also leverage ClusterIP for routing which is the +second set of optional prompts in the Rancher UI. 
+[Installing Shipa with ClusterIP on K3](https://shipa.io/2021/10/k3d-and-shipa-deploymnet/) + +``` +helm install shipa shipa-charts/shipa -n shipa-system --create-namespace \ +--timeout=15m \ +--set=metrics.image=gcr.io/shipa-1000/metrics:30m \ +--set=auth.adminUser=admin@acme.com \ +--set=auth.adminPassword=admin1234 \ +--set=shipaCluster.serviceType=ClusterIP \ +--set=shipaCluster.ip=10.43.10.20 \ +--set=service.nginx.serviceType=ClusterIP \ +--set=service.nginx.clusterIP=10.43.10.10 +``` \ No newline at end of file diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/.helmignore b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/.helmignore new file mode 100644 index 000000000..28b828e89 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +install diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/Chart.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/Chart.yaml new file mode 100644 index 000000000..9620d643f --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/Chart.yaml 
@@ -0,0 +1,16 @@
+apiVersion: v1
+appVersion: "3.6"
+description: NoSQL document-oriented database that stores JSON-like documents with
+ dynamic schemas, simplifying the integration of data in content-driven applications.
+home: https://github.com/mongodb/mongo
+icon: https://webassets.mongodb.com/_com_assets/cms/mongodb-logo-rgb-j6w271g1xn.jpg
+maintainers:
+- email: unguiculus@gmail.com
+ name: unguiculus
+- email: ssheehy@firescope.com
+ name: steven-sheehy
+name: mongodb-replicaset
+sources:
+- https://github.com/mongodb/mongo
+- https://github.com/percona/mongodb_exporter
+version: 3.11.3
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/OWNERS b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/OWNERS
new file mode 100644
index 000000000..1e6a85097
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/OWNERS
@@ -0,0 +1,6 @@
+approvers:
+ - unguiculus
+ - steven-sheehy
+reviewers:
+ - unguiculus
+ - steven-sheehy
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/README.md b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/README.md
new file mode 100644
index 000000000..c9729c059
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/README.md
@@ -0,0 +1,434 @@ +# MongoDB Helm Chart + +## Prerequisites Details + +* Kubernetes 1.9+ +* Kubernetes beta APIs enabled only if `podDisruptionBudget` is enabled +* PV support on the underlying infrastructure + +## StatefulSet Details + +* https://kubernetes.io/docs/concepts/abstractions/controllers/statefulsets/ + +## StatefulSet Caveats + +* https://kubernetes.io/docs/concepts/abstractions/controllers/statefulsets/#limitations + +## Chart Details + +This chart implements a dynamically scalable [MongoDB replica set](https://docs.mongodb.com/manual/tutorial/deploy-replica-set/) +using Kubernetes StatefulSets and Init Containers. + +## Installing the Chart + +To install the chart with the release name `my-release`: + +``` console +helm repo add stable https://kubernetes-charts.storage.googleapis.com/ +helm install --name my-release stable/mongodb-replicaset +``` + +## Configuration + +The following table lists the configurable parameters of the mongodb chart and their default values. + +| Parameter | Description | Default | +| ----------------------------------- | ------------------------------------------------------------------------- | --------------------------------------------------- | +| `replicas` | Number of replicas in the replica set | `3` | +| `replicaSetName` | The name of the replica set | `rs0` | +| `skipInitialization` | If `true` skip replica set initialization during bootstrapping | `false` +| `podDisruptionBudget` | Pod disruption budget | `{}` | +| `port` | MongoDB port | `27017` | +| `imagePullSecrets` | Image pull secrets | `[]` | +| `installImage.repository` | Image name for the install container | `unguiculus/mongodb-install` | +| `installImage.tag` | Image tag for the install container | `0.7` | +| `installImage.pullPolicy` | Image pull policy for the init container that establishes the replica set | `IfNotPresent` | +| `copyConfigImage.repository` | Image name for the copy config init container | `busybox` | +| `copyConfigImage.tag` | Image 
tag for the copy config init container | `1.29.3` | +| `copyConfigImage.pullPolicy` | Image pull policy for the copy config init container | `IfNotPresent` | +| `image.repository` | MongoDB image name | `mongo` | +| `image.tag` | MongoDB image tag | `3.6` | +| `image.pullPolicy` | MongoDB image pull policy | `IfNotPresent` | +| `podAnnotations` | Annotations to be added to MongoDB pods | `{}` | +| `securityContext.enabled` | Enable security context | `true` | +| `securityContext.fsGroup` | Group ID for the container | `999` | +| `securityContext.runAsUser` | User ID for the container | `999` | +| `securityContext.runAsNonRoot` | | `true` | +| `resources` | Pod resource requests and limits | `{}` | +| `persistentVolume.enabled` | If `true`, persistent volume claims are created | `true` | +| `persistentVolume.storageClass` | Persistent volume storage class | `` | +| `persistentVolume.accessModes` | Persistent volume access modes | `[ReadWriteOnce]` | +| `persistentVolume.size` | Persistent volume size | `10Gi` | +| `persistentVolume.annotations` | Persistent volume annotations | `{}` | +| `terminationGracePeriodSeconds` | Duration in seconds the pod needs to terminate gracefully | `30` | +| `tls.enabled` | Enable MongoDB TLS support including authentication | `false` | +| `tls.mode` | Set the SSL operation mode (disabled, allowSSL, preferSSL, requireSSL) | `requireSSL` | +| `tls.cacert` | The CA certificate used for the members | Our self signed CA certificate | +| `tls.cakey` | The CA key used for the members | Our key for the self signed CA certificate | +| `init.resources` | Pod resource requests and limits (for init containers) | `{}` | +| `init.timeout` | The amount of time in seconds to wait for bootstrap to finish | `900` | +| `metrics.enabled` | Enable Prometheus compatible metrics for pods and replicasets | `false` | +| `metrics.image.repository` | Image name for metrics exporter | `bitnami/mongodb-exporter` | +| `metrics.image.tag` | Image tag for metrics 
exporter | `0.9.0-debian-9-r2` | +| `metrics.image.pullPolicy` | Image pull policy for metrics exporter | `IfNotPresent` | +| `metrics.port` | Port for metrics exporter | `9216` | +| `metrics.path` | URL Path to expose metics | `/metrics` | +| `metrics.resources` | Metrics pod resource requests and limits | `{}` | +| `metrics.securityContext.enabled` | Enable security context | `true` | +| `metrics.securityContext.fsGroup` | Group ID for the metrics container | `1001` | +| `metrics.securityContext.runAsUser` | User ID for the metrics container | `1001` | +| `metrics.socketTimeout` | Time to wait for a non-responding socket | `3s` | +| `metrics.syncTimeout` | Time an operation with this session will wait before returning an error | `1m` | +| `metrics.prometheusServiceDiscovery`| Adds annotations for Prometheus ServiceDiscovery | `true` | +| `auth.enabled` | If `true`, keyfile access control is enabled | `false` | +| `auth.key` | Key for internal authentication | `` | +| `auth.existingKeySecret` | If set, an existing secret with this name for the key is used | `` | +| `auth.adminUser` | MongoDB admin user | `` | +| `auth.adminPassword` | MongoDB admin password | `` | +| `auth.metricsUser` | MongoDB clusterMonitor user | `` | +| `auth.metricsPassword` | MongoDB clusterMonitor password | `` | +| `auth.existingMetricsSecret` | If set, and existing secret with this name is used for the metrics user | `` | +| `auth.existingAdminSecret` | If set, and existing secret with this name is used for the admin user | `` | +| `serviceAnnotations` | Annotations to be added to the service | `{}` | +| `configmap` | Content of the MongoDB config file | `` | +| `initMongodStandalone` | If set, initContainer executes script in standalone mode | `` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `affinity` | Node/pod affinities | `{}` | +| `tolerations` | List of node taints to tolerate | `[]` | +| `priorityClassName` | Pod priority class name | `` | +| 
`livenessProbe.failureThreshold` | Liveness probe failure threshold | `3` | +| `livenessProbe.initialDelaySeconds` | Liveness probe initial delay seconds | `30` | +| `livenessProbe.periodSeconds` | Liveness probe period seconds | `10` | +| `livenessProbe.successThreshold` | Liveness probe success threshold | `1` | +| `livenessProbe.timeoutSeconds` | Liveness probe timeout seconds | `5` | +| `readinessProbe.failureThreshold` | Readiness probe failure threshold | `3` | +| `readinessProbe.initialDelaySeconds`| Readiness probe initial delay seconds | `5` | +| `readinessProbe.periodSeconds` | Readiness probe period seconds | `10` | +| `readinessProbe.successThreshold` | Readiness probe success threshold | `1` | +| `readinessProbe.timeoutSeconds` | Readiness probe timeout seconds | `1` | +| `extraVars` | Set environment variables for the main container | `{}` | +| `extraLabels` | Additional labels to add to resources | `{}` | + +*MongoDB config file* + +All options that depended on the chart configuration are supplied as command-line arguments to `mongod`. By default, the chart creates an empty config file. Entries may be added via the `configmap` configuration value. + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +``` console +helm install --name my-release -f values.yaml stable/mongodb-replicaset +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +Once you have all 3 nodes in running, you can run the "test.sh" script in this directory, which will insert a key into the primary and check the secondaries for output. This script requires that the `$RELEASE_NAME` environment variable be set, in order to access the pods. + +## Authentication + +By default, this chart creates a MongoDB replica set without authentication. 
Authentication can be +enabled using the parameter `auth.enabled`. Once enabled, keyfile access control is set up and an +admin user with root privileges is created. User credentials and keyfile may be specified directly. +Alternatively, existing secrets may be provided. The secret for the admin user must contain the +keys `user` and `password`, that for the key file must contain `key.txt`. The user is created with +full `root` permissions but is restricted to the `admin` database for security purposes. It can be +used to create additional users with more specific permissions. + +To connect to the mongo shell with authentication enabled, use a command similar to the following (substituting values as appropriate): + +```shell +kubectl exec -it mongodb-replicaset-0 -- mongo mydb -u admin -p password --authenticationDatabase admin +``` + +## TLS support + +To enable full TLS encryption set `tls.enabled` to `true`. It is recommended to create your own CA by executing: + +```console +openssl genrsa -out ca.key 2048 +openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt -subj "/CN=mydomain.com" +``` + +After that paste the base64 encoded (`cat ca.key | base64 -w0`) cert and key into the fields `tls.cacert` and +`tls.cakey`. 
Adapt the configmap for the replicaset as follows: + +```yml +configmap: + storage: + dbPath: /data/db + net: + port: 27017 + ssl: + mode: requireSSL + CAFile: /data/configdb/tls.crt + PEMKeyFile: /work-dir/mongo.pem + # Set to false to require mutual TLS encryption + allowConnectionsWithoutCertificates: true + replication: + replSetName: rs0 + security: + authorization: enabled + # # Uncomment to enable mutual TLS encryption + # clusterAuthMode: x509 + keyFile: /keydir/key.txt +``` + +To access the cluster you need one of the certificates generated during cluster setup in `/work-dir/mongo.pem` of the +certain container or you generate your own one via: + +```console +$ cat >openssl.cnf < mongo.pem +$ rm mongo.key mongo.crt +``` + +Please ensure that you exchange the `$HOSTNAME` with your actual hostname and the `$HOSTNAME1`, `$HOSTNAME2`, etc. with +alternative hostnames you want to allow access to the MongoDB replicaset. You should now be able to authenticate to the +mongodb with your `mongo.pem` certificate: + +```console +mongo --ssl --sslCAFile=ca.crt --sslPEMKeyFile=mongo.pem --eval "db.adminCommand('ping')" +``` + +## Promethus metrics + +Enabling the metrics as follows will allow for each replicaset pod to export Prometheus compatible metrics +on server status, individual replicaset information, replication oplogs, and storage engine. + +```yaml +metrics: + enabled: true + image: + repository: ssalaues/mongodb-exporter + tag: 0.6.1 + pullPolicy: IfNotPresent + port: 9216 + path: "/metrics" + socketTimeout: 3s + syncTimeout: 1m + prometheusServiceDiscovery: true + resources: {} +``` + +More information on [MongoDB Exporter](https://github.com/percona/mongodb_exporter) metrics available. + +## Deep dive + +Because the pod names are dependent on the name chosen for it, the following examples use the +environment variable `RELEASENAME`. For example, if the helm release name is `messy-hydra`, one would need to set the following before proceeding. 
The example scripts below assume 3 pods only. + +```console +export RELEASE_NAME=messy-hydra +``` + +### Cluster Health + +```console +for i in 0 1 2; do kubectl exec $RELEASE_NAME-mongodb-replicaset-$i -- sh -c 'mongo --eval="printjson(db.serverStatus())"'; done +``` + +### Failover + +One can check the roles being played by each node by using the following: + +```console +$ for i in 0 1 2; do kubectl exec $RELEASE_NAME-mongodb-replicaset-$i -- sh -c 'mongo --eval="printjson(rs.isMaster())"'; done + +MongoDB shell version: 3.6.3 +connecting to: mongodb://127.0.0.1:27017 +MongoDB server version: 3.6.3 +{ + "hosts" : [ + "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", + "messy-hydra-mongodb-1.messy-hydra-mongodb.default.svc.cluster.local:27017", + "messy-hydra-mongodb-2.messy-hydra-mongodb.default.svc.cluster.local:27017" + ], + "setName" : "rs0", + "setVersion" : 3, + "ismaster" : true, + "secondary" : false, + "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", + "me" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", + "electionId" : ObjectId("7fffffff0000000000000001"), + "maxBsonObjectSize" : 16777216, + "maxMessageSizeBytes" : 48000000, + "maxWriteBatchSize" : 1000, + "localTime" : ISODate("2016-09-13T01:10:12.680Z"), + "maxWireVersion" : 4, + "minWireVersion" : 0, + "ok" : 1 +} +``` + +This lets us see which member is primary. + +Let us now test persistence and failover. 
First, we insert a key (in the below example, we assume pod 0 is the master): + +```console +$ kubectl exec $RELEASE_NAME-mongodb-replicaset-0 -- mongo --eval="printjson(db.test.insert({key1: 'value1'}))" + +MongoDB shell version: 3.6.3 +connecting to: mongodb://127.0.0.1:27017 +{ "nInserted" : 1 } +``` + +Watch existing members: + +```console +$ kubectl run --attach bbox --image=mongo:3.6 --restart=Never --env="RELEASE_NAME=$RELEASE_NAME" -- sh -c 'while true; do for i in 0 1 2; do echo $RELEASE_NAME-mongodb-replicaset-$i $(mongo --host=$RELEASE_NAME-mongodb-replicaset-$i.$RELEASE_NAME-mongodb-replicaset --eval="printjson(rs.isMaster())" | grep primary); sleep 1; done; done'; + +Waiting for pod default/bbox2 to be running, status is Pending, pod ready: false +If you don't see a command prompt, try pressing enter. +messy-hydra-mongodb-2 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", +messy-hydra-mongodb-0 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", +messy-hydra-mongodb-1 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", +messy-hydra-mongodb-2 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", +messy-hydra-mongodb-0 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", + +``` + +Kill the primary and watch as a new master getting elected. + +```console +$ kubectl delete pod $RELEASE_NAME-mongodb-replicaset-0 + +pod "messy-hydra-mongodb-0" deleted +``` + +Delete all pods and let the statefulset controller bring it up. 
+ +```console +$ kubectl delete po -l "app=mongodb-replicaset,release=$RELEASE_NAME" +$ kubectl get po --watch-only +NAME READY STATUS RESTARTS AGE +messy-hydra-mongodb-0 0/1 Pending 0 0s +messy-hydra-mongodb-0 0/1 Pending 0 0s +messy-hydra-mongodb-0 0/1 Pending 0 7s +messy-hydra-mongodb-0 0/1 Init:0/2 0 7s +messy-hydra-mongodb-0 0/1 Init:1/2 0 27s +messy-hydra-mongodb-0 0/1 Init:1/2 0 28s +messy-hydra-mongodb-0 0/1 PodInitializing 0 31s +messy-hydra-mongodb-0 0/1 Running 0 32s +messy-hydra-mongodb-0 1/1 Running 0 37s +messy-hydra-mongodb-1 0/1 Pending 0 0s +messy-hydra-mongodb-1 0/1 Pending 0 0s +messy-hydra-mongodb-1 0/1 Init:0/2 0 0s +messy-hydra-mongodb-1 0/1 Init:1/2 0 20s +messy-hydra-mongodb-1 0/1 Init:1/2 0 21s +messy-hydra-mongodb-1 0/1 PodInitializing 0 24s +messy-hydra-mongodb-1 0/1 Running 0 25s +messy-hydra-mongodb-1 1/1 Running 0 30s +messy-hydra-mongodb-2 0/1 Pending 0 0s +messy-hydra-mongodb-2 0/1 Pending 0 0s +messy-hydra-mongodb-2 0/1 Init:0/2 0 0s +messy-hydra-mongodb-2 0/1 Init:1/2 0 21s +messy-hydra-mongodb-2 0/1 Init:1/2 0 22s +messy-hydra-mongodb-2 0/1 PodInitializing 0 25s +messy-hydra-mongodb-2 0/1 Running 0 26s +messy-hydra-mongodb-2 1/1 Running 0 30s + + +... +messy-hydra-mongodb-0 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", +messy-hydra-mongodb-1 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", +messy-hydra-mongodb-2 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", +``` + +Check the previously inserted key: + +```console +$ kubectl exec $RELEASE_NAME-mongodb-replicaset-1 -- mongo --eval="rs.slaveOk(); db.test.find({key1:{\$exists:true}}).forEach(printjson)" + +MongoDB shell version: 3.6.3 +connecting to: mongodb://127.0.0.1:27017 +{ "_id" : ObjectId("57b180b1a7311d08f2bfb617"), "key1" : "value1" } +``` + +### Scaling + +Scaling should be managed by `helm upgrade`, which is the recommended way. 
+ +### Indexes and Maintenance + +You can run Mongo in standalone mode and execute Javascript code on each replica at initContainer time using `initMongodStandalone`. +This allows you to create indexes on replicasets following [best practices](https://docs.mongodb.com/manual/tutorial/build-indexes-on-replica-sets/). + +#### Example: Creating Indexes + +```js +initMongodStandalone: |+ + db = db.getSiblingDB("mydb") + db.my_users.createIndex({email: 1}) +``` + +Tail the logs to debug running indexes or to follow their progress + +```sh +kubectl exec -it $RELEASE-mongodb-replicaset-0 -c bootstrap -- tail -f /work-dir/log.txt +``` + +### Migrate existing ReplicaSets into Kubernetes +If you have an existing ReplicaSet that currently is deployed outside of Kubernetes and want to move it into a cluster you can do so by using the `skipInitialization` flag. + +First set the `skipInitialization` variable to `true` in values.yaml and install the Helm chart. That way you end up with uninitialized MongoDB pods that can be added to the existing ReplicaSet. + +Now take care of realizing the DNS correct resolution of all ReplicaSet members. In Kubernetes you can for example use an `ExternalName`. + +``` +apiVersion: v1 +kind: Service +metadata: + name: mongodb01 + namespace: mongo +spec: + type: ExternalName + externalName: mongodb01.mydomain.com +``` + +If you also put each StatefulSet member behind a loadbalancer the ReplicaSet members outside of the cluster will also be able to reach the pods inside the cluster. 
+
+```
+apiVersion: v1
+kind: Service
+metadata:
+ name: mongodb-0
+ namespace: mongo
+spec:
+ selector:
+ statefulset.kubernetes.io/pod-name: mongodb-0
+ ports:
+ - port: 27017
+ targetPort: 27017
+ type: LoadBalancer
+```
+
+Now all that is left to do is to put the LoadBalancer IP into the `/etc/hosts` file (or realize the DNS resolution through another way)
+```
+1.2.3.4 mongodb-0
+5.6.7.8 mongodb-1
+```
+
+With a setup like this each replicaset member can resolve the DNS entry of each other and you can just add the new pods to your existing MongoDB cluster as if they where just normal nodes.
+
+Of course you need to make sure to get your security settings right. Enforced TLS is a good idea in a setup like this. Also make sure that you activate auth and get the firewall settings right.
+
+Once you fully migrated remove the old nodes from the replicaset.
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/ci/default-values.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/ci/default-values.yaml
new file mode 100644
index 000000000..a8bad27cd
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/ci/default-values.yaml
@@ -0,0 +1 @@
+# No config change. Just use defaults.
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/ci/metrics-values.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/ci/metrics-values.yaml
new file mode 100644
index 000000000..df64aca1e
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/ci/metrics-values.yaml
@@ -0,0 +1,10 @@
+auth:
+ enabled: true
+ adminUser: username
+ adminPassword: password
+ metricsUser: metrics
+ metricsPassword: password
+ key: keycontent
+
+metrics:
+ enabled: true
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/ci/tls-values.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/ci/tls-values.yaml
new file mode 100644
index 000000000..043d7ac0c
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/ci/tls-values.yaml
@@ -0,0 +1,10 @@
+tls:
+ # Enable or disable MongoDB TLS support
+ enabled: true
+ # Please generate your own TLS CA by generating it via:
+ # $ openssl genrsa -out ca.key 2048
+ # $ openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt -subj "/CN=mydomain.com"
+ # After that you can base64 encode it and paste it here:
+ # $ cat ca.key | base64 -w0
+ cacert: "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"
+ cakey: "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"
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/init/on-start.sh b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/init/on-start.sh
new file mode 100644
index 000000000..12ac89364
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/init/on-start.sh
@@ -0,0 +1,226 @@
+#!/usr/bin/env bash
+
+# Copyright 2018 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e pipefail
+
+port=27017
+replica_set="$REPLICA_SET"
+script_name=${0##*/}
+SECONDS=0
+timeout="${TIMEOUT:-900}"
+tls_mode="${TLS_MODE}"
+
+if [[ "$AUTH" == "true" ]]; then
+ admin_user="$ADMIN_USER"
+ admin_password="$ADMIN_PASSWORD"
+ admin_creds=(-u "$admin_user" -p "$admin_password")
+ if [[ "$METRICS" == "true" ]]; then
+ metrics_user="$METRICS_USER"
+ metrics_password="$METRICS_PASSWORD"
+ fi
+ auth_args=("--auth" "--keyFile=/data/configdb/key.txt")
+fi
+
+log() {
+ local msg="$1"
+ local timestamp
+ timestamp=$(date --iso-8601=ns)
+ echo "[$timestamp] [$script_name] $msg" 2>&1 | tee -a /work-dir/log.txt 1>&2
+}
+
+retry_until() {
+ local host="${1}"
+ local command="${2}"
+ local expected="${3}"
+ local creds=("${admin_creds[@]}")
+
+ # Don't need credentials for admin user creation and pings that run on localhost
+ if [[ "${host}" =~ ^localhost ]]; then
+ creds=()
+ fi
+
+ until [[ $(mongo admin --host "${host}" "${creds[@]}" "${ssl_args[@]}" --quiet --eval "${command}" | tail -n1) == "${expected}" ]]; do
+ sleep 1
+
+ if (! ps "${pid}" &>/dev/null); then
+ log "mongod shutdown unexpectedly"
+ exit 1
+ fi
+ if [[ "${SECONDS}" -ge "${timeout}" ]]; then
+ log "Timed out after ${timeout}s attempting to bootstrap mongod"
+ exit 1
+ fi
+
+ log "Retrying ${command} on ${host}"
+ done
+}
+
+shutdown_mongo() {
+ local host="${1:-localhost}"
+ local args='force: true'
+ log "Shutting down MongoDB ($args)..."
+ if (! mongo admin --host "${host}" "${admin_creds[@]}" "${ssl_args[@]}" --eval "db.shutdownServer({$args})"); then
+ log "db.shutdownServer() failed, sending the terminate signal"
+ kill -TERM "${pid}"
+ fi
+}
+
+init_mongod_standalone() {
+ if [[ ! -f /init/initMongodStandalone.js ]]; then
+ log "Skipping init mongod standalone script"
+ return 0
+ elif [[ -z "$(ls -1A /data/db)" ]]; then
+ log "mongod standalone script currently not supported on initial install"
+ return 0
+ fi
+
+ local port="27018"
+ log "Starting a MongoDB instance as standalone..."
+ mongod --config /data/configdb/mongod.conf --dbpath=/data/db "${auth_args[@]}" "${ssl_server_args[@]}" --port "${port}" --bind_ip=0.0.0.0 2>&1 | tee -a /work-dir/log.txt 1>&2 &
+ export pid=$!
+ trap shutdown_mongo EXIT
+ log "Waiting for MongoDB to be ready..."
+ retry_until "localhost:${port}" "db.adminCommand('ping').ok" "1"
+ log "Running init js script on standalone mongod"
+ mongo admin --port "${port}" "${admin_creds[@]}" "${ssl_args[@]}" /init/initMongodStandalone.js
+ shutdown_mongo "localhost:${port}"
+}
+
+my_hostname=$(hostname)
+log "Bootstrapping MongoDB replica set member: $my_hostname"
+
+log "Reading standard input..."
+while read -ra line; do + if [[ "${line}" == *"${my_hostname}"* ]]; then + service_name="$line" + fi + peers=("${peers[@]}" "$line") +done + +# Generate the ca cert +ca_crt=/data/configdb/tls.crt +if [ -f "$ca_crt" ]; then + log "Generating certificate" + ca_key=/data/configdb/tls.key + pem=/work-dir/mongo.pem + ssl_args=(--ssl --sslCAFile "$ca_crt" --sslPEMKeyFile "$pem") + ssl_server_args=(--sslMode "$tls_mode" --sslCAFile "$ca_crt" --sslPEMKeyFile "$pem") + +# Move into /work-dir +pushd /work-dir + +cat >openssl.cnf < $pem + rm mongo.key mongo.crt +fi + +init_mongod_standalone + +if [[ "${SKIP_INIT}" == "true" ]]; then + log "Skipping initialization" + exit 0 +fi + +log "Peers: ${peers[*]}" +log "Starting a MongoDB replica" +mongod --config /data/configdb/mongod.conf --dbpath=/data/db --replSet="$replica_set" --port="${port}" "${auth_args[@]}" "${ssl_server_args[@]}" --bind_ip=0.0.0.0 2>&1 | tee -a /work-dir/log.txt 1>&2 & +pid=$! +trap shutdown_mongo EXIT + +log "Waiting for MongoDB to be ready..." +retry_until "localhost" "db.adminCommand('ping').ok" "1" +log "Initialized." + +# try to find a master +for peer in "${peers[@]}"; do + log "Checking if ${peer} is primary" + # Check rs.status() first since it could be in primary catch up mode which db.isMaster() doesn't show + if [[ $(mongo admin --host "${peer}" "${admin_creds[@]}" "${ssl_args[@]}" --quiet --eval "rs.status().myState") == "1" ]]; then + retry_until "${peer}" "db.isMaster().ismaster" "true" + log "Found primary: ${peer}" + primary="${peer}" + break + fi +done + +if [[ "${primary}" = "${service_name}" ]]; then + log "This replica is already PRIMARY" +elif [[ -n "${primary}" ]]; then + if [[ $(mongo admin --host "${primary}" "${admin_creds[@]}" "${ssl_args[@]}" --quiet --eval "rs.conf().members.findIndex(m => m.host == '${service_name}:${port}')") == "-1" ]]; then + log "Adding myself (${service_name}) to replica set..." 
+ if (mongo admin --host "${primary}" "${admin_creds[@]}" "${ssl_args[@]}" --eval "rs.add('${service_name}')" | grep 'Quorum check failed'); then
+ log 'Quorum check failed, unable to join replicaset. Exiting prematurely.'
+ exit 1
+ fi
+ fi
+
+ sleep 3
+ log 'Waiting for replica to reach SECONDARY state...'
+ retry_until "${service_name}" "rs.status().myState" "2"
+ log '✓ Replica reached SECONDARY state.'
+
+elif (mongo "${ssl_args[@]}" --eval "rs.status()" | grep "no replset config has been received"); then
+ log "Initiating a new replica set with myself ($service_name)..."
+ mongo "${ssl_args[@]}" --eval "rs.initiate({'_id': '$replica_set', 'members': [{'_id': 0, 'host': '$service_name'}]})"
+
+ sleep 3
+ log 'Waiting for replica to reach PRIMARY state...'
+ retry_until "localhost" "db.isMaster().ismaster" "true"
+ primary="${service_name}"
+ log '✓ Replica reached PRIMARY state.'
+
+ if [[ "${AUTH}" == "true" ]]; then
+ log "Creating admin user..."
+ mongo admin "${ssl_args[@]}" --eval "db.createUser({user: '${admin_user}', pwd: '${admin_password}', roles: [{role: 'root', db: 'admin'}]})"
+ fi
+fi
+
+# User creation
+if [[ -n "${primary}" && "$AUTH" == "true" && "$METRICS" == "true" ]]; then
+ metric_user_count=$(mongo admin --host "${primary}" "${admin_creds[@]}" "${ssl_args[@]}" --eval "db.system.users.find({user: '${metrics_user}'}).count()" --quiet)
+ if [[ "${metric_user_count}" == "0" ]]; then
+ log "Creating clusterMonitor user..."
+ mongo admin --host "${primary}" "${admin_creds[@]}" "${ssl_args[@]}" --eval "db.createUser({user: '${metrics_user}', pwd: '${metrics_password}', roles: [{role: 'clusterMonitor', db: 'admin'}, {role: 'read', db: 'local'}]})"
+ fi
+fi
+
+log "MongoDB bootstrap complete"
+exit 0
+
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/NOTES.txt b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/NOTES.txt
new file mode 100644
index 000000000..2d942592e
--- /dev/null
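Review bot: `set -e pipefail` at the top of the hunk does not turn on pipefail — `set` takes the bare word as a positional parameter, so `$1` becomes `pipefail` and the pipelines in `retry_until` (`mongo ... | tail -n1`) and the `rs.add` check (`mongo ... | grep 'Quorum check failed'`) only reflect the exit status of `tail`/`grep`; it should read `set -eo pipefail`. Also worth noting that `admin_password` and `metrics_password` are spliced unescaped into `--eval` JavaScript literals (`pwd: '${admin_password}'`) and passed as `-p "$admin_password"` on the mongo command line, so a password containing `'` breaks user creation and either form is readable in the container's process listing; escaping the value, or handing it to the shell through the environment and reading it inside the JS, would be safer. The heredoc that writes `openssl.cnf` appears truncated in this rendering, so the certificate-generation block could not be checked here.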
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/NOTES.txt
@@ -0,0 +1,14 @@
+1. After the statefulset is created completely, one can check which instance is primary by running:
+
+ $ for ((i = 0; i < {{ .Values.replicas }}; ++i)); do kubectl exec --namespace {{ .Release.Namespace }} {{ template "mongodb-replicaset.fullname" . }}-$i -- sh -c 'mongo --eval="printjson(rs.isMaster())"'; done
+
+2. One can insert a key into the primary instance of the mongodb replica set by running the following:
+ MASTER_POD_NAME must be replaced with the name of the master found from the previous step.
+
+ $ kubectl exec --namespace {{ .Release.Namespace }} MASTER_POD_NAME -- mongo --eval="printjson(db.test.insert({key1: 'value1'}))"
+
+3. One can fetch the keys stored in the primary or any of the slave nodes in the following manner.
+ POD_NAME must be replaced by the name of the pod being queried.
+
+ $ kubectl exec --namespace {{ .Release.Namespace }} POD_NAME -- mongo --eval="rs.slaveOk(); db.test.find().forEach(printjson)"
+
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/_helpers.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/_helpers.tpl
new file mode 100644
index 000000000..223ec6604
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/_helpers.tpl
@@ -0,0 +1,78 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "mongodb-replicaset.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "mongodb-replicaset.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "mongodb-replicaset.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name for the admin secret. +*/}} +{{- define "mongodb-replicaset.adminSecret" -}} + {{- if .Values.auth.existingAdminSecret -}} + {{- .Values.auth.existingAdminSecret -}} + {{- else -}} + {{- template "mongodb-replicaset.fullname" . -}}-admin + {{- end -}} +{{- end -}} + +{{- define "mongodb-replicaset.metricsSecret" -}} + {{- if .Values.auth.existingMetricsSecret -}} + {{- .Values.auth.existingMetricsSecret -}} + {{- else -}} + {{- template "mongodb-replicaset.fullname" . -}}-metrics + {{- end -}} +{{- end -}} + + +{{/* +Create the name for the key secret. +*/}} +{{- define "mongodb-replicaset.keySecret" -}} + {{- if .Values.auth.existingKeySecret -}} + {{- .Values.auth.existingKeySecret -}} + {{- else -}} + {{- template "mongodb-replicaset.fullname" . 
-}}-keyfile + {{- end -}} +{{- end -}} + +{{- define "mongodb-replicaset.connection-string" -}} + {{- $string := "" -}} + {{- if .Values.auth.enabled }} + {{- $string = printf "mongodb://$METRICS_USER:$METRICS_PASSWORD@localhost:%s" (.Values.port|toString) -}} + {{- else -}} + {{- $string = printf "mongodb://localhost:%s" (.Values.port|toString) -}} + {{- end -}} + + {{- if .Values.tls.enabled }} + {{- printf "%s?ssl=true&tlsCertificateKeyFile=/work-dir/mongo.pem&tlsCAFile=/ca/tls.crt" $string -}} + {{- else -}} + {{- printf $string -}} + {{- end -}} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-admin-secret.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-admin-secret.yaml new file mode 100644 index 000000000..311f2e0e4 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-admin-secret.yaml @@ -0,0 +1,18 @@ +{{- if and (.Values.auth.enabled) (not .Values.auth.existingAdminSecret) -}} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.adminSecret" . }} +type: Opaque +data: + user: {{ .Values.auth.adminUser | b64enc }} + password: {{ .Values.auth.adminPassword | b64enc }} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-ca-secret.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-ca-secret.yaml new file mode 100644 index 000000000..03762529c --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-ca-secret.yaml 
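Review bot: `mongodb-replicaset.connection-string` splices `$METRICS_USER:$METRICS_PASSWORD` into the URI with no percent-encoding, so a metrics password containing `@`, `:`, `/` or `%` either fails to parse or is read as part of the host by the exporter. The substitution happens in the consumer's shell at runtime (the template emits the literal `$METRICS_PASSWORD`), so it cannot be encoded with a Helm function here; the helper should at least state the constraint, e.g. `{{/* NOTE: credentials are shell-expanded by the caller and are not URL-encoded; metricsPassword must use URI-safe characters. */}}`. `mongodb-replicaset.metricsSecret` is also the only define in this file without a header comment describing what it returns.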
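Review bot: `user: {{ .Values.auth.adminUser | b64enc }}` and the `password` line below it have no `required` guard, yet values.yaml ships `adminUser`/`adminPassword` commented out, so enabling `auth.enabled` without setting them either fails at render time or, depending on the Helm version, yields a Secret with empty credentials. Wrap both, e.g. `user: {{ required "auth.adminUser is required when auth.enabled is true" .Values.auth.adminUser | b64enc }}`, and likewise for `password`. The same gap applies to `key.txt` in mongodb-keyfile-secret.yaml and to `user`/`password` in mongodb-metrics-secret.yaml.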
@@ -0,0 +1,18 @@ +{{- if .Values.tls.enabled -}} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.fullname" . }}-ca +data: + tls.key: {{ .Values.tls.cakey }} + tls.crt: {{ .Values.tls.cacert }} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-init-configmap.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-init-configmap.yaml new file mode 100644 index 000000000..8f5ba0db5 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-init-configmap.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.fullname" . }}-init +data: + on-start.sh: | +{{ .Files.Get "init/on-start.sh" | indent 4 }} +{{- if .Values.initMongodStandalone }} + initMongodStandalone.js: | +{{ .Values.initMongodStandalone | indent 4 }} +{{- end }} + diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-keyfile-secret.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-keyfile-secret.yaml new file mode 100644 index 000000000..5e0513ebb --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-keyfile-secret.yaml 
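Review bot: this Secret carries the CA private key (`tls.key: {{ .Values.tls.cakey }}`) next to the certificate, and the StatefulSet mounts the whole Secret into every replica (the copy-config init container copies `tls.key` into `/data/configdb`, which the mongod container shares) and into the metrics sidecar at `/ca`, so each pod holds the key that can sign arbitrary certificates for the replica set. The metrics container only references `tlsCAFile=/ca/tls.crt`, so its mount should project `tls.crt` alone via `items`, and the data-plane mount deserves a comment saying why the key must be on every pod (presumably per-pod server certificate generation by the install init container, which is outside this hunk). Neither `cacert` nor `cakey` is guarded, and both are pasted already base64-encoded without validation, so a missing or plain-text value renders a Secret the API server rejects late; consider `tls.key: {{ required "tls.cakey (base64) is required when tls.enabled is true" .Values.tls.cakey }}`.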
@@ -0,0 +1,17 @@ +{{- if and (.Values.auth.enabled) (not .Values.auth.existingKeySecret) -}} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.keySecret" . }} +type: Opaque +data: + key.txt: {{ .Values.auth.key | b64enc }} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-metrics-secret.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-metrics-secret.yaml new file mode 100644 index 000000000..c1484481e --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-metrics-secret.yaml @@ -0,0 +1,18 @@ +{{- if and (.Values.auth.enabled) (not .Values.auth.existingMetricsSecret) (.Values.metrics.enabled) -}} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.metricsSecret" . }} +type: Opaque +data: + user: {{ .Values.auth.metricsUser | b64enc }} + password: {{ .Values.auth.metricsPassword | b64enc }} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-mongodb-configmap.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-mongodb-configmap.yaml new file mode 100644 index 000000000..eec20b991 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-mongodb-configmap.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.fullname" . }}-mongodb +data: + mongod.conf: | +{{ toYaml .Values.configmap | indent 4 }} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-poddisruptionbudget.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-poddisruptionbudget.yaml new file mode 100644 index 000000000..6768aa3b0 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-poddisruptionbudget.yaml @@ -0,0 +1,20 @@ +{{- if .Values.podDisruptionBudget -}} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.fullname" . }} +spec: + selector: + matchLabels: + app: {{ template "mongodb-replicaset.name" . }} + release: {{ .Release.Name }} +{{ toYaml .Values.podDisruptionBudget | indent 2 }} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-service-client.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-service-client.yaml new file mode 100644 index 000000000..3982aae4c --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-service-client.yaml 
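Review bot: `apiVersion: policy/v1beta1` for PodDisruptionBudget was removed in Kubernetes 1.25, so the mongodb-poddisruptionbudget.yaml template stops rendering a valid object on current clusters. Switch to `policy/v1` (the `spec` written here is identical under both versions) or gate it with `{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}`.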
@@ -0,0 +1,32 @@ +# A headless service for client applications to use +apiVersion: v1 +kind: Service +metadata: + annotations: + {{- if .Values.serviceAnnotations }} +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.fullname" . }}-client +spec: + type: ClusterIP + clusterIP: None + ports: + - name: mongodb + port: {{ .Values.port }} +{{- if .Values.metrics.enabled }} + - name: metrics + port: {{ .Values.metrics.port }} + targetPort: metrics +{{- end }} + selector: + app: {{ template "mongodb-replicaset.name" . }} + release: {{ .Release.Name }} + diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-service.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-service.yaml new file mode 100644 index 000000000..99748a668 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-service.yaml 
@@ -0,0 +1,25 @@ +# A headless service to create DNS records for discovery purposes. Use the -client service to connect applications +apiVersion: v1 +kind: Service +metadata: + annotations: + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.fullname" . }} +spec: + type: ClusterIP + clusterIP: None + ports: + - name: mongodb + port: {{ .Values.port }} + publishNotReadyAddresses: true + selector: + app: {{ template "mongodb-replicaset.name" . }} + release: {{ .Release.Name }} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-statefulset.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-statefulset.yaml new file mode 100644 index 000000000..60c043aa6 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/mongodb-statefulset.yaml 
@@ -0,0 +1,354 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.fullname" . }} +spec: + selector: + matchLabels: + app: {{ template "mongodb-replicaset.name" . }} + release: {{ .Release.Name }} + serviceName: {{ template "mongodb-replicaset.fullname" . }} + replicas: {{ .Values.replicas }} + template: + metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 8 }} +{{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/mongodb-mongodb-configmap.yaml") . | sha256sum }} + {{- if and (.Values.metrics.prometheusServiceDiscovery) (.Values.metrics.enabled) }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.metrics.port | quote }} + prometheus.io/path: {{ .Values.metrics.path | quote }} + {{- end }} + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . 
}} + {{- end}} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + fsGroup: {{ .Values.securityContext.fsGroup }} + runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + initContainers: + - name: copy-config + image: "{{ .Values.copyConfigImage.repository }}:{{ .Values.copyConfigImage.tag }}" + imagePullPolicy: {{ .Values.copyConfigImage.pullPolicy | quote }} + command: + - "sh" + args: + - "-c" + - | + set -e + set -x + + cp /configdb-readonly/mongod.conf /data/configdb/mongod.conf + + {{- if .Values.tls.enabled }} + cp /ca-readonly/tls.key /data/configdb/tls.key + cp /ca-readonly/tls.crt /data/configdb/tls.crt + {{- end }} + + {{- if .Values.auth.enabled }} + cp /keydir-readonly/key.txt /data/configdb/key.txt + chmod 600 /data/configdb/key.txt + {{- end }} + volumeMounts: + - name: workdir + mountPath: /work-dir + - name: config + mountPath: /configdb-readonly + - name: configdir + mountPath: /data/configdb + {{- if .Values.tls.enabled }} + - name: ca + mountPath: /ca-readonly + {{- end }} + {{- if .Values.auth.enabled }} + - name: keydir + mountPath: /keydir-readonly + {{- end }} + resources: +{{ toYaml .Values.init.resources | indent 12 }} + - name: install + image: "{{ .Values.installImage.repository }}:{{ .Values.installImage.tag }}" + args: + - --work-dir=/work-dir + imagePullPolicy: "{{ .Values.installImage.pullPolicy }}" + volumeMounts: + - name: workdir + mountPath: /work-dir + resources: +{{ toYaml .Values.init.resources | indent 12 }} + - name: bootstrap + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + command: + - /work-dir/peer-finder + args: + - -on-start=/init/on-start.sh + - "-service={{ template "mongodb-replicaset.fullname" . 
}}" + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: REPLICA_SET + value: {{ .Values.replicaSetName }} + - name: TIMEOUT + value: "{{ .Values.init.timeout }}" + - name: SKIP_INIT + value: "{{ .Values.skipInitialization }}" + - name: TLS_MODE + value: {{ .Values.tls.mode }} + {{- if .Values.auth.enabled }} + - name: AUTH + value: "true" + - name: ADMIN_USER + valueFrom: + secretKeyRef: + name: "{{ template "mongodb-replicaset.adminSecret" . }}" + key: user + - name: ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "{{ template "mongodb-replicaset.adminSecret" . }}" + key: password + {{- if .Values.metrics.enabled }} + - name: METRICS + value: "true" + - name: METRICS_USER + valueFrom: + secretKeyRef: + name: "{{ template "mongodb-replicaset.metricsSecret" . }}" + key: user + - name: METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: "{{ template "mongodb-replicaset.metricsSecret" . }}" + key: password + {{- end }} + {{- end }} + volumeMounts: + - name: workdir + mountPath: /work-dir + - name: init + mountPath: /init + - name: configdir + mountPath: /data/configdb + - name: datadir + mountPath: /data/db + resources: +{{ toYaml .Values.init.resources | indent 12 }} + containers: + - name: {{ template "mongodb-replicaset.name" . 
}} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + {{- if .Values.extraVars }} + env: +{{ toYaml .Values.extraVars | indent 12 }} + {{- end }} + ports: + - name: mongodb + containerPort: 27017 + resources: +{{ toYaml .Values.resources | indent 12 }} + command: + - mongod + args: + - --config=/data/configdb/mongod.conf + - --dbpath=/data/db + - --replSet={{ .Values.replicaSetName }} + - --port=27017 + - --bind_ip=0.0.0.0 + {{- if .Values.auth.enabled }} + - --auth + - --keyFile=/data/configdb/key.txt + {{- end }} + {{- if .Values.tls.enabled }} + - --sslMode={{ .Values.tls.mode }} + - --sslCAFile=/data/configdb/tls.crt + - --sslPEMKeyFile=/work-dir/mongo.pem + {{- end }} + livenessProbe: + exec: + command: + - mongo + {{- if .Values.tls.enabled }} + - --ssl + - --sslCAFile=/data/configdb/tls.crt + - --sslPEMKeyFile=/work-dir/mongo.pem + {{- end }} + - --eval + - "db.adminCommand('ping')" + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + readinessProbe: + exec: + command: + - mongo + {{- if .Values.tls.enabled }} + - --ssl + - --sslCAFile=/data/configdb/tls.crt + - --sslPEMKeyFile=/work-dir/mongo.pem + {{- end }} + - --eval + - "db.adminCommand('ping')" + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + volumeMounts: + - name: datadir + mountPath: /data/db + - name: configdir + mountPath: /data/configdb + - name: workdir + mountPath: /work-dir +{{ if 
.Values.metrics.enabled }} + - name: metrics + image: "{{ .Values.metrics.image.repository }}:{{ .Values.metrics.image.tag }}" + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + command: + - sh + - -c + - >- + /bin/mongodb_exporter + --mongodb.uri {{ template "mongodb-replicaset.connection-string" . }} + --mongodb.socket-timeout={{ .Values.metrics.socketTimeout }} + --mongodb.sync-timeout={{ .Values.metrics.syncTimeout }} + --web.telemetry-path={{ .Values.metrics.path }} + --web.listen-address=:{{ .Values.metrics.port }} + volumeMounts: + {{- if and (.Values.tls.enabled) }} + - name: ca + mountPath: /ca + readOnly: true + {{- end }} + - name: workdir + mountPath: /work-dir + readOnly: true + env: + {{- if .Values.auth.enabled }} + - name: METRICS_USER + valueFrom: + secretKeyRef: + name: "{{ template "mongodb-replicaset.metricsSecret" . }}" + key: user + - name: METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: "{{ template "mongodb-replicaset.metricsSecret" . }}" + key: password + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.metrics.port }} + resources: +{{ toYaml .Values.metrics.resources | indent 12 }} + {{- if .Values.metrics.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.metrics.securityContext.runAsUser }} + {{- end }} + livenessProbe: + exec: + command: + - sh + - -c + - >- + /bin/mongodb_exporter + --mongodb.uri {{ template "mongodb-replicaset.connection-string" . }} + --test + initialDelaySeconds: 30 + periodSeconds: 10 +{{ end }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "mongodb-replicaset.fullname" . }}-mongodb + - name: init + configMap: + defaultMode: 0755 + name: {{ template "mongodb-replicaset.fullname" . 
}}-init + {{- if .Values.tls.enabled }} + - name: ca + secret: + defaultMode: 0400 + secretName: {{ template "mongodb-replicaset.fullname" . }}-ca + {{- end }} + {{- if .Values.auth.enabled }} + - name: keydir + secret: + defaultMode: 0400 + secretName: {{ template "mongodb-replicaset.keySecret" . }} + {{- end }} + - name: workdir + emptyDir: {} + - name: configdir + emptyDir: {} +{{- if .Values.persistentVolume.enabled }} + volumeClaimTemplates: + - metadata: + name: datadir + annotations: + {{- range $key, $value := .Values.persistentVolume.annotations }} + {{ $key }}: "{{ $value }}" + {{- end }} + spec: + accessModes: + {{- range .Values.persistentVolume.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistentVolume.size | quote }} + {{- if .Values.persistentVolume.storageClass }} + {{- if (eq "-" .Values.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.persistentVolume.storageClass }}" + {{- end }} + {{- end }} +{{- else }} + - name: datadir + emptyDir: {} +{{- end }} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/tests/mongodb-up-test-configmap.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/tests/mongodb-up-test-configmap.yaml new file mode 100644 index 000000000..45854201a --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/tests/mongodb-up-test-configmap.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "mongodb-replicaset.fullname" . }}-tests +data: + mongodb-up-test.sh: | +{{ .Files.Get "tests/mongodb-up-test.sh" | indent 4 }} 
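Review bot: the metrics sidecar's `sh -c` command, and its livenessProbe that repeats it every 10 s, place `{{ template "mongodb-replicaset.connection-string" . }}` on the command line, so after the shell substitutes `$METRICS_USER:$METRICS_PASSWORD` the credentials sit in the exporter's argv, readable from `/proc/<pid>/cmdline` by any process in that container or on the node and captured by process-monitoring agents. Prefer the exporter's environment-variable form of the URI (mongodb_exporter reads `MONGODB_URI`; confirm for the pinned image) so the secret stays in `env`, where it is already injected. Separately, neither the mongod container nor the sidecars set a container-level `securityContext` with `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` — the pod-level `runAsNonRoot`/`runAsUser` is the only hardening — and `--bind_ip=0.0.0.0` combined with the chart default `auth.enabled: false` exposes an unauthenticated mongod to every namespace unless a NetworkPolicy is added; a comment on the `args` block should say so.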
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/tests/mongodb-up-test-pod.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/tests/mongodb-up-test-pod.yaml new file mode 100644 index 000000000..3e213a680 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/templates/tests/mongodb-up-test-pod.yaml 
@@ -0,0 +1,79 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "mongodb-replicaset.fullname" . }}-test + annotations: + "helm.sh/hook": test-success +spec: + initContainers: + - name: test-framework + image: dduportal/bats:0.4.0 + command: + - bash + - -c + - | + set -ex + # copy bats to tools dir + cp -R /usr/local/libexec/ /tools/bats/ + volumeMounts: + - name: tools + mountPath: /tools + containers: + - name: mongo + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + command: + - /tools/bats/bats + - -t + - /tests/mongodb-up-test.sh + env: + - name: FULL_NAME + value: {{ template "mongodb-replicaset.fullname" . }} + - name: NAMESPACE + value: {{ .Release.Namespace }} + - name: REPLICAS + value: "{{ .Values.replicas }}" + {{- if .Values.auth.enabled }} + - name: AUTH + value: "true" + - name: ADMIN_USER + valueFrom: + secretKeyRef: + name: "{{ template "mongodb-replicaset.adminSecret" . }}" + key: user + - name: ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "{{ template "mongodb-replicaset.adminSecret" . }}" + key: password + {{- end }} + volumeMounts: + - name: tools + mountPath: /tools + - name: tests + mountPath: /tests + {{- if .Values.tls.enabled }} + - name: tls + mountPath: /tls + {{- end }} + volumes: + - name: tools + emptyDir: {} + - name: tests + configMap: + name: {{ template "mongodb-replicaset.fullname" . }}-tests + {{- if .Values.tls.enabled }} + - name: tls + secret: + secretName: {{ template "mongodb-replicaset.fullname" . }}-ca + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + {{- end }} + restartPolicy: Never diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/test.sh b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/test.sh new file mode 100644 index 000000000..0b7fd767b --- /dev/null 
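Review bot: the `test-framework` init container pulls `dduportal/bats:0.4.0`, a personal-namespace Docker Hub image selected by mutable tag, into the cluster as a `helm test` hook; tags can be re-pushed, so pin it by digest (`image: dduportal/bats:0.4.0@sha256:<digest>`) or mirror it to a registry the chart owners control. The `tls` volume also projects the CA private key (`tls.key`) into this test pod; if that is only needed so the test script can mint a client certificate, a one-line comment on the `items` block saying so would stop the next reader from treating it as an accidental leak.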
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/test.sh @@ -0,0 +1,48 @@ +#! /bin/bash + +# Copyright 2016 The Kubernetes Authors. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +NS="${RELEASE_NAMESPACE:-default}" +POD_NAME="${RELEASE_NAME:-mongo}-mongodb-replicaset" + +MONGOCACRT=/ca/tls.crt +MONGOPEM=/work-dir/mongo.pem +if [ -f $MONGOPEM ]; then + MONGOARGS="--ssl --sslCAFile $MONGOCACRT --sslPEMKeyFile $MONGOPEM" +fi + +for i in $(seq 0 2); do + pod="${POD_NAME}-$i" + kubectl exec --namespace $NS $pod -- sh -c 'mongo '"$MONGOARGS"' --eval="printjson(rs.isMaster())"' | grep '"ismaster" : true' + + if [ $? -eq 0 ]; then + echo "Found master: $pod" + MASTER=$pod + break + fi +done + +kubectl exec --namespace $NS $MASTER -- mongo "$MONGOARGS" --eval='printjson(db.test.insert({"status": "success"}))' + +# TODO: find maximum duration to wait for slaves to be up-to-date with master. +sleep 2 + +for i in $(seq 0 2); do + pod="${POD_NAME}-$i" + if [[ $pod != $MASTER ]]; then + echo "Reading from slave: $pod" + kubectl exec --namespace $NS $pod -- mongo "$MONGOARGS" --eval='rs.slaveOk(); db.test.find().forEach(printjson)' + fi +done diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/tests/mongodb-up-test.sh b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/tests/mongodb-up-test.sh new file mode 100644 index 000000000..9998719f4 --- /dev/null 
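Review bot: `MONGOARGS` is built as one string but expanded quoted (`mongo "$MONGOARGS"`), so with TLS on mongo receives `--ssl --sslCAFile ... --sslPEMKeyFile ...` as a single unrecognised argument, and with TLS off it receives an empty-string argument; only the first loop's `sh -c 'mongo '"$MONGOARGS"' ...'` word-splits correctly. Declare it as an array — `MONGOARGS=(); if [ -f "$MONGOPEM" ]; then MONGOARGS=(--ssl --sslCAFile "$MONGOCACRT" --sslPEMKeyFile "$MONGOPEM"); fi` — and expand it as `"${MONGOARGS[@]}"` in the direct calls (and `"${MONGOARGS[*]}"` inside the `sh -c` string). `MASTER` is never checked after the search loop, so when no primary is found the insert runs `kubectl exec` with an empty pod name; add `[ -n "$MASTER" ] || { echo "no primary found" >&2; exit 1; }` before it.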
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/tests/mongodb-up-test.sh 
@@ -0,0 +1,120 @@ +#!/usr/bin/env bash + +set -ex + +CACRT_FILE=/work-dir/tls.crt +CAKEY_FILE=/work-dir/tls.key +MONGOPEM=/work-dir/mongo.pem + +MONGOARGS="--quiet" + +if [ -e "/tls/tls.crt" ]; then + # log "Generating certificate" + mkdir -p /work-dir + cp /tls/tls.crt /work-dir/tls.crt + cp /tls/tls.key /work-dir/tls.key + + # Move into /work-dir + pushd /work-dir + +cat >openssl.cnf < $MONGOPEM + MONGOARGS="$MONGOARGS --ssl --sslCAFile $CACRT_FILE --sslPEMKeyFile $MONGOPEM" +fi + +if [[ "${AUTH}" == "true" ]]; then + MONGOARGS="$MONGOARGS --username $ADMIN_USER --password $ADMIN_PASSWORD --authenticationDatabase admin" +fi + +pod_name() { + local full_name="${FULL_NAME?Environment variable FULL_NAME not set}" + local namespace="${NAMESPACE?Environment variable NAMESPACE not set}" + local index="$1" + echo "$full_name-$index.$full_name.$namespace.svc.cluster.local" +} + +replicas() { + echo "${REPLICAS?Environment variable REPLICAS not set}" +} + +master_pod() { + for ((i = 0; i < $(replicas); ++i)); do + response=$(mongo $MONGOARGS "--host=$(pod_name "$i")" "--eval=rs.isMaster().ismaster") + if [[ "$response" == "true" ]]; then + pod_name "$i" + break + fi + done +} + +setup() { + local ready=0 + until [[ "$ready" -eq $(replicas) ]]; do + echo "Waiting for application to become ready" >&2 + sleep 1 + + for ((i = 0; i < $(replicas); ++i)); do + response=$(mongo $MONGOARGS "--host=$(pod_name "$i")" "--eval=rs.status().ok" || true) + if [[ "$response" -eq 1 ]]; then + ready=$((ready + 1)) + fi + done + done +} + +@test "Testing mongodb client is executable" { + mongo -h + [ "$?" -eq 0 ] +} + +@test "Connect mongodb client to mongodb pods" { + for ((i = 0; i < $(replicas); ++i)); do + response=$(mongo $MONGOARGS "--host=$(pod_name "$i")" "--eval=rs.status().ok") + if [[ ! 
"$response" -eq 1 ]]; then + exit 1 + fi + done +} + +@test "Write key to primary" { + response=$(mongo $MONGOARGS --host=$(master_pod) "--eval=db.test.insert({\"abc\": \"def\"}).nInserted") + if [[ ! "$response" -eq 1 ]]; then + exit 1 + fi +} + +@test "Read key from slaves" { + # wait for slaves to catch up + sleep 10 + + for ((i = 0; i < $(replicas); ++i)); do + response=$(mongo $MONGOARGS --host=$(pod_name "$i") "--eval=rs.slaveOk(); db.test.find({\"abc\":\"def\"})") + if [[ ! "$response" =~ .*def.* ]]; then + exit 1 + fi + done + + # Clean up a document after test + mongo $MONGOARGS --host=$(master_pod) "--eval=db.test.deleteMany({\"abc\": \"def\"})" +} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/values.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/values.yaml new file mode 100644 index 000000000..7e750af0e --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb-replicaset/values.yaml 
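Review bot: `set -ex` at the top of the script, followed by `MONGOARGS="$MONGOARGS --username $ADMIN_USER --password $ADMIN_PASSWORD --authenticationDatabase admin"`, means every later `mongo $MONGOARGS ...` call is traced with the admin password expanded, and bats `-t` forwards that trace to the test pod's stdout, i.e. into `kubectl logs` and any log pipeline that collects it. Use `set -e` alone, or bracket the credentialed section with `set +x` / `set -x`; note the password still lands in each `mongo` process's argv, which is a smaller but similar exposure. The line `cat >openssl.cnf < $MONGOPEM` indicates the heredoc body and the openssl commands were lost in this rendering of the hunk, so the certificate-generation step could not be reviewed here. `[[ ! "$response" -eq 1 ]]` also raises a bash arithmetic error instead of a clean failure when `mongo` prints non-numeric output; compare as strings (`[[ "$response" != "1" ]]`).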
@@ -0,0 +1,167 @@ +# Override the name of the chart, which in turn changes the name of the containers, services etc. +nameOverride: "" +fullnameOverride: "" + +replicas: 3 +port: 27017 + +## Setting this will skip the replicaset and user creation process during bootstrapping +skipInitialization: false + +replicaSetName: rs0 + +podDisruptionBudget: {} + # maxUnavailable: 1 + # minAvailable: 2 + +auth: + enabled: false + existingKeySecret: "" + existingAdminSecret: "" + existingMetricsSecret: "" + # adminUser: username + # adminPassword: password + # metricsUser: metrics + # metricsPassword: password + # key: keycontent + +## Optionally specify an array of imagePullSecrets. +## Secrets must be manually created in the namespace. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +## +imagePullSecrets: [] +# - myRegistrKeySecretName + +# Specs for the Docker image for the init container that establishes the replica set +installImage: + repository: unguiculus/mongodb-install + tag: 0.7 + pullPolicy: IfNotPresent + +# Specs for the Docker image for the copyConfig init container +copyConfigImage: + repository: busybox + tag: 1.29.3 + pullPolicy: IfNotPresent + +# Specs for the MongoDB image +image: + repository: mongo + tag: 3.6 + pullPolicy: IfNotPresent + +# Additional environment variables to be set in the container +extraVars: {} +# - name: TCMALLOC_AGGRESSIVE_DECOMMIT +# value: "true" + +# Prometheus Metrics Exporter +metrics: + enabled: false + image: + repository: bitnami/mongodb-exporter + tag: 0.10.0-debian-9-r71 + pullPolicy: IfNotPresent + port: 9216 + path: "/metrics" + socketTimeout: 3s + syncTimeout: 1m + prometheusServiceDiscovery: true + resources: {} + securityContext: + enabled: true + runAsUser: 1001 + +# Annotations to be added to MongoDB pods +podAnnotations: {} + +securityContext: + enabled: true + runAsUser: 999 + fsGroup: 999 + runAsNonRoot: true + +init: + resources: {} + timeout: 900 + +resources: {} +# 
limits: +# cpu: 500m +# memory: 512Mi +# requests: +# cpu: 100m +# memory: 256Mi + +## Node selector +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector +nodeSelector: {} + +affinity: {} + +tolerations: [] + +extraLabels: {} + +priorityClassName: "" + +persistentVolume: + enabled: true + ## mongodb-replicaset data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + accessModes: + - ReadWriteOnce + size: 10Gi + annotations: {} + +# Annotations to be added to the service +serviceAnnotations: {} + +terminationGracePeriodSeconds: 30 + +tls: + # Enable or disable MongoDB TLS support + enabled: false + # Set the SSL operation mode (disabled|allowSSL|preferSSL|requireSSL) + mode: requireSSL + # Please generate your own TLS CA by generating it via: + # $ openssl genrsa -out ca.key 2048 + # $ openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt -subj "/CN=mydomain.com" + # After that you can base64 encode it and paste it here: + # $ cat ca.key | base64 -w0 + # cacert: + # cakey: + +# Entries for the MongoDB config file +configmap: {} + +# Javascript code to execute on each replica at initContainer time +# This is the recommended way to create indexes on replicasets. +# Below is an example that creates indexes in foreground on each replica in standalone mode. 
+# ref: https://docs.mongodb.com/manual/tutorial/build-indexes-on-replica-sets/
+# initMongodStandalone: |+
+# db = db.getSiblingDB("mydb")
+# db.my_users.createIndex({email: 1})
+initMongodStandalone: ""
+
+# Readiness probe
+readinessProbe:
+ initialDelaySeconds: 5
+ timeoutSeconds: 1
+ failureThreshold: 3
+ periodSeconds: 10
+ successThreshold: 1
+
+# Liveness probe
+livenessProbe:
+ initialDelaySeconds: 30
+ timeoutSeconds: 5
+ failureThreshold: 3
+ periodSeconds: 10
+ successThreshold: 1
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/.helmignore b/charts/shipa/shipa/1.7.200/charts/mongodb/.helmignore
new file mode 100644
index 000000000..f0c131944
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/Chart.lock b/charts/shipa/shipa/1.7.200/charts/mongodb/Chart.lock
new file mode 100644
index 000000000..0d6f7a892
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+ repository: https://charts.bitnami.com/bitnami
+ version: 1.11.1
+digest: sha256:a000bcd4d4cdd813c67d633b5523b4a4cd478fb95f1cae665d9b0ba5c45b40e2
+generated: "2022-02-27T04:47:19.688036252Z"
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/Chart.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/Chart.yaml
new file mode 100644
index 000000000..e2c900829
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/Chart.yaml
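Review bot: the shipped defaults disable both access controls (`auth.enabled: false`, `tls.enabled: false`) while the StatefulSet starts mongod with `--bind_ip=0.0.0.0` behind a headless Service, so a default install is an unauthenticated, unencrypted database reachable from any pod in the cluster; if these defaults must stay, state it above `auth:`, e.g. `# WARNING: with auth and tls disabled mongod accepts unauthenticated connections from the whole cluster; enable both on any shared cluster.`. `image.tag: 3.6` pins a MongoDB release that is past end-of-life and no longer receives security fixes, which the comment above `image:` should flag. `installImage: unguiculus/mongodb-install:0.7` is a personal-namespace Docker Hub image selected by mutable tag, and it runs as an init container on every replica; pin it by digest or mirror it to a registry the chart owners control.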
@@ -0,0 +1,30 @@
+annotations:
+ category: Database
+apiVersion: v2
+appVersion: 4.4.12
+dependencies:
+- name: common
+ repository: https://charts.bitnami.com/bitnami
+ tags:
+ - bitnami-common
+ version: 1.x.x
+description: MongoDB(R) is a relational open source NoSQL database. Easy to use, it
+ stores data in JSON-like documents. Automated scalability and high-performance.
+ Ideal for developing cloud native applications.
+home: https://github.com/bitnami/charts/tree/master/bitnami/mongodb
+icon: https://bitnami.com/assets/stacks/mongodb/img/mongodb-stack-220x234.png
+keywords:
+- mongodb
+- database
+- nosql
+- cluster
+- replicaset
+- replication
+maintainers:
+- email: containers@bitnami.com
+ name: Bitnami
+name: mongodb
+sources:
+- https://github.com/bitnami/bitnami-docker-mongodb
+- https://mongodb.org
+version: 11.0.5
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/README.md b/charts/shipa/shipa/1.7.200/charts/mongodb/README.md
new file mode 100644
index 000000000..159aec54b
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/README.md
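Review bot: `appVersion: 4.4.12` in this Chart.yaml hunk disagrees with the default `image.tag` that the README hunk right after it documents (`4.4.11-debian-10-r12`), so one of the two is stale. That matters beyond cosmetics: `appVersion` is what `helm list` and chart-inventory/SBOM tooling report as the deployed server version, and a wrong value hides the real MongoDB build from vulnerability tracking. Since this is a vendored Bitnami subchart, the authoritative default lives in its values.yaml, which is outside this view; if the image really is 4.4.11, set `appVersion: 4.4.11` (or bump the image tag to match) and record the deviation from upstream in the Rancher-side chart metadata. The same check applies to the other vendored charts in this commit whose Chart.yaml and README were copied at different upstream revisions.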
@@ -0,0 +1,684 @@ + + +# MongoDB(R) packaged by Bitnami + +MongoDB(R) is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications. + +[Overview of MongoDB®](http://www.mongodb.org) + +Disclaimer: The respective trademarks mentioned in the offering are owned by the respective companies. We do not provide a commercial license for any of these products. This listing has an open-source license. MongoDB(R) is run and maintained by MongoDB, which is a completely separate project from Bitnami. + +## TL;DR + +```bash +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/mongodb +``` + +## Introduction + +This chart bootstraps a [MongoDB(®)](https://github.com/bitnami/bitnami-docker-mongodb) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with Fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```bash +$ helm install my-release bitnami/mongodb +``` + +The command deploys MongoDB(®) on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```bash +$ helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. 
+ +## Architecture + +This chart allows installing MongoDB(®) using two different architecture setups: `standalone` or `replicaset`. Use the `architecture` parameter to choose the one to use: + +```console +architecture="standalone" +architecture="replicaset" +``` + +Refer to the [chart documentation for more information on each of these architectures](https://docs.bitnami.com/kubernetes/infrastructure/mongodb/get-started/understand-architecture/). + +## Parameters + +### Global parameters + +| Name | Description | Value | +| -------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ----- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.namespaceOverride` | Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride | `""` | + + +### Common parameters + +| Name | Description | Value | +| ------------------------ | --------------------------------------------------------------------------------------------------------- | --------------- | +| `nameOverride` | String to partially override mongodb.fullname template (will maintain the release name) | `""` | +| `fullnameOverride` | String to fully override mongodb.fullname template | `""` | +| `clusterDomain` | Default Kubernetes cluster domain | `cluster.local` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | +| `commonLabels` | Add labels to all the deployed resources (sub-charts are not considered). Evaluated as a template | `{}` | +| `commonAnnotations` | Common annotations to add to all Mongo resources (sub-charts are not considered). 
Evaluated as a template | `{}` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | + + +### MongoDB(®) parameters + +| Name | Description | Value | +| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------- | ---------------------- | +| `image.registry` | MongoDB(®) image registry | `docker.io` | +| `image.repository` | MongoDB(®) image registry | `bitnami/mongodb` | +| `image.tag` | MongoDB(®) image tag (immutable tags are recommended) | `4.4.11-debian-10-r12` | +| `image.pullPolicy` | MongoDB(®) image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Set to true if you would like to see extra information on logs | `false` | +| `schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | +| `architecture` | MongoDB(®) architecture (`standalone` or `replicaset`) | `standalone` | +| `useStatefulSet` | Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) | `false` | +| `auth.enabled` | Enable authentication | `true` | +| `auth.rootUser` | MongoDB(®) root user | `root` | +| `auth.rootPassword` | MongoDB(®) root password | `""` | +| `auth.usernames` | List of custom users to be created during the initialization | `[]` | +| `auth.passwords` | List of passwords for the custom users set at `auth.usernames` | `[]` | +| `auth.databases` | List of custom databases to be created during the initialization | `[]` | +| `auth.username` | DEPRECATED: use `auth.usernames` instead | `""` | +| `auth.password` | DEPRECATED: use `auth.passwords` instead | `""` | +| 
`auth.database` | DEPRECATED: use `auth.databases` instead | `""` | +| `auth.replicaSetKey` | Key used for authentication in the replicaset (only when `architecture=replicaset`) | `""` | +| `auth.existingSecret` | Existing secret with MongoDB(®) credentials (keys: `mongodb-password`, `mongodb-root-password`, ` mongodb-replica-set-key`) | `""` | +| `tls.enabled` | Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes | `false` | +| `tls.autoGenerated` | Generate a custom CA and self-signed certificates | `true` | +| `tls.existingSecret` | Existing secret with TLS certificates (keys: `mongodb-ca-cert`, `mongodb-ca-key`, `client-pem`) | `""` | +| `tls.caCert` | Custom CA certificated (base64 encoded) | `""` | +| `tls.caKey` | CA certificate private key (base64 encoded) | `""` | +| `tls.image.registry` | Init container TLS certs setup image registry | `docker.io` | +| `tls.image.repository` | Init container TLS certs setup image repository | `bitnami/nginx` | +| `tls.image.tag` | Init container TLS certs setup image tag (immutable tags are recommended) | `1.21.5-debian-10-r12` | +| `tls.image.pullPolicy` | Init container TLS certs setup image pull policy | `IfNotPresent` | +| `tls.extraDnsNames` | Add extra dns names to the CA, can solve x509 auth issue for pod clients | `[]` | +| `tls.mode` | Allows to set the tls mode which should be used when tls is enabled (options: `allowTLS`, `preferTLS`, `requireTLS`) | `requireTLS` | +| `hostAliases` | Add deployment host aliases | `[]` | +| `replicaSetName` | Name of the replica set (only when `architecture=replicaset`) | `rs0` | +| `replicaSetHostnames` | Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`) | `true` | +| `enableIPv6` | Switch to enable/disable IPv6 on MongoDB(®) | `false` | +| `directoryPerDB` | Switch to enable/disable DirectoryPerDB on MongoDB(®) | `false` | +| `systemLogVerbosity` | MongoDB(®) system log verbosity level | `0` | 
+| `disableSystemLog` | Switch to enable/disable MongoDB(®) system log | `false` | +| `disableJavascript` | Switch to enable/disable MongoDB(®) server-side JavaScript execution | `false` | +| `enableJournal` | Switch to enable/disable MongoDB(®) Journaling | `true` | +| `configuration` | MongoDB(®) configuration file to be used for Primary and Secondary nodes | `""` | + + +### replicaSetConfigurationSettings settings applied during runtime (not via configuration file) + +| Name | Description | Value | +| ----------------------------------------------- | ----------------------------------------------------------------------------------------------- | ------- | +| `replicaSetConfigurationSettings.enabled` | Enable MongoDB(®) Switch to enable/disable configuring MongoDB(®) run time rs.conf settings | `false` | +| `replicaSetConfigurationSettings.configuration` | run-time rs.conf settings | `{}` | +| `existingConfigmap` | Name of existing ConfigMap with MongoDB(®) configuration for Primary and Secondary nodes | `""` | +| `initdbScripts` | Dictionary of initdb scripts | `{}` | +| `initdbScriptsConfigMap` | Existing ConfigMap with custom initdb scripts | `""` | +| `command` | Override default container command (useful when using custom images) | `[]` | +| `args` | Override default container args (useful when using custom images) | `[]` | +| `extraFlags` | MongoDB(®) additional command line flags | `[]` | +| `extraEnvVars` | Extra environment variables to add to MongoDB(®) pods | `[]` | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` | + + +### MongoDB(®) statefulset parameters + +| Name | Description | Value | +| --------------------------------------- | ------------------------------------------------------------------------------------------------------ | --------------- | +| `annotations` | Additional labels to be added to 
the MongoDB(®) statefulset. Evaluated as a template | `{}` | +| `labels` | Annotations to be added to the MongoDB(®) statefulset. Evaluated as a template | `{}` | +| `replicaCount` | Number of MongoDB(®) nodes (only when `architecture=replicaset`) | `2` | +| `strategyType` | StrategyType for MongoDB(®) statefulset | `RollingUpdate` | +| `podManagementPolicy` | Pod management policy for MongoDB(®) | `OrderedReady` | +| `podAffinityPreset` | MongoDB(®) Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | MongoDB(®) Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | MongoDB(®) Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | MongoDB(®) Node label key to match Ignored if `affinity` is set. | `""` | +| `nodeAffinityPreset.values` | MongoDB(®) Node label values to match. Ignored if `affinity` is set. 
| `[]` | +| `affinity` | MongoDB(®) Affinity for pod assignment | `{}` | +| `nodeSelector` | MongoDB(®) Node labels for pod assignment | `{}` | +| `tolerations` | MongoDB(®) Tolerations for pod assignment | `[]` | +| `topologySpreadConstraints` | MongoDB(®) Spread Constraints for Pods | `[]` | +| `podLabels` | MongoDB(®) pod labels | `{}` | +| `podAnnotations` | MongoDB(®) Pod annotations | `{}` | +| `priorityClassName` | Name of the existing priority class to be used by MongoDB(®) pod(s) | `""` | +| `runtimeClassName` | Name of the runtime class to be used by MongoDB(®) pod(s) | `""` | +| `podSecurityContext.enabled` | Enable MongoDB(®) pod(s)' Security Context | `true` | +| `podSecurityContext.fsGroup` | Group ID for the volumes of the MongoDB(®) pod(s) | `1001` | +| `podSecurityContext.sysctls` | sysctl settings of the MongoDB(®) pod(s)' | `[]` | +| `containerSecurityContext.enabled` | Enable MongoDB(®) container(s)' Security Context | `true` | +| `containerSecurityContext.runAsUser` | User ID for the MongoDB(®) container | `1001` | +| `containerSecurityContext.runAsNonRoot` | Set MongoDB(®) container's Security Context runAsNonRoot | `true` | +| `resources.limits` | The resources limits for MongoDB(®) containers | `{}` | +| `resources.requests` | The requested resources for MongoDB(®) containers | `{}` | +| `livenessProbe.enabled` | Enable livenessProbe | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period 
seconds for readinessProbe | `10` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `startupProbe.enabled` | Enable startupProbe | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `customLivenessProbe` | Override default liveness probe for MongoDB(®) containers | `{}` | +| `customReadinessProbe` | Override default readiness probe for MongoDB(®) containers | `{}` | +| `customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` | +| `initContainers` | Add additional init containers for the hidden node pod(s) | `[]` | +| `sidecars` | Add additional sidecar containers for the MongoDB(®) pod(s) | `[]` | +| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MongoDB(®) container(s) | `[]` | +| `extraVolumes` | Optionally specify extra list of additional volumes to the MongoDB(®) statefulset | `[]` | +| `pdb.create` | Enable/disable a Pod Disruption Budget creation for MongoDB(®) pod(s) | `false` | +| `pdb.minAvailable` | Minimum number/percentage of MongoDB(®) pods that must still be available after the eviction | `1` | +| `pdb.maxUnavailable` | Maximum number/percentage of MongoDB(®) pods that may be made unavailable after the eviction | `""` | + + +### Traffic exposure parameters + +| Name | Description | Value | +| -------------------------------------------------------- | 
--------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | +| `service.nameOverride` | MongoDB(®) service name | `""` | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.port` | MongoDB(®) service port | `27017` | +| `service.portName` | MongoDB(®) service port name | `mongodb` | +| `service.nodePort` | Port to bind to for NodePort and LoadBalancer service types | `""` | +| `service.clusterIP` | MongoDB(®) service cluster IP | `""` | +| `service.externalIPs` | Specify the externalIP value ClusterIP service type. | `[]` | +| `service.loadBalancerIP` | loadBalancerIP for MongoDB(®) Service | `""` | +| `service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | +| `service.annotations` | Provide any additional annotations that may be required | `{}` | +| `externalAccess.enabled` | Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture) | `false` | +| `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs by querying the K8s API | `false` | +| `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry | `docker.io` | +| `externalAccess.autoDiscovery.image.repository` | Init container auto-discovery image repository | `bitnami/kubectl` | +| `externalAccess.autoDiscovery.image.tag` | Init container auto-discovery image tag (immutable tags are recommended) | `1.23.1-debian-10-r23` | +| `externalAccess.autoDiscovery.image.pullPolicy` | Init container auto-discovery image pull policy | `IfNotPresent` | +| `externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets | `[]` | +| `externalAccess.autoDiscovery.resources.limits` | Init container auto-discovery resource limits | `{}` | +| `externalAccess.autoDiscovery.resources.requests` | Init 
container auto-discovery resource requests | `{}` | +| `externalAccess.service.type` | Kubernetes Service type for external access. Allowed values: NodePort, LoadBalancer or ClusterIP | `LoadBalancer` | +| `externalAccess.service.port` | MongoDB(®) port used for external access when service type is LoadBalancer | `27017` | +| `externalAccess.service.loadBalancerIPs` | Array of load balancer IPs for MongoDB(®) nodes | `[]` | +| `externalAccess.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | +| `externalAccess.service.nodePorts` | Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort | `[]` | +| `externalAccess.service.domain` | Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort | `""` | +| `externalAccess.service.annotations` | Service annotations for external access | `{}` | +| `externalAccess.hidden.enabled` | Enable Kubernetes external cluster access to MongoDB(®) hidden nodes | `false` | +| `externalAccess.hidden.service.type` | Kubernetes Service type for external access. Allowed values: NodePort or LoadBalancer | `LoadBalancer` | +| `externalAccess.hidden.service.port` | MongoDB(®) port used for external access when service type is LoadBalancer | `27017` | +| `externalAccess.hidden.service.loadBalancerIPs` | Array of load balancer IPs for MongoDB(®) nodes | `[]` | +| `externalAccess.hidden.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | +| `externalAccess.hidden.service.nodePorts` | Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort. 
Length must be the same as replicaCount | `[]` | +| `externalAccess.hidden.service.domain` | Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort | `""` | +| `externalAccess.hidden.service.annotations` | Service annotations for external access | `{}` | + + +### Persistence parameters + +| Name | Description | Value | +| --------------------------------------------- | ---------------------------------------------------------------------------------- | ------------------- | +| `persistence.enabled` | Enable MongoDB(®) data persistence using PVC | `true` | +| `persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | +| `persistence.storageClass` | PVC Storage Class for MongoDB(®) data volume | `""` | +| `persistence.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `persistence.size` | PVC Storage Request for MongoDB(®) data volume | `8Gi` | +| `persistence.annotations` | PVC annotations | `{}` | +| `persistence.mountPath` | Path to mount the volume at | `/bitnami/mongodb` | +| `persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `persistence.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. 
when using local volumes) | `{}` | +| `persistence.volumeClaimTemplates.requests` | Custom PVC requests attributes | `{}` | +| `persistence.volumeClaimTemplates.dataSource` | Add dataSource to the VolumeClaimTemplate | `{}` | + + +### RBAC parameters + +| Name | Description | Value | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `serviceAccount.create` | Enable creation of ServiceAccount for MongoDB(®) pods | `true` | +| `serviceAccount.name` | Name of the created serviceAccount | `""` | +| `serviceAccount.annotations` | Additional Service Account annotations | `{}` | +| `rbac.create` | Whether to create & use RBAC resources or not | `false` | +| `rbac.role.rules` | Custom rules to create following the role specification | `[]` | +| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | +| `podSecurityPolicy.allowPrivilegeEscalation` | Enable privilege escalation | `false` | +| `podSecurityPolicy.privileged` | Allow privileged | `false` | +| `podSecurityPolicy.spec` | Specify the full spec to use for Pod Security Policy | `{}` | + + +### Volume Permissions parameters + +| Name | Description | Value | +| --------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` | +| 
`volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `10-debian-10-r304` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | +| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | +| `volumePermissions.securityContext.runAsUser` | User ID for the volumePermissions container | `0` | + + +### Arbiter parameters + +| Name | Description | Value | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------- | +| `arbiter.enabled` | Enable deploying the arbiter | `true` | +| `arbiter.configuration` | Arbiter configuration file to be used | `""` | +| `arbiter.hostAliases` | Add deployment host aliases | `[]` | +| `arbiter.existingConfigmap` | Name of existing ConfigMap with Arbiter configuration | `""` | +| `arbiter.command` | Override default container command (useful when using custom images) | `[]` | +| `arbiter.args` | Override default container args (useful when using custom images) | `[]` | +| `arbiter.extraFlags` | Arbiter additional command line flags | `[]` | +| `arbiter.extraEnvVars` | Extra environment variables to add to Arbiter pods | `[]` | +| `arbiter.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `arbiter.extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` | +| `arbiter.annotations` | Additional labels to be added to the Arbiter statefulset | `{}` | +| `arbiter.labels` | Annotations to be added to the Arbiter statefulset | `{}` | +| `arbiter.podAffinityPreset` | Arbiter Pod affinity preset. 
Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `arbiter.podAntiAffinityPreset` | Arbiter Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `arbiter.nodeAffinityPreset.type` | Arbiter Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `arbiter.nodeAffinityPreset.key` | Arbiter Node label key to match Ignored if `affinity` is set. | `""` | +| `arbiter.nodeAffinityPreset.values` | Arbiter Node label values to match. Ignored if `affinity` is set. | `[]` | +| `arbiter.affinity` | Arbiter Affinity for pod assignment | `{}` | +| `arbiter.nodeSelector` | Arbiter Node labels for pod assignment | `{}` | +| `arbiter.tolerations` | Arbiter Tolerations for pod assignment | `[]` | +| `arbiter.podLabels` | Arbiter pod labels | `{}` | +| `arbiter.podAnnotations` | Arbiter Pod annotations | `{}` | +| `arbiter.priorityClassName` | Name of the existing priority class to be used by Arbiter pod(s) | `""` | +| `arbiter.runtimeClassName` | Name of the runtime class to be used by Arbiter pod(s) | `""` | +| `arbiter.podSecurityContext.enabled` | Enable Arbiter pod(s)' Security Context | `true` | +| `arbiter.podSecurityContext.fsGroup` | Group ID for the volumes of the Arbiter pod(s) | `1001` | +| `arbiter.podSecurityContext.sysctls` | sysctl settings of the Arbiter pod(s)' | `[]` | +| `arbiter.containerSecurityContext.enabled` | Enable Arbiter container(s)' Security Context | `true` | +| `arbiter.containerSecurityContext.runAsUser` | User ID for the Arbiter container | `1001` | +| `arbiter.resources.limits` | The resources limits for Arbiter containers | `{}` | +| `arbiter.resources.requests` | The requested resources for Arbiter containers | `{}` | +| `arbiter.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `arbiter.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `arbiter.livenessProbe.periodSeconds` | 
Period seconds for livenessProbe | `10` | +| `arbiter.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `arbiter.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `arbiter.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `arbiter.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `arbiter.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `arbiter.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `arbiter.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `arbiter.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `arbiter.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `arbiter.customLivenessProbe` | Override default liveness probe for Arbiter containers | `{}` | +| `arbiter.customReadinessProbe` | Override default readiness probe for Arbiter containers | `{}` | +| `arbiter.initContainers` | Add additional init containers for the Arbiter pod(s) | `[]` | +| `arbiter.sidecars` | Add additional sidecar containers for the Arbiter pod(s) | `[]` | +| `arbiter.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Arbiter container(s) | `[]` | +| `arbiter.extraVolumes` | Optionally specify extra list of additional volumes to the Arbiter statefulset | `[]` | +| `arbiter.pdb.create` | Enable/disable a Pod Disruption Budget creation for Arbiter pod(s) | `false` | +| `arbiter.pdb.minAvailable` | Minimum number/percentage of Arbiter pods that should remain scheduled | `1` | +| `arbiter.pdb.maxUnavailable` | Maximum number/percentage of Arbiter pods that may be made unavailable | `""` | +| `arbiter.service.nameOverride` | The arbiter service name | `""` | + + +### Hidden Node parameters + +| Name | Description | Value | +| ---------------------------------------------------- | 
---------------------------------------------------------------------------------------------------- | ------------------- | +| `hidden.enabled` | Enable deploying the hidden nodes | `false` | +| `hidden.configuration` | Hidden node configuration file to be used | `""` | +| `hidden.existingConfigmap` | Name of existing ConfigMap with Hidden node configuration | `""` | +| `hidden.command` | Override default container command (useful when using custom images) | `[]` | +| `hidden.args` | Override default container args (useful when using custom images) | `[]` | +| `hidden.extraFlags` | Hidden node additional command line flags | `[]` | +| `hidden.extraEnvVars` | Extra environment variables to add to Hidden node pods | `[]` | +| `hidden.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `hidden.extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` | +| `hidden.annotations` | Additional labels to be added to thehidden node statefulset | `{}` | +| `hidden.labels` | Annotations to be added to the hidden node statefulset | `{}` | +| `hidden.replicaCount` | Number of hidden nodes (only when `architecture=replicaset`) | `1` | +| `hidden.strategyType` | StrategyType for hidden node statefulset | `RollingUpdate` | +| `hidden.podManagementPolicy` | Pod management policy for hidden node | `OrderedReady` | +| `hidden.podAffinityPreset` | Hidden node Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `hidden.podAntiAffinityPreset` | Hidden node Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `hidden.nodeAffinityPreset.type` | Hidden Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `hidden.nodeAffinityPreset.key` | Hidden Node label key to match Ignored if `affinity` is set. 
| `""` | +| `hidden.nodeAffinityPreset.values` | Hidden Node label values to match. Ignored if `affinity` is set. | `[]` | +| `hidden.affinity` | Hidden node Affinity for pod assignment | `{}` | +| `hidden.nodeSelector` | Hidden node Node labels for pod assignment | `{}` | +| `hidden.tolerations` | Hidden node Tolerations for pod assignment | `[]` | +| `hidden.podLabels` | Hidden node pod labels | `{}` | +| `hidden.podAnnotations` | Hidden node Pod annotations | `{}` | +| `hidden.priorityClassName` | Name of the existing priority class to be used by hidden node pod(s) | `""` | +| `hidden.runtimeClassName` | Name of the runtime class to be used by hidden node pod(s) | `""` | +| `hidden.resources.limits` | The resources limits for hidden node containers | `{}` | +| `hidden.resources.requests` | The requested resources for hidden node containers | `{}` | +| `hidden.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `hidden.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `hidden.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `hidden.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `hidden.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `hidden.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `hidden.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `hidden.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `hidden.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `hidden.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `hidden.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `hidden.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `hidden.customLivenessProbe` | Override default liveness probe for hidden node containers | `{}` 
| +| `hidden.customReadinessProbe` | Override default readiness probe for hidden node containers | `{}` | +| `hidden.initContainers` | Add init containers to the MongoDB(®) Hidden pods. | `[]` | +| `hidden.sidecars` | Add additional sidecar containers for the hidden node pod(s) | `[]` | +| `hidden.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the hidden node container(s) | `[]` | +| `hidden.extraVolumes` | Optionally specify extra list of additional volumes to the hidden node statefulset | `[]` | +| `hidden.pdb.create` | Enable/disable a Pod Disruption Budget creation for hidden node pod(s) | `false` | +| `hidden.pdb.minAvailable` | Minimum number/percentage of hidden node pods that should remain scheduled | `1` | +| `hidden.pdb.maxUnavailable` | Maximum number/percentage of hidden node pods that may be made unavailable | `""` | +| `hidden.persistence.enabled` | Enable hidden node data persistence using PVC | `true` | +| `hidden.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `hidden.persistence.storageClass` | PVC Storage Class for hidden node data volume | `""` | +| `hidden.persistence.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `hidden.persistence.size` | PVC Storage Request for hidden node data volume | `8Gi` | +| `hidden.persistence.annotations` | PVC annotations | `{}` | +| `hidden.persistence.mountPath` | The path the volume will be mounted at, useful when using different MongoDB(®) images. | `/bitnami/mongodb` | +| `hidden.persistence.subPath` | The subdirectory of the volume to mount to, useful in dev environments | `""` | +| `hidden.persistence.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. 
when using local volumes) | `{}` | +| `hidden.persistence.volumeClaimTemplates.dataSource` | Set volumeClaimTemplate dataSource | `{}` | + + +### Metrics parameters + +| Name | Description | Value | +| -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `metrics.enabled` | Enable using a sidecar Prometheus exporter | `false` | +| `metrics.image.registry` | MongoDB(®) Prometheus exporter image registry | `docker.io` | +| `metrics.image.repository` | MongoDB(®) Prometheus exporter image repository | `bitnami/mongodb-exporter` | +| `metrics.image.tag` | MongoDB(®) Prometheus exporter image tag (immutable tags are recommended) | `0.30.0-debian-10-r53` | +| `metrics.image.pullPolicy` | MongoDB(®) Prometheus exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.username` | String with username for the metrics exporter | `""` | +| `metrics.password` | String with password for the metrics exporter | `""` | +| `metrics.extraFlags` | String with extra flags to the metrics exporter | `""` | +| `metrics.extraUri` | Additional URI options of the metrics service | `""` | +| `metrics.resources.limits` | The resources limits for Prometheus exporter containers | `{}` | +| `metrics.resources.requests` | The requested resources for Prometheus exporter containers | `{}` | +| `metrics.containerPort` | Port of the Prometheus metrics container | `9216` | +| `metrics.service.annotations` | Annotations for Prometheus Exporter pods. Evaluated as a template. 
| `{}` | +| `metrics.service.type` | Type of the Prometheus metrics service | `ClusterIP` | +| `metrics.service.port` | Port of the Prometheus metrics service | `9216` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabellings` | RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricsRelabelConfigs to apply to samples before ingestion. 
| `[]` | +| `metrics.serviceMonitor.additionalLabels` | Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with | `{}` | +| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.namespace` | Namespace where prometheusRules resource should be created | `""` | +| `metrics.prometheusRule.rules` | Rules to be created, check values for an example | `{}` | + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```bash +$ helm install my-release \ + --set auth.rootPassword=secretpassword,auth.username=my-user,auth.password=my-password,auth.database=my-database \ + bitnami/mongodb +``` + +The above command sets the MongoDB(®) `root` account password to `secretpassword`. Additionally, it creates a standard database user named `my-user`, with the password `my-password`, who has access to a database named `my-database`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. 
For example, + +```bash +$ helm install my-release -f values.yaml bitnami/mongodb +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling vs Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Customize a new MongoDB instance + +The [Bitnami MongoDB(®) image](https://github.com/bitnami/bitnami-docker-mongodb) supports the use of custom scripts to initialize a fresh instance. In order to execute the scripts, two options are available: + +* Specify them using the `initdbScripts` parameter as dict. +* Define an external Kubernetes ConfigMap with all the initialization scripts by setting the `initdbScriptsConfigMap` parameter. Note that this will override the previous option. + +The allowed script extensions are `.sh` and `.js`. + +### Replicaset: Access MongoDB(®) nodes from outside the cluster + +In order to access MongoDB(®) nodes from outside the cluster when using a replicaset architecture, a specific service per MongoDB(®) pod will be created. There are two ways of configuring external access: + +- Using LoadBalancer services +- Using NodePort services. + +Refer to the [chart documentation for more details and configuration examples](https://docs.bitnami.com/kubernetes/infrastructure/mongodb/configuration/configure-external-access-replicaset/). + +### Add extra environment variables + +To add extra environment variables (useful for advanced operations like custom init scripts), use the `extraEnvVars` property. 
+ +```yaml +extraEnvVars: + - name: LOG_LEVEL + value: error +``` + +Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` properties. + +### Use Sidecars and Init Containers + +If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter. Similarly, extra init containers can be added using the `initContainers` parameter. + +Refer to the chart documentation for more information on, and examples of, configuring and using [sidecars and init containers](https://docs.bitnami.com/kubernetes/infrastructure/mongodb/configuration/configure-sidecar-init-containers/). + +## Persistence + +The [Bitnami MongoDB(®)](https://github.com/bitnami/bitnami-docker-mongodb) image stores the MongoDB(®) data and configurations at the `/bitnami/mongodb` path of the container. + +The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) at this location. The volume is created using dynamic volume provisioning. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). + +## Use custom Prometheus rules + +Custom Prometheus rules can be defined for the Prometheus Operator by using the `prometheusRule` parameter. + +Refer to the [chart documentation for an example of a custom rule](https://docs.bitnami.com/kubernetes/infrastructure/mongodb/administration/use-prometheus-rules/). + +## Enable SSL/TLS + +This chart supports enabling SSL/TLS between nodes in the cluster, as well as between MongoDB(®) clients and nodes, by setting the `MONGODB_EXTRA_FLAGS` and `MONGODB_CLIENT_EXTRA_FLAGS` container environment variables, together with the correct `MONGODB_ADVERTISED_HOSTNAME`. 
To enable full TLS encryption, set the `tls.enabled` parameter to `true`. + +Refer to the [chart documentation for more information on enabling TLS](https://docs.bitnami.com/kubernetes/infrastructure/mongodb/administration/enable-tls/). + +### Set Pod affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +If authentication is enabled, it's necessary to set the `auth.rootPassword` (also `auth.replicaSetKey` when using a replicaset architecture) when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use under the 'Credentials' section. Please note down the password, and run the command below to upgrade your chart: + +```bash +$ helm upgrade my-release bitnami/mongodb --set auth.rootPassword=[PASSWORD] (--set auth.replicaSetKey=[REPLICASETKEY]) +``` + +> Note: you need to substitute the placeholders [PASSWORD] and [REPLICASETKEY] with the values obtained in the installation notes. 
+ +### To 11.0.0 + +In this version, the mongodb-exporter bundled as part of this Helm chart was updated to a new version which, even it is not a major change, can contain breaking changes (from `0.11.X` to `0.30.X`). +Please visit the release notes from the upstream project at https://github.com/percona/mongodb_exporter/releases + +### To 10.0.0 + +[On November 13, 2020, Helm v2 support formally ended](https://github.com/helm/charts#status-of-the-project). This major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/infrastructure/mongodb/administration/upgrade-helm3/). + +### To 9.0.0 + +MongoDB(®) container images were updated to `4.4.x` and it can affect compatibility with older versions of MongoDB(®). Refer to the following guides to upgrade your applications: + +- [Standalone](https://docs.mongodb.com/manual/release-notes/4.4-upgrade-standalone/) +- [Replica Set](https://docs.mongodb.com/manual/release-notes/4.4-upgrade-replica-set/) + +### To 8.0.0 + +- Architecture used to configure MongoDB(®) as a replicaset was completely refactored. Now, both primary and secondary nodes are part of the same statefulset. +- Chart labels were adapted to follow the Helm charts best practices. +- This version introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/master/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade. +- Several parameters were renamed or disappeared in favor of new ones on this major version. 
These are the most important ones: + - `replicas` is renamed to `replicaCount`. + - Authentication parameters are reorganized under the `auth.*` parameter: + - `usePassword` is renamed to `auth.enabled`. + - `mongodbRootPassword`, `mongodbUsername`, `mongodbPassword`, `mongodbDatabase`, and `replicaSet.key` are now `auth.rootPassword`, `auth.username`, `auth.password`, `auth.database`, and `auth.replicaSetKey` respectively. + - `securityContext.*` is deprecated in favor of `podSecurityContext` and `containerSecurityContext`. + - Parameters prefixed with `mongodb` are renamed removing the prefix. E.g. `mongodbEnableIPv6` is renamed to `enableIPv6`. + - Parameters affecting Arbiter nodes are reorganized under the `arbiter.*` parameter. + +Consequences: + +- Backwards compatibility is not guaranteed. To upgrade to `8.0.0`, install a new release of the MongoDB(®) chart, and migrate your data by creating a backup of the database, and restoring it on the new release. + +### To 7.0.0 + +From this version, the way of setting the ingress rules has changed. Instead of using `ingress.paths` and `ingress.hosts` as separate objects, you should now define the rules as objects inside the `ingress.hosts` value, for example: + +```yaml +ingress: + hosts: + - name: mongodb.local + path: / +``` + +### To 6.0.0 + +From this version, `mongodbEnableIPv6` is set to `false` by default in order to work properly in most k8s clusters, if you want to use IPv6 support, you need to set this variable to `true` by adding `--set mongodbEnableIPv6=true` to your `helm` command. +You can find more information in the [`bitnami/mongodb` image README](https://github.com/bitnami/bitnami-docker-mongodb/blob/master/README.md). + +### To 5.0.0 + +When enabling replicaset configuration, backwards compatibility is not guaranteed unless you modify the labels used on the chart's statefulsets. +Use the workaround below to upgrade from versions previous to 5.0.0. 
The following example assumes that the release name is `my-release`:
+
+```console
+$ kubectl delete statefulset my-release-mongodb-arbiter my-release-mongodb-primary my-release-mongodb-secondary --cascade=false
+```
+
+### Add extra deployment options
+
+To add extra deployments (useful for advanced features like sidecars), use the `extraDeploy` property.
+
+In the example below, you can find how to use a example here for a [MongoDB replica set pod labeler sidecar](https://github.com/combor/k8s-mongo-labeler-sidecar) to identify the primary pod and dynamically label it as the primary node:
+
+```yaml
+extraDeploy:
+ - apiVersion: v1
+ kind: Service
+ metadata:
+ name: mongodb-primary
+ namespace: default
+ labels:
+ app.kubernetes.io/component: mongodb
+ app.kubernetes.io/instance: mongodb
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mongodb
+ spec:
+ type: NodePort
+ externalTrafficPolicy: Cluster
+ ports:
+ - name: mongodb-primary
+ port: 30001
+ nodePort: 30001
+ protocol: TCP
+ targetPort: mongodb
+ selector:
+ app.kubernetes.io/component: mongodb
+ app.kubernetes.io/instance: mongodb
+ app.kubernetes.io/name: mongodb
+ primary: "true"
+```
+
+## License
+
+Copyright © 2022 Bitnami
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
\ No newline at end of file
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/.helmignore b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/.helmignore
new file mode 100644
index 000000000..50af03172
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/Chart.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/Chart.yaml
new file mode 100644
index 000000000..87226649a
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/Chart.yaml
@@ -0,0 +1,23 @@
+annotations:
+ category: Infrastructure
+apiVersion: v2
+appVersion: 1.11.1
+description: A Library Helm Chart for grouping common logic between bitnami charts.
+ This chart is not deployable by itself.
+home: https://github.com/bitnami/charts/tree/master/bitnami/common
+icon: https://bitnami.com/downloads/logos/bitnami-mark.png
+keywords:
+- common
+- helper
+- template
+- function
+- bitnami
+maintainers:
+- email: containers@bitnami.com
+ name: Bitnami
+name: common
+sources:
+- https://github.com/bitnami/charts
+- https://www.bitnami.com/
+type: library
+version: 1.11.1
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/README.md b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/README.md
new file mode 100644
index 000000000..da84c426d
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/README.md
@@ -0,0 +1,345 @@
+# Bitnami Common Library Chart
+
+A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts.
+
+## TL;DR
+
+```yaml
+dependencies:
+ - name: common
+ version: 0.x.x
+ repository: https://charts.bitnami.com/bitnami
+```
+
+```bash
+$ helm dependency update
+```
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.names.fullname" . }}
+data:
+ myvalue: "Hello World"
+```
+
+## Introduction
+
+This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
+
+Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.2.0+
+
+## Parameters
+
+The following table lists the helpers available in the library which are scoped in different sections.
+ +### Affinities + +| Helper identifier | Description | Expected Input | +|-------------------------------|------------------------------------------------------|------------------------------------------------| +| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.node.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.pod.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pod.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | + +### Capabilities + +| Helper identifier | Description | Expected Input | +|------------------------------------------------|------------------------------------------------------------------------------------------------|-------------------| +| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | +| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | +| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | +| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | +| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | +| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. 
| `.` Chart context | +| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context | +| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | + +### Errors + +| Helper identifier | Description | Expected Input | +|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | + +### Images + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------| +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. 
| +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | +| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` | + +### Ingress + +| Helper identifier | Description | Expected Input | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | +| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context | +| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context | +| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` | + +### Labels + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|-------------------| +| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Return the proper Docker Image Registry Secret Names | `.` Chart context | + +### 
Names + +| Helper identifier | Description | Expected Input | +|-------------------------|------------------------------------------------------------|-------------------| +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | + +### Secrets + +| Helper identifier | Description | Expected Input | +|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | +| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. | +| `common.secrets.exists` | Returns whether a previous generated secret already exists. 
| `dict "secret" "secret-name" "context" $` | + +### Storage + +| Helper identifier | Description | Expected Input | +|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------| +| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | + +### TplValues + +| Helper identifier | Description | Expected Input | +|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | + +### Utils + +| Helper identifier | Description | Expected Input | +|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------| +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. 
| `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | +| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | +| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | + +### Validations + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. 
| +| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | +| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis™ are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | +| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | +| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | + +### Warnings + +| Helper identifier | Description | Expected Input | +|------------------------------|----------------------------------|------------------------------------------------------------| +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. 
| + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets (evaluated as templates). + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. 
+ type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +$ helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. 
To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. 
+- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +## License + +Copyright © 2022 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_affinities.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_affinities.tpl new file mode 100644 index 000000000..189ea403d --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_affinities.tpl 
@@ -0,0 +1,102 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . 
-}} + {{- end -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname + weight: 1 +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . 
-}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_capabilities.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_capabilities.tpl new file mode 100644 index 000000000..b94212bbe --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_capabilities.tpl 
@@ -0,0 +1,128 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- if .Values.global }} + {{- if .Values.global.kubeVersion }} + {{- .Values.global.kubeVersion -}} + {{- else }} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} + {{- end -}} +{{- else }} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) 
-}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- if .Values.ingress -}} +{{- if .Values.ingress.apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. 
+This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error.
+**To be removed when the catalog's minimun Helm version is 3.3**
+*/}}
+{{- define "common.capabilities.supportsHelmVersion" -}}
+{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_errors.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_errors.tpl
new file mode 100644
index 000000000..a79cc2e32
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_errors.tpl
@@ -0,0 +1,23 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Through error when upgrading using empty passwords values that must not be empty.
+
+Usage:
+{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
+{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
+{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
+
+Required password params:
+ - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
+ - context - Context - Required. Parent context.
+*/}}
+{{- define "common.errors.upgrade.passwords.empty" -}}
+ {{- $validationErrors := join "" .validationErrors -}}
+ {{- if and $validationErrors .context.Release.IsUpgrade -}}
+ {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}}
+ {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}}
+ {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}}
+ {{- $errorString = print $errorString "\n%s" -}}
+ {{- printf $errorString $validationErrors | fail -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_images.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_images.tpl
new file mode 100644
index 000000000..42ffbc722
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_images.tpl
@@ -0,0 +1,75 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $tag := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = .global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if $registryName }} +{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- else -}} +{{- printf "%s:%s" $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- if .global }} + {{- range .global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- if $context.Values.global }} + {{- range $context.Values.global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . 
"context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_ingress.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_ingress.tpl new file mode 100644 index 000000000..8caf73a61 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_ingress.tpl 
@@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the ingressClassname field is supported +Usage: +{{ include "common.ingress.supportsIngressClassname" . }} +*/}} +{{- define "common.ingress.supportsIngressClassname" -}} +{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) 
-}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if cert-manager required annotations for TLS signed +certificates are set in the Ingress annotations +Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations +Usage: +{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} +*/}} +{{- define "common.ingress.certManagerRequest" -}} +{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_labels.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_labels.tpl new file mode 100644 index 000000000..252066c7e --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_labels.tpl @@ -0,0 +1,18 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes standard labels +*/}} +{{- define "common.labels.standard" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +*/}} +{{- define "common.labels.matchLabels" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_names.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_names.tpl new file mode 100644 index 000000000..cf0323171 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_names.tpl 
@@ -0,0 +1,52 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified dependency name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +Usage: +{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} +*/}} +{{- define "common.names.dependency.fullname" -}} +{{- if .chartValues.fullnameOverride -}} +{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .chartName .chartValues.nameOverride -}} +{{- if contains $name .context.Release.Name -}} +{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} 
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_secrets.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_secrets.tpl
new file mode 100644
index 000000000..a1afc1195
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_secrets.tpl
@@ -0,0 +1,131 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. 
+*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. 
+*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secretData := (lookup "v1" "Secret" $.context.Release.Namespace .secret).data }} +{{- if $secretData }} + {{- if hasKey $secretData .key }} + {{- $password = index $secretData .key }} + {{- else }} + {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- end -}} +{{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString | b64enc | quote }} +{{- else }} + + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- else }} + {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- end }} +{{- end -}} +{{- printf "%s" $password -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ 
include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_storage.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_storage.tpl new file mode 100644 index 000000000..60e2a844f --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_storage.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} + +{{- $storageClass := .persistence.storageClass -}} +{{- if .global -}} + {{- if .global.storageClass -}} + {{- $storageClass = .global.storageClass -}} + {{- end -}} +{{- end -}} + +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_tplvalues.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_tplvalues.tpl new file mode 100644 index 000000000..2db166851 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_tplvalues.tpl 
@@ -0,0 +1,13 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "common.tplvalues.render" -}}
+ {{- if typeIs "string" .value }}
+ {{- tpl .value .context }}
+ {{- else }}
+ {{- tpl (.value | toYaml) .context }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_utils.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_utils.tpl
new file mode 100644
index 000000000..ea083a249
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_utils.tpl
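Review bot: `common.tplvalues.render` hands the value straight to `tpl`, so anything that reaches `.Values` through this helper (pull-secret names via `renderPullSecrets`, and whatever the consuming chart routes through it) is evaluated as a full Go template with access to `lookup`, `.Files` and the whole release context, executing with the Helm client's cluster credentials. That is fine when the installer owns the values file, but where tenants or an automated pipeline can set values for this release it is a template-injection surface: roughly, a value of `{{ (lookup "v1" "Secret" "kube-system" "").items }}` would render every Secret the installer's RBAC can read into the manifest. This is the vendored bitnami `common` library, so the helper should stay as is; the caveat belongs in the consuming chart's values documentation — values routed through `tpl` must come from a trusted source, and rendering untrusted values with `helm template` under a least-privilege kubeconfig (where `lookup` returns empty) is the safer path.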
@@ -0,0 +1,62 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . 
"context" $.context ) }}
+ {{- if $value -}}
+ {{- $key = . }}
+ {{- end -}}
+{{- end -}}
+{{- printf "%s" $key -}}
+{{- end -}}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_warnings.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_warnings.tpl
new file mode 100644
index 000000000..ae10fa41e
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/_warnings.tpl
@@ -0,0 +1,14 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Warning about using rolling tag.
+Usage:
+{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }}
+*/}}
+{{- define "common.warnings.rollingTag" -}}
+
+{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
+WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
+{{- end }}
+
+{{- end -}}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_cassandra.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_cassandra.tpl
new file mode 100644
index 000000000..ded1ae3bc
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_cassandra.tpl
@@ -0,0 +1,72 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Cassandra required passwords are not empty. + +Usage: +{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.cassandra.passwords" -}} + {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} + {{- $enabled := include "common.cassandra.values.enabled" . -}} + {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} + {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. 
+ +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_mariadb.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_mariadb.tpl new file mode 100644 index 000000000..b6906ff77 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_mariadb.tpl 
@@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- 
$requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. 
Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_mongodb.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_mongodb.tpl new file mode 100644 index 000000000..a071ea4d3 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_mongodb.tpl 
@@ -0,0 +1,108 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MongoDB® required passwords are not empty. + +Usage: +{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mongodb.passwords" -}} + {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mongodb.values.enabled" . -}} + {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} + {{- $architecture := include "common.mongodb.values.architecture" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} + {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} + + {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} + {{- if and $valueUsername $valueDatabase -}} + {{- 
$requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replicaset") -}} + {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. 
Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_postgresql.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_postgresql.tpl new file mode 100644 index 000000000..164ec0d01 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_postgresql.tpl 
@@ -0,0 +1,129 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate PostgreSQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . -}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- if (eq $enabledReplication "true") -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to decide whether evaluate global values. 
+ +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. 
Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_redis.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_redis.tpl new file mode 100644 index 000000000..5d72959b9 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_redis.tpl 
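Review bot: `common.postgresql.values.key.postgressPassword` decides which password key to validate by probing `global.postgresql.postgresqlUsername`, yet the key it returns in that case is `global.postgresql.postgresqlPassword`; a deployment that sets only the global username and keeps the password under `postgresql.postgresqlPassword` is told its password is empty, and one that sets only the global password is asked for a local one that is never used. Unless the consuming chart deliberately couples the two keys, the probe should be on the key that is returned: `{{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlPassword" "context" .context) -}}`. I cannot see the postgresql chart that resolves the password at runtime from here, so this needs confirming against its own password helper before changing.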
@@ -0,0 +1,76 @@ + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Redis™ required passwords are not empty. + +Usage: +{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.redis.passwords" -}} + {{- $enabled := include "common.redis.values.enabled" . -}} + {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} + {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} + + {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} + {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} + + {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} + {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} + {{- if eq $useAuth "true" -}} + {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- 
end -}} + +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} + +{{/* +Checks whether the redis chart's includes the standarizations (version >= 14) + +Usage: +{{ include "common.redis.values.standarized.version" (dict "context" $) }} +*/}} +{{- define "common.redis.values.standarized.version" -}} + + {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} + {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} + + {{- if $standarizedAuthValues -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_validations.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_validations.tpl new file mode 100644 index 000000000..9a814cf40 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/templates/validations/_validations.tpl 
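Review bot: The password check in `common.validations.values.redis.passwords` can never run: the guard `(or (not $existingSecret) (eq $existingSecret "\"\""))` tests `$existingSecret`, which at that point holds the key path (`redis.auth.existingSecret` or `existingSecret`) rather than the value, so `not $existingSecret` is always false and the quoted-empty comparison never matches, while `$existingSecretValue`, which does hold the resolved value, is computed and then unused. As a result an empty `auth.password` with `auth.enabled: true` passes validation silently instead of failing the install. Change the guard to `{{- if and (not $existingSecretValue) (eq $enabled "true") -}}`, which also matches the other validators in this directory, which test the resolved secret name rather than the key.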
@@ -0,0 +1,46 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." 
.subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/values.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/values.yaml new file mode 100644 index 000000000..f2df68e5e --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/charts/common/values.yaml @@ -0,0 +1,5 @@ +## bitnami/common +## It is required by CI/CD tools and processes. +## @skip exampleValue +## +exampleValue: common-chart diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/ci/values-replicaset-with-rbac.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/ci/values-replicaset-with-rbac.yaml new file mode 100644 index 000000000..a8b62e27c --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/ci/values-replicaset-with-rbac.yaml @@ -0,0 +1,8 @@ +architecture: replicaset +replicaCount: 3 +pdb: + create: true +rbac: + create: true +serviceAccount: + create: true diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/NOTES.txt b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/NOTES.txt new file mode 100644 index 000000000..d3b3b91bc --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/NOTES.txt 
@@ -0,0 +1,204 @@ +CHART NAME: {{ .Chart.Name }} +CHART VERSION: {{ .Chart.Version }} +APP VERSION: {{ .Chart.AppVersion }} + +{{- if .Values.diagnosticMode.enabled }} +The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: + + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} + +Get the list of pods by executing: + + kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + +Access the pod you want to debug by executing + + kubectl exec --namespace {{ .Release.Namespace }} -ti -- bash + +In order to replicate the container startup scripts execute this command: + + /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh + +{{- else }} + +{{- $replicaCount := int .Values.replicaCount }} +{{- $portNumber := int .Values.service.port }} +{{- $fullname := include "mongodb.fullname" . }} +{{- $releaseNamespace := include "mongodb.namespace" . 
}} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs }} +{{- $mongoList := list }} +{{- range $e, $i := until $replicaCount }} +{{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $portNumber) }} +{{- end }} + +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerIPListLength )) (eq .Values.externalAccess.service.type "LoadBalancer") }} + +#################################################################################### +### ERROR: You enabled external access to MongoDB® nodes without specifying ### +### the array of load balancer IPs for MongoDB® nodes. ### +#################################################################################### + +This deployment will be incomplete until you configure the array of load balancer +IPs for MongoDB® nodes. To complete your deployment follow the steps below: + +1. Wait for the load balancer IPs (it may take a few minutes for them to be available): + + kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb" -w + +2. Obtain the load balancer IPs and upgrade your chart: + + {{- range $e, $i := until $replicaCount }} + LOAD_BALANCER_IP_{{ add $i 1 }}="$(kubectl get svc --namespace {{ $releaseNamespace }} {{ $fullname }}-{{ $i }}-external -o jsonpath='{.status.loadBalancer.ingress[0].ip}')" + {{- end }} + +3. 
Upgrade you chart: + + helm upgrade --namespace {{ .Release.Namespace }} {{ .Release.Name }} bitnami/{{ .Chart.Name }} \ + --set mongodb.replicaCount={{ $replicaCount }} \ + --set mongodb.externalAccess.enabled=true \ + {{- range $i, $e := until $replicaCount }} + --set mongodb.externalAccess.service.loadBalancerIPs[{{ $i }}]=$LOAD_BALANCER_IP_{{ add $i 1 }} \ + {{- end }} + --set mongodb.externalAccess.service.type=LoadBalancer + +{{- else }} + +{{- if and (or (and (eq .Values.architecture "standalone") (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort"))) (and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled)) (not .Values.auth.enabled) }} +------------------------------------------------------------------------------- + WARNING + + By not enabling "mongodb.auth.enabled" you have most likely exposed the + MongoDB® service externally without any authentication mechanism. + + For security reasons, we strongly suggest that you enable authentiation + setting the "mongodb.auth.enabled" parameter to "true". + +------------------------------------------------------------------------------- +{{- end }} + +** Please be patient while the chart is being deployed ** + +MongoDB® can be accessed on the following DNS name(s) and ports from within your cluster: + +{{- if eq .Values.architecture "replicaset" }} +{{ join "\n" $mongoList | nindent 4 }} +{{- else }} + + {{ $fullname }}.{{ $releaseNamespace }}.svc.{{ .Values.clusterDomain }} + +{{- end }} + +{{- if .Values.auth.enabled }} + +To get the root password run: + + export MONGODB_ROOT_PASSWORD=$(kubectl get secret --namespace {{ template "mongodb.namespace" . }} {{ template "mongodb.secretName" . }} -o jsonpath="{.data.mongodb-root-password}" | base64 --decode) + +{{- end }} +{{- $customUsers := include "mongodb.customUsers" . -}} +{{- $customDatabases := include "mongodb.customDatabases" . 
-}} +{{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} +{{- $customUsersList := splitList "," $customUsers }} +{{- range $index, $user := $customUsersList }} + +To get the password for "{{ $user }}" run: + + export MONGODB_PASSWORD=$(kubectl get secret --namespace {{ include "mongodb.namespace" $ }} {{ include "mongodb.secretName" $ }} -o jsonpath="{.data.mongodb-passwords}" | base64 --decode | awk -F',' '{print ${{ add 1 $index }}}') + +{{- end }} +{{- end }} + +To connect to your database, create a MongoDB® client container: + + kubectl run --namespace {{ template "mongodb.namespace" . }} {{ template "mongodb.fullname" . }}-client --rm --tty -i --restart='Never' --env="MONGODB_ROOT_PASSWORD=$MONGODB_ROOT_PASSWORD" --image {{ template "mongodb.image" . }} --command -- bash + +Then, run the following command: + + {{- if eq .Values.architecture "replicaset" }} + mongo admin --host "{{ join "," $mongoList }}" {{- if .Values.auth.enabled }} --authenticationDatabase admin -u root -p $MONGODB_ROOT_PASSWORD{{- end }} + {{- else }} + mongo admin --host "{{ template "mongodb.fullname" . }}" {{- if .Values.auth.enabled }} --authenticationDatabase admin -u root -p $MONGODB_ROOT_PASSWORD{{- end }} + {{- end }} + +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled }} + +To connect to your database nodes from outside, you need to add both primary and secondary nodes hostnames/IPs to your Mongo client. To obtain them, follow the instructions below: + +{{- if eq "NodePort" .Values.externalAccess.service.type }} +{{- if .Values.externalAccess.service.domain }} + + MongoDB® nodes domain: Use your provided hostname to reach MongoDB® nodes, {{ .Values.externalAccess.service.domain }} + +{{- else }} + + MongoDB® nodes domain: you can reach MongoDB® nodes on any of the K8s nodes external IPs. + + kubectl get nodes -o wide + +{{- end }} + + MongoDB® nodes port: You will have a different node port for each MongoDB® node. 
You can get the list of configured node ports using the command below: + + echo "$(kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb,pod" -o jsonpath='{.items[*].spec.ports[0].nodePort}' | tr ' ' '\n')" + +{{- else if contains "LoadBalancer" .Values.externalAccess.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IPs to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb,pod" -w' + + MongoDB® nodes domain: You will have a different external IP for each MongoDB® node. You can get the list of external IPs using the command below: + + echo "$(kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb,pod" -o jsonpath='{.items[*].status.loadBalancer.ingress[0].ip}' | tr ' ' '\n')" + + MongoDB® nodes port: {{ .Values.externalAccess.service.port }} + +{{- end }} + +{{- else if eq .Values.architecture "standalone" }} + +To connect to your database from outside the cluster execute the following commands: + +{{- if contains "NodePort" .Values.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ template "mongodb.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ template "mongodb.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "mongodb.fullname" . 
}}) + mongo --host $NODE_IP --port $NODE_PORT {{- if .Values.auth.enabled }} --authenticationDatabase admin -p $MONGODB_ROOT_PASSWORD{{- end }} + +{{- else if contains "LoadBalancer" .Values.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ template "mongodb.namespace" . }} -w {{ template "mongodb.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ template "mongodb.namespace" . }} {{ template "mongodb.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + mongo --host $SERVICE_IP --port {{ $portNumber }} {{- if .Values.auth.enabled }} --authenticationDatabase admin -p $MONGODB_ROOT_PASSWORD{{- end }} + +{{- else if contains "ClusterIP" .Values.service.type }} + + kubectl port-forward --namespace {{ template "mongodb.namespace" . }} svc/{{ template "mongodb.fullname" . }} {{ $portNumber }}:{{ $portNumber }} & + mongo --host 127.0.0.1 {{- if .Values.auth.enabled }} --authenticationDatabase admin -p $MONGODB_ROOT_PASSWORD{{- end }} + +{{- end }} +{{- end }} +{{- end }} + +{{- if .Values.metrics.enabled }} + +To access the MongoDB® Prometheus metrics, get the MongoDB® Prometheus URL by running: + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "mongodb.fullname" . }}-metrics {{ .Values.metrics.service.port }}:{{ .Values.metrics.service.port }} & + echo "Prometheus Metrics URL: http://127.0.0.1:{{ .Values.metrics.service.port }}/metrics" + +Then, open the obtained URL in a browser. + +{{- end }} +{{- end }} +{{- include "common.warnings.rollingTag" .Values.image }} +{{- include "common.warnings.rollingTag" .Values.metrics.image }} +{{- include "common.warnings.rollingTag" .Values.externalAccess.autoDiscovery.image }} +{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} +{{- include "mongodb.validateValues" . 
}}
+{{- $secretName := include "mongodb.fullname" . -}}
+{{- $passwordValidationErrors := include "common.validations.values.mongodb.passwords" (dict "secret" $secretName "context" $) -}}
+{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/_helpers.tpl b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/_helpers.tpl
new file mode 100644
index 000000000..496d4e8fe
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/_helpers.tpl
@@ -0,0 +1,444 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "mongodb.name" -}}
+{{- include "common.names.name" . -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "mongodb.fullname" -}}
+{{- include "common.names.fullname" . -}}
+{{- end -}}
+
+{{/*
+Create a default mongo service name which can be overridden.
+*/}}
+{{- define "mongodb.service.nameOverride" -}}
+ {{- if .Values.service -}}
+ {{- if .Values.service.nameOverride }}
+ {{- .Values.service.nameOverride -}}
+ {{- else -}}
+ {{ include "mongodb.fullname" . }}-headless
+ {{- end -}}
+ {{- else -}}
+ {{ include "mongodb.fullname" . }}-headless
+ {{- end }}
+{{- end }}
+
+{{/*
+Create a default mongo arbiter service name which can be overridden.
+*/}}
+{{- define "mongodb.arbiter.service.nameOverride" -}}
+ {{- if .Values.arbiter.service -}}
+ {{- if .Values.arbiter.service.nameOverride }}
+ {{- .Values.arbiter.service.nameOverride -}}
+ {{- else -}}
+ {{ include "mongodb.fullname" . }}-arbiter-headless
+ {{- end -}}
+ {{- else -}}
+ {{ include "mongodb.fullname" .
}}-arbiter-headless + {{- end }} +{{- end }} + +{{/* +Return the proper MongoDB® image name +*/}} +{{- define "mongodb.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the metrics image) +*/}} +{{- define "mongodb.metrics.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "mongodb.volumePermissions.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the init container auto-discovery image) +*/}} +{{- define "mongodb.externalAccess.autoDiscovery.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.externalAccess.autoDiscovery.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the TLS Certs image) +*/}} +{{- define "mongodb.tls.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.tls.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "mongodb.imagePullSecrets" -}} +{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. 
+*/}} +{{- define "mongodb.namespace" -}} + {{- if .Values.global -}} + {{- if .Values.global.namespaceOverride }} + {{- .Values.global.namespaceOverride -}} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} + {{- else -}} + {{- .Release.Namespace -}} + {{- end }} +{{- end -}} +{{- define "mongodb.serviceMonitor.namespace" -}} + {{- if .Values.metrics.serviceMonitor.namespace -}} + {{- .Values.metrics.serviceMonitor.namespace -}} + {{- else -}} + {{- include "mongodb.namespace" . -}} + {{- end }} +{{- end -}} +{{- define "mongodb.prometheusRule.namespace" -}} + {{- if .Values.metrics.prometheusRule.namespace -}} + {{- .Values.metrics.prometheusRule.namespace -}} + {{- else -}} + {{- include "mongodb.namespace" . -}} + {{- end }} +{{- end -}} + +{{/* +Returns the proper service account name depending if an explicit service account name is set +in the values file. If the name is not set it will default to either mongodb.fullname if serviceAccount.create +is true or default otherwise. +*/}} +{{- define "mongodb.serviceAccountName" -}} + {{- if .Values.serviceAccount.create -}} + {{ default (include "mongodb.fullname" .) .Values.serviceAccount.name }} + {{- else -}} + {{ default "default" .Values.serviceAccount.name }} + {{- end -}} +{{- end -}} + +{{/* +Return the list of custom users to create during the initialization (string format) +*/}} +{{- define "mongodb.customUsers" -}} + {{- $customUsers := list -}} + {{- if .Values.auth.username -}} + {{- $customUsers = append $customUsers .Values.auth.username }} + {{- end }} + {{- range .Values.auth.usernames }} + {{- $customUsers = append $customUsers . 
}} + {{- end }} + {{- printf "%s" (default "" (join "," $customUsers)) -}} +{{- end -}} + +{{/* +Return the list of passwords for the custom users (string format) +*/}} +{{- define "mongodb.customPasswords" -}} + {{- $customPasswords := list -}} + {{- if .Values.auth.password -}} + {{- $customPasswords = append $customPasswords .Values.auth.password }} + {{- end }} + {{- range .Values.auth.passwords }} + {{- $customPasswords = append $customPasswords . }} + {{- end }} + {{- printf "%s" (default "" (join "," $customPasswords)) -}} +{{- end -}} + +{{/* +Return the list of custom databases to create during the initialization (string format) +*/}} +{{- define "mongodb.customDatabases" -}} + {{- $customDatabases := list -}} + {{- if .Values.auth.database -}} + {{- $customDatabases = append $customDatabases .Values.auth.database }} + {{- end }} + {{- range .Values.auth.databases }} + {{- $customDatabases = append $customDatabases . }} + {{- end }} + {{- printf "%s" (default "" (join "," $customDatabases)) -}} +{{- end -}} + +{{/* +Return the configmap with the MongoDB® configuration +*/}} +{{- define "mongodb.configmapName" -}} +{{- if .Values.existingConfigmap -}} + {{- printf "%s" (tpl .Values.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MongoDB® +*/}} +{{- define "mongodb.createConfigmap" -}} +{{- if and .Values.configuration (not .Values.existingConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret with MongoDB® credentials +*/}} +{{- define "mongodb.secretName" -}} + {{- if .Values.auth.existingSecret -}} + {{- printf "%s" (tpl .Values.auth.existingSecret $) -}} + {{- else -}} + {{- printf "%s" (include "mongodb.fullname" .) 
-}} + {{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created for MongoDB® +*/}} +{{- define "mongodb.createSecret" -}} +{{- if and .Values.auth.enabled (not .Values.auth.existingSecret) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "mongodb.initdbScriptsCM" -}} +{{- if .Values.initdbScriptsConfigMap -}} +{{- printf "%s" .Values.initdbScriptsConfigMap -}} +{{- else -}} +{{- printf "%s-init-scripts" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if the Arbiter should be deployed +*/}} +{{- define "mongodb.arbiter.enabled" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.arbiter.enabled }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return the configmap with the MongoDB® configuration for the Arbiter +*/}} +{{- define "mongodb.arbiter.configmapName" -}} +{{- if .Values.arbiter.existingConfigmap -}} + {{- printf "%s" (tpl .Values.arbiter.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-arbiter" (include "mongodb.fullname" .) 
-}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MongoDB® Arbiter +*/}} +{{- define "mongodb.arbiter.createConfigmap" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.arbiter.enabled .Values.arbiter.configuration (not .Values.arbiter.existingConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if the Hidden should be deployed +*/}} +{{- define "mongodb.hidden.enabled" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.hidden.enabled }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the configmap with the MongoDB® configuration for the Hidden +*/}} +{{- define "mongodb.hidden.configmapName" -}} +{{- if .Values.hidden.existingConfigmap -}} + {{- printf "%s" (tpl .Values.hidden.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-hidden" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MongoDB® Hidden +*/}} +{{- define "mongodb.hidden.createConfigmap" -}} +{{- if and (include "mongodb.hidden.enabled" .) .Values.hidden.enabled .Values.hidden.configuration (not .Values.hidden.existingConfigmap) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "mongodb.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "mongodb.validateValues.pspAndRBAC" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.architecture" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.customUsersDBs" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.customUsersDBsLength" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.externalAccessServiceType" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.loadBalancerIPsListLength" .) 
-}} +{{- $messages := append $messages (include "mongodb.validateValues.nodePortListLength" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.externalAccessAutoDiscoveryRBAC" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* Validate RBAC is created when using PSP */}} +{{- define "mongodb.validateValues.pspAndRBAC" -}} +{{- if and (.Values.podSecurityPolicy.create) (not .Values.rbac.create) -}} +mongodb: podSecurityPolicy.create, rbac.create + Both podSecurityPolicy.create and rbac.create must be true, if you want + to create podSecurityPolicy +{{- end -}} +{{- end -}} + +{{/* Validate values of MongoDB® - must provide a valid architecture */}} +{{- define "mongodb.validateValues.architecture" -}} +{{- if and (ne .Values.architecture "standalone") (ne .Values.architecture "replicaset") -}} +mongodb: architecture + Invalid architecture selected. Valid values are "standalone" and + "replicaset". Please set a valid architecture (--set mongodb.architecture="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - both auth.usernames and auth.databases are necessary +to create a custom user and database during 1st initialization +*/}} +{{- define "mongodb.validateValues.customUsersDBs" -}} +{{- $customUsers := include "mongodb.customUsers" . -}} +{{- $customDatabases := include "mongodb.customDatabases" . -}} +{{- if or (and (empty $customUsers) (not (empty $customDatabases))) (and (not (empty $customUsers)) (empty $customDatabases)) }} +mongodb: auth.usernames, auth.databases + Both auth.usernames and auth.databases must be provided to create + custom users and databases during 1st initialization. 
+ Please set both of them (--set auth.usernames[0]="xxxx",auth.databases[0]="yyyy") +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - both auth.usernames and auth.databases arrays should have the same length +to create a custom user and database during 1st initialization +*/}} +{{- define "mongodb.validateValues.customUsersDBsLength" -}} +{{- if ne (len .Values.auth.usernames) (len .Values.auth.databases) }} +mongodb: auth.usernames, auth.databases + Both auth.usernames and auth.databases arrays should have the same length +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - service type for external access +*/}} +{{- define "mongodb.validateValues.externalAccessServiceType" -}} +{{- if and (eq .Values.architecture "replicaset") (not (eq .Values.externalAccess.service.type "NodePort")) (not (eq .Values.externalAccess.service.type "LoadBalancer")) (not (eq .Values.externalAccess.service.type "ClusterIP")) -}} +mongodb: externalAccess.service.type + Available service type for external access are NodePort, LoadBalancer or ClusterIP. +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - number of replicas must be the same than LoadBalancer IPs list +*/}} +{{- define "mongodb.validateValues.loadBalancerIPsListLength" -}} +{{- $replicaCount := int .Values.replicaCount }} +{{- $loadBalancerListLength := len .Values.externalAccess.service.loadBalancerIPs }} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled ) (eq .Values.externalAccess.service.type "LoadBalancer") (not (eq $replicaCount $loadBalancerListLength )) -}} +mongodb: .Values.externalAccess.service.loadBalancerIPs + Number of replicas and loadBalancerIPs array length must be the same. 
+{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - number of replicas must be the same than NodePort list +*/}} +{{- define "mongodb.validateValues.nodePortListLength" -}} +{{- $replicaCount := int .Values.replicaCount }} +{{- $nodePortListLength := len .Values.externalAccess.service.nodePorts }} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "NodePort") (not (eq $replicaCount $nodePortListLength )) -}} +mongodb: .Values.externalAccess.service.nodePorts + Number of replicas and nodePorts array length must be the same. +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - RBAC should be enabled when autoDiscovery is enabled +*/}} +{{- define "mongodb.validateValues.externalAccessAutoDiscoveryRBAC" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (not .Values.rbac.create ) }} +mongodb: rbac.create + By specifying "externalAccess.enabled=true" and "externalAccess.autoDiscovery.enabled=true" + an initContainer will be used to autodetect the external IPs/ports by querying the + K8s API. Please note this initContainer requires specific RBAC resources. You can create them + by specifying "--set rbac.create=true". 
+{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® exporter URI string - auth.enabled and/or tls.enabled must be enabled or it defaults +*/}} +{{- define "mongodb.mongodb_exporter.uri" -}} + {{- $uriTlsArgs := ternary "tls=true&tlsCertificateKeyFile=/certs/mongodb.pem&tlsCAFile=/certs/mongodb-ca-cert" "" .Values.tls.enabled -}} + {{- if .Values.metrics.username }} + {{- $uriAuth := ternary "$(echo $MONGODB_METRICS_USERNAME | sed -r \"s/@/%40/g;s/:/%3A/g\"):$(echo $MONGODB_METRICS_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}} + {{- printf "mongodb://%slocalhost:27017/admin?%s" $uriAuth $uriTlsArgs -}} + {{- else -}} + {{- $uriAuth := ternary "$MONGODB_ROOT_USER:$(echo $MONGODB_ROOT_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}} + {{- printf "mongodb://%slocalhost:27017/admin?%s" $uriAuth $uriTlsArgs -}} + {{- end -}} +{{- end -}} + + +{{/* +Return the appropriate apiGroup for PodSecurityPolicy. +*/}} +{{- define "podSecurityPolicy.apiGroup" -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy" -}} +{{- else -}} +{{- print "extensions" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a TLS secret object should be created +*/}} +{{- define "mongodb.createTlsSecret" -}} +{{- if and .Values.tls.enabled (not .Values.tls.existingSecret) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret containing MongoDB® TLS certificates +*/}} +{{- define "mongodb.tlsSecretName" -}} +{{- $secretName := .Values.tls.existingSecret -}} +{{- if $secretName -}} + {{- printf "%s" (tpl $secretName $) -}} +{{- else -}} + {{- printf "%s-ca" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/arbiter/configmap.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/arbiter/configmap.yaml new file mode 100644 index 000000000..60a171f1d --- /dev/null 
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/arbiter/configmap.yaml
@@ -0,0 +1,18 @@
+{{- if (include "mongodb.arbiter.createConfigmap" .) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "mongodb.fullname" . }}-arbiter
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: arbiter
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ mongodb.conf: |-
+ {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.configuration "context" $) | nindent 4 }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/arbiter/headless-svc.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/arbiter/headless-svc.yaml
new file mode 100644
index 000000000..6228f1065
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/arbiter/headless-svc.yaml
@@ -0,0 +1,30 @@
+{{- if (include "mongodb.arbiter.enabled" .) }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "mongodb.arbiter.service.nameOverride" . }}
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: arbiter
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if or .Values.service.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.service.annotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.service.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ clusterIP: None
+ ports:
+ - name: tcp-mongodb
+ port: {{ .Values.service.port }}
+ targetPort: mongodb
+ selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+ app.kubernetes.io/component: arbiter
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/arbiter/pdb.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/arbiter/pdb.yaml
new file mode 100644
index 000000000..27932cea5
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/arbiter/pdb.yaml
@@ -0,0 +1,25 @@
+{{- if and (include "mongodb.arbiter.enabled" .) .Values.arbiter.pdb.create }}
+apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "mongodb.fullname" . }}-arbiter
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: arbiter
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.arbiter.pdb.minAvailable }}
+ minAvailable: {{ .Values.arbiter.pdb.minAvailable }}
+ {{- end }}
+ {{- if .Values.arbiter.pdb.maxUnavailable }}
+ maxUnavailable: {{ .Values.arbiter.pdb.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }}
+ app.kubernetes.io/component: arbiter
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/arbiter/statefulset.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/arbiter/statefulset.yaml
new file mode 100644
index 000000000..462754b2f
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/arbiter/statefulset.yaml
@@ -0,0 +1,291 @@ +{{- if (include "mongodb.arbiter.enabled" .) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "mongodb.fullname" . }}-arbiter + namespace: {{ include "mongodb.namespace" . }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if .Values.arbiter.labels }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.labels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.arbiter.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.arbiter.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.arbiter.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + serviceName: {{ include "mongodb.arbiter.service.nameOverride" . }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: arbiter + template: + metadata: + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: arbiter + {{- if .Values.arbiter.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.podLabels "context" $) | nindent 8 }} + {{- end }} + {{- if or (include "mongodb.arbiter.createConfigmap" .) .Values.arbiter.podAnnotations }} + annotations: + {{- if (include "mongodb.arbiter.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/arbiter/configmap.yaml") . 
| sha256sum }} + {{- end }} + {{- if .Values.arbiter.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . }} + {{- if .Values.arbiter.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.arbiter.podAffinityPreset "component" "arbiter" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.arbiter.podAntiAffinityPreset "component" "arbiter" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.arbiter.nodeAffinityPreset.type "key" .Values.arbiter.nodeAffinityPreset.key "values" .Values.arbiter.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.arbiter.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.arbiter.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.arbiter.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.arbiter.priorityClassName }} + priorityClassName: {{ .Values.arbiter.priorityClassName }} + {{- end }} + {{- if .Values.arbiter.runtimeClassName }} + runtimeClassName: {{ .Values.arbiter.runtimeClassName }} + {{- end }} + {{- if .Values.arbiter.podSecurityContext.enabled }} + 
securityContext: {{- omit .Values.arbiter.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + initContainers: + {{- if .Values.arbiter.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: generate-client + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: certs-volume + mountPath: /certs/CAs + - name: certs + mountPath: /certs + command: + - sh + - "-c" + - | + /bin/bash <<'EOF' + my_hostname=$(hostname) + svc=$(echo -n "$my_hostname" | sed s/-[0-9]*$//)-headless + + cp /certs/CAs/* /certs/ + + cat >/certs/openssl.cnf < /certs/mongodb.pem + cd /certs/ + shopt -s extglob + rm -rf !(mongodb-ca-cert|mongodb.pem|CAs|openssl.cnf) + chmod 0600 mongodb-ca-cert mongodb.pem + EOF + {{- end }} + containers: + - name: mongodb-arbiter + image: {{ include "mongodb.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.arbiter.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.arbiter.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.arbiter.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.arbiter.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: K8S_SERVICE_NAME + value: "{{ include "mongodb.arbiter.service.nameOverride" . }}" + - name: MONGODB_REPLICA_SET_MODE + value: "arbiter" + - name: MONGODB_INITIAL_PRIMARY_HOST + value: "{{ include "mongodb.fullname" . }}-0.{{ include "mongodb.service.nameOverride" . }}.$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + - name: MONGODB_REPLICA_SET_NAME + value: {{ .Values.replicaSetName | quote }} + - name: MONGODB_ADVERTISED_HOSTNAME + value: "$(MY_POD_NAME).$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + {{- if .Values.auth.enabled }} + - name: MONGODB_INITIAL_PRIMARY_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-root-password + - name: MONGODB_REPLICA_SET_KEY + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-replica-set-key + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + {{- $extraFlags := .Values.arbiter.extraFlags | join " " -}} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.arbiter.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.arbiter.extraEnvVarsCM .Values.arbiter.extraEnvVarsSecret }} + envFrom: + {{- if .Values.arbiter.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.arbiter.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.arbiter.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.arbiter.extraEnvVarsSecret . 
| quote }} + {{- end }} + {{- end }} + ports: + - containerPort: 27017 + name: mongodb + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.arbiter.livenessProbe.enabled }} + livenessProbe: + tcpSocket: + port: mongodb + initialDelaySeconds: {{ .Values.arbiter.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.arbiter.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.arbiter.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.arbiter.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.arbiter.livenessProbe.failureThreshold }} + {{- else if .Values.arbiter.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.arbiter.readinessProbe.enabled }} + readinessProbe: + tcpSocket: + port: mongodb + initialDelaySeconds: {{ .Values.arbiter.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.arbiter.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.arbiter.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.arbiter.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.arbiter.readinessProbe.failureThreshold }} + {{- else if .Values.arbiter.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.arbiter.resources }} + resources: {{- toYaml .Values.arbiter.resources | nindent 12 }} + {{- end }} + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumeMounts .Values.tls.enabled }} + volumeMounts: + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: certs + 
mountPath: /certs + {{- end }} + {{- if .Values.arbiter.extraVolumeMounts }} + {{- toYaml .Values.arbiter.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.arbiter.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.sidecars "context" $) | nindent 8 }} + {{- end }} + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }} + volumes: + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.arbiter.configmapName" . }} + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: certs + emptyDir: {} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . }} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- end }} + {{- if .Values.arbiter.extraVolumes }} + {{- toYaml .Values.arbiter.extraVolumes | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/configmap.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/configmap.yaml new file mode 100644 index 000000000..529d393bc --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/configmap.yaml 
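Review bot: The `certs-volume` secret mount at the end of the hunk projects `mongodb-ca-key`, the CA's private key, into every arbiter pod so that `generate-client` can mint the pod's certificate at startup; that places a key able to sign a certificate for any replica-set member hostname on every node that schedules an arbiter, and anyone who can exec into that init container or read the mounted secret could presumably impersonate the primary. The extglob `rm -rf` removes the copied key from the `certs` emptyDir before the main container starts, so the exposure is the secret mount itself rather than `/certs` inside `mongodb-arbiter`. A comment above the mount such as `# NOTE: mounts the CA private key into every arbiter pod; prefer pre-issued per-pod certs if the CA must stay off nodes` would make the trade-off visible, and `generate-client` should carry the same `securityContext` and `resources` as the main container, since it currently has neither. Separately, `--tlsMode=%s` passes `tls.mode` through unchanged, so any value other than `requireTLS` still lets mongod accept plaintext connections, which deserves a values comment. The heredoc between `cat >/certs/openssl.cnf` and the `> /certs/mongodb.pem` redirect is not legible in this rendering, so the certificate's SAN set could not be reviewed here.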
@@ -0,0 +1,18 @@
+{{- if (include "mongodb.createConfigmap" .) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ mongodb.conf: |-
+ {{- include "common.tplvalues.render" (dict "value" .Values.configuration "context" $) | nindent 4 }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/extra-list.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/extra-list.yaml
new file mode 100644
index 000000000..9ac65f9e1
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/extra-list.yaml
@@ -0,0 +1,4 @@
+{{- range .Values.extraDeploy }}
+---
+{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/hidden/configmap.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/hidden/configmap.yaml
new file mode 100644
index 000000000..4c222d414
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/hidden/configmap.yaml
@@ -0,0 +1,15 @@
+{{- if (include "mongodb.hidden.createConfigmap" .) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "mongodb.fullname" . }}-hidden
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: hidden
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ mongodb.conf: |-
+ {{- include "common.tplvalues.render" (dict "value" .Values.hidden.configuration "context" $) | nindent 4 }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/hidden/external-access-svc.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/hidden/external-access-svc.yaml
new file mode 100644
index 000000000..87781ea76
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/hidden/external-access-svc.yaml
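Review bot: This ConfigMap drops the `commonAnnotations` block that `configmap.yaml` in the same change renders, so annotations applied chart-wide will not reach the hidden members' config; add the same three lines after the `commonLabels` block: `{{- if .Values.commonAnnotations }}` / `annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}` / `{{- end }}`. The hidden StatefulSet already hashes this template into its `checksum/configuration` pod annotation, so no further edit is needed for the addition to take effect.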
@@ -0,0 +1,49 @@
+{{- if and (include "mongodb.hidden.enabled" .) .Values.externalAccess.hidden.enabled }}
+{{- $fullName := include "mongodb.fullname" . }}
+{{- $replicaCount := .Values.hidden.replicaCount | int }}
+{{- $root := . }}
+
+{{- range $i, $e := until $replicaCount }}
+{{- $targetPod := printf "%s-hidden-%d" (printf "%s" $fullName) $i }}
+{{- $_ := set $ "targetPod" $targetPod }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ $fullName }}-hidden-{{ $i }}-external
+ namespace: {{ include "mongodb.namespace" $ }}
+ labels: {{- include "common.labels.standard" $ | nindent 4 }}
+ app.kubernetes.io/component: hidden
+ {{- if $root.Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" $root.Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ pod: {{ $targetPod }}
+ {{- if $root.Values.externalAccess.hidden.service.annotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $root.Values.externalAccess.hidden.service.annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ $root.Values.externalAccess.hidden.service.type }}
+ {{- if eq $root.Values.externalAccess.hidden.service.type "LoadBalancer" }}
+ {{- if not (empty $root.Values.externalAccess.hidden.service.loadBalancerIPs) }}
+ loadBalancerIP: {{ index $root.Values.externalAccess.hidden.service.loadBalancerIPs $i }}
+ {{- end }}
+ {{- if $root.Values.externalAccess.hidden.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges: {{- toYaml $root.Values.externalAccess.hidden.service.loadBalancerSourceRanges | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ publishNotReadyAddresses: true
+ ports:
+ - name: {{ $root.Values.service.portName }}
+ port: {{ $root.Values.externalAccess.hidden.service.port }}
+ {{- if not (empty $root.Values.externalAccess.hidden.service.nodePorts) }}
+ nodePort: {{ index $root.Values.externalAccess.hidden.service.nodePorts $i }}
+ {{- else }}
+ nodePort: null
+ {{- end }}
+ targetPort: mongodb
+ 
selector: {{- include "common.labels.matchLabels" $ | nindent 4 }}
+ app.kubernetes.io/component: hidden
+ statefulset.kubernetes.io/pod-name: {{ $targetPod }}
+---
+{{- end }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/hidden/headless-svc.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/hidden/headless-svc.yaml
new file mode 100644
index 000000000..59c4d07e1
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/hidden/headless-svc.yaml
@@ -0,0 +1,25 @@
+{{- if (include "mongodb.hidden.enabled" .) }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "mongodb.fullname" . }}-hidden-headless
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: hidden
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.service.annotations }}
+ annotations: {{- include "common.tplvalues.render" (dict "value" .Values.service.annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ clusterIP: None
+ publishNotReadyAddresses: true
+ ports:
+ - name: {{ .Values.service.portName }}
+ port: {{ .Values.service.port }}
+ targetPort: mongodb
+ selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+ app.kubernetes.io/component: hidden
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/hidden/pdb.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/hidden/pdb.yaml
new file mode 100644
index 000000000..de77008c1
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/hidden/pdb.yaml
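Review bot: `loadBalancerIP: {{ index ...loadBalancerIPs $i }}` inside the `range` aborts the whole render with an index-out-of-range error whenever `loadBalancerIPs` is non-empty but shorter than `hidden.replicaCount`; the length comparison in the hidden StatefulSet template only suppresses the StatefulSet and does nothing for this file, so a guard such as `{{- if and (not (empty $root.Values.externalAccess.hidden.service.loadBalancerIPs)) (lt (len $root.Values.externalAccess.hidden.service.loadBalancerIPs) $replicaCount) }}{{ fail "externalAccess.hidden.service.loadBalancerIPs must have one entry per hidden replica" }}{{- end }}` belongs before the loop, and `nodePorts` has the same hazard. From a security standpoint every hidden member is published on a LoadBalancer or NodePort with `publishNotReadyAddresses: true`, and `loadBalancerSourceRanges` is emitted only when set, so the default is a database port reachable from any source that can reach the load balancer; a comment at that line stating it should always be populated for type LoadBalancer would help operators. `{{- $_ := set $ "targetPod" $targetPod }}` mutates the root context and its value is never read in this file (the local `$targetPod` is used throughout), so it can be dropped.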
@@ -0,0 +1,22 @@
+{{- if and (include "mongodb.hidden.enabled" .) .Values.hidden.pdb.create }}
+apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "mongodb.fullname" . }}-hidden
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: hidden
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.hidden.pdb.minAvailable }}
+ minAvailable: {{ .Values.hidden.pdb.minAvailable }}
+ {{- end }}
+ {{- if .Values.hidden.pdb.maxUnavailable }}
+ maxUnavailable: {{ .Values.hidden.pdb.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }}
+ app.kubernetes.io/component: hidden
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/hidden/statefulset.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/hidden/statefulset.yaml
new file mode 100644
index 000000000..324d2076d
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/hidden/statefulset.yaml
@@ -0,0 +1,557 @@ +{{- if (include "mongodb.hidden.enabled" .) }} +{{- $replicaCount := int .Values.hidden.replicaCount }} +{{- $loadBalancerIPListLength := len .Values.externalAccess.hidden.service.loadBalancerIPs }} +{{- if not (and .Values.externalAccess.hidden.enabled (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerIPListLength )) (eq .Values.externalAccess.hidden.service.type "LoadBalancer")) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "mongodb.fullname" . }}-hidden + namespace: {{ include "mongodb.namespace" . }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: hidden + {{- if .Values.hidden.labels }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.labels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.hidden.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.annotations "context" $) | nindent 4 }} + {{- end }} +spec: + serviceName: {{ include "mongodb.fullname" . }}-hidden-headless + podManagementPolicy: {{ .Values.hidden.podManagementPolicy }} + replicas: {{ .Values.hidden.replicaCount }} + updateStrategy: + type: {{ .Values.hidden.strategyType }} + {{- if (eq "OnDelete" .Values.hidden.strategyType) }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: hidden + template: + metadata: + labels: {{- include "common.labels.standard" . 
| nindent 8 }} + app.kubernetes.io/component: hidden + {{- if .Values.hidden.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.podLabels "context" $) | nindent 8 }} + {{- end }} + {{- if or (include "mongodb.hidden.createConfigmap" .) .Values.hidden.podAnnotations }} + annotations: + {{- if (include "mongodb.hidden.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/hidden/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.hidden.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . }} + {{- if .Values.hidden.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.hidden.podAffinityPreset "component" "" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.hidden.podAntiAffinityPreset "component" "" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.hidden.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.hidden.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.priorityClassName }} + 
priorityClassName: {{ .Values.hidden.priorityClassName }} + {{- end }} + {{- if .Values.hidden.runtimeClassName }} + runtimeClassName: {{ .Values.hidden.runtimeClassName }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if or .Values.hidden.initContainers (and .Values.volumePermissions.enabled .Values.hidden.persistence.enabled) (and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled) .Values.tls.enabled }} + initContainers: + {{- if .Values.hidden.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.hidden.persistence.enabled }} + - name: volume-permissions + image: {{ include "mongodb.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -ec + args: + - | + mkdir -p {{ .Values.hidden.persistence.mountPath }}{{- if .Values.hidden.persistence.subPath }}/{{ .Values.hidden.persistence.subPath }}{{- end }} + {{- if and .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled }} + chown -R "{{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}" "{{ .Values.hidden.persistence.mountPath }}{{- if .Values.hidden.persistence.subPath }}/{{ .Values.hidden.persistence.subPath }}{{- end }}" + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + 
volumeMounts: + - name: datadir + mountPath: {{ .Values.hidden.persistence.mountPath }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + volumeMounts: + - name: certs-volume + mountPath: /certs/CAs + - name: certs + mountPath: /certs + command: + - sh + - "-c" + - | + /bin/bash <<'EOF' + my_hostname=$(hostname) + svc=$(echo -n "$my_hostname" | sed s/-[0-9]*$//)-headless + cp /certs/CAs/* /certs/ + cat >/certs/openssl.cnf < /certs/mongodb.pem + cd /certs/ + shopt -s extglob + rm -rf !(mongodb-ca-cert|mongodb.pem|CAs|openssl.cnf) + chmod 0600 mongodb-ca-cert mongodb.pem + EOF + {{- end }} + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: auto-discovery + image: {{ include "mongodb.externalAccess.autoDiscovery.image" . }} + imagePullPolicy: {{ .Values.externalAccess.autoDiscovery.image.pullPolicy | quote }} + command: + - /scripts/auto-discovery.sh + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SHARED_FILE + value: "/shared/info.txt" + {{- if .Values.externalAccess.autoDiscovery.resources }} + resources: {{- toYaml .Values.externalAccess.autoDiscovery.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: shared + mountPath: /shared + - name: scripts + mountPath: /scripts/auto-discovery.sh + subPath: auto-discovery.sh + {{- end }} + {{- end }} + containers: + - name: mongodb + image: {{ include "mongodb.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.hidden.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.command "context" $) | nindent 12 }} + {{- else }} + command: + - /scripts/setup-hidden.sh + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.hidden.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: SHARED_FILE + value: "/shared/info.txt" + {{- end }} + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: K8S_SERVICE_NAME + value: "{{ include "mongodb.service.nameOverride" . }}" + - name: K8S_HIDDEN_NODE_SERVICE_NAME + value: "{{ include "mongodb.fullname" . }}-hidden-headless" + - name: MONGODB_REPLICA_SET_MODE + value: "hidden" + - name: MONGODB_INITIAL_PRIMARY_HOST + value: "{{ include "mongodb.fullname" . 
}}-0.$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + - name: MONGODB_REPLICA_SET_NAME + value: {{ .Values.replicaSetName | quote }} + {{- if and .Values.replicaSetHostnames (not .Values.externalAccess.hidden.enabled) }} + - name: MONGODB_ADVERTISED_HOSTNAME + value: "$(MY_POD_NAME).$(K8S_HIDDEN_NODE_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + {{- end }} + {{- $customUsers := include "mongodb.customUsers" . -}} + {{- $customDatabases := include "mongodb.customDatabases" . -}} + {{- if not (empty $customUsers) }} + - name: MONGODB_EXTRA_USERNAMES + value: {{ $customUsers | quote }} + {{- end }} + {{- if not (empty $customDatabases) }} + - name: MONGODB_EXTRA_DATABASES + value: {{ $customDatabases | quote }} + {{- end }} + {{- if .Values.auth.enabled }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + - name: MONGODB_EXTRA_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-passwords + {{- end }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + - name: MONGODB_REPLICA_SET_KEY + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-replica-set-key + {{- end }} + {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.auth.enabled }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-metrics-password + {{- end }} + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + - name: MONGODB_SYSTEM_LOG_VERBOSITY + value: {{ .Values.systemLogVerbosity | quote }} + - name: MONGODB_DISABLE_SYSTEM_LOG + value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }} + - name: MONGODB_DISABLE_JAVASCRIPT + value: {{ ternary "yes" "no" .Values.disableJavascript | quote }} + - name: MONGODB_ENABLE_JOURNAL + value: {{ ternary "yes" "no" .Values.enableJournal | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + - name: MONGODB_ENABLE_DIRECTORY_PER_DB + value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} + {{- $extraFlags := .Values.hidden.extraFlags | join " " -}} + {{- if .Values.tls.enabled }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.hidden.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.hidden.extraEnvVarsCM .Values.hidden.extraEnvVarsSecret }} + envFrom: + {{- if .Values.hidden.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.hidden.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.hidden.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.hidden.extraEnvVarsSecret . 
| quote }} + {{- end }} + {{- end }} + ports: + - containerPort: 27017 + name: mongodb + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.hidden.livenessProbe.enabled }} + livenessProbe: + exec: + command: + - mongo + {{- if .Values.tls.enabled }} + - --tls + - --tlsCertificateKeyFile=/certs/mongodb.pem + - --tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + - --eval + - "db.adminCommand('ping')" + initialDelaySeconds: {{ .Values.hidden.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.hidden.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.hidden.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.hidden.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.hidden.livenessProbe.failureThreshold }} + {{- else if .Values.hidden.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.hidden.readinessProbe.enabled }} + readinessProbe: + exec: + command: + - mongo + {{- if .Values.tls.enabled }} + - --tls + - --tlsCertificateKeyFile=/certs/mongodb.pem + - --tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + - --eval + - "db.adminCommand('ping')" + initialDelaySeconds: {{ .Values.hidden.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.hidden.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.hidden.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.hidden.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.hidden.readinessProbe.failureThreshold }} + {{- else if .Values.hidden.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.hidden.resources }} + resources: {{- toYaml .Values.hidden.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: datadir + mountPath: {{ 
.Values.hidden.persistence.mountPath }} + subPath: {{ .Values.hidden.persistence.subPath }} + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d + {{- end }} + {{- if or .Values.hidden.configuration .Values.hidden.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + - name: scripts + mountPath: /scripts/setup-hidden.sh + subPath: setup-hidden.sh + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: shared + mountPath: /shared + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.hidden.extraVolumeMounts }} + {{- toYaml .Values.hidden.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "mongodb.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else }} + args: + - | + /bin/mongodb_exporter --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . 
}}" {{ .Values.metrics.extraFlags }} + {{- end }} + env: + {{- if .Values.auth.enabled }} + {{- if not .Values.metrics.username }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- else }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-metrics-password + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + ports: + - name: metrics + containerPort: 9216 + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: / + port: metrics + initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }} + successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }} + {{- end }} + {{- if .Values.metrics.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: / + port: metrics + initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }} + successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }} + {{- end }} + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.hidden.sidecars }} + {{- include "common.tplvalues.render" (dict "value" 
.Values.hidden.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "mongodb.initdbScriptsCM" . }} + {{- end }} + {{- if or .Values.hidden.configuration .Values.hidden.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.hidden.configmapName" . }} + {{- end }} + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: shared + emptyDir: {} + {{- end }} + - name: scripts + configMap: + name: {{ include "mongodb.fullname" . }}-scripts + defaultMode: 0755 + {{- if .Values.hidden.extraVolumes }} + {{- toYaml .Values.hidden.extraVolumes | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . }} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- end }} + {{- if not .Values.hidden.persistence.enabled }} + - name: datadir + {{- if .Values.hidden.persistence.medium }} + emptyDir: + medium: {{ .Values.hidden.persistence.medium | quote }} + {{- else }} + emptyDir: {} + {{- end }} + {{- else }} + volumeClaimTemplates: + - metadata: + name: datadir + {{- if .Values.hidden.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.hidden.persistence.accessModes }} + - {{ . 
| quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.hidden.persistence.size | quote }} + {{- if .Values.hidden.persistence.volumeClaimTemplates.requests }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.requests "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.hidden.persistence.volumeClaimTemplates.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.dataSource "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.hidden.persistence.volumeClaimTemplates.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }} + {{- end }} + {{ include "common.storage.class" (dict "persistence" .Values.hidden.persistence "global" .Values.global) }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/initialization-configmap.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/initialization-configmap.yaml new file mode 100644 index 000000000..91d0cd844 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/initialization-configmap.yaml 
@@ -0,0 +1,17 @@
+{{- if and .Values.initdbScripts (not .Values.initdbScriptsConfigMap) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "mongodb.fullname" . }}-init-scripts
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+{{- include "common.tplvalues.render" (dict "value" .Values.initdbScripts "context" .) | nindent 2 }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/metrics-svc.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/metrics-svc.yaml
new file mode 100644
index 000000000..e27eadbb0
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/metrics-svc.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "mongodb.fullname" . }}-metrics
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: metrics
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.metrics.service.annotations }}
+ annotations: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.service.annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.metrics.service.type }}
+ ports:
+ - port: {{ .Values.metrics.service.port }}
+ targetPort: metrics
+ protocol: TCP
+ name: http-metrics
+ selector: {{- include "common.labels.matchLabels" $ | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/prometheusrule.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/prometheusrule.yaml
new file mode 100644
index 000000000..b4809af7d
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/prometheusrule.yaml
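Review bot: `type: {{ .Values.metrics.service.type }}` is rendered with no way to restrict who can reach it — unlike external-access-svc.yaml in this same commit, this Service has no `loadBalancerSourceRanges`, so a `LoadBalancer` or `NodePort` value publishes the exporter port (9216 on the metrics sidecar, which the probes in the hidden statefulset hunk query without any credentials) to anything that can reach the node or the load balancer. Suggest mirroring the external-access template under `spec:`: `{{- if .Values.metrics.service.loadBalancerSourceRanges }}` / `loadBalancerSourceRanges: {{- toYaml .Values.metrics.service.loadBalancerSourceRanges | nindent 4 }}` / `{{- end }}`, which renders nothing when the new value is unset and so is backward-compatible. A one-line comment in values.yaml that the metrics endpoint carries no authentication of its own would help operators choose the service type.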
@@ -0,0 +1,17 @@
+{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.prometheusRule.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.metrics.prometheusRule.additionalLabels }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ groups:
+ {{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.rules "context" $) | nindent 2 }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/psp.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/psp.yaml
new file mode 100644
index 000000000..3af67d52a
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/psp.yaml
@@ -0,0 +1,49 @@
+{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}}
+{{- if and $pspAvailable .Values.podSecurityPolicy.create }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+{{- if .Values.podSecurityPolicy.spec }}
+{{ include "common.tplvalues.render" ( dict "value" .Values.podSecurityPolicy.spec "context" $ ) | nindent 2 }}
+{{- else }}
+ allowPrivilegeEscalation: {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.podSecurityContext.fsGroup }}
+ max: {{ .Values.podSecurityContext.fsGroup }}
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ privileged: {{ .Values.podSecurityPolicy.privileged }}
+ readOnlyRootFilesystem: false
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.containerSecurityContext.runAsUser }}
+ max: {{ .Values.containerSecurityContext.runAsUser }}
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.containerSecurityContext.runAsUser }}
+ max: {{ .Values.containerSecurityContext.runAsUser }}
+ volumes:
+ - 'configMap'
+ - 'secret'
+ - 'emptyDir'
+ - 'persistentVolumeClaim'
+{{- end }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/external-access-svc.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/external-access-svc.yaml
new file mode 100644
index 000000000..b000b734b
--- /dev/null
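Review bot: The `runAsUser` and `supplementalGroups` ranges are pinned to `.Values.containerSecurityContext.runAsUser` regardless of `.Values.containerSecurityContext.enabled`, the flag the hidden statefulset hunk in this commit uses to decide whether a container securityContext is emitted at all; with the flag off the policy still demands that exact UID, and if the value is left unset the `min:`/`max:` cells render with no usable number and the PSP is rejected at apply time. `readOnlyRootFilesystem: false` is hard-coded while `privileged` and `allowPrivilegeEscalation` are taken straight from values with no guard, so the only route to a stricter policy is replacing the whole `podSecurityPolicy.spec`. Suggest either wrapping the two range blocks in `{{- if .Values.containerSecurityContext.enabled }}` … `{{- end }}` with a `RunAsAny` fallback, or stating in values.yaml that `podSecurityPolicy.create` requires `containerSecurityContext.runAsUser` and `podSecurityContext.fsGroup` to be set. Using the UID as the supplemental-group range is presumably intentional (matching the upstream chart) but deserves a one-line comment, since group and user IDs need not coincide.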
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/external-access-svc.yaml 
@@ -0,0 +1,47 @@
+{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (not (eq .Values.externalAccess.service.type "ClusterIP")) }}
+{{- $fullName := include "mongodb.fullname" . }}
+{{- $replicaCount := .Values.replicaCount | int }}
+{{- $root := . }}
+
+{{- range $i, $e := until $replicaCount }}
+{{- $targetPod := printf "%s-%d" (printf "%s" $fullName) $i }}
+{{- $_ := set $ "targetPod" $targetPod }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ $fullName }}-{{ $i }}-external
+ namespace: {{ include "mongodb.namespace" $ }}
+ labels: {{- include "common.labels.standard" $ | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if $root.Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" $root.Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ pod: {{ $targetPod }}
+ {{- if $root.Values.externalAccess.service.annotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $root.Values.externalAccess.service.annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ $root.Values.externalAccess.service.type }}
+ {{- if eq $root.Values.externalAccess.service.type "LoadBalancer" }}
+ {{- if not (empty $root.Values.externalAccess.service.loadBalancerIPs) }}
+ loadBalancerIP: {{ index $root.Values.externalAccess.service.loadBalancerIPs $i }}
+ {{- end }}
+ {{- if $root.Values.externalAccess.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges: {{- toYaml $root.Values.externalAccess.service.loadBalancerSourceRanges | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ publishNotReadyAddresses: true
+ ports:
+ - name: {{ $root.Values.service.portName }}
+ port: {{ $root.Values.externalAccess.service.port }}
+ {{- if not (empty $root.Values.externalAccess.service.nodePorts) }}
+ nodePort: {{ index $root.Values.externalAccess.service.nodePorts $i }}
+ {{- end }}
+ targetPort: mongodb
+ selector: {{- include "common.labels.matchLabels" $ | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ statefulset.kubernetes.io/pod-name: {{ $targetPod }}
+---
+{{- end }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/headless-svc.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/headless-svc.yaml
new file mode 100644
index 000000000..0021352ec
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/headless-svc.yaml
@@ -0,0 +1,31 @@
+{{- if eq .Values.architecture "replicaset" }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "mongodb.service.nameOverride" . }}
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if or .Values.service.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.service.annotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.service.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ clusterIP: None
+ publishNotReadyAddresses: true
+ ports:
+ - name: {{ .Values.service.portName }}
+ port: {{ .Values.service.port }}
+ targetPort: mongodb
+ selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/pdb.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/pdb.yaml
new file mode 100644
index 000000000..94bd2aceb
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/pdb.yaml
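Review bot: `loadBalancerIP: {{ index $root.Values.externalAccess.service.loadBalancerIPs $i }}` and the matching `nodePort: {{ index ... nodePorts $i }}` are guarded only by `not (empty ...)`, so a list shorter than `replicaCount` aborts rendering with an index-out-of-range error instead of a readable message; the statefulset hunk later in this commit compares `len loadBalancerIPs` with `$replicaCount`, but only for the LoadBalancer type and only to suppress the StatefulSet, while this template still renders. A length guard such as `{{- if gt (len $root.Values.externalAccess.service.nodePorts) $i }}` (and the same for loadBalancerIPs), or a `fail` at the top of the file naming the expected list length, would make the mismatch explicit. Note also that the NodePort branch has no equivalent of `loadBalancerSourceRanges`, so each replica's mongodb port is reachable on every node of the cluster; a short comment at the `type:` line or in values.yaml pointing operators at network policy for that case would help.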
@@ -0,0 +1,25 @@
+{{- if and (eq .Values.architecture "replicaset") .Values.pdb.create }}
+apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.pdb.minAvailable }}
+ minAvailable: {{ .Values.pdb.minAvailable }}
+ {{- end }}
+ {{- if .Values.pdb.maxUnavailable }}
+ maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }}
+ app.kubernetes.io/component: mongodb
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/scripts-configmap.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/scripts-configmap.yaml
new file mode 100644
index 000000000..6b9d82a10
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/scripts-configmap.yaml
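Review bot: `minAvailable` and `maxUnavailable` are rendered by two independent `{{- if }}` blocks, so setting both values produces a PodDisruptionBudget the API server rejects (the fields are mutually exclusive), and leaving both unset produces a PDB with no budget at all. Turning the second block into `{{- else if .Values.pdb.maxUnavailable }}`, or adding a `fail` when both are set, would surface the misconfiguration at template time rather than at apply time. Minor style: `matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }}` uses `{{` where every other template in this commit writes `{{- include ... | nindent N }}`, which leaves a trailing space after the colon in the rendered output.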
@@ -0,0 +1,259 @@ +{{- if eq .Values.architecture "replicaset" }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "mongodb.fullname" . }}-scripts + namespace: {{ include "mongodb.namespace" . }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + {{- $fullname := include "mongodb.fullname" . }} + {{- $releaseNamespace := include "mongodb.namespace" . }} + {{- if and .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + auto-discovery.sh: |- + #!/bin/bash + + SVC_NAME="${MY_POD_NAME}-external" + + # Auxiliary functions + retry_while() { + local -r cmd="${1:?cmd is missing}" + local -r retries="${2:-12}" + local -r sleep_time="${3:-5}" + local return_value=1 + + read -r -a command <<< "$cmd" + for ((i = 1 ; i <= retries ; i+=1 )); do + "${command[@]}" && return_value=0 && break + sleep "$sleep_time" + done + return $return_value + } + k8s_svc_lb_ip() { + local namespace=${1:?namespace is missing} + local service=${2:?service is missing} + local service_ip=$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.status.loadBalancer.ingress[0].ip}") + local service_hostname=$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.status.loadBalancer.ingress[0].hostname}") + + if [[ -n ${service_ip} ]]; then + echo "${service_ip}" + else + echo "${service_hostname}" + fi + } + k8s_svc_lb_ip_ready() { + local namespace=${1:?namespace is missing} + local service=${2:?service is missing} + [[ -n "$(k8s_svc_lb_ip "$namespace" "$service")" ]] + } + # Wait until LoadBalancer IP is ready + retry_while "k8s_svc_lb_ip_ready {{ 
$releaseNamespace }} $SVC_NAME" || exit 1 + # Obtain LoadBalancer external IP + k8s_svc_lb_ip "{{ $releaseNamespace }}" "$SVC_NAME" | tee "$SHARED_FILE" + {{- end }} + setup.sh: |- + #!/bin/bash + + . /opt/bitnami/scripts/mongodb-env.sh + + {{- if .Values.externalAccess.enabled }} + {{- if eq .Values.externalAccess.service.type "LoadBalancer" }} + {{- if .Values.externalAccess.autoDiscovery.enabled }} + export MONGODB_ADVERTISED_HOSTNAME="$(<${SHARED_FILE})" + {{- else }} + ID="${MY_POD_NAME#"{{ $fullname }}-"}" + export MONGODB_ADVERTISED_HOSTNAME=$(echo '{{ .Values.externalAccess.service.loadBalancerIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + {{- end }} + {{- else if eq .Values.externalAccess.service.type "NodePort" }} + ID="${MY_POD_NAME#"{{ $fullname }}-"}" + export MONGODB_ADVERTISED_PORT_NUMBER=$(echo '{{ .Values.externalAccess.service.nodePorts }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + {{- if .Values.externalAccess.service.domain }} + export MONGODB_ADVERTISED_HOSTNAME={{ .Values.externalAccess.service.domain }} + {{- else }} + export MONGODB_ADVERTISED_HOSTNAME=$MY_POD_HOST_IP + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.replicaSetConfigurationSettings.enabled }} + # placed here before root password env is overwritten + # makes no assumption about starting state + # ensures that any stepDown or non-default starting state is handled + /scripts/replicaSetConfigurationSettings.sh & + {{- end }} + + echo "Advertised Hostname: $MONGODB_ADVERTISED_HOSTNAME" + echo "Advertised Port: $MONGODB_ADVERTISED_PORT_NUMBER" + + if [[ "$MY_POD_NAME" = "{{ $fullname }}-0" ]]; then + echo "Pod name matches initial primary pod name, configuring node as a primary" + export MONGODB_REPLICA_SET_MODE="primary" + else + echo "Pod name doesn't match initial primary pod name, configuring node as a secondary" + export MONGODB_REPLICA_SET_MODE="secondary" + export MONGODB_INITIAL_PRIMARY_ROOT_USER="$MONGODB_ROOT_USER" + export 
MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD="$MONGODB_ROOT_PASSWORD" + export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="$MONGODB_PORT_NUMBER" + export MONGODB_ROOT_PASSWORD="" + export MONGODB_EXTRA_USERNAMES="" + export MONGODB_EXTRA_DATABASES="" + export MONGODB_EXTRA_PASSWORDS="" + export MONGODB_ROOT_PASSWORD_FILE="" + export MONGODB_EXTRA_USERNAMES_FILE="" + export MONGODB_EXTRA_DATABASES_FILE="" + export MONGODB_EXTRA_PASSWORDS_FILE="" + fi + + exec /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh + setup-hidden.sh: |- + #!/bin/bash + + . /opt/bitnami/scripts/mongodb-env.sh + + {{- if .Values.externalAccess.hidden.enabled }} + {{- if eq .Values.externalAccess.hidden.service.type "LoadBalancer" }} + {{- if .Values.externalAccess.autoDiscovery.enabled }} + export MONGODB_ADVERTISED_HOSTNAME="$(<${SHARED_FILE})" + {{- else }} + ID="${MY_POD_NAME#"{{ $fullname }}-hidden-"}" + export MONGODB_ADVERTISED_HOSTNAME=$(echo '{{ .Values.externalAccess.hidden.service.loadBalancerIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + {{- end }} + {{- else if eq .Values.externalAccess.hidden.service.type "NodePort" }} + ID="${MY_POD_NAME#"{{ $fullname }}-hidden-"}" + export MONGODB_ADVERTISED_PORT_NUMBER=$(echo '{{ .Values.externalAccess.hidden.service.nodePorts }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + {{- if .Values.externalAccess.hidden.service.domain }} + export MONGODB_ADVERTISED_HOSTNAME={{ .Values.externalAccess.hidden.service.domain }} + {{- else }} + export MONGODB_ADVERTISED_HOSTNAME=$MY_POD_HOST_IP + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.replicaSetConfigurationSettings.enabled }} + # placed here before root password env is overwritten + # makes no assumption about starting state + # ensures that any stepDown or non-default starting state is handled + /scripts/replicaSetConfigurationSettings.sh & + {{- end }} + + echo "Advertised Hostname: $MONGODB_ADVERTISED_HOSTNAME" + echo "Advertised Port: 
$MONGODB_ADVERTISED_PORT_NUMBER" + echo "Configuring node as a hidden node" + export MONGODB_REPLICA_SET_MODE="hidden" + export MONGODB_INITIAL_PRIMARY_ROOT_USER="$MONGODB_ROOT_USER" + export MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD="$MONGODB_ROOT_PASSWORD" + export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="$MONGODB_PORT_NUMBER" + export MONGODB_ROOT_PASSWORD="" + export MONGODB_EXTRA_USERNAMES="" + export MONGODB_EXTRA_DATABASES="" + export MONGODB_EXTRA_PASSWORDS="" + export MONGODB_ROOT_PASSWORD_FILE="" + export MONGODB_EXTRA_USERNAMES_FILE="" + export MONGODB_EXTRA_DATABASES_FILE="" + export MONGODB_EXTRA_PASSWORDS_FILE="" + exec /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh + {{- if .Values.replicaSetConfigurationSettings.enabled }} + replicaSetConfigurationSettings.sh: |- + #!/bin/bash + # This script to be called when pod starts. + # This script sets rs settings which can not be applied via conf file + + function logger () + #$1 is the line to be logged + { + echo "replicaSetConfigurationSettings.sh -- ${1}" >&1 + } + + SLEEP_PERIOD=10 + + {{- if and .Values.auth.enabled .Values.auth.rootPassword }} + usernameAndPassword="-u root -p ${MONGODB_ROOT_PASSWORD}" + {{- else }} + usernameAndPassword="" + {{- end }} + + # load Values.replicaSetConfigurationSettings.configuration into associtive array which makes iterating and string manipulation easy + declare -A desiredRsConf + {{ range $setting, $value := .Values.replicaSetConfigurationSettings.configuration -}} + {{ printf "desiredRsConf[%s]='%v'" $setting $value }} + {{ end }} + + rsConfWriteAttempts=0 + rs_conf_configured_ok=unknown + + while [[ "${rs_conf_configured_ok}" != "true" ]]; do + + # give the rs setup a chance to succeed before attempting to read or configure + sleep ${SLEEP_PERIOD} + + counter=0 + while ! 
mongo ${usernameAndPassword} --eval 'rs.conf()'; do + counter=$((${counter} +1)) + logger "not yet able to read rs.conf settings from the currently running rs (after ${counter} attempts)" + sleep ${SLEEP_PERIOD} + done + counter=$((${counter} +1)) + logger "rs.conf settings have been read from the currently running rs (after ${counter} attempts)" + + # read rs.conf again and store it. settings format is '"" : ,' + currentRsConf=$(mongo ${usernameAndPassword} --eval 'rs.conf()') + + desiredEqualsactual=unknown + settingsToConfigure="" + for key in ${!desiredRsConf[@]}; do + value=${desiredRsConf[$key]} + if ! $(echo "\"${currentRsConf}"\" | grep -q -e "\"${key}\" : ${value},"); then + logger "rs conf setting: ${key} value will be set to: ${value}" + settingsToConfigure="${settingsToConfigure}cfg.settings.${key} = ${value}; " + desiredEqualsactual=false + else + logger "rs conf: ${key} is already at desired value: ${value}" + fi + done + + if [[ "${desiredEqualsactual}" != "false" ]]; then + logger "replicaSetConfigurationSettings match the settings of the currently running rs" + desiredEqualsactual=true + rs_conf_configured_ok=true + logger "Current settings match desired settings (There have been ${rsConfWriteAttempts} attempts to write to mongoDB rs configuration)" + exit + fi + + # apply the settings only if this member is currently the mongo replicaset PRIMARY + # it might take a little time before any pod is PRIMARY + isMaster=unknown + if ! 
mongo ${usernameAndPassword} --eval 'rs.isMaster()' | grep -q "ismaster\" : true"; then + isMaster=false + logger "This node is not yet PRIMARY - replicaSetConfigurationSettings will only be set on the member that is currently PRIMARY" + else + isMaster=true + logger "This node is PRIMARY" + fi + + if [[ "${isMaster}" == "true" ]]; then + logger "This node is currently PRIMARY - will apply rs.conf settings" + + # avoiding tricky string substitution with single quotes by making the eval string a set of vars + rsconf="cfg = rs.conf();" + rsreconf="rs.reconfig(cfg);" + rsCommand="${rsconf} ${settingsToConfigure} ${rsreconf}" + + mongo ${usernameAndPassword} --eval "${rsCommand}" + if [ $? -ne 0 ]; then + logger "Failed to apply mongodb cfg.settings configuration" + else + logger "mongodb replicaset cfg.settings configuration applied" + logger "Will check rs conf" + # don't exit just yet - the settings will be checked in the next loop + fi + rsConfWriteAttempts=$((${rsConfWriteAttempts} + 1 )) + fi + done + {{- end }} +{{- end }} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/statefulset.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/statefulset.yaml new file mode 100644 index 000000000..6fb98e59a --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/statefulset.yaml 
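Review bot: `usernameAndPassword="-u root -p ${MONGODB_ROOT_PASSWORD}"` in replicaSetConfigurationSettings.sh hard-codes the user as `root` even though the chart makes it configurable (`MONGODB_ROOT_USER` is set from `.Values.auth.rootUser` in the statefulset hunks of this commit), so with a non-default rootUser every `mongo ${usernameAndPassword} --eval` call fails to authenticate and the loop never exits; use `-u "${MONGODB_ROOT_USER}"`. The guard `{{- if and .Values.auth.enabled .Values.auth.rootPassword }}` also appears to leave the script unauthenticated when the password is supplied through the secret that `mongodb.secretName` resolves rather than through `auth.rootPassword`, if that existing-secret path is supported — worth confirming against _helpers.tpl. Separately, the expansion is unquoted at each call site, so a password containing whitespace is split into extra arguments, and the value is visible on the process command line inside the container; at minimum switch to an array, `mongoAuth=(-u "${MONGODB_ROOT_USER}" -p "${MONGODB_ROOT_PASSWORD}")` used as `"${mongoAuth[@]}"`, and note in the script header comment that the credential is exposed to anything that can list processes in the pod.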
@@ -0,0 +1,604 @@ +{{- if eq .Values.architecture "replicaset" }} +{{- $replicaCount := int .Values.replicaCount }} +{{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs }} +{{- if not (and .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerIPListLength )) (eq .Values.externalAccess.service.type "LoadBalancer")) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.labels }} + {{- include "common.tplvalues.render" (dict "value" .Values.labels "context" $) | nindent 4 }} + {{- end }} + {{- if or .Values.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + serviceName: {{ include "mongodb.service.nameOverride" . }} + podManagementPolicy: {{ .Values.podManagementPolicy }} + replicas: {{ .Values.replicaCount }} + updateStrategy: + type: {{ .Values.strategyType }} + {{- if (eq "OnDelete" .Values.strategyType) }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: mongodb + template: + metadata: + labels: {{- include "common.labels.standard" . 
| nindent 8 }} + app.kubernetes.io/component: mongodb + {{- if .Values.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }} + {{- end }} + {{- if or (include "mongodb.createConfigmap" .) .Values.podAnnotations }} + annotations: + {{- if (include "mongodb.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "mongodb" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "mongodb" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- 
if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- if .Values.runtimeClassName }} + runtimeClassName: {{ .Values.runtimeClassName }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if or .Values.initContainers (and .Values.volumePermissions.enabled .Values.persistence.enabled) (and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled) .Values.tls.enabled }} + initContainers: + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + - name: volume-permissions + image: {{ include "mongodb.volumePermissions.image" . 
}} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -ec + args: + - | + mkdir -p {{ .Values.persistence.mountPath }}{{- if .Values.persistence.subPath }}/{{ .Values.persistence.subPath }}{{- end }} + {{- if and .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled }} + chown -R "{{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}" "{{ .Values.persistence.mountPath }}{{- if .Values.persistence.subPath }}/{{ .Values.persistence.subPath }}{{- end }}" + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: datadir + mountPath: {{ .Values.persistence.mountPath }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + volumeMounts: + - name: certs-volume + mountPath: /certs/CAs + - name: certs + mountPath: /certs + command: + - sh + - "-c" + - | + /bin/bash <<'EOF' + my_hostname=$(hostname) + svc={{ include "mongodb.service.nameOverride" . 
}} + cp /certs/CAs/* /certs/ + cat >/certs/openssl.cnf < /certs/mongodb.pem + cd /certs/ + shopt -s extglob + rm -rf !(mongodb-ca-cert|mongodb.pem|CAs|openssl.cnf) + chmod 0600 mongodb-ca-cert mongodb.pem + EOF + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: auto-discovery + image: {{ include "mongodb.externalAccess.autoDiscovery.image" . }} + imagePullPolicy: {{ .Values.externalAccess.autoDiscovery.image.pullPolicy | quote }} + command: + - /scripts/auto-discovery.sh + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SHARED_FILE + value: "/shared/info.txt" + {{- if .Values.externalAccess.autoDiscovery.resources }} + resources: {{- toYaml .Values.externalAccess.autoDiscovery.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: shared + mountPath: /shared + - name: scripts + mountPath: /scripts/auto-discovery.sh + subPath: auto-discovery.sh + {{- end }} + {{- end }} + containers: + - name: mongodb + image: {{ include "mongodb.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- else }} + command: + - /scripts/setup.sh + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: SHARED_FILE + value: "/shared/info.txt" + {{- end }} + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: K8S_SERVICE_NAME + value: "{{ include "mongodb.service.nameOverride" . }}" + - name: MONGODB_INITIAL_PRIMARY_HOST + value: "{{ include "mongodb.fullname" . 
}}-0.$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + - name: MONGODB_REPLICA_SET_NAME + value: {{ .Values.replicaSetName | quote }} + {{- if and .Values.replicaSetHostnames (not .Values.externalAccess.enabled) }} + - name: MONGODB_ADVERTISED_HOSTNAME + value: "$(MY_POD_NAME).$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + {{- end }} + {{- $customUsers := include "mongodb.customUsers" . -}} + {{- $customDatabases := include "mongodb.customDatabases" . -}} + {{- if not (empty $customUsers) }} + - name: MONGODB_EXTRA_USERNAMES + value: {{ $customUsers | quote }} + {{- end }} + {{- if not (empty $customDatabases) }} + - name: MONGODB_EXTRA_DATABASES + value: {{ $customDatabases | quote }} + {{- end }} + {{- if .Values.auth.enabled }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + - name: MONGODB_EXTRA_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-passwords + {{- end }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + - name: MONGODB_REPLICA_SET_KEY + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-replica-set-key + {{- end }} + {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.auth.enabled }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-metrics-password + {{- end }} + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + - name: MONGODB_SYSTEM_LOG_VERBOSITY + value: {{ .Values.systemLogVerbosity | quote }} + - name: MONGODB_DISABLE_SYSTEM_LOG + value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }} + - name: MONGODB_DISABLE_JAVASCRIPT + value: {{ ternary "yes" "no" .Values.disableJavascript | quote }} + - name: MONGODB_ENABLE_JOURNAL + value: {{ ternary "yes" "no" .Values.enableJournal | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + - name: MONGODB_ENABLE_DIRECTORY_PER_DB + value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} + {{- $extraFlags := .Values.extraFlags | join " " -}} + {{- if .Values.tls.enabled }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.extraEnvVarsSecret . 
| quote }} + {{- end }} + {{- end }} + ports: + - containerPort: 27017 + name: mongodb + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + exec: + command: + - mongo + - --disableImplicitSessions + {{- if .Values.tls.enabled }} + - --tls + - --tlsCertificateKeyFile=/certs/mongodb.pem + - --tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + - --eval + - "db.adminCommand('ping')" + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- else if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + exec: + command: + - bash + - -ec + - | + {{- if .Values.tls.enabled }} + TLS_OPTIONS='--tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert' + {{- end }} + # Run the proper check depending on the version + [[ $(mongo --version | grep "MongoDB shell") =~ ([0-9]+\.[0-9]+\.[0-9]+) ]] && VERSION=${BASH_REMATCH[1]} + . 
/opt/bitnami/scripts/libversion.sh + VERSION_MAJOR="$(get_sematic_version "$VERSION" 1)" + VERSION_MINOR="$(get_sematic_version "$VERSION" 2)" + VERSION_PATCH="$(get_sematic_version "$VERSION" 3)" + if [[ "$VERSION_MAJOR" -ge 4 ]] && [[ "$VERSION_MINOR" -ge 4 ]] && [[ "$VERSION_PATCH" -ge 2 ]]; then + mongo --disableImplicitSessions $TLS_OPTIONS --eval 'db.hello().isWritablePrimary || db.hello().secondary' | grep -q 'true' + else + mongo --disableImplicitSessions $TLS_OPTIONS --eval 'db.isMaster().ismaster || db.isMaster().secondary' | grep -q 'true' + fi + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- else if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.startupProbe.enabled }} + startupProbe: + exec: + command: + - bash + - -ec + - | + {{- if .Values.tls.enabled }} + TLS_OPTIONS='--tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert' + {{- end }} + mongo --disableImplicitSessions $TLS_OPTIONS --eval 'db.hello().isWritablePrimary || db.hello().secondary' | grep -q 'true' + initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} + successThreshold: {{ .Values.startupProbe.successThreshold }} + failureThreshold: {{ .Values.startupProbe.failureThreshold }} + {{- else if .Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.resources }} + resources: 
{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: datadir + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + - name: scripts + mountPath: /scripts/setup.sh + subPath: setup.sh + {{ if .Values.replicaSetConfigurationSettings.enabled }} + - name: scripts + mountPath: /scripts/replicaSetConfigurationSettings.sh + subPath: replicaSetConfigurationSettings.sh + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: shared + mountPath: /shared + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- toYaml .Values.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "mongodb.metrics.image" . 
}} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else }} + args: + - | + /bin/mongodb_exporter --web.listen-address ":{{ .Values.metrics.containerPort }}" --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }} + {{- end }} + env: + {{- if .Values.auth.enabled }} + {{- if not .Values.metrics.username }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- else }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-metrics-password + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.metrics.containerPort }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: / + port: metrics + initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }} + successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }} + {{- end }} + {{- if .Values.metrics.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: / + port: metrics + initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }} + successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }} + {{- end }} + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "mongodb.initdbScriptsCM" . }} + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.configmapName" . 
}} + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: shared + emptyDir: {} + {{- end }} + - name: scripts + configMap: + name: {{ include "mongodb.fullname" . }}-scripts + defaultMode: 0755 + {{- if .Values.extraVolumes }} + {{- toYaml .Values.extraVolumes | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . }} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: datadir + {{- if .Values.persistence.medium }} + emptyDir: + medium: {{ .Values.persistence.medium | quote }} + {{- else }} + emptyDir: {} + {{- end }} + {{- else }} + volumeClaimTemplates: + - metadata: + name: datadir + {{- if .Values.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . 
| quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.volumeClaimTemplates.requests }} + {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.requests "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.persistence.volumeClaimTemplates.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.dataSource "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.persistence.volumeClaimTemplates.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }} + {{- end }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/svc.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/svc.yaml new file mode 100644 index 000000000..7b357e9b2 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/replicaset/svc.yaml 
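Review bot: The `generate-tls-certs` init container mounts the entire TLS secret — `mongodb-ca-key` included — into every replica through `certs-volume`, so each pod (and anyone who can exec into it or read that secret) holds the key that can mint a certificate the whole replica set trusts; its `cp /certs/CAs/* /certs/` also copies the CA key into the shared `certs` emptyDir before the `rm -rf !(mongodb-ca-cert|mongodb.pem|CAs|openssl.cnf)` removes it again. Unlike `volume-permissions` and the `mongodb` container, neither `generate-tls-certs` nor `auto-discovery` carries a `securityContext`, so both run with whatever user the image defaults to instead of `.Values.containerSecurityContext`. Consider issuing per-pod certificates out of band (cert-manager or a pre-generated secret) so that only `mongodb-ca-cert` has to reach the pods, and at least add `securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}` to both init containers — presumably fine as long as the pod `fsGroup` lets a non-root user read the 0600 secret files, which should be verified. Separately, the readiness probe's `[[ "$VERSION_MAJOR" -ge 4 ]] && [[ "$VERSION_MINOR" -ge 4 ]] && [[ "$VERSION_PATCH" -ge 2 ]]` is not a real version comparison (any 5.x, or 4.5.1, falls through to the legacy `isMaster` branch); it is only harmless because that fallback still works.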
@@ -0,0 +1,35 @@
+{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "ClusterIP") }}
+
+{{- $fullName := include "mongodb.fullname" . }}
+{{- $replicaCount := .Values.replicaCount | int }}
+{{- $root := . }}
+
+{{- range $i, $e := until $replicaCount }}
+{{- $targetPod := printf "%s-%d" (printf "%s" $fullName) $i }}
+{{- $_ := set $ "targetPod" $targetPod }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ $fullName }}-{{ $i }}
+ namespace: {{ include "mongodb.namespace" $ }}
+ labels: {{- include "common.labels.standard" $ | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if $root.Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" $root.Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if $root.Values.service.annotations }}
+ annotations: {{- include "common.tplvalues.render" (dict "value" $root.Values.service.annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ ports:
+ - name: {{ $root.Values.service.portName }}
+ port: {{ $root.Values.service.port }}
+ targetPort: mongodb
+ selector: {{- include "common.labels.matchLabels" $ | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ statefulset.kubernetes.io/pod-name: {{ $targetPod }}
+---
+{{- end }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/role.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/role.yaml
new file mode 100644
index 000000000..950654b06
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/role.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.rbac.create }}
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: Role
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+{{- if .Values.rbac.role.rules }}
+{{- toYaml .Values.rbac.role.rules | nindent 2 }}
+{{- end -}}
+{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}}
+{{- if and $pspAvailable .Values.podSecurityPolicy.create }}
+ - apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: [{{ include "mongodb.fullname" . }}]
+{{- end -}}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/rolebinding.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/rolebinding.yaml
new file mode 100644
index 000000000..714058ff8
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/rolebinding.yaml
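Review bot: The `services` get/list/watch rule is granted whenever `rbac.create` is true, yet the only consumer visible in this chart is the `auto-discovery` init container, which the StatefulSet adds only when `externalAccess.enabled` and `externalAccess.autoDiscovery.enabled` are both set with a LoadBalancer service. In the default in-cluster deployment every mongod pod therefore carries a token that can enumerate Services in its namespace for no purpose. Gate the rule on the same condition the StatefulSet uses, `{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }}` … `{{- end }}`, and keep `rules: []` as the fallback so the Role stays a valid object when nothing else is added; alternatively skip the Role and RoleBinding entirely when discovery is off.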
@@ -0,0 +1,19 @@
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: RoleBinding
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+roleRef:
+ kind: Role
+ name: {{ include "mongodb.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "mongodb.serviceAccountName" . }}
+ namespace: {{ include "mongodb.namespace" . }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/secrets-ca.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/secrets-ca.yaml
new file mode 100644
index 000000000..bf0815828
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/secrets-ca.yaml
@@ -0,0 +1,37 @@
+{{- if (include "mongodb.createTlsSecret" .) }}
+{{- $fullname := include "mongodb.fullname" . }}
+{{- $releaseNamespace := .Release.Namespace }}
+{{- $clusterDomain := .Values.clusterDomain }}
+{{- $cn := printf "%s.%s.svc.%s" $fullname .Release.Namespace $clusterDomain }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "mongodb.tlsSecretName" . }}
+ namespace: {{ template "mongodb.namespace" . }}
+ labels:
+ {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+data:
+ {{- if or .Values.tls.caCert .Values.tls.caKey (not .Values.tls.autoGenerated) }}
+ {{- $ca := buildCustomCert (required "A valid .Values.tls.caCert is required!" .Values.tls.caCert) (required "A valid .Values.tls.caKey is required!" .Values.tls.caKey) }}
+ {{- $cert := genSignedCert $cn nil nil 3650 $ca }}
+ {{- $pem := printf "%s%s" $cert.Cert $cert.Key }}
+ mongodb-ca-cert: {{ b64enc $ca.Cert }}
+ mongodb-ca-key: {{ b64enc $ca.Key }}
+ client-pem: {{ b64enc $pem }}
+ {{- else }}
+ {{- $ca:= genCA "myMongo-ca" 3650 }}
+ {{- $cert := genSignedCert $cn nil nil 3650 $ca }}
+ {{- $pem := printf "%s%s" $cert.Cert $cert.Key }}
+ mongodb-ca-cert: {{ b64enc $ca.Cert }}
+ mongodb-ca-key: {{ b64enc $ca.Key }}
+ client-pem: {{ b64enc $pem }}
+ {{- end }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/secrets.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/secrets.yaml
new file mode 100644
index 000000000..b2c160271
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/secrets.yaml
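Review bot: `$cn` is built from `.Release.Namespace` while the Secret itself, the StatefulSet and the Services resolve their namespace through `mongodb.namespace`, so with a namespace override the generated `client-pem` is issued for a DNS name that does not match the service, and the `$releaseNamespace` variable defined just above is never used. Use `{{- $cn := printf "%s.%s.svc.%s" $fullname (include "mongodb.namespace" .) $clusterDomain }}` and drop the dead variable. Two further caveats worth a comment in the template: `genSignedCert $cn nil nil 3650 $ca` issues a ten-year certificate with a CN and no SANs, which strict TLS clients refuse, and `genCA` runs on every render, so each `helm upgrade` with `tls.autoGenerated` mints a fresh CA (invalidating everything issued under the old one) unless `mongodb.createTlsSecret`, defined elsewhere, preserves the existing secret — if it does not, a `lookup` guard here would prevent silent CA rotation.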
@@ -0,0 +1,51 @@
+{{- if (include "mongodb.createSecret" .) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ template "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+data:
+ {{- if .Values.auth.rootPassword }}
+ mongodb-root-password: {{ .Values.auth.rootPassword | toString | b64enc | quote }}
+ {{- else }}
+ mongodb-root-password: {{ randAlphaNum 10 | b64enc | quote }}
+ {{- end }}
+ {{- $customUsers := include "mongodb.customUsers" . -}}
+ {{- $customDatabases := include "mongodb.customDatabases" . -}}
+ {{- $customPasswords := include "mongodb.customPasswords" . -}}
+ {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }}
+ {{- if not (empty $customPasswords) }}
+ mongodb-passwords: {{ $customPasswords | toString | b64enc | quote }}
+ {{- else }}
+ {{- $customUsersList := splitList "," $customUsers }}
+ {{- $customPasswordsList := list }}
+ {{- range $customUsersList }}
+ {{- $customPasswordsList = append $customPasswordsList (randAlphaNum 10) }}
+ {{- end }}
+ mongodb-passwords: {{ (join "," $customPasswordsList) | b64enc | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.metrics.username }}
+ {{- if .Values.metrics.password }}
+ mongodb-metrics-password: {{ .Values.metrics.password | toString | b64enc | quote }}
+ {{- else }}
+ mongodb-metrics-password: {{ randAlphaNum 10 | b64enc | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if eq .Values.architecture "replicaset" }}
+ {{- if .Values.auth.replicaSetKey }}
+ mongodb-replica-set-key: {{ .Values.auth.replicaSetKey | toString | b64enc | quote }}
+ {{- else }}
+ mongodb-replica-set-key: {{ randAlphaNum 10 | b64enc | quote }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/serviceaccount.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/serviceaccount.yaml
new file mode 100644
index 000000000..e5b3f724d
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/serviceaccount.yaml
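Review bot: Every auto-generated credential in this Secret uses `randAlphaNum 10` (roughly 59 bits), including `mongodb-replica-set-key`, which is the shared keyfile that authenticates every member of the replica set to the others and is never typed by a human, so there is no reason to keep it short. Use `randAlphaNum 32` (or longer) for the replica-set key and at least 16 characters for the root, custom-user and metrics passwords. Because these values are re-drawn on every render, a `helm upgrade` that does not pin `auth.rootPassword`/`auth.replicaSetKey` will rotate them in the Secret while the data directory on the PVC still holds the old ones, unless `mongodb.createSecret` (defined elsewhere) short-circuits on an existing secret — if it does not, add a `lookup`-based guard or at least warn in NOTES.txt.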
@@ -0,0 +1,22 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "mongodb.serviceAccountName" . }}
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.serviceAccount.annotations }}
+ {{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+secrets:
+ - name: {{ template "mongodb.fullname" . }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/servicemonitor.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/servicemonitor.yaml
new file mode 100644
index 000000000..e506b3031
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/servicemonitor.yaml
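Review bot: The `secrets:` stanza points the ServiceAccount at `{{ template "mongodb.fullname" . }}`, i.e. the MongoDB credential Secret, but a ServiceAccount's `secrets` list is meant for API-token secrets, and the pods read their credentials through `mongodb.secretName` (see the StatefulSet env block), so whenever an existing secret is supplied this entry is a dangling reference with no effect. Either drop the stanza or reference `include "mongodb.secretName" .` so the two stay in sync. A least-privilege improvement while here: set `automountServiceAccountToken: false` on the ServiceAccount (or template it from a value) so mongod pods only receive an API token when `externalAccess.autoDiscovery.enabled` actually needs one.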
@@ -0,0 +1,38 @@
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.serviceMonitor.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.metrics.serviceMonitor.additionalLabels }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.additionalLabels "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ endpoints:
+ - port: http-metrics
+ {{- if .Values.metrics.serviceMonitor.interval }}
+ interval: {{ .Values.metrics.serviceMonitor.interval }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.relabelings }}
+ relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.metricRelabelings }}
+ metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - "{{ include "mongodb.namespace" . }}"
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+ app.kubernetes.io/component: metrics
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/standalone/dep-sts.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/standalone/dep-sts.yaml
new file mode 100644
index 000000000..6deb7cbb8
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/standalone/dep-sts.yaml
@@ -0,0 +1,517 @@
+{{- if not (eq .Values.architecture "replicaset") }}
+apiVersion: {{ if .Values.useStatefulSet }}{{ include "common.capabilities.statefulset.apiVersion" . }}{{- else }}{{ include "common.capabilities.deployment.apiVersion" . }}{{- end }}
+kind: {{ if .Values.useStatefulSet }}StatefulSet{{- else }}Deployment{{- end }}
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if .Values.labels }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.labels "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if or .Values.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.annotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ replicas: 1
+ {{- if .Values.useStatefulSet }}
+ serviceName: {{ include "mongodb.fullname" . }}
+ updateStrategy:
+ {{- else }}
+ strategy:
+ {{- end }}
+ {{- if .Values.useStatefulSet }}
+ type: {{ .Values.strategyType }}
+ {{- else }}
+ type: Recreate
+ {{- end -}}
+ {{- if or (and (not .Values.useStatefulSet) (eq "Recreate" .Values.strategyType)) (and .Values.useStatefulSet (eq "OnDelete" .Values.strategyType)) }}
+ rollingUpdate: null
+ {{- end }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+ app.kubernetes.io/component: mongodb
+ template:
+ metadata:
+ labels: {{- include "common.labels.standard" . 
| nindent 8 }}
+ app.kubernetes.io/component: mongodb
+ {{- if .Values.podLabels }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }}
+ {{- end }}
+ {{- if or (include "mongodb.createConfigmap" .) .Values.podAnnotations }}
+ annotations:
+ {{- if (include "mongodb.createConfigmap" .) }}
+ checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ {{- end }}
+ {{- if .Values.podAnnotations }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ spec:
+ {{- include "mongodb.imagePullSecrets" . | nindent 6 }}
+ {{- if .Values.schedulerName }}
+ schedulerName: "{{ .Values.schedulerName }}"
+ {{- end }}
+ serviceAccountName: {{ template "mongodb.serviceAccountName" . }}
+ {{- if .Values.affinity }}
+ affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }}
+ {{- else }}
+ affinity:
+ podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "mongodb" "context" $) | nindent 10 }}
+ podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "mongodb" "context" $) | nindent 10 }}
+ nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
+ {{- end }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.hostAliases }}
+ hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if 
.Values.tolerations }}
+ tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName }}
+ {{- end }}
+ {{- if .Values.runtimeClassName }}
+ runtimeClassName: {{ .Values.runtimeClassName }}
+ {{- end }}
+ {{- if .Values.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ {{- if or .Values.initContainers (and .Values.volumePermissions.enabled .Values.persistence.enabled) .Values.tls.enabled }}
+ initContainers:
+ {{- if .Values.initContainers }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
+ - name: volume-permissions
+ image: {{ include "mongodb.volumePermissions.image" . }}
+ imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+ command:
+ - /bin/bash
+ - -ec
+ args:
+ - |
+ mkdir -p {{ .Values.persistence.mountPath }}{{- if .Values.persistence.subPath }}/{{ .Values.persistence.subPath }}{{- end }}
+ {{- if and .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled }}
+ chown -R "{{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}" "{{ .Values.persistence.mountPath }}{{- if .Values.persistence.subPath }}/{{ .Values.persistence.subPath }}{{- end }}"
+ {{- end }}
+ {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+ securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }}
+ {{- else }}
+ securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }}
+ {{- end }}
+ {{- if .Values.volumePermissions.resources }}
+ resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
+ {{- end }}
+ 
volumeMounts:
+ - name: datadir
+ mountPath: {{ .Values.persistence.mountPath }}
+ {{- end }}
+ {{- if .Values.tls.enabled }}
+ - name: generate-tls-certs
+ image: {{ include "mongodb.tls.image" . }}
+ imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }}
+ env:
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: certs-volume
+ mountPath: /certs/CAs
+ - name: certs
+ mountPath: /certs
+ command:
+ - sh
+ - "-c"
+ - |
+ /bin/bash <<'EOF'
+ my_hostname=$(hostname)
+ svc=$(echo -n "$my_hostname" | sed s/-[0-9]*$//)-headless
+ cp /certs/CAs/* /certs/
+ cat >/certs/openssl.cnf < /certs/mongodb.pem
+ cd /certs/
+ shopt -s extglob
+ rm -rf !(mongodb-ca-cert|mongodb.pem|CAs|openssl.cnf)
+ chmod 0600 mongodb-ca-cert mongodb.pem
+ EOF
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: mongodb
+ image: {{ include "mongodb.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
+ {{- if .Values.diagnosticMode.enabled }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
+ {{- else if .Values.command }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.diagnosticMode.enabled }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
+ {{- else if .Values.args }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }}
+ {{- end }}
+ env:
+ - name: BITNAMI_DEBUG
+ value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
+ {{- $customUsers := include "mongodb.customUsers" . -}}
+ {{- $customDatabases := include "mongodb.customDatabases" . 
-}}
+ {{- if not (empty $customUsers) }}
+ - name: MONGODB_EXTRA_USERNAMES
+ value: {{ $customUsers | quote }}
+ {{- end }}
+ {{- if not (empty $customDatabases) }}
+ - name: MONGODB_EXTRA_DATABASES
+ value: {{ $customDatabases | quote }}
+ {{- end }}
+ {{- if .Values.auth.enabled }}
+ {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }}
+ - name: MONGODB_EXTRA_PASSWORDS
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "mongodb.secretName" . }}
+ key: mongodb-passwords
+ {{- end }}
+ - name: MONGODB_ROOT_USER
+ value: {{ .Values.auth.rootUser | quote }}
+ - name: MONGODB_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "mongodb.secretName" . }}
+ key: mongodb-root-password
+ {{- end }}
+ {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }}
+ - name: MONGODB_METRICS_USERNAME
+ value: {{ .Values.metrics.username | quote }}
+ {{- if .Values.auth.enabled }}
+ - name: MONGODB_METRICS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "mongodb.secretName" . 
}}
+ key: mongodb-metrics-password
+ {{- end }}
+ {{- end }}
+ - name: ALLOW_EMPTY_PASSWORD
+ value: {{ ternary "no" "yes" .Values.auth.enabled | quote }}
+ - name: MONGODB_SYSTEM_LOG_VERBOSITY
+ value: {{ .Values.systemLogVerbosity | quote }}
+ - name: MONGODB_DISABLE_SYSTEM_LOG
+ value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }}
+ - name: MONGODB_DISABLE_JAVASCRIPT
+ value: {{ ternary "yes" "no" .Values.disableJavascript | quote }}
+ - name: MONGODB_ENABLE_JOURNAL
+ value: {{ ternary "yes" "no" .Values.enableJournal | quote }}
+ - name: MONGODB_ENABLE_IPV6
+ value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }}
+ - name: MONGODB_ENABLE_DIRECTORY_PER_DB
+ value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }}
+ {{- $extraFlags := .Values.extraFlags | join " " -}}
+ {{- if .Values.tls.enabled }}
+ {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert %s" .Values.tls.mode $extraFlags }}
+ {{- end }}
+ {{- if ne $extraFlags "" }}
+ - name: MONGODB_EXTRA_FLAGS
+ value: {{ $extraFlags | quote }}
+ {{- end }}
+ {{- if .Values.tls.enabled }}
+ - name: MONGODB_CLIENT_EXTRA_FLAGS
+ value: --tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert
+ {{- end }}
+ {{- if .Values.extraEnvVars }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }}
+ envFrom:
+ {{- if .Values.extraEnvVarsCM }}
+ - configMapRef:
+ name: {{ tpl .Values.extraEnvVarsCM . | quote }}
+ {{- end }}
+ {{- if .Values.extraEnvVarsSecret }}
+ - secretRef:
+ name: {{ tpl .Values.extraEnvVarsSecret . 
| quote }}
+ {{- end }}
+ {{- end }}
+ ports:
+ - name: mongodb
+ containerPort: 27017
+ {{- if not .Values.diagnosticMode.enabled }}
+ {{- if .Values.livenessProbe.enabled }}
+ livenessProbe:
+ exec:
+ command:
+ - mongo
+ - --disableImplicitSessions
+ {{- if .Values.tls.enabled }}
+ - --tls
+ - --tlsCertificateKeyFile=/certs/mongodb.pem
+ - --tlsCAFile=/certs/mongodb-ca-cert
+ {{- end }}
+ - --eval
+ - "db.adminCommand('ping')"
+ initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+ {{- else if .Values.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ {{- if not .Values.diagnosticMode.enabled }}
+ {{- if .Values.readinessProbe.enabled }}
+ readinessProbe:
+ exec:
+ command:
+ - bash
+ - -ec
+ - |
+ {{- if .Values.tls.enabled }}
+ TLS_OPTIONS='--tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert'
+ {{- end }}
+ # Run the proper check depending on the version
+ [[ $(mongo --version | grep "MongoDB shell") =~ ([0-9]+\.[0-9]+\.[0-9]+) ]] && VERSION=${BASH_REMATCH[1]}
+ . 
/opt/bitnami/scripts/libversion.sh
+ VERSION_MAJOR="$(get_sematic_version "$VERSION" 1)"
+ VERSION_MINOR="$(get_sematic_version "$VERSION" 2)"
+ VERSION_PATCH="$(get_sematic_version "$VERSION" 3)"
+ if [[ "$VERSION_MAJOR" -ge 4 ]] && [[ "$VERSION_MINOR" -ge 4 ]] && [[ "$VERSION_PATCH" -ge 2 ]]; then
+ mongo --disableImplicitSessions $TLS_OPTIONS --eval 'db.hello().isWritablePrimary || db.hello().secondary' | grep -q 'true'
+ else
+ mongo --disableImplicitSessions $TLS_OPTIONS --eval 'db.isMaster().ismaster || db.isMaster().secondary' | grep -q 'true'
+ fi
+ initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+ {{- else if .Values.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ {{- if not .Values.diagnosticMode.enabled }}
+ {{- if .Values.startupProbe.enabled }}
+ startupProbe:
+ exec:
+ command:
+ - bash
+ - -ec
+ - |
+ {{- if .Values.tls.enabled }}
+ TLS_OPTIONS='--tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert'
+ {{- end }}
+ mongo --disableImplicitSessions $TLS_OPTIONS --eval 'db.hello().isWritablePrimary || db.hello().secondary' | grep -q 'true'
+ initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.startupProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.startupProbe.successThreshold }}
+ failureThreshold: {{ .Values.startupProbe.failureThreshold }}
+ {{- else if .Values.customStartupProbe }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
+ {{- end 
}}
+ {{- end }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: datadir
+ mountPath: {{ .Values.persistence.mountPath }}
+ subPath: {{ .Values.persistence.subPath }}
+ {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
+ - name: custom-init-scripts
+ mountPath: /docker-entrypoint-initdb.d
+ {{- end }}
+ {{- if or .Values.configuration .Values.existingConfigmap }}
+ - name: config
+ mountPath: /opt/bitnami/mongodb/conf/mongodb.conf
+ subPath: mongodb.conf
+ {{- end }}
+ {{- if .Values.tls.enabled }}
+ - name: certs
+ mountPath: /certs
+ {{- end }}
+ {{- if .Values.extraVolumeMounts }}
+ {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+ {{- end }}
+ {{- if .Values.metrics.enabled }}
+ - name: metrics
+ image: {{ template "mongodb.metrics.image" . }}
+ imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
+ command:
+ - /bin/bash
+ - -ec
+ args:
+ - |
+ /bin/mongodb_exporter --web.listen-address ":{{ .Values.metrics.containerPort }}" --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }}
+ env:
+ {{- if .Values.auth.enabled }}
+ {{- if not .Values.metrics.username }}
+ - name: MONGODB_ROOT_USER
+ value: {{ .Values.auth.rootUser | quote }}
+ - name: MONGODB_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "mongodb.secretName" . }}
+ key: mongodb-root-password
+ {{- else }}
+ - name: MONGODB_METRICS_USERNAME
+ value: {{ .Values.metrics.username | quote }}
+ - name: MONGODB_METRICS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "mongodb.secretName" . 
}}
+ key: mongodb-metrics-password
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.tls.enabled }}
+ - name: certs
+ mountPath: /certs
+ {{- end }}
+ ports:
+ - name: metrics
+ containerPort: {{ .Values.metrics.containerPort }}
+ {{- if not .Values.diagnosticMode.enabled }}
+ {{- if .Values.metrics.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: /
+ port: metrics
+ initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }}
+ failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }}
+ successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }}
+ {{- end }}
+ {{- if .Values.metrics.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: /
+ port: metrics
+ initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }}
+ failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }}
+ successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.metrics.resources }}
+ resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.sidecars }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
+ {{- end }}
+ volumes:
+ {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
+ - name: custom-init-scripts
+ configMap:
+ name: {{ template "mongodb.initdbScriptsCM" . }}
+ {{- end }}
+ {{- if or .Values.configuration .Values.existingConfigmap }}
+ - name: config
+ configMap:
+ name: {{ include "mongodb.configmapName" . 
}}
+ {{- end }}
+ {{- if .Values.extraVolumes }}
+ {{- toYaml .Values.extraVolumes | nindent 8 }}
+ {{- end }}
+ {{- if .Values.tls.enabled }}
+ - name: certs
+ emptyDir: {}
+ - name: certs-volume
+ secret:
+ secretName: {{ template "mongodb.tlsSecretName" . }}
+ items:
+ - key: mongodb-ca-cert
+ path: mongodb-ca-cert
+ mode: 0600
+ - key: mongodb-ca-key
+ path: mongodb-ca-key
+ mode: 0600
+ {{- end }}
+ {{- if not .Values.persistence.enabled }}
+ - name: datadir
+ {{- if .Values.persistence.medium }}
+ emptyDir:
+ medium: {{ .Values.persistence.medium | quote }}
+ {{- else }}
+ emptyDir: {}
+ {{- end }}
+ {{- else if .Values.persistence.existingClaim }}
+ - name: datadir
+ persistentVolumeClaim:
+ claimName: {{ printf "%s" (tpl .Values.persistence.existingClaim .) }}
+ {{- else if not .Values.useStatefulSet }}
+ - name: datadir
+ persistentVolumeClaim:
+ claimName: {{ template "mongodb.fullname" . }}
+ {{- else }}
+ volumeClaimTemplates:
+ - metadata:
+ name: datadir
+ {{- if .Values.persistence.annotations }}
+ annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }}
+ {{- end }}
+ spec:
+ accessModes:
+ {{- range .Values.persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size | quote }}
+ {{- if .Values.persistence.volumeClaimTemplates.selector }}
+ selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }}
+ {{- end }}
+ {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }}
+ {{- end }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/standalone/pvc.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/standalone/pvc.yaml
new file mode 100644
index 000000000..eb102240a
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/standalone/pvc.yaml
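Review bot: The `certs-volume` entry in the `volumes:` section projects `mongodb-ca-key` into every MongoDB pod so that the `generate-tls-certs` init container can mint a per-pod certificate, which puts the CA private key on every node that schedules the workload and, after `cp /certs/CAs/* /certs/`, in the shared `certs` emptyDir until the `rm -rf !(...)` step deletes it; from a key-management standpoint the leaf certificate should be issued outside the pod (for example from a cert-manager Certificate) so that only `mongodb-ca-cert` and the leaf are mounted and the CA key never leaves the issuer. At minimum the `certs-volume` entry deserves a comment such as `# NOTE: mounts the CA private key into every pod; the init container uses it to sign the pod certificate`. Separately, the readiness probe's test `[[ "$VERSION_MAJOR" -ge 4 ]] && [[ "$VERSION_MINOR" -ge 4 ]] && [[ "$VERSION_PATCH" -ge 2 ]]` does not express "version ≥ 4.4.2" (4.5.0 or 5.0.0 take the legacy `isMaster` branch), so a proper comparison such as `if (( VERSION_MAJOR > 4 || (VERSION_MAJOR == 4 && (VERSION_MINOR > 4 || (VERSION_MINOR == 4 && VERSION_PATCH >= 2))) )); then` is needed. The init-container script as shown here reads `cat >/certs/openssl.cnf < /certs/mongodb.pem`, which looks like the heredoc body was lost in rendering rather than a defect in the chart itself; worth confirming against the packaged template.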
@@ -0,0 +1,30 @@
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) (not (eq .Values.architecture "replicaset")) (not .Values.useStatefulSet) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if or .Values.persistence.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.persistence.annotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.persistence.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ accessModes:
+ {{- range .Values.persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size | quote }}
+ {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/templates/standalone/svc.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/standalone/svc.yaml
new file mode 100644
index 000000000..d32826d22
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/templates/standalone/svc.yaml
@@ -0,0 +1,46 @@
+{{- if not (eq .Values.architecture "replicaset") }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if or .Values.service.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.service.annotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.service.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ type: {{ .Values.service.type }}
+ {{- if and (eq .Values.service.type "ClusterIP") .Values.service.clusterIP }}
+ clusterIP: {{ .Values.service.clusterIP }}
+ {{- end }}
+ {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+ {{- end }}
+ {{- if .Values.service.externalIPs }}
+ externalIPs: {{ toYaml .Values.service.externalIPs | nindent 4 }}
+ {{- end }}
+ {{- if .Values.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}
+ {{- end }}
+ ports:
+ - name: {{ .Values.service.portName }}
+ port: {{ .Values.service.port }}
+ targetPort: mongodb
+ {{- if and (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) .Values.service.nodePort }}
+ nodePort: {{ .Values.service.nodePort }}
+ {{- else if eq .Values.service.type "ClusterIP" }}
+ nodePort: null
+ {{- end }}
+ selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+{{- end }}
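Review bot: `externalIPs: {{ toYaml .Values.service.externalIPs | nindent 4 }}` is the one templated list in this file without the `{{-` chomp that the neighbouring `loadBalancerSourceRanges` line uses, so it renders `externalIPs:` followed by trailing whitespace before the list; `externalIPs: {{- toYaml .Values.service.externalIPs | nindent 4 }}` keeps the two consistent. Since `type` may be `LoadBalancer` or `NodePort`, which publish the database port outside the cluster, and `loadBalancerSourceRanges` is emitted only when the value is set (and is honoured only for `LoadBalancer`), a comment above that block such as `# source-range restriction applies only when set and only to LoadBalancer services; NodePort exposure is unrestricted here` would make the exposure trade-off explicit for operators reading the rendered template.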
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/values.schema.json b/charts/shipa/shipa/1.7.200/charts/mongodb/values.schema.json
new file mode 100644
index 000000000..be8e54b45
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/values.schema.json
@@ -0,0 +1,173 @@
+{
+ "$schema": "http://json-schema.org/schema#",
+ "type": "object",
+ "properties": {
+ "architecture": {
+ "type": "string",
+ "title": "MongoDB® architecture",
+ "form": true,
+ "description": "Allowed values: `standalone` or `replicaset`"
+ },
+ "auth": {
+ "type": "object",
+ "title": "Authentication configuration",
+ "form": true,
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "title": "Enable Authentication",
+ "form": true
+ },
+ "rootUser": {
+ "type": "string",
+ "title": "MongoDB® admin user",
+ "form": true,
+ "description": "Name of the admin user. Default is root"
+ },
+ "rootPassword": {
+ "type": "string",
+ "title": "MongoDB® admin password",
+ "form": true,
+ "description": "Defaults to a random 10-character alphanumeric string if not set",
+ "hidden": {
+ "value": false,
+ "path": "auth/enabled"
+ }
+ },
+ "database": {
+ "type": "string",
+ "title": "MongoDB® custom database",
+ "description": "Name of the custom database to be created during the 1st initialization of MongoDB®",
+ "form": true
+ },
+ "username": {
+ "type": "string",
+ "title": "MongoDB® custom user",
+ "description": "Name of the custom user to be created during the 1st initialization of MongoDB®. 
This user only has permissions on the MongoDB® custom database",
+ "form": true
+ },
+ "password": {
+ "type": "string",
+ "title": "Password for MongoDB® custom user",
+ "form": true,
+ "description": "Defaults to a random 10-character alphanumeric string if not set",
+ "hidden": {
+ "value": false,
+ "path": "auth/enabled"
+ }
+ },
+ "replicaSetKey": {
+ "type": "string",
+ "title": "Key used for replica set authentication",
+ "form": true,
+ "description": "Defaults to a random 10-character alphanumeric string if not set",
+ "hidden": {
+ "value": "standalone",
+ "path": "architecture"
+ }
+ }
+ }
+ },
+ "replicaCount": {
+ "type": "integer",
+ "form": true,
+ "title": "Number of MongoDB® replicas",
+ "hidden": {
+ "value": "standalone",
+ "path": "architecture"
+ }
+ },
+ "configuration": {
+ "type": "string",
+ "title": "MongoDB® Custom Configuration",
+ "form": true,
+ "render": "textArea"
+ },
+ "arbiter": {
+ "type": "object",
+ "title": "Arbiter configuration",
+ "form": true,
+ "properties": {
+ "configuration": {
+ "type": "string",
+ "title": "Arbiter Custom Configuration",
+ "form": true,
+ "render": "textArea",
+ "hidden": {
+ "value": "standalone",
+ "path": "architecture"
+ }
+ }
+ }
+ },
+ "persistence": {
+ "type": "object",
+ "title": "Persistence configuration",
+ "form": true,
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "form": true,
+ "title": "Enable persistence",
+ "description": "Enable persistence using Persistent Volume Claims"
+ },
+ "size": {
+ "type": "string",
+ "title": "Persistent Volume Size",
+ "form": true,
+ "render": "slider",
+ "sliderMin": 1,
+ "sliderMax": 100,
+ "sliderUnit": "Gi",
+ "hidden": {
+ "value": false,
+ "path": "persistence/enabled"
+ }
+ }
+ }
+ },
+ "volumePermissions": {
+ "type": "object",
+ "hidden": {
+ "value": false,
+ "path": "persistence/enabled"
+ },
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "form": true,
+ "title": "Enable Init Containers",
+ "description": "Use an init 
container to set required folder permissions on the data volume before mounting it in the final destination"
+ }
+ }
+ },
+ "metrics": {
+ "type": "object",
+ "form": true,
+ "title": "Prometheus metrics details",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "title": "Create Prometheus metrics exporter",
+ "description": "Create a side-car container to expose Prometheus metrics",
+ "form": true
+ },
+ "serviceMonitor": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "title": "Create Prometheus Operator ServiceMonitor",
+ "description": "Create a ServiceMonitor to track metrics using Prometheus Operator",
+ "form": true,
+ "hidden": {
+ "value": false,
+ "path": "metrics/enabled"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/charts/shipa/shipa/1.7.200/charts/mongodb/values.yaml b/charts/shipa/shipa/1.7.200/charts/mongodb/values.yaml
new file mode 100644
index 000000000..466a62588
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/charts/mongodb/values.yaml
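Review bot: `architecture` is declared only as `"type": "string"` even though its own description limits it to `standalone` or `replicaset`, and the `hidden` rules elsewhere in the schema compare it against `"standalone"`; the templates in this commit select the standalone Deployment with `not (eq .Values.architecture "replicaset")`, so a typo in this field silently deploys a single unauthenticated-to-replication standalone instead of failing validation. Adding `"enum": ["standalone", "replicaset"]` to that property lets the form and `helm lint` reject the value up front.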
@@ -0,0 +1,1702 @@
+## @section Global parameters
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
+##
+
+## @param global.imageRegistry Global Docker image registry
+## @param global.imagePullSecrets Global Docker registry secret names as an array
+## @param global.storageClass Global StorageClass for Persistent Volume(s)
+## @param global.namespaceOverride Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride
+##
+global:
+ imageRegistry: ""
+ ## E.g.
+ ## imagePullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ imagePullSecrets: []
+ storageClass: ""
+ namespaceOverride: ""
+
+## @section Common parameters
+##
+
+## @param nameOverride String to partially override mongodb.fullname template (will maintain the release name)
+##
+nameOverride: ""
+## @param fullnameOverride String to fully override mongodb.fullname template
+##
+fullnameOverride: ""
+## @param clusterDomain Default Kubernetes cluster domain
+##
+clusterDomain: cluster.local
+## @param extraDeploy Array of extra objects to deploy with the release
+## extraDeploy:
+## This needs to be uncommented and added to 'extraDeploy' in order to use the replicaset 'mongo-labeler' sidecar
+## for dynamically discovering the mongodb primary pod
+## suggestion is to use a hard-coded and predictable TCP port for the primary mongodb pod (here is 30001, choose your own)
+## - apiVersion: v1
+## kind: Service
+## metadata:
+## name: mongodb-primary
+## namespace: the-mongodb-namespace
+## labels:
+## app.kubernetes.io/component: mongodb
+## app.kubernetes.io/instance: mongodb
+## app.kubernetes.io/managed-by: Helm
+## app.kubernetes.io/name: mongodb
+## spec:
+## type: NodePort
+## externalTrafficPolicy: Cluster
+## ports:
+## - name: mongodb
+##
port: 30001
+## nodePort: 30001
+## protocol: TCP
+## targetPort: mongodb
+## selector:
+## app.kubernetes.io/component: mongodb
+## app.kubernetes.io/instance: mongodb
+## app.kubernetes.io/name: mongodb
+## primary: "true"
+##
+extraDeploy: []
+## @param commonLabels Add labels to all the deployed resources (sub-charts are not considered). Evaluated as a template
+##
+commonLabels: {}
+## @param commonAnnotations Common annotations to add to all Mongo resources (sub-charts are not considered). Evaluated as a template
+##
+commonAnnotations: {}
+
+## Enable diagnostic mode in the deployment
+##
+diagnosticMode:
+ ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
+ ##
+ enabled: false
+ ## @param diagnosticMode.command Command to override all containers in the deployment
+ ##
+ command:
+ - sleep
+ ## @param diagnosticMode.args Args to override all containers in the deployment
+ ##
+ args:
+ - infinity
+
+## @section MongoDB(®) parameters
+##
+
+## Bitnami MongoDB(®) image
+## ref: https://hub.docker.com/r/bitnami/mongodb/tags/
+## @param image.registry MongoDB(®) image registry
+## @param image.repository MongoDB(®) image registry
+## @param image.tag MongoDB(®) image tag (immutable tags are recommended)
+## @param image.pullPolicy MongoDB(®) image pull policy
+## @param image.pullSecrets Specify docker-registry secret names as an array
+## @param image.debug Set to true if you would like to see extra information on logs
+##
+image:
+ registry: docker.io
+ repository: bitnami/mongodb
+ tag: 4.4.12-debian-10-r35
+ ## Specify a imagePullPolicy
+ ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Set to true if you would like to see extra information on logs
+ ##
+ debug: false
+
+## @param schedulerName Name of the scheduler (other than default) to dispatch pods
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+schedulerName: ""
+## @param architecture MongoDB(®) architecture (`standalone` or `replicaset`)
+##
+architecture: standalone
+## @param useStatefulSet Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`)
+##
+useStatefulSet: false
+## MongoDB(®) Authentication parameters
+##
+auth:
+ ## @param auth.enabled Enable authentication
+ ## ref: https://docs.mongodb.com/manual/tutorial/enable-authentication/
+ ##
+ enabled: true
+ ## @param auth.rootUser MongoDB(®) root user
+ ##
+ rootUser: root
+ ## @param auth.rootPassword MongoDB(®) root password
+ ## ref: https://github.com/bitnami/bitnami-docker-mongodb/blob/master/README.md#setting-the-root-password-on-first-run
+ ##
+ rootPassword: ""
+ ## MongoDB(®) custom users and databases
+ ## ref: https://github.com/bitnami/bitnami-docker-mongodb/blob/master/README.md#creating-users-and-databases-on-first-run
+ ## @param auth.usernames List of custom users to be created during the initialization
+ ## @param auth.passwords List of passwords for the custom users set at `auth.usernames`
+ ## @param auth.databases List of custom databases to be created during the initialization
+ ##
+ usernames: []
+ passwords: []
+ databases: []
+ ## @param auth.username DEPRECATED: use `auth.usernames` instead
+ ## @param auth.password DEPRECATED: use `auth.passwords` instead
+ ## @param auth.database DEPRECATED: use `auth.databases` instead
+ username: ""
+ password: ""
+ database: ""
+ ## @param auth.replicaSetKey Key used for authentication in the
replicaset (only when `architecture=replicaset`)
+ ##
+ replicaSetKey: ""
+ ## @param auth.existingSecret Existing secret with MongoDB(®) credentials (keys: `mongodb-password`, `mongodb-root-password`, ` mongodb-replica-set-key`)
+ ## NOTE: When it's set the previous parameters are ignored.
+ ##
+ existingSecret: ""
+tls:
+ ## @param tls.enabled Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes
+ ##
+ enabled: false
+ ## @param tls.autoGenerated Generate a custom CA and self-signed certificates
+ ##
+ autoGenerated: true
+ ## @param tls.existingSecret Existing secret with TLS certificates (keys: `mongodb-ca-cert`, `mongodb-ca-key`, `client-pem`)
+ ## NOTE: When it's set it will disable certificate creation
+ ##
+ existingSecret: ""
+ ## Add Custom CA certificate
+ ## @param tls.caCert Custom CA certificated (base64 encoded)
+ ## @param tls.caKey CA certificate private key (base64 encoded)
+ ##
+ caCert: ""
+ caKey: ""
+ ## Bitnami Nginx image
+ ## @param tls.image.registry Init container TLS certs setup image registry
+ ## @param tls.image.repository Init container TLS certs setup image repository
+ ## @param tls.image.tag Init container TLS certs setup image tag (immutable tags are recommended)
+ ## @param tls.image.pullPolicy Init container TLS certs setup image pull policy
+ ## @param tls.extraDnsNames Add extra dns names to the CA, can solve x509 auth issue for pod clients
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/nginx
+ tag: 1.21.6-debian-10-r30
+ pullPolicy: IfNotPresent
+ ## e.g:
+ ## extraDnsNames
+ ## "DNS.6": "$my_host"
+ ## "DNS.7": "$test"
+ ##
+ extraDnsNames: []
+ ## @param tls.mode Allows to set the tls mode which should be used when tls is enabled (options: `allowTLS`, `preferTLS`, `requireTLS`)
+ ##
+ mode: requireTLS
+## @param hostAliases Add deployment host aliases
+## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+##
+hostAliases: []
+## @param replicaSetName Name of the replica set (only when `architecture=replicaset`)
+## Ignored when mongodb.architecture=standalone
+##
+replicaSetName: rs0
+## @param replicaSetHostnames Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`)
+## Ignored when mongodb.architecture=standalone
+## Ignored when externalAccess.enabled=true
+##
+replicaSetHostnames: true
+## @param enableIPv6 Switch to enable/disable IPv6 on MongoDB(®)
+## ref: https://github.com/bitnami/bitnami-docker-mongodb/blob/master/README.md#enabling/disabling-ipv6
+##
+enableIPv6: false
+## @param directoryPerDB Switch to enable/disable DirectoryPerDB on MongoDB(®)
+## ref: https://github.com/bitnami/bitnami-docker-mongodb/blob/master/README.md#enabling/disabling-directoryperdb
+##
+directoryPerDB: false
+## MongoDB(®) System Log configuration
+## ref: https://github.com/bitnami/bitnami-docker-mongodb#configuring-system-log-verbosity-level
+## @param systemLogVerbosity MongoDB(®) system log verbosity level
+## @param disableSystemLog Switch to enable/disable MongoDB(®) system log
+##
+systemLogVerbosity: 0
+disableSystemLog: false
+## @param disableJavascript Switch to enable/disable MongoDB(®) server-side JavaScript execution
+## ref: https://docs.mongodb.com/manual/core/server-side-javascript/
+##
+disableJavascript: false
+## @param enableJournal Switch to enable/disable MongoDB(®) Journaling
+## ref: https://docs.mongodb.com/manual/reference/configuration-options/#mongodb-setting-storage.journal.enabled
+##
+enableJournal: true
+## @param configuration MongoDB(®) configuration file to be used for Primary and Secondary nodes
+## For documentation of all options, see: http://docs.mongodb.org/manual/reference/configuration-options/
+## Example:
+## configuration: |-
+## # where and how to store data.
+## storage:
+## dbPath: /bitnami/mongodb/data/db
+## journal:
+## enabled: true
+## directoryPerDB: false
+## # where to write logging data
+## systemLog:
+## destination: file
+## quiet: false
+## logAppend: true
+## logRotate: reopen
+## path: /opt/bitnami/mongodb/logs/mongodb.log
+## verbosity: 0
+## # network interfaces
+## net:
+## port: 27017
+## unixDomainSocket:
+## enabled: true
+## pathPrefix: /opt/bitnami/mongodb/tmp
+## ipv6: false
+## bindIpAll: true
+## # replica set options
+## #replication:
+## #replSetName: replicaset
+## #enableMajorityReadConcern: true
+## # process management options
+## processManagement:
+## fork: false
+## pidFilePath: /opt/bitnami/mongodb/tmp/mongodb.pid
+## # set parameter options
+## setParameter:
+## enableLocalhostAuthBypass: true
+## # security options
+## security:
+## authorization: disabled
+## #keyFile: /opt/bitnami/mongodb/conf/keyfile
+##
+configuration: ""
+## @section replicaSetConfigurationSettings settings applied during runtime (not via configuration file)
+## If enabled, these are applied by a script which is called within setup.sh
+## for documentation see https://docs.mongodb.com/manual/reference/replica-configuration/#replica-set-configuration-fields
+## @param replicaSetConfigurationSettings.enabled Enable MongoDB(®) Switch to enable/disable configuring MongoDB(®) run time rs.conf settings
+## @param replicaSetConfigurationSettings.configuration run-time rs.conf settings
+##
+replicaSetConfigurationSettings:
+ enabled: false
+ configuration: {}
+## chainingAllowed : false
+## heartbeatTimeoutSecs : 10
+## heartbeatIntervalMillis : 2000
+## electionTimeoutMillis : 10000
+## catchUpTimeoutMillis : 30000
+## @param existingConfigmap Name of existing ConfigMap with MongoDB(®) configuration for Primary and Secondary nodes
+## NOTE: When it's set the arbiter.configuration parameter is ignored
+##
+existingConfigmap: ""
+## @param initdbScripts Dictionary of initdb scripts
+## Specify dictionary of scripts to
be run at first boot
+## Example:
+## initdbScripts:
+## my_init_script.sh: |
+## #!/bin/bash
+## echo "Do something."
+##
+initdbScripts: {}
+## @param initdbScriptsConfigMap Existing ConfigMap with custom initdb scripts
+##
+initdbScriptsConfigMap: ""
+## Command and args for running the container (set to default if not set). Use array form
+## @param command Override default container command (useful when using custom images)
+## @param args Override default container args (useful when using custom images)
+##
+command: []
+args: []
+## @param extraFlags MongoDB(®) additional command line flags
+## Example:
+## extraFlags:
+## - "--wiredTigerCacheSizeGB=2"
+##
+extraFlags: []
+## @param extraEnvVars Extra environment variables to add to MongoDB(®) pods
+## E.g:
+## extraEnvVars:
+## - name: FOO
+## value: BAR
+##
+extraEnvVars: []
+## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars
+##
+extraEnvVarsCM: ""
+## @param extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data)
+##
+extraEnvVarsSecret: ""
+
+## @section MongoDB(®) statefulset parameters
+##
+
+## @param annotations Additional labels to be added to the MongoDB(®) statefulset. Evaluated as a template
+##
+annotations: {}
+## @param labels Annotations to be added to the MongoDB(®) statefulset. Evaluated as a template
+##
+labels: {}
+## @param replicaCount Number of MongoDB(®) nodes (only when `architecture=replicaset`)
+## Ignored when mongodb.architecture=standalone
+##
+replicaCount: 2
+## @param strategyType StrategyType for MongoDB(®) statefulset
+## It can be set to RollingUpdate or Recreate by default.
+##
+strategyType: RollingUpdate
+## @param podManagementPolicy Pod management policy for MongoDB(®)
+## Should be initialized one by one when building the replicaset for the first time
+##
+podManagementPolicy: OrderedReady
+## @param podAffinityPreset MongoDB(®) Pod affinity preset. Ignored if `affinity` is set.
Allowed values: `soft` or `hard`
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+##
+podAffinityPreset: ""
+## @param podAntiAffinityPreset MongoDB(®) Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+##
+podAntiAffinityPreset: soft
+## Node affinity preset
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+##
+nodeAffinityPreset:
+ ## @param nodeAffinityPreset.type MongoDB(®) Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param nodeAffinityPreset.key MongoDB(®) Node label key to match Ignored if `affinity` is set.
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## @param nodeAffinityPreset.values MongoDB(®) Node label values to match. Ignored if `affinity` is set.
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+## @param affinity MongoDB(®) Affinity for pod assignment
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
+##
+affinity: {}
+## @param nodeSelector MongoDB(®) Node labels for pod assignment
+## ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+## @param tolerations MongoDB(®) Tolerations for pod assignment
+## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+##
+tolerations: []
+## @param topologySpreadConstraints MongoDB(®) Spread Constraints for Pods
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+##
+topologySpreadConstraints: []
+## @param podLabels MongoDB(®) pod labels
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+##
+podLabels: {}
+## @param podAnnotations MongoDB(®) Pod annotations
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+##
+podAnnotations: {}
+## @param priorityClassName Name of the existing priority class to be used by MongoDB(®) pod(s)
+## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+##
+priorityClassName: ""
+## @param runtimeClassName Name of the runtime class to be used by MongoDB(®) pod(s)
+## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
+##
+runtimeClassName: ""
+## MongoDB(®) pods' Security Context.
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+## @param podSecurityContext.enabled Enable MongoDB(®) pod(s)' Security Context
+## @param podSecurityContext.fsGroup Group ID for the volumes of the MongoDB(®) pod(s)
+## @param podSecurityContext.sysctls sysctl settings of the MongoDB(®) pod(s)'
+##
+podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+ ## sysctl settings
+ ## Example:
+ ## sysctls:
+ ## - name: net.core.somaxconn
+ ## value: "10000"
+ ##
+ sysctls: []
+## MongoDB(®) containers' Security Context (main and metrics container).
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+## @param containerSecurityContext.enabled Enable MongoDB(®) container(s)' Security Context
+## @param containerSecurityContext.runAsUser User ID for the MongoDB(®) container
+## @param containerSecurityContext.runAsNonRoot Set MongoDB(®) container's Security Context runAsNonRoot
+##
+containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ runAsNonRoot: true
+## MongoDB(®) containers' resource requests and limits.
+## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+## We usually recommend not to specify default resources and to leave this as a conscious
+## choice for the user. This also increases chances charts run on environments with little
+## resources, such as Minikube. If you do want to specify resources, uncomment the following
+## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+## @param resources.limits The resources limits for MongoDB(®) containers
+## @param resources.requests The requested resources for MongoDB(®) containers
+##
+resources:
+ ## Example:
+ ## limits:
+ ## cpu: 100m
+ ## memory: 128Mi
+ ##
+ limits: {}
+ ## Examples:
+ ## requests:
+ ## cpu: 100m
+ ## memory: 128Mi
+ ##
+ requests: {}
+## MongoDB(®) pods' liveness probe. Evaluated as a template.
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+## @param livenessProbe.enabled Enable livenessProbe
+## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+## @param livenessProbe.periodSeconds Period seconds for livenessProbe
+## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
+## @param livenessProbe.successThreshold Success threshold for livenessProbe
+##
+livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+## MongoDB(®) pods' readiness probe. Evaluated as a template.
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+## @param readinessProbe.enabled Enable readinessProbe
+## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+## @param readinessProbe.periodSeconds Period seconds for readinessProbe
+## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
+## @param readinessProbe.successThreshold Success threshold for readinessProbe
+##
+readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+## Slow starting containers can be protected through startup probes
+## Startup probes are available in Kubernetes version 1.16 and above
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
+## @param startupProbe.enabled Enable startupProbe
+## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+## @param startupProbe.periodSeconds Period seconds for startupProbe
+## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
+## @param
startupProbe.failureThreshold Failure threshold for startupProbe
+## @param startupProbe.successThreshold Success threshold for startupProbe
+##
+startupProbe:
+ enabled: false
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 30
+## @param customLivenessProbe Override default liveness probe for MongoDB(®) containers
+## Ignored when livenessProbe.enabled=true
+##
+customLivenessProbe: {}
+## @param customReadinessProbe Override default readiness probe for MongoDB(®) containers
+## Ignored when readinessProbe.enabled=true
+##
+customReadinessProbe: {}
+## @param customStartupProbe Override default startup probe for MongoDB(®) containers
+## Ignored when startupProbe.enabled=true
+##
+customStartupProbe: {}
+## @param initContainers Add additional init containers for the hidden node pod(s)
+## Example:
+## initContainers:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234
+##
+initContainers: []
+## @param sidecars Add additional sidecar containers for the MongoDB(®) pod(s)
+## Example:
+## sidecars:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234
+## This is an optional 'mongo-labeler' sidecar container that tracks replica-set for the primary mongodb pod
+## and labels it dynamically with ' primary: "true" ' in order for an extra-deployed service to always expose
+## and attach to the primary pod, this needs to be uncommented along with the suggested 'extraDeploy' example
+## and the suggested rbac example for the pod to be allowed adding labels to mongo replica pods
+## search 'mongo-labeler' through this file to find the sections that needs to be uncommented to make it work
+##
+## - name: mongo-labeler
+## image: korenlev/k8s-mongo-labeler-sidecar
+## imagePullPolicy: Always
+## env:
+## - name: LABEL_SELECTOR
+## value:
"app.kubernetes.io/component=mongodb,app.kubernetes.io/instance=mongodb,app.kubernetes.io/name=mongodb" +## - name: NAMESPACE +## value: "the-mongodb-namespace" +## - name: DEBUG +## value: "true" +## +sidecars: [] +## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MongoDB(®) container(s) +## Examples: +## extraVolumeMounts: +## - name: extras +## mountPath: /usr/share/extras +## readOnly: true +## +extraVolumeMounts: [] +## @param extraVolumes Optionally specify extra list of additional volumes to the MongoDB(®) statefulset +## extraVolumes: +## - name: extras +## emptyDir: {} +## +extraVolumes: [] +## MongoDB(®) Pod Disruption Budget configuration +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +## +pdb: + ## @param pdb.create Enable/disable a Pod Disruption Budget creation for MongoDB(®) pod(s) + ## + create: false + ## @param pdb.minAvailable Minimum number/percentage of MongoDB(®) pods that must still be available after the eviction + ## + minAvailable: 1 + ## @param pdb.maxUnavailable Maximum number/percentage of MongoDB(®) pods that may be made unavailable after the eviction + ## + maxUnavailable: "" + +## @section Traffic exposure parameters +## + +## Service parameters +## +service: + ## @param service.nameOverride MongoDB(®) service name + ## + nameOverride: "" + ## @param service.type Kubernetes Service type + ## + type: ClusterIP + ## @param service.port MongoDB(®) service port + ## + port: 27017 + ## @param service.portName MongoDB(®) service port name + ## + portName: mongodb + ## @param service.nodePort Port to bind to for NodePort and LoadBalancer service types + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePort: "" + ## @param service.clusterIP MongoDB(®) service cluster IP + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.externalIPs Specify the externalIP value ClusterIP service type. 
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
+ ##
+ externalIPs: []
+ ## @param service.loadBalancerIP loadBalancerIP for MongoDB(®) Service
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
+ ##
+ loadBalancerIP: ""
+ ## @param service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ##
+ loadBalancerSourceRanges: []
+ ## @param service.annotations Provide any additional annotations that may be required
+ ##
+ annotations: {}
+## External Access to MongoDB(®) nodes configuration
+##
+externalAccess:
+ ## @param externalAccess.enabled Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture)
+ ##
+ enabled: false
+ ## External IPs auto-discovery configuration
+ ## An init container is used to auto-detect LB IPs or node ports by querying the K8s API
+ ## Note: RBAC might be required
+ ##
+ autoDiscovery:
+ ## @param externalAccess.autoDiscovery.enabled Enable using an init container to auto-detect external IPs by querying the K8s API
+ ##
+ enabled: false
+ ## Bitnami Kubectl image
+ ## ref: https://hub.docker.com/r/bitnami/kubectl/tags/
+ ## @param externalAccess.autoDiscovery.image.registry Init container auto-discovery image registry
+ ## @param externalAccess.autoDiscovery.image.repository Init container auto-discovery image repository
+ ## @param externalAccess.autoDiscovery.image.tag Init container auto-discovery image tag (immutable tags are recommended)
+ ## @param externalAccess.autoDiscovery.image.pullPolicy Init container auto-discovery image pull policy
+ ## @param externalAccess.autoDiscovery.image.pullSecrets Init container auto-discovery image pull secrets
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/kubectl
+ tag: 1.23.4-debian-10-r7
+ ##
Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## Example:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Init Container resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## We usually recommend not to specify default resources and to leave this as a conscious
+ ## choice for the user. This also increases chances charts run on environments with little
+ ## resources, such as Minikube. If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ## @param externalAccess.autoDiscovery.resources.limits Init container auto-discovery resource limits
+ ## @param externalAccess.autoDiscovery.resources.requests Init container auto-discovery resource requests
+ ##
+ resources:
+ ## Example:
+ ## limits:
+ ## cpu: 100m
+ ## memory: 128Mi
+ ##
+ limits: {}
+ ## Examples:
+ ## requests:
+ ## cpu: 100m
+ ## memory: 128Mi
+ ##
+ requests: {}
+ ## Parameters to configure K8s service(s) used to externally access MongoDB(®)
+ ## A new service per broker will be created
+ ##
+ service:
+ ## @param externalAccess.service.type Kubernetes Service type for external access.
Allowed values: NodePort, LoadBalancer or ClusterIP
+ ##
+ type: LoadBalancer
+ ## @param externalAccess.service.port MongoDB(®) port used for external access when service type is LoadBalancer
+ ##
+ port: 27017
+ ## @param externalAccess.service.loadBalancerIPs Array of load balancer IPs for MongoDB(®) nodes
+ ## Example:
+ ## loadBalancerIPs:
+ ## - X.X.X.X
+ ## - Y.Y.Y.Y
+ ##
+ loadBalancerIPs: []
+ ## @param externalAccess.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## Example:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param externalAccess.service.nodePorts Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort
+ ## Example:
+ ## nodePorts:
+ ## - 30001
+ ## - 30002
+ ##
+ nodePorts: []
+ ## @param externalAccess.service.domain Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort
+ ## If not specified, the container will try to get the kubernetes node external IP
+ ## e.g:
+ ## domain: mydomain.com
+ ##
+ domain: ""
+ ## @param externalAccess.service.annotations Service annotations for external access
+ ##
+ annotations: {}
+ ## External Access to MongoDB(®) Hidden nodes configuration
+ ##
+ hidden:
+ ## @param externalAccess.hidden.enabled Enable Kubernetes external cluster access to MongoDB(®) hidden nodes
+ ##
+ enabled: false
+ ## Parameters to configure K8s service(s) used to externally access MongoDB(®)
+ ## A new service per broker will be created
+ ##
+ service:
+ ## @param externalAccess.hidden.service.type Kubernetes Service type for external access.
Allowed values: NodePort or LoadBalancer
+ ##
+ type: LoadBalancer
+ ## @param externalAccess.hidden.service.port MongoDB(®) port used for external access when service type is LoadBalancer
+ ##
+ port: 27017
+ ## @param externalAccess.hidden.service.loadBalancerIPs Array of load balancer IPs for MongoDB(®) nodes
+ ## Example:
+ ## loadBalancerIPs:
+ ## - X.X.X.X
+ ## - Y.Y.Y.Y
+ ##
+ loadBalancerIPs: []
+ ## @param externalAccess.hidden.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## Example:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param externalAccess.hidden.service.nodePorts Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort. Length must be the same as replicaCount
+ ## Example:
+ ## nodePorts:
+ ## - 30001
+ ## - 30002
+ ##
+ nodePorts: []
+ ## @param externalAccess.hidden.service.domain Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort
+ ## If not specified, the container will try to get the kubernetes node external IP
+ ## e.g:
+ ## domain: mydomain.com
+ ##
+ domain: ""
+ ## @param externalAccess.hidden.service.annotations Service annotations for external access
+ ##
+ annotations: {}
+
+## @section Persistence parameters
+##
+
+## Enable persistence using Persistent Volume Claims
+## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
+##
+persistence:
+ ## @param persistence.enabled Enable MongoDB(®) data persistence using PVC
+ ##
+ enabled: true
+ ## @param persistence.medium Provide a medium for `emptyDir` volumes.
+ ## Requires persistence.enabled: false
+ ##
+ medium: ""
+ ## @param persistence.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`)
+ ## Requires persistence.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ ## Ignored when mongodb.architecture=replicaset
+ ##
+ existingClaim: ""
+ ## @param persistence.storageClass PVC Storage Class for MongoDB(®) data volume
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner.
+ ##
+ storageClass: ""
+ ## @param persistence.accessModes PV Access Mode
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param persistence.size PVC Storage Request for MongoDB(®) data volume
+ ##
+ size: 8Gi
+ ## @param persistence.annotations PVC annotations
+ ##
+ annotations: {}
+ ## @param persistence.mountPath Path to mount the volume at
+ ## MongoDB(®) images.
+ ##
+ mountPath: /bitnami/mongodb
+ ## @param persistence.subPath Subdirectory of the volume to mount at
+ ## and one PV for multiple services.
+ ##
+ subPath: ""
+ ## Fine tuning for volumeClaimTemplates
+ ##
+ volumeClaimTemplates:
+ ## @param persistence.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes)
+ ## A label query over volumes to consider for binding (e.g.
when using local volumes)
+ ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details
+ ##
+ selector: {}
+ ## @param persistence.volumeClaimTemplates.requests Custom PVC requests attributes
+ ## Sometime cloud providers use additional requests attributes to provision custom storage instance
+ ## See https://cloud.ibm.com/docs/containers?topic=containers-file_storage#file_dynamic_statefulset
+ ##
+ requests: {}
+ ## @param persistence.volumeClaimTemplates.dataSource Add dataSource to the VolumeClaimTemplate
+ ##
+ dataSource: {}
+
+## @section RBAC parameters
+##
+
+## ServiceAccount
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+##
+serviceAccount:
+ ## @param serviceAccount.create Enable creation of ServiceAccount for MongoDB(®) pods
+ ##
+ create: true
+ ## @param serviceAccount.name Name of the created serviceAccount
+ ## If not set and create is true, a name is generated using the mongodb.fullname template
+ ##
+ name: ""
+ ## @param serviceAccount.annotations Additional Service Account annotations
+ ##
+ annotations: {}
+## Role Based Access
+## ref: https://kubernetes.io/docs/admin/authorization/rbac/
+##
+rbac:
+ ## @param rbac.create Whether to create & use RBAC resources or not
+ ## binding MongoDB(®) ServiceAccount to a role
+ ## that allows MongoDB(®) pods querying the K8s API
+ ## this needs to be set to 'true' to enable the mongo-labeler sidecar primary mongodb discovery
+ ##
+ create: false
+ role:
+ ## @param rbac.role.rules Custom rules to create following the role specification
+ ## The example below needs to be uncommented to use the 'mongo-labeler' sidecar for dynamic discovery of the primary mongodb pod:
+ ## rules:
+ ## - apiGroups:
+ ## - ""
+ ## resources:
+ ## - pods
+ ## verbs:
+ ## - get
+ ## - list
+ ## - watch
+ ## - update
+ ##
+ rules: []
+## PodSecurityPolicy configuration
+## Be sure to also set rbac.create to true, otherwise Role
and RoleBinding won't be created.
+## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+##
+podSecurityPolicy:
+ ## @param podSecurityPolicy.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later
+ ##
+ create: false
+ ## @param podSecurityPolicy.allowPrivilegeEscalation Enable privilege escalation
+ ## Either use predefined policy with some adjustments or use `podSecurityPolicy.spec`
+ ##
+ allowPrivilegeEscalation: false
+ ## @param podSecurityPolicy.privileged Allow privileged
+ ##
+ privileged: false
+ ## @param podSecurityPolicy.spec Specify the full spec to use for Pod Security Policy
+ ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+ ## Defining a spec ignores the above values.
+ ##
+ spec: {}
+ ## Example:
+ ## allowPrivilegeEscalation: false
+ ## fsGroup:
+ ## rule: 'MustRunAs'
+ ## ranges:
+ ## - min: 1001
+ ## max: 1001
+ ## hostIPC: false
+ ## hostNetwork: false
+ ## hostPID: false
+ ## privileged: false
+ ## readOnlyRootFilesystem: false
+ ## requiredDropCapabilities:
+ ## - ALL
+ ## runAsUser:
+ ## rule: 'MustRunAs'
+ ## ranges:
+ ## - min: 1001
+ ## max: 1001
+ ## seLinux:
+ ## rule: 'RunAsAny'
+ ## supplementalGroups:
+ ## rule: 'MustRunAs'
+ ## ranges:
+ ## - min: 1001
+ ## max: 1001
+ ## volumes:
+ ## - 'configMap'
+ ## - 'secret'
+ ## - 'emptyDir'
+ ## - 'persistentVolumeClaim'
+ ##
+
+## @section Volume Permissions parameters
+##
+
+## Init Container parameters
+## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component
+## values from the securityContext section of the component
+##
+volumePermissions:
+ ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup`
+ ##
+ enabled: false
+ ## @param volumePermissions.image.registry Init container volume-permissions
image registry
+ ## @param volumePermissions.image.repository Init container volume-permissions image repository
+ ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
+ ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
+ ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/bitnami-shell
+ tag: 10-debian-10-r350
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## Example:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Init Container resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## We usually recommend not to specify default resources and to leave this as a conscious
+ ## choice for the user. This also increases chances charts run on environments with little
+ ## resources, such as Minikube. If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ## @param volumePermissions.resources.limits Init container volume-permissions resource limits
+ ## @param volumePermissions.resources.requests Init container volume-permissions resource requests
+ ##
+ resources:
+ ## Example:
+ ## limits:
+ ## cpu: 100m
+ ## memory: 128Mi
+ ##
+ limits: {}
+ ## Examples:
+ ## requests:
+ ## cpu: 100m
+ ## memory: 128Mi
+ ##
+ requests: {}
+ ## Init container Security Context
+ ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
+ ## and not the below volumePermissions.securityContext.runAsUser
+ ## When runAsUser is set to special value "auto", init container will try to chwon the
+ ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
+ ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed).
+ ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with
+ ## podSecurityContext.enabled=false,containerSecurityContext.enabled=false and shmVolume.chmod.enabled=false
+ ## @param volumePermissions.securityContext.runAsUser User ID for the volumePermissions container
+ ##
+ securityContext:
+ runAsUser: 0
+
+## @section Arbiter parameters
+##
+
+arbiter:
+ ## @param arbiter.enabled Enable deploying the arbiter
+ ## https://docs.mongodb.com/manual/tutorial/add-replica-set-arbiter/
+ ##
+ enabled: true
+ ## @param arbiter.configuration Arbiter configuration file to be used
+ ## http://docs.mongodb.org/manual/reference/configuration-options/
+ ##
+ configuration: ""
+ ## @param arbiter.hostAliases Add deployment host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: []
+ ## @param arbiter.existingConfigmap Name of existing ConfigMap with Arbiter configuration
+ ## NOTE: When it's set the arbiter.configuration parameter is ignored
+ ##
+ existingConfigmap: ""
+ ## Command and args for running the
container (set to default if not set). Use array form
+ ## @param arbiter.command Override default container command (useful when using custom images)
+ ## @param arbiter.args Override default container args (useful when using custom images)
+ ##
+ command: []
+ args: []
+ ## @param arbiter.extraFlags Arbiter additional command line flags
+ ## Example:
+ ## extraFlags:
+ ## - "--wiredTigerCacheSizeGB=2"
+ ##
+ extraFlags: []
+ ## @param arbiter.extraEnvVars Extra environment variables to add to Arbiter pods
+ ## E.g:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: BAR
+ ##
+ extraEnvVars: []
+ ## @param arbiter.extraEnvVarsCM Name of existing ConfigMap containing extra env vars
+ ##
+ extraEnvVarsCM: ""
+ ## @param arbiter.extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data)
+ ##
+ extraEnvVarsSecret: ""
+ ## @param arbiter.annotations Additional labels to be added to the Arbiter statefulset
+ ##
+ annotations: {}
+ ## @param arbiter.labels Annotations to be added to the Arbiter statefulset
+ ##
+ labels: {}
+ ## @param arbiter.podAffinityPreset Arbiter Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param arbiter.podAntiAffinityPreset Arbiter Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## Node affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param arbiter.nodeAffinityPreset.type Arbiter Node affinity preset type. Ignored if `affinity` is set.
Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param arbiter.nodeAffinityPreset.key Arbiter Node label key to match Ignored if `affinity` is set.
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## @param arbiter.nodeAffinityPreset.values Arbiter Node label values to match. Ignored if `affinity` is set.
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+ ## @param arbiter.affinity Arbiter Affinity for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## Note: arbiter.podAffinityPreset, arbiter.podAntiAffinityPreset, and arbiter.nodeAffinityPreset will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param arbiter.nodeSelector Arbiter Node labels for pod assignment
+ ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+ ## @param arbiter.tolerations Arbiter Tolerations for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param arbiter.podLabels Arbiter pod labels
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param arbiter.podAnnotations Arbiter Pod annotations
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param arbiter.priorityClassName Name of the existing priority class to be used by Arbiter pod(s)
+ ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+ ##
+ priorityClassName: ""
+ ## @param arbiter.runtimeClassName Name of the runtime class to be used by Arbiter pod(s)
+ ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
+ ##
+ runtimeClassName: ""
+ ## MongoDB(®) Arbiter pods' Security Context.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param arbiter.podSecurityContext.enabled Enable Arbiter pod(s)' Security Context
+ ## @param arbiter.podSecurityContext.fsGroup Group ID for the volumes of the Arbiter pod(s)
+ ## @param arbiter.podSecurityContext.sysctls sysctl settings of the Arbiter pod(s)'
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+ ## sysctl settings
+ ## Example:
+ ## sysctls:
+ ## - name: net.core.somaxconn
+ ## value: "10000"
+ ##
+ sysctls: []
+ ## MongoDB(®) Arbiter containers' Security Context (only main container).
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param arbiter.containerSecurityContext.enabled Enable Arbiter container(s)' Security Context
+ ## @param arbiter.containerSecurityContext.runAsUser User ID for the Arbiter container
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ ## MongoDB(®) Arbiter containers' resource requests and limits.
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## We usually recommend not to specify default resources and to leave this as a conscious
+ ## choice for the user. This also increases chances charts run on environments with little
+ ## resources, such as Minikube. If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ## @param arbiter.resources.limits The resources limits for Arbiter containers
+ ## @param arbiter.resources.requests The requested resources for Arbiter containers
+ ##
+ resources:
+ ## Example:
+ ## limits:
+ ## cpu: 100m
+ ## memory: 128Mi
+ ##
+ limits: {}
+ ## Examples:
+ ## requests:
+ ## cpu: 100m
+ ## memory: 128Mi
+ ##
+ requests: {}
+ ## MongoDB(®) Arbiter pods' liveness probe. Evaluated as a template.
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+ ## @param arbiter.livenessProbe.enabled Enable livenessProbe
+ ## @param arbiter.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param arbiter.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param arbiter.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param arbiter.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param arbiter.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## MongoDB(®) Arbiter pods' readiness probe. Evaluated as a template.
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+ ## @param arbiter.readinessProbe.enabled Enable readinessProbe
+ ## @param arbiter.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param arbiter.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param arbiter.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param arbiter.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param arbiter.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param arbiter.customLivenessProbe Override default liveness probe for Arbiter containers
+ ## Ignored when arbiter.livenessProbe.enabled=true
+ ##
+ customLivenessProbe: {}
+ ## @param arbiter.customReadinessProbe Override default readiness probe for Arbiter containers
+ ## Ignored when arbiter.readinessProbe.enabled=true
+ ##
+ customReadinessProbe: {}
+ ## @param arbiter.initContainers Add additional init containers for the Arbiter
pod(s)
+ ## Example:
+ ## initContainers:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ initContainers: []
+ ## @param arbiter.sidecars Add additional sidecar containers for the Arbiter pod(s)
+ ## Example:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: []
+ ## @param arbiter.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Arbiter container(s)
+ ## Examples:
+ ## extraVolumeMounts:
+ ## - name: extras
+ ## mountPath: /usr/share/extras
+ ## readOnly: true
+ ##
+ extraVolumeMounts: []
+ ## @param arbiter.extraVolumes Optionally specify extra list of additional volumes to the Arbiter statefulset
+ ## extraVolumes:
+ ## - name: extras
+ ## emptyDir: {}
+ ##
+ extraVolumes: []
+ ## MongoDB(®) Arbiter Pod Disruption Budget configuration
+ ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ ##
+ pdb:
+ ## @param arbiter.pdb.create Enable/disable a Pod Disruption Budget creation for Arbiter pod(s)
+ ##
+ create: false
+ ## @param arbiter.pdb.minAvailable Minimum number/percentage of Arbiter pods that should remain scheduled
+ ##
+ minAvailable: 1
+ ## @param arbiter.pdb.maxUnavailable Maximum number/percentage of Arbiter pods that may be made unavailable
+ ##
+ maxUnavailable: ""
+ ## MongoDB(®) Arbiter service parameters
+ ##
+ service:
+ ## @param arbiter.service.nameOverride The arbiter service name
+ ##
+ nameOverride: ""
+
+## @section Hidden Node parameters
+##
+
+hidden:
+ ## @param hidden.enabled Enable deploying the hidden nodes
+ ## https://docs.mongodb.com/manual/tutorial/configure-a-hidden-replica-set-member/
+ ##
+ enabled: false
+ ## @param hidden.configuration Hidden node configuration file to be used
+ ## http://docs.mongodb.org/manual/reference/configuration-options/
+ ##
+
configuration: ""
+ ## @param hidden.existingConfigmap Name of existing ConfigMap with Hidden node configuration
+ ## NOTE: When it's set the hidden.configuration parameter is ignored
+ ##
+ existingConfigmap: ""
+ ## Command and args for running the container (set to default if not set). Use array form
+ ## @param hidden.command Override default container command (useful when using custom images)
+ ## @param hidden.args Override default container args (useful when using custom images)
+ ##
+ command: []
+ args: []
+ ## @param hidden.extraFlags Hidden node additional command line flags
+ ## Example:
+ ## extraFlags:
+ ## - "--wiredTigerCacheSizeGB=2"
+ ##
+ extraFlags: []
+ ## @param hidden.extraEnvVars Extra environment variables to add to Hidden node pods
+ ## E.g:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: BAR
+ ##
+ extraEnvVars: []
+ ## @param hidden.extraEnvVarsCM Name of existing ConfigMap containing extra env vars
+ ##
+ extraEnvVarsCM: ""
+ ## @param hidden.extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data)
+ ##
+ extraEnvVarsSecret: ""
+ ## @param hidden.annotations Additional labels to be added to thehidden node statefulset
+ ##
+ annotations: {}
+ ## @param hidden.labels Annotations to be added to the hidden node statefulset
+ ##
+ labels: {}
+ ## @param hidden.replicaCount Number of hidden nodes (only when `architecture=replicaset`)
+ ## Ignored when mongodb.architecture=standalone
+ ##
+ replicaCount: 1
+ ## @param hidden.strategyType StrategyType for hidden node statefulset
+ ## It can be set to RollingUpdate or Recreate by default.
+ ##
+ strategyType: RollingUpdate
+ ## @param hidden.podManagementPolicy Pod management policy for hidden node
+ ##
+ podManagementPolicy: OrderedReady
+ ## @param hidden.podAffinityPreset Hidden node Pod affinity preset. Ignored if `affinity` is set.
Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param hidden.podAntiAffinityPreset Hidden node Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## Node affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ## Allowed values: soft, hard
+ ##
+ nodeAffinityPreset:
+ ## @param hidden.nodeAffinityPreset.type Hidden Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param hidden.nodeAffinityPreset.key Hidden Node label key to match Ignored if `affinity` is set.
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## @param hidden.nodeAffinityPreset.values Hidden Node label values to match. Ignored if `affinity` is set.
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+ ## @param hidden.affinity Hidden node Affinity for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param hidden.nodeSelector Hidden node Node labels for pod assignment
+ ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+ ## @param hidden.tolerations Hidden node Tolerations for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param hidden.podLabels Hidden node pod labels
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param hidden.podAnnotations Hidden node Pod annotations
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param hidden.priorityClassName Name of the existing priority class to be used by hidden node pod(s)
+ ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+ ##
+ priorityClassName: ""
+ ## @param hidden.runtimeClassName Name of the runtime class to be used by hidden node pod(s)
+ ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
+ ##
+ runtimeClassName: ""
+ ## MongoDB(®) Hidden containers' resource requests and limits.
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## We usually recommend not to specify default resources and to leave this as a conscious
+ ## choice for the user. This also increases chances charts run on environments with little
+ ## resources, such as Minikube. If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ## @param hidden.resources.limits The resources limits for hidden node containers
+ ## @param hidden.resources.requests The requested resources for hidden node containers
+ ##
+ resources:
+ ## Example:
+ ## limits:
+ ## cpu: 100m
+ ## memory: 128Mi
+ ##
+ limits: {}
+ ## Examples:
+ ## requests:
+ ## cpu: 100m
+ ## memory: 128Mi
+ ##
+ requests: {}
+ ## MongoDB(®) Hidden pods' liveness probe. Evaluated as a template.
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+ ## @param hidden.livenessProbe.enabled Enable livenessProbe
+ ## @param hidden.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param hidden.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param hidden.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param hidden.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param hidden.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## MongoDB(®) Hidden pods' readiness probe. Evaluated as a template.
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+ ## @param hidden.readinessProbe.enabled Enable readinessProbe
+ ## @param hidden.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param hidden.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param hidden.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param hidden.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param hidden.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param hidden.customLivenessProbe Override default liveness probe for hidden node containers
+ ## Ignored when livenessProbe.enabled=true
+ ##
+ customLivenessProbe: {}
+ ## @param hidden.customReadinessProbe Override default readiness probe for hidden node containers
+ ## Ignored when readinessProbe.enabled=true
+ ##
+ customReadinessProbe: {}
+ ## @param hidden.initContainers Add init containers to the MongoDB(®) Hidden pods.
+ ## Example:
+ ## initContainers:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ initContainers: []
+ ## @param hidden.sidecars Add additional sidecar containers for the hidden node pod(s)
+ ## Example:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: []
+ ## @param hidden.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the hidden node container(s)
+ ## Examples:
+ ## extraVolumeMounts:
+ ## - name: extras
+ ## mountPath: /usr/share/extras
+ ## readOnly: true
+ ##
+ extraVolumeMounts: []
+ ## @param hidden.extraVolumes Optionally specify extra list of additional volumes to the hidden node statefulset
+ ## extraVolumes:
+ ## - name: extras
+ ## emptyDir: {}
+ ##
+ extraVolumes: []
+ ## MongoDB(®) Hidden Pod Disruption Budget configuration
+ ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ ##
+ pdb:
+ ## @param hidden.pdb.create Enable/disable a Pod Disruption Budget creation for hidden node pod(s)
+ ##
+ create: false
+ ## @param hidden.pdb.minAvailable Minimum number/percentage of hidden node pods that should remain scheduled
+ ##
+ minAvailable: 1
+ ## @param hidden.pdb.maxUnavailable Maximum number/percentage of hidden node pods that may be made unavailable
+ ##
+ maxUnavailable: ""
+ ## Enable persistence using Persistent Volume Claims
+ ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ persistence:
+ ## @param hidden.persistence.enabled Enable hidden node data persistence using PVC
+ ##
+ enabled: true
+ ## @param hidden.persistence.medium Provide a medium for `emptyDir` volumes.
+ ## Requires hidden.persistence.enabled: false
+ ##
+ medium: ""
+ ## @param hidden.persistence.storageClass PVC Storage Class for hidden node data volume
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner.
+ ##
+ storageClass: ""
+ ## @param hidden.persistence.accessModes PV Access Mode
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param hidden.persistence.size PVC Storage Request for hidden node data volume
+ ##
+ size: 8Gi
+ ## @param hidden.persistence.annotations PVC annotations
+ ##
+ annotations: {}
+ ## @param hidden.persistence.mountPath The path the volume will be mounted at, useful when using different MongoDB(®) images.
+ ##
+ mountPath: /bitnami/mongodb
+ ## @param hidden.persistence.subPath The subdirectory of the volume to mount to, useful in dev environments
+ ## and one PV for multiple services.
+ ##
+ subPath: ""
+ ## Fine tuning for volumeClaimTemplates
+ ##
+ volumeClaimTemplates:
+ ## @param hidden.persistence.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g.
when using local volumes)
+ ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details
+ ##
+ selector: {}
+ ## @param hidden.persistence.volumeClaimTemplates.dataSource Set volumeClaimTemplate dataSource
+ ##
+ dataSource: {}
+
+## @section Metrics parameters
+##
+
+metrics:
+ ## @param metrics.enabled Enable using a sidecar Prometheus exporter
+ ##
+ enabled: false
+ ## Bitnami MongoDB(®) Promtheus Exporter image
+ ## ref: https://hub.docker.com/r/bitnami/mongodb-exporter/tags/
+ ## @param metrics.image.registry MongoDB(®) Prometheus exporter image registry
+ ## @param metrics.image.repository MongoDB(®) Prometheus exporter image repository
+ ## @param metrics.image.tag MongoDB(®) Prometheus exporter image tag (immutable tags are recommended)
+ ## @param metrics.image.pullPolicy MongoDB(®) Prometheus exporter image pull policy
+ ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/mongodb-exporter
+ tag: 0.30.0-debian-10-r83
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+
+ ## @param metrics.username String with username for the metrics exporter
+ ## If undefined the root user will be used for the metrics exporter
+ username: ""
+ ## @param metrics.password String with password for the metrics exporter
+ ## If undefined but metrics.username is defined, a random password will be generated
+ password: ""
+ ## @param metrics.extraFlags String with extra flags to the metrics exporter
+ ## ref: https://github.com/percona/mongodb_exporter/blob/master/mongodb_exporter.go
+ ##
+ extraFlags: ""
+ ## @param metrics.extraUri Additional URI options of the metrics service
+ ## ref: https://docs.mongodb.com/manual/reference/connection-string
+ ##
+ extraUri: ""
+ ## Metrics exporter container resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## We usually recommend not to specify default resources and to leave this as a conscious
+ ## choice for the user. This also increases chances charts run on environments with little
+ ## resources, such as Minikube. If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ## @param metrics.resources.limits The resources limits for Prometheus exporter containers
+ ## @param metrics.resources.requests The requested resources for Prometheus exporter containers
+ ##
+ resources:
+ ## Example:
+ ## limits:
+ ## cpu: 100m
+ ## memory: 128Mi
+ ##
+ limits: {}
+ ## Examples:
+ ## requests:
+ ## cpu: 100m
+ ## memory: 128Mi
+ ##
+ requests: {}
+ ## @param metrics.containerPort Port of the Prometheus metrics container
+ ##
+ containerPort: 9216
+ ## Prometheus Exporter service configuration
+ ##
+ service:
+ ## @param metrics.service.annotations [object] Annotations for Prometheus Exporter pods.
Evaluated as a template.
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "{{ .Values.metrics.service.port }}"
+ prometheus.io/path: "/metrics"
+ ## @param metrics.service.type Type of the Prometheus metrics service
+ ##
+ type: ClusterIP
+ ## @param metrics.service.port Port of the Prometheus metrics service
+ ##
+ port: 9216
+ ## Metrics exporter liveness probe
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ## @param metrics.livenessProbe.enabled Enable livenessProbe
+ ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 15
+ periodSeconds: 5
+ timeoutSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+ ## Metrics exporter readiness probe
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ## @param metrics.readinessProbe.enabled Enable readinessProbe
+ ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+
timeoutSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+ ## Prometheus Service Monitor
+ ## ref: https://github.com/coreos/prometheus-operator
+ ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md
+ ##
+ serviceMonitor:
+ ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator
+ ##
+ enabled: false
+ ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in
+ ##
+ namespace: ""
+ ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
+ ##
+ interval: 30s
+ ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
+ ## e.g:
+ ## scrapeTimeout: 30s
+ ##
+ scrapeTimeout: ""
+ ## @param metrics.serviceMonitor.relabellings RelabelConfigs to apply to samples before scraping.
+ ##
+ relabellings: []
+ ## @param metrics.serviceMonitor.metricRelabelings MetricsRelabelConfigs to apply to samples before ingestion.
+ ##
+ metricRelabelings: []
+ ## @param metrics.serviceMonitor.additionalLabels Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
+ ##
+ additionalLabels: {}
+ ## Custom PrometheusRule to be defined
+ ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
+ ##
+ prometheusRule:
+ ## @param metrics.prometheusRule.enabled Set this to true to create prometheusRules for Prometheus operator
+ ##
+ enabled: false
+ ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so prometheusRules will be discovered by Prometheus
+ ##
+ additionalLabels: {}
+ ## @param metrics.prometheusRule.namespace Namespace where prometheusRules resource should be created
+ ##
+ namespace: ""
+ ## @param metrics.prometheusRule.rules Rules to be created, check values for an example
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#rulegroup
+ ## https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/
+ ##
+ ## This is an example of a rule, you should add the below code block under the "rules" param, removing the brackets
+ ## - name: example
+ ## rules:
+ ## - alert: HighRequestLatency
+ ## expr: job:request_latency_seconds:mean5m{job="myjob"} > 0.5
+ ## for: 10m
+ ## labels:
+ ## severity: page
+ ## annotations:
+ ## summary: High request latency
+ ##
+ rules: {}
diff --git a/charts/shipa/shipa/1.7.200/limits.yaml b/charts/shipa/shipa/1.7.200/limits.yaml
new file mode 100644
index 000000000..28b736eaa
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/limits.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: LimitRange
+metadata:
+ name: limits
+spec:
+ limits:
+ - defaultRequest:
+ cpu: 40m
+ type: Container
diff --git a/charts/shipa/shipa/1.7.200/questions.yaml b/charts/shipa/shipa/1.7.200/questions.yaml
new file mode 100644
index 000000000..d9c562bf7
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/questions.yaml
@@ -0,0 +1,51 @@
+questions:
+- variable: auth.adminUser
+ default: ""
+ required: true
+ type: string
+ label: Initial Admin User Name e.g acme@yourorg.com
+ group: "Initial Settings - Required"
+- variable: auth.adminPassword
+ default: ""
+ type: password
+ required: true
+ label: Initial Admin Password/Secret
+ group: "Initial Settings - Required"
+- variable: shipaCluster.ingress.type
+ default: ""
+ type: enum
+ required: false
+ label: Ingress Controller Type (Nginx is default / Shipa Managed. Others are reliant on your installation) [shipaCluster.ingress.type]
+ group: "Shipa Cluster - Optional"
+ options:
+ - "nginx"
+ - "istio"
+ - "traefik"
+- variable: shipaCluster.ingress.serviceType
+ default: ""
+ type: enum
+ required: false
+ label: Cluster Service Type e.g ClusterIP [shipaCluster.ingress.serviceType]
+ group: "Shipa Cluster - Optional"
+ options:
+ - "ClusterIP"
+ - "NodePort"
+ - "LoadBalancer"
+- variable: shipaCluster.ingress.clusterIp
+ default: ""
+ type: string
+ required: false
+ label: Cluster IP if using Shipa Managed Nginx ClusterIP Service Type [shipaCluster.ingress.clusterIp]
+ group: "Shipa Cluster - Optional"
+- variable: shipaCluster.ingress.loadBalancerIp
+ default: ""
+ type: string
+ required: false
+ label: LoadBalancer IP if using Shipa Managed Nginx LoadBalancer Service Type [shipaCluster.ingress.loadBalancerIp]
+ group: "Shipa Cluster - Optional"
+- variable: shipaCluster.ingress.nodePort
+ default: ""
+ type: string
+ required: false
+ label: NodePort if using Shipa Managed Nginx NodePort Service Type [shipaCluster.ingress.nodePort]
+ group: "Shipa Cluster - Optional"
\ No newline at end of file
diff --git a/charts/shipa/shipa/1.7.200/scripts/bootstrap.sh b/charts/shipa/shipa/1.7.200/scripts/bootstrap.sh
new file mode 100644
index 000000000..74b216220
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/scripts/bootstrap.sh
@@ -0,0 +1,166 @@
+#!/bin/sh
+
+set -euxo pipefail
+
+is_shipa_initialized() {
+
+ # By default we create secret with empty certificates
+ # and save them to the secret as a result of the first run of boostrap.sh
+
+ CA=$(kubectl get secret/shipa-certificates -o json | jq ".data[\"ca.pem\"]")
+ LENGTH=${#CA}
+
+ if [ "$LENGTH" -gt "100" ]; then
+ return 0
+ fi
+ return 1
+}
+
+echo "Waiting for nginx ingress to be ready"
+
+if [[ $WAIT_FOR_NGINX == "true" ]]; then
+ # This helper gets an IP address or DNS name of NGINX_SERVICE and prints it to /tmp/nginx-ip
+ /bin/bootstrap-helper --service-name=$NGINX_SERVICE --namespace=$POD_NAMESPACE --timeout=600 --filename=/tmp/nginx-ip
+ MAIN_INGRESS_IP=$(cat /tmp/nginx-ip)
+ HOST_ADDRESS=$(cat /tmp/nginx-ip)
+else
+ MAIN_INGRESS_IP=$INGRESS_IP
+ HOST_ADDRESS=$INGRESS_IP
+fi
+
+
+
+# If target CNAMEs are set by user in values.yaml, then use the first CNAME from the list as HOST_ADDRESS
+# since Shipa host can be only one in the shipa.conf
+if [ ! -z "$SHIPA_MAIN_TARGET" -a "$SHIPA_MAIN_TARGET" != " " ]; then
+ HOST_ADDRESS=$SHIPA_MAIN_TARGET
+fi
+
+
+echo "Prepare shipa.conf"
+cp -v /etc/shipa-default/shipa.conf /etc/shipa/shipa.conf
+sed -i "s/SHIPA_PUBLIC_IP/$HOST_ADDRESS/g" /etc/shipa/shipa.conf
+sed -ie "s/SHIPA_ORGANIZATION_ID/$SHIPA_ORGANIZATION_ID/g" /etc/shipa/shipa.conf
+
+echo "shipa.conf: "
+cat /etc/shipa/shipa.conf
+
+CERTIFICATES_DIRECTORY=/tmp/certs
+mkdir $CERTIFICATES_DIRECTORY
+
+if is_shipa_initialized; then
+
+# migration for before API was assessable over any ingress controller
+if [[ $INGRESS_TYPE == "nginx" ]]; then
+ echo "Refreshing API secrets"
+ # before we used TCP streaming on ports 8080 and 8081 and Shipa API was doing certificate checks
+ # today we let nginx do certificate checks
+ # because 80 and 443 are reserverd for Ingress and can't use TCP streaming, we need to create secret for nginx
+ # we want to create dedicated secret for nginx based on shipa-certificates secret
+ if [[
$WAIT_FOR_NGINX == "true" ]]; then
+ kubectl get secrets -n "$POD_NAMESPACE" shipa-certificates -o json | jq ".data[\"api-server.crt\"]" | xargs echo | base64 -d > $CERTIFICATES_DIRECTORY/api-server.pem
+ kubectl get secrets -n "$POD_NAMESPACE" shipa-certificates -o json | jq ".data[\"api-server.key\"]" | xargs echo | base64 -d > $CERTIFICATES_DIRECTORY/api-server-key.pem
+
+ API_SERVER_CERT=$(cat $CERTIFICATES_DIRECTORY/api-server.pem | base64)
+ API_SERVER_KEY=$(cat $CERTIFICATES_DIRECTORY/api-server-key.pem | base64)
+
+ kubectl -n $POD_NAMESPACE create secret tls $RELEASE_NAME-api-ingress-secret --key=$CERTIFICATES_DIRECTORY/api-server-key.pem --cert=$CERTIFICATES_DIRECTORY/api-server.pem --dry-run -o yaml | kubectl apply -f -
+ fi
+fi
+
+ echo "Skip bootstrapping because shipa is already initialized"
+ exit 0
+fi
+
+echo "Cert For: $MAIN_INGRESS_IP"
+echo "Cert For: $SHIPA_API_CNAMES"
+
+# certificate generation for default domain
+sed "s/SHIPA_PUBLIC_IP/$MAIN_INGRESS_IP/g" /scripts/csr-shipa-ca.json > $CERTIFICATES_DIRECTORY/csr-shipa-ca.json
+sed "s/SHIPA_PUBLIC_IP/$MAIN_INGRESS_IP/g" /scripts/csr-docker-cluster.json > $CERTIFICATES_DIRECTORY/csr-docker-cluster.json
+sed "s/SHIPA_PUBLIC_IP/$MAIN_INGRESS_IP/g" /scripts/csr-api-config.json > $CERTIFICATES_DIRECTORY/csr-api-config.json
+sed "s/SHIPA_PUBLIC_IP/$MAIN_INGRESS_IP/g" /scripts/csr-api-server.json > $CERTIFICATES_DIRECTORY/csr-api-server.json
+
+# certificate generation for CNAMES
+sed "s/SHIPA_API_CNAMES/$SHIPA_API_CNAMES/g" --in-place $CERTIFICATES_DIRECTORY/csr-docker-cluster.json
+sed "s/SHIPA_API_CNAMES/$SHIPA_API_CNAMES/g" --in-place $CERTIFICATES_DIRECTORY/csr-api-server.json
+
+# certificate generation for Internal DNS so that internal services could connect to it.
+sed "s/SHIPA_INTERNAL_DNS/$SHIPA_INTERNAL_DNS/g" --in-place $CERTIFICATES_DIRECTORY/csr-docker-cluster.json
+sed "s/SHIPA_INTERNAL_DNS/$SHIPA_INTERNAL_DNS/g" --in-place $CERTIFICATES_DIRECTORY/csr-api-server.json
+
+jq 'fromstream(tostream | select(length == 1 or .[1] != ""))' $CERTIFICATES_DIRECTORY/csr-docker-cluster.json > $CERTIFICATES_DIRECTORY/file.tmp && mv $CERTIFICATES_DIRECTORY/file.tmp $CERTIFICATES_DIRECTORY/csr-docker-cluster.json
+jq 'fromstream(tostream | select(length == 1 or .[1] != ""))' $CERTIFICATES_DIRECTORY/csr-api-server.json > $CERTIFICATES_DIRECTORY/file.tmp && mv $CERTIFICATES_DIRECTORY/file.tmp $CERTIFICATES_DIRECTORY/csr-api-server.json
+
+cp /scripts/csr-client-ca.json $CERTIFICATES_DIRECTORY/csr-client-ca.json
+
+cfssl gencert -initca $CERTIFICATES_DIRECTORY/csr-shipa-ca.json | cfssljson -bare $CERTIFICATES_DIRECTORY/ca
+cfssl gencert -initca $CERTIFICATES_DIRECTORY/csr-client-ca.json | cfssljson -bare $CERTIFICATES_DIRECTORY/client-ca
+
+cfssl gencert \
+ -ca=$CERTIFICATES_DIRECTORY/ca.pem \
+ -ca-key=$CERTIFICATES_DIRECTORY/ca-key.pem \
+ -profile=server \
+ $CERTIFICATES_DIRECTORY/csr-docker-cluster.json | cfssljson -bare $CERTIFICATES_DIRECTORY/docker-cluster
+
+cfssl gencert \
+ -ca=$CERTIFICATES_DIRECTORY/ca.pem \
+ -ca-key=$CERTIFICATES_DIRECTORY/ca-key.pem \
+ -config=$CERTIFICATES_DIRECTORY/csr-api-config.json \
+ -profile=server \
+ $CERTIFICATES_DIRECTORY/csr-api-server.json | cfssljson -bare $CERTIFICATES_DIRECTORY/api-server
+
+rm -f $CERTIFICATES_DIRECTORY/*.csr
+rm -f $CERTIFICATES_DIRECTORY/*.json
+
+CA_CERT=$(cat $CERTIFICATES_DIRECTORY/ca.pem | base64)
+CA_KEY=$(cat $CERTIFICATES_DIRECTORY/ca-key.pem | base64)
+
+CLIENT_CA_CERT=$(cat $CERTIFICATES_DIRECTORY/client-ca.pem | base64)
+CLIENT_CA_KEY=$(cat $CERTIFICATES_DIRECTORY/client-ca-key.pem | base64)
+
+DOCKER_CLUSTER_CERT=$(cat $CERTIFICATES_DIRECTORY/docker-cluster.pem | base64)
+DOCKER_CLUSTER_KEY=$(cat $CERTIFICATES_DIRECTORY/docker-cluster-key.pem | base64)
+
+API_SERVER_CERT=$(cat $CERTIFICATES_DIRECTORY/api-server.pem | base64)
+API_SERVER_KEY=$(cat $CERTIFICATES_DIRECTORY/api-server-key.pem | base64)
+
+# all ingress controlelers require different type of secret to work with self signed
+if [[ $INGRESS_TYPE == "nginx" ]]; then
+kubectl -n $POD_NAMESPACE create secret tls $RELEASE_NAME-api-ingress-secret --key=$CERTIFICATES_DIRECTORY/api-server-key.pem --cert=$CERTIFICATES_DIRECTORY/api-server.pem --dry-run -o yaml | kubectl apply -f -
+# restart nginx to reload secret
+if [[ $WAIT_FOR_NGINX == "true" ]]; then
+ kubectl -n $POD_NAMESPACE rollout restart deployment $NGINX_DEPLOYMENT_NAME
+fi
+fi
+
+if [[ $INGRESS_TYPE == "traefik" ]]; then
+openssl x509 -in $CERTIFICATES_DIRECTORY/api-server.pem -out $CERTIFICATES_DIRECTORY/api-server.crt
+openssl pkey -in $CERTIFICATES_DIRECTORY/api-server-key.pem -out $CERTIFICATES_DIRECTORY/api-server.key
+kubectl -n $POD_NAMESPACE create secret generic $RELEASE_NAME-api-ingress-secret --from-file=tls.crt=$CERTIFICATES_DIRECTORY/api-server.crt --from-file=tls.key=$CERTIFICATES_DIRECTORY/api-server.key --dry-run -o yaml | kubectl apply -f -
+fi
+
+if [[ $INGRESS_TYPE == "istio" ]]; then
+openssl x509 -in $CERTIFICATES_DIRECTORY/api-server.pem -out $CERTIFICATES_DIRECTORY/api-server.crt
+openssl pkey -in $CERTIFICATES_DIRECTORY/api-server-key.pem -out $CERTIFICATES_DIRECTORY/api-server.key
+kubectl -n istio-system create secret tls $RELEASE_NAME-api-ingress-secret --key=$CERTIFICATES_DIRECTORY/api-server.key --cert=$CERTIFICATES_DIRECTORY/api-server.crt --dry-run -o yaml | kubectl apply -f -
+fi
+
+# FIXME: name of secret
+kubectl get secrets shipa-certificates -o json \
+ | jq ".data[\"ca.pem\"] |= \"$CA_CERT\"" \
+ | jq ".data[\"ca-key.pem\"] |= \"$CA_KEY\"" \
+ | jq ".data[\"client-ca.crt\"] |= \"$CLIENT_CA_CERT\"" \
+ | jq ".data[\"client-ca.key\"] |= \"$CLIENT_CA_KEY\"" \
+ | jq ".data[\"cert.pem\"] |= \"$DOCKER_CLUSTER_CERT\"" \
+ | jq ".data[\"key.pem\"] |=
\"$DOCKER_CLUSTER_KEY\"" \ + | jq ".data[\"api-server.crt\"] |= \"$API_SERVER_CERT\"" \ + | jq ".data[\"api-server.key\"] |= \"$API_SERVER_KEY\"" \ + | kubectl apply -f - + + +echo "CA:" +openssl x509 -in $CERTIFICATES_DIRECTORY/ca.pem -text -noout + +echo "Docker cluster:" +openssl x509 -in $CERTIFICATES_DIRECTORY/docker-cluster.pem -text -noout diff --git a/charts/shipa/shipa/1.7.200/scripts/csr-api-config.json b/charts/shipa/shipa/1.7.200/scripts/csr-api-config.json new file mode 100644 index 000000000..d6a798638 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/scripts/csr-api-config.json @@ -0,0 +1,17 @@ +{ + "signing": { + "default": { + "expiry": "168h" + }, + "profiles": { + "server": { + "expiry": "8760h", + "usages": [ + "signing", + "key encipherment", + "server auth" + ] + } + } + } +} \ No newline at end of file diff --git a/charts/shipa/shipa/1.7.200/scripts/csr-api-server.json b/charts/shipa/shipa/1.7.200/scripts/csr-api-server.json new file mode 100644 index 000000000..22fb7d2e2 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/scripts/csr-api-server.json @@ -0,0 +1,17 @@ +{ + "CN": "Shipa", + "hosts": [ + "SHIPA_PUBLIC_IP", + "SHIPA_API_CNAMES", + "SHIPA_INTERNAL_DNS" + ], + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "shipa" + } + ] +} \ No newline at end of file diff --git a/charts/shipa/shipa/1.7.200/scripts/csr-client-ca.json b/charts/shipa/shipa/1.7.200/scripts/csr-client-ca.json new file mode 100644 index 000000000..e2d36c7f8 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/scripts/csr-client-ca.json @@ -0,0 +1,12 @@ +{ + "CN": "Shipa", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "shipa" + } + ] +} diff --git a/charts/shipa/shipa/1.7.200/scripts/csr-docker-cluster.json b/charts/shipa/shipa/1.7.200/scripts/csr-docker-cluster.json new file mode 100644 index 000000000..1b52fc79d --- /dev/null +++ b/charts/shipa/shipa/1.7.200/scripts/csr-docker-cluster.json 
@@ -0,0 +1,17 @@
+{
+ "CN": "Shipa docker cluster",
+ "hosts": [
+ "SHIPA_PUBLIC_IP",
+ "SHIPA_API_CNAMES",
+ "SHIPA_INTERNAL_DNS"
+ ],
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "O": "Shipa"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/charts/shipa/shipa/1.7.200/scripts/csr-shipa-ca.json b/charts/shipa/shipa/1.7.200/scripts/csr-shipa-ca.json
new file mode 100644
index 000000000..e2d36c7f8
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/scripts/csr-shipa-ca.json
@@ -0,0 +1,12 @@
+{
+ "CN": "Shipa",
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "O": "shipa"
+ }
+ ]
+}
diff --git a/charts/shipa/shipa/1.7.200/scripts/init-job.sh b/charts/shipa/shipa/1.7.200/scripts/init-job.sh
new file mode 100644
index 000000000..d6b655229
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/scripts/init-job.sh
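Review bot: `csr-shipa-ca.json` and `csr-client-ca.json` are the same blob (both hunks show `index 000000000..e2d36c7f8`), so the signing CA and the client CA are created with an identical subject `CN=Shipa, O=shipa` and can only be told apart by key; that makes issuer matching, chain debugging and later CA rotation needlessly confusing. Give each CA its own CN, for example `"CN": "Shipa Server CA"` and `"CN": "Shipa Client CA"` (constructed names, pick whatever fits the product). Neither CA CSR carries a `"ca": { "expiry": ... }` block, so the root lifetime falls back to cfssl's built-in default instead of a value the chart controls; pinning it explicitly documents the intended rotation horizon. The `csr-docker-cluster.json` hunk above also uses `"O": "Shipa"` where every other CSR uses `"O": "shipa"`, which looks unintended.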
@@ -0,0 +1,102 @@ +#!/bin/sh + +echo "Waiting for shipa api" + +until $(curl --output /dev/null --silent http://$SHIPA_ENDPOINT:$SHIPA_ENDPOINT_PORT); do + echo "." + sleep 1 +done + +SHIPA_CLIENT="/bin/shipa" +$SHIPA_CLIENT target add -s local $SHIPA_ENDPOINT --insecure --port=$SHIPA_ENDPOINT_PORT --disable-cert-validation +$SHIPA_CLIENT login <.shipa.cloud + it should be used instead of shipaApi.cnames, as we always want to have this default address +*/}} +{{- define "shipa.cnames" -}} +{{- if has (printf "api.%s.shipa.cloud" .Values.shipaCluster.ingress.ip) .Values.shipaApi.cnames }} +{{ join "," .Values.shipaApi.cnames }} +{{- else }} +{{- if .Values.shipaCluster.ingress.ip }} +{{ join "," (append .Values.shipaApi.cnames (printf "api.%s.shipa.cloud" .Values.shipaCluster.ingress.ip)) }} +{{- else }} +{{ join "," .Values.shipaApi.cnames }} +{{- end }} +{{- end }} +{{- end }} + +{{/* + for shipa managed nginx we use shipa-nginx-ingress as classname + for user managed nginx default is nginx, but user can modify it through values.yaml +*/}} +{{- define "shipa.defaultNginxClassName" }} +{{ if and (eq .Values.shipaCluster.ingress.type "nginx") (not .Values.shipaCluster.ingress.ip)}} +shipa-nginx-ingress +{{- else }} +nginx +{{- end }} +{{- end }} diff --git a/charts/shipa/shipa/1.7.200/templates/api-istio-resources.yaml b/charts/shipa/shipa/1.7.200/templates/api-istio-resources.yaml new file mode 100644 index 000000000..664621eb7 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/api-istio-resources.yaml 
@@ -0,0 +1,296 @@
+{{ if eq .Values.shipaCluster.ingress.type "istio" }}
+{{- if not .Values.shipaApi.secureIngressOnly }}
+{{- range $i, $servicePort := .Values.shipaApi.servicePorts }}
+{{- if $.Values.shipaCluster.ingress.apiAccessOnIngressIp }}
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ annotations:
+ kubernetes.io/ingress.class: {{ default ( "istio" ) $.Values.shipaCluster.ingress.className }}
+{{- if $.Values.shipaApi.customIngressAnnotations }}
+{{ toYaml $.Values.shipaApi.customIngressAnnotations | indent 4 }}
+{{- end }}
+ labels: {{- include "shipa.labels" $ | nindent 4 }}
+ name: {{ template "shipa.fullname" $ }}-api-http-virutal-service-{{ $i }}
+spec:
+ gateways:
+ - {{ template "shipa.fullname" $ }}-api-http-gateway-{{ $i }}
+ hosts:
+ - "*"
+ http:
+ - route:
+ - destination:
+ host: {{ template "shipa.fullname" $ }}-api
+ port:
+ number: {{ $servicePort }}
+ weight: 100
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ labels: {{- include "shipa.labels" $ | nindent 4 }}
+ name: {{ template "shipa.fullname" $ }}-api-http-gateway-{{ $i }}
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - "*"
+ port:
+ name: http
+ number: {{ $servicePort }}
+ protocol: HTTP
+---
+{{- if empty $.Values.shipaApi.serviceSecurePorts }}
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ labels: {{- include "shipa.labels" $ | nindent 4 }}
+ name: {{ template "shipa.fullname" $ }}-api-rule-{{ $i }}
+spec:
+ host: {{ template "shipa.fullname" $ }}-api
+ subsets:
+ - labels:
+ app: {{ template "shipa.fullname" $ }}-api
+ version: "1"
+ name: v1
+---
+{{- end }}
+{{- end }}
+{{- range $j, $cname := splitList "," (trimPrefix "\n" (include "shipa.cnames" $)) }}
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ annotations:
+ kubernetes.io/ingress.class: {{ default ( "istio" ) $.Values.shipaCluster.ingress.className }}
+{{- if
$.Values.shipaApi.customIngressAnnotations }}
+{{ toYaml $.Values.shipaApi.customIngressAnnotations | indent 4 }}
+{{- end }}
+ labels: {{- include "shipa.labels" $ | nindent 4 }}
+ name: {{ template "shipa.fullname" $ }}-api-http-virutal-service-cname-{{ $i }}-{{ $j }}
+spec:
+ gateways:
+ - {{ template "shipa.fullname" $ }}-api-http-gateway-cname-{{ $i }}-{{ $j }}
+ hosts:
+ - {{ $cname }}
+ http:
+ - route:
+ - destination:
+ host: {{ template "shipa.fullname" $ }}-api
+ port:
+ number: {{ $servicePort }}
+ weight: 100
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ labels: {{- include "shipa.labels" $ | nindent 4 }}
+ name: {{ template "shipa.fullname" $ }}-api-http-gateway-cname-{{ $i }}-{{ $j }}
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - {{ $cname }}
+ port:
+ name: http
+ number: {{ $servicePort }}
+ protocol: HTTP
+---
+{{- if empty $.Values.shipaApi.serviceSecurePorts }}
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ labels: {{- include "shipa.labels" $ | nindent 4 }}
+ name: {{ template "shipa.fullname" $ }}-api-rule-cname-{{ $i }}-{{ $j }}
+spec:
+ host: {{ template "shipa.fullname" $ }}-api
+ subsets:
+ - labels:
+ app: {{ template "shipa.fullname" $ }}-api
+ version: "1"
+ name: v1
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- range $i, $servicePort := .Values.shipaApi.serviceSecurePorts }}
+{{- if $.Values.shipaCluster.ingress.apiAccessOnIngressIp }}
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ annotations:
+ kubernetes.io/ingress.class: {{ default ( "istio" ) $.Values.shipaCluster.ingress.className }}
+{{- if $.Values.shipaApi.customIngressAnnotations }}
+{{ toYaml $.Values.shipaApi.customIngressAnnotations | indent 4 }}
+{{- end }}
+ labels: {{- include "shipa.labels" $ | nindent 4 }}
+ name: {{ template "shipa.fullname" $ }}-api-https-virutal-service-{{ $i }}
+spec:
+ gateways:
+ - {{ template "shipa.fullname" $
}}-api-https-gateway-{{ $i }}
+ hosts:
+ - "*"
+ http:
+ - route:
+ - destination:
+ host: {{ template "shipa.fullname" $ }}-api
+ port:
+ number: {{ $servicePort }}
+ weight: 100
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ labels: {{- include "shipa.labels" $ | nindent 4 }}
+ name: {{ template "shipa.fullname" $ }}-api-https-gateway-{{ $i }}
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - "*"
+ port:
+ name: https
+ number: {{ $servicePort }}
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ {{ if $.Values.shipaApi.customSecretName}}
+ credentialName: {{ $.Values.shipaApi.customSecretName }}
+ {{- else }}
+ credentialName: {{ template "shipa.fullname" $ }}-api-ingress-secret
+ {{- end }}
+---
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ labels: {{- include "shipa.labels" $ | nindent 4 }}
+ name: {{ template "shipa.fullname" $ }}-api-rule-{{ $i }}
+spec:
+ host: {{ template "shipa.fullname" $ }}-api
+ subsets:
+ - labels:
+ app: {{ template "shipa.fullname" $ }}-api
+ version: "1"
+ name: v1
+ trafficPolicy:
+ loadBalancer:
+ simple: ROUND_ROBIN
+ portLevelSettings:
+ - port:
+ number: {{ $servicePort }}
+ tls:
+ mode: SIMPLE
+---
+{{- end }}
+{{- range $j, $cname := splitList "," (trimPrefix "\n" (include "shipa.cnames" $)) }}
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ annotations:
+ kubernetes.io/ingress.class: {{ default ( "istio" ) $.Values.shipaCluster.ingress.className }}
+{{- if $.Values.shipaApi.customIngressAnnotations }}
+{{ toYaml $.Values.shipaApi.customIngressAnnotations | indent 4 }}
+{{- end }}
+ labels: {{- include "shipa.labels" $ | nindent 4 }}
+ name: {{ template "shipa.fullname" $ }}-api-https-virutal-service-cname-{{ $i }}-{{ $j }}
+spec:
+ gateways:
+ - {{ template "shipa.fullname" $ }}-api-https-gateway-cname-{{ $i }}-{{ $j }}
+ hosts:
+ - {{ $cname }}
+ http:
+ - route:
+ - destination:
+ host: {{ template "shipa.fullname" $ }}-api
+
port:
+ number: {{ $servicePort }}
+ weight: 100
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ labels: {{- include "shipa.labels" $ | nindent 4 }}
+ name: {{ template "shipa.fullname" $ }}-api-https-gateway-cname-{{ $i }}-{{ $j }}
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - {{ $cname }}
+ port:
+ name: https
+ number: {{ $servicePort }}
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ {{ if $.Values.shipaApi.customSecretName}}
+ credentialName: {{ $.Values.shipaApi.customSecretName }}
+ {{- else }}
+ credentialName: {{ template "shipa.fullname" $ }}-api-ingress-secret
+ {{- end }}
+---
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ labels: {{- include "shipa.labels" $ | nindent 4 }}
+ name: {{ template "shipa.fullname" $ }}-api-rule-cname-{{ $i }}-{{ $j }}
+spec:
+ host: {{ template "shipa.fullname" $ }}-api
+ subsets:
+ - labels:
+ app: {{ template "shipa.fullname" $ }}-api
+ version: "1"
+ name: v1
+ trafficPolicy:
+ loadBalancer:
+ simple: ROUND_ROBIN
+ portLevelSettings:
+ - port:
+ number: {{ $servicePort }}
+ tls:
+ mode: SIMPLE
+---
+{{- end }}
+{{- end }}
+{{- if or (.Values.tags.defaultDB) (.Values.tags.legacyMongoReplicaset) }}
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: {{ template "shipa.fullname" $ }}-mongodb-peer
+spec:
+ mtls:
+ mode: DISABLE
+---
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: {{ template "shipa.fullname" $ }}-mongo-rule
+spec:
+{{- if .Values.tags.defaultDB }}
+ host: "{{ template "shipa.fullname" $ }}-mongodb.{{ .Release.Namespace }}.svc.{{ .Values.shipaCluster.clusterDomain }}"
+{{- else if .Values.tags.legacyMongoReplicaset }}
+ host: "{{ template "shipa.fullname" $ }}-mongodb-replicaset.{{ .Release.Namespace }}.svc.{{ .Values.shipaCluster.clusterDomain }}"
+{{- end }}
+ trafficPolicy:
+ tls:
+ mode: DISABLE
+{{ else }}
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: mongo
+spec:
+ hosts:
+{{- range $mongoShard := (splitList "," $.Values.externalMongodb.url) }}
+ - {{ trimSuffix ":27017" $mongoShard }}
+{{- end }}
+ ports:
+ - number: 27017
+ name: tls
+ protocol: TLS
+ resolution: DNS
+{{- end }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.7.200/templates/api-nginx-resources.yaml b/charts/shipa/shipa/1.7.200/templates/api-nginx-resources.yaml
new file mode 100644
index 000000000..91527fa14
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/templates/api-nginx-resources.yaml
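Review bot: The `-mongodb-peer` PeerAuthentication has no `selector`, and a PeerAuthentication without one applies to every workload in its namespace, so `mtls: mode: DISABLE` switches off peer mTLS for the whole release namespace rather than only for the MongoDB pods the resource is named after. Scope it with `selector: matchLabels:` on the MongoDB pod labels (the label set is not visible in this hunk), or state in a comment that namespace-wide plaintext is the intent. The IP-based HTTP and HTTPS Gateways accept `hosts: - "*"` while the cname variants are host-scoped; if the wildcard is only meant for the `apiAccessOnIngressIp` case, a one-line comment saying so would help the next reader. The resource names also spell `virutal-service`; fixing that after release means renaming live objects, so it is cheapest to correct now.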
@@ -0,0 +1,107 @@
+{{ if eq .Values.shipaCluster.ingress.type "nginx" }}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: {{ template "shipa.fullname" . }}-nginx-tcp-services
+ labels: {{- include "shipa.labels" . | nindent 4 }}
+ shipa.io/shipa-api-ingress-controller: "true"
+data:
+{{- if not .Values.shipaApi.secureIngressOnly }}
+{{- range $servicePort := without (.Values.shipaApi.servicePorts | toStrings) "80" }}
+ {{ $servicePort }}: "{{ $.Release.Namespace }}/{{ include "shipa.fullname" $ }}-api:{{ $servicePort }}"
+{{- end }}
+{{- end }}
+{{- range $secureContainerPort := without (.Values.shipaApi.serviceSecurePorts | toStrings) "443" }}
+ {{ $secureContainerPort }}: "{{ $.Release.Namespace }}/{{ include "shipa.fullname" $ }}-api:{{ $secureContainerPort }}"
+{{- end }}
+---
+{{- if has "80" (.Values.shipaApi.servicePorts | toStrings) }}
+{{- if .Values.shipaCluster.ingress.apiAccessOnIngressIp }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ template "shipa.fullname" . }}-api-http-ingress
+ labels: {{- include "shipa.labels" . | nindent 4 }}
+ annotations:
+{{- if $.Values.shipaApi.customIngressAnnotations }}
+{{ toYaml $.Values.shipaApi.customIngressAnnotations | indent 4 }}
+{{- end }}
+ nginx.org/websocket-services: "{{ template "shipa.fullname" . }}-api"
+{{- if and $.Values.shipaApi.secureIngressOnly (has "443" ($.Values.shipaApi.serviceSecurePorts | toStrings)) }}
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ ingress.kubernetes.io/force-ssl-redirect: "true"
+ ingress.kubernetes.io/ssl-redirect: "true"
+{{- else }}
+ nginx.ingress.kubernetes.io/ssl-redirect: "false"
+ ingress.kubernetes.io/ssl-redirect: "false"
+{{- end }}
+spec:
+ ingressClassName: {{ default (include "shipa.defaultNginxClassName" . | trim) .Values.shipaCluster.ingress.className }}
+ rules:
+ - http:
+ paths:
+ - backend:
+ service:
+ name: {{ template "shipa.fullname" .
}}-api
+ port:
+ number: 80
+ path: /
+ pathType: Prefix
+{{ if has "443" (.Values.shipaApi.serviceSecurePorts | toStrings) }}
+ tls:
+ - secretName: {{ template "shipa.fullname" . }}-api-ingress-secret
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{ if not (empty (trimPrefix "\n" (include "shipa.cnames" .))) }}
+{{- range $i, $cname := splitList "," (trimPrefix "\n" (include "shipa.cnames" .)) }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ template "shipa.fullname" $ }}-api-http-ingress-cname-{{ $i }}
+ labels: {{- include "shipa.labels" $ | nindent 4 }}
+ annotations:
+{{- if $.Values.shipaApi.customIngressAnnotations }}
+{{ toYaml $.Values.shipaApi.customIngressAnnotations | indent 4 }}
+{{- end }}
+ {{- if and $.Values.shipaApi.secureIngressOnly (has "443" ($.Values.shipaApi.serviceSecurePorts | toStrings)) }}
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ ingress.kubernetes.io/force-ssl-redirect: "true"
+ ingress.kubernetes.io/ssl-redirect: "true"
+ {{- else }}
+ nginx.ingress.kubernetes.io/ssl-redirect: "false"
+ ingress.kubernetes.io/ssl-redirect: "false"
+ {{- end }}
+ nginx.org/websocket-services: "{{ template "shipa.fullname" $ }}-api"
+spec:
+ ingressClassName: {{ default ( include "shipa.defaultNginxClassName" $ | trim) $.Values.shipaCluster.ingress.className }}
+ rules:
+ - host: {{ $cname }}
+ http:
+ paths:
+ - backend:
+ service:
+ name: {{ template "shipa.fullname" $ }}-api
+ port:
+ number: 80
+ path: /
+ pathType: ImplementationSpecific
+{{ if has "443" ($.Values.shipaApi.serviceSecurePorts | toStrings) }}
+{{ if $.Values.shipaApi.customSecretName}}
+ tls:
+ - secretName: {{ $.Values.shipaApi.customSecretName }}
+ hosts:
+ - {{ $cname }}
+{{- else }}
+ tls:
+ - secretName: {{ template "shipa.fullname" $ }}-api-ingress-secret
+ hosts:
+ - {{ $cname }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
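Review bot: The `nginx.org/websocket-services` annotation on both Ingress objects is the annotation family of NGINX Inc.'s kubernetes-ingress, whereas the `nginx.ingress.kubernetes.io/*ssl-redirect` annotations and the `-nginx-tcp-services` ConfigMap with its `namespace/service:port` entries appear to target the community ingress-nginx controller; whichever controller is actually installed will ignore the other's annotation, so either document that both controllers are supported or drop the one that does not apply. The IP-based Ingress uses `pathType: Prefix` while the cname Ingresses use `pathType: ImplementationSpecific` for the same `path: /`, so matching semantics differ between the two entry points for no visible reason; pick one. The non-`secureIngressOnly` branch deliberately renders `nginx.ingress.kubernetes.io/ssl-redirect: "false"`, which leaves the API reachable over plain HTTP even when a TLS secret is configured; that is a legitimate choice but deserves a one-line comment so operators do not mistake it for an oversight.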
diff --git a/charts/shipa/shipa/1.7.200/templates/api-traefik-resources.yaml b/charts/shipa/shipa/1.7.200/templates/api-traefik-resources.yaml
new file mode 100644
index 000000000..a33223ace
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/templates/api-traefik-resources.yaml
@@ -0,0 +1,108 @@
+{{ if eq .Values.shipaCluster.ingress.type "traefik" }}
+{{- if not .Values.shipaApi.secureIngressOnly }}
+{{- range $i, $servicePort := .Values.shipaApi.servicePorts }}
+{{- if $.Values.shipaCluster.ingress.apiAccessOnIngressIp }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: {{ template "shipa.fullname" $ }}-api-http-ingress-{{ $i }}
+ labels: {{- include "shipa.labels" $ | nindent 4 }}
+{{- if $.Values.shipaApi.customIngressAnnotations }}
+ annotations:
+{{ toYaml $.Values.shipaApi.customIngressAnnotations | indent 4 }}
+{{- end }}
+spec:
+ entryPoints:
+ - web
+ routes:
+ - match: PathPrefix(`/`)
+ kind: Rule
+ services:
+ - name: {{ template "shipa.fullname" $ }}-api
+ port: {{ $servicePort }}
+ scheme: http
+---
+{{- end }}
+{{- range $j, $cname := splitList "," (trimPrefix "\n" (include "shipa.cnames" $)) }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: {{ template "shipa.fullname" $ }}-api-http-ingress-cname-{{ $i }}-{{ $j }}
+ labels: {{- include "shipa.labels" $ | nindent 4 }}
+{{- if $.Values.shipaApi.customIngressAnnotations }}
+ annotations:
+{{ toYaml $.Values.shipaApi.customIngressAnnotations | indent 4 }}
+{{- end }}
+spec:
+ entryPoints:
+ - web
+ routes:
+ - match: Host(`{{ $cname }}`)
+ kind: Rule
+ services:
+ - name: {{ template "shipa.fullname" $ }}-api
+ port: {{ $servicePort }}
+ scheme: http
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if $.Values.shipaCluster.ingress.apiAccessOnIngressIp }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: {{ template "shipa.fullname" $ }}-api-https-ingress
+ labels: {{- include "shipa.labels" $ | nindent 4 }}
+{{- if $.Values.shipaApi.customIngressAnnotations }}
+ annotations:
+{{ toYaml $.Values.shipaApi.customIngressAnnotations | indent 4 }}
+{{- end }}
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: PathPrefix(`/`)
+ kind: Rule
+ services:
+ - name: {{ template
"shipa.fullname" $ }}-api + port: {{ first .Values.shipaApi.servicePorts }} + scheme: http + tls: + {{ if $.Values.shipaApi.customSecretName}} + secretName: {{ $.Values.shipaApi.customSecretName }} + {{- else }} + secretName: {{ template "shipa.fullname" $ }}-api-ingress-secret + {{- end }} +--- +{{- end }} +{{- range $i, $cname := splitList "," (trimPrefix "\n" (include "shipa.cnames" $)) }} +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: {{ template "shipa.fullname" $ }}-api-https-ingress-cname-{{ $i }} + labels: {{- include "shipa.labels" $ | nindent 4 }} +{{- if $.Values.shipaApi.customIngressAnnotations }} + annotations: +{{ toYaml $.Values.shipaApi.customIngressAnnotations | indent 4}} +{{- end }} +spec: + entryPoints: + - websecure + routes: + - match: Host(`{{ $cname }}`) + kind: Rule + services: + - name: {{ template "shipa.fullname" $ }}-api + port: {{ first $.Values.shipaApi.servicePorts }} + scheme: http + tls: + {{ if $.Values.shipaApi.customSecretName}} + secretName: {{ $.Values.shipaApi.customSecretName }} + {{- else }} + secretName: {{ template "shipa.fullname" $ }}-api-ingress-secret + {{- end }} + domains: + - main: {{ $cname }} +--- +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/shipa/shipa/1.7.200/templates/clair-configmap.yaml b/charts/shipa/shipa/1.7.200/templates/clair-configmap.yaml new file mode 100644 index 000000000..97a94abf5 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/clair-configmap.yaml 
@@ -0,0 +1,86 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "shipa.fullname" . }}-clair-config + labels: {{- include "shipa.labels" . | nindent 4 }} +data: + config.template.yaml: |- + # + # This file is mounted to /clair-config/config.template.yaml and then processed by /entrypoint.sh + # + clair: + database: + # Database driver + type: pgsql + options: + # PostgreSQL Connection string + # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING + {{- $host := (default (printf "%s-postgres.%s" (include "shipa.fullname" .) .Release.Namespace) .Values.postgres.source.host) }} + {{- $port := .Values.postgres.source.port }} + {{- $user := .Values.postgres.source.user }} + {{- $sslmode := .Values.postgres.source.sslmode }} + source: host={{ $host }} port={{ $port }} user={{ $user }} sslmode={{ $sslmode }} statement_timeout=60000 password=$POSTGRES_PASSWORD + + # Number of elements kept in the cache + # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database. + cachesize: 16384 + + # 32-bit URL-safe base64 key used to encrypt pagination tokens + # If one is not provided, it will be generated. + # Multiple clair instances in the same cluster need the same value. + paginationkey: + + api: + # v3 grpc/RESTful API server address + addr: "0.0.0.0:6060" + + # Health server address + # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server. 
+ healthaddr: "0.0.0.0:6061" + + # Deadline before an API request will respond with a 503 + timeout: 900s + + # Optional PKI configuration + # If you want to easily generate client certificates and CAs, try the following projects: + # https://github.com/coreos/etcd-ca + # https://github.com/cloudflare/cfssl + servername: + cafile: + keyfile: + certfile: + + updater: + # Frequency the database will be updated with vulnerabilities from the default data sources + # The value 0 disables the updater entirely. + interval: 2h + enabledupdaters: + - debian + - ubuntu + - rhel + - oracle + - alpine + - suse + + notifier: + # Number of attempts before the notification is marked as failed to be sent + attempts: 3 + + # Duration before a failed notification is retried + renotifyinterval: 2h + + http: + # Optional endpoint that will receive notifications via POST requests + endpoint: + + # Optional PKI configuration + # If you want to easily generate client certificates and CAs, try the following projects: + # https://github.com/cloudflare/cfssl + # https://github.com/coreos/etcd-ca + servername: + cafile: + keyfile: + certfile: + + # Optional HTTP Proxy: must be a valid URL (including the scheme). + proxy: diff --git a/charts/shipa/shipa/1.7.200/templates/clair-deployment.yaml b/charts/shipa/shipa/1.7.200/templates/clair-deployment.yaml new file mode 100644 index 000000000..c4258bf40 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/clair-deployment.yaml 
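Review bot: The libpq `source:` line splices `$POSTGRES_PASSWORD` into the conninfo string as a bare keyword value, so a generated password containing a space, `'` or `\` (typical for random secrets) breaks the parse and Clair cannot connect; the entrypoint that substitutes it should emit `password='...'` with `\` and `'` escaped, or — since upstream Clair is built on lib/pq, which honours `PGPASSWORD` — the deployment can export the secret as `PGPASSWORD` and the string can drop the password entirely (confirm for this image). `sslmode` is taken verbatim from `postgres.source.sslmode`; if the values default is `disable`, the database password and all scan data cross the pod network in clear, so `require` is the safer default and should be documented. The `api:` block leaves `cafile`/`keyfile`/`certfile` empty, so the Clair API on 0.0.0.0:6060 is unauthenticated plaintext for any pod that can reach the ClusterIP; that is tolerable only with a NetworkPolicy restricting clients to the shipa-api pods, which I do not see in this diff.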
@@ -0,0 +1,59 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "shipa.fullname" . }}-clair + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + sidecar.istio.io/inject: "false" +spec: + selector: + matchLabels: + name: {{ template "shipa.fullname" . }}-clair + template: + metadata: + labels: + name: {{ template "shipa.fullname" . }}-clair + annotations: + sidecar.istio.io/inject: "false" + spec: + nodeSelector: + kubernetes.io/os: linux + containers: + - name: clair + {{- if .Values.clair.image }} + image: "{{ .Values.clair.image }}" + {{- else }} + image: "{{ .Values.images.shipaRepositoryDirname }}/{{ .Values.clair.repositoryBasename }}:{{ .Values.clair.tag }}" + {{- end }} + imagePullPolicy: IfNotPresent + ports: + - name: clair + containerPort: 6060 + protocol: TCP + - name: health + containerPort: 6061 + protocol: TCP + volumeMounts: + - name: {{ template "shipa.fullname" . }}-clair-config + mountPath: /clair-config/ + - name: config-dir + mountPath: /etc/clair/ + env: + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-secret + key: postgres-password + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + volumes: + - name: config-dir + emptyDir: {} + - name: {{ template "shipa.fullname" . }}-clair-config + configMap: + name: {{ template "shipa.fullname" . }}-clair-config + items: + - key: config.template.yaml + path: config.template.yaml diff --git a/charts/shipa/shipa/1.7.200/templates/clair-service.yaml b/charts/shipa/shipa/1.7.200/templates/clair-service.yaml new file mode 100644 index 000000000..a0bbd8faa --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/clair-service.yaml 
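Review bot: The clair container has no `securityContext`, no `resources` and no probes, even though the image exposes a dedicated health port 6061 and the shipa-api deployment later in this diff already runs as uid 65532 non-root; the scanner parses image layers pulled from registries, so it deserves at least the same hardening. Add a non-root context with all capabilities dropped (if the image's default user is root, set `runAsUser` explicitly or the pod will be rejected) and point a readiness probe at the health server — Clair v2 serves `/health` on `healthaddr`, confirm for this image. Also `imagePullPolicy: IfNotPresent` with a tag from values means a re-pushed tag is never refreshed on nodes that cached it; pin a digest in values or reuse the `pullPolicy` value the metrics deployment honours.
```yaml
      containers:
        - name: clair
          # … unchanged: image selection, imagePullPolicy …
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
          readinessProbe:
            httpGet:
              path: /health   # Clair v2 health endpoint — confirm for this image
              port: health
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /health
              port: health
            initialDelaySeconds: 30
            periodSeconds: 30
          # … unchanged: ports, volumeMounts, env …
```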
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "shipa.fullname" . }}-clair + labels: {{- include "shipa.labels" . | nindent 4 }} +spec: + type: ClusterIP + selector: + name: {{ template "shipa.fullname" . }}-clair + ports: + - port: 6060 + targetPort: 6060 + protocol: TCP + name: clair + - port: 6061 + targetPort: 6061 + protocol: TCP + name: health diff --git a/charts/shipa/shipa/1.7.200/templates/metrics-configmap.yaml b/charts/shipa/shipa/1.7.200/templates/metrics-configmap.yaml new file mode 100644 index 000000000..b7cd013f5 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/metrics-configmap.yaml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "shipa.fullname" . }}-metrics-config + labels: {{- include "shipa.labels" . | nindent 4 }} +data: + prometheus.yml: |- + # + # DO NOT EDIT. Can be updated by shipa helm chart + # + global: + scrape_interval: 1m + + scrape_configs: + - job_name: "pushgateway" + honor_labels: true + scheme: http + static_configs: + - targets: ['127.0.0.1:9093'] + labels: + source: pushgateway + + - job_name: "traefik" + honor_labels: true + scheme: http + static_configs: + - targets: ['{{ template "shipa.fullname" . }}-traefik-internal.{{ .Release.Namespace }}:9095'] + + {{- if .Values.metrics.extraPrometheusConfiguration }} + # + # User defined extra configuration + # + {{- range $line, $value := ( split "\n" .Values.metrics.extraPrometheusConfiguration ) }} + {{ $value }} + {{- end }} + {{- end }} diff --git a/charts/shipa/shipa/1.7.200/templates/metrics-deployment.yaml b/charts/shipa/shipa/1.7.200/templates/metrics-deployment.yaml new file mode 100644 index 000000000..bb2770b6d --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/metrics-deployment.yaml 
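Review bot: The `extraPrometheusConfiguration` loop in the metrics ConfigMap uses sprig `split`, which returns a map keyed `_0`, `_1`, …, and Go templates range over maps in sorted key order, so as soon as an operator supplies more than ten lines they are emitted as `_0, _1, _10, _11, …, _2` and the spliced YAML is scrambled — either Prometheus refuses to start or a scrape job is silently mis-nested. Use the order-preserving list form: `{{- range $value := splitList "\n" .Values.metrics.extraPrometheusConfiguration }}`. Because the lines are pasted into a `|-` block with a fixed 4-space prefix, values.yaml should also state that the text must be pre-indented to the `scrape_configs` level, or the template should `nindent` the whole string instead of looping per line.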
@@ -0,0 +1,59 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "shipa.fullname" . }}-metrics + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + sidecar.istio.io/inject: "false" +spec: + selector: + matchLabels: + name: {{ template "shipa.fullname" . }}-metrics + template: + metadata: + labels: + name: {{ template "shipa.fullname" . }}-metrics + annotations: + sidecar.istio.io/inject: "false" + spec: + nodeSelector: + kubernetes.io/os: linux + containers: + # Please do not scale metrics container. It doesn't use storage lock (--storage.tsdb.no-lockfile) + - name: metrics + {{- if .Values.metrics.image }} + image: "{{ .Values.metrics.image }}" + {{- else }} + image: "{{ .Values.images.shipaRepositoryDirname }}/{{ .Values.metrics.repositoryBasename }}:{{ .Values.metrics.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.metrics.pullPolicy }} + env: + - name: PROMETHEUS_ARGS + value: "--web.enable-admin-api {{ default ("--storage.tsdb.retention.time=1d") .Values.metrics.prometheusArgs }}" + - name: METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-secret + key: metrics-password + ports: + - name: prometheus + containerPort: 9090 + protocol: TCP + - name: pushgateway + containerPort: 9091 + protocol: TCP + volumeMounts: + - name: "{{ template "shipa.fullname" . }}-metrics-config" + mountPath: /etc/prometheus/config + + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + volumes: + - name: {{ template "shipa.fullname" . }}-metrics-config + configMap: + name: {{ template "shipa.fullname" . }}-metrics-config + items: + - key: prometheus.yml + path: prometheus.yml diff --git a/charts/shipa/shipa/1.7.200/templates/metrics-service.yaml b/charts/shipa/shipa/1.7.200/templates/metrics-service.yaml new file mode 100644 index 000000000..2371f76bb --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/metrics-service.yaml 
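Review bot: `PROMETHEUS_ARGS` unconditionally turns on `--web.enable-admin-api`, which exposes the TSDB delete-series, snapshot and clean-tombstones endpoints on port 9090, and the Service for this deployment is a plain ClusterIP, so unless the image fronts Prometheus with the `METRICS_PASSWORD` credential (not visible here) any pod in the cluster can wipe the metrics history. Make it opt-in, e.g. `value: "{{ if .Values.metrics.enableAdminApi }}--web.enable-admin-api {{ end }}{{ default "--storage.tsdb.retention.time=1d" .Values.metrics.prometheusArgs }}"`, and document which shipa-api feature needs it if one does. The container also has no `securityContext` and no `resources`, which matters for a component whose in-memory TSDB grows with scrape volume.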
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "shipa.fullname" . }}-metrics + labels: {{- include "shipa.labels" . | nindent 4 }} +spec: + type: ClusterIP + selector: + name: {{ template "shipa.fullname" . }}-metrics + ports: + - port: 9090 + targetPort: 9090 + protocol: TCP + name: prometheus + - port: 9091 + targetPort: 9091 + protocol: TCP + name: pushgateway diff --git a/charts/shipa/shipa/1.7.200/templates/nginx-configmap.yaml b/charts/shipa/shipa/1.7.200/templates/nginx-configmap.yaml new file mode 100644 index 000000000..060f57594 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/nginx-configmap.yaml @@ -0,0 +1,20 @@ +{{ if and (eq .Values.shipaCluster.ingress.type "nginx") (not .Values.shipaCluster.ingress.ip) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "shipa.fullname" . }}-nginx + labels: {{- include "shipa.labels" . | nindent 4 }} + shipa.io/shipa-api-ingress-controller: "true" +data: + {{- if .Values.shipaCluster.ingress.config }} + {{- range $key, $value := .Values.shipaCluster.ingress.config }} + {{ $key }}: {{ $value }} + {{- end }} + {{- else }} + proxy-body-size: "512M" + proxy-read-timeout: "300" + proxy-connect-timeout: "300" + proxy-send-timeout: "300" + upstream-keepalive-timeout: "300" + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/shipa/shipa/1.7.200/templates/nginx-deployment.yaml b/charts/shipa/shipa/1.7.200/templates/nginx-deployment.yaml new file mode 100644 index 000000000..cd2adb5af --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/nginx-deployment.yaml 
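Review bot: In the user-supplied branch of the nginx ConfigMap, `{{ $key }}: {{ $value }}` renders values unquoted while the built-in defaults below it are quoted; a value written as a YAML boolean or number in values.yaml (e.g. `use-forwarded-headers: true` or `proxy-read-timeout: 300`) renders as a non-string and the apply is rejected because ConfigMap `data` must be strings, and a string containing `: ` or ` #` changes the document structure. Render `{{ $key }}: {{ $value | quote }}` so the two branches behave the same. Note for operators that this map feeds the ingress-nginx controller directly, so keys such as `allow-snippet-annotations` are in scope here and should be reviewed like any controller setting.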
@@ -0,0 +1,99 @@ +{{ if and (eq .Values.shipaCluster.ingress.type "nginx") (not .Values.shipaCluster.ingress.ip) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "shipa.fullname" . }}-nginx-ingress + labels: {{- include "shipa.labels" . | nindent 4 }} + shipa.io/shipa-api-ingress-controller: "true" + shipa.io/component: nginx + shipa.io/cluster: shipa-cluster + annotations: + sidecar.istio.io/inject: "false" +spec: + replicas: 1 + selector: + matchLabels: + name: {{ template "shipa.fullname" . }}-nginx-ingress + template: + metadata: + labels: + name: {{ template "shipa.fullname" . }}-nginx-ingress + shipa.io/component: nginx + shipa.io/cluster: shipa-cluster + annotations: + sidecar.istio.io/inject: "false" + prometheus.io/port: "10254" + prometheus.io/scrape: "true" + spec: + # wait up to 30 seconds for the drain of connections + terminationGracePeriodSeconds: 30 + serviceAccountName: {{ template "shipa.fullname" . }}-nginx-ingress-serviceaccount + nodeSelector: + kubernetes.io/os: linux + containers: + - name: nginx-ingress-controller + image: {{ .Values.shipaCluster.ingress.image }} + args: + - /nginx-ingress-controller + - --election-id={{ template "shipa.fullname" . }}-leader + - --configmap=$(POD_NAMESPACE)/{{ template "shipa.fullname" . }}-nginx + - --tcp-services-configmap=$(POD_NAMESPACE)/{{ template "shipa.fullname" . }}-nginx-tcp-services + - --publish-service=$(POD_NAMESPACE)/{{ template "shipa.fullname" . }}-ingress-nginx + - --ingress-class={{ default ( include "shipa.defaultNginxClassName" . | trim) .Values.shipaCluster.ingress.className }} + - --default-ssl-certificate={{ .Release.Namespace }}/{{ template "shipa.fullname" . 
}}-api-ingress-secret + - --controller-class=k8s.io/internal-ingress-nginx + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: 101 + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + ports: + {{- if not .Values.shipaApi.secureIngressOnly }} + {{ range $i, $servicePort := .Values.shipaApi.servicePorts }} + - name: shipa-{{ $i }} + containerPort: {{ $servicePort }} + protocol: TCP + {{- end }} + {{- end }} + {{ range $i, $servicePort := .Values.shipaApi.serviceSecurePorts }} + - name: shipa-secure-{{ $i }} + containerPort: {{ $servicePort }} + protocol: TCP + {{- end }} + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 10 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 10 + lifecycle: + preStop: + exec: + command: + - /wait-shutdown +{{- end }} \ No newline at end of file diff --git a/charts/shipa/shipa/1.7.200/templates/nginx-ingressclass.yaml b/charts/shipa/shipa/1.7.200/templates/nginx-ingressclass.yaml new file mode 100644 index 000000000..5a09a4be5 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/nginx-ingressclass.yaml @@ -0,0 +1,8 @@ +{{ if and (eq .Values.shipaCluster.ingress.type "nginx") (not .Values.shipaCluster.ingress.ip) }} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ default ( include "shipa.defaultNginxClassName" . | trim) .Values.shipaCluster.ingress.className }} +spec: + controller: k8s.io/internal-ingress-nginx +{{- end }} \ No newline at end of file 
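Review bot: The controller `securityContext` stops at `allowPrivilegeEscalation: false`, a capability drop and `runAsUser: 101`; add `runAsNonRoot: true` (defence in depth should the uid ever be dropped from the template) and `seccompProfile: {type: RuntimeDefault}` next to it, as recent upstream ingress-nginx manifests do, so the default seccomp filter is actually applied. No `resources` requests or limits are set on the one component that terminates API TLS and is reachable from outside the cluster, so a traffic spike can starve co-located pods — expose `shipaCluster.ingress.resources` in values and render it with `toYaml | nindent`. `replicas: 1` with no PodDisruptionBudget makes the API ingress a single point of failure; acceptable as a default, but worth a comment in values.yaml.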
diff --git a/charts/shipa/shipa/1.7.200/templates/nginx-rbac.yaml b/charts/shipa/shipa/1.7.200/templates/nginx-rbac.yaml new file mode 100644 index 000000000..4d52e7e07 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/nginx-rbac.yaml 
@@ -0,0 +1,131 @@ +{{ if and (eq .Values.shipaCluster.ingress.type "nginx") (not .Values.shipaCluster.ingress.ip) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "shipa.fullname" . }}-nginx-ingress-clusterrole + labels: {{- include "shipa.labels" . | nindent 4 }} + shipa.io/shipa-api-ingress-controller: "true" +rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - update + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingressclasses + verbs: + - get + - list + - watch + - apiGroups: + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "shipa.fullname" . }}-nginx-ingress-role + labels: {{- include "shipa.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - "{{ template "shipa.fullname" . }}-leader-nginx" + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "shipa.fullname" . }}-nginx-ingress-role-nisa-binding + labels: {{- include "shipa.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "shipa.fullname" . }}-nginx-ingress-role +subjects: + - kind: ServiceAccount + name: {{ template "shipa.fullname" . 
}}-nginx-ingress-serviceaccount + namespace: {{ .Release.Namespace }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "shipa.fullname" . }}-nginx-ingress-clusterrole-nisa-binding + labels: {{- include "shipa.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "shipa.fullname" . }}-nginx-ingress-clusterrole +subjects: + - kind: ServiceAccount + name: {{ template "shipa.fullname" . }}-nginx-ingress-serviceaccount + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/shipa/shipa/1.7.200/templates/nginx-service.yaml b/charts/shipa/shipa/1.7.200/templates/nginx-service.yaml new file mode 100644 index 000000000..414d480bf --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/nginx-service.yaml 
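Review bot: The ClusterRole's second rule grants `configmaps: update` cluster-wide, which the upstream ingress-nginx ClusterRole does not include — upstream confines update to the leader-election ConfigMap through the `resourceNames`-scoped rule in the namespaced Role, the same rule this file also carries, so the cluster-wide grant makes that scoping moot and lets a compromised controller rewrite any ConfigMap in the cluster (other controllers' config, CoreDNS, etc.); remove that rule from the ClusterRole. The Role hard-codes `resourceNames: ["{{ template "shipa.fullname" . }}-leader-nginx"]` while the deployment passes `--election-id=<fullname>-leader` together with a configurable `--ingress-class`, so the election object name only lines up when the class is literally `nginx`. If the controller image is an ingress-nginx 1.x build, election is done on `coordination.k8s.io` Leases and the Role additionally needs `leases: get/create/update` — verify against the image tag in values.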
@@ -0,0 +1,59 @@ +{{ if and (eq .Values.shipaCluster.ingress.type "nginx") (not .Values.shipaCluster.ingress.ip) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "shipa.fullname" . }}-ingress-nginx + labels: {{- include "shipa.labels" . | nindent 4 }} + shipa.io/shipa-api-ingress-controller: "true" + annotations: +{{- if $.Values.shipaCluster.ingress.customNginxServiceAnnotations }} +{{ toYaml $.Values.shipaCluster.ingress.customNginxServiceAnnotations | indent 4 }} +{{- end }} +spec: + type: "{{ .Values.shipaCluster.ingress.serviceType }}" + {{- if eq .Values.shipaCluster.ingress.serviceType "LoadBalancer" }} + {{- if .Values.shipaCluster.ingress.loadBalancerIp }} + loadBalancerIP: "{{ .Values.shipaCluster.ingress.loadBalancerIp }}" + {{- end }} + {{- end }} + {{- if eq .Values.shipaCluster.ingress.serviceType "ClusterIP" }} + {{- if .Values.shipaCluster.ingress.clusterIp }} + clusterIP: "{{ .Values.shipaCluster.ingress.clusterIp }}" + {{- end }} + {{- end }} + selector: + name: {{ template "shipa.fullname" . 
}}-nginx-ingress + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + {{- if not .Values.shipaApi.secureIngressOnly }} + {{- range $i, $servicePort := without (.Values.shipaApi.servicePorts | toStrings) "80" }} + - port: {{ $servicePort }} + name: shipa-{{ $i }} + targetPort: {{ $.Values.shipaApi.port }} + protocol: TCP + {{- if eq $.Values.shipaCluster.ingress.serviceType "NodePort" }} + {{- if $.Values.shipaCluster.ingress.nodePort }} + nodePort: {{ $.Values.shipaCluster.ingress.nodePort }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- range $i, $servicePort := without (.Values.shipaApi.serviceSecurePorts | toStrings) "443" }} + - port: {{ $servicePort }} + name: shipa-secure-{{ $i }} + targetPort: {{ $.Values.shipaApi.securePort }} + protocol: TCP + {{- if eq $.Values.shipaCluster.ingress.serviceType "NodePort" }} + {{- if $.Values.shipaCluster.ingress.nodePort }} + nodePort: {{ $.Values.shipaCluster.ingress.nodePort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/shipa/shipa/1.7.200/templates/nginx-serviceaccount.yaml b/charts/shipa/shipa/1.7.200/templates/nginx-serviceaccount.yaml new file mode 100644 index 000000000..ba9aafc09 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/nginx-serviceaccount.yaml @@ -0,0 +1,8 @@ +{{ if and (eq .Values.shipaCluster.ingress.type "nginx") (not .Values.shipaCluster.ingress.ip) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "shipa.fullname" . }}-nginx-ingress-serviceaccount + labels: {{- include "shipa.labels" . | nindent 4 }} + shipa.io/shipa-api-ingress-controller: "true" +{{- end }} diff --git a/charts/shipa/shipa/1.7.200/templates/postgres-pvc.yaml b/charts/shipa/shipa/1.7.200/templates/postgres-pvc.yaml new file mode 100644 index 000000000..caf8ef0ba --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/postgres-pvc.yaml 
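Review bot: Both `range` loops in the nginx Service emit the same `nodePort: {{ $.Values.shipaCluster.ingress.nodePort }}` for every generated port, so with `serviceType: NodePort` and more than one entry across `servicePorts`/`serviceSecurePorts` the Service fails validation with a duplicate nodePort; either index per-port values (`{{ index $.Values.shipaCluster.ingress.nodePorts $i }}`) or document that `nodePort` is honoured only for a single extra port. For `LoadBalancer`, the API — including the plaintext ports when `secureIngressOnly` is false — is exposed to whatever the cloud default is with no way to restrict sources; add `{{- with .Values.shipaCluster.ingress.loadBalancerSourceRanges }}loadBalancerSourceRanges: {{ toYaml . | nindent 4 }}{{- end }}` so operators can limit the control-plane API to known CIDRs.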
@@ -0,0 +1,20 @@ +{{- if .Values.postgres.create }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "shipa.fullname" . }}-postgres-pvc + labels: {{- include "shipa.labels" . | nindent 4 }} +spec: + accessModes: + - {{ .Values.postgres.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.postgres.persistence.size | quote }} + {{- if .Values.postgres.persistence.storageClass }} + {{- if (eq "-" .Values.postgres.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.postgres.persistence.storageClass }}" + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/shipa/shipa/1.7.200/templates/postgres-service.yaml b/charts/shipa/shipa/1.7.200/templates/postgres-service.yaml new file mode 100644 index 000000000..01ef2dd61 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/postgres-service.yaml @@ -0,0 +1,16 @@ +{{- if .Values.postgres.create }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "shipa.fullname" . }}-postgres + labels: {{- include "shipa.labels" . | nindent 4 }} +spec: + type: ClusterIP + selector: + name: {{ template "shipa.fullname" . }}-postgres + ports: + - port: 5432 + targetPort: 5432 + protocol: TCP + name: postgres +{{- end }} \ No newline at end of file diff --git a/charts/shipa/shipa/1.7.200/templates/postgres-statefulset.yaml b/charts/shipa/shipa/1.7.200/templates/postgres-statefulset.yaml new file mode 100644 index 000000000..0e9a06024 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/postgres-statefulset.yaml 
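Review bot: The Postgres Service exposes 5432 as a plain ClusterIP with nothing in this diff restricting who may connect; the only client visible here is the Clair deployment (its DSN is built from `<fullname>-postgres.<namespace>` in `clair-configmap.yaml`), and authentication is a single shared password from `<fullname>-secret`. Consider shipping a NetworkPolicy that allows ingress to `name: <fullname>-postgres` only from the clair pod selector (plus shipa-api if it also connects — not visible here), so a compromised tenant workload cannot reach or brute-force the scanner database.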
@@ -0,0 +1,50 @@ +{{- if .Values.postgres.create }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "shipa.fullname" . }}-postgres + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + sidecar.istio.io/inject: "false" +spec: + selector: + matchLabels: + name: {{ template "shipa.fullname" . }}-postgres + serviceName: {{ template "shipa.fullname" . }}-postgres + replicas: 1 + template: + metadata: + labels: + name: {{ template "shipa.fullname" . }}-postgres + annotations: + sidecar.istio.io/inject: "false" + spec: + nodeSelector: + kubernetes.io/os: linux + containers: + - name: postgres + image: {{ .Values.postgres.image }} + imagePullPolicy: IfNotPresent + ports: + - name: postgres + containerPort: 5432 + protocol: TCP + volumeMounts: + - name: data + mountPath: /var/lib/postgresql/data + subPath: postgres + env: + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-secret + key: postgres-password + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ template "shipa.fullname" . }}-postgres-pvc +{{- end }} diff --git a/charts/shipa/shipa/1.7.200/templates/pre-upgrade-hook.yaml b/charts/shipa/shipa/1.7.200/templates/pre-upgrade-hook.yaml new file mode 100644 index 000000000..7de157f86 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/pre-upgrade-hook.yaml 
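Review bot: The postgres container has no readiness probe, so the StatefulSet reports Ready as soon as the process starts and Clair, whose DSN points here, races `initdb` on first boot; add an exec probe on `pg_isready` (the default role is `postgres` for the official image — confirm for `postgres.image`). There is also no `securityContext` or `resources`: the official image starts as root and drops to uid 999 via gosu, which works but leaves the container root-capable at start, so if the image tolerates it set `runAsUser: 999`, `fsGroup: 999` and `runAsNonRoot: true` at the pod level. `imagePullPolicy: IfNotPresent` with a tag-only `postgres.image` means a re-pushed tag is invisible to nodes with a cached layer — pin a digest in values.
```yaml
        - name: postgres
          # … unchanged: image, imagePullPolicy, ports, volumeMounts, env …
          readinessProbe:
            exec:
              command: ["pg_isready", "-U", "postgres"]   # confirm the role for postgres.image
            initialDelaySeconds: 5
            periodSeconds: 10
```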
@@ -0,0 +1,84 @@ +{{- if .Values.tags.defaultDB }} +{{- if .Values.tags.legacyMongoReplicaset }} +{{- fail "tags.defaultDB and tags.legacyMongoReplicaset cannot both be set to true. See https://learn.shipa.io/docs/upgrading-self-managed-shipa" }} +{{- end }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "shipa.fullname" . }}-pre-upgrade-config + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "pre-upgrade" + "helm.sh/hook-weight": "-1" +data: + pre-upgrade.sh: | +{{ .Files.Get "scripts/pre-upgrade.sh" | indent 4 }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ template "shipa.fullname" . }}-pre-upgrade-hook-{{ .Release.Revision }}" + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "pre-upgrade" + "helm.sh/hook-weight": 0" + "helm.sh/hook-delete-policy": hook-succeeded + sidecar.istio.io/inject: "false" +spec: + backoffLimit: 0 + template: + metadata: + name: "{{ template "shipa.fullname" . }}-pre-upgrade-hook-{{ .Release.Revision }}" + labels: + shipa-hook: "pre-upgrade" + annotations: + sidecar.istio.io/inject: "false" + spec: + nodeSelector: + kubernetes.io/os: linux + terminationGracePeriodSeconds: 3 + {{- if .Values.rbac.enabled }} + serviceAccountName: {{ template "shipa.fullname" . }} + {{- else }} + serviceAccountName: default + {{- end }} + restartPolicy: Never + containers: + - name: pre-upgrade-hook + {{- if .Values.cli.image }} + image: "{{ .Values.cli.image }}" + {{- else }} + image: "{{ .Values.images.shipaRepositoryDirname }}/{{ .Values.cli.repositoryBasename }}:{{ .Values.cli.tag }}" + {{- end }} + command: + - /scripts/pre-upgrade.sh + imagePullPolicy: {{ .Values.cli.pullPolicy }} + env: + - name: RELEASE_NAME + value: {{ template "shipa.fullname" . 
}} + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: PERSISTENCE_EXISTING_CLAIM + value: "{{ .Values.mongodb.persistence.existingClaim }}" + - name: PERSISTENCE_SIZE + value: "{{ .Values.mongodb.persistence.size }}" + volumeMounts: + - name: scripts + mountPath: /scripts + - name: scripts-out + mountPath: /etc/shipa/ + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + volumes: + - name: scripts + configMap: + defaultMode: 0755 + name: {{ template "shipa.fullname" . }}-pre-upgrade-config + - name: scripts-out + emptyDir: {} + +{{- end }} \ No newline at end of file diff --git a/charts/shipa/shipa/1.7.200/templates/shipa-api-configmap.yaml b/charts/shipa/shipa/1.7.200/templates/shipa-api-configmap.yaml new file mode 100644 index 000000000..86222ef1d --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/shipa-api-configmap.yaml 
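Review bot: The Job annotation `"helm.sh/hook-weight": 0"` has a stray trailing quote; YAML accepts it as the plain string `0"`, Helm's `strconv.Atoi` on that value fails and silently falls back to weight 0, so the hook orders correctly by accident and will surprise the next person who edits it — write `"helm.sh/hook-weight": "0"`. The hook pod runs `pre-upgrade.sh` with the release ServiceAccount (or `default`) and no `securityContext`; since the script acts with whatever cluster rights that SA holds, add `runAsNonRoot: true` and `allowPrivilegeEscalation: false` to the container as the shipa-api deployment does. The script itself comes from `.Files.Get "scripts/pre-upgrade.sh"` and is not in this diff, so what it does with `PERSISTENCE_EXISTING_CLAIM` was not reviewed.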
@@ -0,0 +1,198 @@ +{{- if and (.Values.tags.defaultDB) (.Values.tags.legacyMongoReplicaset) }} +{{- fail "tags.defaultDB and tags.legacyMongoReplicaset cannot both be true.\n To use the legacy MongoDB chart set tags.defaultDB to false, tags.legacyMongoReplicaset to true,\n and if upgrading, provide mongodb.persistence.existingClaim to match the existing PVC, which can be found with:\n kubectl get pvc -A -l app=mongodb-replicaset -o jsonpath='{.items[].metadata.name}'\n To use the current MongoDB chart set tags.defaultDB to true, tags.legacyMongoReplicaset to false (these are the default values)" }} +{{- end }} +{{- if and (or .Values.tags.defaultDB .Values.tags.legacyMongoReplicaset) (and (.Values.externalMongodb.url) (ne .Values.externalMongodb.url "< database url >")) }} +{{- fail "externalMongodb.url cannot be set when either tags.defaultDB or tags.legacyMongoReplicaset are true.\n Either set tags.defaultDB and tags.legacyMongoReplicaset to false to use an external MongoDB instance, or remove the value for externalMongodb.url" }} +{{- end }} +{{ $shipaCloud := default dict .Values.shipaCloud }} +{{ $shipaCloudEnabled := $shipaCloud.enabled | default "false" | quote}} +{{ $shipaPayApi := default dict $shipaCloud.shipaPayApi }} +{{ $shipaPayApiHost := $shipaPayApi.host | default "" | quote}} +{{ $shipaPayApiToken := $shipaPayApi.token | default "" | quote}} +{{ $googleRecaptcha := default dict $shipaCloud.googleRecaptcha }} +{{ $googleRecaptchaSitekey := $googleRecaptcha.sitekey | default "" | quote}} +{{ $googleRecaptchaSecret := $googleRecaptcha.secret | default "" | quote}} +{{ $smartlook := default dict $shipaCloud.smartlook }} +{{ $smartlookProjectKey := $smartlook.projectKey | default "" | quote}} +{{ $launchDarkly := default dict $shipaCloud.launchDarkly }} +{{ $launchDarklySdkKey := $launchDarkly.sdkKey | default "" | quote}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "shipa.fullname" . 
}}-api-config + labels: {{- include "shipa.labels" . | nindent 4 }} +data: + shipa.conf: |- + shipaVersion: {{ .Chart.Version }} + tls-listen: "0.0.0.0:{{ .Values.shipaApi.securePort }}" + listen: "0.0.0.0:{{ .Values.shipaApi.port }}" + host: https://SHIPA_PUBLIC_IP:{{ first .Values.shipaApi.serviceSecurePorts }} + host-internal: http://{{ template "shipa.fullname" . }}-api.{{ .Release.Namespace }}.svc.{{ .Values.shipaCluster.clusterDomain }}:{{ first .Values.shipaApi.servicePorts }} + use-internal-host: {{ .Values.shipaApi.useInternalHost }} + use-tls: true + shipaCloud: + enabled: {{ $shipaCloudEnabled }} + tls: + server-cert: /certs/api-server.crt + server-key: /certs/api-server.key + + database: + {{- if or (.Values.tags.defaultDB) (.Values.tags.legacyMongoReplicaset) }} + {{- if eq .Values.shipaCluster.ingress.type "istio" }} + {{- if .Values.tags.defaultDB }} + url: {{ .Release.Name }}-mongodb.{{ .Release.Namespace }}.svc.{{ .Values.shipaCluster.clusterDomain }}:{{ .Values.mongodb.service.port }} + {{- else if .Values.tags.legacyMongoReplicaset }} + url: {{ .Release.Name }}-mongodb-replicaset.{{ .Release.Namespace }}.svc.{{ .Values.shipaCluster.clusterDomain }}:{{ .Values.mongodb.service.port }} + {{- end }} + {{ else }} + {{- if .Values.tags.defaultDB }} + url: {{ .Release.Name }}-mongodb:{{ .Values.mongodb.service.port }} + {{- else if .Values.tags.legacyMongoReplicaset }} + url: {{ .Release.Name }}-mongodb-replicaset:{{ .Values.mongodb.service.port }} + {{- end }} + {{- end }} + tls: false + {{ else }} + url: {{ .Values.externalMongodb.url }} + tls: {{ .Values.externalMongodb.tls.enable }} + {{- end }} + name: shipa + username: $DB_USERNAME + password: $DB_PASSWORD + organization: + id: SHIPA_ORGANIZATION_ID + dashboard: + enabled: $DASHBOARD_ENABLED + image: $DASHBOARD_IMAGE + envs: + SHIPA_ADMIN_USER: {{ .Values.auth.adminUser | quote }} + SHIPA_TARGETS: {{ trimPrefix "\n" (include "shipa.cnames" .) 
}} + SHIPA_API_INTERNAL_URL: http://{{ template "shipa.fullname" . }}-api.{{ .Release.Namespace }}.svc.{{ .Values.shipaCluster.clusterDomain }}:{{ first .Values.shipaApi.servicePorts }} + SHIPA_CLOUD: {{ $shipaCloudEnabled }} + SHIPA_PAY_API_HOST: {{ $shipaPayApiHost }} + SHIPA_PAY_API_TOKEN: {{ $shipaPayApiToken }} + GOOGLE_RECAPTCHA_SITEKEY: {{ $googleRecaptchaSitekey }} + GOOGLE_RECAPTCHA_SECRET: {{ $googleRecaptchaSecret }} + SMARTLOOK_PROJECT_KEY: {{ $smartlookProjectKey }} + LAUNCH_DARKLY_SDK_KEY: {{ $launchDarklySdkKey }} + + auth: + admin-email: {{ .Values.auth.adminUser | quote }} + token-expire-days: 2 + hash-cost: 4 + user-registration: true + user-activation: + cert: 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 + provisioner: kubernetes + metrics: + host: {{ template "shipa.fullname" . }}-metrics + password: $METRICS_PASSWORD + + # section contains configuration of Prometheus Metrics Exporter + prometheus-metrics-exporter: + {{- if .Values.prometheusMetricsExporter.image }} + image: "{{ .Values.prometheusMetricsExporter.image }}" + {{- else }} + image: "{{ .Values.images.shipaRepositoryDirname }}/{{ .Values.prometheusMetricsExporter.repositoryBasename }}:{{ .Values.prometheusMetricsExporter.tag }}" + {{- end }} + + docker: + cluster: + storage: mongodb + mongo-database: cluster + collection: docker + registry-scheme: https + repository-namespace: shipa + router: traefik + deploy-cmd: /var/lib/shipa/deploy + run-cmd: + bin: /var/lib/shipa/start + port: "8888" + tls: + root-path: /certs + auto-scale: + enabled: true + run-interval: $DOCKER_AUTOSCALE_RUN_INTERVAL + routers: + traefik: + type: traefik + domain: shipa.cloud + istio: + type: istio + nginx: + type: nginx + serviceType: {{ .Values.shipaCluster.ingress.serviceType }} + ip: {{ .Values.shipaCluster.ingress.ip }} + queue: + mongo-database: queuedb + quota: + units-per-app: 4 + apps-per-user: 8 + log: + disable-syslog: true + use-stderr: true + clair: + server: http://{{ template 
"shipa.fullname" . }}-clair:6060 + disabled: false + kubernetes: + # pod name is used by a leader election thing as an identifier for the current shipa-api instance + pod-name: $POD_NAME + pod-namespace: $POD_NAMESPACE + use-pool-namespaces: true + remote-cluster-ingress: + http-port: 80 + https-port: 443 + service-type: LoadBalancer + ketch: + enabled: true + {{- if .Values.ketch.image }} + image: "{{ .Values.ketch.image }}" + {{- else }} + image: "{{ .Values.images.shipaRepositoryDirname }}/{{ .Values.ketch.repositoryBasename }}:{{ .Values.ketch.tag }}" + {{- end }} + metrics-address: {{ .Values.ketch.metricsAddress }} + cert-manager: + install-url: {{ .Values.certManager.installUrl }} + + cluster-update: + # it's a default value that specifies if cluster-update operations can restart ingress controllers + ingress-restart-is-allowed: {{ .Values.shipaApi.allowRestartIngressControllers }} + + app-auto-discovery: + enabled: true + event-updates: {{ .Values.shipaController.enableEventUpdater }} + shipa-controller: + network-policy-violation: {{ .Values.shipaController.enableNetworkPolicyViolation }} + + debug: {{ .Values.shipaApi.debug }} + certificates: + root: /certs/ + ca: ca.pem + ca-key: ca-key.pem + client-ca: client-ca.crt + client-ca-key: client-ca.key + is-ca-endpoint-disabled: {{ .Values.shipaApi.isCAEndpointDisabled }} + + shipa-controller: + {{- if .Values.shipaController.image }} + image: "{{ .Values.shipaController.image }}" + {{- else }} + image: "{{ .Values.images.shipaRepositoryDirname }}/{{ .Values.shipaController.repositoryBasename }}:{{ .Values.shipaController.tag }}" + {{- end }} + + + agent: + image-repository: {{ .Values.images.shipaRepositoryDirname }} + repository-name: {{ .Values.agent.repositoryBasename }} + tag: {{ .Values.agent.tag }} + busybody: + {{- if .Values.busybody.image }} + image: "{{ .Values.busybody.image }}" + {{- else }} + image: "{{ .Values.images.shipaRepositoryDirname }}/{{ .Values.busybody.repositoryBasename }}:{{ 
.Values.busybody.tag }}" + {{- end }} + socket: /var/run/docker.sock + + signatures: single # multiple/single + launch-darkly: + api-key: {{ $launchDarklySdkKey }} diff --git a/charts/shipa/shipa/1.7.200/templates/shipa-api-deployment.yaml b/charts/shipa/shipa/1.7.200/templates/shipa-api-deployment.yaml new file mode 100644 index 000000000..25ead9c88 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/shipa-api-deployment.yaml 
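Review bot: Several third-party credentials are rendered in clear into this ConfigMap — `SHIPA_PAY_API_TOKEN`, `GOOGLE_RECAPTCHA_SECRET`, `SMARTLOOK_PROJECT_KEY` and `LAUNCH_DARKLY_SDK_KEY` (twice, also under `launch-darkly.api-key`) — even though the same file already uses the `$DB_PASSWORD`/`$METRICS_PASSWORD` placeholder pattern for values resolved from `<fullname>-secret` at runtime; ConfigMaps are readable by anyone with namespace `get configmaps` and are not encrypted at rest by default, so move these into the Secret and reference them as `$SHIPA_PAY_API_TOKEN` etc. Two auth defaults are also weak for an API that is the cluster's deployment control plane: `hash-cost: 4` is bcrypt's minimum cost (if this is the tsuru-derived `auth:hash-cost`, whose default is 10), and `user-registration: true` lets anyone who can reach the API create an account; change to `hash-cost: 10` and gate registration behind a value, e.g. `user-registration: {{ .Values.auth.userRegistration | default false }}`. The value under `user-activation: cert:` is absent from this copy of the diff, so that certificate material was not reviewed.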
@@ -0,0 +1,236 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "shipa.fullname" . }}-api + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + sidecar.istio.io/inject: {{ eq .Values.shipaCluster.ingress.type "istio" | quote }} + checksum/config: {{ include (print $.Template.BasePath "/shipa-api-configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/shipa-secret.yaml") . | sha256sum }} + checksum/mongo-auth-secret: {{ include (print $.Template.BasePath "/shipa-mongo-auth-secrets.yaml") . | sha256sum }} +spec: +{{- if .Values.shipaApi.allowMigrationDowntime }} + strategy: + type: Recreate +{{- end }} + selector: + matchLabels: + {{- include "shipa.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "shipa.selectorLabels" . | nindent 8 }} + annotations: + timestamp: "{{ date "20060102150405" now }}" + sidecar.istio.io/inject: {{ eq .Values.shipaCluster.ingress.type "istio" | quote }} + spec: + nodeSelector: + kubernetes.io/os: linux + {{- if .Values.rbac.enabled }} + serviceAccountName: {{ template "shipa.fullname" . }} + {{- else }} + serviceAccountName: default + {{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + initContainers: + - name: bootstrap + {{- if .Values.cli.image }} + image: "{{ .Values.cli.image }}" + {{- else }} + image: "{{ .Values.images.shipaRepositoryDirname }}/{{ .Values.cli.repositoryBasename }}:{{ .Values.cli.tag }}" + {{- end }} + command: + - /scripts/bootstrap.sh + imagePullPolicy: {{ .Values.cli.pullPolicy }} + volumeMounts: + - name: scripts + mountPath: /scripts + - name: shipa-conf + mountPath: /etc/shipa-default/ + - name: config-dir + mountPath: /etc/shipa/ + env: + - name: RELEASE_NAME + value: {{ template "shipa.fullname" . }} + - name: INGRESS_TYPE + value: {{ default ( "nginx" ) .Values.shipaCluster.ingress.type | quote }} + - name: NGINX_SERVICE + value: {{ template "shipa.fullname" . 
}}-ingress-nginx + - name: SHIPA_PORT + value: {{ first .Values.shipaApi.servicePorts | quote }} + - name: SHIPA_API_CNAMES + value: {{ join "\",\"" (splitList "," (trimPrefix "\n" (include "shipa.cnames" .)) ) | quote }} + - name: SHIPA_INTERNAL_DNS + value: "{{ template "shipa.fullname" . }}-api.{{ .Release.Namespace }}.svc.{{ .Values.shipaCluster.clusterDomain }}" + - name: SHIPA_ORGANIZATION_ID + valueFrom: + configMapKeyRef: + name: {{ template "shipa.fullname" . }}-defaults-configmap + key: shipa-org-id + - name: SHIPA_MAIN_TARGET + value: {{ template "shipa.GetMainTarget" . }} + - name: WAIT_FOR_NGINX + value: {{ and (eq .Values.shipaCluster.ingress.type "nginx") (not .Values.shipaCluster.ingress.ip) | quote }} + - name: INGRESS_IP + value: {{ .Values.shipaCluster.ingress.ip }} + - name: NGINX_DEPLOYMENT_NAME + value: {{ template "shipa.fullname" . }}-nginx-ingress + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: init + {{- if .Values.shipaApi.image }} + image: "{{ .Values.shipaApi.image }}" + {{- else }} + image: "{{ .Values.images.shipaRepositoryDirname }}/{{ .Values.shipaApi.repositoryBasename }}:{{ .Values.shipaApi.tag }}" + {{- end }} + # this init container creates an admin user. + # Let's avoid having ENV variables with admin credentials in the main shipa container. + command: + - /bin/shipad + - root + - user + - create + - --ignore-if-exists + imagePullPolicy: {{ .Values.shipaApi.pullPolicy }} + volumeMounts: + - name: config-dir + mountPath: /etc/shipa/ + - name: certificates + mountPath: /certs/ + env: + - name: SHIPA_ADMIN_USER + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-api-init-secret + key: username + - name: SHIPA_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . 
}}-api-init-secret + key: password + {{- if not (or (.Values.tags.defaultDB) (.Values.tags.legacyMongoReplicaset)) }} + {{- if and ( .Values.externalMongodb.auth.username ) ( .Values.externalMongodb.auth.password ) }} + - name: DB_USERNAME + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-mongo-auth-secret + key: username + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-mongo-auth-secret + key: password + {{- end }} + {{- end }} + containers: + - name: shipa + {{- if .Values.shipaApi.image }} + image: "{{ .Values.shipaApi.image }}" + {{- else }} + image: "{{ .Values.images.shipaRepositoryDirname }}/{{ .Values.shipaApi.repositoryBasename }}:{{ .Values.shipaApi.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.shipaApi.pullPolicy }} + env: + - name: METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-secret + key: metrics-password + - name: DASHBOARD_IMAGE + {{- if .Values.dashboard.image }} + value: "{{ .Values.dashboard.image }}" + {{- else }} + value: "{{ .Values.images.shipaRepositoryDirname }}/{{ .Values.dashboard.repositoryBasename }}:{{ .Values.dashboard.tag }}" + {{- end }} + - name: DASHBOARD_ENABLED + value: "{{ .Values.dashboard.enabled }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if not (or (.Values.tags.defaultDB) (.Values.tags.legacyMongoReplicaset)) }} + {{- if and ( .Values.externalMongodb.auth.username ) ( .Values.externalMongodb.auth.password ) }} + - name: DB_USERNAME + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-mongo-auth-secret + key: username + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . 
}}-mongo-auth-secret + key: password + {{- end }} + {{- end }} + ports: + - name: shipa + containerPort: {{ .Values.shipaApi.port }} + protocol: TCP + - name: shipa-secure + containerPort: {{ .Values.shipaApi.securePort }} + protocol: TCP + livenessProbe: + httpGet: + path: / + port: {{ .Values.shipaApi.port }} + periodSeconds: 2 + failureThreshold: 4 + startupProbe: + httpGet: + path: / + port: {{ .Values.shipaApi.port }} + failureThreshold: 90 + periodSeconds: 2 + readinessProbe: + httpGet: + path: / + port: {{ .Values.shipaApi.port }} + periodSeconds: 3 + initialDelaySeconds: 5 + failureThreshold: 50 + successThreshold: 1 + resources: + {{- toYaml .Values.shipaApi.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - name: config-dir + mountPath: /etc/shipa/ + readOnly: true + - name: certificates + mountPath: /certs/ + readOnly: true + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + volumes: + - name: config-dir + emptyDir: {} + - name: shipa-conf + configMap: + name: {{ template "shipa.fullname" . }}-api-config + items: + - key: shipa.conf + path: shipa.conf + - name: certificates + secret: + secretName: shipa-certificates + - name: scripts + configMap: + defaultMode: 0755 + name: {{ template "shipa.fullname" . }}-api-init-config diff --git a/charts/shipa/shipa/1.7.200/templates/shipa-api-init-configmap.yaml b/charts/shipa/shipa/1.7.200/templates/shipa-api-init-configmap.yaml new file mode 100644 index 000000000..07078a90a --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/shipa-api-init-configmap.yaml 
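Review bot: The `bootstrap` and `init` initContainers carry no container-level `securityContext`, while the main `shipa` container sets `allowPrivilegeEscalation: false` and drops all capabilities; the pod-level `runAsNonRoot`/`runAsUser: 65532` does apply to them, but privilege escalation and the default capability set are left unrestricted. The `init` container is the one that receives `SHIPA_ADMIN_PASSWORD` and, when configured, the Mongo credentials, so it deserves at least the same hardening. Suggest adding to both initContainers `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}`. Separately, the `timestamp` pod annotation changes on every render, so every `helm upgrade` forces a rollout regardless of the `checksum/*` annotations; if that is intended, a comment above it saying so would stop the next reader from "fixing" it.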
@@ -0,0 +1,55 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "shipa.fullname" . }}-api-init-config + labels: {{- include "shipa.labels" . | nindent 4 }} +data: + init-job.sh: | +{{ .Files.Get "scripts/init-job.sh" | indent 4 }} + bootstrap.sh: | +{{ .Files.Get "scripts/bootstrap.sh" | indent 4 }} + csr-docker-cluster.json: | +{{ .Files.Get "scripts/csr-docker-cluster.json" | indent 4 }} + csr-shipa-ca.json: | +{{ .Files.Get "scripts/csr-shipa-ca.json" | indent 4 }} + csr-client-ca.json: | +{{ .Files.Get "scripts/csr-client-ca.json" | indent 4 }} + csr-api-config.json: | +{{ .Files.Get "scripts/csr-api-config.json" | indent 4 }} + csr-api-server.json: | +{{ .Files.Get "scripts/csr-api-server.json" | indent 4 }} + default-framework-template.yaml: | + shipaFramework: shipa-framework + resources: + general: + setup: + force: false + default: true + public: true + kubeNamespace: {{ .Release.Namespace }} + security: + disableScan: true + router: {{ default ( "nginx" ) .Values.shipaCluster.ingress.type }} + access: + append: + - shipa-admin-team + - shipa-system-team + default-cluster-template.yaml: | + cluster: + name: shipa-cluster + kubernetesPublicEndpoint: CLUSTER_ADDR + frameworks: + - shipa-framework + ingress: + ip: {{ .Values.shipaCluster.ingress.ip }} + serviceType: {{ default ( "LoadBalancer" ) .Values.shipaCluster.ingress.serviceType | quote }} + type: {{ default ( "nginx" ) .Values.shipaCluster.ingress.type }} + {{ if eq .Values.shipaCluster.ingress.type "nginx" }} + className: {{ default ( include "shipa.defaultNginxClassName" . | trim ) .Values.shipaCluster.ingress.className }} + {{- end }} + {{ if eq .Values.shipaCluster.ingress.type "traefik" }} + className: {{ default ("traefik") .Values.shipaCluster.ingress.className }} + {{- end }} + {{ if eq .Values.shipaCluster.ingress.type "istio" }} + className: {{ default ("istio") .Values.shipaCluster.ingress.className }} + {{- end }} 
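Review bot: `default-framework-template.yaml` hard-codes `security: disableScan: true`, so the framework created at install time has image scanning switched off with no value to re-enable it, even though the API config earlier in this diff wires up a `clair` scanner. Consider driving the key from a chart value with the same default (e.g. `disableScan: {{ .Values.defaultFramework.disableScan | default true }}`, with the value documented in `values.schema.json`) so the install default is unchanged but operators can opt in without editing the template. At minimum a comment above `security:` should state that the default framework is also created `public: true` and shared with `shipa-admin-team`/`shipa-system-team`, since that combination decides who can deploy unscanned images. `kubernetesPublicEndpoint: CLUSTER_ADDR` is a placeholder presumably rewritten by `init-job.sh`, which is not in this chunk; naming the script in a comment would help.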
diff --git a/charts/shipa/shipa/1.7.200/templates/shipa-api-init-job.yaml b/charts/shipa/shipa/1.7.200/templates/shipa-api-init-job.yaml new file mode 100644 index 000000000..a29d25007 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/shipa-api-init-job.yaml 
@@ -0,0 +1,111 @@ +{{ $shipaCloud := default dict .Values.shipaCloud }} +{{ $shipaCloudEnabled := $shipaCloud.enabled | default "false" | quote}} +{{ $shipaPayApi := default dict $shipaCloud.shipaPayApi }} +{{ $shipaPayApiHost := $shipaPayApi.host | default "" | quote}} +{{ $shipaPayApiToken := $shipaPayApi.token | default "" | quote}} +{{ $googleRecaptcha := default dict $shipaCloud.googleRecaptcha }} +{{ $googleRecaptchaSitekey := $googleRecaptcha.sitekey | default "" | quote}} +{{ $googleRecaptchaSecret := $googleRecaptcha.secret | default "" | quote}} +{{ $smartlook := default dict $shipaCloud.smartlook }} +{{ $smartlookProjectKey := $smartlook.projectKey | default "" | quote}} +{{ $launchDarkly := default dict $shipaCloud.launchDarkly }} +{{ $launchDarklySdkKey := $launchDarkly.sdkKey | default "" | quote}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ template "shipa.fullname" . }}-init-job-{{ .Release.Revision }}" + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "post-install" + sidecar.istio.io/inject: "false" +spec: + backoffLimit: 5 + template: + metadata: + name: "{{ template "shipa.fullname" . }}-init-job-{{ .Release.Revision }}" + annotations: + sidecar.istio.io/inject: "false" + spec: + nodeSelector: + kubernetes.io/os: linux + terminationGracePeriodSeconds: 3 + {{- if .Values.rbac.enabled }} + serviceAccountName: {{ template "shipa.fullname" . }} + {{- else }} + serviceAccountName: default + {{- end }} + restartPolicy: Never + containers: + - name: migrations + {{- if .Values.cli.image }} + image: "{{ .Values.cli.image }}" + {{- else }} + image: "{{ .Values.images.shipaRepositoryDirname }}/{{ .Values.cli.repositoryBasename }}:{{ .Values.cli.tag }}" + {{- end }} + command: + - /scripts/init-job.sh + imagePullPolicy: {{ .Values.cli.pullPolicy }} + env: + - name: RELEASE_NAME + value: {{ template "shipa.fullname" . }} + - name: SHIPA_ENDPOINT + value: "{{ template "shipa.fullname" . 
}}-api.{{ .Release.Namespace }}.svc.{{ .Values.shipaCluster.clusterDomain }}" + - name: SHIPA_ENDPOINT_PORT + value: "{{ first .Values.shipaApi.servicePorts }}" + - name: USERNAME + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-api-init-secret + key: username + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-api-init-secret + key: password + - name: INGRESS_TYPE + value: {{ default ( "nginx" ) .Values.shipaCluster.ingress.type | quote }} + - name: DASHBOARD_IMAGE + {{- if .Values.dashboard.image }} + value: "{{ .Values.dashboard.image }}" + {{- else }} + value: "{{ .Values.images.shipaRepositoryDirname }}/{{ .Values.dashboard.repositoryBasename }}:{{ .Values.dashboard.tag }}" + {{- end }} + - name: DASHBOARD_ENABLED + value: "{{ .Values.dashboard.enabled }}" + - name: SHIPA_CLOUD + value: {{ $shipaCloudEnabled }} + - name: SHIPA_PAY_API_HOST + value: {{ $shipaPayApiHost }} + - name: SHIPA_PAY_API_TOKEN + value: {{ $shipaPayApiToken }} + - name: GOOGLE_RECAPTCHA_SITEKEY + value: {{ $googleRecaptchaSitekey }} + - name: GOOGLE_RECAPTCHA_SECRET + value: {{ $googleRecaptchaSecret }} + - name: SMARTLOOK_PROJECT_KEY + value: {{ $smartlookProjectKey }} + - name: LAUNCH_DARKLY_SDK_KEY + value: {{ $launchDarklySdkKey }} + - name: SHIPA_TARGETS + value: {{ trimPrefix "\n" (include "shipa.cnames" .) }} + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: scripts + mountPath: /scripts + - name: scripts-out + mountPath: /etc/shipa/ + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + volumes: + - name: scripts + configMap: + defaultMode: 0755 + name: {{ template "shipa.fullname" . }}-api-init-config + - name: scripts-out + emptyDir: {} 
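Review bot: `SHIPA_PAY_API_TOKEN`, `GOOGLE_RECAPTCHA_SECRET` and `LAUNCH_DARKLY_SDK_KEY` are injected as literal `value:` strings, so they land in the Job's pod spec (readable by anyone with `get pods`/`get jobs` in the namespace) and in the stored Helm release manifest, whereas `USERNAME`/`PASSWORD` in the same container correctly use `secretKeyRef`. The Job also has no `helm.sh/hook-delete-policy`, so the completed pod and its spec persist after install. Suggest moving the three values into a Secret (the chart's `shipa-secret` is the natural home, with matching keys added there) and referencing them by key as below, and adding `"helm.sh/hook-delete-policy": hook-succeeded` unless the pod logs are wanted for debugging. The same `$launchDarklySdkKey` is also rendered into the API ConfigMap under `launch-darkly.api-key`, whose hunk begins before this chunk.
```yaml
# … unchanged: RELEASE_NAME … SHIPA_PAY_API_HOST …
- name: SHIPA_PAY_API_TOKEN
  valueFrom:
    secretKeyRef:
      name: {{ template "shipa.fullname" . }}-secret
      key: shipa-pay-api-token
# … unchanged: GOOGLE_RECAPTCHA_SITEKEY …
- name: GOOGLE_RECAPTCHA_SECRET
  valueFrom:
    secretKeyRef:
      name: {{ template "shipa.fullname" . }}-secret
      key: google-recaptcha-secret
# … unchanged: SMARTLOOK_PROJECT_KEY …
- name: LAUNCH_DARKLY_SDK_KEY
  valueFrom:
    secretKeyRef:
      name: {{ template "shipa.fullname" . }}-secret
      key: launch-darkly-sdk-key
# … unchanged: SHIPA_TARGETS, POD_NAMESPACE, volumeMounts …
```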
diff --git a/charts/shipa/shipa/1.7.200/templates/shipa-api-init-secrets.yaml b/charts/shipa/shipa/1.7.200/templates/shipa-api-init-secrets.yaml new file mode 100644 index 000000000..c9ed28138 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/shipa-api-init-secrets.yaml @@ -0,0 +1,19 @@ +{{- if or (.Release.IsInstall) (.Values.auth.adminUser) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "shipa.fullname" . }}-api-init-secret + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: + {{- if or (not .Values.auth.adminPassword) (not .Values.auth.adminUser) }} + {{- fail "auth.adminUser and auth.adminPassword must be supplied on initial install" }} + {{- end }} + {{- if or (lt (len .Values.auth.adminPassword) 6) (gt (len .Values.auth.adminPassword) 50) }} + {{- fail "adminPassword must be between 6 and 50 characters" }} + {{- end }} + username: {{ required "Admin username is required! Use --set=auth.adminUser=..." .Values.auth.adminUser | toString | b64enc | quote }} + password: {{ required "Admin password is required! Use --set=auth.adminPassword=..." .Values.auth.adminPassword | toString | b64enc | quote }} +{{- end }} diff --git a/charts/shipa/shipa/1.7.200/templates/shipa-api-rbac.yaml b/charts/shipa/shipa/1.7.200/templates/shipa-api-rbac.yaml new file mode 100644 index 000000000..cf2109939 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/shipa-api-rbac.yaml 
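Review bot: The check `lt (len .Values.auth.adminPassword) 6` accepts a six-character password for the initial platform admin account, which is low for the credential that bootstraps the whole control plane. Consider raising the floor, e.g. `{{- if or (lt (len .Values.auth.adminPassword) 12) (gt (len .Values.auth.adminPassword) 50) }}` with the `fail` message updated to match, or at least a comment stating that this is a format bound rather than a strength check. Go template `len` on a string counts bytes, not characters, so a multi-byte password is measured against the 50 limit in bytes; a one-line comment above the check would save the next reader a surprise. The `required` calls on the `username`/`password` lines are unreachable because the `fail` above already rejects the empty case, so one of the two checks can go.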
@@ -0,0 +1,98 @@ +{{- if .Values.rbac.enabled }} +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ template "shipa.fullname" . }} + labels: {{- include "shipa.labels" . | nindent 4 }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "shipa.fullname" . }} + labels: {{- include "shipa.labels" . | nindent 4 }} +rules: + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + - services + - extensions + - rbac.authorization.k8s.io + - apiextensions.k8s.io + - networking.k8s.io + - core + - apps + - shipa.io + - config.istio.io + - networking.istio.io + - rbac.istio.io + - authentication.istio.io + - cert-manager.io + - admissionregistration.k8s.io + - coordination.k8s.io + - theketch.io + - traefik.containo.us + resources: ["*"] + verbs: ["*"] + - apiGroups: ["*"] + resources: ["*"] + verbs: + - list + - get + - watch + - nonResourceURLs: ["*"] + verbs: + - list + - get + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "shipa.fullname" . }}-role + labels: {{- include "shipa.labels" . | nindent 4 }} +rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: ["*"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "shipa.fullname" . }} + labels: {{- include "shipa.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "shipa.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "shipa.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "shipa.fullname" . }} + labels: {{- include "shipa.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "shipa.fullname" . 
}}-role +subjects: + - kind: ServiceAccount + name: {{ template "shipa.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/shipa/shipa/1.7.200/templates/shipa-api-service.yaml b/charts/shipa/shipa/1.7.200/templates/shipa-api-service.yaml new file mode 100644 index 000000000..dc7c0b42d --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/shipa-api-service.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "shipa.fullname" . }}-api + labels: + {{- include "shipa.labels" . | nindent 4 }} +spec: + type: ClusterIP + selector: + {{- include "shipa.selectorLabels" . | nindent 4 }} + ports: +{{- range $i, $servicePort := .Values.shipaApi.servicePorts }} + - targetPort: {{ $.Values.shipaApi.port }} + port: {{ $servicePort }} + protocol: TCP + name: shipa-{{ $i }} +{{- end }} +{{- range $i, $servicePort := .Values.shipaApi.serviceSecurePorts }} + - targetPort: {{ $.Values.shipaApi.securePort }} + port: {{ $servicePort }} + protocol: TCP + name: shipa-secure-{{ $i }} +{{- end }} diff --git a/charts/shipa/shipa/1.7.200/templates/shipa-certificates-secret.yaml b/charts/shipa/shipa/1.7.200/templates/shipa-certificates-secret.yaml new file mode 100644 index 000000000..42505db2b --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/shipa-certificates-secret.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: shipa-certificates + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: + ca.pem: "" + ca-key.pem: "" + cert.pem: "" + key.pem: "" + api-server.crt: "" + api-server.key: "" + client-ca.crt: "" + client-ca.key: "" diff --git a/charts/shipa/shipa/1.7.200/templates/shipa-defaults-configmap.yaml b/charts/shipa/shipa/1.7.200/templates/shipa-defaults-configmap.yaml new file mode 100644 index 000000000..55245b93f --- /dev/null 
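Review bot: The ClusterRole grants `resources: ["*"] verbs: ["*"]` across `""`, `rbac.authorization.k8s.io`, `apps`, `admissionregistration.k8s.io` and the rest of the list, which is cluster-admin in all but name: wildcard write on `rbac.authorization.k8s.io` lets the ServiceAccount bind itself to `cluster-admin`, and wildcard on the core group covers every Secret in the cluster. If this breadth is genuinely required for Shipa to manage target clusters, the rule should say so; suggest a comment above it such as `# NOTE: effectively cluster-admin (wildcard write on RBAC and core resources); review before installing into a shared cluster`. Two of the listed apiGroups, `services` and `core`, are not API groups (the core group is `""`, already present) and can be dropped. The namespaced `Role` granting `*` on `leases` is redundant with the ClusterRole's wildcard on `coordination.k8s.io`.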
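Review bot: `shipa-certificates` is created as a pre-install hook with `hook-delete-policy: before-hook-creation` and is the Secret that will hold the CA private keys (`ca-key.pem`, `client-ca.key`, `api-server.key`) once something fills the empty placeholders; nothing in this hunk does that, presumably `bootstrap.sh` from the init ConfigMap, which is not shown. Because hook resources are not tracked as part of the release, `helm uninstall` leaves this key material behind in the namespace, and a reinstall into the same namespace deletes and recreates it, silently rotating the CA that every previously issued certificate chains to. Suggest a comment at the top of the template naming the script that populates the keys and stating that the CA is regenerated on reinstall, so operators know to back it up or clean it up deliberately.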
+++ b/charts/shipa/shipa/1.7.200/templates/shipa-defaults-configmap.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "shipa.fullname" . }}-defaults-configmap + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: + shipa-org-id: {{ uuidv4 | replace "-" "" | quote }} diff --git a/charts/shipa/shipa/1.7.200/templates/shipa-mongo-auth-secrets.yaml b/charts/shipa/shipa/1.7.200/templates/shipa-mongo-auth-secrets.yaml new file mode 100644 index 000000000..ef5c820a3 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/shipa-mongo-auth-secrets.yaml @@ -0,0 +1,12 @@ +{{- if not (or (.Values.tags.defaultDB) (.Values.tags.legacyMongoReplicaset)) }} +{{- if and ( .Values.externalMongodb.auth.username ) ( .Values.externalMongodb.auth.password ) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "shipa.fullname" . }}-mongo-auth-secret + labels: {{- include "shipa.labels" . | nindent 4 }} +data: + username: {{ required "Database username is required! Use --set=externalMongodb.auth.username=..." .Values.externalMongodb.auth.username | toString | b64enc | quote }} + password: {{ required "Database password is required! Use --set=externalMongodb.auth.password=..." .Values.externalMongodb.auth.password | toString | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/shipa/shipa/1.7.200/templates/shipa-secret.yaml b/charts/shipa/shipa/1.7.200/templates/shipa-secret.yaml new file mode 100644 index 000000000..798997347 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/shipa-secret.yaml 
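Review bot: In `shipa-mongo-auth-secrets.yaml` the outer `{{- if and (.Values.externalMongodb.auth.username) (.Values.externalMongodb.auth.password) }}` guard makes both `required` messages unreachable, and it means a configuration with only one of username/password set silently renders no Secret; the API Deployment uses the same guard for its `DB_USERNAME`/`DB_PASSWORD` env, so it then starts without credentials and connects to the external MongoDB unauthenticated if the server permits it. Suggest failing on the half-configured case before the `if and`: `{{- if and (or .Values.externalMongodb.auth.username .Values.externalMongodb.auth.password) (not (and .Values.externalMongodb.auth.username .Values.externalMongodb.auth.password)) }}{{ fail "externalMongodb.auth.username and externalMongodb.auth.password must both be set" }}{{- end }}`. With that in place the two `required` wrappers can be dropped.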
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "shipa.fullname" . }}-secret + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: + metrics-password: {{ default (randAlphaNum 15) .Values.metrics.password | toString | b64enc | quote }} + postgres-password: {{ default (randAlphaNum 15) .Values.postgres.source.password | toString | b64enc | quote }} diff --git a/charts/shipa/shipa/1.7.200/templates/shipa-uninstall-job-configmap.yaml b/charts/shipa/shipa/1.7.200/templates/shipa-uninstall-job-configmap.yaml new file mode 100644 index 000000000..8967017c3 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/shipa-uninstall-job-configmap.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "shipa.fullname" . }}-uninstall-job-config + labels: {{- include "shipa.uninstall-labels" . | nindent 4 }} + annotations: + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + "helm.sh/hook": post-delete +data: + uninstall-job.sh: | +{{ .Files.Get "scripts/uninstall-job.sh" | indent 4 }} + diff --git a/charts/shipa/shipa/1.7.200/templates/shipa-uninstall-job.yaml b/charts/shipa/shipa/1.7.200/templates/shipa-uninstall-job.yaml new file mode 100644 index 000000000..8b9894858 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/shipa-uninstall-job.yaml 
@@ -0,0 +1,52 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "shipa.fullname" . }}-uninstall + labels: {{- include "shipa.uninstall-labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-weight": "5" + "helm.sh/hook-delete-policy": hook-succeeded + sidecar.istio.io/inject: "false" +spec: + template: + metadata: + name: "{{ template "shipa.fullname" . }}-uninstall-job-{{ .Release.Revision }}" + annotations: + sidecar.istio.io/inject: "false" + spec: + nodeSelector: + kubernetes.io/os: linux + {{- if .Values.rbac.enabled }} + serviceAccountName: {{ template "shipa.fullname" . }}-uninstall + {{- else }} + serviceAccountName: default + {{- end }} + restartPolicy: Never + containers: + - name: cleanup + {{- if .Values.cli.image }} + image: "{{ .Values.cli.image }}" + {{- else }} + image: "{{ .Values.images.shipaRepositoryDirname }}/{{ .Values.cli.repositoryBasename }}:{{ .Values.cli.tag }}" + {{- end }} + command: + - /scripts/uninstall-job.sh + imagePullPolicy: IfNotPresent + env: + - name: SELECTOR + value: "shipa.io/is-shipa=true" + - name: NAMESPACE_MOD + value: "-A" + - name: RELEASE_NAME + value: {{ template "shipa.fullname" . }} + - name: RELEASE_NAMESPACE + value: {{ .Release.Namespace }} + volumeMounts: + - name: scripts + mountPath: /scripts + volumes: + - name: scripts + configMap: + defaultMode: 0755 + name: {{ template "shipa.fullname" . }}-uninstall-job-config \ No newline at end of file diff --git a/charts/shipa/shipa/1.7.200/templates/shipa-uninstall-rbac.yaml b/charts/shipa/shipa/1.7.200/templates/shipa-uninstall-rbac.yaml new file mode 100644 index 000000000..cf12335a4 --- /dev/null +++ b/charts/shipa/shipa/1.7.200/templates/shipa-uninstall-rbac.yaml 
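Review bot: The cleanup pod has no `securityContext` at all, unlike the API Deployment in this same diff, and it runs `uninstall-job.sh` with `NAMESPACE_MOD: "-A"` under a wildcard ClusterRole, so whatever the script deletes by `shipa.io/is-shipa=true` it deletes cluster-wide, as root if the CLI image defaults to root. Suggest the same pod-level block the Deployment uses, `securityContext: {runAsNonRoot: true, runAsUser: 65532, runAsGroup: 65532}`, assuming the CLI image supports it. `imagePullPolicy: IfNotPresent` is hard-coded here while every other use of the CLI image takes `.Values.cli.pullPolicy`; `imagePullPolicy: {{ .Values.cli.pullPolicy }}` keeps them consistent. The script itself is not in this chunk, so the deletion scope is inferred from the env values only.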
@@ -0,0 +1,58 @@ +{{- if .Values.rbac.enabled }} +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ template "shipa.fullname" . }}-uninstall + labels: {{- include "shipa.uninstall-labels" . | nindent 4 }} + annotations: + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + "helm.sh/hook": post-delete +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "shipa.fullname" . }}-uninstall + labels: {{- include "shipa.uninstall-labels" . | nindent 4 }} + annotations: + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + "helm.sh/hook": post-delete +rules: + - apiGroups: + - "" + - apps + - batch + - services + - extensions + - rbac.authorization.k8s.io + - networking.k8s.io + - apiextensions.k8s.io + - core + - shipa.io + - clusterroles + - ingresses + - endpoints + - networkpolicies + - namespaces + resources: ["*"] + verbs: ["*"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "shipa.fullname" . }}-uninstall + labels: {{- include "shipa.uninstall-labels" . | nindent 4 }} + annotations: + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + "helm.sh/hook": post-delete +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "shipa.fullname" . }}-uninstall +subjects: +- kind: ServiceAccount + name: {{ template "shipa.fullname" . }}-uninstall + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/shipa/shipa/1.7.200/values.schema.json b/charts/shipa/shipa/1.7.200/values.schema.json new file mode 100644 index 000000000..e800c09af --- /dev/null +++ b/charts/shipa/shipa/1.7.200/values.schema.json 
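Review bot: Five of the listed `apiGroups` — `clusterroles`, `ingresses`, `endpoints`, `networkpolicies`, `namespaces` — are resource names, not API groups, so those entries grant nothing and mislead a reader into thinking the scope is narrower than it is; the effective grant is `*`/`*` on `""`, `apps`, `batch`, `rbac.authorization.k8s.io`, `networking.k8s.io`, `apiextensions.k8s.io` and `shipa.io`, which is cluster-admin-equivalent for a post-delete hook. A cleanup job should only need read and delete, so `verbs: ["get", "list", "delete", "deletecollection"]` would fit, unless `uninstall-job.sh` (not in this chunk) also strips finalizers, in which case add `patch` and say why in a comment above the rule. `services` and `core` are likewise not API groups and can be dropped.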
@@ -0,0 +1,985 @@ +{ + "title": "Chart Values", + "type": "object", + "properties": { + "nameOverride": { + "type": "string", + "description": "If provided, overrides the release name, for example, in the app.kubernetes.io/name label", + "default": "" + }, + "fullnameOverride": { + "type": "string", + "description": "If provided, overrides the release name, for example, in the naming of resources (pods, deployments, etc.)", + "default": "" + }, + "imagePullSecrets": { + "type": "array", + "description": "If provided, these will be configured as imagePullSecrets for pulling images directly included in this chart (the MongoDB(®) sub-chart has its own imagePullSecrets configuration). The array is a list of Kubernetes secrets, likely of type `kubernetes.io/dockerconfigjson`. Example:
imagePullSecrets:
  - name: image-pull-secret
", + "default": [] + }, + "images": { + "type": "object", + "properties": { + "shipaRepositoryDirname": { + "type": "string", + "description": "The base directory for Shipa Corp images. For Shipa Corp images this value has repositoryBasename and tag appended to it to determine the location to pull images from. This does not affect non-Shipa Corp images, such as k8s.gcr.io/ingress-nginx/controller, docker.io/postgres, k8s.gcr.io/mongodb-install, docker.io/mongo, and docker.io/busybox", + "default": "docker.io/shipasoftware" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "If enabled, a Shipa specific ServiceAccount will be used by resources, otherwise `\"default\"` is used", + "default": true + } + } + }, + "auth": { + "type": "object", + "properties": { + "adminUser": { + "type": "string", + "description": "is the login name for the initial admin", + "default": "" + }, + "adminPassword": { + "type": "string", + "description": "is the password for the initial admin", + "default": "" + } + } + }, + "shipaApi": { + "type": "object", + "properties": { + "port": { + "type": "string", + "description": "Port to expose for HTTP traffic to the Shipa API pod", + "default": "8080" + }, + "securePort": { + "type": "string", + "description": "Port to expose for HTTPS traffic to the Shipa API pod", + "default": "8081" + }, + "servicePorts": { + "type": "array", + "description": "Ports to expose for HTTP traffic to the Shipa API Service", + "default": [ + "80" + ] + }, + "serviceSecurePorts": { + "type": "array", + "description": "Ports to expose for HTTPS traffic to the Shipa API Service", + "default": [ + "443" + ] + }, + "repositoryBasename": { + "type": "string", + "description": "The repository name to use for pulling the Shipa API image", + "default": "api" + }, + "tag": { + "type": "string", + "description": "The tag to use for pulling the Shipa API image", + "default": 
"6e4a1bc373b4afffa1e5851813271cf61be6dd9a" + }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy to use for pulling the Shipa API image", + "default": "Always" + }, + "debug": { + "type": "boolean", + "description": "Enables debug log level for the Shipa API", + "default": false + }, + "resources": { + "type": "object", + "description": "Can be used to put resource limits on the Shipa API pod. Example:
shipaApi:
  resources:
    requests:
      memory: 16Mi
      cpu: 50m
    limits:
      memory: 64Mi
      cpu: 250m
", + "default": {} + }, + "cnames": { + "type": "array", + "description": "If there are any DNS names that will be used they need to be specified here for appropriate ingress and cert provisioning. Example:
shipaApi:
  cnames:
    - target.myshipa.lan
    - other-target.myshipa.lan
", + "default": [] + }, + "allowRestartIngressControllers": { + "type": "boolean", + "description": "If set to false, disables the ability for a cluster update to restart the ingress controllers", + "default": true + }, + "isCAEndpointDisabled": { + "type": "boolean", + "description": "If set to true, the ca/certificates endpoint of the Shipa API will be disabled, which disallows the Shipa CLI from trusting invalid TLS certificates when connecting to this Shipa API", + "default": false + }, + "secureIngressOnly": { + "type": "boolean", + "description": "If set to true, all HTTP traffic to the Shipa API ingress will be redirected to HTTPS", + "default": false + }, + "useInternalHost": { + "type": "boolean", + "description": "If true (recommended), the main shipa cluster will communicate with the Shipa API using the internal Kubernetes host name, rather than an external CNAME", + "default": true + }, + "customSecretName": { + "type": "string", + "description": "If provided, this secret will be used as the TLS secret for the API ingress controller. Use this if you have a trusted certificate that you wish to use instead of the default, self-signed certificate", + "default": "" + }, + "customIngressAnnotations": { + "type": "object", + "description": "If provided, these annotations will be added to the Shipa API Ingress resources. Example:
shipaApi
  customIngressAnnotations:
    custom-keys/first-key: \"bbb\"
    custom-keys/second-key: \"ddd\"
", + "default": {} + } + } + }, + "shipaCluster": { + "type": "object", + "properties": { + "clusterDomain": { + "type": "string", + "description": "The domain that your cluster uses internally, through coredns, kube-dns, etc.", + "default": "cluster.local" + }, + "ingress": { + "type": "object", + "properties": { + "type": { + "type": "string", + "description": "ingress controller type. Supported values: (nginx, istio, traefik)", + "default": "nginx" + }, + "image": { + "type": "string", + "description": "NGINX ingress controller image. If the ingress controller type is nginx and no ingress controller ip address is provided, an ingress controller will be deployed using this image", + "default": "k8s.gcr.io/ingress-nginx/controller:v1.1.0" + }, + "serviceType": { + "type": "string", + "description": "ingress controller serviceType. When using shipa managed nginx, we reconcile looking for the right Host of LoadBalancer or ClusterIP based on what is provided here. When using non user managed ingress controller we use this just to store it in DB", + "default": "LoadBalancer" + }, + "ip": { + "type": "string", + "description": "Ingress controller ip address. If provided, we assume user provided ingress controller should be used and create api resources for it", + "default": "" + }, + "className": { + "type": "string", + "description": "Ingress controller class name. If undefined, in most places we set default: nginx, traefik, istio. If we detect that it's shipa managed nginx, we default to shipa-nginx-ingress", + "default": "" + }, + "apiAccessOnIngressIp": { + "type": "boolean", + "description": "If enabled, we will create ingress controller resources to allow api to be accessible on root ip of ingress controller.
NOTE: all ingresses require Host targeting instead of Path targeting for TLS. Also if you use nginxinc/kubernetes-ingress, using Ingress without host is not allowed until this is resolved: https://github.com/nginxinc/kubernetes-ingress/issues/209", + "default": true + }, + "clusterIp": { + "type": "string", + "description": "Ingress controller ClusterIp address. If provided, it will be used for shipa managed nginx ingress controller", + "default": "" + }, + "loadBalancerIp": { + "type": "string", + "description": "Ingress controller LoadBalancerIp address. If provided, it will be used for shipa managed nginx ingress controller", + "default": "" + }, + "nodePort": { + "type": "string", + "description": "If provided, it will be used as node port for shipa managed nginx ingress controller", + "default": "" + }, + "customNginxServiceAnnotations": { + "type": "object", + "description": "If provided, these annotations will be appended to the Shipa managed Nginx ingress controller Service resource. Example for configuring internet facing NLB in AWS:
", + "default": {} + }, + "config": { + "type": "object", + "description": "Configuration overrides for the Shipa managed Nginx ingress controller. Example (these are the defaults if you leave this empty):
shipaCluster:
  ingress:
    config:
      proxy-body-size: \"512M\"
      proxy-read-timeout: \"300\"
      proxy-connect-timeout: \"300\"
      proxy-send-timeout: \"300\"
      upstream-keepalive-timeout: \"300\"
", + "default": {} + } + } + } + } + }, + "postgres": { + "type": "object", + "properties": { + "source": { + "type": "object", + "properties": { + "host": { + "type": "string", + "description": "Host to connect to for Clair database. Leave blank to default to {{ template \"shipa.fullname\" . }}-postgres.{{ .Release.Namespace }}", + "default": "" + }, + "port": { + "type": "number", + "description": "Port to connect to for Clair database", + "default": 5432 + }, + "user": { + "type": "string", + "description": "User to connect to for Clair database", + "default": "postgres" + }, + "password": { + "type": "string", + "description": "Password to connect to for Clair database. Leave blank to generate a random value", + "default": "" + }, + "sslmode": { + "type": "string", + "description": "The SSL mode to run PostgreSQL in. Options: \"require\", \"verify-full\", \"verify-ca\", or \"disable", + "default": "disable" + } + } + }, + "create": { + "type": "boolean", + "description": "Set to false to avoid creating a PostgreSQL instance, for example, if you are using an external PostgreSQL instance", + "default": true + }, + "image": { + "type": "string", + "description": "If postgres.create is set to true, this is the image that will be used", + "default": "docker.io/postgres:13" + }, + "persistence": { + "type": "object", + "properties": { + "storageClass": { + "type": "string", + "description": "The storageClassName to use. Undefined or null will use the default provisioner, or \"-\" will to set storageClassName to \"\", disabling dynamic provisioning", + "default": "" + }, + "accessMode": { + "type": "string", + "description": "The PVC access mode to use. 
Options: ReadWriteOnce, ReadOnlyMany or ReadWriteMany", + "default": "ReadWriteOnce" + }, + "size": { + "type": "string", + "description": "The amount of storage to provision for the Clair database", + "default": "10Gi" + } + } + } + } + }, + "certManager": { + "type": "object", + "properties": { + "installUrl": { + "type": "string", + "description": "When Shipa is installed, if cert-manager is not yet installed (existence of cert-manager ClusterIssuer CRD) it will be installed via the resources at the provided URL", + "default": "https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml" + } + } + }, + "dashboard": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "If set to false, the Shipa Dashboard will not be deployed", + "default": true + }, + "repositoryBasename": { + "type": "string", + "description": "The repository name to use for pulling the dashboard image", + "default": "dashboard" + }, + "tag": { + "type": "string", + "description": "The tag to use for pulling the dashboard image", + "default": "c18b7d0031047c48d8c3b4666d489a498ca58653" + } + } + }, + "cli": { + "type": "object", + "properties": { + "repositoryBasename": { + "type": "string", + "description": "The repository name to use for pulling the Shipa CLI image", + "default": "cli" + }, + "tag": { + "type": "string", + "description": "The tag to use for pulling the Shipa CLI image", + "default": "eb516ebb0bb625748cd6baaa5312e8330469ae34" + }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy to use for pulling the Shipa CLI image", + "default": "Always" + } + } + }, + "metrics": { + "type": "object", + "properties": { + "repositoryBasename": { + "type": "string", + "description": "The repository name to use for pulling the metrics image", + "default": "metrics" + }, + "tag": { + "type": "string", + "description": "The tag to use for pulling the metrics image", + "default": "v0.0.7" + }, + "pullPolicy": 
{ + "type": "string", + "description": "Image pull policy to use for pulling the metrics image", + "default": "Always" + }, + "password": { + "type": "string", + "description": "Password to setup for connecting to the Shipa metrics. If left blank, a random value will be generated and used", + "default": "" + }, + "prometheusArgs": { + "type": "string", + "description": "Arguments to pass to Prometheus on starting the Shipa metrics", + "default": "--storage.tsdb.retention.time=1d" + }, + "extraPrometheusConfiguration": { + "type": "string", + "description": "Extra configuration to add to `prometheus.yaml`. Example for configuring remote reads and writes:
metrics:
  extraPrometheusConfiguration: \\|
    remote_read:
      - url: http://localhost:9268/read
    remote_write:
      - url: http://localhost:9268/write
", + "default": "" + } + } + }, + "busybody": { + "type": "object", + "properties": { + "repositoryBasename": { + "type": "string", + "description": "The repository name to use for pulling the busybody image", + "default": "bb" + }, + "tag": { + "type": "string", + "description": "The tag to use for pulling the busybody image", + "default": "ead64d61a7dab4dca50bd90e18b908e6f44bb9f9" + } + } + }, + "shipaController": { + "type": "object", + "properties": { + "repositoryBasename": { + "type": "string", + "description": "The repository name to use for pulling the Shipa controller image", + "default": "shipa-controller" + }, + "tag": { + "type": "string", + "description": "The tag to use for pulling the Shipa controller image", + "default": "5e7f221a1adce3bd40b5c352418d9da8de94ada2" + }, + "enableEventUpdater": { + "type": "boolean", + "description": "Shipa creates and shows more shipa events for discovered applications", + "default": true + }, + "enableNetworkPolicyViolation": { + "type": "boolean", + "description": "Enables network policy violations", + "default": true + } + } + }, + "prometheusMetricsExporter": { + "type": "object", + "properties": { + "repositoryBasename": { + "type": "string", + "description": "The repository name to use for pulling the Prometheus exporter image", + "default": "prometheus-metrics-exporter" + }, + "tag": { + "type": "string", + "description": "The tag to use for pulling the Prometheus exporter image", + "default": "b123eb79bdbe56f83812b5ad3cfb8bbb568b2e3d" + } + } + }, + "clair": { + "type": "object", + "properties": { + "repositoryBasename": { + "type": "string", + "description": "The repository name to use for pulling the Clair image", + "default": "clair" + }, + "tag": { + "type": "string", + "description": "The tag to use for pulling the Clair image", + "default": "v2.1.7" + } + } + }, + "ketch": { + "type": "object", + "properties": { + "repositoryBasename": { + "type": "string", + "description": "The repository name to use 
for pulling the Ketch controller image", + "default": "ketch" + }, + "tag": { + "type": "string", + "description": "The tag to use for pulling the Ketch controller image", + "default": "4105c20ee2ca27c2ce4811764901565aa5035393" + }, + "metricsAddress": { + "type": "string", + "description": "Address of where metrics will be sent. Leave empty to disable metrics for Ketch", + "default": "127.0.0.1:8080" + } + } + }, + "agent": { + "type": "object", + "properties": { + "repositoryBasename": { + "type": "string", + "description": "The repository name to use for pulling the Shipa agent image", + "default": "shipa-cluster-agent" + }, + "tag": { + "type": "string", + "description": "The tag to use for pulling the Shipa agent image", + "default": "d130d858d71522bbbffbfaaba6097dceaba4c0d8" + } + } + }, + "externalMongodb": { + "type": "object", + "properties": { + "url": { + "type": "string", + "description": "Connection URL for external MongoDB instance.", + "default": "" + }, + "auth": { + "type": "object", + "properties": { + "username": { + "type": "string", + "description": "Username for authenticating to an external MongoDB instance", + "default": "" + }, + "password": { + "type": "string", + "description": "Password for authenticating to an external MongoDB instance", + "default": "" + } + } + }, + "tls": { + "type": "object", + "properties": { + "enable": { + "type": "boolean", + "description": "Set to false to disable TLS when connecting to external DB instance.", + "default": true + } + } + } + } + }, + "tags": { + "type": "object", + "properties": { + "defaultDB": { + "type": "boolean", + "description": "Set defaultDB (and legacyMongoReplicaset) to `false` when using external DB to not install default DB. It will also prevent creating Persistent Volumes. 
This cannot be used with tags.legacyMongoReplicaset", + "default": true + }, + "legacyMongoReplicaset": { + "type": "boolean", + "description": "(Deprecated) Set legacyMongoReplicaset to 'true' in order to use the deprecated https://charts.helm.sh/stable/mongodb-replicaset chart as an internal MongoDB. This cannot be used with tags.defaultDB", + "default": false + } + } + }, + "mongodb": { + "type": "object", + "properties": { + "global": { + "type": "object", + "properties": { + "imageRegistry": { + "type": "string", + "description": "Global Docker image registry for MongoDB(®) dependent chart", + "default": "" + }, + "imagePullSecrets": { + "type": "array", + "description": "Global Docker registry secret names as an array", + "default": [] + } + } + }, + "image": { + "type": "object", + "properties": { + "registry": { + "type": "string", + "description": "MongoDB(®) image registry for MongoDB(®) dependent chart", + "default": "docker.io" + }, + "repository": { + "type": "string", + "description": "MongoDB(®) image registry for MongoDB(®) dependent chart", + "default": "bitnami/mongodb" + }, + "tag": { + "type": "string", + "description": "MongoDB(®) image tag (immutable tags are recommended) for MongoDB(®) dependent chart", + "default": "5.0.6-debian-10-r29" + }, + "pullPolicy": { + "type": "string", + "description": "MongoDB(®) image pull policy for MongoDB(®) dependent chart", + "default": "IfNotPresent" + }, + "pullSecrets": { + "type": "array", + "description": "Specify docker-registry secret names as an array for MongoDB(®) dependent chart", + "default": [] + } + } + }, + "persistence": { + "type": "object", + "properties": { + "existingClaim": { + "type": "string", + "description": "Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) for MongoDB(®) dependent chart", + "default": "" + }, + "size": { + "type": "string", + "description": "PVC Storage Request for MongoDB(®) data volume for MongoDB(®) dependent chart", + "default": 
"10Gi" + } + } + }, + "architecture": { + "type": "string", + "description": "MongoDB(®) architecture (`standalone` or `replicaset`) for MongoDB(®) dependent chart", + "default": "standalone" + }, + "useStatefulSet": { + "type": "boolean", + "description": "Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) for MongoDB(®) dependent chart", + "default": true + }, + "replicaSetName": { + "type": "string", + "description": "Name of the replica set (only when `architecture=replicaset`) for MongoDB(®) dependent chart", + "default": "rs0" + }, + "service": { + "type": "object", + "properties": { + "port": { + "type": "number", + "description": "MongoDB(®) service port for MongoDB(®) dependent chart", + "default": 27017 + } + } + }, + "arbiter": { + "type": "object", + "properties": { + "podSecurityContext": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable Arbiter pod(s)' Security Context for MongoDB(®) dependent chart", + "default": true + }, + "fsGroup": { + "type": "number", + "description": "Group ID for the volumes of the Arbiter pod(s) for MongoDB(®) dependent chart", + "default": 999 + } + } + }, + "containerSecurityContext": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable Arbiter container(s)' Security Context for MongoDB(®) dependent chart", + "default": true + }, + "runAsUser": { + "type": "number", + "description": "User ID for the Arbiter container for MongoDB(®) dependent chart", + "default": 999 + } + } + } + } + }, + "auth": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable authentication for MongoDB(®) dependent chart", + "default": false + } + } + }, + "tls": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes for 
MongoDB(®) dependent chart", + "default": false + }, + "image": { + "type": "object", + "properties": { + "registry": { + "type": "string", + "description": "Init container TLS certs setup image registry for MongoDB(®) dependent chart", + "default": "docker.io" + }, + "repository": { + "type": "string", + "description": "Init container TLS certs setup image repository for MongoDB(®) dependent chart", + "default": "bitnami/nginx" + }, + "tag": { + "type": "string", + "description": "Init container TLS certs setup image tag (immutable tags are recommended) for MongoDB(®) dependent chart", + "default": "1.21.6-debian-10-r30" + }, + "pullPolicy": { + "type": "string", + "description": "Init container TLS certs setup image pull policy for MongoDB(®) dependent chart", + "default": "IfNotPresent" + }, + "pullSecrets": { + "type": "array", + "description": "Init container TLS certs specify docker-registry secret names as an array for MongoDB(®) dependent chart", + "default": [] + } + } + } + } + }, + "externalAccess": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture) for MongoDB(®) dependent chart", + "default": false + }, + "autoDiscovery": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable using an init container to auto-detect external IPs by querying the K8s API for MongoDB(®) dependent chart", + "default": false + }, + "image": { + "type": "object", + "properties": { + "registry": { + "type": "string", + "description": "Init container auto-discovery image registry for MongoDB(®) dependent chart", + "default": "docker.io" + }, + "repository": { + "type": "string", + "description": "Init container auto-discovery image repository for MongoDB(®) dependent chart", + "default": "bitnami/kubectl" + }, + "tag": { + "type": "string", + "description": "Init container auto-discovery image 
tag (immutable tags are recommended) for MongoDB(®) dependent chart", + "default": "1.23.4-debian-10-r7" + }, + "pullPolicy": { + "type": "string", + "description": "Init container auto-discovery image pull policy for MongoDB(®) dependent chart", + "default": "IfNotPresent" + }, + "pullSecrets": { + "type": "array", + "description": "Init container auto-discovery image pull secrets for MongoDB(®) dependent chart", + "default": [] + } + } + } + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` for MongoDB(®) dependent chart", + "default": false + }, + "image": { + "type": "object", + "properties": { + "registry": { + "type": "string", + "description": "Init container volume-permissions image registry for MongoDB(®) dependent chart", + "default": "docker.io" + }, + "repository": { + "type": "string", + "description": "Init container volume-permissions image repository for MongoDB(®) dependent chart", + "default": "bitnami/bitnami-shell" + }, + "tag": { + "type": "string", + "description": "Init container volume-permissions image tag (immutable tags are recommended) for MongoDB(®) dependent chart", + "default": "10-debian-10-r350" + }, + "pullPolicy": { + "type": "string", + "description": "Init container volume-permissions image pull policy for MongoDB(®) dependent chart", + "default": "IfNotPresent" + }, + "pullSecrets": { + "type": "array", + "description": "Specify docker-registry secret names as an array for MongoDB(®) dependent chart", + "default": [] + } + } + } + } + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable using a sidecar Prometheus exporter for MongoDB(®) dependent chart", + "default": false + }, + "image": { + "type": "object", + "properties": { + "registry": { + "type": "string", + 
"description": "MongoDB(®) Prometheus exporter image registry for MongoDB(®) dependent chart", + "default": "docker.io" + }, + "repository": { + "type": "string", + "description": "MongoDB(®) Prometheus exporter image repository for MongoDB(®) dependent chart", + "default": "bitnami/mongodb-exporter" + }, + "tag": { + "type": "string", + "description": "MongoDB(®) Prometheus exporter image tag (immutable tags are recommended) for MongoDB(®) dependent chart", + "default": "0.30.0-debian-10-r83" + }, + "pullPolicy": { + "type": "string", + "description": "MongoDB(®) Prometheus exporter image pull policy for MongoDB(®) dependent chart", + "default": "IfNotPresent" + }, + "pullSecrets": { + "type": "array", + "description": "Specify docker-registry secret names as an array for MongoDB(®) dependent chart", + "default": [] + } + } + } + } + }, + "extraFlags": { + "type": "string", + "description": "MongoDB(®) additional command line flags for MongoDB(®) dependent chart", + "default": "--dbpath=/bitnami/mongodb" + }, + "containerSecurityContext": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable MongoDB(®) container(s)' Security Context for MongoDB(®) dependent chart", + "default": true + }, + "runAsUser": { + "type": "number", + "description": "User ID for the MongoDB(®) container for MongoDB(®) dependent chart", + "default": 999 + }, + "runAsNonRoot": { + "type": "boolean", + "description": "Set MongoDB(®) container's Security Context runAsNonRoot for MongoDB(®) dependent chart", + "default": true + } + } + }, + "podSecurityContext": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable MongoDB(®) pod(s)' Security Context for MongoDB(®) dependent chart", + "default": true + }, + "fsGroup": { + "type": "number", + "description": "Group ID for the volumes of the MongoDB(®) pod(s) for MongoDB(®) dependent chart", + "default": 999 + } + } + } + } + }, + "mongodb-replicaset": { 
+ "type": "object", + "properties": { + "replicaSetName": { + "type": "string", + "description": "", + "default": "rs0" + }, + "replicas": { + "type": "number", + "description": "", + "default": 1 + }, + "port": { + "type": "number", + "description": "", + "default": 27017 + }, + "auth": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "", + "default": false + } + } + }, + "installImage": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "", + "default": "k8s.gcr.io/mongodb-install" + }, + "tag": { + "type": "number", + "description": "", + "default": 0.6 + }, + "pullPolicy": { + "type": "string", + "description": "", + "default": "IfNotPresent" + } + } + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "", + "default": "docker.io/mongo" + }, + "tag": { + "type": "number", + "description": "", + "default": 5 + }, + "pullPolicy": { + "type": "string", + "description": "", + "default": "IfNotPresent" + } + } + }, + "copyConfigImage": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "", + "default": "docker.io/busybox" + }, + "tag": { + "type": "string", + "description": "", + "default": "1.29.3" + }, + "pullPolicy": { + "type": "string", + "description": "", + "default": "IfNotPresent" + } + } + }, + "persistentVolume": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "", + "default": true + }, + "size": { + "type": "string", + "description": "", + "default": "10Gi" + } + } + }, + "tls": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "", + "default": false + } + } + }, + "configmap": { + "type": "string", + "description": "", + "default": "" + } + } + } + } +} \ No newline at end of file 
diff --git a/charts/shipa/shipa/1.7.200/values.yaml b/charts/shipa/shipa/1.7.200/values.yaml
new file mode 100644
index 000000000..81bd3b83f
--- /dev/null
+++ b/charts/shipa/shipa/1.7.200/values.yaml
@@ -0,0 +1,555 @@
+# Default values for shipa.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+## @section Common parameters
+##
+
+## @param nameOverride If provided, overrides the release name, for example, in the app.kubernetes.io/name label
+nameOverride: ""
+
+## @param fullnameOverride If provided, overrides the release name, for example, in the naming of resources (pods, deployments, etc.)
+fullnameOverride: ""
+
+## @param imagePullSecrets If provided, these will be configured as imagePullSecrets for pulling images directly included in this chart (the MongoDB(®) sub-chart has its own imagePullSecrets configuration). The array is a list of Kubernetes secrets, likely of type `kubernetes.io/dockerconfigjson`. Example:
imagePullSecrets:
  - name: image-pull-secret
+## @example imagePullSecrets
+## imagePullSecrets:
+## - name: image-pull-secret
+imagePullSecrets: []
+
+images:
+ ## @param images.shipaRepositoryDirname The base directory for Shipa Corp images. For Shipa Corp images this value has repositoryBasename and tag appended to it to determine the location to pull images from. This does not affect non-Shipa Corp images, such as k8s.gcr.io/ingress-nginx/controller, docker.io/postgres, k8s.gcr.io/mongodb-install, docker.io/mongo, and docker.io/busybox
+ shipaRepositoryDirname: docker.io/shipasoftware
+
+rbac:
+ ## @param rbac.enabled If enabled, a Shipa specific ServiceAccount will be used by resources, otherwise `"default"` is used
+ enabled: true
+
+## @section Initial Admin account credentials
+## @descriptionStart
+## `auth.adminUser` and `auth.adminPassword` are required for install and will not be changed and are not required on upgrade
+## @descriptionEnd
+##
+
+auth:
+ ## @param auth.adminUser is the login name for the initial admin
+ adminUser: ""
+
+ ## @param auth.adminPassword is the password for the initial admin
+ adminPassword: ""
+
+## @section Shipa API configuration
+shipaApi:
+ ## @param shipaApi.port Port to expose for HTTP traffic to the Shipa API pod
+ port: "8080"
+
+ ## @param shipaApi.securePort Port to expose for HTTPS traffic to the Shipa API pod
+ securePort: "8081"
+
+ ## @param shipaApi.servicePorts Ports to expose for HTTP traffic to the Shipa API Service
+ servicePorts:
+ - "80"
+
+ ## @param shipaApi.serviceSecurePorts Ports to expose for HTTPS traffic to the Shipa API Service
+ serviceSecurePorts:
+ - "443"
+
+ ## @param shipaApi.repositoryBasename The repository name to use for pulling the Shipa API image
+ repositoryBasename: api
+
+ ## @param shipaApi.tag The tag to use for pulling the Shipa API image
+ tag: 6e4a1bc373b4afffa1e5851813271cf61be6dd9a
+
+ ## @param shipaApi.pullPolicy Image pull policy to use for pulling the Shipa API image
+ pullPolicy: Always
+
+ ## @param 
shipaApi.debug Enables debug log level for the Shipa API
+ debug: false
+
+ ## @param shipaApi.resources Can be used to put resource limits on the Shipa API pod. Example:
shipaApi:
  resources:
    requests:
      memory: 16Mi
      cpu: 50m
    limits:
      memory: 64Mi
      cpu: 250m
+ ## @example shipaApi.resources
+ ## shipaApi:
+ ## resources:
+ ## requests:
+ ## memory: 16Mi
+ ## cpu: 50m
+ ## limits:
+ ## memory: 64Mi
+ ## cpu: 250m
+ resources: {}
+
+ ## @param shipaApi.cnames If there are any DNS names that will be used they need to be specified here for appropriate ingress and cert provisioning. Example:
shipaApi:
  cnames:
    - target.myshipa.lan
    - other-target.myshipa.lan
+ ## @example shipaApi.cnames
+ ## shipaApi
+ ## cnames:
+ ## - target.myshipa.lan
+ ## - other-target.myshipa.lan
+ cnames: []
+
+ ## @param shipaApi.allowRestartIngressControllers If set to false, disables the ability for a cluster update to restart the ingress controllers
+ allowRestartIngressControllers: true
+
+ ## @param shipaApi.isCAEndpointDisabled If set to true, the ca/certificates endpoint of the Shipa API will be disabled, which disallows the Shipa CLI from trusting invalid TLS certificates when connecting to this Shipa API
+ isCAEndpointDisabled: false
+
+ ## @param shipaApi.secureIngressOnly If set to true, all HTTP traffic to the Shipa API ingress will be redirected to HTTPS
+ secureIngressOnly: false
+
+ ## @param shipaApi.useInternalHost If true (recommended), the main shipa cluster will communicate with the Shipa API using the internal Kubernetes host name, rather than an external CNAME
+ useInternalHost: true
+
+ ## @param shipaApi.customSecretName If provided, this secret will be used as the TLS secret for the API ingress controller. Use this if you have a trusted certificate that you wish to use instead of the default, self-signed certificate
+ customSecretName: ""
+
+ ## @param shipaApi.customIngressAnnotations If provided, these annotations will be added to the Shipa API Ingress resources. Example:
shipaApi
  customIngressAnnotations:
    custom-keys/first-key: "bbb"
    custom-keys/second-key: "ddd"
+ ## @example shipaApi.customIngressAnnotations
+ ## shipaApi
+ ## customIngressAnnotations:
+ ## custom-keys/first-key: "bbb"
+ ## custom-keys/second-key: "ddd"
+ customIngressAnnotations: {}
+
+## @section Shipa cluster access configuration
+##
+
+shipaCluster:
+ ## @param shipaCluster.clusterDomain The domain that your cluster uses internally, through coredns, kube-dns, etc.
+ clusterDomain: cluster.local
+
+ ingress:
+ ## @param shipaCluster.ingress.type ingress controller type. Supported values: (nginx, istio, traefik)
+ type: nginx
+
+ ## @param shipaCluster.ingress.image NGINX ingress controller image. If the ingress controller type is nginx and no ingress controller ip address is provided, an ingress controller will be deployed using this image
+ image: k8s.gcr.io/ingress-nginx/controller:v1.1.0
+
+ ## @param shipaCluster.ingress.serviceType ingress controller serviceType. When using shipa managed nginx, we reconcile looking for the right Host of LoadBalancer or ClusterIP based on what is provided here. When using non user managed ingress controller we use this just to store it in DB
+ serviceType: LoadBalancer
+
+ ## @param shipaCluster.ingress.ip Ingress controller ip address. If provided, we assume user provided ingress controller should be used and create api resources for it
+ ip: ""
+
+ ## @param shipaCluster.ingress.className Ingress controller class name. If undefined, in most places we set default: nginx, traefik, istio. If we detect that it's shipa managed nginx, we default to shipa-nginx-ingress
+ className: ""
+
+ ## @param shipaCluster.ingress.apiAccessOnIngressIp If enabled, we will create ingress controller resources to allow api to be accessible on root ip of ingress controller.
NOTE: all ingresses require Host targeting instead of Path targeting for TLS. Also if you use nginxinc/kubernetes-ingress, using Ingress without host is not allowed until this is resolved: https://github.com/nginxinc/kubernetes-ingress/issues/209
+ apiAccessOnIngressIp: true
+
+ ## @section Shipa managed Nginx configs
+ ## @descriptionStart
+ ## These configurations only apply if you are using a Shipa managed Nginx ingress controller
+ ## @descriptionEnd
+ ##
+
+ ## @param shipaCluster.ingress.clusterIp Ingress controller ClusterIp address. If provided, it will be used for shipa managed nginx ingress controller
+ clusterIp: ""
+
+ ## @param shipaCluster.ingress.loadBalancerIp Ingress controller LoadBalancerIp address. If provided, it will be used for shipa managed nginx ingress controller
+ loadBalancerIp: ""
+
+ ## @param shipaCluster.ingress.nodePort If provided, it will be used as node port for shipa managed nginx ingress controller
+ nodePort: ""
+
+ ## @param shipaCluster.ingress.customNginxServiceAnnotations If provided, these annotations will be appended to the Shipa managed Nginx ingress controller Service resource. Example for configuring internet facing NLB in AWS:
+ ## shipaCluster:
  ingress:
    customNginxServiceAnnotations:
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
      service.beta.kubernetes.io/aws-load-balancer-eip-allocations: eipalloc-abcd1234
+ ## @example shipaCluster.ingress.customNginxServiceAnnotations for configuring internet facing NLB in AWS:
+ ## shipaCluster:
+ ## ingress:
+ ## customNginxServiceAnnotations:
+ ## service.beta.kubernetes.io/aws-load-balancer-type: nlb
+ ## service.beta.kubernetes.io/aws-load-balancer-eip-allocations: eipalloc-abcd1234
+ customNginxServiceAnnotations: {}
+
+ ## @param shipaCluster.ingress.config Configuration overrides for the Shipa managed Nginx ingress controller. Example (these are the defaults if you leave this empty):
shipaCluster:
  ingress:
    config:
      proxy-body-size: "512M"
      proxy-read-timeout: "300"
      proxy-connect-timeout: "300"
      proxy-send-timeout: "300"
      upstream-keepalive-timeout: "300"
+ ## @example shipaCluster.ingress.config
+ ## shipaCluster:
+ ## ingress:
+ ## config:
+ ## proxy-body-size: "512M"
+ ## proxy-read-timeout: "300"
+ ## proxy-connect-timeout: "300"
+ ## proxy-send-timeout: "300"
+ ## upstream-keepalive-timeout: "300"
+ config: {}
+
+## @section PostgreSQL configuration for use by Clair
+## @descriptionStart
+## `source` parameters pertain to both a Shipa managed in-cluster database, as well as a separately managed database, while `image` and `persistence` only relate to a Shipa managed database.
+## @descriptionEnd
+##
+
+postgres:
+ source:
+ ## @param postgres.source.host Host to connect to for Clair database. Leave blank to default to {{ template "shipa.fullname" . }}-postgres.{{ .Release.Namespace }}
+ host: ""
+
+ ## @param postgres.source.port Port to connect to for Clair database
+ port: 5432
+
+ ## @param postgres.source.user User to connect to for Clair database
+ user: postgres
+
+ ## @param postgres.source.password Password to connect to for Clair database. Leave blank to generate a random value
+ password: ""
+
+ ## @param postgres.source.sslmode The SSL mode to run PostgreSQL in. Options: "require", "verify-full", "verify-ca", or "disable
+ sslmode: disable
+
+ ## @param postgres.create Set to false to avoid creating a PostgreSQL instance, for example, if you are using an external PostgreSQL instance
+ create: true
+
+ ## @param postgres.image If postgres.create is set to true, this is the image that will be used
+ image: docker.io/postgres:13
+
+ persistence:
+ ## @param postgres.persistence.storageClass The storageClassName to use. Undefined or null will use the default provisioner, or "-" will to set storageClassName to "", disabling dynamic provisioning
+ storageClass: ""
+
+ ## @param postgres.persistence.accessMode The PVC access mode to use. 
Options: ReadWriteOnce, ReadOnlyMany or ReadWriteMany + accessMode: "ReadWriteOnce" + + ## @param postgres.persistence.size The amount of storage to provision for the Clair database + size: 10Gi + +## @section cert-manager configuration +## + +certManager: + ## @param certManager.installUrl When Shipa is installed, if cert-manager is not yet installed (existence of cert-manager ClusterIssuer CRD) it will be installed via the resources at the provided URL + installUrl: https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml + +## @section Shipa Dashboard configuration +## + +dashboard: + ## @param dashboard.enabled If set to false, the Shipa Dashboard will not be deployed + enabled: true + + ## @param dashboard.repositoryBasename The repository name to use for pulling the dashboard image + repositoryBasename: dashboard + + ## @param dashboard.tag The tag to use for pulling the dashboard image + tag: c18b7d0031047c48d8c3b4666d489a498ca58653 + +## @section Shipa CLI configuration +## + +cli: + ## @param cli.repositoryBasename The repository name to use for pulling the Shipa CLI image + repositoryBasename: cli + + ## @param cli.tag The tag to use for pulling the Shipa CLI image + tag: eb516ebb0bb625748cd6baaa5312e8330469ae34 + + ## @param cli.pullPolicy Image pull policy to use for pulling the Shipa CLI image + pullPolicy: Always + +## @section Metrics configuration +## + +metrics: + ## @param metrics.repositoryBasename The repository name to use for pulling the metrics image + repositoryBasename: metrics + + ## @param metrics.tag The tag to use for pulling the metrics image + tag: v0.0.7 + + ## @param metrics.pullPolicy Image pull policy to use for pulling the metrics image + pullPolicy: Always + + ## @param metrics.password Password to setup for connecting to the Shipa metrics. 
If left blank, a random value will be generated and used + password: "" + + ## @param metrics.prometheusArgs Arguments to pass to Prometheus on starting the Shipa metrics + prometheusArgs: "--storage.tsdb.retention.time=1d" + + ## @param metrics.extraPrometheusConfiguration Extra configuration to add to `prometheus.yaml`. Example for configuring remote reads and writes:
metrics:
  extraPrometheusConfiguration: \|
    remote_read:
      - url: http://localhost:9268/read
    remote_write:
      - url: http://localhost:9268/write
+ ## @example metrics.extraPrometheusConfiguration for remote read and write + ## metrics: + ## extraPrometheusConfiguration: | + ## remote_read: + ## - url: http://localhost:9268/read + ## remote_write: + ## - url: http://localhost:9268/write + extraPrometheusConfiguration: "" + +## @section busybody configuration +## + +busybody: + ## @param busybody.repositoryBasename The repository name to use for pulling the busybody image + repositoryBasename: bb + + ## @param busybody.tag The tag to use for pulling the busybody image + tag: ead64d61a7dab4dca50bd90e18b908e6f44bb9f9 + +## @section Shipa controller configuration +## + +shipaController: + ## @param shipaController.repositoryBasename The repository name to use for pulling the Shipa controller image + repositoryBasename: shipa-controller + + ## @param shipaController.tag The tag to use for pulling the Shipa controller image + tag: 5e7f221a1adce3bd40b5c352418d9da8de94ada2 + + ## @param shipaController.enableEventUpdater Shipa creates and shows more shipa events for discovered applications + enableEventUpdater: true + + ## @param shipaController.enableNetworkPolicyViolation Enables network policy violations + enableNetworkPolicyViolation: true + +## @section prometheus-metrics-exporter configuration +## + +prometheusMetricsExporter: + ## @param prometheusMetricsExporter.repositoryBasename The repository name to use for pulling the Prometheus exporter image + repositoryBasename: prometheus-metrics-exporter + + ## @param prometheusMetricsExporter.tag The tag to use for pulling the Prometheus exporter image + tag: b123eb79bdbe56f83812b5ad3cfb8bbb568b2e3d + +## @section Clair configuration +## + +clair: + ## @param clair.repositoryBasename The repository name to use for pulling the Clair image + repositoryBasename: clair + + ## @param clair.tag The tag to use for pulling the Clair image + tag: v2.1.7 + +## @section Ketch controller configuration +## + +ketch: + ## @param ketch.repositoryBasename The repository name to 
use for pulling the Ketch controller image + repositoryBasename: ketch + + ## @param ketch.tag The tag to use for pulling the Ketch controller image + tag: 4105c20ee2ca27c2ce4811764901565aa5035393 + + ## @param ketch.metricsAddress Address of where metrics will be sent. Leave empty to disable metrics for Ketch + metricsAddress: 127.0.0.1:8080 + +## @section Shipa agent configuration +## + +agent: + ## @param agent.repositoryBasename The repository name to use for pulling the Shipa agent image + repositoryBasename: shipa-cluster-agent + + ## @param agent.tag The tag to use for pulling the Shipa agent image + tag: d130d858d71522bbbffbfaaba6097dceaba4c0d8 + +## @section External MongoDB(®) configuration +## @descriptionStart +## External MongoDB(®) configuration allows Shipa to connect to your own instance. *This is highly recommended for production usage.* +## `externalMongodb.url` must follow Standard Connection String Format as described here: https://docs.mongodb.com/manual/reference/connection-string/#standard-connection-string-format +## Due to some limitations of the dependencies, we currently do not support url with _'DNS Seed List Connection Format'_, hence connection strings with `mongodb+srv` will not work and will instead need to be provided as a comma separated list of shards, e.g.: +##     `mongos0.example.com:27017,mongos1.example.com:27017,mongos2.example.com:27017` +## @descriptionEnd +## + +externalMongodb: + ## @param externalMongodb.url Connection URL for external MongoDB instance. + url: "" + + auth: + ## @param externalMongodb.auth.username Username for authenticating to an external MongoDB instance + username: "" + + ## @param externalMongodb.auth.password Password for authenticating to an external MongoDB instance + password: "" + + tls: + ## @param externalMongodb.tls.enable Set to false to disable TLS when connecting to external DB instance. 
+ enable: true + +#-------------------------------------------------------------------------------------------------------------------------- +# tags, mongodb, mongodb-replicaset Below config is for managing dependent charts specific to MongoDB. +# Note that the in-cluster MongoDB instance should be used for POC purposes only +#-------------------------------------------------------------------------------------------------------------------------- + +## @section Dependent chart tags +## @descriptionStart +## `tags` are used to enable or disable dependent charts. +## _Note that the in-cluster MongoDB(®) instance should be used for POC purposes only_ +## @descriptionEnd +## + +tags: + ## @param tags.defaultDB Set defaultDB (and legacyMongoReplicaset) to `false` when using external DB to not install default DB. It will also prevent creating Persistent Volumes. This cannot be used with tags.legacyMongoReplicaset + defaultDB: true + + ## @param tags.legacyMongoReplicaset (Deprecated) Set legacyMongoReplicaset to 'true' in order to use the deprecated https://charts.helm.sh/stable/mongodb-replicaset chart as an internal MongoDB. This cannot be used with tags.defaultDB + legacyMongoReplicaset: false + +## @section MongoDB(®) dependent chart parameters +## @descriptionStart +## Default DB config, enabled by setting tag.defaultDB to true. 
This is not intended for production use, where externalMongodb should be used to connect to a operationally hardened database +## Full list of configuration values can be found at https://github.com/bitnami/charts/blob/d997058e6f9c99826242c0ae6d19ccc1cdc2106a/bitnami/mongodb/values.yaml +## @descriptionEnd +## + +mongodb: + global: + ## @param mongodb.global.imageRegistry Global Docker image registry for MongoDB(®) dependent chart + imageRegistry: "" + ## @param mongodb.global.imagePullSecrets Global Docker registry secret names as an array + imagePullSecrets: [] + image: + ## @param mongodb.image.registry MongoDB(®) image registry for MongoDB(®) dependent chart + registry: docker.io + ## @param mongodb.image.repository MongoDB(®) image registry for MongoDB(®) dependent chart + repository: bitnami/mongodb + ## @param mongodb.image.tag MongoDB(®) image tag (immutable tags are recommended) for MongoDB(®) dependent chart + tag: 5.0.6-debian-10-r29 + ## @param mongodb.image.pullPolicy MongoDB(®) image pull policy for MongoDB(®) dependent chart + pullPolicy: IfNotPresent + ## @param mongodb.image.pullSecrets Specify docker-registry secret names as an array for MongoDB(®) dependent chart + pullSecrets: [] + persistence: + ## @param mongodb.persistence.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) for MongoDB(®) dependent chart + existingClaim: "" + ## @param mongodb.persistence.size PVC Storage Request for MongoDB(®) data volume for MongoDB(®) dependent chart + size: "10Gi" + ## @param mongodb.architecture MongoDB(®) architecture (`standalone` or `replicaset`) for MongoDB(®) dependent chart + architecture: "standalone" + ## @param mongodb.useStatefulSet Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) for MongoDB(®) dependent chart + useStatefulSet: true + ## @param mongodb.replicaSetName Name of the replica set (only when `architecture=replicaset`) for MongoDB(®) dependent 
chart + replicaSetName: rs0 + service: + ## @param mongodb.service.port MongoDB(®) service port for MongoDB(®) dependent chart + port: 27017 + ## @param mongodb.nodeSelector [object] MongoDB(®) Node labels for pod assignment for MongoDB(®) dependent chart + nodeSelector: + kubernetes.io/os: linux + arbiter: + podSecurityContext: + ## @param mongodb.arbiter.podSecurityContext.enabled Enable Arbiter pod(s)' Security Context for MongoDB(®) dependent chart + enabled: true + ## @param mongodb.arbiter.podSecurityContext.fsGroup Group ID for the volumes of the Arbiter pod(s) for MongoDB(®) dependent chart + fsGroup: 999 + containerSecurityContext: + ## @param mongodb.arbiter.containerSecurityContext.enabled Enable Arbiter container(s)' Security Context for MongoDB(®) dependent chart + enabled: true + ## @param mongodb.arbiter.containerSecurityContext.runAsUser User ID for the Arbiter container for MongoDB(®) dependent chart + runAsUser: 999 + ## @param mongodb.arbiter.nodeSelector [object] Arbiter Node labels for pod assignment for MongoDB(®) dependent chart + nodeSelector: + kubernetes.io/os: linux + auth: + ## @param mongodb.auth.enabled Enable authentication for MongoDB(®) dependent chart + enabled: false + tls: + ## @param mongodb.tls.enabled Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes for MongoDB(®) dependent chart + enabled: false + image: + ## @param mongodb.tls.image.registry Init container TLS certs setup image registry for MongoDB(®) dependent chart + registry: docker.io + ## @param mongodb.tls.image.repository Init container TLS certs setup image repository for MongoDB(®) dependent chart + repository: bitnami/nginx + ## @param mongodb.tls.image.tag Init container TLS certs setup image tag (immutable tags are recommended) for MongoDB(®) dependent chart + tag: 1.21.6-debian-10-r30 + ## @param mongodb.tls.image.pullPolicy Init container TLS certs setup image pull policy for MongoDB(®) dependent chart + 
pullPolicy: IfNotPresent + ## @param mongodb.tls.image.pullSecrets Init container TLS certs specify docker-registry secret names as an array for MongoDB(®) dependent chart + pullSecrets: [] + externalAccess: + ## @param mongodb.externalAccess.enabled Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture) for MongoDB(®) dependent chart + enabled: false + autoDiscovery: + ## @param mongodb.externalAccess.autoDiscovery.enabled Enable using an init container to auto-detect external IPs by querying the K8s API for MongoDB(®) dependent chart + enabled: false + image: + ## @param mongodb.externalAccess.autoDiscovery.image.registry Init container auto-discovery image registry for MongoDB(®) dependent chart + registry: docker.io + ## @param mongodb.externalAccess.autoDiscovery.image.repository Init container auto-discovery image repository for MongoDB(®) dependent chart + repository: bitnami/kubectl + ## @param mongodb.externalAccess.autoDiscovery.image.tag Init container auto-discovery image tag (immutable tags are recommended) for MongoDB(®) dependent chart + tag: 1.23.4-debian-10-r7 + ## @param mongodb.externalAccess.autoDiscovery.image.pullPolicy Init container auto-discovery image pull policy for MongoDB(®) dependent chart + pullPolicy: IfNotPresent + ## @param mongodb.externalAccess.autoDiscovery.image.pullSecrets Init container auto-discovery image pull secrets for MongoDB(®) dependent chart + pullSecrets: [] + + volumePermissions: + ## @param mongodb.volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` for MongoDB(®) dependent chart + enabled: false + image: + ## @param mongodb.volumePermissions.image.registry Init container volume-permissions image registry for MongoDB(®) dependent chart + registry: docker.io + ## @param mongodb.volumePermissions.image.repository Init container volume-permissions image repository for MongoDB(®) 
dependent chart + repository: bitnami/bitnami-shell + ## @param mongodb.volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) for MongoDB(®) dependent chart + tag: 10-debian-10-r350 + ## @param mongodb.volumePermissions.image.pullPolicy Init container volume-permissions image pull policy for MongoDB(®) dependent chart + pullPolicy: IfNotPresent + ## @param mongodb.volumePermissions.image.pullSecrets Specify docker-registry secret names as an array for MongoDB(®) dependent chart + pullSecrets: [] + metrics: + ## @param mongodb.metrics.enabled Enable using a sidecar Prometheus exporter for MongoDB(®) dependent chart + enabled: false + image: + ## @param mongodb.metrics.image.registry MongoDB(®) Prometheus exporter image registry for MongoDB(®) dependent chart + registry: docker.io + ## @param mongodb.metrics.image.repository MongoDB(®) Prometheus exporter image repository for MongoDB(®) dependent chart + repository: bitnami/mongodb-exporter + ## @param mongodb.metrics.image.tag MongoDB(®) Prometheus exporter image tag (immutable tags are recommended) for MongoDB(®) dependent chart + tag: 0.30.0-debian-10-r83 + ## @param mongodb.metrics.image.pullPolicy MongoDB(®) Prometheus exporter image pull policy for MongoDB(®) dependent chart + pullPolicy: IfNotPresent + ## @param mongodb.metrics.image.pullSecrets Specify docker-registry secret names as an array for MongoDB(®) dependent chart + pullSecrets: [] + ## @param mongodb.extraFlags MongoDB(®) additional command line flags for MongoDB(®) dependent chart + extraFlags: "--dbpath=/bitnami/mongodb" + containerSecurityContext: + ## @param mongodb.containerSecurityContext.enabled Enable MongoDB(®) container(s)' Security Context for MongoDB(®) dependent chart + enabled: true + ## @param mongodb.containerSecurityContext.runAsUser User ID for the MongoDB(®) container for MongoDB(®) dependent chart + runAsUser: 999 + ## @param mongodb.containerSecurityContext.runAsNonRoot Set 
MongoDB(®) container's Security Context runAsNonRoot for MongoDB(®) dependent chart + runAsNonRoot: true + podSecurityContext: + ## @param mongodb.podSecurityContext.enabled Enable MongoDB(®) pod(s)' Security Context for MongoDB(®) dependent chart + enabled: true + ## @param mongodb.podSecurityContext.fsGroup Group ID for the volumes of the MongoDB(®) pod(s) for MongoDB(®) dependent chart + fsGroup: 999 + +## (Deprecated) DB config using deprecated dependent chart, enabled by setting tag.legacyMongoReplicaset to true. This is not intended for production use and will be removed in a future release +## @skip mongodb-replicaset +mongodb-replicaset: + replicaSetName: rs0 + replicas: 1 + port: 27017 + nodeSelector: + kubernetes.io/os: linux + auth: + enabled: false + installImage: + repository: k8s.gcr.io/mongodb-install + tag: 0.6 + pullPolicy: IfNotPresent + image: + repository: docker.io/mongo + tag: 5.0 + pullPolicy: IfNotPresent + copyConfigImage: + repository: docker.io/busybox + tag: 1.29.3 + pullPolicy: IfNotPresent + persistentVolume: + ## Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + ## storageClass: "" + enabled: true + size: 10Gi + tls: + enabled: false + configmap: "" diff --git a/charts/vals-operator/vals-operator/0.6.201/.gitignore b/charts/vals-operator/vals-operator/0.6.201/.gitignore new file mode 100644 index 000000000..d9f7c8d36 --- /dev/null +++ b/charts/vals-operator/vals-operator/0.6.201/.gitignore 
@@ -0,0 +1,49 @@ +# These are some examples of commonly ignored file patterns. +# You should customize this list as applicable to your project. +# Learn more about .gitignore: +# https://www.atlassian.com/git/tutorials/saving-changes/gitignore + +# Node artifact files +node_modules/ +dist/ + +# Compiled Java class files +*.class + +# Compiled Python bytecode +*.py[cod] + +# Log files +*.log + +# Package files +*.jar + +# Maven +target/ +dist/ + +# JetBrains IDE +.idea/ + +# Unit test reports +TEST*.xml + +# Generated by MacOS +.DS_Store + +# Generated by Windows +Thumbs.db + +# Applications +*.app +*.exe +*.war + +# Large media files +*.mp4 +*.tiff +*.avi +*.flv +*.mov +*.wmv diff --git a/charts/vals-operator/vals-operator/0.6.201/Chart.yaml b/charts/vals-operator/vals-operator/0.6.201/Chart.yaml new file mode 100644 index 000000000..a192bc3a9 --- /dev/null +++ b/charts/vals-operator/vals-operator/0.6.201/Chart.yaml @@ -0,0 +1,16 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Vals-Operator + catalog.cattle.io/release-name: vals-operator +apiVersion: v2 +appVersion: v0.6.2 +description: This helm chart installs the Digitalis Vals Operator to manage sync secrets + from supported backends into Kubernetes +icon: https://digitalis.io/wp-content/uploads/2020/06/cropped-Digitalis-512x512-Blue_Digitalis-512x512-Blue-32x32.png +kubeVersion: '>= 1.19.0-0' +maintainers: +- email: info@digitalis.io + name: Digitalis.IO +name: vals-operator +type: application +version: 0.6.201 diff --git a/charts/vals-operator/vals-operator/0.6.201/README.md b/charts/vals-operator/vals-operator/0.6.201/README.md new file mode 100644 index 000000000..3efb45778 --- /dev/null +++ b/charts/vals-operator/vals-operator/0.6.201/README.md 
@@ -0,0 +1,33 @@ +vals-operator +============= +This helm chart installs the Digitalis Vals Operator to manage sync secrets from supported backends into Kubernetes + + +## Chart Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| args | list | `[]` | | +| env | list | `[]` | | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"digitalisdocker/vals-operator"` | | +| image.tag | string | `""` | | +| imagePullSecrets | list | `[]` | | +| manageCrds | bool | `true` | | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podSecurityContext | object | `{}` | | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| secretEnv | list | `[]` | | +| securityContext | object | `{}` | | +| serviceAccount.annotations | object | `{}` | | +| serviceAccount.create | bool | `true` | | +| serviceAccount.name | string | `""` | | +| serviceMonitor.enabled | bool | `false` | | +| serviceMonitor.labels | object | `{}` | | +| tolerations | list | `[]` | | +| volumeMounts | list | `[]` | | +| volumes | list | `[]` | | diff --git a/charts/vals-operator/vals-operator/0.6.201/app-readme.md b/charts/vals-operator/vals-operator/0.6.201/app-readme.md new file mode 100644 index 000000000..3458f2059 --- /dev/null +++ b/charts/vals-operator/vals-operator/0.6.201/app-readme.md 
@@ -0,0 +1,9 @@ +# Vals-Operator + +Here at [Digitalis](https://digitalis.io) we love [vals](https://github.com/variantdev/vals), it's a tool we use daily to keep secrets stored securely. We also use [secrets-manager](https://github.com/tuenti/secrets-manager) on the Kubernetes deployment we manage. Inspired by these two wonderful tools we have created this operator. + +*vals-operator* syncs secrets from any secrets store supported by [vals](https://github.com/variantdev/vals) into Kubernetes. It works very similarly to [secrets-manager](https://github.com/tuenti/secrets-manager) and the code is actually based on it. Where they differ is that it not just supports HashiCorp Vault but many other secrets stores. + +## Mirroring secrets + +We have also added the ability to copy secrets between namespaces. It uses the format `ref+k8s://namespace/secret#key`. This way you can keep secrets generated in one namespace in sync with any other namespace in the cluster. diff --git a/charts/vals-operator/vals-operator/0.6.201/crds/valssecrets.yaml b/charts/vals-operator/vals-operator/0.6.201/crds/valssecrets.yaml new file mode 100644 index 000000000..406ba1e83 --- /dev/null +++ b/charts/vals-operator/vals-operator/0.6.201/crds/valssecrets.yaml 
@@ -0,0 +1,130 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + "helm.sh/hook": crd-install + "helm.sh/hook-delete-policy": "before-hook-creation" + creationTimestamp: null + name: valssecrets.digitalis.io +spec: + group: digitalis.io + names: + kind: ValsSecret + listKind: ValsSecretList + plural: valssecrets + singular: valssecret + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ValsSecret is the Schema for the valssecrets API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ValsSecretSpec defines the desired state of ValsSecret + properties: + data: + additionalProperties: + properties: + encoding: + description: Encoding type for the secret. Only base64 supported. 
+ Optional + type: string + ref: + description: Ref value to the secret in the format ref+backend://path + https://github.com/variantdev/vals + type: string + required: + - ref + type: object + type: object + databases: + items: + properties: + driver: + description: Defines the database type + type: string + hosts: + description: List of hosts to connect to, they'll be tried in + sequence until one succeeds + items: + type: string + type: array + loginCredentials: + description: Credentials to access the database + properties: + namespace: + description: Optional namespace of the secret, default current + namespace + type: string + passwordKey: + description: Key in the secret containing the database username + type: string + secretName: + description: Name of the secret containing the credentials + to be able to log in to the database + type: string + usernameKey: + description: Key in the secret containing the database username + type: string + required: + - passwordKey + - secretName + type: object + passwordKey: + description: Key in the secret containing the database username + type: string + port: + description: Database port number + type: integer + userHost: + description: Used for MySQL only, the host part for the username + type: string + usernameKey: + description: Key in the secret containing the database username + type: string + required: + - driver + - hosts + - passwordKey + type: object + type: array + name: + type: string + ttl: + format: int64 + type: integer + type: + type: string + required: + - data + type: object + status: + description: ValsSecretStatus defines the observed state of ValsSecret + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/charts/vals-operator/vals-operator/0.6.201/questions.yaml b/charts/vals-operator/vals-operator/0.6.201/questions.yaml
new file mode 100644
index 000000000..7976cff0c
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.6.201/questions.yaml
@@ -0,0 +1,26 @@
+questions:
+#image configurations
+- variable: image.repository
+ default: "digitalisdocker/vals-operator"
+ description: image registry
+ type: string
+ label: Image Registry
+ group: "Container Images"
+- variable: image.tag
+ default: "v0.3.0"
+ description: Image tag
+ type: string
+ label: Image Tag
+ group: "Container Images"
+- variable: imagePullSecrets
+ default: ""
+ description: secret name to pull image
+ type: string
+ label: Image Pull Secrets
+ group: "Container Images"
+- variable: environmentSecret
+ default: ""
+ description: "The secret containing env variables to access the backend secrets store."
+ label: Config Secret
+ type: string
+ group: "Settings"
diff --git a/charts/vals-operator/vals-operator/0.6.201/templates/NOTES.txt b/charts/vals-operator/vals-operator/0.6.201/templates/NOTES.txt
new file mode 100644
index 000000000..e69de29bb
diff --git a/charts/vals-operator/vals-operator/0.6.201/templates/_helpers.tpl b/charts/vals-operator/vals-operator/0.6.201/templates/_helpers.tpl
new file mode 100644
index 000000000..dcd31f04a
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.6.201/templates/_helpers.tpl
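Review bot: The Rancher question for `image.tag` defaults to `"v0.3.0"` while Chart.yaml's appVersion is `v0.6.2`, so a UI install pins an image three minor versions behind what this chart was packaged with, and it will keep doing so on every chart bump until someone remembers this file. Use `default: ""` so the Deployment falls through to `.Chart.AppVersion`, or keep the two in lockstep. The `imagePullSecrets` question is `type: string` with `default: ""`, but `deployment.yaml` passes the value through `toYaml` as a list of `{name: …}` entries, so a secret name typed here presumably renders an invalid `imagePullSecrets: <string>`; either model it as a list or add a question for a single secret name that the template maps into the list.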
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "vals-operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "vals-operator.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "vals-operator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "vals-operator.labels" -}} +helm.sh/chart: {{ include "vals-operator.chart" . }} +{{ include "vals-operator.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "vals-operator.selectorLabels" -}} +app.kubernetes.io/name: {{ include "vals-operator.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "vals-operator.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "vals-operator.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/charts/vals-operator/vals-operator/0.6.201/templates/crds.yaml b/charts/vals-operator/vals-operator/0.6.201/templates/crds.yaml
new file mode 100644
index 000000000..0b71ef8c6
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.6.201/templates/crds.yaml
@@ -0,0 +1,6 @@
+{{- if .Values.manageCrds -}}
+{{- range $path, $bytes := .Files.Glob "crds/*.yaml" }}
+{{ $.Files.Get $path }}
+---
+{{- end }}
+{{- end }}
diff --git a/charts/vals-operator/vals-operator/0.6.201/templates/deployment.yaml b/charts/vals-operator/vals-operator/0.6.201/templates/deployment.yaml
new file mode 100644
index 000000000..334c566e7
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.6.201/templates/deployment.yaml
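Review bot: This template re-renders every file under `crds/` as a release-managed resource when `manageCrds` is true, but Helm 3 already applies `crds/` itself (on install only, never on upgrade), so the CRD sits on two install paths. The copy in `crds/valssecrets.yaml` carries `helm.sh/hook: crd-install`, a Helm 2 hook that Helm 3 does not recognise; as far as I can tell it skips such manifests with an "unknown hook" warning, which would mean the templated copy is never applied and `manageCrds: true` gives no CRD upgrades at all. Dropping the two `helm.sh/hook*` annotations from the CRD (or moving the file out of `crds/` so only this template installs it) would make the behaviour match the flag; a comment here such as `# crds/ is also applied by Helm 3 on install; this template is what upgrades the CRD afterwards` would document the intent.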
@@ -0,0 +1,73 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "vals-operator.fullname" . }}
+ labels:
+ {{- include "vals-operator.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "vals-operator.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "vals-operator.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "vals-operator.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if .Values.args }}
+ args:
+ {{- toYaml .Values.args | nindent 12 }}
+ {{- end }}
+ {{- if .Values.environmentSecret }}
+ envFrom:
+ - secretRef:
+ name: "{{ .Values.environmentSecret }}"
+ {{- else }}
+ envFrom:
+ {{- toYaml .Values.secretEnv | nindent 12 }}
+ {{- end }}
+ {{- if .Values.env }}
+ env:
+ {{- toYaml .Values.env | nindent 12 }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- if .Values.volumeMounts }}
+ volumeMounts:
+ {{- toYaml .Values.volumeMounts | nindent 12 }}
+ {{- end }}
+ ports:
+ - containerPort: {{ .Values.metricsPort | default 8080 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.volumes }}
+ volumes:
+ {{- toYaml .Values.volumes | nindent 8 }}
+ {{- end }}
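Review bot: `replicas: 1` is hard-coded although `replicaCount` is exposed in values.yaml and the README; since leader election is opt-in (`-leader-elect` in the documented args), more than one replica would race on Secret writes, so either wire it as `replicas: {{ .Values.replicaCount }}` and document that it requires `-leader-elect`, or drop the value. The container port is unnamed while `servicemonitor.yaml` scrapes `targetPort: "metrics"`; add `name: metrics` above the `containerPort` line. The operator holds the backend-store credentials from `environmentSecret` plus cluster-wide Secret RBAC, yet `podSecurityContext` and `securityContext` default to `{}` per the README, so nothing enforces `runAsNonRoot`, a read-only root filesystem or dropped capabilities — hardened defaults in values.yaml would be worth adding, assuming the image tolerates them. No liveness or readiness probe is declared even though the args comments show a health endpoint on `:8081` by default.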
diff --git a/charts/vals-operator/vals-operator/0.6.201/templates/serviceaccount.yaml b/charts/vals-operator/vals-operator/0.6.201/templates/serviceaccount.yaml
new file mode 100644
index 000000000..67f271063
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.6.201/templates/serviceaccount.yaml
@@ -0,0 +1,64 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: vals-operator
+ labels:
+ {{- include "vals-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - "secrets"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+ - "update"
+ - "delete"
+ - "create"
+- apiGroups:
+ - ""
+ resources:
+ - "events"
+ verbs:
+ - "create"
+ - "patch"
+- apiGroups:
+ - "digitalis.io"
+ resources:
+ - "valssecrets"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+ - "update"
+ - "delete"
+ - "create"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vals-operator
+ labels:
+ {{- include "vals-operator.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vals-operator
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "vals-operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "vals-operator.serviceAccountName" . }}
+ labels:
+ {{- include "vals-operator.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/vals-operator/vals-operator/0.6.201/templates/servicemonitor.yaml b/charts/vals-operator/vals-operator/0.6.201/templates/servicemonitor.yaml
new file mode 100644
index 000000000..4b6e11eeb
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.6.201/templates/servicemonitor.yaml
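Review bot: The ClusterRole grants get/list/watch/create/update/delete on every Secret in the cluster, and `ValsSecret` is a namespaced CRD; combined with the `ref+k8s://namespace/secret#key` mirroring described in app-readme.md, anyone permitted to create a ValsSecret in one namespace can have the operator copy a Secret out of any other namespace into theirs. That is a cross-namespace privilege escalation the chart should at least document, and ideally gate — for example by defaulting `-watch-namespaces`/`-exclude-namespaces`, or by offering a namespaced Role/RoleBinding variant in place of the ClusterRole. The ClusterRole and ClusterRoleBinding names are the fixed string `vals-operator`, so two releases in one cluster collide and the second silently rebinds the first's role; use `name: {{ include "vals-operator.fullname" . }}` for both objects and in `roleRef`. Tying the RBAC to `serviceAccount.create` also means an externally managed service account gets no permissions at all, which is probably not intended.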
@@ -0,0 +1,37 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "vals-operator.fullname" . }}
+ labels:
+ {{- if .Values.serviceMonitor.labels }}
+ {{ toYaml .Values.serviceMonitor.labels | nindent 4 }}
+ {{- else }}
+ app: {{ template "vals-operator.name" . }}
+ chart: {{ template "vals-operator.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- end }}
+ {{- if .Values.serviceMonitor.namespace }}
+ namespace: {{ .Values.serviceMonitor.namespace }}
+ {{- end }}
+spec:
+ endpoints:
+ - targetPort: "metrics"
+ {{- if .Values.serviceMonitor.interval }}
+ interval: {{ .Values.serviceMonitor.interval }}
+ {{- end }}
+ {{- if .Values.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
+ {{- end }}
+ path: /metrics
+ port: {{ .Values.metricsPort | default 8080 }}
+ tlsConfig:
+ insecureSkipVerify: true
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ {{- include "vals-operator.selectorLabels" . | nindent 6 }}
+{{- end }}
diff --git a/charts/vals-operator/vals-operator/0.6.201/values.yaml b/charts/vals-operator/vals-operator/0.6.201/values.yaml
new file mode 100644
index 000000000..5bc2d97ad
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.6.201/values.yaml
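Review bot: `insecureSkipVerify: true` is hard-coded under `tlsConfig`, so if the metrics endpoint is ever served over TLS Prometheus skips certificate verification with no way for the chart user to turn it back on; since no `scheme: https` is set and the documented `-metrics-bind-address` default is plain `:8080`, the block is either dead or harmful, so drop it or make it values-driven with `{{- with .Values.serviceMonitor.tlsConfig }}` / `tlsConfig: {{- toYaml . | nindent 6 }}` / `{{- end }}`. Separately, `port:` is given the numeric `metricsPort`, but in a ServiceMonitor endpoint `port` names a Service port (a string) and `targetPort` is the field that accepts a number or name; as written the endpoint also relies on `targetPort: "metrics"` although the Deployment in this commit leaves its container port unnamed, and no Service exposing a port named `metrics` is visible in the change. Using `targetPort: {{ .Values.metricsPort | default 8080 }}` alone, and quoting `interval`/`scrapeTimeout` which are duration strings like `30s`, would make the object validate regardless of how the Service is defined.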
@@ -0,0 +1,106 @@
+replicaCount: 1
+
+image:
+ repository: digitalisdocker/vals-operator
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+manageCrds: true
+
+# additional arguments to operator
+args: []
+ # -exclude-namespaces string
+ # Comma separated list of namespaces to ignore.
+ # -health-probe-bind-address string
+ # The address the probe endpoint binds to. (default ":8081")
+ # -kubeconfig string
+ # Paths to a kubeconfig. Only required if out-of-cluster.
+ # -leader-elect
+ # Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
+ # -metrics-bind-address string
+ # The address the metric endpoint binds to. (default ":8080")
+ # -reconcile-period duration
+ # How often the controller will re-queue vals-operator events. (default 5s)
+ # -record-changes
+ # Records every time a secret has been updated. You can view them with kubectl describe. It may also be disabled globally and enabled per secret via the annotation 'vals-operator.digitalis.io/record: "true"' (default true)
+ # -ttl duration
+ # How often to check backend for updates. (default 5m0s)
+ # -watch-namespaces string
+ # Comma separated list of namespaces that vals-operator will watch.
+ # -zap-devel
+ # Development Mode defaults(encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn).
Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default true)
+ # -zap-encoder value
+ # Zap log encoding (one of 'json' or 'console')
+ # -zap-log-level value
+ # Zap Level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity
+ # -zap-stacktrace-level value
+ # Zap Level at and above which stacktraces are captured (one of 'info', 'error', 'panic').
+
+
+environmentSecret: ""
+
+# See https://github.com/variantdev/vals
+# for information on setting up your backend environment.
+env: []
+ # - name: VAULT_SKIP_VERIFY
+ # value: "true"
+
+secretEnv: []
+ # - secretRef:
+ # name: aws-creds
+
+volumes: []
+ # - name: creds
+ # secret:
+ # secretName: gcs-credentials
+volumeMounts: []
+ # - name: creds
+ # mountPath: /secret
+ # readOnly: true
+
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+metricsPort: 8080
+serviceMonitor:
+ # When set to true then use a ServiceMonitor to collect metrics
+ enabled: false
+ # Custom labels to use in the ServiceMonitor to be matched with a specific Prometheus
+ labels: {}
+ # Set the namespace the ServiceMonitor should be deployed to
+ # namespace: default
+ # Set how frequently Prometheus should scrape
+ # interval: 30s
+ # Set timeout for scrape
+ # scrapeTimeout: 10s
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/index.yaml b/index.yaml
index 89484bf33..8e70da5ef 100755
--- a/index.yaml
+++ b/index.yaml
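Review bot: `securityContext: {}` and `podSecurityContext: {}` ship empty, so by default the operator container — which holds the credentials for every configured secrets backend and, per serviceaccount.yaml in this commit, cluster-wide write access to Secrets — runs as the image's default user with full capabilities and a writable root filesystem. The hardened settings are already written out as comments here; promoting them to the shipped defaults (below) costs nothing for users who need to relax them, with `runAsUser` left commented until the image's user is confirmed and `readOnlyRootFilesystem` verified against the image before release. The `env` example `VAULT_SKIP_VERIFY: "true"` documents disabling TLS verification for the Vault backend; an example that does not weaken TLS, or a comment marking it as test-cluster-only, is a safer template for users who copy it verbatim.

```yaml
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  # runAsUser: 1000
```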
@@ -2836,6 +2836,25 @@ entries: - assets/k8s-triliovault-operator/k8s-triliovault-operator-v2.0.200.tgz version: v2.0.200 k10: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: K10 + catalog.cattle.io/release-name: k10 + apiVersion: v2 + appVersion: 5.0.2 + created: "2022-07-01T18:05:44.07335306Z" + description: Kasten’s K10 Data Management Platform + digest: a97efad5241f866c9cbc950205757877f2f07359baf27f2bc490f754e5a9f0b7 + home: https://kasten.io/ + icon: https://docs.kasten.io/_static/logo-kasten-k10-blue-white.png + kubeVersion: '>= 1.17.0-0' + maintainers: + - email: support@kasten.io + name: kastenIO + name: k10 + urls: + - assets/k10/k10-5.0.200.tgz + version: 5.0.200 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: K10 
@@ -4270,6 +4289,43 @@ entries: - assets/sextant/sextant-2.2.1700.tgz version: 2.2.1700 shipa: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Shipa + catalog.cattle.io/namespace: shipa-system + catalog.cattle.io/release-name: shipa + apiVersion: v2 + appVersion: 1.7.2 + created: "2022-07-05T13:08:45.444721-04:00" + dependencies: + - name: mongodb + repository: file://./charts/mongodb + tags: + - defaultDB + - name: mongodb-replicaset + repository: file://./charts/mongodb-replicaset + tags: + - legacyMongoReplicaset + description: A Helm chart for Kubernetes to install the Shipa Control Plane + digest: fe4a95c0d5dd7ec7864c598ed4bc8b28e30a583b7fbd745a6f4dd66700f5c352 + home: https://www.shipa.io + icon: https://www.shipa.io/wp-content/uploads/2020/11/Shipa-banner-768x307.png + keywords: + - shipa + - deployment + - aac + kubeVersion: '>= 1.16.0-0' + maintainers: + - email: rlachhman@shipa.io + name: ravi + name: shipa + sources: + - https://github.com/shipa-corp + - https://github.com/shipa-corp/helm-chart + type: application + urls: + - assets/shipa/shipa-1.7.200.tgz + version: 1.7.200 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Shipa 
@@ -4636,6 +4692,24 @@ entries: urls: - assets/sysdig/sysdig-1.9.200.tgz version: 1.9.200 + tcs-issuer: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Intel Trusted Certificate Issuer + catalog.cattle.io/release-name: tcs-issuer + apiVersion: v2 + appVersion: 0.1.0 + created: "2022-06-29T10:32:33.302669+03:00" + description: A Helm chart for Trusted Certificate Service for Kubernetes Platform + digest: ac32f402a14d249acb94a7cea9141c7efe5d7761230380c5ac2f508b7df2a638 + home: https://github.com/intel/trusted-certificate-issuer + icon: https://avatars.githubusercontent.com/u/17888862?s=200&v=4 + kubeVersion: '>= 1.19-0' + name: tcs-issuer + type: application + urls: + - assets/intel-tcs-issuer/tcs-issuer-0.1.0.tgz + version: 0.1.0 traefik: - annotations: catalog.cattle.io/certified: partner @@ -5161,6 +5235,26 @@ entries: - assets/universal-crossplane/universal-crossplane-1.2.200100.tgz version: 1.2.200100 vals-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Vals-Operator + catalog.cattle.io/release-name: vals-operator + apiVersion: v2 + appVersion: v0.6.2 + created: "2022-07-04T11:13:38.987167+01:00" + description: This helm chart installs the Digitalis Vals Operator to manage sync + secrets from supported backends into Kubernetes + digest: d03f516db3f9283cdcbb8c001aa5ed3aeea6b38b838ff86afd2855f73fec3e7a + icon: https://digitalis.io/wp-content/uploads/2020/06/cropped-Digitalis-512x512-Blue_Digitalis-512x512-Blue-32x32.png + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: info@digitalis.io + name: Digitalis.IO + name: vals-operator + type: application + urls: + - assets/vals-operator/vals-operator-0.6.201.tgz + version: 0.6.201 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Vals-Operator