diff --git a/assets/argo/argo-cd-6.2.3.tgz b/assets/argo/argo-cd-6.2.3.tgz index 23ef80367..fef34c43d 100644 Binary files a/assets/argo/argo-cd-6.2.3.tgz and b/assets/argo/argo-cd-6.2.3.tgz differ diff --git a/assets/argo/argo-cd-6.7.2.tgz b/assets/argo/argo-cd-6.7.2.tgz new file mode 100644 index 000000000..26c5959f0 Binary files /dev/null and b/assets/argo/argo-cd-6.7.2.tgz differ diff --git a/assets/bitnami/airflow-17.2.4.tgz b/assets/bitnami/airflow-17.2.4.tgz new file mode 100644 index 000000000..3d1e59526 Binary files /dev/null and b/assets/bitnami/airflow-17.2.4.tgz differ diff --git a/assets/bitnami/cassandra-10.12.1.tgz b/assets/bitnami/cassandra-10.12.1.tgz new file mode 100644 index 000000000..55f77247b Binary files /dev/null and b/assets/bitnami/cassandra-10.12.1.tgz differ diff --git a/assets/bitnami/kafka-27.1.2.tgz b/assets/bitnami/kafka-27.1.2.tgz new file mode 100644 index 000000000..54d9d2335 Binary files /dev/null and b/assets/bitnami/kafka-27.1.2.tgz differ diff --git a/assets/bitnami/mariadb-16.5.0.tgz b/assets/bitnami/mariadb-16.5.0.tgz new file mode 100644 index 000000000..3e29bd374 Binary files /dev/null and b/assets/bitnami/mariadb-16.5.0.tgz differ diff --git a/assets/bitnami/mysql-9.23.0.tgz b/assets/bitnami/mysql-9.23.0.tgz new file mode 100644 index 000000000..d6f636857 Binary files /dev/null and b/assets/bitnami/mysql-9.23.0.tgz differ diff --git a/assets/bitnami/postgresql-14.3.3.tgz b/assets/bitnami/postgresql-14.3.3.tgz new file mode 100644 index 000000000..ce4b7e76d Binary files /dev/null and b/assets/bitnami/postgresql-14.3.3.tgz differ diff --git a/assets/bitnami/redis-18.19.2.tgz b/assets/bitnami/redis-18.19.2.tgz new file mode 100644 index 000000000..630716adf Binary files /dev/null and b/assets/bitnami/redis-18.19.2.tgz differ diff --git a/assets/bitnami/spark-8.9.1.tgz b/assets/bitnami/spark-8.9.1.tgz new file mode 100644 index 000000000..66da8ed16 Binary files /dev/null and b/assets/bitnami/spark-8.9.1.tgz differ 
diff --git a/assets/bitnami/tomcat-10.17.0.tgz b/assets/bitnami/tomcat-10.17.0.tgz new file mode 100644 index 000000000..e2bd94820 Binary files /dev/null and b/assets/bitnami/tomcat-10.17.0.tgz differ diff --git a/assets/bitnami/wordpress-20.1.2.tgz b/assets/bitnami/wordpress-20.1.2.tgz new file mode 100644 index 000000000..0ff7a2fe8 Binary files /dev/null and b/assets/bitnami/wordpress-20.1.2.tgz differ diff --git a/assets/bitnami/zookeeper-12.12.1.tgz b/assets/bitnami/zookeeper-12.12.1.tgz new file mode 100644 index 000000000..cf96ca8b9 Binary files /dev/null and b/assets/bitnami/zookeeper-12.12.1.tgz differ diff --git a/assets/cert-manager/cert-manager-v1.14.4.tgz b/assets/cert-manager/cert-manager-v1.14.4.tgz new file mode 100644 index 000000000..ba0b7cc83 Binary files /dev/null and b/assets/cert-manager/cert-manager-v1.14.4.tgz differ diff --git a/assets/clastix/kamaji-0.15.1.tgz b/assets/clastix/kamaji-0.15.1.tgz new file mode 100644 index 000000000..f02ee127d Binary files /dev/null and b/assets/clastix/kamaji-0.15.1.tgz differ diff --git a/assets/cloudcasa/cloudcasa-3.4.2.tgz b/assets/cloudcasa/cloudcasa-3.4.2.tgz new file mode 100644 index 000000000..706684cdf Binary files /dev/null and b/assets/cloudcasa/cloudcasa-3.4.2.tgz differ diff --git a/assets/cockroach-labs/cockroachdb-12.0.2.tgz b/assets/cockroach-labs/cockroachdb-12.0.2.tgz new file mode 100644 index 000000000..f75eb2253 Binary files /dev/null and b/assets/cockroach-labs/cockroachdb-12.0.2.tgz differ diff --git a/assets/crate/crate-operator-2.38.1.tgz b/assets/crate/crate-operator-2.38.1.tgz new file mode 100644 index 000000000..3058861a2 Binary files /dev/null and b/assets/crate/crate-operator-2.38.1.tgz differ diff --git a/assets/crowdstrike/falcon-sensor-1.26.1.tgz b/assets/crowdstrike/falcon-sensor-1.26.1.tgz new file mode 100644 index 000000000..7f8886d4e Binary files /dev/null and b/assets/crowdstrike/falcon-sensor-1.26.1.tgz differ 
diff --git a/assets/datadog/datadog-3.57.3.tgz b/assets/datadog/datadog-3.57.3.tgz new file mode 100644 index 000000000..8a86de93a Binary files /dev/null and b/assets/datadog/datadog-3.57.3.tgz differ diff --git a/assets/datadog/datadog-operator-1.5.1.tgz b/assets/datadog/datadog-operator-1.5.1.tgz new file mode 100644 index 000000000..9848a5895 Binary files /dev/null and b/assets/datadog/datadog-operator-1.5.1.tgz differ diff --git a/assets/dell/csi-vxflexos-2.9.2.tgz b/assets/dell/csi-vxflexos-2.9.2.tgz new file mode 100644 index 000000000..fb6acff7f Binary files /dev/null and b/assets/dell/csi-vxflexos-2.9.2.tgz differ diff --git a/assets/haproxy/haproxy-1.38.2.tgz b/assets/haproxy/haproxy-1.38.2.tgz new file mode 100644 index 000000000..ded7ab9f6 Binary files /dev/null and b/assets/haproxy/haproxy-1.38.2.tgz differ diff --git a/assets/hashicorp/consul-1.4.0.tgz b/assets/hashicorp/consul-1.4.0.tgz new file mode 100644 index 000000000..4881d660f Binary files /dev/null and b/assets/hashicorp/consul-1.4.0.tgz differ diff --git a/assets/hpe/hpe-csi-driver-2.4.1.tgz b/assets/hpe/hpe-csi-driver-2.4.1.tgz new file mode 100644 index 000000000..1bd205a45 Binary files /dev/null and b/assets/hpe/hpe-csi-driver-2.4.1.tgz differ diff --git a/assets/instana/instana-agent-1.2.71.tgz b/assets/instana/instana-agent-1.2.71.tgz new file mode 100644 index 000000000..c08b42117 Binary files /dev/null and b/assets/instana/instana-agent-1.2.71.tgz differ diff --git a/assets/jenkins/jenkins-5.1.0.tgz b/assets/jenkins/jenkins-5.1.0.tgz new file mode 100644 index 000000000..0f455e776 Binary files /dev/null and b/assets/jenkins/jenkins-5.1.0.tgz differ diff --git a/assets/jfrog/artifactory-ha-107.77.7.tgz b/assets/jfrog/artifactory-ha-107.77.7.tgz new file mode 100644 index 000000000..43514614a Binary files /dev/null and b/assets/jfrog/artifactory-ha-107.77.7.tgz differ 
diff --git a/assets/jfrog/artifactory-jcr-107.77.7.tgz b/assets/jfrog/artifactory-jcr-107.77.7.tgz new file mode 100644 index 000000000..41a9e229e Binary files /dev/null and b/assets/jfrog/artifactory-jcr-107.77.7.tgz differ diff --git a/assets/kasten/k10-6.5.501.tgz b/assets/kasten/k10-6.5.501.tgz new file mode 100644 index 000000000..f77b75a3c Binary files /dev/null and b/assets/kasten/k10-6.5.501.tgz differ diff --git a/assets/kasten/k10-6.5.601.tgz b/assets/kasten/k10-6.5.601.tgz new file mode 100644 index 000000000..1524f8b52 Binary files /dev/null and b/assets/kasten/k10-6.5.601.tgz differ diff --git a/assets/kasten/k10-6.5.801.tgz b/assets/kasten/k10-6.5.801.tgz new file mode 100644 index 000000000..603802d74 Binary files /dev/null and b/assets/kasten/k10-6.5.801.tgz differ diff --git a/assets/kong/kong-2.38.0.tgz b/assets/kong/kong-2.38.0.tgz new file mode 100644 index 000000000..b3598f821 Binary files /dev/null and b/assets/kong/kong-2.38.0.tgz differ diff --git a/assets/kubecost/cost-analyzer-2.0.2.tgz b/assets/kubecost/cost-analyzer-2.0.2.tgz index 661892e11..267be084f 100644 Binary files a/assets/kubecost/cost-analyzer-2.0.2.tgz and b/assets/kubecost/cost-analyzer-2.0.2.tgz differ diff --git a/assets/kubecost/cost-analyzer-2.1.1.tgz b/assets/kubecost/cost-analyzer-2.1.1.tgz new file mode 100644 index 000000000..095159d42 Binary files /dev/null and b/assets/kubecost/cost-analyzer-2.1.1.tgz differ diff --git a/assets/kuma/kuma-2.6.2.tgz b/assets/kuma/kuma-2.6.2.tgz new file mode 100644 index 000000000..cf1367e9f Binary files /dev/null and b/assets/kuma/kuma-2.6.2.tgz differ diff --git a/assets/linkerd/linkerd-control-plane-1.16.11.tgz b/assets/linkerd/linkerd-control-plane-1.16.11.tgz index 0bf1818e8..d703524bc 100644 Binary files a/assets/linkerd/linkerd-control-plane-1.16.11.tgz and b/assets/linkerd/linkerd-control-plane-1.16.11.tgz differ 
diff --git a/assets/linkerd/linkerd-control-plane-2024.3.3.tgz b/assets/linkerd/linkerd-control-plane-2024.3.3.tgz new file mode 100644 index 000000000..44a2dac06 Binary files /dev/null and b/assets/linkerd/linkerd-control-plane-2024.3.3.tgz differ diff --git a/assets/linkerd/linkerd-crds-2024.3.3.tgz b/assets/linkerd/linkerd-crds-2024.3.3.tgz new file mode 100644 index 000000000..5dbd1b397 Binary files /dev/null and b/assets/linkerd/linkerd-crds-2024.3.3.tgz differ diff --git a/assets/loft/loft-3.4.1.tgz b/assets/loft/loft-3.4.1.tgz new file mode 100644 index 000000000..3c88d15e6 Binary files /dev/null and b/assets/loft/loft-3.4.1.tgz differ diff --git a/assets/minio/minio-operator-5.0.13.tgz b/assets/minio/minio-operator-5.0.13.tgz new file mode 100644 index 000000000..bdbe3effd Binary files /dev/null and b/assets/minio/minio-operator-5.0.13.tgz differ diff --git a/assets/nats/nats-1.1.10.tgz b/assets/nats/nats-1.1.10.tgz new file mode 100644 index 000000000..4389b89fe Binary files /dev/null and b/assets/nats/nats-1.1.10.tgz differ diff --git a/assets/new-relic/nri-bundle-5.0.69.tgz b/assets/new-relic/nri-bundle-5.0.69.tgz new file mode 100644 index 000000000..d765f5f8d Binary files /dev/null and b/assets/new-relic/nri-bundle-5.0.69.tgz differ diff --git a/assets/ngrok/kubernetes-ingress-controller-0.12.2.tgz b/assets/ngrok/kubernetes-ingress-controller-0.12.2.tgz new file mode 100644 index 000000000..d2c70ddb9 Binary files /dev/null and b/assets/ngrok/kubernetes-ingress-controller-0.12.2.tgz differ diff --git a/assets/percona/psmdb-operator-1.15.3.tgz b/assets/percona/psmdb-operator-1.15.3.tgz new file mode 100644 index 000000000..e55c2640e Binary files /dev/null and b/assets/percona/psmdb-operator-1.15.3.tgz differ diff --git a/assets/percona/pxc-db-1.14.0.tgz b/assets/percona/pxc-db-1.14.0.tgz new file mode 100644 index 000000000..e14252c44 Binary files /dev/null and b/assets/percona/pxc-db-1.14.0.tgz differ 
diff --git a/assets/percona/pxc-operator-1.14.0.tgz b/assets/percona/pxc-operator-1.14.0.tgz new file mode 100644 index 000000000..7068df353 Binary files /dev/null and b/assets/percona/pxc-operator-1.14.0.tgz differ diff --git a/assets/redpanda/redpanda-5.7.34.tgz b/assets/redpanda/redpanda-5.7.34.tgz new file mode 100644 index 000000000..ebaaab7b8 Binary files /dev/null and b/assets/redpanda/redpanda-5.7.34.tgz differ diff --git a/assets/speedscale/speedscale-operator-2.1.8.tgz b/assets/speedscale/speedscale-operator-2.1.8.tgz new file mode 100644 index 000000000..330cd0c32 Binary files /dev/null and b/assets/speedscale/speedscale-operator-2.1.8.tgz differ diff --git a/assets/stackstate/stackstate-k8s-agent-1.0.76.tgz b/assets/stackstate/stackstate-k8s-agent-1.0.76.tgz new file mode 100644 index 000000000..a8ec79dba Binary files /dev/null and b/assets/stackstate/stackstate-k8s-agent-1.0.76.tgz differ diff --git a/assets/trilio/k8s-triliovault-operator-4.0.2.tgz b/assets/trilio/k8s-triliovault-operator-4.0.2.tgz new file mode 100644 index 000000000..873b09b20 Binary files /dev/null and b/assets/trilio/k8s-triliovault-operator-4.0.2.tgz differ diff --git a/charts/argo/argo-cd/Chart.yaml b/charts/argo/argo-cd/Chart.yaml index c9c223316..26cc5356c 100644 --- a/charts/argo/argo-cd/Chart.yaml +++ b/charts/argo/argo-cd/Chart.yaml @@ -1,7 +1,7 @@ annotations: artifacthub.io/changes: | - kind: changed - description: Updated Redis image tag to 7.2.4 + description: Bump argo-cd to v2.10.3 artifacthub.io/signKey: | fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc @@ -11,7 +11,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.23.0-0' catalog.cattle.io/release-name: argo-cd apiVersion: v2 -appVersion: v2.10.1 +appVersion: v2.10.3 dependencies: - condition: redis-ha.enabled name: redis-ha 
@@ -33,4 +33,4 @@ name: argo-cd sources: - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd - https://github.com/argoproj/argo-cd -version: 6.2.3 +version: 6.7.2 diff --git a/charts/argo/argo-cd/README.md b/charts/argo/argo-cd/README.md index 7b6fd58b5..d43a0fdab 100644 --- a/charts/argo/argo-cd/README.md +++ b/charts/argo/argo-cd/README.md @@ -278,6 +278,15 @@ For full list of changes please check ArtifactHub [changelog]. Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version. +### 6.4.0 + +Added support for application controller dynamic cluster distribution. +Please refer to [the docs](https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution) for more information. + +Added env variables to handle the non-standard names generated by the helm chart. +Here are the [docs](https://argo-cd.readthedocs.io/en/release-2.9/user-guide/environment-variables/) +and [code](https://github.com/argoproj/argo-cd/blob/99723143b96ceec9ef5b0a7feb7b4f4b0dce3497/common/common.go#L252) + ### 6.1.0 Added support for global domain used by all components. 
@@ -720,12 +729,15 @@ NAME: my-release | controller.clusterRoleRules.rules | list | `[]` | List of custom rules for the application controller's ClusterRole resource | | controller.containerPorts.metrics | int | `8082` | Metrics container port | | controller.containerSecurityContext | object | See [values.yaml] | Application controller container-level security context | +| controller.deploymentAnnotations | object | `{}` | Annotations for the application controller Deployment | | controller.dnsConfig | object | `{}` | [DNS configuration] | | controller.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for application controller pods | +| controller.dynamicClusterDistribution | bool | `false` | Enable dynamic cluster distribution (alpha) Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution | | controller.env | list | `[]` | Environment variables to pass to application controller | | controller.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to application controller | | controller.extraArgs | list | `[]` | Additional command line arguments to pass to application controller | | controller.extraContainers | list | `[]` | Additional containers to be added to the application controller pod | +| controller.heartbeatTime | int | `10` | Application controller heartbeat time Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution/#working-of-dynamic-distribution | | controller.hostNetwork | bool | `false` | Host Network for application controller pods | | controller.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the application controller | | controller.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the application controller | 
@@ -940,7 +952,7 @@ NAME: my-release | server.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the Argo CD server | | server.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | | server.ingress.annotations | object | `{}` | Additional ingress annotations | -| server.ingress.aws.backendProtocolVersion | string | `"HTTP2"` | Backend protocol version for the AWS ALB gRPC service | +| server.ingress.aws.backendProtocolVersion | string | `"GRPC"` | Backend protocol version for the AWS ALB gRPC service | | server.ingress.aws.serviceType | string | `"NodePort"` | Service type for the AWS ALB gRPC service | | server.ingress.controller | string | `"generic"` | Specific implementation for ingress controller. One of `generic`, `aws` or `gke` | | server.ingress.enabled | bool | `false` | Enable an ingress resource for the Argo CD server | 
@@ -1077,6 +1089,9 @@ NAME: my-release | dex.initImage.tag | string | `""` (defaults to global.image.tag) | Argo CD init image tag | | dex.livenessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for Dex >= 2.28.0 | | dex.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | +| dex.livenessProbe.httpPath | string | `"/healthz/live"` | Http path to use for the liveness probe | +| dex.livenessProbe.httpPort | string | `"metrics"` | Http port to use for the liveness probe | +| dex.livenessProbe.httpScheme | string | `"HTTP"` | Scheme to use for for the liveness probe (can be HTTP or HTTPS) | | dex.livenessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated | | dex.livenessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] | | dex.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed | 
@@ -1109,6 +1124,9 @@ NAME: my-release | dex.priorityClassName | string | `""` (defaults to global.priorityClassName) | Priority class for the dex pods | | dex.readinessProbe.enabled | bool | `false` | Enable Kubernetes readiness probe for Dex >= 2.28.0 | | dex.readinessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | +| dex.readinessProbe.httpPath | string | `"/healthz/ready"` | Http path to use for the readiness probe | +| dex.readinessProbe.httpPort | string | `"metrics"` | Http port to use for the readiness probe | +| dex.readinessProbe.httpScheme | string | `"HTTP"` | Scheme to use for for the liveness probe (can be HTTP or HTTPS) | | dex.readinessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated | | dex.readinessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] | | dex.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed | @@ -1284,6 +1302,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide | Key | Type | Default | Description | |-----|------|---------|-------------| | applicationSet.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules | +| applicationSet.allowAnyNamespace | bool | `false` | Enable ApplicationSet in any namespace feature | | applicationSet.certificate.additionalHosts | list | `[]` | Certificate Subject Alternate Names (SANs) | | applicationSet.certificate.annotations | object | `{}` | Annotations to be applied to the ApplicationSet Certificate | | applicationSet.certificate.domain | string | `""` (defaults to global.domain) | Certificate primary domain (commonName) | 
@@ -1446,6 +1465,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide | notifications.secret.create | bool | `true` | Whether helm chart creates notifications controller secret | | notifications.secret.items | object | `{}` | Generic key:value pairs to be inserted into the secret | | notifications.secret.labels | object | `{}` | key:value pairs of labels to be added to the secret | +| notifications.secret.name | string | `"argocd-notifications-secret"` | notifications controller Secret name | | notifications.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | | notifications.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account | | notifications.serviceAccount.create | bool | `true` | Create notifications controller service account | diff --git a/charts/argo/argo-cd/templates/argocd-application-controller/deployment.yaml b/charts/argo/argo-cd/templates/argocd-application-controller/deployment.yaml new file mode 100644 index 000000000..e0c121359 --- /dev/null +++ b/charts/argo/argo-cd/templates/argocd-application-controller/deployment.yaml 
@@ -0,0 +1,357 @@ +{{- if .Values.controller.dynamicClusterDistribution }} +apiVersion: apps/v1 +kind: Deployment +metadata: + {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.controller.deploymentAnnotations) }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + name: {{ template "argo-cd.controller.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} +spec: + replicas: {{ .Values.controller.replicas }} + revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit | default .Values.global.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }} + template: + metadata: + annotations: + checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }} + {{- if .Values.configs.cm.create }} + checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }} + {{- end }} + {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.controller.podAnnotations) }} + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 8 }} + {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.controller.podLabels) }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.controller.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.global.hostAliases }} + hostAliases: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.global.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.priorityClassName | default .Values.global.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- if .Values.controller.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- end }} + serviceAccountName: {{ include "argo-cd.controller.serviceAccountName" . }} + containers: + - args: + - /usr/local/bin/argocd-application-controller + - --metrics-port={{ .Values.controller.containerPorts.metrics }} + {{- if .Values.controller.metrics.applicationLabels.enabled }} + {{- range .Values.controller.metrics.applicationLabels.labels }} + - --metrics-application-labels + - {{ . }} + {{- end }} + {{- end }} + {{- with .Values.controller.extraArgs }} + {{- toYaml . | nindent 8 }} + {{- end }} + image: {{ default .Values.global.image.repository .Values.controller.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.controller.image.tag }} + imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.controller.image.imagePullPolicy }} + name: {{ .Values.controller.name }} + env: + {{- with (concat .Values.global.env .Values.controller.env) }} + {{- toYaml . | nindent 10 }} + {{- end }} + - name: ARGOCD_ENABLE_DYNAMIC_CLUSTER_DISTRIBUTION + value: "true" + - name: ARGOCD_CONTROLLER_HEARTBEAT_TIME + value: {{ .Values.controller.heartbeatTime | quote }} + - name: ARGOCD_APPLICATION_CONTROLLER_NAME + value: {{ template "argo-cd.controller.fullname" . 
}} + - name: ARGOCD_RECONCILIATION_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cm + key: timeout.reconciliation + optional: true + - name: ARGOCD_HARD_RECONCILIATION_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cm + key: timeout.hard.reconciliation + optional: true + - name: ARGOCD_RECONCILIATION_JITTER + valueFrom: + configMapKeyRef: + key: timeout.reconciliation.jitter + name: argocd-cm + optional: true + - name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.repo.error.grace.period.seconds + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: repo.server + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.repo.server.timeout.seconds + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.status.processors + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.operation.processors + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.log.format + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.log.level + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.metrics.cache.expiration + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.self.heal.timeout.seconds + optional: true + - name: 
ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.repo.server.plaintext + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.repo.server.strict.tls + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.resource.health.persist + optional: true + - name: ARGOCD_APP_STATE_CACHE_EXPIRATION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.app.state.cache.expiration + optional: true + - name: REDIS_SERVER + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: redis.server + optional: true + - name: REDIS_COMPRESSION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: redis.compression + optional: true + - name: REDISDB + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: redis.db + optional: true + - name: REDIS_USERNAME + valueFrom: + secretKeyRef: + name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} + key: redis-username + optional: true + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ default (include "argo-cd.redis.fullname" .) 
.Values.externalRedis.existingSecret }} + key: redis-password + optional: true + - name: ARGOCD_DEFAULT_CACHE_EXPIRATION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.default.cache.expiration + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: otlp.address + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: otlp.insecure + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: otlp.headers + optional: true + - name: ARGOCD_APPLICATION_NAMESPACES + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: application.namespaces + optional: true + - name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.sharding.algorithm + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.kubectl.parallelism.limit + optional: true + - name: ARGOCD_K8SCLIENT_RETRY_MAX + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8sclient.retry.max + optional: true + - name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8sclient.retry.base.backoff + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.diff.server.side + optional: true + {{- with .Values.controller.envFrom }} + envFrom: + {{- toYaml . 
| nindent 10 }} + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.controller.containerPorts.metrics }} + protocol: TCP + readinessProbe: + httpGet: + path: /healthz + port: metrics + initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} + resources: + {{- toYaml .Values.controller.resources | nindent 10 }} + {{- with .Values.controller.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} + workingDir: /home/argocd + volumeMounts: + {{- with .Values.controller.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + - mountPath: /app/config/controller/tls + name: argocd-repo-server-tls + - mountPath: /home/argocd + name: argocd-home + {{- with .Values.controller.extraContainers }} + {{- tpl (toYaml .) $ | nindent 6 }} + {{- end }} + {{- with .Values.controller.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 6 }} + {{- end }} + {{- with include "argo-cd.affinity" (dict "context" . "component" .Values.controller) }} + affinity: + {{- trim . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations | default .Values.global.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }} + topologySpreadConstraints: + {{- range $constraint := . 
}}
+ - {{ toYaml $constraint | nindent 8 | trim }}
+ {{- if not $constraint.labelSelector }}
+ labelSelector:
+ matchLabels:
+ {{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.controller.name) | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ volumes:
+ {{- with .Values.controller.volumes }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ - name: argocd-home
+ emptyDir: {}
+ - name: argocd-repo-server-tls
+ secret:
+ secretName: argocd-repo-server-tls
+ optional: true
+ items:
+ - key: tls.crt
+ path: tls.crt
+ - key: tls.key
+ path: tls.key
+ - key: ca.crt
+ path: ca.crt
+ {{- if .Values.controller.hostNetwork }}
+ hostNetwork: {{ .Values.controller.hostNetwork }}
+ {{- end }}
+ {{- with .Values.controller.dnsConfig }}
+ dnsConfig:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ dnsPolicy: {{ .Values.controller.dnsPolicy }}
+{{- end }}
diff --git a/charts/argo/argo-cd/templates/argocd-application-controller/statefulset.yaml b/charts/argo/argo-cd/templates/argocd-application-controller/statefulset.yaml
index 8c929e41e..3b72d19f5 100644
--- a/charts/argo/argo-cd/templates/argocd-application-controller/statefulset.yaml
+++ b/charts/argo/argo-cd/templates/argocd-application-controller/statefulset.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.controller.dynamicClusterDistribution | default false }}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -77,6 +78,8 @@ spec:
 {{- end }}
 - name: ARGOCD_CONTROLLER_REPLICAS
 value: {{ .Values.controller.replicas | quote }}
+ - name: ARGOCD_APPLICATION_CONTROLLER_NAME
+ value: {{ template "argo-cd.controller.fullname" . }}
 - name: ARGOCD_RECONCILIATION_TIMEOUT
 valueFrom:
 configMapKeyRef:
@@ -350,3 +353,4 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 dnsPolicy: {{ .Values.controller.dnsPolicy }}
+{{- end }}
diff --git a/charts/argo/argo-cd/templates/argocd-applicationset/clusterrole.yaml b/charts/argo/argo-cd/templates/argocd-applicationset/clusterrole.yaml
new file mode 100644
index 000000000..6ac4c1e70
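Review bot: The env block of the new Deployment never sets `ARGOCD_CONTROLLER_REPLICAS`, while the StatefulSet template patched in the same commit still derives it from `.Values.controller.replicas`; if that omission is deliberate because dynamic cluster distribution does not rely on a fixed replica count, a comment next to the `ARGOCD_ENABLE_DYNAMIC_CLUSTER_DISTRIBUTION` entry such as `# ARGOCD_CONTROLLER_REPLICAS is intentionally unset: shard assignment is dynamic in this mode` would keep a later maintainer from re-adding it. As a point of style, the `ARGOCD_RECONCILIATION_JITTER` entry lists `key:` before `name:` whereas every other `configMapKeyRef` in the file lists `name:` first. The hunk is the entire new file, so no enclosing block is cut.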
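Review bot: The new guard `{{- if not .Values.controller.dynamicClusterDistribution | default false }}` in the first StatefulSet hunk reads as if `default false` protects an unset value, but a Go template pipeline feeds the result of `not` into `default`, so the expression is just `not .Values.controller.dynamicClusterDistribution` with a dead `default`. The Deployment template added alongside uses the plain form `{{- if .Values.controller.dynamicClusterDistribution }}`; the StatefulSet should mirror it with `{{- if not .Values.controller.dynamicClusterDistribution }}`. The `{{- end }}` added in the last hunk is the matching terminator and needs no change.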
--- /dev/null
+++ b/charts/argo/argo-cd/templates/argocd-applicationset/clusterrole.yaml
@@ -0,0 +1,89 @@
+{{- if .Values.applicationSet.allowAnyNamespace }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "argo-cd.applicationSet.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
+rules:
+ - apiGroups:
+ - argoproj.io
+ resources:
+ - applications
+ - applicationsets
+ - applicationsets/finalizers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - argoproj.io
+ resources:
+ - applicationsets/status
+ verbs:
+ - get
+ - patch
+ - update
+ - apiGroups:
+ - argoproj.io
+ resources:
+ - appprojects
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - update
+ - delete
+ - get
+ - list
+ - patch
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ - extensions
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+{{- end }}
diff --git a/charts/argo/argo-cd/templates/argocd-applicationset/clusterrolebinding.yaml b/charts/argo/argo-cd/templates/argocd-applicationset/clusterrolebinding.yaml
new file mode 100644
index 000000000..152b31f41
--- /dev/null
+++ b/charts/argo/argo-cd/templates/argocd-applicationset/clusterrolebinding.yaml
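Review bot: Opting into `applicationSet.allowAnyNamespace` binds the ApplicationSet service account to a ClusterRole that can `get`/`list`/`watch` every Secret and `create`/`update`/`delete` every ConfigMap in the cluster, and neither this template nor the README row (`Enable ApplicationSet in any namespace feature`) tells the operator that the flag carries that cluster-wide scope; a comment above `rules:` such as `# cluster-wide Secret read and ConfigMap write; needed once ApplicationSets live outside the release namespace, review before enabling` would make the trade-off visible at the point of definition. Separately, `namespace: {{ .Release.Namespace | quote }}` under `metadata:` has no effect on a cluster-scoped ClusterRole, nor on the ClusterRoleBinding created in the next hunk, and should be dropped from both. The hunk is the whole new file.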
@@ -0,0 +1,17 @@ +{{- if .Values.applicationSet.allowAnyNamespace }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "argo-cd.applicationSet.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "argo-cd.applicationSet.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "argo-cd.applicationSet.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-applicationset/ingress.yaml b/charts/argo/argo-cd/templates/argocd-applicationset/ingress.yaml index 88c45f620..fbaa862b7 100644 --- a/charts/argo/argo-cd/templates/argocd-applicationset/ingress.yaml +++ b/charts/argo/argo-cd/templates/argocd-applicationset/ingress.yaml @@ -24,7 +24,7 @@ spec: http: paths: {{- with .Values.applicationSet.ingress.extraPaths }} - {{- toYaml . | nindent 10 }} + {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} - path: {{ .Values.applicationSet.ingress.path }} pathType: {{ .Values.applicationSet.ingress.pathType }} @@ -46,7 +46,7 @@ spec: number: {{ $.Values.applicationSet.service.port }} {{- end }} {{- with .Values.applicationSet.ingress.extraRules }} - {{- toYaml . | nindent 4 }} + {{- tpl (toYaml .) $ | nindent 4 }} {{- end }} {{- if or .Values.applicationSet.ingress.tls .Values.applicationSet.ingress.extraTls }} tls: diff --git a/charts/argo/argo-cd/templates/argocd-configs/argocd-notifications-secret.yaml b/charts/argo/argo-cd/templates/argocd-configs/argocd-notifications-secret.yaml index 75027ed5a..9c261c6ad 100644 --- a/charts/argo/argo-cd/templates/argocd-configs/argocd-notifications-secret.yaml +++ b/charts/argo/argo-cd/templates/argocd-configs/argocd-notifications-secret.yaml 
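Review bot: Passing `extraPaths` and `extraRules` through `tpl (toYaml .) $` means these values are now evaluated as Go templates, so an existing entry containing a literal `{{` is expanded or fails to render where it previously passed through unchanged. The same change is made in the aws, gke, ingress-grpc and server ingress.yaml templates further down. Since the chart version is bumped anyway, this belongs in the upgrade notes, and a comment such as `{{- /* rendered through tpl: literal braces in values must be escaped */ -}}` above each `with` block would explain the `$` context argument.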
@@ -2,7 +2,7 @@ apiVersion: v1 kind: Secret metadata: - name: argocd-notifications-secret + name: {{ .Values.notifications.secret.name }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }} diff --git a/charts/argo/argo-cd/templates/argocd-notifications/clusterrole.yaml b/charts/argo/argo-cd/templates/argocd-notifications/clusterrole.yaml index 793bb5d35..edb957f32 100644 --- a/charts/argo/argo-cd/templates/argocd-notifications/clusterrole.yaml +++ b/charts/argo/argo-cd/templates/argocd-notifications/clusterrole.yaml @@ -38,14 +38,12 @@ rules: verbs: - get {{- end }} - {{- if .Values.notifications.secret.create }} - apiGroups: - "" resourceNames: - - argocd-notifications-secret + - {{ .Values.notifications.secret.name }} resources: - secrets verbs: - get - {{- end }} {{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-notifications/deployment.yaml b/charts/argo/argo-cd/templates/argocd-notifications/deployment.yaml index f9b766f4a..674639f4d 100644 --- a/charts/argo/argo-cd/templates/argocd-notifications/deployment.yaml +++ b/charts/argo/argo-cd/templates/argocd-notifications/deployment.yaml @@ -66,6 +66,7 @@ spec: - --logformat={{ default .Values.global.logging.format .Values.notifications.logFormat }} - --namespace={{ .Release.Namespace }} - --argocd-repo-server={{ template "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }} + - --secret-name={{ .Values.notifications.secret.name }} {{- range .Values.notifications.extraArgs }} - {{ . | squote }} {{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-notifications/role.yaml b/charts/argo/argo-cd/templates/argocd-notifications/role.yaml index 128c24f5d..22eaa473e 100644 --- a/charts/argo/argo-cd/templates/argocd-notifications/role.yaml +++ b/charts/argo/argo-cd/templates/argocd-notifications/role.yaml 
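Review bot: `name: {{ .Values.notifications.secret.name }}` renders a bare `name:` when the value is empty, producing an invalid Secret instead of a clear error; the same unquoted interpolation is used for `resourceNames` in the notifications clusterrole.yaml and role.yaml hunks and for `--secret-name=` in deployment.yaml. Use `{{ required "notifications.secret.name must be set" .Values.notifications.secret.name | quote }}` here so the failure surfaces at render time. In clusterrole.yaml the `create` guard around the `secrets` `get` rule is removed, so the controller is granted read access to the named Secret even when the chart does not create it; that looks intentional for pre-existing secrets but deserves a comment on the rule saying so.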
@@ -37,7 +37,7 @@ rules: - apiGroups: - "" resourceNames: - - argocd-notifications-secret + - {{ .Values.notifications.secret.name }} resources: - secrets verbs: diff --git a/charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml b/charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml index 9f72d33bc..d27c15d91 100644 --- a/charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml +++ b/charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml @@ -85,6 +85,8 @@ spec: - name: USER_NAME value: argocd {{- end }} + - name: ARGOCD_REPO_SERVER_NAME + value: {{ template "argo-cd.repoServer.fullname" . }} - name: ARGOCD_RECONCILIATION_TIMEOUT valueFrom: configMapKeyRef: diff --git a/charts/argo/argo-cd/templates/argocd-server/aws/ingress.yaml b/charts/argo/argo-cd/templates/argocd-server/aws/ingress.yaml index 2238acbc1..ffe0b79b7 100644 --- a/charts/argo/argo-cd/templates/argocd-server/aws/ingress.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/aws/ingress.yaml @@ -26,7 +26,7 @@ spec: http: paths: {{- with .Values.server.ingress.extraPaths }} - {{- toYaml . | nindent 10 }} + {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} - path: {{ .Values.server.ingress.path }} pathType: {{ $.Values.server.ingressGrpc.pathType }} @@ -55,7 +55,7 @@ spec: number: {{ $servicePort }} {{- end }} {{- with .Values.server.ingress.extraRules }} - {{- toYaml . | nindent 4 }} + {{- tpl (toYaml .) $ | nindent 4 }} {{- end }} {{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }} tls: diff --git a/charts/argo/argo-cd/templates/argocd-server/deployment.yaml b/charts/argo/argo-cd/templates/argocd-server/deployment.yaml index 6de12319e..6d614b0f5 100644 --- a/charts/argo/argo-cd/templates/argocd-server/deployment.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/deployment.yaml 
@@ -75,6 +75,8 @@ spec: {{- with (concat .Values.global.env .Values.server.env) }} {{- toYaml . | nindent 10 }} {{- end }} + - name: ARGOCD_SERVER_NAME + value: {{ template "argo-cd.server.fullname" . }} - name: ARGOCD_SERVER_INSECURE valueFrom: configMapKeyRef: diff --git a/charts/argo/argo-cd/templates/argocd-server/gke/ingress.yaml b/charts/argo/argo-cd/templates/argocd-server/gke/ingress.yaml index c2644491a..160308bd9 100644 --- a/charts/argo/argo-cd/templates/argocd-server/gke/ingress.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/gke/ingress.yaml @@ -31,7 +31,7 @@ spec: http: paths: {{- with .Values.server.ingress.extraPaths }} - {{- toYaml . | nindent 10 }} + {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} - path: {{ .Values.server.ingress.path }} pathType: {{ .Values.server.ingress.pathType }} @@ -53,7 +53,7 @@ spec: number: {{ $servicePort }} {{- end }} {{- with .Values.server.ingress.extraRules }} - {{- toYaml . | nindent 4 }} + {{- tpl (toYaml .) $ | nindent 4 }} {{- end }} {{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }} tls: diff --git a/charts/argo/argo-cd/templates/argocd-server/ingress-grpc.yaml b/charts/argo/argo-cd/templates/argocd-server/ingress-grpc.yaml index 3c6e5303f..2d15b9d72 100644 --- a/charts/argo/argo-cd/templates/argocd-server/ingress-grpc.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/ingress-grpc.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.server.ingressGrpc.enabled (eq .Values.server.ingress.controller "generic") -}} +{{- if .Values.server.ingressGrpc.enabled -}} {{- $hostname := printf "grpc.%s" (.Values.server.ingress.hostname | default .Values.global.domain) -}} apiVersion: networking.k8s.io/v1 kind: Ingress @@ -25,7 +25,7 @@ spec: http: paths: {{- with .Values.server.ingressGrpc.extraPaths }} - {{- toYaml . | nindent 10 }} + {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} - path: {{ .Values.server.ingressGrpc.path }} pathType: {{ .Values.server.ingressGrpc.pathType }} 
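Review bot: Dropping `(eq .Values.server.ingress.controller "generic")` from the guard of ingress-grpc.yaml means this generic gRPC Ingress now renders for every controller type; if the aws/ and gke/ ingress templates also render when `ingressGrpc.enabled` is true (their guards are outside this diff), an installation with a non-generic controller would get two Ingress objects for the same gRPC hostname. Worth confirming against those guards before merging. Whatever the answer, a comment on the new first line stating why the controller check was removed would keep the intent visible.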
@@ -47,13 +47,13 @@ spec: number: {{ $.Values.server.service.servicePortHttps }} {{- end }} {{- with .Values.server.ingressGrpc.extraRules }} - {{- toYaml . | nindent 4 }} + {{- tpl (toYaml .) $ | nindent 4 }} {{- end }} {{- if or .Values.server.ingressGrpc.tls .Values.server.ingressGrpc.extraTls }} tls: {{- if .Values.server.ingressGrpc.tls }} - hosts: - - {{ $hostname }} + - {{ .Values.server.ingressGrpc.hostname | default $hostname }} secretName: argocd-server-grpc-tls {{- end }} {{- with .Values.server.ingressGrpc.extraTls }} diff --git a/charts/argo/argo-cd/templates/argocd-server/ingress.yaml b/charts/argo/argo-cd/templates/argocd-server/ingress.yaml index 1739de4f8..cfd0696da 100644 --- a/charts/argo/argo-cd/templates/argocd-server/ingress.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/ingress.yaml @@ -26,7 +26,7 @@ spec: http: paths: {{- with .Values.server.ingress.extraPaths }} - {{- toYaml . | nindent 10 }} + {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} - path: {{ .Values.server.ingress.path }} pathType: {{ $.Values.server.ingress.pathType }} @@ -48,7 +48,7 @@ spec: number: {{ $servicePort }} {{- end }} {{- with .Values.server.ingress.extraRules }} - {{- toYaml . | nindent 4 }} + {{- tpl (toYaml .) $ | nindent 4 }} {{- end }} {{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }} tls: diff --git a/charts/argo/argo-cd/templates/dex/deployment.yaml b/charts/argo/argo-cd/templates/dex/deployment.yaml index c8e2c9293..61f3fe86a 100644 --- a/charts/argo/argo-cd/templates/dex/deployment.yaml +++ b/charts/argo/argo-cd/templates/dex/deployment.yaml 
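Review bot: `{{ .Values.server.ingressGrpc.hostname | default $hostname }}` applies the new `ingressGrpc.hostname` override only to the TLS `hosts` entry, while `$hostname` itself, still computed from `server.ingress.hostname` in the context of the previous hunk, is unchanged; if the `rules[].host` line outside this hunk also uses `$hostname`, the certificate host and the routed host diverge whenever the override is set. Folding the override into the variable definition, `{{- $hostname := .Values.server.ingressGrpc.hostname | default (printf "grpc.%s" (.Values.server.ingress.hostname | default .Values.global.domain)) -}}`, keeps both in one place. `secretName: argocd-server-grpc-tls` remains hard-coded next to a now-configurable host.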
@@ -99,8 +99,9 @@ spec: {{- if .Values.dex.livenessProbe.enabled }} livenessProbe: httpGet: - path: /healthz/live - port: metrics + path: {{ .Values.dex.livenessProbe.httpPath }} + port: {{ .Values.dex.livenessProbe.httpPort }} + scheme: {{ .Values.dex.livenessProbe.httpScheme }} initialDelaySeconds: {{ .Values.dex.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.dex.livenessProbe.periodSeconds }} timeoutSeconds: {{ .Values.dex.livenessProbe.timeoutSeconds }} @@ -110,8 +111,9 @@ spec: {{- if .Values.dex.readinessProbe.enabled }} readinessProbe: httpGet: - path: /healthz/ready - port: metrics + path: {{ .Values.dex.readinessProbe.httpPath }} + port: {{ .Values.dex.readinessProbe.httpPort }} + scheme: {{ .Values.dex.readinessProbe.httpScheme }} initialDelaySeconds: {{ .Values.dex.readinessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.dex.readinessProbe.periodSeconds }} timeoutSeconds: {{ .Values.dex.readinessProbe.timeoutSeconds }} diff --git a/charts/argo/argo-cd/templates/redis/deployment.yaml b/charts/argo/argo-cd/templates/redis/deployment.yaml index 94c445c8f..a25c1bd86 100644 --- a/charts/argo/argo-cd/templates/redis/deployment.yaml +++ b/charts/argo/argo-cd/templates/redis/deployment.yaml @@ -193,7 +193,7 @@ spec: - name: health configMap: name: {{ include "argo-cd.redis.fullname" . }}-health-configmap - defaultMode: 0755 + defaultMode: 493 {{- with .Values.redis.volumes }} {{- toYaml . | nindent 8}} {{- end }} diff --git a/charts/argo/argo-cd/values.yaml b/charts/argo/argo-cd/values.yaml index b8fcdc55f..a281d0197 100644 --- a/charts/argo/argo-cd/values.yaml +++ b/charts/argo/argo-cd/values.yaml 
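Review bot: `defaultMode: 493` in redis/deployment.yaml is correct (493 decimal is 0755) but reads as an arbitrary number; add `# 0755 in decimal; YAML and Helm handle octal literals inconsistently` on that line so nobody "fixes" it back. In dex/deployment.yaml the probe `path`, `port` and `scheme` are interpolated unquoted, and `scheme` accepts only `HTTP` or `HTTPS`, so a lowercase value is rejected only by API validation at install time; `scheme: {{ .Values.dex.livenessProbe.httpScheme | upper }}` (and the readiness equivalent) would be forgiving, or at least document the constraint next to the value.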
@@ -577,8 +577,22 @@ controller: # -- The number of application controller pods to run. # Additional replicas will cause sharding of managed clusters across number of replicas. + ## With dynamic cluster distribution turned on, sharding of the clusters will gracefully + ## rebalance if the number of replica's changes or one becomes unhealthy. (alpha) replicas: 1 + # -- Enable dynamic cluster distribution (alpha) + # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution + ## This is done using a deployment instead of a statefulSet + ## When replicas are added or removed, the sharding algorithm is re-run to ensure that the + ## clusters are distributed according to the algorithm. If the algorithm is well-balanced, + ## like round-robin, then the shards will be well-balanced. + dynamicClusterDistribution: false + + # -- Application controller heartbeat time + # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution/#working-of-dynamic-distribution + heartbeatTime: 10 + # -- Maximum number of controller revisions that will be maintained in StatefulSet history revisionHistoryLimit: 5 @@ -662,6 +676,9 @@ controller: # -- Annotations for the application controller StatefulSet statefulsetAnnotations: {} + # -- Annotations for the application controller Deployment + deploymentAnnotations: {} + # -- Annotations to be added to application controller pods podAnnotations: {} 
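Review bot: `## ... if the number of replica's changes or one becomes unhealthy.` should read `replicas`. `# -- Application controller heartbeat time` gives no unit for `heartbeatTime: 10`, so the README generated from this comment leaves users guessing; state the unit once confirmed against the linked dynamic-distribution page, e.g. `# -- Application controller heartbeat time (seconds)`.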
@@ -1039,6 +1056,12 @@ dex: livenessProbe: # -- Enable Kubernetes liveness probe for Dex >= 2.28.0 enabled: false + # -- Http path to use for the liveness probe + httpPath: /healthz/live + # -- Http port to use for the liveness probe + httpPort: metrics + # -- Scheme to use for for the liveness probe (can be HTTP or HTTPS) + httpScheme: HTTP # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 # -- Number of seconds after the container has started before [probe] is initiated @@ -1053,6 +1076,12 @@ dex: readinessProbe: # -- Enable Kubernetes readiness probe for Dex >= 2.28.0 enabled: false + # -- Http path to use for the readiness probe + httpPath: /healthz/ready + # -- Http port to use for the readiness probe + httpPort: metrics + # -- Scheme to use for for the liveness probe (can be HTTP or HTTPS) + httpScheme: HTTP # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 # -- Number of seconds after the container has started before [probe] is initiated @@ -2009,6 +2038,7 @@ server: # -- Additional ingress paths # @default -- `[]` (See [values.yaml]) + ## Note: Supports use of custom Helm templates extraPaths: [] # - path: /* # pathType: Prefix @@ -2020,15 +2050,17 @@ server: # -- Additional ingress rules # @default -- `[]` (See [values.yaml]) + ## Note: Supports use of custom Helm templates extraRules: [] - # - host: example.example.com - # http: - # path: / + # - http: + # paths: + # - path: / + # pathType: Prefix # backend: # service: - # name: example-svc + # name: '{{ include "argo-cd.server.fullname" . }}' # port: - # name: http + # name: '{{ .Values.server.service.servicePortHttpsName }}' # -- Additional TLS configuration # @default -- `[]` (See [values.yaml]) 
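Review bot: The comment on `readinessProbe.httpScheme` reads `# -- Scheme to use for for the liveness probe (can be HTTP or HTTPS)`, a copy of the liveness comment with a doubled "for"; it should read `# -- Scheme to use for the readiness probe (can be HTTP or HTTPS)`, and the liveness comment should lose its doubled "for" as well. These comments feed the generated README, so the error propagates otherwise.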
@@ -2042,8 +2074,9 @@ server: ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#aws-application-load-balancers-albs-and-classic-elb-http-mode aws: # -- Backend protocol version for the AWS ALB gRPC service - ## This tells AWS to send traffic from the ALB using HTTP2. Can use gRPC as well if you want to leverage gRPC specific features - backendProtocolVersion: HTTP2 + ## This tells AWS to send traffic from the ALB using gRPC. + ## For more information: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html#health-check-settings + backendProtocolVersion: GRPC # -- Service type for the AWS ALB gRPC service ## Can be of type NodePort or ClusterIP depending on which mode you are running. ## Instance mode needs type NodePort, IP mode needs type ClusterIP @@ -2114,6 +2147,7 @@ server: # -- Additional ingress paths for dedicated [gRPC-ingress] # @default -- `[]` (See [values.yaml]) + ## Note: Supports use of custom Helm templates extraPaths: [] # - path: /* # pathType: Prefix @@ -2125,15 +2159,17 @@ server: # -- Additional ingress rules # @default -- `[]` (See [values.yaml]) + ## Note: Supports use of custom Helm templates extraRules: [] - # - host: example.example.com - # http: - # path: / + # - http: + # paths: + # - path: / + # pathType: Prefix # backend: # service: - # name: example-svc + # name: '{{ include "argo-cd.server.fullname" . }}' # port: - # name: http + # name: '{{ .Values.server.service.servicePortHttpName }}' # -- Additional TLS configuration for dedicated [gRPC-ingress] # @default -- `[]` (See [values.yaml]) 
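Review bot: Changing the default `backendProtocolVersion` from `HTTP2` to `GRPC` alters the ALB target group protocol for every existing installation that did not set the value explicitly, and the rewritten comment no longer mentions that `HTTP2` remains a valid choice. Keep the old guidance, e.g. `## Set to HTTP2 if the target group should not use gRPC health checks`, and call the default change out in the chart's upgrade notes.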
@@ -2874,15 +2910,17 @@ applicationSet: # -- Additional ingress rules # @default -- `[]` (See [values.yaml]) + ## Note: Supports use of custom Helm templates extraRules: [] - # - host: example.example.com - # http: - # path: / - # backend: - # service: - # name: example-svc - # port: - # name: http + # - http: + # paths: + # - path: /api/webhook + # pathType: Prefix + # backend: + # service: + # name: '{{ include "argo-cd.applicationSet.fullname" . }}' + # port: + # name: '{{ .Values.applicationSet.service.portName }}' # -- Additional ingress TLS configuration # @default -- `[]` (See [values.yaml]) @@ -2890,7 +2928,8 @@ applicationSet: # - secretName: argocd-applicationset-tls # hosts: # - argocd-applicationset.example.com - + # -- Enable ApplicationSet in any namespace feature + allowAnyNamespace: false ## Notifications controller notifications: # -- Enable notifications controller @@ -2978,8 +3017,12 @@ notifications: secret: # -- Whether helm chart creates notifications controller secret + ## If true, will create a secret with the name below. Otherwise, will assume existence of a secret with that name. create: true + # -- notifications controller Secret name + name: "argocd-notifications-secret" + # -- key:value pairs of annotations to be added to the secret annotations: {} diff --git a/charts/bitnami/airflow/Chart.lock b/charts/bitnami/airflow/Chart.lock index f316b2b77..632aa3699 100644 --- a/charts/bitnami/airflow/Chart.lock +++ b/charts/bitnami/airflow/Chart.lock 
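Review bot: `# -- Enable ApplicationSet in any namespace feature` does not tell the reader that turning it on renders a ClusterRole and ClusterRoleBinding giving the applicationset controller cluster-wide read access to Secrets and write access to ConfigMaps; add a `## Ref:` link to the any-namespace documentation and a sentence such as `## Creates a ClusterRole with cluster-wide secrets read and configmaps write access`. The removed blank line also leaves `allowAnyNamespace: false` directly against the `## Notifications controller` heading; restore the separator.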
@@ -1,12 +1,12 @@ dependencies: - name: redis repository: oci://registry-1.docker.io/bitnamicharts - version: 18.13.0 + version: 18.19.2 - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 13.4.4 + version: 14.3.3 - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.15.3 -digest: sha256:dd4296369ab03a8c9f1940b4fc34ba57020a63afa6f761220f4f1249ab9e9e08 -generated: "2024-02-14T12:34:36.945245545+01:00" + version: 2.19.0 +digest: sha256:ef8c5318de55f20f28fd5f98a2201bf883baab63e2faf37ef4b4d05ec14a0635 +generated: "2024-03-13T11:46:34.191714+01:00" diff --git a/charts/bitnami/airflow/Chart.yaml b/charts/bitnami/airflow/Chart.yaml index 1325bac99..b74e096f8 100644 --- a/charts/bitnami/airflow/Chart.yaml +++ b/charts/bitnami/airflow/Chart.yaml @@ -5,21 +5,21 @@ annotations: catalog.cattle.io/release-name: airflow category: WorkFlow images: | - - name: airflow-exporter - image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-11-r448 - - name: airflow-scheduler - image: docker.io/bitnami/airflow-scheduler:2.8.1-debian-11-r4 - - name: airflow-worker - image: docker.io/bitnami/airflow-worker:2.8.1-debian-11-r4 - name: airflow - image: docker.io/bitnami/airflow:2.8.1-debian-11-r4 + image: docker.io/bitnami/airflow:2.8.3-debian-12-r0 + - name: airflow-exporter + image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-12-r27 + - name: airflow-scheduler + image: docker.io/bitnami/airflow-scheduler:2.8.3-debian-12-r0 + - name: airflow-worker + image: docker.io/bitnami/airflow-worker:2.8.3-debian-12-r0 - name: git - image: docker.io/bitnami/git:2.43.0-debian-11-r9 + image: docker.io/bitnami/git:2.44.0-debian-12-r0 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r96 + image: docker.io/bitnami/os-shell:12-debian-12-r16 licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.8.1 +appVersion: 2.8.3 dependencies: - condition: redis.enabled name: redis 
@@ -28,7 +28,7 @@ dependencies: - condition: postgresql.enabled name: postgresql repository: file://./charts/postgresql - version: 13.x.x + version: 14.x.x - name: common repository: file://./charts/common tags: @@ -50,4 +50,4 @@ maintainers: name: airflow sources: - https://github.com/bitnami/charts/tree/main/bitnami/airflow -version: 16.7.0 +version: 17.2.4 diff --git a/charts/bitnami/airflow/README.md b/charts/bitnami/airflow/README.md index 322693938..38b2ac301 100644 --- a/charts/bitnami/airflow/README.md +++ b/charts/bitnami/airflow/README.md 
@@ -55,11 +55,12 @@ The command removes all the Kubernetes components associated with the chart and ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | ### Common parameters 
@@ -155,9 +156,11 @@ The command removes all the Kubernetes components associated with the chart and | `web.containerSecurityContext.enabled` | Enabled Airflow web containers' Security Context | `true` | | `web.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `web.containerSecurityContext.runAsUser` | Set Airflow web containers' Security Context runAsUser | `1001` | +| `web.containerSecurityContext.runAsGroup` | Set Airflow web containers' Security Context runAsGroup | `0` | | `web.containerSecurityContext.runAsNonRoot` | Set Airflow web containers' Security Context runAsNonRoot | `true` | | `web.containerSecurityContext.privileged` | Set web container's Security Context privileged | `false` | | `web.containerSecurityContext.allowPrivilegeEscalation` | Set web container's Security Context allowPrivilegeEscalation | `false` | +| `web.containerSecurityContext.readOnlyRootFilesystem` | Set web container's Security Context readOnlyRootFilesystem | `false` | | `web.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `web.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `web.lifecycleHooks` | for the Airflow web container(s) to automate configuration before or after startup | `{}` | 
@@ -236,9 +239,11 @@ The command removes all the Kubernetes components associated with the chart and | `scheduler.containerSecurityContext.enabled` | Enabled Airflow scheduler containers' Security Context | `true` | | `scheduler.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `scheduler.containerSecurityContext.runAsUser` | Set Airflow scheduler containers' Security Context runAsUser | `1001` | +| `scheduler.containerSecurityContext.runAsGroup` | Set Airflow scheduler containers' Security Context runAsGroup | `0` | | `scheduler.containerSecurityContext.runAsNonRoot` | Set Airflow scheduler containers' Security Context runAsNonRoot | `true` | | `scheduler.containerSecurityContext.privileged` | Set scheduler container's Security Context privileged | `false` | | `scheduler.containerSecurityContext.allowPrivilegeEscalation` | Set scheduler container's Security Context allowPrivilegeEscalation | `false` | +| `scheduler.containerSecurityContext.readOnlyRootFilesystem` | Set scheduler container's Security Context readOnlyRootFilesystem | `false` | | `scheduler.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `scheduler.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `scheduler.lifecycleHooks` | for the Airflow scheduler container(s) to automate configuration before or after startup | `{}` | 
@@ -324,9 +329,11 @@ The command removes all the Kubernetes components associated with the chart and | `worker.containerSecurityContext.enabled` | Enabled Airflow worker containers' Security Context | `true` | | `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `worker.containerSecurityContext.runAsUser` | Set Airflow worker containers' Security Context runAsUser | `1001` | +| `worker.containerSecurityContext.runAsGroup` | Set Airflow worker containers' Security Context runAsGroup | `0` | | `worker.containerSecurityContext.runAsNonRoot` | Set Airflow worker containers' Security Context runAsNonRoot | `true` | | `worker.containerSecurityContext.privileged` | Set worker container's Security Context privileged | `false` | | `worker.containerSecurityContext.allowPrivilegeEscalation` | Set worker container's Security Context allowPrivilegeEscalation | `false` | +| `worker.containerSecurityContext.readOnlyRootFilesystem` | Set worker container's Security Context readOnlyRootFilesystem | `false` | | `worker.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `worker.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `worker.lifecycleHooks` | for the Airflow worker container(s) to automate configuration before or after startup | `{}` | 
@@ -486,9 +493,11 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.containerSecurityContext.enabled` | Enable Airflow exporter containers' Security Context | `true` | | `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `metrics.containerSecurityContext.runAsUser` | Set Airflow exporter containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsGroup` | Set Airflow exporter containers' Security Context runAsGroup | `0` | | `metrics.containerSecurityContext.runAsNonRoot` | Set Airflow exporter containers' Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` | | `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set metrics container's Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set metrics container's Security Context readOnlyRootFilesystem | `false` | | `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `metrics.lifecycleHooks` | for the Airflow exporter container(s) to automate configuration before or after startup | `{}` | @@ -765,6 +774,10 @@ Find more information about how to deal with common errors related to Bitnami's ## Upgrading +### To 17.0.0 + +This major release bumps the PostgreSQL chart version to [14.x.x](https://github.com/bitnami/charts/pull/22750); no major issues are expected during the upgrade. + ### To 16.0.0 This major updates the PostgreSQL subchart to its newest major, 13.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1300) you can find more information about the changes introduced in that version. 
diff --git a/charts/bitnami/airflow/charts/common/Chart.yaml b/charts/bitnami/airflow/charts/common/Chart.yaml index 3046b5910..f86ccd23a 100644 --- a/charts/bitnami/airflow/charts/common/Chart.yaml +++ b/charts/bitnami/airflow/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.14.1 +appVersion: 2.19.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.15.3 +version: 2.19.0 diff --git a/charts/bitnami/airflow/charts/common/templates/_compatibility.tpl b/charts/bitnami/airflow/charts/common/templates/_compatibility.tpl new file mode 100644 index 000000000..17665d567 --- /dev/null +++ b/charts/bitnami/airflow/charts/common/templates/_compatibility.tpl 
@@ -0,0 +1,39 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return true if the detected platform is Openshift +Usage: +{{- include "common.compatibility.isOpenshift" . -}} +*/}} +{{- define "common.compatibility.isOpenshift" -}} +{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}} +{{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC +Usage: +{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}} +*/}} +{{- define "common.compatibility.renderSecurityContext" -}} +{{- $adaptedContext := .secContext -}} +{{- if .context.Values.global.compatibility -}} + {{- if .context.Values.global.compatibility.openshift -}} + {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} + {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} + {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- if not .secContext.seLinuxOptions -}} + {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- omit $adaptedContext "enabled" | toYaml -}} +{{- end -}} diff --git a/charts/bitnami/airflow/charts/common/templates/_resources.tpl b/charts/bitnami/airflow/charts/common/templates/_resources.tpl index cfd41e571..d90f8752d 100644 
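Review bot: The comment on `common.compatibility.renderSecurityContext` says the removed values do not work with the `restricted-v1` SCC, while the airflow README hunk in this same diff documents the option as targeting `restricted-v2`; one of the two should change. Also worth stating in that comment: `isOpenshift` relies on `.Capabilities.APIVersions.Has`, so in `auto` mode `helm template` without `--api-versions` renders the unadapted securityContext while `helm install` against an OpenShift cluster strips `runAsUser`/`runAsGroup`/`fsGroup`, and anyone diffing rendered manifests in CI will see that difference.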
--- a/charts/bitnami/airflow/charts/common/templates/_resources.tpl +++ b/charts/bitnami/airflow/charts/common/templates/_resources.tpl 
@@ -11,35 +11,35 @@ These presets are for basic testing and not meant to be used in production
 {{ include "common.resources.preset" (dict "type" "nano") -}}
 */}}
 {{- define "common.resources.preset" -}}
-{{/* The limits are the requests increased by 50% */}}
+{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
 {{- $presets := dict
   "nano" (dict
-      "requests" (dict "cpu" "100m" "memory" "128Mi")
-      "limits" (dict "cpu" "150m" "memory" "192Mi")
+      "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
    )
   "micro" (dict
-      "requests" (dict "cpu" "250m" "memory" "256Mi")
-      "limits" (dict "cpu" "375m" "memory" "384Mi")
+      "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
    )
   "small" (dict
-      "requests" (dict "cpu" "500m" "memory" "512Mi")
-      "limits" (dict "cpu" "750m" "memory" "768Mi")
+      "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
    )
   "medium" (dict
-      "requests" (dict "cpu" "500m" "memory" "1024Mi")
-      "limits" (dict "cpu" "750m" "memory" "1536Mi")
+      "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
    )
   "large" (dict
-      "requests" (dict "cpu" "1.0" "memory" "2048Mi")
-      "limits" (dict "cpu" "1.5" "memory" "3072Mi")
+      "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
    )
   "xlarge" (dict
-      "requests" (dict "cpu" "2.0" "memory" "4096Mi")
-      "limits" (dict "cpu" "3.0" "memory" "6144Mi")
+      "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
    )
   "2xlarge" (dict
-      "requests" (dict "cpu" "4.0" "memory" "8192Mi")
-      "limits" (dict "cpu" "6.0" "memory" "12288Mi")
+      "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
    )
 }}
 {{- if hasKey $presets .type -}}
diff --git a/charts/bitnami/airflow/charts/postgresql/Chart.lock b/charts/bitnami/airflow/charts/postgresql/Chart.lock
index 5f5e5abcf..5320fb8e1 100644
--- a/charts/bitnami/airflow/charts/postgresql/Chart.lock
+++ b/charts/bitnami/airflow/charts/postgresql/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.14.1
-digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3
-generated: "2023-12-20T20:39:13.141839286Z"
+  version: 2.19.0
+digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
+generated: "2024-03-11T20:27:44.112846437Z"
diff --git a/charts/bitnami/airflow/charts/postgresql/Chart.yaml b/charts/bitnami/airflow/charts/postgresql/Chart.yaml
index 1fb01b8ca..d1c130aee 100644
--- a/charts/bitnami/airflow/charts/postgresql/Chart.yaml
+++ b/charts/bitnami/airflow/charts/postgresql/Chart.yaml
@@ -2,14 +2,14 @@ annotations:
   category: Database
   images: |
     - name: os-shell
-      image: docker.io/bitnami/os-shell:11-debian-11-r95
+      image: docker.io/bitnami/os-shell:12-debian-12-r16
     - name: postgres-exporter
-      image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r7
+      image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
     - name: postgresql
-      image: docker.io/bitnami/postgresql:16.1.0-debian-11-r25
+      image: docker.io/bitnami/postgresql:16.2.0-debian-12-r8
   licenses: Apache-2.0
 apiVersion: v2
-appVersion: 16.1.0
+appVersion: 16.2.0
 dependencies:
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
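Review bot: The amended comment `(except ephemeral-storage)` says only that the 50% rule does not apply, not what rule does apply: every preset from `nano` to `2xlarge` gets the same `50Mi` request and `1024Mi` limit, a 20x gap where cpu and memory use 1.5x. The comment should state the flat sizing so the intent is reviewable, e.g. `{{/* The limits are the requests increased by 50%. ephemeral-storage is a flat 50Mi request / 1024Mi limit for every preset; a container that writes past the limit is evicted, so set it explicitly for anything beyond basic testing */}}`. If the uniform cap is deliberate rather than an oversight for the larger presets, saying so in the comment keeps it from being "corrected" to scale with the preset later. The `define` continues past this hunk, so the fallback branch after `hasKey` was not reviewed here.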
@@ -34,4 +34,4 @@ maintainers:
 name: postgresql
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/postgresql
-version: 13.4.4
+version: 14.3.3
diff --git a/charts/bitnami/airflow/charts/postgresql/README.md b/charts/bitnami/airflow/charts/postgresql/README.md
index 24a4b1fe6..e05a3dfb7 100644
--- a/charts/bitnami/airflow/charts/postgresql/README.md
+++ b/charts/bitnami/airflow/charts/postgresql/README.md
@@ -66,20 +66,21 @@ kubectl delete pvc -l release=my-release ### Global parameters -| Name | Description | Value | -| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` | -| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` | -| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` | -| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` | -| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` | -| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | -| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | -| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. 
| `""` | -| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` | +| Name | Description | Value | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` | +| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` | +| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` | +| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` | +| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` | +| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | +| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. 
| `""` | +| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | +| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | ### Common parameters 
@@ -159,304 +160,302 @@ kubectl delete pvc -l release=my-release ### PostgreSQL Primary parameters -| Name | Description | Value | -| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- | -| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` | -| `primary.configuration` | PostgreSQL Primary main configuration to be injected as ConfigMap | `""` | -| `primary.pgHbaConfiguration` | PostgreSQL Primary client authentication configuration | `""` | -| `primary.existingConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary configuration | `""` | -| `primary.extendedConfiguration` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | `""` | -| `primary.existingExtendedConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary extended configuration | `""` | -| `primary.initdb.args` | PostgreSQL initdb extra arguments | `""` | -| `primary.initdb.postgresqlWalDir` | Specify a custom location for the PostgreSQL transaction log | `""` | -| `primary.initdb.scripts` | Dictionary of initdb scripts | `{}` | -| `primary.initdb.scriptsConfigMap` | ConfigMap with scripts to be run at first boot | `""` | -| `primary.initdb.scriptsSecret` | Secret with scripts to be run at first boot (in case it contains sensitive information) | `""` | -| `primary.initdb.user` | Specify the PostgreSQL username to execute the initdb scripts | `""` | -| `primary.initdb.password` | Specify the PostgreSQL password to execute the initdb scripts | `""` | -| `primary.standby.enabled` | Whether to enable current cluster's primary as standby server of another cluster or not | `false` | -| `primary.standby.primaryHost` | The Host of replication primary in the other cluster | `""` | -| `primary.standby.primaryPort` | The Port of replication primary in the other 
cluster | `""` | -| `primary.extraEnvVars` | Array with extra environment variables to add to PostgreSQL Primary nodes | `[]` | -| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes | `""` | -| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL Primary nodes | `""` | -| `primary.command` | Override default container command (useful when using custom images) | `[]` | -| `primary.args` | Override default container args (useful when using custom images) | `[]` | -| `primary.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Primary containers | `true` | -| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | -| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | -| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `primary.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Primary containers | `true` | -| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | -| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `primary.startupProbe.enabled` | Enable startupProbe on PostgreSQL Primary containers | `false` | -| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | -| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| 
`primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `primary.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` | -| `primary.resources.limits` | The resources limits for the PostgreSQL Primary containers | `{}` | -| `primary.resources.requests.memory` | The requested memory for the PostgreSQL Primary containers | `256Mi` | -| `primary.resources.requests.cpu` | The requested cpu for the PostgreSQL Primary containers | `250m` | -| `primary.podSecurityContext.enabled` | Enable security context | `true` | -| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | -| `primary.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `primary.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `primary.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | -| `primary.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| 
`primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | -| `primary.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | -| `primary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `primary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `primary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | -| `primary.hostAliases` | PostgreSQL primary pods host aliases | `[]` | -| `primary.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (postgresql primary) | `false` | -| `primary.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | -| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` | -| `primary.annotations` | Annotations for PostgreSQL primary pods | `{}` | -| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` | -| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` | -| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` | -| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. 
| `[]` | -| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` | -| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` | -| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` | -| `primary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | -| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `""` | -| `primary.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` | -| `primary.terminationGracePeriodSeconds` | Seconds PostgreSQL primary pod needs to terminate gracefully | `""` | -| `primary.updateStrategy.type` | PostgreSQL Primary statefulset strategy type | `RollingUpdate` | -| `primary.updateStrategy.rollingUpdate` | PostgreSQL Primary statefulset rolling update configuration parameters | `{}` | -| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) | `[]` | -| `primary.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) | `[]` | -| `primary.sidecars` | Add additional sidecar containers to the PostgreSQL Primary pod(s) | `[]` | -| `primary.initContainers` | Add additional init containers to the PostgreSQL Primary pod(s) | `[]` | -| `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` | -| `primary.service.type` | Kubernetes Service type | `ClusterIP` | -| `primary.service.ports.postgresql` | PostgreSQL service port | `5432` | -| `primary.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | -| `primary.service.clusterIP` | Static clusterIP or None for headless services | `""` | -| `primary.service.annotations` | Annotations for PostgreSQL primary service | `{}` | -| `primary.service.loadBalancerIP` | Load balancer IP if service type is 
`LoadBalancer` | `""` | -| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `primary.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` | -| `primary.service.extraPorts` | Extra ports to expose in the PostgreSQL primary service | `[]` | -| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `primary.service.headless.annotations` | Additional custom annotations for headless PostgreSQL primary service | `{}` | -| `primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `true` | -| `primary.persistence.existingClaim` | Name of an existing PVC to use | `""` | -| `primary.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` | -| `primary.persistence.subPath` | The subdirectory of the volume to mount to | `""` | -| `primary.persistence.storageClass` | PVC Storage Class for PostgreSQL Primary data volume | `""` | -| `primary.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` | -| `primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | -| `primary.persistence.annotations` | Annotations for the PVC | `{}` | -| `primary.persistence.labels` | Labels for the PVC | `{}` | -| `primary.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | -| `primary.persistence.dataSource` | Custom PVC data source | `{}` | -| `primary.persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for Primary Statefulset | `false` | -| `primary.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | -| 
`primary.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | +| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` | +| `primary.configuration` | PostgreSQL Primary main configuration to be injected as ConfigMap | `""` | +| `primary.pgHbaConfiguration` | PostgreSQL Primary client authentication configuration | `""` | +| `primary.existingConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary configuration | `""` | +| `primary.extendedConfiguration` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | `""` | +| `primary.existingExtendedConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary extended configuration | `""` | +| `primary.initdb.args` | PostgreSQL initdb extra arguments | `""` | +| `primary.initdb.postgresqlWalDir` | Specify a custom location for the PostgreSQL transaction log | `""` | +| `primary.initdb.scripts` | Dictionary of initdb scripts | `{}` | +| `primary.initdb.scriptsConfigMap` | ConfigMap with scripts to be run at first boot | `""` | +| `primary.initdb.scriptsSecret` | Secret with scripts to be run at first boot (in case it contains sensitive information) | `""` | +| `primary.initdb.user` | Specify the PostgreSQL username to execute the initdb scripts | `""` | +| `primary.initdb.password` | Specify the PostgreSQL password to execute the initdb scripts | `""` | +| `primary.standby.enabled` | Whether to enable current cluster's primary as standby server of another cluster or not | `false` | +| `primary.standby.primaryHost` | The 
Host of replication primary in the other cluster | `""` | +| `primary.standby.primaryPort` | The Port of replication primary in the other cluster | `""` | +| `primary.extraEnvVars` | Array with extra environment variables to add to PostgreSQL Primary nodes | `[]` | +| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes | `""` | +| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL Primary nodes | `""` | +| `primary.command` | Override default container command (useful when using custom images) | `[]` | +| `primary.args` | Override default container args (useful when using custom images) | `[]` | +| `primary.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Primary containers | `true` | +| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `primary.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Primary containers | `true` | +| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `primary.startupProbe.enabled` | Enable startupProbe on PostgreSQL Primary containers | `false` | +| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for 
startupProbe | `30` | +| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `primary.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` | +| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). 
| `none` | +| `primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `primary.podSecurityContext.enabled` | Enable security context | `true` | +| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | +| `primary.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `primary.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `primary.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | +| `primary.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `primary.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `primary.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `primary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `primary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `primary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `primary.hostAliases` | PostgreSQL primary pods host aliases | `[]` | +| `primary.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (postgresql primary) | 
`false` | +| `primary.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | +| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` | +| `primary.annotations` | Annotations for PostgreSQL primary pods | `{}` | +| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` | +| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` | +| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` | +| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` | +| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` | +| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` | +| `primary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `""` | +| `primary.schedulerName` | Use an alternate scheduler, e.g. "stork". 
| `""` | +| `primary.terminationGracePeriodSeconds` | Seconds PostgreSQL primary pod needs to terminate gracefully | `""` | +| `primary.updateStrategy.type` | PostgreSQL Primary statefulset strategy type | `RollingUpdate` | +| `primary.updateStrategy.rollingUpdate` | PostgreSQL Primary statefulset rolling update configuration parameters | `{}` | +| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) | `[]` | +| `primary.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) | `[]` | +| `primary.sidecars` | Add additional sidecar containers to the PostgreSQL Primary pod(s) | `[]` | +| `primary.initContainers` | Add additional init containers to the PostgreSQL Primary pod(s) | `[]` | +| `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` | +| `primary.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `primary.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `primary.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | +| `primary.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `primary.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `primary.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `primary.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `primary.service.type` | Kubernetes Service type | `ClusterIP` | +| `primary.service.ports.postgresql` | PostgreSQL service port | `5432` | +| `primary.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | +| `primary.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `primary.service.annotations` | Annotations for PostgreSQL primary service | `{}` | +| `primary.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` | +| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `primary.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` | +| `primary.service.extraPorts` | Extra ports to expose in the PostgreSQL primary service | `[]` | +| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `primary.service.headless.annotations` | Additional custom annotations for headless PostgreSQL primary service | `{}` | +| `primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `true` | +| `primary.persistence.existingClaim` | Name of an existing PVC to use | `""` | +| `primary.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` | +| `primary.persistence.subPath` | The subdirectory of the volume to mount to | `""` | +| `primary.persistence.storageClass` | PVC 
Storage Class for PostgreSQL Primary data volume | `""` |
+| `primary.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` |
+| `primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` |
+| `primary.persistence.annotations` | Annotations for the PVC | `{}` |
+| `primary.persistence.labels` | Labels for the PVC | `{}` |
+| `primary.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` |
+| `primary.persistence.dataSource` | Custom PVC data source | `{}` |
+| `primary.persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for Primary Statefulset | `false` |
+| `primary.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
+| `primary.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
 ### PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`)
-| Name | Description | Value |
-| ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- |
-| `readReplicas.name` | Name of the read replicas database (eg secondary, slave, ...)
| `read` |
-| `readReplicas.replicaCount` | Number of PostgreSQL read only replicas | `1` |
-| `readReplicas.extendedConfiguration` | Extended PostgreSQL read only replicas configuration (appended to main or default configuration) | `""` |
-| `readReplicas.extraEnvVars` | Array with extra environment variables to add to PostgreSQL read only nodes | `[]` |
-| `readReplicas.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes | `""` |
-| `readReplicas.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL read only nodes | `""` |
-| `readReplicas.command` | Override default container command (useful when using custom images) | `[]` |
-| `readReplicas.args` | Override default container args (useful when using custom images) | `[]` |
-| `readReplicas.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL read only containers | `true` |
-| `readReplicas.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
-| `readReplicas.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
-| `readReplicas.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `readReplicas.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
-| `readReplicas.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `readReplicas.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL read only containers | `true` |
-| `readReplicas.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
-| `readReplicas.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
-| `readReplicas.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
-| `readReplicas.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
-| `readReplicas.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `readReplicas.startupProbe.enabled` | Enable startupProbe on PostgreSQL read only containers | `false` |
-| `readReplicas.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` |
-| `readReplicas.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
-| `readReplicas.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
-| `readReplicas.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
-| `readReplicas.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `readReplicas.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
-| `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
-| `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
-| `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` |
-| `readReplicas.resources.limits` | The resources limits for the PostgreSQL read only containers | `{}` |
-| `readReplicas.resources.requests.memory` | The requested memory for the PostgreSQL read only containers | `256Mi` |
-| `readReplicas.resources.requests.cpu` | The requested cpu for the PostgreSQL read only containers | `250m` |
-| `readReplicas.podSecurityContext.enabled` | Enable security context | `true` |
-| `readReplicas.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
-| `readReplicas.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
-| `readReplicas.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
-| `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` |
-| `readReplicas.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in
container | `nil` |
-| `readReplicas.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `readReplicas.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
-| `readReplicas.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `readReplicas.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
-| `readReplicas.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
-| `readReplicas.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
-| `readReplicas.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
-| `readReplicas.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
-| `readReplicas.hostAliases` | PostgreSQL read only pods host aliases | `[]` |
-| `readReplicas.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) | `false` |
-| `readReplicas.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` |
-| `readReplicas.labels` | Map of labels to add to the statefulset (PostgreSQL read only) | `{}` |
-| `readReplicas.annotations` | Annotations for PostgreSQL read only pods | `{}` |
-| `readReplicas.podLabels` | Map of labels to add to the pods (PostgreSQL read only) | `{}` |
-| `readReplicas.podAnnotations` | Map of annotations to add to the pods (PostgreSQL read only) | `{}` |
-| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set.
Allowed values: `soft` or `hard` | `soft` |
-| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` |
-| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` |
-| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` |
-| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` |
-| `readReplicas.tolerations` | Tolerations for PostgreSQL read only pods assignment | `[]` |
-| `readReplicas.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
-| `readReplicas.priorityClassName` | Priority Class to use for each pod (PostgreSQL read only) | `""` |
-| `readReplicas.schedulerName` | Use an alternate scheduler, e.g. "stork".
| `""` |
-| `readReplicas.terminationGracePeriodSeconds` | Seconds PostgreSQL read only pod needs to terminate gracefully | `""` |
-| `readReplicas.updateStrategy.type` | PostgreSQL read only statefulset strategy type | `RollingUpdate` |
-| `readReplicas.updateStrategy.rollingUpdate` | PostgreSQL read only statefulset rolling update configuration parameters | `{}` |
-| `readReplicas.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) | `[]` |
-| `readReplicas.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) | `[]` |
-| `readReplicas.sidecars` | Add additional sidecar containers to the PostgreSQL read only pod(s) | `[]` |
-| `readReplicas.initContainers` | Add additional init containers to the PostgreSQL read only pod(s) | `[]` |
-| `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` |
-| `readReplicas.service.type` | Kubernetes Service type | `ClusterIP` |
-| `readReplicas.service.ports.postgresql` | PostgreSQL service port | `5432` |
-| `readReplicas.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` |
-| `readReplicas.service.clusterIP` | Static clusterIP or None for headless services | `""` |
-| `readReplicas.service.annotations` | Annotations for PostgreSQL read only service | `{}` |
-| `readReplicas.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` |
-| `readReplicas.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
-| `readReplicas.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` |
-| `readReplicas.service.extraPorts` | Extra ports to expose in the PostgreSQL read only service | `[]` |
-| `readReplicas.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
-| `readReplicas.service.sessionAffinityConfig` |
Additional settings for the sessionAffinity | `{}` |
-| `readReplicas.service.headless.annotations` | Additional custom annotations for headless PostgreSQL read only service | `{}` |
-| `readReplicas.persistence.enabled` | Enable PostgreSQL read only data persistence using PVC | `true` |
-| `readReplicas.persistence.existingClaim` | Name of an existing PVC to use | `""` |
-| `readReplicas.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` |
-| `readReplicas.persistence.subPath` | The subdirectory of the volume to mount to | `""` |
-| `readReplicas.persistence.storageClass` | PVC Storage Class for PostgreSQL read only data volume | `""` |
-| `readReplicas.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` |
-| `readReplicas.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` |
-| `readReplicas.persistence.annotations` | Annotations for the PVC | `{}` |
-| `readReplicas.persistence.labels` | Labels for the PVC | `{}` |
-| `readReplicas.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` |
-| `readReplicas.persistence.dataSource` | Custom PVC data source | `{}` |
-| `readReplicas.persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for read only Statefulset | `false` |
-| `readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
-| `readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
+| Name | Description | Value |
+| ---------------------------------------------------------------- |
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------- |
+| `readReplicas.name` | Name of the read replicas database (eg secondary, slave, ...) | `read` |
+| `readReplicas.replicaCount` | Number of PostgreSQL read only replicas | `1` |
+| `readReplicas.extendedConfiguration` | Extended PostgreSQL read only replicas configuration (appended to main or default configuration) | `""` |
+| `readReplicas.extraEnvVars` | Array with extra environment variables to add to PostgreSQL read only nodes | `[]` |
+| `readReplicas.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes | `""` |
+| `readReplicas.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL read only nodes | `""` |
+| `readReplicas.command` | Override default container command (useful when using custom images) | `[]` |
+| `readReplicas.args` | Override default container args (useful when using custom images) | `[]` |
+| `readReplicas.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL read only containers | `true` |
+| `readReplicas.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
+| `readReplicas.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
+| `readReplicas.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `readReplicas.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `readReplicas.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `readReplicas.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL read only containers | `true` |
+| `readReplicas.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
+|
`readReplicas.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
+| `readReplicas.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
+| `readReplicas.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `readReplicas.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `readReplicas.startupProbe.enabled` | Enable startupProbe on PostgreSQL read only containers | `false` |
+| `readReplicas.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` |
+| `readReplicas.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `readReplicas.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
+| `readReplicas.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
+| `readReplicas.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `readReplicas.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` |
+| `readReplicas.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production).
| `none` |
+| `readReplicas.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `readReplicas.podSecurityContext.enabled` | Enable security context | `true` |
+| `readReplicas.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `readReplicas.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `readReplicas.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` |
+| `readReplicas.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `readReplicas.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `readReplicas.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `readReplicas.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `readReplicas.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `readReplicas.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `readReplicas.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `readReplicas.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `readReplicas.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `readReplicas.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
+| `readReplicas.hostAliases` | PostgreSQL read only pods host aliases | `[]` |
+|
`readReplicas.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) | `false` |
+| `readReplicas.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` |
+| `readReplicas.labels` | Map of labels to add to the statefulset (PostgreSQL read only) | `{}` |
+| `readReplicas.annotations` | Annotations for PostgreSQL read only pods | `{}` |
+| `readReplicas.podLabels` | Map of labels to add to the pods (PostgreSQL read only) | `{}` |
+| `readReplicas.podAnnotations` | Map of annotations to add to the pods (PostgreSQL read only) | `{}` |
+| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` |
+| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` |
+| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` |
+| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` |
+| `readReplicas.tolerations` | Tolerations for PostgreSQL read only pods assignment | `[]` |
+| `readReplicas.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains.
Evaluated as a template | `[]` |
+| `readReplicas.priorityClassName` | Priority Class to use for each pod (PostgreSQL read only) | `""` |
+| `readReplicas.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
+| `readReplicas.terminationGracePeriodSeconds` | Seconds PostgreSQL read only pod needs to terminate gracefully | `""` |
+| `readReplicas.updateStrategy.type` | PostgreSQL read only statefulset strategy type | `RollingUpdate` |
+| `readReplicas.updateStrategy.rollingUpdate` | PostgreSQL read only statefulset rolling update configuration parameters | `{}` |
+| `readReplicas.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) | `[]` |
+| `readReplicas.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) | `[]` |
+| `readReplicas.sidecars` | Add additional sidecar containers to the PostgreSQL read only pod(s) | `[]` |
+| `readReplicas.initContainers` | Add additional init containers to the PostgreSQL read only pod(s) | `[]` |
+| `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` |
+| `readReplicas.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `readReplicas.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `readReplicas.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations.
| `true` |
+| `readReplicas.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
+| `readReplicas.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `readReplicas.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `readReplicas.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
+| `readReplicas.service.type` | Kubernetes Service type | `ClusterIP` |
+| `readReplicas.service.ports.postgresql` | PostgreSQL service port | `5432` |
+| `readReplicas.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` |
+| `readReplicas.service.clusterIP` | Static clusterIP or None for headless services | `""` |
+| `readReplicas.service.annotations` | Annotations for PostgreSQL read only service | `{}` |
+| `readReplicas.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` |
+| `readReplicas.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
+| `readReplicas.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` |
+| `readReplicas.service.extraPorts` | Extra ports to expose in the PostgreSQL read only service | `[]` |
+| `readReplicas.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
+| `readReplicas.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `readReplicas.service.headless.annotations` | Additional custom annotations for headless PostgreSQL read only service | `{}` |
+| `readReplicas.persistence.enabled` | Enable PostgreSQL read only data persistence using PVC | `true` |
+| `readReplicas.persistence.existingClaim` | Name of an existing PVC to use | `""` |
+| `readReplicas.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` |
+|
`readReplicas.persistence.subPath` | The subdirectory of the volume to mount to | `""` |
+| `readReplicas.persistence.storageClass` | PVC Storage Class for PostgreSQL read only data volume | `""` |
+| `readReplicas.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` |
+| `readReplicas.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` |
+| `readReplicas.persistence.annotations` | Annotations for the PVC | `{}` |
+| `readReplicas.persistence.labels` | Labels for the PVC | `{}` |
+| `readReplicas.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` |
+| `readReplicas.persistence.dataSource` | Custom PVC data source | `{}` |
+| `readReplicas.persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for read only Statefulset | `false` |
+| `readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
+| `readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
 ### Backup parameters
-| Name | Description | Value |
-| ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` |
-| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` |
-| `backup.cronjob.timeZone` | Set the cronjob parameter timeZone | `""` |
-| `backup.cronjob.concurrencyPolicy` | Set the cronjob parameter concurrencyPolicy | `Allow` |
-|
`backup.cronjob.failedJobsHistoryLimit` | Set the cronjob parameter failedJobsHistoryLimit | `1` |
-| `backup.cronjob.successfulJobsHistoryLimit` | Set the cronjob parameter successfulJobsHistoryLimit | `3` |
-| `backup.cronjob.startingDeadlineSeconds` | Set the cronjob parameter startingDeadlineSeconds | `""` |
-| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` |
-| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` |
-| `backup.cronjob.podSecurityContext.enabled` | Enable PodSecurityContext for CronJob/Backup | `true` |
-| `backup.cronjob.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
-| `backup.cronjob.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
-| `backup.cronjob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
-| `backup.cronjob.podSecurityContext.fsGroup` | Group ID for the CronJob | `1001` |
-| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
-| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
-| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
-| `backup.cronjob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
-|
`backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
-| `backup.cronjob.command` | Set backup container's command to run | `["/bin/sh","-c","pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"]` |
-| `backup.cronjob.labels` | Set the cronjob labels | `{}` |
-| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` |
-| `backup.cronjob.nodeSelector` | Node labels for PostgreSQL backup CronJob pod assignment | `{}` |
-| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` |
-| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` |
-| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` |
-| `backup.cronjob.storage.accessModes` | PV Access Mode | `["ReadWriteOnce"]` |
-| `backup.cronjob.storage.size` | PVC Storage Request for the backup data volume | `8Gi` |
-| `backup.cronjob.storage.annotations` | PVC annotations | `{}` |
-| `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/pgdump` |
-| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` |
-| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g.
when using local volumes) | `{}` |
-
-### NetworkPolicy parameters
-
-| Name | Description | Value |
-| ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `networkPolicy.enabled` | Enable network policies | `false` |
-| `networkPolicy.metrics.enabled` | Enable network policies for metrics (prometheus) | `false` |
-| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` |
-| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` |
-| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. | `false` |
-| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). | `{}` |
-| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). | `{}` |
-| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL primary node. | `[]` |
-| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. | `false` |
-| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s).
| `{}` |
-| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). | `{}` |
-| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL read-only nodes. | `[]` |
-| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` |
-| `networkPolicy.egressRules.customRules` | Custom network policy rule | `[]` |
+| Name | Description | Value |
+| ------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` |
+| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` |
+| `backup.cronjob.timeZone` | Set the cronjob parameter timeZone | `""` |
+| `backup.cronjob.concurrencyPolicy` | Set the cronjob parameter concurrencyPolicy | `Allow` |
+| `backup.cronjob.failedJobsHistoryLimit` | Set the cronjob parameter failedJobsHistoryLimit | `1` |
+| `backup.cronjob.successfulJobsHistoryLimit` | Set the cronjob parameter successfulJobsHistoryLimit | `3` |
+| `backup.cronjob.startingDeadlineSeconds` | Set the cronjob parameter startingDeadlineSeconds | `""` |
+| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` |
+| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` |
+|
`backup.cronjob.podSecurityContext.enabled` | Enable PodSecurityContext for CronJob/Backup | `true` | +| `backup.cronjob.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `backup.cronjob.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `backup.cronjob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `backup.cronjob.podSecurityContext.fsGroup` | Group ID for the CronJob | `1001` | +| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | +| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `backup.cronjob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `backup.cronjob.command` | Set backup container's command to run | `["/bin/sh","-c","pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"]` | +| `backup.cronjob.labels` | Set the cronjob labels | 
`{}` | +| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` | +| `backup.cronjob.nodeSelector` | Node labels for PostgreSQL backup CronJob pod assignment | `{}` | +| `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). | `none` | +| `backup.cronjob.resources` | Set container requests and limits for different resources like CPU or memory | `{}` | +| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | +| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` | +| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` | +| `backup.cronjob.storage.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `backup.cronjob.storage.size` | PVC Storage Request for the backup data volume | `8Gi` | +| `backup.cronjob.storage.annotations` | PVC annotations | `{}` | +| `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/pgdump` | +| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` | +| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. 
when using local volumes) | `{}` | ### Volume Permissions parameters -| Name | Description | Value | -| ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | -| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | -| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | -| `volumePermissions.containerSecurityContext.runAsGroup` | Group ID for the init container | `0` | -| `volumePermissions.containerSecurityContext.runAsNonRoot` | runAsNonRoot for the init container | `false` | -| `volumePermissions.containerSecurityContext.seccompProfile.type` | seccompProfile.type for the init container | `RuntimeDefault` | +| Name | Description | Value | +| ---------------------------------------------------------------- | 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). 
| `none` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | +| `volumePermissions.containerSecurityContext.runAsGroup` | Group ID for the init container | `0` | +| `volumePermissions.containerSecurityContext.runAsNonRoot` | runAsNonRoot for the init container | `false` | +| `volumePermissions.containerSecurityContext.seccompProfile.type` | seccompProfile.type for the init container | `RuntimeDefault` | ### Other Parameters 
@@ -473,68 +472,69 @@ kubectl delete pvc -l release=my-release ### Metrics Parameters -| Name | Description | Value | -| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `metrics.enabled` | Start a prometheus exporter | `false` | -| `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `REGISTRY_NAME` | -| `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `REPOSITORY_NAME/postgres-exporter` | -| `metrics.image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | PostgreSQL Prometheus Exporter image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Specify image pull secrets | `[]` | -| `metrics.collectors` | Control enabled collectors | `{}` | -| `metrics.customMetrics` | Define additional custom metrics | `{}` | -| `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` | -| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | -| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | -| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | -| `metrics.containerSecurityContext.capabilities.drop` | 
List of capabilities to be dropped | `["ALL"]` | -| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `metrics.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Prometheus exporter containers | `true` | -| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | -| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | -| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `metrics.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Prometheus exporter containers | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | -| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `metrics.startupProbe.enabled` | Enable startupProbe on PostgreSQL Prometheus exporter containers | `false` | -| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | -| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `metrics.customReadinessProbe` | 
Custom readinessProbe that overrides the default one | `{}` | -| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` | -| `metrics.resources.limits` | The resources limits for the PostgreSQL Prometheus exporter container | `{}` | -| `metrics.resources.requests` | The requested resources for the PostgreSQL Prometheus exporter container | `{}` | -| `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` | -| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` | -| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `metrics.service.annotations` | Annotations for Prometheus to auto-discover the metrics endpoint | `{}` | -| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | -| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | -| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | -| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | -| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | -| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | -| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. 
| `""` | -| `metrics.prometheusRule.enabled` | Create a PrometheusRule for Prometheus Operator | `false` | -| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | -| `metrics.prometheusRule.labels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | -| `metrics.prometheusRule.rules` | PrometheusRule definitions | `[]` | +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `metrics.enabled` | Start a prometheus exporter | `false` | +| `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `REPOSITORY_NAME/postgres-exporter` | +| `metrics.image.digest` | PostgreSQL image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | PostgreSQL Prometheus Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify image pull secrets | `[]` | +| `metrics.collectors` | Control enabled collectors | `{}` | +| `metrics.customMetrics` | Define additional custom metrics | `{}` | +| `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` | +| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Prometheus exporter containers | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| 
`metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Prometheus exporter containers | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.startupProbe.enabled` | Enable startupProbe on PostgreSQL Prometheus exporter containers | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). 
| `none` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` | +| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `metrics.service.annotations` | Annotations for Prometheus to auto-discover the metrics endpoint | `{}` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. 
| `""` | +| `metrics.prometheusRule.enabled` | Create a PrometheusRule for Prometheus Operator | `false` | +| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | +| `metrics.prometheusRule.labels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.rules` | PrometheusRule definitions | `[]` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, @@ -562,6 +562,12 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/postg ## Configuration and installation details +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + ### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. 
@@ -787,6 +793,12 @@ Find more information about how to deal with common errors related to Bitnami's ## Upgrading +### To 14.0.0 + +This major version adapts the NetworkPolicy objects to the most recent Bitnami standards. Now there is a separate object for `primary` and for `readReplicas`, being located in their corresponding sections. It is also enabled by default in other to comply with the best security standards. + +Check the parameter section for the new value structure. + ### To 13.0.0 This major version changes the default PostgreSQL image from 15.x to 16.x. Follow the [official instructions](https://www.postgresql.org/docs/16/upgrading.html) to upgrade to 16.x. diff --git a/charts/bitnami/airflow/charts/postgresql/charts/common/.helmignore b/charts/bitnami/airflow/charts/postgresql/charts/common/.helmignore index 50af03172..7c7c21d65 100644 --- a/charts/bitnami/airflow/charts/postgresql/charts/common/.helmignore +++ b/charts/bitnami/airflow/charts/postgresql/charts/common/.helmignore @@ -20,3 +20,5 @@ .idea/ *.tmproj .vscode/ +# img folder +img/ diff --git a/charts/bitnami/airflow/charts/postgresql/charts/common/Chart.yaml b/charts/bitnami/airflow/charts/postgresql/charts/common/Chart.yaml index 9a6aa881f..f86ccd23a 100644 --- a/charts/bitnami/airflow/charts/postgresql/charts/common/Chart.yaml +++ b/charts/bitnami/airflow/charts/postgresql/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.14.1 +appVersion: 2.19.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.14.1 +version: 2.19.0 diff --git a/charts/bitnami/airflow/charts/postgresql/charts/common/README.md b/charts/bitnami/airflow/charts/postgresql/charts/common/README.md index a76fa46a2..0d01a1e06 100644 
--- a/charts/bitnami/airflow/charts/postgresql/charts/common/README.md +++ b/charts/bitnami/airflow/charts/postgresql/charts/common/README.md @@ -220,7 +220,7 @@ helm install test mychart --set path.to.value00="",path.to.value01="" ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/airflow/charts/postgresql/charts/common/templates/_compatibility.tpl b/charts/bitnami/airflow/charts/postgresql/charts/common/templates/_compatibility.tpl new file mode 100644 index 000000000..17665d567 --- /dev/null +++ b/charts/bitnami/airflow/charts/postgresql/charts/common/templates/_compatibility.tpl 
@@ -0,0 +1,39 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+{{- if .context.Values.global.compatibility -}}
+ {{- if .context.Values.global.compatibility.openshift -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .secContext.seLinuxOptions -}}
+ {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/charts/bitnami/airflow/charts/postgresql/charts/common/templates/_resources.tpl b/charts/bitnami/airflow/charts/postgresql/charts/common/templates/_resources.tpl
new file mode 100644
index 000000000..d90f8752d
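Review bot: The `or`/`eq` condition in `renderSecurityContext` reads `.context.Values.global.compatibility.openshift.adaptSecurityContext` without the existence guard that the two enclosing `if`s give `compatibility` and `openshift`, so a values file that sets `openshift: {}` compares a missing (nil) key, which I would expect `eq` to reject rather than treat as "not force"; wrapping the condition in `hasKey .context.Values.global.compatibility.openshift "adaptSecurityContext"` (or documenting the key as required whenever `openshift` is set) makes that failure mode deliberate. The header comment should also state that `isOpenshift` relies on `.Capabilities.APIVersions`, which an offline `helm template` does not populate unless `--api-versions` is passed, so in `auto` mode rendered-but-not-installed manifests keep `runAsUser`/`runAsGroup`/`fsGroup` while the installed ones drop them. Keeping `runAsNonRoot` while stripping the three UID/GID keys is presumably intended (the platform's SCC assigns a non-root UID); a one-line comment saying so would stop a later change from "fixing" it.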
--- /dev/null
+++ b/charts/bitnami/airflow/charts/postgresql/charts/common/templates/_resources.tpl
@@ -0,0 +1,50 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a resource request/limit object based on a given preset.
+These presets are for basic testing and not meant to be used in production
+{{ include "common.resources.preset" (dict "type" "nano") -}}
+*/}}
+{{- define "common.resources.preset" -}}
+{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
+{{- $presets := dict
+ "nano" (dict
+ "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
+ )
+ "micro" (dict
+ "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
+ )
+ "small" (dict
+ "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
+ )
+ "medium" (dict
+ "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
+ )
+ "large" (dict
+ "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
+ )
+ "xlarge" (dict
+ "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
+ )
+ "2xlarge" (dict
+ "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
+ )
+ }}
+{{- if hasKey $presets .type -}}
+{{- index $presets .type | toYaml -}}
+{{- else -}}
+{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
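Review bot: The `fail` branch builds its "Allowed values are …" list from `keys $presets`, and sprig's `keys` returns map keys in no guaranteed order, so the error text varies between renders; `join "," (keys $presets | sortAlpha)` makes it stable and testable. The file is also committed without a trailing newline (`\ No newline at end of file`), unlike `_compatibility.tpl` in the same commit. The `medium` preset keeps `small`'s cpu figures (500m request, 750m limit) while doubling memory; if that is intentional, a short comment next to it would save the next reader a double-take, since the header only says "limits are the requests increased by 50%".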
diff --git a/charts/bitnami/airflow/charts/postgresql/charts/common/templates/_warnings.tpl b/charts/bitnami/airflow/charts/postgresql/charts/common/templates/_warnings.tpl
index 66dffc1fe..0f763cd82 100644
--- a/charts/bitnami/airflow/charts/postgresql/charts/common/templates/_warnings.tpl
+++ b/charts/bitnami/airflow/charts/postgresql/charts/common/templates/_warnings.tpl
@@ -13,7 +13,70 @@ Usage: {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ ++info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers {{- end }} - +{{- end -}} + +{{/* +Warning about not setting the resource object in all deployments. +Usage: +{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} +Example: +{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} +The list in the example assumes that the following values exist: + - csiProvider.provider.resources + - server.resources + - volumePermissions.resources + - resources +*/}} +{{- define "common.warnings.resources" -}} +{{- $values := .context.Values -}} +{{- $printMessage := false -}} +{{ $affectedSections := list -}} +{{- range .sections -}} + {{- if eq . "" -}} + {{/* Case where the resources section is at the root (one main deployment in the chart) */}} + {{- if not (index $values "resources") -}} + {{- $affectedSections = append $affectedSections "resources" -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} + {{- $keys := split "." . -}} + {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} + {{- $section := $values -}} + {{- range $keys -}} + {{- $section = index $section . 
-}} + {{- end -}} + {{- if not (index $section "resources") -}} + {{/* If the section has enabled=false or replicaCount=0, do not include it */}} + {{- if and (hasKey $section "enabled") -}} + {{- if index $section "enabled" -}} + {{/* enabled=true */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else if and (hasKey $section "replicaCount") -}} + {{/* We need a casting to int because number 0 is not treated as an int by default */}} + {{- if (gt (index $section "replicaCount" | int) 0) -}} + {{/* replicaCount > 0 */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Default case, add it to the affected sections */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: +{{- range $affectedSections }} + - {{ . }} +{{- end }} ++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +{{- end -}} {{- end -}} diff --git a/charts/bitnami/airflow/charts/postgresql/templates/NOTES.txt b/charts/bitnami/airflow/charts/postgresql/templates/NOTES.txt index 73c4a34e5..ac8a6b5f0 100644 --- a/charts/bitnami/airflow/charts/postgresql/templates/NOTES.txt +++ b/charts/bitnami/airflow/charts/postgresql/templates/NOTES.txt 
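Review bot: `{{ $affectedSections := list -}}` is the only action in `common.warnings.resources` without a leading `{{-`, so the preceding newline leaks into NOTES output every time the helper is included; change it to `{{- $affectedSections := list -}}`. The segment walk `{{- $section = index $section . -}}` assumes every path listed in `sections` exists in values, and a section that is absent leaves `$section` nil, which as far as I can tell makes the next `index` fail the whole render instead of skipping that section; either check `hasKey $section .` per segment and skip, or document the precondition in the usage comment. `and (hasKey $section "enabled")` with a single operand is just `hasKey $section "enabled"` (same for `replicaCount`); dropping the `and` in both branches reads cleaner. The `common.warnings.rollingTag` define whose tail this hunk edits starts above the hunk.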
@@ -113,3 +113,4 @@ WARNING: The configured password will be ignored on new installation in case whe {{- include "postgresql.v1.validateValues" . -}} {{- include "common.warnings.rollingTag" .Values.image -}} {{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} +{{- include "common.warnings.resources" (dict "sections" (list "metrics" "primary" "readReplicas" "volumePermissions") "context" $) }} diff --git a/charts/bitnami/airflow/charts/postgresql/templates/backup/cronjob.yaml b/charts/bitnami/airflow/charts/postgresql/templates/backup/cronjob.yaml index cdf87f743..f48f6c487 100644 --- a/charts/bitnami/airflow/charts/postgresql/templates/backup/cronjob.yaml +++ b/charts/bitnami/airflow/charts/postgresql/templates/backup/cronjob.yaml @@ -77,7 +77,7 @@ spec: {{- if .Values.tls.autoGenerated }} value: /tmp/certs/ca.crt {{- else }} - value: {{- printf "/tmp/certs/%s" .Values.tls.certCAFilename -}} + value: {{ printf "/tmp/certs/%s" .Values.tls.certCAFilename }} {{- end }} {{- end }} command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }} 
@@ -89,8 +89,16 @@ spec: - name: datadir mountPath: {{ .Values.backup.cronjob.storage.mountPath }} subPath: {{ .Values.backup.cronjob.storage.subPath }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.backup.cronjob.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.backup.cronjob.containerSecurityContext "enabled" | toYaml | nindent 14 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.backup.cronjob.containerSecurityContext "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.backup.cronjob.resources }} + resources: {{- toYaml .Values.backup.cronjob.resources | nindent 14 }} + {{- else if ne .Values.backup.cronjob.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.backup.cronjob.resourcesPreset) | nindent 14 }} {{- end }} restartPolicy: {{ .Values.backup.cronjob.restartPolicy }} {{- if .Values.backup.cronjob.podSecurityContext.enabled }} @@ -111,4 +119,6 @@ spec: persistentVolumeClaim: claimName: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall {{- end }} + - name: empty-dir + emptyDir: {} {{- end }} diff --git a/charts/bitnami/airflow/charts/postgresql/templates/networkpolicy-egress.yaml b/charts/bitnami/airflow/charts/postgresql/templates/networkpolicy-egress.yaml deleted file mode 100644 index b67817c05..000000000 --- a/charts/bitnami/airflow/charts/postgresql/templates/networkpolicy-egress.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-egress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} - policyTypes: - - Egress - egress: - {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }} - - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - - to: - - namespaceSelector: {} - {{- end }} - {{- if .Values.networkPolicy.egressRules.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/bitnami/airflow/charts/postgresql/templates/primary/networkpolicy.yaml b/charts/bitnami/airflow/charts/postgresql/templates/primary/networkpolicy.yaml index 9da3fb491..7fa3b05fa 100644 --- a/charts/bitnami/airflow/charts/postgresql/templates/primary/networkpolicy.yaml +++ b/charts/bitnami/airflow/charts/postgresql/templates/primary/networkpolicy.yaml 
@@ -3,59 +3,76 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +{{- if .Values.primary.networkPolicy.enabled }} kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} metadata: - name: {{ printf "%s-ingress" (include "postgresql.v1.primary.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + name: {{ include "postgresql.v1.primary.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: primary {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} spec: - {{- $primaryPodLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . 
) }} podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $primaryPodLabels "context" $ ) | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: primary - ingress: - {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} - - from: - {{- if .Values.networkPolicy.metrics.namespaceSelector }} - - namespaceSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.metrics.podSelector }} - - podSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} - {{- end }} - ports: - - port: {{ .Values.metrics.containerPorts.metrics }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector }} - - namespaceSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector }} - - podSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }} - {{- end }} - ports: + policyTypes: + - Ingress + - Egress + {{- if .Values.primary.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow 
dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to read-replicas + - ports: - port: {{ .Values.containerPorts.postgresql }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (eq .Values.architecture "replication") }} - - from: - {{- $readPodLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }} + to: - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $readPodLabels "context" $ ) | nindent 14 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} app.kubernetes.io/component: read - ports: - - port: {{ .Values.containerPorts.postgresql }} + {{- if .Values.primary.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraEgress "context" $ ) | nindent 4 }} {{- end }} - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules "context" $) | nindent 4 }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.postgresql }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPorts.metrics }} + {{- end }} + {{- if not .Values.primary.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "postgresql.v1.primary.fullname" . 
}}-client: "true" + {{- if .Values.primary.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.primary.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.primary.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.primary.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.primary.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraIngress "context" $ ) | nindent 4 }} {{- end }} {{- end }} diff --git a/charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml b/charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml index 1f0c96203..c08191bbd 100644 --- a/charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml +++ b/charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml @@ -80,7 +80,7 @@ spec: terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }} {{- end }} {{- if .Values.primary.podSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.podSecurityContext "context" $) | nindent 8 }} {{- end }} hostNetwork: {{ .Values.primary.hostNetwork }} hostIPC: {{ .Values.primary.hostIPC }} 
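Review bot: In the `allowExternalEgress: false` branch of the primary NetworkPolicy, the DNS rule under `# Allow dns resolution` has no `to:` selector, so port 53 UDP/TCP stays open to any destination, including addresses outside the cluster, even in the restricted mode; the read-replica policy in the `@@ -19,21 +20,61 @@` hunk has the same shape. Adding `to:` / `- namespaceSelector: {}` under that rule keeps DNS egress in-cluster, with the caveat that a node-local DNS cache answers from a node address and would need its own entry. With the shipped defaults (`allowExternal: true`, `allowExternalEgress: true`) the rendered policy omits `from:` and emits `egress: - {}`, so it only narrows ingress to the listed ports and restricts neither sources nor egress; a comment above `ingress:` such as `# source restriction applies only when primary.networkPolicy.allowExternal is false` would avoid a false sense of isolation. Once `allowExternal` is false the metrics port falls under the same `from:` block, so scrapers in another namespace need `ingressNSMatchLabels`, which the template does not mention.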
@@ -92,10 +92,12 @@ spec: imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} {{- if .Values.primary.resources }} resources: {{- toYaml .Values.primary.resources | nindent 12 }} + {{- else if ne .Values.primary.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }} {{- end }} # We don't require a privileged container in this case {{- if .Values.primary.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }} {{- end }} command: - /bin/sh @@ -104,6 +106,9 @@ spec: cp /tmp/certs/* /opt/bitnami/postgresql/certs/ chmod 600 {{ include "postgresql.v1.tlsCertKey" . }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: raw-certificates mountPath: /tmp/certs - name: postgresql-certificates @@ -114,6 +119,8 @@ spec: imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} command: - /bin/sh 
@@ -152,13 +159,14 @@ spec: securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} {{- end }} volumeMounts: - {{- if .Values.primary.persistence.enabled }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: data mountPath: {{ .Values.primary.persistence.mountPath }} {{- if .Values.primary.persistence.subPath }} subPath: {{ .Values.primary.persistence.subPath }} {{- end }} - {{- end }} {{- if .Values.shmVolume.enabled }} - name: dshm mountPath: /dev/shm @@ -179,7 +187,7 @@ spec: image: {{ include "postgresql.v1.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.primary.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} 
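Review bot: In the `@@ -152,13 +159,14 @@` hunk the volume-permissions init container keeps `securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}` as a context line, so it appears to be the only container in this StatefulSet not routed through `common.compatibility.renderSecurityContext`; the read-replica StatefulSet at `@@ -150,13 +157,14 @@` has the same gap. If that is deliberate because this container needs its configured UID to fix ownership of the data directory, a comment on that line (`# not adapted for Openshift on purpose: volumePermissions needs its configured UID`) would stop the next reader from "fixing" it; otherwise routing it through the helper like the sibling containers keeps `global.compatibility.openshift.adaptSecurityContext` consistent. The same hunk also removes the `{{- if .Values.primary.persistence.enabled }}` guard around the `data` mount, which is only safe if a `data` volume is declared unconditionally in the volumes list; that list is outside this hunk, so please confirm.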
@@ -442,11 +450,25 @@ spec: {{- end }} {{- if .Values.primary.resources }} resources: {{- toYaml .Values.primary.resources | nindent 12 }} + {{- else if ne .Values.primary.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }} {{- end }} {{- if .Values.primary.lifecycleHooks }} lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/postgresql/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/postgresql/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/postgresql/logs + subPath: app-logs-dir {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }} - name: custom-init-scripts mountPath: /docker-entrypoint-initdb.d/ @@ -491,7 +513,7 @@ spec: image: {{ include "postgresql.v1.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -555,6 +577,9 @@ spec: {{- end }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.auth.usePasswordFiles }} - name: postgresql-password mountPath: /opt/bitnami/postgresql/secrets/ 
@@ -566,12 +591,16 @@ spec: {{- end }} {{- if .Values.metrics.resources }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} {{- end }} {{- if .Values.primary.sidecars }} {{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} - name: postgresql-config configMap: diff --git a/charts/bitnami/airflow/charts/postgresql/templates/read/networkpolicy.yaml b/charts/bitnami/airflow/charts/postgresql/templates/read/networkpolicy.yaml index 79d3a5aa8..b59777195 100644 --- a/charts/bitnami/airflow/charts/postgresql/templates/read/networkpolicy.yaml +++ b/charts/bitnami/airflow/charts/postgresql/templates/read/networkpolicy.yaml 
@@ -3,12 +3,13 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if and .Values.networkPolicy.enabled (eq .Values.architecture "replication") .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +{{- if eq .Values.architecture "replication" }} +{{- if .Values.readReplicas.networkPolicy.enabled }} kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} metadata: - name: {{ printf "%s-ingress" (include "postgresql.v1.readReplica.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + name: {{ include "postgresql.v1.readReplica.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: read {{- if .Values.commonAnnotations }} 
@@ -19,21 +20,61 @@ spec: podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: read - ingress: - {{- if and .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector }} - - namespaceSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector }} - - podSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector "context" $) | nindent 14 }} - {{- end }} - ports: + policyTypes: + - Ingress + - Egress + {{- if .Values.readReplicas.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to primary + - ports: - port: {{ .Values.containerPorts.postgresql }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: primary + {{- if .Values.readReplicas.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraEgress "context" $ ) | nindent 4 }} {{- end }} - {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules 
"context" $) | nindent 4 }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.postgresql }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPorts.metrics }} + {{- end }} + {{- if not .Values.readReplicas.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "postgresql.v1.readReplica.fullname" . }}-client: "true" + {{- if .Values.readReplicas.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraIngress "context" $ ) | nindent 4 }} {{- end }} {{- end }} +{{- end }} diff --git a/charts/bitnami/airflow/charts/postgresql/templates/read/statefulset.yaml b/charts/bitnami/airflow/charts/postgresql/templates/read/statefulset.yaml index f11ae0a89..7cfa06bda 100644 --- a/charts/bitnami/airflow/charts/postgresql/templates/read/statefulset.yaml +++ b/charts/bitnami/airflow/charts/postgresql/templates/read/statefulset.yaml 
@@ -78,7 +78,7 @@ spec: terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }} {{- end }} {{- if .Values.readReplicas.podSecurityContext.enabled }} - securityContext: {{- omit .Values.readReplicas.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.podSecurityContext "context" $) | nindent 8 }} {{- end }} hostNetwork: {{ .Values.readReplicas.hostNetwork }} hostIPC: {{ .Values.readReplicas.hostIPC }} @@ -90,10 +90,12 @@ spec: imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} {{- if .Values.readReplicas.resources }} resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} + {{- else if ne .Values.readReplicas.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }} {{- end }} # We don't require a privileged container in this case {{- if .Values.readReplicas.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }} {{- end }} command: - /bin/sh @@ -102,6 +104,9 @@ spec: cp /tmp/certs/* /opt/bitnami/postgresql/certs/ chmod 600 {{ include "postgresql.v1.tlsCertKey" . }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: raw-certificates mountPath: /tmp/certs - name: postgresql-certificates 
@@ -112,6 +117,8 @@ spec: imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} {{- if .Values.readReplicas.resources }} resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} + {{- else if ne .Values.readReplicas.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }} {{- end }} command: - /bin/sh @@ -150,13 +157,14 @@ spec: securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} {{- end }} volumeMounts: - {{ if .Values.readReplicas.persistence.enabled }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: data mountPath: {{ .Values.readReplicas.persistence.mountPath }} {{- if .Values.readReplicas.persistence.subPath }} subPath: {{ .Values.readReplicas.persistence.subPath }} {{- end }} - {{- end }} {{- if .Values.shmVolume.enabled }} - name: dshm mountPath: /dev/shm @@ -177,7 +185,7 @@ spec: image: {{ include "postgresql.v1.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.readReplicas.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} 
@@ -369,11 +377,25 @@ spec: {{- end }} {{- if .Values.readReplicas.resources }} resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} + {{- else if ne .Values.readReplicas.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }} {{- end }} {{- if .Values.readReplicas.lifecycleHooks }} lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/postgresql/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/postgresql/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/postgresql/logs + subPath: app-logs-dir {{- if .Values.auth.usePasswordFiles }} - name: postgresql-password mountPath: /opt/bitnami/postgresql/secrets/ @@ -406,7 +428,7 @@ spec: image: {{ include "postgresql.v1.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -462,6 +484,9 @@ spec: {{- end }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.auth.usePasswordFiles }} - name: postgresql-password mountPath: /opt/bitnami/postgresql/secrets/ 
@@ -473,6 +498,8 @@ spec: {{- end }} {{- if .Values.metrics.resources }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} {{- end }} {{- if .Values.readReplicas.sidecars }} @@ -509,6 +536,8 @@ spec: sizeLimit: {{ .Values.shmVolume.sizeLimit }} {{- end }} {{- end }} + - name: empty-dir + emptyDir: {} {{- if .Values.readReplicas.extraVolumes }} {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }} {{- end }} @@ -526,7 +555,9 @@ spec: whenScaled: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled }} {{- end }} volumeClaimTemplates: - - metadata: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: name: data {{- if .Values.readReplicas.persistence.annotations }} annotations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.annotations "context" $) | nindent 10 }} diff --git a/charts/bitnami/airflow/charts/postgresql/values.yaml b/charts/bitnami/airflow/charts/postgresql/values.yaml index 2a353ff63..c97426e5f 100644 --- a/charts/bitnami/airflow/charts/postgresql/values.yaml +++ b/charts/bitnami/airflow/charts/postgresql/values.yaml 
@@ -42,7 +42,15 @@ global: service: ports: postgresql: "" - + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## @section Common parameters ## @@ -81,7 +89,6 @@ diagnosticMode: ## args: - infinity - ## @section PostgreSQL common parameters ## @@ -98,7 +105,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/postgresql - tag: 16.1.0-debian-11-r25 + tag: 16.2.0-debian-12-r8 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -286,7 +293,6 @@ tls: ## @param tls.crlFilename File containing a Certificate Revocation List ## crlFilename: "" - ## @section PostgreSQL Primary parameters ## primary: 
@@ -439,15 +445,21 @@ primary: lifecycleHooks: {} ## PostgreSQL Primary resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param primary.resources.limits The resources limits for the PostgreSQL Primary containers - ## @param primary.resources.requests.memory The requested memory for the PostgreSQL Primary containers - ## @param primary.resources.requests.cpu The requested cpu for the PostgreSQL Primary containers + ## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - limits: {} - requests: - memory: 256Mi - cpu: 250m + resourcesPreset: "none" + ## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Pod Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param primary.podSecurityContext.enabled Enable security context 
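Review bot: Replacing the previous `primary.resources` defaults (`requests: memory: 256Mi`, `cpu: 250m`) with `resourcesPreset: "none"` and `resources: {}` means a default install now renders no requests or limits at all, so the PostgreSQL pod drops from the Burstable to the BestEffort QoS class and becomes the first eviction candidate under node pressure; the `readReplicas` block at `@@ -814,15 +882,21 @@` makes the same change. Since the `@param primary.resourcesPreset` comment already lists the presets, consider flagging the upgrade impact in the same comment, e.g. `## NOTE: earlier chart versions shipped default requests (256Mi/250m); set primary.resources or a preset to keep scheduling guarantees.` The NOTES warning added in this commit reports the unset sections at install time, but only to users who read that output.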
@@ -467,6 +479,7 @@ primary: ## @param primary.containerSecurityContext.enabled Enabled containers' Security Context ## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param primary.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param primary.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param primary.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param primary.containerSecurityContext.privileged Set container's Security Context privileged ## @param primary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem @@ -478,6 +491,7 @@ primary: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false readOnlyRootFilesystem: false 
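Review bot: `runAsGroup: 0` is added to `primary.containerSecurityContext` while `readOnlyRootFilesystem: false` remains the default, even though the StatefulSet hunks in this commit now mount `empty-dir` over `/tmp`, `/opt/bitnami/postgresql/conf`, `/opt/bitnami/postgresql/tmp` and `/opt/bitnami/postgresql/logs`, which looks like the groundwork for a read-only root filesystem. If the image writes nowhere else at runtime, flipping the default to `readOnlyRootFilesystem: true` here would complete that hardening; if it cannot be flipped yet, a comment beside the parameter naming what still needs a writable root (`## readOnlyRootFilesystem stays false because <writable path> is not yet covered by an emptyDir`) would explain why the mounts exist. The `@param primary.containerSecurityContext.runAsGroup` line could also state that GID 0 is chosen for compatibility with the `global.compatibility.openshift` adaptation, if that is the reason.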
@@ -602,6 +616,61 @@ primary:
 ## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s)
 ##
 extraPodSpec: {}
+ ## Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param primary.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param primary.networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param primary.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param primary.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param primary.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param primary.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param primary.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
 ## PostgreSQL Primary service configuration
##
 service:
@@ -723,7 +792,6 @@ primary:
 ## @param primary.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
 ##
 whenDeleted: Retain
-
 ## @section PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`)
 ##
 readReplicas:
@@ -814,15 +882,21 @@ readReplicas:
 lifecycleHooks: {}
 ## PostgreSQL read only resource requests and limits
 ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
- ## @param readReplicas.resources.limits The resources limits for the PostgreSQL read only containers
- ## @param readReplicas.resources.requests.memory The requested memory for the PostgreSQL read only containers
- ## @param readReplicas.resources.requests.cpu The requested cpu for the PostgreSQL read only containers
+ ## @param readReplicas.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resources:
- limits: {}
- requests:
- memory: 256Mi
- cpu: 250m
+ resourcesPreset: "none"
+ ## @param readReplicas.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
 ## Pod Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 ## @param readReplicas.podSecurityContext.enabled Enable security context
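Review bot: The new `primary.networkPolicy` block defaults to `enabled: true` with `allowExternal: true` and `allowExternalEgress: true`, which by its own descriptions accepts connections from any source and allows egress to all destinations, so the default policy restricts nothing; the restrictive knobs the chart had before (`networkPolicy.ingressRules.primaryAccessOnlyFrom`, `readReplicasAccessOnlyFrom`, `egressRules.denyConnectionsToExternal`, removed in `@@ -1213,103 +1359,6 @@`) get no mention here, so a user upgrading with those set keeps an unrestricted database unless they find `allowExternal: false` and the `ingressNS*MatchLabels` selectors on their own. A migration comment on the block would close that gap, e.g. `## Replaces the former top-level networkPolicy.ingressRules/egressRules; set allowExternal and allowExternalEgress to false to restrict traffic.` Two slips in the new comment lines: `extraEgress` is described as `Add extra ingress rules to the NetworkPolicy` (should read `Add extra egress rules to the NetworkPolicy`) and the `extraIngress` line says `NetworkPolice`. The `e.g:` examples also list `podSelector`'s children (`- matchLabels:`, `- role: frontend`) as sequence items, whereas in a NetworkPolicyPeer `podSelector` is a map whose `matchLabels` is itself a map, so the example as written does not yield a valid rule. The readReplicas copy in `@@ -977,6 +1053,61 @@` repeats all of this.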
@@ -842,6 +916,7 @@ readReplicas:
 ## @param readReplicas.containerSecurityContext.enabled Enabled containers' Security Context
 ## @param readReplicas.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param readReplicas.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param readReplicas.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
 ## @param readReplicas.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param readReplicas.containerSecurityContext.privileged Set container's Security Context privileged
 ## @param readReplicas.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -853,6 +928,7 @@ readReplicas:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
+ runAsGroup: 0
 runAsNonRoot: true
 privileged: false
 readOnlyRootFilesystem: false
@@ -977,6 +1053,61 @@ readReplicas:
 ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s)
 ##
 extraPodSpec: {}
+ ## Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param readReplicas.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param readReplicas.networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param readReplicas.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param readReplicas.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param readReplicas.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param readReplicas.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param readReplicas.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
 ## PostgreSQL read only service configuration
 ##
 service:
@@ -1098,8 +1229,6 @@ readReplicas:
 ## @param readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
 ##
 whenDeleted: Retain
-
-
 ## @section Backup parameters
 ## This section implements a trivial logical dump cronjob of the database.
 ## This only comes with the consistency guarantees of the dump program.
@@ -1141,6 +1270,7 @@ backup:
 ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context
 ## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param backup.cronjob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
 ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged
 ## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -1151,6 +1281,7 @@ backup:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
+ runAsGroup: 0
 runAsNonRoot: true
 privileged: false
 readOnlyRootFilesystem: false
@@ -1164,7 +1295,6 @@ backup:
 - /bin/sh
 - -c
 - "pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"
-
 ## @param backup.cronjob.labels Set the cronjob labels
 labels: {}
 ## @param backup.cronjob.annotations Set the cronjob annotations
@@ -1173,6 +1303,22 @@ backup:
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
 ##
 nodeSelector: {}
+ ## backup cronjob container resource requests and limits
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## @param backup.cronjob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "none"
+ ## @param backup.cronjob.resources Set container requests and limits for different resources like CPU or memory
+ ## Example:
+ resources: {}
+ ## resources:
+ ## requests:
+ ## cpu: 1
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 2
+ ## memory: 1024Mi
 storage:
 ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`)
 ## If defined, PVC must be created manually before volume will be bound
@@ -1191,7 +1337,7 @@ backup:
 ## @param backup.cronjob.storage.accessModes PV Access Mode
 ##
 accessModes:
- - ReadWriteOnce
+ - ReadWriteOnce
 ## @param backup.cronjob.storage.size PVC Storage Request for the backup data volume
 ##
 size: 8Gi
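Review bot: In `@@ -1173,6 +1303,22 @@` the `resources: {}` value is emitted right after `## Example:` and before the example body, so the example reads as trailing commentary on the following `storage:` key rather than on the key it illustrates; every other resources section in this change keeps the whole example above the key and closes it with a `##` line. Move `resources: {}` below `## memory: 1024Mi` and add the closing `##` so the block matches its siblings. The `backup.cronjob.resources` description also drops the `(essential for production workloads)` wording the sibling parameters carry; align it while here.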
@@ -1213,103 +1359,6 @@ backup:
 ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details
 ##
 selector: {}
-
-## @section NetworkPolicy parameters
-##
-
-## Add networkpolicies
-##
-networkPolicy:
- ## @param networkPolicy.enabled Enable network policies
- ##
- enabled: false
- ## @param networkPolicy.metrics.enabled Enable network policies for metrics (prometheus)
- ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace.
- ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods.
- ##
- metrics:
- enabled: false
- ## e.g:
- ## namespaceSelector:
- ## label: monitoring
- ##
- namespaceSelector: {}
- ## e.g:
- ## podSelector:
- ## label: monitoring
- ##
- podSelector: {}
- ## Ingress Rules
- ##
- ingressRules:
- ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin.
- ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s).
- ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s).
- ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules Custom network policy for the PostgreSQL primary node.
- ##
- primaryAccessOnlyFrom:
- enabled: false
- ## e.g:
- ## namespaceSelector:
- ## label: ingress
- ##
- namespaceSelector: {}
- ## e.g:
- ## podSelector:
- ## label: access
- ##
- podSelector: {}
- ## custom ingress rules
- ## e.g:
- ## customRules:
- ## - from:
- ## - namespaceSelector:
- ## matchLabels:
- ## label: example
- ##
- customRules: []
- ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin.
- ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s).
- ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s).
- ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules Custom network policy for the PostgreSQL read-only nodes.
- ##
- readReplicasAccessOnlyFrom:
- enabled: false
- ## e.g:
- ## namespaceSelector:
- ## label: ingress
- ##
- namespaceSelector: {}
- ## e.g:
- ## podSelector:
- ## label: access
- ##
- podSelector: {}
- ## custom ingress rules
- ## e.g:
- ## CustomRules:
- ## - from:
- ## - namespaceSelector:
- ## matchLabels:
- ## label: example
- ##
- customRules: []
- ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53).
- ## @param networkPolicy.egressRules.customRules Custom network policy rule
- ##
- egressRules:
- # Deny connections to external. This is not compatible with an external database.
- denyConnectionsToExternal: false
- ## Additional custom egress rules
- ## e.g:
- ## customRules:
- ## - to:
- ## - namespaceSelector:
- ## matchLabels:
- ## label: example
- ##
- customRules: []
-
 ## @section Volume Permissions parameters
 ##
@@ -1330,7 +1379,7 @@ volumePermissions:
 image:
 registry: docker.io
 repository: bitnami/os-shell
- tag: 11-debian-11-r95
+ tag: 12-debian-12-r16
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
@@ -1343,12 +1392,21 @@ volumePermissions:
 pullSecrets: []
 ## Init container resource requests and limits
 ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
- ## @param volumePermissions.resources.limits Init container volume-permissions resource limits
- ## @param volumePermissions.resources.requests Init container volume-permissions resource requests
+ ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resources:
- limits: {}
- requests: {}
+ resourcesPreset: "none"
+ ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
 ## Init container' Security Context
 ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
 ## and not the below volumePermissions.containerSecurityContext.runAsUser
@@ -1373,7 +1431,6 @@ volumePermissions:
 ##
 serviceBindings:
 enabled: false
-
 ## Service account for PostgreSQL to use.
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
 ##
@@ -1415,10 +1472,8 @@ rbac:
 ##
 psp:
 create: false
-
 ## @section Metrics Parameters
 ##
-
 metrics:
 ## @param metrics.enabled Start a prometheus exporter
 ##
@@ -1433,7 +1488,7 @@ metrics:
 image:
 registry: docker.io
 repository: bitnami/postgres-exporter
- tag: 0.15.0-debian-11-r7
+ tag: 0.15.0-debian-12-r14
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
@@ -1477,6 +1532,7 @@ metrics:
 ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context
 ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param metrics.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
 ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged
 ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -1488,6 +1544,7 @@ metrics:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
+ runAsGroup: 0
 runAsNonRoot: true
 privileged: false
 readOnlyRootFilesystem: false
@@ -1555,12 +1612,21 @@ metrics:
 metrics: 9187
 ## PostgreSQL Prometheus exporter resource requests and limits
 ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
- ## @param metrics.resources.limits The resources limits for the PostgreSQL Prometheus exporter container
- ## @param metrics.resources.requests The requested resources for the PostgreSQL Prometheus exporter container
+ ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resources:
- limits: {}
- requests: {}
+ resourcesPreset: "none"
+ ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
 ## Service configuration
 ##
 service:
diff --git a/charts/bitnami/airflow/charts/redis/Chart.lock b/charts/bitnami/airflow/charts/redis/Chart.lock
index 01190b829..b57246baa 100644
--- a/charts/bitnami/airflow/charts/redis/Chart.lock
+++ b/charts/bitnami/airflow/charts/redis/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.14.1
-digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3
-generated: "2023-12-19T19:11:00.40217662Z"
+ version: 2.19.0
+digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
+generated: "2024-03-08T15:56:40.04210215Z"
diff --git a/charts/bitnami/airflow/charts/redis/Chart.yaml b/charts/bitnami/airflow/charts/redis/Chart.yaml
index 8714ffa06..b72d1d5c4 100644
--- a/charts/bitnami/airflow/charts/redis/Chart.yaml
+++ b/charts/bitnami/airflow/charts/redis/Chart.yaml
@@ -1,14 +1,16 @@
 annotations:
 category: Database
 images: |
+ - name: kubectl
+ image: docker.io/bitnami/kubectl:1.29.2-debian-12-r3
 - name: os-shell
- image: docker.io/bitnami/os-shell:11-debian-11-r96
- - name: redis-exporter
- image: docker.io/bitnami/redis-exporter:1.57.0-debian-11-r2
- - name: redis-sentinel
- image: docker.io/bitnami/redis-sentinel:7.2.4-debian-11-r6
+ image: docker.io/bitnami/os-shell:12-debian-12-r16
 - name: redis
- image: docker.io/bitnami/redis:7.2.4-debian-11-r5
+ image: docker.io/bitnami/redis:7.2.4-debian-12-r9
+ - name: redis-exporter
+ image: docker.io/bitnami/redis-exporter:1.58.0-debian-12-r4
+ - name: redis-sentinel
+ image: docker.io/bitnami/redis-sentinel:7.2.4-debian-12-r7
 licenses: Apache-2.0
 apiVersion: v2
 appVersion: 7.2.4
@@ -33,4 +35,4 @@ maintainers:
 name: redis
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/redis
-version: 18.13.0
+version: 18.19.2
diff --git a/charts/bitnami/airflow/charts/redis/README.md b/charts/bitnami/airflow/charts/redis/README.md
index 1a9971d14..8cac98b7e 100644
--- a/charts/bitnami/airflow/charts/redis/README.md
+++ b/charts/bitnami/airflow/charts/redis/README.md
@@ -71,12 +71,13 @@ The command removes all the Kubernetes components associated with the chart and ### Global parameters -| Name | Description | Value | -| ------------------------- | ------------------------------------------------------ | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.redis.password` | Global Redis® password (overrides `auth.password`) | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.redis.password` | Global Redis® password (overrides `auth.password`) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | ### Common parameters 
@@ -120,342 +121,347 @@ The command removes all the Kubernetes components associated with the chart and | `auth.existingSecret` | The name of an existing secret with Redis® credentials | `""` | | `auth.existingSecretPasswordKey` | Password key to be retrieved from existing secret | `""` | | `auth.usePasswordFiles` | Mount credentials as files instead of using an environment variable | `false` | +| `auth.usePasswordFileFromSecret` | Mount password file from secret | `true` | | `commonConfiguration` | Common configuration to be added into the ConfigMap | `""` | | `existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Redis® nodes | `""` | ### Redis® master configuration parameters -| Name | Description | Value | -| ---------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------ | -| `master.count` | Number of Redis® master instances to deploy (experimental, requires additional configuration) | `1` | -| `master.configuration` | Configuration for Redis® master nodes | `""` | -| `master.disableCommands` | Array with Redis® commands to disable on master nodes | `["FLUSHDB","FLUSHALL"]` | -| `master.command` | Override default container command (useful when using custom images) | `[]` | -| `master.args` | Override default container args (useful when using custom images) | `[]` | -| `master.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | -| `master.preExecCmds` | Additional commands to run prior to starting Redis® master | `[]` | -| `master.extraFlags` | Array with additional command line flags for Redis® master | `[]` | -| `master.extraEnvVars` | Array with extra environment variables to add to Redis® master nodes | `[]` | -| `master.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® master nodes | `""` | -| 
`master.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® master nodes | `""` | -| `master.containerPorts.redis` | Container port to open on Redis® master nodes | `6379` | -| `master.startupProbe.enabled` | Enable startupProbe on Redis® master nodes | `false` | -| `master.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `20` | -| `master.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` | -| `master.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `master.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` | -| `master.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `master.livenessProbe.enabled` | Enable livenessProbe on Redis® master nodes | `true` | -| `master.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` | -| `master.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | -| `master.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `master.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | -| `master.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `master.readinessProbe.enabled` | Enable readinessProbe on Redis® master nodes | `true` | -| `master.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` | -| `master.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | -| `master.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `master.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` | -| `master.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `master.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `master.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| 
`master.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `master.resources.limits` | The resources limits for the Redis® master containers | `{}` | -| `master.resources.requests` | The requested resources for the Redis® master containers | `{}` | -| `master.podSecurityContext.enabled` | Enabled Redis® master pods' Security Context | `true` | -| `master.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `master.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `master.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `master.podSecurityContext.fsGroup` | Set Redis® master pod's Security Context fsGroup | `1001` | -| `master.containerSecurityContext.enabled` | Enabled Redis® master containers' Security Context | `true` | -| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `master.containerSecurityContext.runAsUser` | Set Redis® master containers' Security Context runAsUser | `1001` | -| `master.containerSecurityContext.runAsGroup` | Set Redis® master containers' Security Context runAsGroup | `0` | -| `master.containerSecurityContext.runAsNonRoot` | Set Redis® master containers' Security Context runAsNonRoot | `true` | -| `master.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate Redis® pod(s) privileges | `false` | -| `master.containerSecurityContext.seccompProfile.type` | Set Redis® master containers' Security Context seccompProfile | `RuntimeDefault` | -| `master.containerSecurityContext.capabilities.drop` | Set Redis® master containers' Security Context capabilities to drop | `["ALL"]` | -| `master.kind` | Use either Deployment, StatefulSet (default) or DaemonSet | `StatefulSet` | -| `master.schedulerName` | Alternate scheduler for Redis® master pods | `""` | -| `master.updateStrategy.type` | Redis® master statefulset strategy type | 
`RollingUpdate` | -| `master.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` | -| `master.priorityClassName` | Redis® master pods' priorityClassName | `""` | -| `master.automountServiceAccountToken` | Mount Service Account token in pod | `false` | -| `master.hostAliases` | Redis® master pods host aliases | `[]` | -| `master.podLabels` | Extra labels for Redis® master pods | `{}` | -| `master.podAnnotations` | Annotations for Redis® master pods | `{}` | -| `master.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® master pods | `false` | -| `master.podAffinityPreset` | Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `master.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `master.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `master.nodeAffinityPreset.key` | Node label key to match. Ignored if `master.affinity` is set | `""` | -| `master.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `master.affinity` is set | `[]` | -| `master.affinity` | Affinity for Redis® master pods assignment | `{}` | -| `master.nodeSelector` | Node labels for Redis® master pods assignment | `{}` | -| `master.tolerations` | Tolerations for Redis® master pods assignment | `[]` | -| `master.topologySpreadConstraints` | Spread Constraints for Redis® master pod assignment | `[]` | -| `master.dnsPolicy` | DNS Policy for Redis® master pod | `""` | -| `master.dnsConfig` | DNS Configuration for Redis® master pod | `{}` | -| `master.lifecycleHooks` | for the Redis® master container(s) to automate configuration before or after startup | `{}` | -| `master.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® master pod(s) | `[]` | -| `master.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® master container(s) | `[]` | -| `master.sidecars` | Add additional sidecar containers to the Redis® master pod(s) | `[]` | -| `master.initContainers` | Add additional init containers to the Redis® master pod(s) | `[]` | -| `master.persistence.enabled` | Enable persistence on Redis® master nodes using Persistent Volume Claims | `true` | -| `master.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | -| `master.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. 
| `""` | -| `master.persistence.path` | The path the volume will be mounted at on Redis® master containers | `/data` | -| `master.persistence.subPath` | The subdirectory of the volume to mount on Redis® master containers | `""` | -| `master.persistence.subPathExpr` | Used to construct the subPath subdirectory of the volume to mount on Redis® master containers | `""` | -| `master.persistence.storageClass` | Persistent Volume storage class | `""` | -| `master.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | -| `master.persistence.size` | Persistent Volume size | `8Gi` | -| `master.persistence.annotations` | Additional custom annotations for the PVC | `{}` | -| `master.persistence.labels` | Additional custom labels for the PVC | `{}` | -| `master.persistence.selector` | Additional labels to match for the PVC | `{}` | -| `master.persistence.dataSource` | Custom PVC data source | `{}` | -| `master.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` | -| `master.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` | -| `master.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | -| `master.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | -| `master.service.type` | Redis® master service type | `ClusterIP` | -| `master.service.ports.redis` | Redis® master service port | `6379` | -| `master.service.nodePorts.redis` | Node port for Redis® master | `""` | -| `master.service.externalTrafficPolicy` | Redis® master service external traffic policy | `Cluster` | -| `master.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `master.service.internalTrafficPolicy` | Redis® master service internal traffic 
policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` |
-| `master.service.clusterIP` | Redis® master service Cluster IP | `""` |
-| `master.service.loadBalancerIP` | Redis® master service Load Balancer IP | `""` |
-| `master.service.loadBalancerClass` | master service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
-| `master.service.loadBalancerSourceRanges` | Redis® master service Load Balancer sources | `[]` |
-| `master.service.externalIPs` | Redis® master service External IPs | `[]` |
-| `master.service.annotations` | Additional custom annotations for Redis® master service | `{}` |
-| `master.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
-| `master.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
-| `master.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-master pods | `30` |
-| `master.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
-| `master.serviceAccount.name` | The name of the ServiceAccount to use. 
| `""` |
-| `master.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` |
-| `master.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
+| Name | Description | Value |
+| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------ |
+| `master.count` | Number of Redis® master instances to deploy (experimental, requires additional configuration) | `1` |
+| `master.configuration` | Configuration for Redis® master nodes | `""` |
+| `master.disableCommands` | Array with Redis® commands to disable on master nodes | `["FLUSHDB","FLUSHALL"]` |
+| `master.command` | Override default container command (useful when using custom images) | `[]` |
+| `master.args` | Override default container args (useful when using custom images) | `[]` |
+| `master.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` |
+| `master.preExecCmds` | Additional commands to run prior to starting Redis® master | `[]` |
+| `master.extraFlags` | Array with additional command line flags for Redis® master | `[]` |
+| `master.extraEnvVars` | Array with extra environment variables to add to Redis® master nodes | `[]` |
+| `master.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® master nodes | `""` |
+| `master.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® master nodes | `""` |
+| `master.containerPorts.redis` | Container port to open on Redis® master nodes | `6379` |
+| `master.startupProbe.enabled` | Enable startupProbe on Redis® master nodes | `false` |
+| `master.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | 
`20` |
+| `master.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` |
+| `master.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
+| `master.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` |
+| `master.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `master.livenessProbe.enabled` | Enable livenessProbe on Redis® master nodes | `true` |
+| `master.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` |
+| `master.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` |
+| `master.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `master.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
+| `master.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `master.readinessProbe.enabled` | Enable readinessProbe on Redis® master nodes | `true` |
+| `master.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` |
+| `master.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
+| `master.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
+| `master.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` |
+| `master.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `master.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `master.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `master.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `master.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). 
| `none` |
+| `master.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `master.podSecurityContext.enabled` | Enabled Redis® master pods' Security Context | `true` |
+| `master.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `master.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `master.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `master.podSecurityContext.fsGroup` | Set Redis® master pod's Security Context fsGroup | `1001` |
+| `master.containerSecurityContext.enabled` | Enabled Redis® master containers' Security Context | `true` |
+| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `master.containerSecurityContext.runAsUser` | Set Redis® master containers' Security Context runAsUser | `1001` |
+| `master.containerSecurityContext.runAsGroup` | Set Redis® master containers' Security Context runAsGroup | `0` |
+| `master.containerSecurityContext.runAsNonRoot` | Set Redis® master containers' Security Context runAsNonRoot | `true` |
+| `master.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate Redis® pod(s) privileges | `false` |
+| `master.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
+| `master.containerSecurityContext.seccompProfile.type` | Set Redis® master containers' Security Context seccompProfile | `RuntimeDefault` |
+| `master.containerSecurityContext.capabilities.drop` | Set Redis® master containers' Security Context capabilities to drop | `["ALL"]` |
+| `master.kind` | Use either Deployment, StatefulSet (default) or DaemonSet | `StatefulSet` |
+| `master.schedulerName` | Alternate scheduler for Redis® master pods | `""` |
+| `master.updateStrategy.type` | Redis® master statefulset strategy type | 
`RollingUpdate` |
+| `master.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` |
+| `master.priorityClassName` | Redis® master pods' priorityClassName | `""` |
+| `master.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
+| `master.hostAliases` | Redis® master pods host aliases | `[]` |
+| `master.podLabels` | Extra labels for Redis® master pods | `{}` |
+| `master.podAnnotations` | Annotations for Redis® master pods | `{}` |
+| `master.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® master pods | `false` |
+| `master.podAffinityPreset` | Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `master.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `master.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `master.nodeAffinityPreset.key` | Node label key to match. Ignored if `master.affinity` is set | `""` |
+| `master.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `master.affinity` is set | `[]` |
+| `master.affinity` | Affinity for Redis® master pods assignment | `{}` |
+| `master.nodeSelector` | Node labels for Redis® master pods assignment | `{}` |
+| `master.tolerations` | Tolerations for Redis® master pods assignment | `[]` |
+| `master.topologySpreadConstraints` | Spread Constraints for Redis® master pod assignment | `[]` |
+| `master.dnsPolicy` | DNS Policy for Redis® master pod | `""` |
+| `master.dnsConfig` | DNS Configuration for Redis® master pod | `{}` |
+| `master.lifecycleHooks` | for the Redis® master container(s) to automate configuration before or after startup | `{}` |
+| `master.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® master pod(s) | `[]` |
+| `master.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® master container(s) | `[]` |
+| `master.sidecars` | Add additional sidecar containers to the Redis® master pod(s) | `[]` |
+| `master.initContainers` | Add additional init containers to the Redis® master pod(s) | `[]` |
+| `master.persistence.enabled` | Enable persistence on Redis® master nodes using Persistent Volume Claims | `true` |
+| `master.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
+| `master.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. 
| `""` |
+| `master.persistence.path` | The path the volume will be mounted at on Redis® master containers | `/data` |
+| `master.persistence.subPath` | The subdirectory of the volume to mount on Redis® master containers | `""` |
+| `master.persistence.subPathExpr` | Used to construct the subPath subdirectory of the volume to mount on Redis® master containers | `""` |
+| `master.persistence.storageClass` | Persistent Volume storage class | `""` |
+| `master.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` |
+| `master.persistence.size` | Persistent Volume size | `8Gi` |
+| `master.persistence.annotations` | Additional custom annotations for the PVC | `{}` |
+| `master.persistence.labels` | Additional custom labels for the PVC | `{}` |
+| `master.persistence.selector` | Additional labels to match for the PVC | `{}` |
+| `master.persistence.dataSource` | Custom PVC data source | `{}` |
+| `master.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` |
+| `master.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` |
+| `master.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
+| `master.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
+| `master.service.type` | Redis® master service type | `ClusterIP` |
+| `master.service.ports.redis` | Redis® master service port | `6379` |
+| `master.service.nodePorts.redis` | Node port for Redis® master | `""` |
+| `master.service.externalTrafficPolicy` | Redis® master service external traffic policy | `Cluster` |
+| `master.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `master.service.internalTrafficPolicy` | Redis® master service internal traffic 
policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` |
+| `master.service.clusterIP` | Redis® master service Cluster IP | `""` |
+| `master.service.loadBalancerIP` | Redis® master service Load Balancer IP | `""` |
+| `master.service.loadBalancerClass` | master service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
+| `master.service.loadBalancerSourceRanges` | Redis® master service Load Balancer sources | `[]` |
+| `master.service.externalIPs` | Redis® master service External IPs | `[]` |
+| `master.service.annotations` | Additional custom annotations for Redis® master service | `{}` |
+| `master.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
+| `master.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `master.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-master pods | `30` |
+| `master.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
+| `master.serviceAccount.name` | The name of the ServiceAccount to use. 
| `""` |
+| `master.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` |
+| `master.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
 ### Redis® replicas configuration parameters
-| Name | Description | Value |
-| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------ |
-| `replica.kind` | Use either DaemonSet or StatefulSet (default) | `StatefulSet` |
-| `replica.replicaCount` | Number of Redis® replicas to deploy | `3` |
-| `replica.configuration` | Configuration for Redis® replicas nodes | `""` |
-| `replica.disableCommands` | Array with Redis® commands to disable on replicas nodes | `["FLUSHDB","FLUSHALL"]` |
-| `replica.command` | Override default container command (useful when using custom images) | `[]` |
-| `replica.args` | Override default container args (useful when using custom images) | `[]` |
-| `replica.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` |
-| `replica.preExecCmds` | Additional commands to run prior to starting Redis® replicas | `[]` |
-| `replica.extraFlags` | Array with additional command line flags for Redis® replicas | `[]` |
-| `replica.extraEnvVars` | Array with extra environment variables to add to Redis® replicas nodes | `[]` |
-| `replica.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® replicas nodes | `""` |
-| `replica.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® replicas nodes | `""` |
-| `replica.externalMaster.enabled` | Use external master for bootstrapping | `false` |
-| `replica.externalMaster.host` | External master host to bootstrap from | `""` |
-| `replica.externalMaster.port` | Port for Redis service external master host | `6379` |
-| 
`replica.containerPorts.redis` | Container port to open on Redis® replicas nodes | `6379` |
-| `replica.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `true` |
-| `replica.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
-| `replica.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
-| `replica.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
-| `replica.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` |
-| `replica.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `replica.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` |
-| `replica.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` |
-| `replica.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` |
-| `replica.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `replica.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
-| `replica.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `replica.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` |
-| `replica.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` |
-| `replica.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
-| `replica.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
-| `replica.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` |
-| `replica.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `replica.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
-| `replica.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
-| `replica.customReadinessProbe` | Custom readinessProbe that overrides the default one 
| `{}` |
-| `replica.resources.limits` | The resources limits for the Redis® replicas containers | `{}` |
-| `replica.resources.requests` | The requested resources for the Redis® replicas containers | `{}` |
-| `replica.podSecurityContext.enabled` | Enabled Redis® replicas pods' Security Context | `true` |
-| `replica.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
-| `replica.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
-| `replica.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
-| `replica.podSecurityContext.fsGroup` | Set Redis® replicas pod's Security Context fsGroup | `1001` |
-| `replica.containerSecurityContext.enabled` | Enabled Redis® replicas containers' Security Context | `true` |
-| `replica.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `replica.containerSecurityContext.runAsUser` | Set Redis® replicas containers' Security Context runAsUser | `1001` |
-| `replica.containerSecurityContext.runAsGroup` | Set Redis® replicas containers' Security Context runAsGroup | `0` |
-| `replica.containerSecurityContext.runAsNonRoot` | Set Redis® replicas containers' Security Context runAsNonRoot | `true` |
-| `replica.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® replicas pod's Security Context allowPrivilegeEscalation | `false` |
-| `replica.containerSecurityContext.seccompProfile.type` | Set Redis® replicas containers' Security Context seccompProfile | `RuntimeDefault` |
-| `replica.containerSecurityContext.capabilities.drop` | Set Redis® replicas containers' Security Context capabilities to drop | `["ALL"]` |
-| `replica.schedulerName` | Alternate scheduler for Redis® replicas pods | `""` |
-| `replica.updateStrategy.type` | Redis® replicas statefulset strategy type | `RollingUpdate` |
-| `replica.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update 
| `0` |
-| `replica.priorityClassName` | Redis® replicas pods' priorityClassName | `""` |
-| `replica.podManagementPolicy` | podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods | `""` |
-| `replica.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
-| `replica.hostAliases` | Redis® replicas pods host aliases | `[]` |
-| `replica.podLabels` | Extra labels for Redis® replicas pods | `{}` |
-| `replica.podAnnotations` | Annotations for Redis® replicas pods | `{}` |
-| `replica.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® replicas pods | `false` |
-| `replica.podAffinityPreset` | Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `replica.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
-| `replica.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `replica.nodeAffinityPreset.key` | Node label key to match. Ignored if `replica.affinity` is set | `""` |
-| `replica.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `replica.affinity` is set | `[]` |
-| `replica.affinity` | Affinity for Redis® replicas pods assignment | `{}` |
-| `replica.nodeSelector` | Node labels for Redis® replicas pods assignment | `{}` |
-| `replica.tolerations` | Tolerations for Redis® replicas pods assignment | `[]` |
-| `replica.topologySpreadConstraints` | Spread Constraints for Redis® replicas pod assignment | `[]` |
-| `replica.dnsPolicy` | DNS Policy for Redis® replica pods | `""` |
-| `replica.dnsConfig` | DNS Configuration for Redis® replica pods | `{}` |
-| `replica.lifecycleHooks` | for the Redis® replica container(s) to automate configuration before or after startup | `{}` |
-| `replica.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® replicas pod(s) | `[]` |
-| `replica.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® replicas container(s) | `[]` |
-| `replica.sidecars` | Add additional sidecar containers to the Redis® replicas pod(s) | `[]` |
-| `replica.initContainers` | Add additional init containers to the Redis® replicas pod(s) | `[]` |
-| `replica.persistence.enabled` | Enable persistence on Redis® replicas nodes using Persistent Volume Claims | `true` |
-| `replica.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
-| `replica.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. 
| `""` |
-| `replica.persistence.path` | The path the volume will be mounted at on Redis® replicas containers | `/data` |
-| `replica.persistence.subPath` | The subdirectory of the volume to mount on Redis® replicas containers | `""` |
-| `replica.persistence.subPathExpr` | Used to construct the subPath subdirectory of the volume to mount on Redis® replicas containers | `""` |
-| `replica.persistence.storageClass` | Persistent Volume storage class | `""` |
-| `replica.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` |
-| `replica.persistence.size` | Persistent Volume size | `8Gi` |
-| `replica.persistence.annotations` | Additional custom annotations for the PVC | `{}` |
-| `replica.persistence.labels` | Additional custom labels for the PVC | `{}` |
-| `replica.persistence.selector` | Additional labels to match for the PVC | `{}` |
-| `replica.persistence.dataSource` | Custom PVC data source | `{}` |
-| `replica.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` |
-| `replica.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` |
-| `replica.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
-| `replica.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
-| `replica.service.type` | Redis® replicas service type | `ClusterIP` |
-| `replica.service.ports.redis` | Redis® replicas service port | `6379` |
-| `replica.service.nodePorts.redis` | Node port for Redis® replicas | `""` |
-| `replica.service.externalTrafficPolicy` | Redis® replicas service external traffic policy | `Cluster` |
-| `replica.service.internalTrafficPolicy` | Redis® replicas service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` |
-| `replica.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
-| `replica.service.clusterIP` | Redis® replicas service Cluster IP | `""` |
-| `replica.service.loadBalancerIP` | Redis® replicas service Load Balancer IP | `""` |
-| `replica.service.loadBalancerClass` | replicas service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
-| `replica.service.loadBalancerSourceRanges` | Redis® replicas service Load Balancer sources | `[]` |
-| `replica.service.annotations` | Additional custom annotations for Redis® replicas service | `{}` |
-| `replica.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
-| `replica.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
-| `replica.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-replicas pods | `30` |
-| `replica.autoscaling.enabled` | Enable replica autoscaling settings | `false` |
-| `replica.autoscaling.minReplicas` | Minimum replicas for the pod autoscaling | `1` |
-| `replica.autoscaling.maxReplicas` | Maximum replicas for the pod autoscaling | `11` |
-| `replica.autoscaling.targetCPU` | Percentage of CPU to consider when autoscaling | `""` |
-| `replica.autoscaling.targetMemory` | Percentage of Memory to consider when autoscaling | `""` |
-| `replica.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
-| `replica.serviceAccount.name` | The name of the ServiceAccount to use. 
| `""` |
-| `replica.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` |
-| `replica.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
+| Name | Description | Value |
+| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
+| `replica.kind` | Use either DaemonSet or StatefulSet (default) | `StatefulSet` |
+| `replica.replicaCount` | Number of Redis® replicas to deploy | `3` |
+| `replica.configuration` | Configuration for Redis® replicas nodes | `""` |
+| `replica.disableCommands` | Array with Redis® commands to disable on replicas nodes | `["FLUSHDB","FLUSHALL"]` |
+| `replica.command` | Override default container command (useful when using custom images) | `[]` |
+| `replica.args` | Override default container args (useful when using custom images) | `[]` |
+| `replica.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` |
+| `replica.preExecCmds` | Additional commands to run prior to starting Redis® replicas | `[]` |
+| `replica.extraFlags` | Array with additional command line flags for Redis® replicas | `[]` |
+| `replica.extraEnvVars` | Array with extra environment variables to add to Redis® replicas nodes | `[]` |
+| `replica.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® replicas nodes | `""` |
+| `replica.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® replicas nodes | `""` |
+| `replica.externalMaster.enabled` | Use external master for bootstrapping | `false` |
+| `replica.externalMaster.host` | External master host to bootstrap from | `""` |
+| `replica.externalMaster.port` | 
Port for Redis service external master host | `6379` |
+| `replica.containerPorts.redis` | Container port to open on Redis® replicas nodes | `6379` |
+| `replica.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `true` |
+| `replica.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
+| `replica.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `replica.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
+| `replica.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` |
+| `replica.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `replica.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` |
+| `replica.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` |
+| `replica.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` |
+| `replica.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `replica.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
+| `replica.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `replica.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` |
+| `replica.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` |
+| `replica.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
+| `replica.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
+| `replica.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` |
+| `replica.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `replica.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `replica.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| 
`replica.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `replica.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if replica.resources is set (replica.resources is recommended for production). | `none` |
+| `replica.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `replica.podSecurityContext.enabled` | Enabled Redis® replicas pods' Security Context | `true` |
+| `replica.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `replica.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `replica.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `replica.podSecurityContext.fsGroup` | Set Redis® replicas pod's Security Context fsGroup | `1001` |
+| `replica.containerSecurityContext.enabled` | Enabled Redis® replicas containers' Security Context | `true` |
+| `replica.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `replica.containerSecurityContext.runAsUser` | Set Redis® replicas containers' Security Context runAsUser | `1001` |
+| `replica.containerSecurityContext.runAsGroup` | Set Redis® replicas containers' Security Context runAsGroup | `0` |
+| `replica.containerSecurityContext.runAsNonRoot` | Set Redis® replicas containers' Security Context runAsNonRoot | `true` |
+| `replica.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® replicas pod's Security Context allowPrivilegeEscalation | `false` |
+| `replica.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
+| `replica.containerSecurityContext.seccompProfile.type` | Set Redis® replicas containers' Security Context seccompProfile | `RuntimeDefault` |
+| 
`replica.containerSecurityContext.capabilities.drop` | Set Redis® replicas containers' Security Context capabilities to drop | `["ALL"]` |
+| `replica.schedulerName` | Alternate scheduler for Redis® replicas pods | `""` |
+| `replica.updateStrategy.type` | Redis® replicas statefulset strategy type | `RollingUpdate` |
+| `replica.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` |
+| `replica.priorityClassName` | Redis® replicas pods' priorityClassName | `""` |
+| `replica.podManagementPolicy` | podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods | `""` |
+| `replica.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
+| `replica.hostAliases` | Redis® replicas pods host aliases | `[]` |
+| `replica.podLabels` | Extra labels for Redis® replicas pods | `{}` |
+| `replica.podAnnotations` | Annotations for Redis® replicas pods | `{}` |
+| `replica.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® replicas pods | `false` |
+| `replica.podAffinityPreset` | Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `replica.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `replica.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `replica.nodeAffinityPreset.key` | Node label key to match. Ignored if `replica.affinity` is set | `""` |
+| `replica.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `replica.affinity` is set | `[]` | +| `replica.affinity` | Affinity for Redis® replicas pods assignment | `{}` | +| `replica.nodeSelector` | Node labels for Redis® replicas pods assignment | `{}` | +| `replica.tolerations` | Tolerations for Redis® replicas pods assignment | `[]` | +| `replica.topologySpreadConstraints` | Spread Constraints for Redis® replicas pod assignment | `[]` | +| `replica.dnsPolicy` | DNS Policy for Redis® replica pods | `""` | +| `replica.dnsConfig` | DNS Configuration for Redis® replica pods | `{}` | +| `replica.lifecycleHooks` | for the Redis® replica container(s) to automate configuration before or after startup | `{}` | +| `replica.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® replicas pod(s) | `[]` | +| `replica.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® replicas container(s) | `[]` | +| `replica.sidecars` | Add additional sidecar containers to the Redis® replicas pod(s) | `[]` | +| `replica.initContainers` | Add additional init containers to the Redis® replicas pod(s) | `[]` | +| `replica.persistence.enabled` | Enable persistence on Redis® replicas nodes using Persistent Volume Claims | `true` | +| `replica.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `replica.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. 
| `""` | +| `replica.persistence.path` | The path the volume will be mounted at on Redis® replicas containers | `/data` | +| `replica.persistence.subPath` | The subdirectory of the volume to mount on Redis® replicas containers | `""` | +| `replica.persistence.subPathExpr` | Used to construct the subPath subdirectory of the volume to mount on Redis® replicas containers | `""` | +| `replica.persistence.storageClass` | Persistent Volume storage class | `""` | +| `replica.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | +| `replica.persistence.size` | Persistent Volume size | `8Gi` | +| `replica.persistence.annotations` | Additional custom annotations for the PVC | `{}` | +| `replica.persistence.labels` | Additional custom labels for the PVC | `{}` | +| `replica.persistence.selector` | Additional labels to match for the PVC | `{}` | +| `replica.persistence.dataSource` | Custom PVC data source | `{}` | +| `replica.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` | +| `replica.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` | +| `replica.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `replica.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | +| `replica.service.type` | Redis® replicas service type | `ClusterIP` | +| `replica.service.ports.redis` | Redis® replicas service port | `6379` | +| `replica.service.nodePorts.redis` | Node port for Redis® replicas | `""` | +| `replica.service.externalTrafficPolicy` | Redis® replicas service external traffic policy | `Cluster` | +| `replica.service.internalTrafficPolicy` | Redis® replicas service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` | 
+| `replica.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `replica.service.clusterIP` | Redis® replicas service Cluster IP | `""` | +| `replica.service.loadBalancerIP` | Redis® replicas service Load Balancer IP | `""` | +| `replica.service.loadBalancerClass` | replicas service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | +| `replica.service.loadBalancerSourceRanges` | Redis® replicas service Load Balancer sources | `[]` | +| `replica.service.annotations` | Additional custom annotations for Redis® replicas service | `{}` | +| `replica.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `replica.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `replica.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-replicas pods | `30` | +| `replica.autoscaling.enabled` | Enable replica autoscaling settings | `false` | +| `replica.autoscaling.minReplicas` | Minimum replicas for the pod autoscaling | `1` | +| `replica.autoscaling.maxReplicas` | Maximum replicas for the pod autoscaling | `11` | +| `replica.autoscaling.targetCPU` | Percentage of CPU to consider when autoscaling | `""` | +| `replica.autoscaling.targetMemory` | Percentage of Memory to consider when autoscaling | `""` | +| `replica.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `replica.serviceAccount.name` | The name of the ServiceAccount to use. 
| `""` | +| `replica.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` | +| `replica.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | ### Redis® Sentinel configuration parameters -| Name | Description | Value | -| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | -| `sentinel.enabled` | Use Redis® Sentinel on Redis® pods. | `false` | -| `sentinel.image.registry` | Redis® Sentinel image registry | `REGISTRY_NAME` | -| `sentinel.image.repository` | Redis® Sentinel image repository | `REPOSITORY_NAME/redis-sentinel` | -| `sentinel.image.digest` | Redis® Sentinel image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `sentinel.image.pullPolicy` | Redis® Sentinel image pull policy | `IfNotPresent` | -| `sentinel.image.pullSecrets` | Redis® Sentinel image pull secrets | `[]` | -| `sentinel.image.debug` | Enable image debug mode | `false` | -| `sentinel.annotations` | Additional custom annotations for Redis® Sentinel resource | `{}` | -| `sentinel.masterSet` | Master set name | `mymaster` | -| `sentinel.quorum` | Sentinel Quorum | `2` | -| `sentinel.getMasterTimeout` | Amount of time to allow before get_sentinel_master_info() times out. | `90` | -| `sentinel.automateClusterRecovery` | Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. | `false` | -| `sentinel.redisShutdownWaitFailover` | Whether the Redis® master container waits for the failover at shutdown (in addition to the Redis® Sentinel container). 
| `true` | -| `sentinel.downAfterMilliseconds` | Timeout for detecting a Redis® node is down | `60000` | -| `sentinel.failoverTimeout` | Timeout for performing a election failover | `180000` | -| `sentinel.parallelSyncs` | Number of replicas that can be reconfigured in parallel to use the new master after a failover | `1` | -| `sentinel.configuration` | Configuration for Redis® Sentinel nodes | `""` | -| `sentinel.command` | Override default container command (useful when using custom images) | `[]` | -| `sentinel.args` | Override default container args (useful when using custom images) | `[]` | -| `sentinel.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | -| `sentinel.preExecCmds` | Additional commands to run prior to starting Redis® Sentinel | `[]` | -| `sentinel.extraEnvVars` | Array with extra environment variables to add to Redis® Sentinel nodes | `[]` | -| `sentinel.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® Sentinel nodes | `""` | -| `sentinel.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® Sentinel nodes | `""` | -| `sentinel.externalMaster.enabled` | Use external master for bootstrapping | `false` | -| `sentinel.externalMaster.host` | External master host to bootstrap from | `""` | -| `sentinel.externalMaster.port` | Port for Redis service external master host | `6379` | -| `sentinel.containerPorts.sentinel` | Container port to open on Redis® Sentinel nodes | `26379` | -| `sentinel.startupProbe.enabled` | Enable startupProbe on Redis® Sentinel nodes | `true` | -| `sentinel.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | -| `sentinel.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `sentinel.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `sentinel.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` | -| 
`sentinel.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `sentinel.livenessProbe.enabled` | Enable livenessProbe on Redis® Sentinel nodes | `true` | -| `sentinel.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` | -| `sentinel.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `sentinel.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `sentinel.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | -| `sentinel.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `sentinel.readinessProbe.enabled` | Enable readinessProbe on Redis® Sentinel nodes | `true` | -| `sentinel.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` | -| `sentinel.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | -| `sentinel.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `sentinel.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `sentinel.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `sentinel.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `sentinel.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `sentinel.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `sentinel.persistence.enabled` | Enable persistence on Redis® sentinel nodes using Persistent Volume Claims (Experimental) | `false` | -| `sentinel.persistence.storageClass` | Persistent Volume storage class | `""` | -| `sentinel.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | -| `sentinel.persistence.size` | Persistent Volume size | `100Mi` | -| `sentinel.persistence.annotations` | Additional custom annotations for the PVC | `{}` | -| `sentinel.persistence.labels` | 
Additional custom labels for the PVC | `{}` | -| `sentinel.persistence.selector` | Additional labels to match for the PVC | `{}` | -| `sentinel.persistence.dataSource` | Custom PVC data source | `{}` | -| `sentinel.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | -| `sentinel.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. | `""` | -| `sentinel.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` | -| `sentinel.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | -| `sentinel.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | -| `sentinel.resources.limits` | The resources limits for the Redis® Sentinel containers | `{}` | -| `sentinel.resources.requests` | The requested resources for the Redis® Sentinel containers | `{}` | -| `sentinel.containerSecurityContext.enabled` | Enabled Redis® Sentinel containers' Security Context | `true` | -| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `sentinel.containerSecurityContext.runAsUser` | Set Redis® Sentinel containers' Security Context runAsUser | `1001` | -| `sentinel.containerSecurityContext.runAsGroup` | Set Redis® Sentinel containers' Security Context runAsGroup | `0` | -| `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis® Sentinel containers' Security Context runAsNonRoot | `true` | -| `sentinel.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® Sentinel containers' Security Context allowPrivilegeEscalation | `false` | -| `sentinel.containerSecurityContext.seccompProfile.type` | Set Redis® Sentinel containers' Security Context seccompProfile | `RuntimeDefault` | -| `sentinel.containerSecurityContext.capabilities.drop` | Set Redis® 
Sentinel containers' Security Context capabilities to drop | `["ALL"]` | -| `sentinel.lifecycleHooks` | for the Redis® sentinel container(s) to automate configuration before or after startup | `{}` | -| `sentinel.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® Sentinel | `[]` | -| `sentinel.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® Sentinel container(s) | `[]` | -| `sentinel.service.type` | Redis® Sentinel service type | `ClusterIP` | -| `sentinel.service.ports.redis` | Redis® service port for Redis® | `6379` | -| `sentinel.service.ports.sentinel` | Redis® service port for Redis® Sentinel | `26379` | -| `sentinel.service.nodePorts.redis` | Node port for Redis® | `""` | -| `sentinel.service.nodePorts.sentinel` | Node port for Sentinel | `""` | -| `sentinel.service.externalTrafficPolicy` | Redis® Sentinel service external traffic policy | `Cluster` | -| `sentinel.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `sentinel.service.clusterIP` | Redis® Sentinel service Cluster IP | `""` | -| `sentinel.service.loadBalancerIP` | Redis® Sentinel service Load Balancer IP | `""` | -| `sentinel.service.loadBalancerClass` | sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | -| `sentinel.service.loadBalancerSourceRanges` | Redis® Sentinel service Load Balancer sources | `[]` | -| `sentinel.service.annotations` | Additional custom annotations for Redis® Sentinel service | `{}` | -| `sentinel.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `sentinel.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `sentinel.service.headless.annotations` | Annotations for the headless service. 
| `{}` | -| `sentinel.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-node pods | `30` | +| Name | Description | Value | +| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | +| `sentinel.enabled` | Use Redis® Sentinel on Redis® pods. | `false` | +| `sentinel.image.registry` | Redis® Sentinel image registry | `REGISTRY_NAME` | +| `sentinel.image.repository` | Redis® Sentinel image repository | `REPOSITORY_NAME/redis-sentinel` | +| `sentinel.image.digest` | Redis® Sentinel image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `sentinel.image.pullPolicy` | Redis® Sentinel image pull policy | `IfNotPresent` | +| `sentinel.image.pullSecrets` | Redis® Sentinel image pull secrets | `[]` | +| `sentinel.image.debug` | Enable image debug mode | `false` | +| `sentinel.annotations` | Additional custom annotations for Redis® Sentinel resource | `{}` | +| `sentinel.masterSet` | Master set name | `mymaster` | +| `sentinel.quorum` | Sentinel Quorum | `2` | +| `sentinel.getMasterTimeout` | Amount of time to allow before get_sentinel_master_info() times out. | `90` | +| `sentinel.automateClusterRecovery` | Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. | `false` | +| `sentinel.redisShutdownWaitFailover` | Whether the Redis® master container waits for the failover at shutdown (in addition to the Redis® Sentinel container). 
| `true` | +| `sentinel.downAfterMilliseconds` | Timeout for detecting a Redis® node is down | `60000` | +| `sentinel.failoverTimeout` | Timeout for performing a election failover | `180000` | +| `sentinel.parallelSyncs` | Number of replicas that can be reconfigured in parallel to use the new master after a failover | `1` | +| `sentinel.configuration` | Configuration for Redis® Sentinel nodes | `""` | +| `sentinel.command` | Override default container command (useful when using custom images) | `[]` | +| `sentinel.args` | Override default container args (useful when using custom images) | `[]` | +| `sentinel.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | +| `sentinel.preExecCmds` | Additional commands to run prior to starting Redis® Sentinel | `[]` | +| `sentinel.extraEnvVars` | Array with extra environment variables to add to Redis® Sentinel nodes | `[]` | +| `sentinel.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® Sentinel nodes | `""` | +| `sentinel.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® Sentinel nodes | `""` | +| `sentinel.externalMaster.enabled` | Use external master for bootstrapping | `false` | +| `sentinel.externalMaster.host` | External master host to bootstrap from | `""` | +| `sentinel.externalMaster.port` | Port for Redis service external master host | `6379` | +| `sentinel.containerPorts.sentinel` | Container port to open on Redis® Sentinel nodes | `26379` | +| `sentinel.startupProbe.enabled` | Enable startupProbe on Redis® Sentinel nodes | `true` | +| `sentinel.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `sentinel.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `sentinel.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `sentinel.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` | +| 
`sentinel.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `sentinel.livenessProbe.enabled` | Enable livenessProbe on Redis® Sentinel nodes | `true` | +| `sentinel.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` | +| `sentinel.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `sentinel.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `sentinel.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `sentinel.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `sentinel.readinessProbe.enabled` | Enable readinessProbe on Redis® Sentinel nodes | `true` | +| `sentinel.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` | +| `sentinel.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `sentinel.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `sentinel.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `sentinel.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `sentinel.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `sentinel.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `sentinel.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `sentinel.persistence.enabled` | Enable persistence on Redis® sentinel nodes using Persistent Volume Claims (Experimental) | `false` | +| `sentinel.persistence.storageClass` | Persistent Volume storage class | `""` | +| `sentinel.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | +| `sentinel.persistence.size` | Persistent Volume size | `100Mi` | +| `sentinel.persistence.annotations` | Additional custom annotations for the PVC | `{}` | +| `sentinel.persistence.labels` | 
Additional custom labels for the PVC | `{}` | +| `sentinel.persistence.selector` | Additional labels to match for the PVC | `{}` | +| `sentinel.persistence.dataSource` | Custom PVC data source | `{}` | +| `sentinel.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `sentinel.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. | `""` | +| `sentinel.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` | +| `sentinel.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `sentinel.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | +| `sentinel.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sentinel.resources is set (sentinel.resources is recommended for production). 
| `none` | +| `sentinel.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `sentinel.containerSecurityContext.enabled` | Enabled Redis® Sentinel containers' Security Context | `true` | +| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `sentinel.containerSecurityContext.runAsUser` | Set Redis® Sentinel containers' Security Context runAsUser | `1001` | +| `sentinel.containerSecurityContext.runAsGroup` | Set Redis® Sentinel containers' Security Context runAsGroup | `0` | +| `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis® Sentinel containers' Security Context runAsNonRoot | `true` | +| `sentinel.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` | +| `sentinel.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® Sentinel containers' Security Context allowPrivilegeEscalation | `false` | +| `sentinel.containerSecurityContext.seccompProfile.type` | Set Redis® Sentinel containers' Security Context seccompProfile | `RuntimeDefault` | +| `sentinel.containerSecurityContext.capabilities.drop` | Set Redis® Sentinel containers' Security Context capabilities to drop | `["ALL"]` | +| `sentinel.lifecycleHooks` | for the Redis® sentinel container(s) to automate configuration before or after startup | `{}` | +| `sentinel.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® Sentinel | `[]` | +| `sentinel.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® Sentinel container(s) | `[]` | +| `sentinel.service.type` | Redis® Sentinel service type | `ClusterIP` | +| `sentinel.service.ports.redis` | Redis® service port for Redis® | `6379` | +| `sentinel.service.ports.sentinel` | Redis® service port for Redis® Sentinel | `26379` | +| `sentinel.service.nodePorts.redis` | Node port for Redis® | 
`""` | +| `sentinel.service.nodePorts.sentinel` | Node port for Sentinel | `""` | +| `sentinel.service.externalTrafficPolicy` | Redis® Sentinel service external traffic policy | `Cluster` | +| `sentinel.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `sentinel.service.clusterIP` | Redis® Sentinel service Cluster IP | `""` | +| `sentinel.service.createMaster` | Enable master service pointing to the current master (experimental) | `false` | +| `sentinel.service.loadBalancerIP` | Redis® Sentinel service Load Balancer IP | `""` | +| `sentinel.service.loadBalancerClass` | sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | +| `sentinel.service.loadBalancerSourceRanges` | Redis® Sentinel service Load Balancer sources | `[]` | +| `sentinel.service.annotations` | Additional custom annotations for Redis® Sentinel service | `{}` | +| `sentinel.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `sentinel.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `sentinel.service.headless.annotations` | Annotations for the headless service. | `{}` | +| `sentinel.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-node pods | `30` | ### Other Parameters 
@@ -495,119 +501,128 @@ The command removes all the Kubernetes components associated with the chart and ### Metrics Parameters -| Name | Description | Value | -| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | -| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis® metrics | `false` | -| `metrics.image.registry` | Redis® Exporter image registry | `REGISTRY_NAME` | -| `metrics.image.repository` | Redis® Exporter image repository | `REPOSITORY_NAME/redis-exporter` | -| `metrics.image.digest` | Redis® Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | Redis® Exporter image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Redis® Exporter image pull secrets | `[]` | -| `metrics.containerPorts.http` | Metrics HTTP container port | `9121` | -| `metrics.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `false` | -| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | -| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` | -| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `metrics.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` | -| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | -| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `metrics.livenessProbe.failureThreshold` | 
Failure threshold for livenessProbe | `5` | -| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `metrics.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `metrics.command` | Override default metrics container init command (useful when using custom images) | `[]` | -| `metrics.redisTargetHost` | A way to specify an alternative Redis® hostname | `localhost` | -| `metrics.extraArgs` | Extra arguments for Redis® exporter, for example: | `{}` | -| `metrics.extraEnvVars` | Array with extra environment variables to add to Redis® exporter | `[]` | -| `metrics.containerSecurityContext.enabled` | Enabled Redis® exporter containers' Security Context | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `metrics.containerSecurityContext.runAsUser` | Set Redis® exporter containers' Security Context runAsUser | `1001` | -| `metrics.containerSecurityContext.runAsGroup` | Set Redis® exporter containers' Security Context runAsGroup | `0` | -| `metrics.containerSecurityContext.runAsNonRoot` | Set Redis® exporter containers' Security Context runAsNonRoot | `true` | -| 
`metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® exporter containers' Security Context allowPrivilegeEscalation | `false` | -| `metrics.containerSecurityContext.seccompProfile.type` | Set Redis® exporter containers' Security Context seccompProfile | `RuntimeDefault` | -| `metrics.containerSecurityContext.capabilities.drop` | Set Redis® exporter containers' Security Context capabilities to drop | `["ALL"]` | -| `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® metrics sidecar | `[]` | -| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® metrics sidecar | `[]` | -| `metrics.resources.limits` | The resources limits for the Redis® exporter container | `{}` | -| `metrics.resources.requests` | The requested resources for the Redis® exporter container | `{}` | -| `metrics.podLabels` | Extra labels for Redis® exporter pods | `{}` | -| `metrics.podAnnotations` | Annotations for Redis® exporter pods | `{}` | -| `metrics.service.enabled` | Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor | `true` | -| `metrics.service.type` | Redis® exporter service type | `ClusterIP` | -| `metrics.service.ports.http` | Redis® exporter service port | `9121` | -| `metrics.service.externalTrafficPolicy` | Redis® exporter service external traffic policy | `Cluster` | -| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `metrics.service.loadBalancerIP` | Redis® exporter service Load Balancer IP | `""` | -| `metrics.service.loadBalancerClass` | exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | -| `metrics.service.loadBalancerSourceRanges` | Redis® exporter service Load Balancer sources | `[]` | -| `metrics.service.annotations` | Additional custom annotations for Redis® exporter service | `{}` 
| -| `metrics.service.clusterIP` | Redis® exporter service Cluster IP | `""` | -| `metrics.serviceMonitor.port` | the service port to scrape metrics from | `http-metrics` | -| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | -| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` | -| `metrics.serviceMonitor.interval` | The interval at which metrics should be scraped | `30s` | -| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. | `[]` | -| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus | `{}` | -| `metrics.serviceMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | -| `metrics.serviceMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | -| `metrics.serviceMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | -| `metrics.serviceMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` | -| `metrics.podMonitor.port` | the pod port to scrape metrics from | `metrics` | -| `metrics.podMonitor.enabled` | Create PodMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | -| `metrics.podMonitor.namespace` | The namespace in which the PodMonitor will be created | `""` | -| `metrics.podMonitor.interval` | The interval at which metrics should be scraped | `30s` | -| `metrics.podMonitor.scrapeTimeout` | The timeout after which 
the scrape is ended | `""` | -| `metrics.podMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | -| `metrics.podMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. | `[]` | -| `metrics.podMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitor resource(s) can be discovered by Prometheus | `{}` | -| `metrics.podMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | -| `metrics.podMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | -| `metrics.podMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | -| `metrics.podMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` | -| `metrics.prometheusRule.enabled` | Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator | `false` | -| `metrics.prometheusRule.namespace` | The namespace in which the prometheusRule will be created | `""` | -| `metrics.prometheusRule.additionalLabels` | Additional labels for the prometheusRule | `{}` | -| `metrics.prometheusRule.rules` | Custom Prometheus rules | `[]` | +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | +| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis® metrics | `false` | +| `metrics.image.registry` | Redis® Exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | Redis® Exporter image repository | `REPOSITORY_NAME/redis-exporter` | +| `metrics.image.digest` | 
Redis® Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | Redis® Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Redis® Exporter image pull secrets | `[]` | +| `metrics.containerPorts.http` | Metrics HTTP container port | `9121` | +| `metrics.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| 
`metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `metrics.command` | Override default metrics container init command (useful when using custom images) | `[]` | +| `metrics.redisTargetHost` | A way to specify an alternative Redis® hostname | `localhost` | +| `metrics.extraArgs` | Extra arguments for Redis® exporter, for example: | `{}` | +| `metrics.extraEnvVars` | Array with extra environment variables to add to Redis® exporter | `[]` | +| `metrics.containerSecurityContext.enabled` | Enabled Redis® exporter containers' Security Context | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `metrics.containerSecurityContext.runAsUser` | Set Redis® exporter containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsGroup` | Set Redis® exporter containers' Security Context runAsGroup | `0` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set Redis® exporter containers' Security Context runAsNonRoot | `true` | +| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® exporter containers' Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` | +| `metrics.containerSecurityContext.seccompProfile.type` | Set Redis® exporter containers' Security Context seccompProfile | `RuntimeDefault` | +| `metrics.containerSecurityContext.capabilities.drop` | Set Redis® exporter containers' Security Context capabilities to drop | `["ALL"]` | +| `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® metrics sidecar | `[]` | +| `metrics.extraVolumeMounts` | Optionally specify 
extra list of additional volumeMounts for the Redis® metrics sidecar | `[]` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.podLabels` | Extra labels for Redis® exporter pods | `{}` | +| `metrics.podAnnotations` | Annotations for Redis® exporter pods | `{}` | +| `metrics.service.enabled` | Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor | `true` | +| `metrics.service.type` | Redis® exporter service type | `ClusterIP` | +| `metrics.service.ports.http` | Redis® exporter service port | `9121` | +| `metrics.service.externalTrafficPolicy` | Redis® exporter service external traffic policy | `Cluster` | +| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `metrics.service.loadBalancerIP` | Redis® exporter service Load Balancer IP | `""` | +| `metrics.service.loadBalancerClass` | exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | +| `metrics.service.loadBalancerSourceRanges` | Redis® exporter service Load Balancer sources | `[]` | +| `metrics.service.annotations` | Additional custom annotations for Redis® exporter service | `{}` | +| `metrics.service.clusterIP` | Redis® exporter service Cluster IP | `""` | +| `metrics.serviceMonitor.port` | the service port to scrape metrics from | `http-metrics` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | +| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be 
created | `""` | +| `metrics.serviceMonitor.interval` | The interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | +| `metrics.serviceMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | +| `metrics.serviceMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | +| `metrics.serviceMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` | +| `metrics.podMonitor.port` | the pod port to scrape metrics from | `metrics` | +| `metrics.podMonitor.enabled` | Create PodMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | +| `metrics.podMonitor.namespace` | The namespace in which the PodMonitor will be created | `""` | +| `metrics.podMonitor.interval` | The interval at which metrics should be scraped | `30s` | +| `metrics.podMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | +| `metrics.podMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.podMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. 
| `[]` | +| `metrics.podMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitor resource(s) can be discovered by Prometheus | `{}` | +| `metrics.podMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | +| `metrics.podMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | +| `metrics.podMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | +| `metrics.podMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` | +| `metrics.prometheusRule.enabled` | Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.prometheusRule.namespace` | The namespace in which the prometheusRule will be created | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels for the prometheusRule | `{}` | +| `metrics.prometheusRule.rules` | Custom Prometheus rules | `[]` | ### Init Container Parameters -| Name | Description | Value | -| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | -------------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | -| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | -| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | -| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | -| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` | -| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | -| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | -| `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | -| `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | -| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | -| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` | -| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` | -| `sysctl.resources.limits` | The resources limits for the init container | `{}` | -| `sysctl.resources.requests` | The requested resources for the init container | `{}` | +| Name | Description | Value | +| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). 
| `none` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | +| `kubectl.image.registry` | Kubectl image registry | `REGISTRY_NAME` | +| `kubectl.image.repository` | Kubectl image repository | `REPOSITORY_NAME/kubectl` | +| `kubectl.image.digest` | Kubectl image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `kubectl.image.pullPolicy` | Kubectl image pull policy | `IfNotPresent` | +| `kubectl.image.pullSecrets` | Kubectl pull secrets | `[]` | +| `kubectl.command` | kubectl command to execute | `["/opt/bitnami/scripts/kubectl-scripts/update-master-label.sh"]` | +| `kubectl.resources.limits` | The resources limits for the kubectl containers | `{}` | +| `kubectl.resources.requests` | The requested resources for the kubectl containers | `{}` | +| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` | +| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` | +| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` | +| `sysctl.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production). | `none` | +| `sysctl.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | ### useExternalDNS Parameters 
@@ -643,6 +658,12 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/redis
 ## Configuration and installation details
+### Resource requests and limits
+
+Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
+
+To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
+
 ### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers)
 It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
diff --git a/charts/bitnami/airflow/charts/redis/charts/common/.helmignore b/charts/bitnami/airflow/charts/redis/charts/common/.helmignore
index 50af03172..7c7c21d65 100644
--- a/charts/bitnami/airflow/charts/redis/charts/common/.helmignore
+++ b/charts/bitnami/airflow/charts/redis/charts/common/.helmignore
@@ -20,3 +20,5 @@
 .idea/
 *.tmproj
 .vscode/
+# img folder
+img/
diff --git a/charts/bitnami/airflow/charts/redis/charts/common/Chart.yaml b/charts/bitnami/airflow/charts/redis/charts/common/Chart.yaml
index 9a6aa881f..f86ccd23a 100644
--- a/charts/bitnami/airflow/charts/redis/charts/common/Chart.yaml
+++ b/charts/bitnami/airflow/charts/redis/charts/common/Chart.yaml
@@ -2,7 +2,7 @@ annotations:
 category: Infrastructure
 licenses: Apache-2.0
 apiVersion: v2
-appVersion: 2.14.1
+appVersion: 2.19.0
 description: A Library Helm Chart for grouping common logic between bitnami charts.
 This chart is not deployable by itself.
 home: https://bitnami.com
@@ -20,4 +20,4 @@ name: common
 sources:
 - https://github.com/bitnami/charts
 type: library
-version: 2.14.1
+version: 2.19.0
diff --git a/charts/bitnami/airflow/charts/redis/charts/common/README.md b/charts/bitnami/airflow/charts/redis/charts/common/README.md
index a76fa46a2..0d01a1e06 100644
--- a/charts/bitnami/airflow/charts/redis/charts/common/README.md
+++ b/charts/bitnami/airflow/charts/redis/charts/common/README.md
@@ -220,7 +220,7 @@ helm install test mychart --set path.to.value00="",path.to.value01=""
 ## License
-Copyright © 2023 VMware, Inc.
+Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/charts/bitnami/airflow/charts/redis/charts/common/templates/_compatibility.tpl b/charts/bitnami/airflow/charts/redis/charts/common/templates/_compatibility.tpl
new file mode 100644
index 000000000..17665d567
--- /dev/null
+++ b/charts/bitnami/airflow/charts/redis/charts/common/templates/_compatibility.tpl
@@ -0,0 +1,39 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+{{- if .context.Values.global.compatibility -}}
+ {{- if .context.Values.global.compatibility.openshift -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .secContext.seLinuxOptions -}}
+ {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/charts/bitnami/airflow/charts/redis/charts/common/templates/_resources.tpl b/charts/bitnami/airflow/charts/redis/charts/common/templates/_resources.tpl
new file mode 100644
index 000000000..d90f8752d
--- /dev/null
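Review bot: `common.compatibility.isOpenshift` relies on `.Capabilities.APIVersions.Has "security.openshift.io/v1"`, which Helm only fills in from a live cluster; under `helm template` or a GitOps renderer that does not pass `--api-versions`, `adaptSecurityContext: auto` resolves to "not OpenShift" and the manifests keep `runAsUser`/`runAsGroup`/`fsGroup`, so the same values can render differently in CI than at install time. That deserves a comment on the define, e.g. `{{/* Detection uses .Capabilities.APIVersions, which is empty under 'helm template' unless --api-versions is passed; use adaptSecurityContext=force for offline rendering */}}`. Separately, `force` strips the UID/GID fields on every platform, not only OpenShift as the "Render a compatible securityContext" comment suggests; `runAsNonRoot` and `allowPrivilegeEscalation` pass through unchanged, so the kubelet still refuses an image that defaults to root, but the effective UID then comes from the image or an admission policy, and the comment should say so. The call sites in master/application.yaml further down in this commit inherit the same behaviour.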
+++ b/charts/bitnami/airflow/charts/redis/charts/common/templates/_resources.tpl 
@@ -0,0 +1,50 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a resource request/limit object based on a given preset.
+These presets are for basic testing and not meant to be used in production
+{{ include "common.resources.preset" (dict "type" "nano") -}}
+*/}}
+{{- define "common.resources.preset" -}}
+{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
+{{- $presets := dict
+ "nano" (dict
+ "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
+ )
+ "micro" (dict
+ "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
+ )
+ "small" (dict
+ "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
+ )
+ "medium" (dict
+ "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
+ )
+ "large" (dict
+ "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
+ )
+ "xlarge" (dict
+ "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
+ )
+ "2xlarge" (dict
+ "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
+ )
+ }}
+{{- if hasKey $presets .type -}}
+{{- index $presets .type | toYaml -}}
+{{- else -}}
+{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
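Review bot: The error path of `common.resources.preset` builds the allowed-values list with `keys $presets`, and Sprig's `keys` does not guarantee order, so the `fail` message lists the presets in a varying order from one render to the next; `(join "," (keys $presets | sortAlpha))` makes it stable and easier to match in CI logs. The file is also committed without a trailing newline, as the `\ No newline at end of file` marker shows.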
diff --git a/charts/bitnami/airflow/charts/redis/charts/common/templates/_warnings.tpl b/charts/bitnami/airflow/charts/redis/charts/common/templates/_warnings.tpl
index 66dffc1fe..0f763cd82 100644
--- a/charts/bitnami/airflow/charts/redis/charts/common/templates/_warnings.tpl
+++ b/charts/bitnami/airflow/charts/redis/charts/common/templates/_warnings.tpl
@@ -13,7 +13,70 @@ Usage:
 {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
 WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
-+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
++info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers
 {{- end }}
-
+{{- end -}}
+
+{{/*
+Warning about not setting the resource object in all deployments.
+Usage:
+{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }}
+Example:
+{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }}
+The list in the example assumes that the following values exist:
+ - csiProvider.provider.resources
+ - server.resources
+ - volumePermissions.resources
+ - resources
+*/}}
+{{- define "common.warnings.resources" -}}
+{{- $values := .context.Values -}}
+{{- $printMessage := false -}}
+{{ $affectedSections := list -}}
+{{- range .sections -}}
+ {{- if eq . "" -}}
+ {{/* Case where the resources section is at the root (one main deployment in the chart) */}}
+ {{- if not (index $values "resources") -}}
+ {{- $affectedSections = append $affectedSections "resources" -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else -}}
+ {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}}
+ {{- $keys := split "." . -}}
+ {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}}
+ {{- $section := $values -}}
+ {{- range $keys -}}
+ {{- $section = index $section . -}}
+ {{- end -}}
+ {{- if not (index $section "resources") -}}
+ {{/* If the section has enabled=false or replicaCount=0, do not include it */}}
+ {{- if and (hasKey $section "enabled") -}}
+ {{- if index $section "enabled" -}}
+ {{/* enabled=true */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else if and (hasKey $section "replicaCount") -}}
+ {{/* We need a casting to int because number 0 is not treated as an int by default */}}
+ {{- if (gt (index $section "replicaCount" | int) 0) -}}
+ {{/* replicaCount > 0 */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else -}}
+ {{/* Default case, add it to the affected sections */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- if $printMessage }}
+
+WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs:
+{{- range $affectedSections }}
+ - {{ . }}
+{{- end }}
++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+{{- end -}}
 {{- end -}}
diff --git a/charts/bitnami/airflow/charts/redis/templates/NOTES.txt b/charts/bitnami/airflow/charts/redis/templates/NOTES.txt
index cc191dee6..a5c679c92 100644
--- a/charts/bitnami/airflow/charts/redis/templates/NOTES.txt
+++ b/charts/bitnami/airflow/charts/redis/templates/NOTES.txt
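Review bot: `{{ $affectedSections := list -}}` in the new `common.warnings.resources` define lacks the left-hand whitespace trim that every neighbouring action uses, so a stray newline is emitted into the NOTES output ahead of the warning; `{{- $affectedSections := list -}}` fixes it. Two `and` calls take a single operand and read as leftovers: `{{- if and (hasKey $section "enabled") -}}` and `{{- else if and (hasKey $section "replicaCount") -}}` can be `{{- if hasKey $section "enabled" -}}` and `{{- else if hasKey $section "replicaCount" -}}`. The walk `{{- $section = index $section . -}}` assumes every path element listed in `sections` exists in the values; if a caller names a section that is absent, `index` on a nil value appears to abort rendering rather than skip the section, which is worth stating in the usage comment or guarding with `hasKey`.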
@@ -53,6 +53,22 @@ For Redis Sentinel:
 {{- end }}
 {{- end }}
+{{- if and .Values.auth.usePasswordFiles (not .Values.auth.usePasswordFileFromSecret) (or (empty .Values.master.initContainers) (empty .Values.replica.initContainers)) }}
+
+-------------------------------------------------------------------------------
+ WARNING
+
+ By specifying ".Values.auth.usePasswordFiles=true" and ".Values.auth.usePasswordFileFromSecret=false"
+ Redis is expecting that the password is mounted as a file in each pod
+ (by default in /opt/bitnami/redis/secrets/redis-password)
+
+ Ensure that you specify the respective initContainers in
+ both .Values.master.initContainers and .Values.replica.initContainers
+ in order to populate the contents of this file.
+
+-------------------------------------------------------------------------------
+{{- end }}
+
 {{- if eq .Values.architecture "replication" }}
 {{- if .Values.sentinel.enabled }}
@@ -189,3 +205,4 @@ No need to upgrade, ports and nodeports have been set from values
 YOU NEED TO PERFORM AN UPGRADE FOR THE SERVICES AND WORKLOAD TO BE CREATED
 {{- end }}
 {{- end }}
+{{- include "common.warnings.resources" (dict "sections" (list "master" "metrics" "replica" "sentinel" "sysctl" "volumePermissions") "context" $) }}
diff --git a/charts/bitnami/airflow/charts/redis/templates/_helpers.tpl b/charts/bitnami/airflow/charts/redis/templates/_helpers.tpl
index 9eb017f19..6857ec3f0 100644
--- a/charts/bitnami/airflow/charts/redis/templates/_helpers.tpl
+++ b/charts/bitnami/airflow/charts/redis/templates/_helpers.tpl
@@ -33,6 +33,13 @@ Return the proper image name (for the init container volume-permissions image)
 {{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
 {{- end -}}
+{{/*
+Return kubectl image
+*/}}
+{{- define "redis.kubectl.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.kubectl.image "global" .Values.global) }}
+{{- end -}}
+
 {{/*
 Return sysctl image
 */}}
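Review bot: The new password-file warning in NOTES.txt fires on `(empty .Values.replica.initContainers)` even when `architecture` is `standalone`, where no replica pods are rendered, so a correctly configured standalone deployment is told it is missing replica initContainers. Tie the replica half of the condition to the replication architecture, e.g. `(or (empty .Values.master.initContainers) (and (eq .Values.architecture "replication") (empty .Values.replica.initContainers)))`. The warning text could also say that the chart only checks for the presence of initContainers, not that they actually write the file, so the absence of the warning is not a guarantee.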
@@ -261,6 +268,7 @@ Compile all warnings into a single message, and call fail.
 {{- $messages := append $messages (include "redis.validateValues.architecture" .) -}}
 {{- $messages := append $messages (include "redis.validateValues.podSecurityPolicy.create" .) -}}
 {{- $messages := append $messages (include "redis.validateValues.tls" .) -}}
+{{- $messages := append $messages (include "redis.validateValues.createMaster" .) -}}
 {{- $messages := without $messages "" -}}
 {{- $message := join "\n" $messages -}}
@@ -312,6 +320,16 @@ redis: tls.enabled
 {{- end -}}
 {{- end -}}
+{{/* Validate values of Redis® - master service enabled */}}
+{{- define "redis.validateValues.createMaster" -}}
+{{- if and .Values.sentinel.service.createMaster (or (not .Values.rbac.create) (not .Values.replica.automountServiceAccountToken) (not .Values.serviceAccount.create)) }}
+redis: sentinel.service.createMaster
+ In order to redirect requests only to the master pod via the service, you also need to
+ create rbac and serviceAccount. In addition, you need to enable
+ replica.automountServiceAccountToken.
+{{- end -}}
+{{- end -}}
+
 {{/* Define the suffix utilized for external-dns */}}
 {{- define "redis.externalDNS.suffix" -}}
 {{ printf "%s.%s" (include "common.names.fullname" .) .Values.useExternalDNS.suffix }}
diff --git a/charts/bitnami/airflow/charts/redis/templates/configmap.yaml b/charts/bitnami/airflow/charts/redis/templates/configmap.yaml
index 6c370a2aa..a8c60a6df 100644
--- a/charts/bitnami/airflow/charts/redis/templates/configmap.yaml
+++ b/charts/bitnami/airflow/charts/redis/templates/configmap.yaml
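Review bot: `redis.validateValues.createMaster` rejects `sentinel.service.createMaster` unless the chart itself creates the RBAC and ServiceAccount (`rbac.create` and `serviceAccount.create` both true), so an operator who supplies a pre-scoped ServiceAccount and Role through values cannot use the feature even though the token requirement is met; if the chart accepts an external ServiceAccount name, the check should accept that case too. The failure message should also say what the mounted token is used for, because this setting turns on `replica.automountServiceAccountToken` for every replica pod; judging from the `update-master-label.sh` and `push-master-label.sh` references elsewhere in this commit it appears to be pod relabelling on failover, so a line such as ` The token is used to relabel the master pod on failover; keep the chart's Role scoped to that.` lets a reviewer judge the blast radius without reading the Role template. Both points are wording changes inside the new define.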
@@ -52,6 +52,9 @@ data: sentinel down-after-milliseconds {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.downAfterMilliseconds }} sentinel failover-timeout {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.failoverTimeout }} sentinel parallel-syncs {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.parallelSyncs }} + {{- if .Values.sentinel.service.createMaster}} + sentinel client-reconfig-script {{ .Values.sentinel.masterSet }} /opt/bitnami/scripts/start-scripts/push-master-label.sh + {{- end }} # User-supplied sentinel configuration: {{- if .Values.sentinel.configuration }} {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.configuration "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/airflow/charts/redis/templates/headless-svc.yaml b/charts/bitnami/airflow/charts/redis/templates/headless-svc.yaml index e69329f82..ea914a8dd 100644 --- a/charts/bitnami/airflow/charts/redis/templates/headless-svc.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/headless-svc.yaml @@ -9,12 +9,14 @@ metadata: name: {{ printf "%s-headless" (include "common.names.fullname" .) }} namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.sentinel.service.headless.annotations .Values.commonAnnotations (include "redis.externalDNS.annotations" .) }} annotations: {{- if or .Values.sentinel.service.headless.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.sentinel.service.headless.annotations .Values.commonAnnotations ) "context" . ) }} {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} {{- end }} {{- include "redis.externalDNS.annotations" . | nindent 4 }} + {{- end }} spec: type: ClusterIP clusterIP: None 
diff --git a/charts/bitnami/airflow/charts/redis/templates/master/application.yaml b/charts/bitnami/airflow/charts/redis/templates/master/application.yaml index b074aaae2..108ddea73 100644 --- a/charts/bitnami/airflow/charts/redis/templates/master/application.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/master/application.yaml @@ -62,7 +62,7 @@ spec: hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.master.hostAliases "context" $) | nindent 8 }} {{- end }} {{- if .Values.master.podSecurityContext.enabled }} - securityContext: {{- omit .Values.master.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.master.podSecurityContext "context" $) | nindent 8 }} {{- end }} serviceAccountName: {{ template "redis.masterServiceAccountName" . }} automountServiceAccountToken: {{ .Values.master.automountServiceAccountToken }} @@ -108,7 +108,7 @@ spec: lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.master.lifecycleHooks "context" $) | nindent 12 }} {{- end }} {{- if .Values.master.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.master.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.master.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -226,6 +226,8 @@ spec: {{- end }} {{- if .Values.master.resources }} resources: {{- toYaml .Values.master.resources | nindent 12 }} + {{- else if ne .Values.master.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.master.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: start-scripts 
@@ -245,10 +247,12 @@ spec: {{- end }} - name: config mountPath: /opt/bitnami/redis/mounted-etc - - name: redis-tmp-conf + - name: empty-dir mountPath: /opt/bitnami/redis/etc/ - - name: tmp + subPath: app-conf-dir + - name: empty-dir mountPath: /tmp + subPath: tmp-dir {{- if .Values.tls.enabled }} - name: redis-certificates mountPath: /opt/bitnami/redis/certs @@ -262,7 +266,7 @@ spec: image: {{ include "redis.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -341,8 +345,13 @@ spec: {{- end }} {{- if .Values.metrics.resources }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: app-tmp-dir {{- if .Values.auth.usePasswordFiles }} - name: redis-password mountPath: /secrets/ 
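Review bot: When `auth.usePasswordFileFromSecret` is false the `redis-password` volume becomes a plain `emptyDir: {}`, so the credential is no longer backed by a Secret object: it is written at runtime by whatever initContainer the operator supplies, is then readable by every container in the pod that mounts the volume, and with the default medium it is persisted on the node's disk. A comment at the `{{- else }}` branch should say so, e.g. `# populated by user-provided initContainers, not by a Secret (see NOTES.txt)`, and `emptyDir: { medium: Memory }` would keep the password off the node filesystem. The opening `{{ if .Values.auth.usePasswordFileFromSecret }}` lacks the left trim its sibling `{{- else }}`/`{{- end }}` use, so it emits an indented blank line; `{{- if ... }}` matches the rest of the block. The same pattern appears in the replicas and sentinel StatefulSet volume hunks.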
@@ -440,19 +463,7 @@ spec: hostPath: path: /sys {{- end }} - - name: redis-tmp-conf - {{- if or .Values.master.persistence.medium .Values.master.persistence.sizeLimit }} - emptyDir: - {{- if .Values.master.persistence.medium }} - medium: {{ .Values.master.persistence.medium | quote }} - {{- end }} - {{- if .Values.master.persistence.sizeLimit }} - sizeLimit: {{ .Values.master.persistence.sizeLimit | quote }} - {{- end }} - {{- else }} - emptyDir: {} - {{- end }} - - name: tmp + - name: empty-dir {{- if or .Values.master.persistence.medium .Values.master.persistence.sizeLimit }} emptyDir: {{- if .Values.master.persistence.medium }} diff --git a/charts/bitnami/airflow/charts/redis/templates/replicas/application.yaml b/charts/bitnami/airflow/charts/redis/templates/replicas/application.yaml index dde2726a3..96a351796 100644 --- a/charts/bitnami/airflow/charts/redis/templates/replicas/application.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/replicas/application.yaml @@ -60,7 +60,7 @@ spec: hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.replica.hostAliases "context" $) | nindent 8 }} {{- end }} {{- if .Values.replica.podSecurityContext.enabled }} - securityContext: {{- omit .Values.replica.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.replica.podSecurityContext "context" $) | nindent 8 }} {{- end }} serviceAccountName: {{ template "redis.replicaServiceAccountName" . }} automountServiceAccountToken: {{ .Values.replica.automountServiceAccountToken }} 
@@ -108,7 +108,7 @@ spec: {{- end }} {{- end }} {{- if .Values.replica.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.replica.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.replica.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -246,6 +246,8 @@ spec: {{- end }} {{- if .Values.replica.resources }} resources: {{- toYaml .Values.replica.resources | nindent 12 }} + {{- else if ne .Values.replica.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.replica.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: start-scripts @@ -265,8 +267,12 @@ spec: {{- end }} - name: config mountPath: /opt/bitnami/redis/mounted-etc - - name: redis-tmp-conf + - name: empty-dir mountPath: /opt/bitnami/redis/etc + subPath: app-conf-dir + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.tls.enabled }} - name: redis-certificates mountPath: /opt/bitnami/redis/certs @@ -280,7 +286,7 @@ spec: image: {{ include "redis.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} 
@@ -359,8 +365,13 @@ spec: {{- end }} {{- if .Values.metrics.resources }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.auth.usePasswordFiles }} - name: redis-password mountPath: /secrets/ @@ -403,8 +414,13 @@ spec: {{- end }} {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: redis-data mountPath: {{ .Values.replica.persistence.path }} {{- if .Values.replica.persistence.subPath }} @@ -425,9 +441,14 @@ spec: {{- end }} {{- if .Values.sysctl.resources }} resources: {{- toYaml .Values.sysctl.resources | nindent 12 }} + {{- else if ne .Values.sysctl.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.sysctl.resourcesPreset) | nindent 12 }} {{- end }} {{- if .Values.sysctl.mountHostSys }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: host-sys mountPath: /host-sys {{- end }} @@ -444,11 +465,15 @@ spec: defaultMode: 0755 {{- if .Values.auth.usePasswordFiles }} - name: redis-password + {{ if .Values.auth.usePasswordFileFromSecret }} secret: secretName: {{ template "redis.secretName" . }} items: - key: {{ template "redis.secretPasswordKey" . }} path: redis-password + {{- else }} + emptyDir: {} + {{- end }} {{- end }} - name: config configMap: 
@@ -458,7 +483,7 @@ spec:
 hostPath:
 path: /sys
 {{- end }}
- - name: redis-tmp-conf
+ - name: empty-dir
 {{- if or .Values.replica.persistence.medium .Values.replica.persistence.sizeLimit }}
 emptyDir:
 {{- if .Values.replica.persistence.medium }}
diff --git a/charts/bitnami/airflow/charts/redis/templates/role.yaml b/charts/bitnami/airflow/charts/redis/templates/role.yaml
index 5bab3b7cc..710ac48d4 100644
--- a/charts/bitnami/airflow/charts/redis/templates/role.yaml
+++ b/charts/bitnami/airflow/charts/redis/templates/role.yaml
@@ -23,6 +23,11 @@ rules:
 - 'use'
 resourceNames: [{{ printf "%s-master" (include "common.names.fullname" .) }}]
 {{- end }}
+ {{- if and .Values.sentinel.enabled .Values.sentinel.service.createMaster}}
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["list", "patch"]
+ {{- end -}}
 {{- if .Values.rbac.rules }}
 {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
 {{- end }}
diff --git a/charts/bitnami/airflow/charts/redis/templates/scripts-configmap.yaml b/charts/bitnami/airflow/charts/redis/templates/scripts-configmap.yaml
index f785faf34..082de6821 100644
--- a/charts/bitnami/airflow/charts/redis/templates/scripts-configmap.yaml
+++ b/charts/bitnami/airflow/charts/redis/templates/scripts-configmap.yaml
@@ -366,6 +366,13 @@ data:
 REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]}
 fi
 
+ {{- if .Values.sentinel.service.createMaster }}
+ if [[ "${REDIS_REPLICATION_MODE}" == "master" ]]; then
+ # Add isMaster label to master node for master service
+ echo "${REDIS_MASTER_HOST/.*}" > /etc/shared/current
+ fi
+ {{- end }}
+
 if [[ -n "$REDIS_EXTERNAL_MASTER_HOST" ]]; then
 REDIS_MASTER_HOST="$REDIS_EXTERNAL_MASTER_HOST"
 REDIS_MASTER_PORT_NUMBER="${REDIS_EXTERNAL_MASTER_PORT}"
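Review bot: The new role rule grants `list` and `patch` on every pod in the namespace, so the service account used by the kubectl sidecar (and any process holding its token) can relabel unrelated workloads, not just the Redis nodes. StatefulSet pod names are deterministic, so the `patch` grant can be pinned with `resourceNames` derived from `common.names.fullname` and `replica.replicaCount` (assuming the node StatefulSet is `<fullname>-node`, as the `app.kubernetes.io/component: node` selector elsewhere in this change suggests); `list` cannot be restricted by name and has to stay in its own rule. The `{{- end -}}` right trim is unusual in this file, where the other `end` tags trim only on the left; it appears harmless because the following `{{- if .Values.rbac.rules }}` trims too, but `{{- end }}` would be consistent.
```yaml
  {{- if and .Values.sentinel.enabled .Values.sentinel.service.createMaster}}
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["patch"]
    # StatefulSet pod names are deterministic, so patch is pinned to the Redis node pods
    resourceNames:
    {{- range $i := until (int .Values.replica.replicaCount) }}
      - {{ printf "%s-node-%d" (include "common.names.fullname" $) $i }}
    {{- end }}
  {{- end }}
```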
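Review bot: The new block in the start script writes to `/etc/shared/current`, but the only `/etc/shared` mount this change adds is `kubectl-shared` on the sentinel container of the sentinel StatefulSet; if this script is the one executed by the redis node container, the redirect fails on a missing directory, so which container runs it should be confirmed (or the mount added there as well). The comment `# Add isMaster label to master node for master service` is misleading because the label is applied by the kubectl sidecar, not here; `# signal the kubectl sidecar (sentinel.service.createMaster) to label this pod isMaster=true` describes what the line does. The enclosing script continues outside the hunk.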
@@ -481,7 +488,7 @@ data:
 
 run_sentinel_command() {
 if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then
- redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_PORT" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@"
+ redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_TLS_PORT_NUMBER" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@"
 else
 redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_PORT" sentinel "$@"
 fi
@@ -561,7 +568,7 @@ data:
 
 run_sentinel_command() {
 if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then
- {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_PORT" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@"
+ {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_TLS_PORT_NUMBER" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@"
 else
 {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_PORT" sentinel "$@"
 fi
@@ -596,6 +603,14 @@ data:
 exit 0
 fi
 
+ {{- if .Values.sentinel.service.createMaster}}
+ push-master-label.sh: |
+ #!/bin/bash
+ # https://download.redis.io/redis-stable/sentinel.conf
+
+ echo "${6/.*}" > /etc/shared/current
+ echo "${4/.*}" > /etc/shared/previous
+ {{- end }}
 {{- else }}
 start-master.sh: |
 #!/bin/bash
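Review bot: `push-master-label.sh` writes `current` before `previous`, while the consumer `update-master-label.sh` waits only for `current` and then tests `previous` with `[ -f ]`, so the reader can wake between the two writes, skip the old master, and its unconditional `rm` then deletes the never-processed `previous`, leaving two pods labelled `isMaster=true`; swapping the two lines (`echo "${4/.*}" > /etc/shared/previous` first, then `echo "${6/.*}" > /etc/shared/current`) makes `current` the commit marker. The positional parameters deserve a comment since the Sentinel `client-reconfig-script` contract is not obvious: `# args: <master-name> <role> <state> <from-ip> <from-port> <to-ip> <to-port>; $4/$6 are the old/new master addresses, cut at the first '.' to obtain the pod name`. If Sentinel reports IP addresses rather than hostnames, `${6/.*}` yields the first octet and the later label patch matches no pod, so that assumption should be confirmed against the sentinel configuration.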
@@ -755,3 +770,29 @@ data:
 {{- end }}
 {{- end }}
 {{- end }}
+---
+{{- if .Values.sentinel.service.createMaster}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-kubectl-scripts" (include "common.names.fullname" .) }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ update-master-label.sh: |
+ #!/bin/bash
+ while true; do
+ while [ ! -f "/etc/shared/current" ]; do
+ sleep 1
+ done
+ echo "new master elected, updating label(s)..."
+ kubectl label pod --field-selector metadata.name="$(< "/etc/shared/current")" isMaster="true" --overwrite
+ if [ -f /etc/shared/previous ]; then
+ kubectl label pod --field-selector metadata.name="$(< "/etc/shared/previous")" isMaster="false" --overwrite
+ fi
+ rm "/etc/shared/current" "/etc/shared/previous"
+ done
+{{- end }}
diff --git a/charts/bitnami/airflow/charts/redis/templates/secret.yaml b/charts/bitnami/airflow/charts/redis/templates/secret.yaml
index 003a2768c..2b8b0bb8c 100644
--- a/charts/bitnami/airflow/charts/redis/templates/secret.yaml
+++ b/charts/bitnami/airflow/charts/redis/templates/secret.yaml
@@ -3,7 +3,7 @@ Copyright VMware, Inc.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
-{{- if and .Values.auth.enabled (not .Values.auth.existingSecret) -}}
+{{- if and .Values.auth.enabled (not .Values.auth.existingSecret) (or .Values.auth.usePasswordFileFromSecret (not .Values.auth.usePasswordFiles)) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/bitnami/airflow/charts/redis/templates/sentinel/service.yaml b/charts/bitnami/airflow/charts/redis/templates/sentinel/service.yaml
index f80e6442a..3211c3109 100644
--- a/charts/bitnami/airflow/charts/redis/templates/sentinel/service.yaml
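Review bot: `update-master-label.sh` labels the new master `isMaster=true` before clearing the previous one, so for the duration of the second `kubectl` call the `-master` Service selects two pods; clearing `previous` first keeps the selector on at most one pod. A failed `kubectl label` (RBAC denied, API server unreachable) is ignored and the trigger files are removed anyway, so the label never converges, and `kubectl label pod --field-selector ...` exits 0 when no pod matches, which hides a bad pod name; naming the pod positionally fails loudly, and checking the exit status before `rm` lets the next iteration retry. `rm "/etc/shared/current" "/etc/shared/previous"` also errors on the first election when `previous` does not exist; `rm -f` avoids the noise.
```bash
      # … unchanged: outer loop, wait for /etc/shared/current, echo …
      # clear the old master first so the -master Service never selects two pods
      if [ -f /etc/shared/previous ]; then
        kubectl label pod "$(< "/etc/shared/previous")" isMaster="false" --overwrite || { sleep 1; continue; }
      fi
      kubectl label pod "$(< "/etc/shared/current")" isMaster="true" --overwrite || { sleep 1; continue; }
      rm -f "/etc/shared/current" "/etc/shared/previous"
```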
+++ b/charts/bitnami/airflow/charts/redis/templates/sentinel/service.yaml 
@@ -100,5 +100,62 @@ spec: {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.replica.podLabels .Values.commonLabels ) "context" . ) }} selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: node + +{{- if and .Values.sentinel.enabled .Values.sentinel.service.createMaster}} +--- +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "common.names.fullname" . }}-master" + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: node + {{- if or .Values.sentinel.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.sentinel.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.sentinel.service.type }} + {{- if or (eq .Values.sentinel.service.type "LoadBalancer") (eq .Values.sentinel.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.sentinel.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.sentinel.service.type "LoadBalancer") (not (empty .Values.sentinel.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.sentinel.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.sentinel.service.type "LoadBalancer") .Values.sentinel.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.sentinel.service.loadBalancerClass }} + {{- end }} + {{- if and (eq .Values.sentinel.service.type "LoadBalancer") (not (empty .Values.sentinel.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ toYaml .Values.sentinel.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if and 
.Values.sentinel.service.clusterIP (eq .Values.sentinel.service.type "ClusterIP") }} + clusterIP: {{ .Values.sentinel.service.clusterIP }} + {{- end }} + {{- if .Values.sentinel.service.sessionAffinity }} + sessionAffinity: {{ .Values.sentinel.service.sessionAffinity }} + {{- end }} + {{- if .Values.sentinel.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: tcp-redis + {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.redis }} + port: {{ .Values.sentinel.service.nodePorts.redis }} + {{- else if eq .Values.sentinel.service.type "NodePort" }} + port: {{ $redisport }} + {{- else}} + port: {{ .Values.sentinel.service.ports.redis }} + {{- end }} + targetPort: {{ .Values.replica.containerPorts.redis }} + {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.redis }} + nodePort: {{ .Values.sentinel.service.nodePorts.redis }} + {{- else if eq .Values.sentinel.service.type "ClusterIP" }} + nodePort: null + {{- else if eq .Values.sentinel.service.type "NodePort" }} + nodePort: {{ $redisport }} + {{- end }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + isMaster: "true" +{{- end }} {{- end }} {{- end }} diff --git a/charts/bitnami/airflow/charts/redis/templates/sentinel/statefulset.yaml b/charts/bitnami/airflow/charts/redis/templates/sentinel/statefulset.yaml index 8557aee6f..dfb1352bf 100644 --- a/charts/bitnami/airflow/charts/redis/templates/sentinel/statefulset.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/sentinel/statefulset.yaml 
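Review bot: The new `-master` Service reuses every `sentinel.service.*` value (type, `loadBalancerIP`, `nodePorts.redis`, `$redisport`, `loadBalancerSourceRanges`) of the Service defined above it, so with `sentinel.service.type` set to `NodePort` or `LoadBalancer` both objects appear to request the same `nodePort` or `loadBalancerIP`, which the API server rejects as a conflict; the master Service needs its own port/IP values or should be documented as ClusterIP-only. The `isMaster: "true"` selector depends on a label written asynchronously by the kubectl sidecar, so the Service has no endpoints until the first election has been processed, which is worth stating in the `sentinel.service.createMaster` description. `$podLabels` is defined in the hunk's context line, but `$redisport` comes from earlier in the file, outside the hunk.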
@@ -59,7 +59,7 @@ spec: hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.replica.hostAliases "context" $) | nindent 8 }} {{- end }} {{- if .Values.replica.podSecurityContext.enabled }} - securityContext: {{- omit .Values.replica.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.replica.podSecurityContext "context" $) | nindent 8 }} {{- end }} serviceAccountName: {{ template "redis.serviceAccountName" . }} {{- if .Values.replica.priorityClassName }} @@ -114,7 +114,7 @@ spec: {{- end }} {{- end }} {{- if .Values.replica.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.replica.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.replica.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -270,6 +270,8 @@ spec: {{- end }} {{- if .Values.replica.resources }} resources: {{- toYaml .Values.replica.resources | nindent 12 }} + {{- else if ne .Values.replica.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.replica.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: start-scripts @@ -293,10 +295,12 @@ spec: {{- end }} - name: config mountPath: /opt/bitnami/redis/mounted-etc - - name: redis-tmp-conf + - name: empty-dir mountPath: /opt/bitnami/redis/etc - - name: tmp + subPath: app-conf-dir + - name: empty-dir mountPath: /tmp + subPath: tmp-dir {{- if .Values.tls.enabled }} - name: redis-certificates mountPath: /opt/bitnami/redis/certs 
@@ -322,7 +326,7 @@ spec: {{- end }} {{- end }} {{- if .Values.sentinel.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.sentinel.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.sentinel.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -449,12 +453,21 @@ spec: {{- end }} {{- if .Values.sentinel.resources }} resources: {{- toYaml .Values.sentinel.resources | nindent 12 }} + {{- else if ne .Values.sentinel.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.sentinel.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: start-scripts mountPath: /opt/bitnami/scripts/start-scripts - name: health mountPath: /health + {{- if .Values.sentinel.service.createMaster}} + - name: kubectl-shared + mountPath: /etc/shared + {{- end }} - name: sentinel-data mountPath: /opt/bitnami/redis-sentinel/etc {{- if .Values.auth.usePasswordFiles }} @@ -483,7 +496,7 @@ spec: image: {{ template "redis.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} 
@@ -560,8 +573,13 @@ spec: {{- end }} {{- if .Values.metrics.resources }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.auth.usePasswordFiles }} - name: redis-password mountPath: /secrets/ @@ -575,6 +593,22 @@ spec: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} {{- end }} {{- end }} + {{- if .Values.sentinel.service.createMaster }} + - name: kubectl-shared + image: {{ template "redis.kubectl.image" . }} + imagePullPolicy: {{ .Values.kubectl.image.pullPolicy | quote }} + command: {{- toYaml .Values.kubectl.command | nindent 12 }} + securityContext: + runAsUser: 0 + volumeMounts: + - name: kubectl-shared + mountPath: /etc/shared + - name: kubectl-scripts + mountPath: /opt/bitnami/scripts/kubectl-scripts + {{- if .Values.kubectl.resources }} + resources: {{- toYaml .Values.kubectl.resources | nindent 12 }} + {{- end }} + {{- end }} {{- if .Values.replica.sidecars }} {{- include "common.tplvalues.render" (dict "value" .Values.replica.sidecars "context" $) | nindent 8 }} {{- end }} @@ -604,8 +638,13 @@ spec: {{- end }} {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: redis-data mountPath: {{ .Values.replica.persistence.path }} {{- if .Values.replica.persistence.subPath }} 
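Review bot: The `kubectl-shared` sidecar hard-codes `securityContext: runAsUser: 0` with no `allowPrivilegeEscalation: false`, `capabilities.drop`, `readOnlyRootFilesystem` or `seccompProfile`, unlike every other container in this StatefulSet, which renders a full `containerSecurityContext` through `common.compatibility.renderSecurityContext`. The container only reads two files from `kubectl-shared` and calls the API with the mounted service-account token, so it does not appear to need UID 0; a new `kubectl.containerSecurityContext` value (non-root, drop ALL) rendered the same way as the others would keep it schedulable under restricted Pod Security admission and OpenShift SCCs. It is also the only container here without the `resourcesPreset` fallback added to all the others.
```yaml
        - name: kubectl-shared
          image: {{ template "redis.kubectl.image" . }}
          imagePullPolicy: {{ .Values.kubectl.image.pullPolicy | quote }}
          command: {{- toYaml .Values.kubectl.command | nindent 12 }}
          {{- if .Values.kubectl.containerSecurityContext.enabled }}
          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.kubectl.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          # … unchanged: volumeMounts …
          {{- if .Values.kubectl.resources }}
          resources: {{- toYaml .Values.kubectl.resources | nindent 12 }}
          {{- else if ne .Values.kubectl.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.kubectl.resourcesPreset) | nindent 12 }}
          {{- end }}
```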
@@ -626,9 +665,14 @@ spec: {{- end }} {{- if .Values.sysctl.resources }} resources: {{- toYaml .Values.sysctl.resources | nindent 12 }} + {{- else if ne .Values.sysctl.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.sysctl.resourcesPreset) | nindent 12 }} {{- end }} {{- if .Values.sysctl.mountHostSys }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: host-sys mountPath: /host-sys {{- end }} @@ -643,13 +687,25 @@ spec: configMap: name: {{ printf "%s-health" (include "common.names.fullname" .) }} defaultMode: 0755 + {{- if .Values.sentinel.service.createMaster}} + - name: kubectl-shared + emptyDir: {} + - name: kubectl-scripts + configMap: + name: {{ printf "%s-kubectl-scripts" (include "common.names.fullname" .) }} + defaultMode: 0755 + {{- end }} {{- if .Values.auth.usePasswordFiles }} - name: redis-password + {{ if .Values.auth.usePasswordFileFromSecret }} secret: secretName: {{ template "redis.secretName" . }} items: - key: {{ template "redis.secretPasswordKey" . }} path: redis-password + {{- else }} + emptyDir: {} + {{- end }} {{- end }} - name: config configMap: @@ -673,19 +729,7 @@ spec: emptyDir: {} {{- end }} {{- end }} - - name: redis-tmp-conf - {{- if or .Values.sentinel.persistence.medium .Values.sentinel.persistence.sizeLimit }} - emptyDir: - {{- if .Values.sentinel.persistence.medium }} - medium: {{ .Values.sentinel.persistence.medium | quote }} - {{- end }} - {{- if .Values.sentinel.persistence.sizeLimit }} - sizeLimit: {{ .Values.sentinel.persistence.sizeLimit | quote }} - {{- end }} - {{- else }} - emptyDir: {} - {{- end }} - - name: tmp + - name: empty-dir {{- if or .Values.sentinel.persistence.medium .Values.sentinel.persistence.sizeLimit }} emptyDir: {{- if .Values.sentinel.persistence.medium }} diff --git a/charts/bitnami/airflow/charts/redis/values.yaml b/charts/bitnami/airflow/charts/redis/values.yaml index d9af4ef69..a9517f047 100644 
--- a/charts/bitnami/airflow/charts/redis/values.yaml +++ b/charts/bitnami/airflow/charts/redis/values.yaml @@ -22,7 +22,15 @@ global: storageClass: "" redis: password: "" - + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## @section Common parameters ## @@ -62,7 +70,6 @@ nameResolutionThreshold: 5 ## @param nameResolutionTimeout Timeout seconds between probes for internal hostnames resolution ## nameResolutionTimeout: 5 - ## Enable diagnostic mode in the deployment ## diagnosticMode: @@ -77,7 +84,6 @@ diagnosticMode: ## args: - infinity - ## @section Redis® Image parameters ## @@ -94,7 +100,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/redis - tag: 7.2.4-debian-11-r5 + tag: 7.2.4-debian-12-r9 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -112,7 +118,6 @@ image: ## Enable debug mode ## debug: false - ## @section Redis® common configuration parameters ## https://github.com/bitnami/containers/tree/main/bitnami/redis#configuration ## @@ -145,7 +150,9 @@ auth: ## @param auth.usePasswordFiles Mount credentials as files instead of using an environment variable ## usePasswordFiles: false - + ## @param auth.usePasswordFileFromSecret Mount password file from secret + ## + usePasswordFileFromSecret: true ## @param commonConfiguration [string] Common configuration to be added into the ConfigMap ## ref: https://redis.io/topics/config ## 
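Review bot: The description of `auth.usePasswordFileFromSecret` ("Mount password file from secret") does not say what the chart does when it is false: no Secret is rendered and the `redis-password` volume becomes an emptyDir that user-supplied initContainers must populate with `/opt/bitnami/redis/secrets/redis-password`, as NOTES.txt warns, and the setting only has an effect when `auth.usePasswordFiles` is true. Suggested: `## @param auth.usePasswordFileFromSecret Mount the password file from a Secret (only applies when auth.usePasswordFiles is true). If false, no Secret is created and the password volume is an empty emptyDir that master/replica initContainers must populate`.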
@@ -157,10 +164,8 @@ commonConfiguration: |- ## @param existingConfigmap The name of an existing ConfigMap with your custom configuration for Redis® nodes ## existingConfigmap: "" - ## @section Redis® master configuration parameters ## - master: ## @param master.count Number of Redis® master instances to deploy (experimental, requires additional configuration) ## @@ -267,12 +272,21 @@ master: customReadinessProbe: {} ## Redis® master resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param master.resources.limits The resources limits for the Redis® master containers - ## @param master.resources.requests The requested resources for the Redis® master containers + ## @param master.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - limits: {} - requests: {} + resourcesPreset: "none" + ## @param master.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param master.podSecurityContext.enabled Enabled Redis® master pods' Security Context 
@@ -295,6 +309,7 @@ master: ## @param master.containerSecurityContext.runAsGroup Set Redis® master containers' Security Context runAsGroup ## @param master.containerSecurityContext.runAsNonRoot Set Redis® master containers' Security Context runAsNonRoot ## @param master.containerSecurityContext.allowPrivilegeEscalation Is it possible to escalate Redis® pod(s) privileges + ## @param master.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem ## @param master.containerSecurityContext.seccompProfile.type Set Redis® master containers' Security Context seccompProfile ## @param master.containerSecurityContext.capabilities.drop Set Redis® master containers' Security Context capabilities to drop ## @@ -305,11 +320,11 @@ master: runAsGroup: 0 runAsNonRoot: true allowPrivilegeEscalation: false + readOnlyRootFilesystem: false seccompProfile: type: RuntimeDefault capabilities: - drop: - - ALL + drop: ["ALL"] ## @param master.kind Use either Deployment, StatefulSet (default) or DaemonSet ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/ ## @@ -599,10 +614,8 @@ master: ## @param master.serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} - ## @section Redis® replicas configuration parameters ## - replica: ## @param replica.kind Use either DaemonSet or StatefulSet (default) ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/ 
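Review bot: `readOnlyRootFilesystem: false` is introduced for master.containerSecurityContext with a non-hardened default, while the surrounding block already ships runAsNonRoot true, allowPrivilegeEscalation false, seccompProfile RuntimeDefault and drop ALL; the same `false` default is added for the replica, sentinel and metrics containers in the later hunks. If the image needs writable paths (presumably /tmp and the data directory — to be confirmed against the templates), the @param line should say so and point at the emptyDir mounts that make `true` viable, e.g. `## @param master.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem (set to true once every writable path is backed by an emptyDir mount)`. As written, a reader of the generated README cannot tell whether `true` is supported by this chart or merely accepted.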
@@ -721,20 +734,21 @@ replica: customReadinessProbe: {} ## Redis® replicas resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param replica.resources.limits The resources limits for the Redis® replicas containers - ## @param replica.resources.requests The requested resources for the Redis® replicas containers + ## @param replica.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if replica.resources is set (replica.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - limits: {} - # cpu: 250m - # memory: 256Mi - requests: {} - # cpu: 250m - # memory: 256Mi + resourcesPreset: "none" + ## @param replica.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param replica.podSecurityContext.enabled Enabled Redis® replicas pods' Security Context 
@@ -757,6 +771,7 @@ replica: ## @param replica.containerSecurityContext.runAsGroup Set Redis® replicas containers' Security Context runAsGroup ## @param replica.containerSecurityContext.runAsNonRoot Set Redis® replicas containers' Security Context runAsNonRoot ## @param replica.containerSecurityContext.allowPrivilegeEscalation Set Redis® replicas pod's Security Context allowPrivilegeEscalation + ## @param replica.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem ## @param replica.containerSecurityContext.seccompProfile.type Set Redis® replicas containers' Security Context seccompProfile ## @param replica.containerSecurityContext.capabilities.drop Set Redis® replicas containers' Security Context capabilities to drop ## @@ -767,11 +782,11 @@ replica: runAsGroup: 0 runAsNonRoot: true allowPrivilegeEscalation: false + readOnlyRootFilesystem: false seccompProfile: type: RuntimeDefault capabilities: - drop: - - ALL + drop: ["ALL"] ## @param replica.schedulerName Alternate scheduler for Redis® replicas pods ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## @@ -1093,7 +1108,7 @@ sentinel: image: registry: docker.io repository: bitnami/redis-sentinel - tag: 7.2.4-debian-11-r6 + tag: 7.2.4-debian-12-r7 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -1288,12 +1303,21 @@ sentinel: whenDeleted: Retain ## Redis® Sentinel resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param sentinel.resources.limits The resources limits for the Redis® Sentinel containers - ## @param sentinel.resources.requests The requested resources for the Redis® Sentinel containers + ## @param sentinel.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sentinel.resources is set (sentinel.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - limits: {} - requests: {} + resourcesPreset: "none" + ## @param sentinel.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param sentinel.containerSecurityContext.enabled Enabled Redis® Sentinel containers' Security Context 
@@ -1301,6 +1325,7 @@ sentinel: ## @param sentinel.containerSecurityContext.runAsUser Set Redis® Sentinel containers' Security Context runAsUser ## @param sentinel.containerSecurityContext.runAsGroup Set Redis® Sentinel containers' Security Context runAsGroup ## @param sentinel.containerSecurityContext.runAsNonRoot Set Redis® Sentinel containers' Security Context runAsNonRoot + ## @param sentinel.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem ## @param sentinel.containerSecurityContext.allowPrivilegeEscalation Set Redis® Sentinel containers' Security Context allowPrivilegeEscalation ## @param sentinel.containerSecurityContext.seccompProfile.type Set Redis® Sentinel containers' Security Context seccompProfile ## @param sentinel.containerSecurityContext.capabilities.drop Set Redis® Sentinel containers' Security Context capabilities to drop @@ -1312,11 +1337,11 @@ sentinel: runAsGroup: 0 runAsNonRoot: true allowPrivilegeEscalation: false + readOnlyRootFilesystem: false seccompProfile: type: RuntimeDefault capabilities: - drop: - - ALL + drop: ["ALL"] ## @param sentinel.lifecycleHooks for the Redis® sentinel container(s) to automate configuration before or after startup ## lifecycleHooks: {} @@ -1358,6 +1383,12 @@ sentinel: ## @param sentinel.service.clusterIP Redis® Sentinel service Cluster IP ## clusterIP: "" + + ## @param sentinel.service.createMaster Enable master service pointing to the current master (experimental) + ## NOTE: rbac.create need to be set to true + ## + createMaster: false + ## @param sentinel.service.loadBalancerIP Redis® Sentinel service Load Balancer IP ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer ## @@ -1396,7 +1427,6 @@ sentinel: ## @param sentinel.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-node pods ## terminationGracePeriodSeconds: 30 - ## @section Other Parameters ## 
@@ -1405,7 +1435,6 @@ sentinel: ## serviceBindings: enabled: false - ## Network Policy configuration ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## @@ -1461,7 +1490,6 @@ networkPolicy: ## ingressNSMatchLabels: {} ingressNSPodMatchLabels: {} - metrics: ## @param networkPolicy.metrics.allowExternal Don't require client label for connections for metrics endpoint ## When set to false, only pods with the correct client label will have network access to the metrics port @@ -1472,7 +1500,6 @@ networkPolicy: ## ingressNSMatchLabels: {} ingressNSPodMatchLabels: {} - ## PodSecurityPolicy configuration ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ ## @@ -1561,10 +1588,8 @@ tls: ## @param tls.dhParamsFilename File containing DH params (in order to support DH based ciphers) ## dhParamsFilename: "" - ## @section Metrics Parameters ## - metrics: ## @param metrics.enabled Start a sidecar prometheus exporter to expose Redis® metrics ## @@ -1581,7 +1606,7 @@ metrics: image: registry: docker.io repository: bitnami/redis-exporter - tag: 1.57.0-debian-11-r2 + tag: 1.58.0-debian-12-r4 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1592,7 +1617,6 @@ metrics: ## - myRegistryKeySecretName ## pullSecrets: [] - ## @param metrics.containerPorts.http Metrics HTTP container port ## containerPorts: 
@@ -1678,6 +1702,7 @@ metrics: ## @param metrics.containerSecurityContext.runAsGroup Set Redis® exporter containers' Security Context runAsGroup ## @param metrics.containerSecurityContext.runAsNonRoot Set Redis® exporter containers' Security Context runAsNonRoot ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set Redis® exporter containers' Security Context allowPrivilegeEscalation + ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem ## @param metrics.containerSecurityContext.seccompProfile.type Set Redis® exporter containers' Security Context seccompProfile ## @param metrics.containerSecurityContext.capabilities.drop Set Redis® exporter containers' Security Context capabilities to drop ## @@ -1688,11 +1713,11 @@ metrics: runAsGroup: 0 runAsNonRoot: true allowPrivilegeEscalation: false + readOnlyRootFilesystem: false seccompProfile: type: RuntimeDefault capabilities: - drop: - - ALL + drop: ["ALL"] ## @param metrics.extraVolumes Optionally specify extra list of additional volumes for the Redis® metrics sidecar ## extraVolumes: [] 
@@ -1701,12 +1726,21 @@ metrics: extraVolumeMounts: [] ## Redis® exporter resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param metrics.resources.limits The resources limits for the Redis® exporter container - ## @param metrics.resources.requests The requested resources for the Redis® exporter container + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - limits: {} - requests: {} + resourcesPreset: "none" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## @param metrics.podLabels Extra labels for Redis® exporter pods ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ ## 
@@ -1802,16 +1836,16 @@ metrics: ## @param metrics.serviceMonitor.additionalEndpoints Additional endpoints to scrape (e.g sentinel) ## additionalEndpoints: [] - # uncomment in order to scrape sentinel metrics, also to in order distinguish between Sentinel and Redis container metrics - # add metricRelabelings with label like app=redis to main redis pod-monitor port - # - interval: "30s" - # path: "/scrape" - # port: "metrics" - # params: - # target: ["localhost:26379"] - # metricRelabelings: - # - targetLabel: "app" - # replacement: "sentinel" + # uncomment in order to scrape sentinel metrics, also to in order distinguish between Sentinel and Redis container metrics + # add metricRelabelings with label like app=redis to main redis pod-monitor port + # - interval: "30s" + # path: "/scrape" + # port: "metrics" + # params: + # target: ["localhost:26379"] + # metricRelabelings: + # - targetLabel: "app" + # replacement: "sentinel" ## Prometheus Pod Monitor ## ref: https://github.com/coreos/prometheus-operator ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#podmonitor @@ -1838,8 +1872,8 @@ metrics: ## @param metrics.podMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion. ## metricRelabelings: [] - # - targetLabel: "app" - # replacement: "redis" + # - targetLabel: "app" + # replacement: "redis" ## @param metrics.podMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint ## honorLabels: false 
@@ -1858,15 +1892,14 @@ metrics: ## @param metrics.podMonitor.additionalEndpoints Additional endpoints to scrape (e.g sentinel) ## additionalEndpoints: [] - # - interval: "30s" - # path: "/scrape" - # port: "metrics" - # params: - # target: ["localhost:26379"] - # metricRelabelings: - # - targetLabel: "app" - # replacement: "sentinel" - + # - interval: "30s" + # path: "/scrape" + # port: "metrics" + # params: + # target: ["localhost:26379"] + # metricRelabelings: + # - targetLabel: "app" + # replacement: "sentinel" ## Custom PrometheusRule to be defined ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions ## @@ -1916,7 +1949,6 @@ metrics: ## Redis® instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes. ## rules: [] - ## @section Init Container Parameters ## @@ -1940,7 +1972,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r96 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -1953,12 +1985,21 @@ volumePermissions: pullSecrets: [] ## Init container's resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param volumePermissions.resources.limits The resources limits for the init container - ## @param volumePermissions.resources.requests The requested resources for the init container + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - limits: {} - requests: {} + resourcesPreset: "none" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Init container Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container 
@@ -1971,6 +2012,49 @@ volumePermissions: seLinuxOptions: null runAsUser: 0 +## Kubectl InitContainer +## used by Sentinel to update the isMaster label on the Redis(TM) pods +## +kubectl: + ## Bitnami Kubectl image version + ## ref: https://hub.docker.com/r/bitnami/kubectl/tags/ + ## @param kubectl.image.registry [default: REGISTRY_NAME] Kubectl image registry + ## @param kubectl.image.repository [default: REPOSITORY_NAME/kubectl] Kubectl image repository + ## @skip kubectl.image.tag Kubectl image tag (immutable tags are recommended), by default, using the current version + ## @param kubectl.image.digest Kubectl image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param kubectl.image.pullPolicy Kubectl image pull policy + ## @param kubectl.image.pullSecrets Kubectl pull secrets + ## + image: + registry: docker.io + repository: bitnami/kubectl + tag: 1.29.2-debian-12-r3 + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param kubectl.command kubectl command to execute + ## + command: ["/opt/bitnami/scripts/kubectl-scripts/update-master-label.sh"] + ## Bitnami Kubectl resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param kubectl.resources.limits The resources limits for the kubectl containers + ## @param kubectl.resources.requests The requested resources for the kubectl containers + ## + resources: + limits: {} + requests: {} + ## init-sysctl container parameters ## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings) ## @@ -1990,7 +2074,7 @@ sysctl: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r96 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
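Review bot: The new `kubectl` section is the only container block in this file without containerSecurityContext parameters, even though its `command` runs `update-master-label.sh`, which per the section comment updates the isMaster label on the Redis pods and therefore presumably runs with a service account allowed to patch pods (the `sentinel.service.createMaster` doc earlier in the diff notes that rbac.create must be true). A container that holds API credentials should at least carry the same hardening keys the sentinel and master blocks declare; the block below mirrors those keys. Separately, `resources: limits: {} requests: {}` and its two @param lines use the legacy shape that every other section in this diff migrates to `resourcesPreset: "none"` plus `resources: {}`, so this section is inconsistent with the rest of the file.

```yaml
  # … unchanged: kubectl.image, kubectl.command, kubectl.resources …
  ## Kubectl container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param kubectl.containerSecurityContext.enabled Enabled kubectl containers' Security Context
  ## @param kubectl.containerSecurityContext.runAsNonRoot Set kubectl containers' Security Context runAsNonRoot
  ## @param kubectl.containerSecurityContext.allowPrivilegeEscalation Set kubectl containers' Security Context allowPrivilegeEscalation
  ## @param kubectl.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem
  ## @param kubectl.containerSecurityContext.seccompProfile.type Set kubectl containers' Security Context seccompProfile
  ## @param kubectl.containerSecurityContext.capabilities.drop Set kubectl containers' Security Context capabilities to drop
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: null
    # runAsUser: use the same non-root UID the other containers in this file declare
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop: ["ALL"]
```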
@@ -2009,13 +2093,21 @@ sysctl: mountHostSys: false ## Init container's resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param sysctl.resources.limits The resources limits for the init container - ## @param sysctl.resources.requests The requested resources for the init container + ## @param sysctl.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - limits: {} - requests: {} - + resourcesPreset: "none" + ## @param sysctl.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## @section useExternalDNS Parameters ## ## @param useExternalDNS.enabled Enable various syntax that would enable external-dns to work. Note this requires a working installation of `external-dns` to be usable. diff --git a/charts/bitnami/airflow/templates/_git_helpers.tpl b/charts/bitnami/airflow/templates/_git_helpers.tpl index 7b1c94897..3ba616ef9 100644 --- a/charts/bitnami/airflow/templates/_git_helpers.tpl +++ b/charts/bitnami/airflow/templates/_git_helpers.tpl @@ -18,12 +18,14 @@ Returns the volume mounts that will be used by git containers (clone and sync) */}} {{- define "airflow.git.volumeMounts" -}} {{- if .Values.git.dags.enabled }} -- name: git-cloned-dags +- name: empty-dir mountPath: /dags + subPath: app-git-dags-dir {{- end }} {{- if .Values.git.plugins.enabled }} -- name: git-cloned-plugins +- name: empty-dir mountPath: /plugins + subPath: app-git-plugins-dir {{- end }} {{- end -}} 
@@ -33,42 +35,28 @@ Returns the volume mounts that will be used by the main container {{- define "airflow.git.maincontainer.volumeMounts" -}} {{- if .Values.git.dags.enabled }} {{- range .Values.git.dags.repositories }} -- name: git-cloned-dags +- name: empty-dir mountPath: /opt/bitnami/airflow/dags/git_{{ include "airflow.git.repository.name" . }} {{- if .path }} - subPath: {{ include "airflow.git.repository.name" . }}/{{ .path }} + subPath: app-git-dags-dir/{{ include "airflow.git.repository.name" . }}/{{ .path }} {{- else }} - subPath: {{ include "airflow.git.repository.name" . }} + subPath: app-git-dags-dir/{{ include "airflow.git.repository.name" . }} {{- end }} {{- end }} {{- end }} {{- if .Values.git.plugins.enabled }} {{- range .Values.git.plugins.repositories }} -- name: git-cloned-plugins +- name: empty-dir mountPath: /opt/bitnami/airflow/plugins/git_{{ include "airflow.git.repository.name" . }} {{- if .path }} - subPath: {{ include "airflow.git.repository.name" . }}/{{ .path }} + subPath: app-git-plugins-dir/{{ include "airflow.git.repository.name" . }}/{{ .path }} {{- else }} - subPath: {{ include "airflow.git.repository.name" . }} + subPath: app-git-plugins-dir/{{ include "airflow.git.repository.name" . }} {{- end }} {{- end }} {{- end }} {{- end -}} -{{/* -Returns the volumes that will be attached to the workload resources (deployment, statefulset, etc) -*/}} -{{- define "airflow.git.volumes" -}} -{{- if .Values.git.dags.enabled }} -- name: git-cloned-dags - emptyDir: {} -{{- end }} -{{- if .Values.git.plugins.enabled }} -- name: git-cloned-plugins - emptyDir: {} -{{- end }} -{{- end -}} - {{/* Returns the init container that will clone repositories files from a given list of git repositories Usage: 
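Review bot: Deleting the `airflow.git.volumes` define makes any template that still includes it fail to render; this diff drops the include in config/configmap.yaml and scheduler/deployment.yaml, but the web/deployment.yaml hunk visible here only touches whitespace and the worker template is not in view, so confirm those callers were updated as well. The new contract is also undocumented: git content now lives in the shared `empty-dir` volume under the `app-git-dags-dir` and `app-git-plugins-dir` subPaths, and each workload must declare that volume itself. A comment at the top of `airflow.git.volumeMounts` such as `{{/* Git clones are written into the shared "empty-dir" volume; callers must declare that volume themselves now that airflow.git.volumes is gone */}}` would keep this visible to the next maintainer.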
@@ -80,7 +68,7 @@ Usage: image: {{ include "git.image" .context | quote }} imagePullPolicy: {{ .context.Values.git.image.pullPolicy | quote }} {{- if .securityContext.enabled }} - securityContext: {{- omit .securityContext "enabled" | toYaml | nindent 4 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .securityContext "context" .context) | nindent 4 }} {{- end }} {{- if .context.Values.git.clone.resources }} resources: {{- toYaml .context.Values.git.clone.resources | nindent 4 }} @@ -113,6 +101,9 @@ Usage: {{- end }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- include "airflow.git.volumeMounts" .context | trim | nindent 4 }} {{- if .context.Values.git.clone.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .context.Values.git.clone.extraVolumeMounts "context" .context) | nindent 4 }} @@ -145,7 +136,7 @@ Usage: image: {{ include "git.image" .context | quote }} imagePullPolicy: {{ .context.Values.git.image.pullPolicy | quote }} {{- if .securityContext.enabled }} - securityContext: {{- omit .securityContext "enabled" | toYaml | nindent 4 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .securityContext "context" .context) | nindent 4 }} {{- end }} {{- if .context.Values.git.sync.resources }} resources: {{- toYaml .context.Values.git.sync.resources | nindent 4 }} diff --git a/charts/bitnami/airflow/templates/_helpers.tpl b/charts/bitnami/airflow/templates/_helpers.tpl index 8dfa5bc73..8fda74713 100644 --- a/charts/bitnami/airflow/templates/_helpers.tpl +++ b/charts/bitnami/airflow/templates/_helpers.tpl 
@@ -204,7 +204,7 @@ Load DAGs init-container image: {{ include "airflow.dags.image" .context }} imagePullPolicy: {{ .context.Values.dags.image.pullPolicy }} {{- if $compDefinition.containerSecurityContext.enabled }} - securityContext: {{- omit $compDefinition.containerSecurityContext "enabled" | toYaml | nindent 4 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $compDefinition.containerSecurityContext "context" $) | nindent 4 }} {{- end }} command: - /bin/bash @@ -213,10 +213,14 @@ Load DAGs init-container - | cp /configmap/* /dags volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: load-external-dag-files mountPath: /configmap - - name: external-dag-files + - name: empty-dir mountPath: /dags + subPath: app-external-dag-dir {{- end -}} {{/* @@ -381,6 +385,10 @@ Add environment variables to configure airflow common values key: airflow-secret-key - name: AIRFLOW_LOAD_EXAMPLES value: {{ ternary "yes" "no" .Values.loadExamples | quote }} +{{- if not (or .Values.configuration .Values.existingConfigmap) }} +- name: AIRFLOW_FORCE_OVERWRITE_CONF_FILE + value: "yes" +{{- end }} {{- if .Values.web.image.debug }} - name: BASH_DEBUG value: "1" diff --git a/charts/bitnami/airflow/templates/config/configmap.yaml b/charts/bitnami/airflow/templates/config/configmap.yaml index 4d4ccfff4..e5d6ab7fd 100644 --- a/charts/bitnami/airflow/templates/config/configmap.yaml +++ b/charts/bitnami/airflow/templates/config/configmap.yaml 
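Review bot: The new `AIRFLOW_FORCE_OVERWRITE_CONF_FILE` branch carries no explanation of why the default configuration must be overwritten only when neither `.Values.configuration` nor `.Values.existingConfigmap` is set; from the scheduler hunk later in this diff it looks tied to the new `create-default-config` init container serving airflow.cfg from an emptyDir subPath, but that coupling is not stated here. A template comment above the `if`, such as `{{/* No user-provided airflow.cfg: let the entrypoint regenerate the default one that create-default-config copied into the empty-dir volume */}}`, would make the dependency explicit and hedge against one side being changed without the other. The enclosing define starts and ends outside this hunk.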
@@ -66,14 +66,14 @@ data: {{- end }} serviceAccountName: {{ include "airflow.serviceAccountName" . }} {{- if .Values.worker.podSecurityContext.enabled }} - securityContext: {{- omit .Values.worker.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.worker.podSecurityContext "context" $) | nindent 8 }} {{- end }} initContainers: {{- include "airflow.git.containers.clone" (dict "securityContext" .Values.worker.containerSecurityContext "context" $) | trim | nindent 8 }} - name: k8s-executor-init-config image: {{ include "airflow.workerImage" . }} imagePullPolicy: {{ .Values.worker.image.pullPolicy }} {{- if .Values.worker.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.worker.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.worker.containerSecurityContext "context" $) | nindent 12 }} {{- end }} command: - /bin/bash @@ -102,8 +102,9 @@ data: resources: {{- include "common.resources.preset" (dict "type" .Values.worker.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - - name: k8s-executor-config + - name: empty-dir mountPath: /opt/bitnami/airflow/k8s-executor-config + subPath: app-k8s-executor-conf-dir {{- if .Values.initContainers }} {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | trim | nindent 8 }} {{- end }} 
@@ -115,7 +116,7 @@ data: image: {{ include "airflow.workerImage" . }} imagePullPolicy: {{ .Values.worker.image.pullPolicy }} {{- if .Values.worker.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.worker.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.worker.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -208,6 +209,9 @@ data: {{- end }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Files.Glob "files/dags/*.py" }} - name: local-dag-files mountPath: /opt/bitnami/airflow/dags/local @@ -221,9 +225,9 @@ data: mountPath: /opt/bitnami/airflow/airflow.cfg subPath: airflow.cfg {{- else }} - - name: k8s-executor-config + - name: empty-dir mountPath: /opt/bitnami/airflow/airflow.cfg - subPath: airflow.cfg + subPath: app-k8s-executor-conf-dir/airflow.cfg {{- end }} {{- if .Values.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} @@ -239,7 +243,7 @@ data: {{- include "common.tplvalues.render" (dict "value" .Values.worker.sidecars "context" $) | trim | nindent 8 }} {{- end }} volumes: - - name: k8s-executor-config + - name: empty-dir emptyDir: {} {{- if .Values.dags.existingConfigmap }} - name: external-dag-files @@ -257,7 +261,6 @@ data: {{- if .Values.worker.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.worker.extraVolumes "context" $) | nindent 8 }} {{- end }} - {{- include "airflow.git.volumes" . | trim | nindent 8 }} {{- end }} {{- end }} {{- end }} diff --git a/charts/bitnami/airflow/templates/metrics/deployment.yaml b/charts/bitnami/airflow/templates/metrics/deployment.yaml index 513c4693c..adce1e15a 100644 
--- a/charts/bitnami/airflow/templates/metrics/deployment.yaml +++ b/charts/bitnami/airflow/templates/metrics/deployment.yaml @@ -60,13 +60,13 @@ spec: schedulerName: {{ .Values.metrics.schedulerName }} {{- end }} {{- if .Values.metrics.podSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.podSecurityContext "context" $) | nindent 8 }} {{- end }} containers: - image: {{ include "airflow.metrics.image" . | quote }} name: airflow-exporter {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -118,4 +118,17 @@ spec: {{- else if ne .Values.metrics.resourcesPreset "none" }} resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + {{- if .Values.metrics.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumes "context" $) | nindent 8 }} + {{- end }} {{- end }} diff --git a/charts/bitnami/airflow/templates/scheduler/deployment.yaml b/charts/bitnami/airflow/templates/scheduler/deployment.yaml index ea99c7615..418577675 100644 
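Review bot: The added `volumeMounts`/`volumes` blocks reference `.Values.metrics.extraVolumeMounts` and `.Values.metrics.extraVolumes`, but the airflow chart's values.yaml is not part of this chunk, so it is not visible whether those keys are declared and documented with `@param` lines; if they are missing, the `if` guards silently render nothing and users have no way to discover the option. Please confirm both keys exist in values.yaml (with empty-list defaults) or add them alongside this change.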
--- a/charts/bitnami/airflow/templates/scheduler/deployment.yaml +++ b/charts/bitnami/airflow/templates/scheduler/deployment.yaml @@ -52,7 +52,7 @@ spec: nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.scheduler.nodeSelector "context" $) | nindent 8 }} {{- end }} {{- if .Values.scheduler.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ .Values.scheduler.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.scheduler.terminationGracePeriodSeconds }} {{- end }} {{- if .Values.scheduler.tolerations }} tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.scheduler.tolerations "context" $) | nindent 8 }} 
@@ -68,9 +68,38 @@ spec: {{- end }} serviceAccountName: {{ include "airflow.serviceAccountName" . }} {{- if .Values.scheduler.podSecurityContext.enabled }} - securityContext: {{- omit .Values.scheduler.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.scheduler.podSecurityContext "context" $) | nindent 8 }} {{- end }} initContainers: + - name: create-default-config + image: {{ include "airflow.schedulerImage" . }} + imagePullPolicy: {{ .Values.scheduler.image.pullPolicy | quote }} + {{- if .Values.scheduler.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.scheduler.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/bash + args: + - -ec + - | + #!/bin/bash + + cp "$(find /opt/bitnami/airflow -name default_airflow.cfg)" /default-conf/airflow.cfg + # HACK: When testing the connection it creates an empty airflow.db file at the + # application root + touch /default-conf/airflow.db + {{- if .Values.scheduler.resources }} + resources: {{- toYaml .Values.scheduler.resources | nindent 12 }} + {{- else if ne .Values.scheduler.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.scheduler.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /default-conf + subPath: app-default-conf-dir {{- include "airflow.git.containers.clone" (dict "securityContext" .Values.scheduler.containerSecurityContext "context" $) | trim | nindent 8 }} {{- if .Values.dags.existingConfigmap }} {{- include "airflow.loadDAGsInitContainer" (dict "component" "scheduler" "context" . ) | trim | nindent 8 }} 
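Review bot: The new `create-default-config` init container renders its securityContext with `omit ... "enabled" | toYaml`, while every other securityContext in this hunk and the next one is switched to `common.compatibility.renderSecurityContext`; with `global.compatibility.openshift.adaptSecurityContext` set to auto or force (the helper, per the redis values hunk earlier in this diff, strips runAsUser/runAsGroup/fsGroup) this init container would keep the explicit IDs the rest of the pod drops, so it should use `securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.scheduler.containerSecurityContext "context" $) | nindent 12 }}`. The script also runs under `-e` and feeds `cp` a single quoted `$(find ...)` result: if `default_airflow.cfg` is not found cp receives an empty path, and if it matches more than once it receives one argument with embedded newlines, both failing with a confusing message. A guard such as `cfg="$(find /opt/bitnami/airflow -name default_airflow.cfg | head -n 1)"` followed by `[ -n "$cfg" ] || { echo "default_airflow.cfg not found" >&2; exit 1; }` before the `cp` gives a clear failure instead.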
@@ -87,7 +116,7 @@ spec: image: {{ include "airflow.schedulerImage" . | quote }} imagePullPolicy: {{ .Values.scheduler.image.pullPolicy | quote }} {{- if .Values.scheduler.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.scheduler.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.scheduler.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -183,18 +212,38 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.scheduler.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /opt/bitnami/airflow/nss-wrapper + subPath: app-nss-wrapper-dir + - name: empty-dir + mountPath: /opt/bitnami/airflow/logs + subPath: app-logs-dir + - name: empty-dir + mountPath: /opt/bitnami/airflow/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/airflow/airflow.db + subPath: app-default-conf-dir/airflow.db + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Files.Glob "files/dags/*.py" }} - name: local-dag-files mountPath: /opt/bitnami/airflow/dags/local {{- end }} {{- if .Values.dags.existingConfigmap }} - - name: external-dag-files + - name: empty-dir mountPath: /opt/bitnami/airflow/dags/external + subPath: app-external-dag-dir {{- end }} {{- if or .Values.configuration .Values.existingConfigmap }} - name: custom-configuration-file mountPath: /opt/bitnami/airflow/airflow.cfg subPath: airflow.cfg + {{- else }} + - name: empty-dir + mountPath: /opt/bitnami/airflow/airflow.cfg + subPath: app-default-conf-dir/airflow.cfg {{- end }} {{- if $kube }} - name: custom-configuration-file 
@@ -215,12 +264,12 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.scheduler.sidecars "context" $) | trim | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} {{- if .Values.dags.existingConfigmap }} - name: load-external-dag-files configMap: name: {{ tpl .Values.dags.existingConfigmap $ }} - - name: external-dag-files - emptyDir: {} {{- end }} {{- if or .Values.configuration .Values.existingConfigmap $kube }} - name: custom-configuration-file @@ -233,4 +282,3 @@ spec: {{- if .Values.scheduler.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.scheduler.extraVolumes "context" $) | nindent 8 }} {{- end }} - {{- include "airflow.git.volumes" . | trim | nindent 8 }} diff --git a/charts/bitnami/airflow/templates/web/deployment.yaml b/charts/bitnami/airflow/templates/web/deployment.yaml index 12a43bbcb..4f24ce6cc 100644 --- a/charts/bitnami/airflow/templates/web/deployment.yaml +++ b/charts/bitnami/airflow/templates/web/deployment.yaml @@ -51,7 +51,7 @@ spec: nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.web.nodeSelector "context" $) | nindent 8 }} {{- end }} {{- if .Values.web.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ .Values.web.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.web.terminationGracePeriodSeconds }} {{- end }} {{- if .Values.web.tolerations }} tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.web.tolerations "context" $) | nindent 8 }} 
@@ -67,9 +67,39 @@ spec: {{- end }} serviceAccountName: {{ include "airflow.serviceAccountName" . }} {{- if .Values.web.podSecurityContext.enabled }} - securityContext: {{- omit .Values.web.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.web.podSecurityContext "context" $) | nindent 8 }} {{- end }} initContainers: + - name: create-default-config + image: {{ include "airflow.image" . }} + imagePullPolicy: {{ .Values.web.image.pullPolicy | quote }} + {{- if .Values.web.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.web.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/bash + args: + - -ec + - | + #!/bin/bash + + cp "$(find /opt/bitnami/airflow -name default_airflow.cfg)" /default-conf/airflow.cfg + cp "$(find /opt/bitnami/airflow -name default_webserver_config.py)" /default-conf/webserver_config.py + # HACK: When testing the connection it creates an empty airflow.db file at the + # application root + touch /default-conf/airflow.db + {{- if .Values.web.resources }} + resources: {{- toYaml .Values.web.resources | nindent 12 }} + {{- else if ne .Values.web.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.web.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /default-conf + subPath: app-default-conf-dir {{- include "airflow.git.containers.clone" (dict "securityContext" .Values.web.containerSecurityContext "context" $) | trim | nindent 8 }} {{- if .Values.dags.existingConfigmap }} {{- include "airflow.loadDAGsInitContainer" (dict "component" "web" "context" . ) | trim | nindent 8 }} 
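Review bot: `cp "$(find /opt/bitnami/airflow -name default_airflow.cfg)" /default-conf/airflow.cfg` relies on `find` returning exactly one path; with `-e` an empty result fails `cp` (fail-closed, acceptable), but two matches — a second copy under a site-packages tree, or a custom image — yield a newline-joined argument and an opaque `cp` error. Pinning the search makes the intent explicit and the failure message useful: `cfg="$(find /opt/bitnami/airflow -name default_airflow.cfg -print -quit)"`, then `[ -n "$cfg" ] || { echo "default_airflow.cfg not found" >&2; exit 1; }`, then `cp "$cfg" /default-conf/airflow.cfg`. The same applies to the `default_webserver_config.py` copy in this container and to the scheduler and worker init containers added in this commit.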
@@ -86,7 +116,7 @@ spec: image: {{ include "airflow.image" . }} imagePullPolicy: {{ .Values.web.image.pullPolicy | quote }} {{- if .Values.web.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.web.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.web.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} 
@@ -237,23 +267,47 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.web.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/airflow/nss-wrapper + subPath: app-nss-wrapper-dir + - name: empty-dir + mountPath: /opt/bitnami/airflow/logs + subPath: app-logs-dir + - name: empty-dir + mountPath: /opt/bitnami/airflow/airflow.db + subPath: app-default-conf-dir/airflow.db + - name: empty-dir + mountPath: /opt/bitnami/airflow/tmp + subPath: app-tmp-dir {{- if .Files.Glob "files/dags/*.py" }} - name: local-dag-files mountPath: /opt/bitnami/airflow/dags/local {{- end }} {{- if .Values.dags.existingConfigmap }} - - name: external-dag-files + - name: empty-dir mountPath: /opt/bitnami/airflow/dags/external + subPath: app-external-dag-dir {{- end }} {{- if or .Values.configuration .Values.existingConfigmap }} - name: custom-configuration-file mountPath: /opt/bitnami/airflow/airflow.cfg subPath: airflow.cfg + {{- else }} + - name: empty-dir + mountPath: /opt/bitnami/airflow/airflow.cfg + subPath: app-default-conf-dir/airflow.cfg {{- end }} {{- if .Values.web.existingConfigmap }} - name: custom-webserver-configuration-file mountPath: /opt/bitnami/airflow/webserver_config.py subPath: webserver_config.py + {{- else }} + - name: empty-dir + mountPath: /opt/bitnami/airflow/webserver_config.py + subPath: app-default-conf-dir/webserver_config.py {{- end }} {{- if .Values.ldap.tls.enabled }} - name: airflow-ldap-ca-certificate 
@@ -274,12 +328,12 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.web.sidecars "context" $) | trim | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} {{- if .Values.dags.existingConfigmap }} - name: load-external-dag-files configMap: name: {{ tpl .Values.dags.existingConfigmap $ }} - - name: external-dag-files - emptyDir: {} {{- end }} {{- if or .Values.configuration .Values.existingConfigmap }} - name: custom-configuration-file @@ -303,4 +357,3 @@ spec: {{- if .Values.web.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.web.extraVolumes "context" $) | nindent 8 }} {{- end }} - {{- include "airflow.git.volumes" . | trim | nindent 8 }} diff --git a/charts/bitnami/airflow/templates/worker/statefulset.yaml b/charts/bitnami/airflow/templates/worker/statefulset.yaml index ffed29975..b9bb413bc 100644 --- a/charts/bitnami/airflow/templates/worker/statefulset.yaml +++ b/charts/bitnami/airflow/templates/worker/statefulset.yaml @@ -56,7 +56,7 @@ spec: nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.worker.nodeSelector "context" $) | nindent 8 }} {{- end }} {{- if .Values.worker.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ .Values.worker.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.worker.terminationGracePeriodSeconds }} {{- end }} {{- if .Values.worker.tolerations }} tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.worker.tolerations "context" $) | nindent 8 }} 
@@ -72,9 +72,39 @@ spec: {{- end }} serviceAccountName: {{ include "airflow.serviceAccountName" . }} {{- if .Values.worker.podSecurityContext.enabled }} - securityContext: {{- omit .Values.worker.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.worker.podSecurityContext "context" $) | nindent 8 }} {{- end }} initContainers: + - name: create-default-config + image: {{ include "airflow.workerImage" . }} + imagePullPolicy: {{ .Values.worker.image.pullPolicy | quote }} + {{- if .Values.worker.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.worker.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/bash + args: + - -ec + - | + #!/bin/bash + + cp "$(find /opt/bitnami/airflow -name default_airflow.cfg)" /default-conf/airflow.cfg + cp "$(find /opt/bitnami/airflow -name default_webserver_config.py)" /default-conf/webserver_config.py + # HACK: When testing the connection it creates an empty airflow.db file at the + # application root + touch /default-conf/airflow.db + {{- if .Values.worker.resources }} + resources: {{- toYaml .Values.worker.resources | nindent 12 }} + {{- else if ne .Values.worker.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.worker.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /default-conf + subPath: app-default-conf-dir {{- include "airflow.git.containers.clone" (dict "securityContext" .Values.worker.containerSecurityContext "context" $) | trim | nindent 8 }} {{- if .Values.dags.existingConfigmap }} {{- include "airflow.loadDAGsInitContainer" (dict "component" "worker" "context" . ) | trim | nindent 8 }} 
@@ -91,7 +121,7 @@ spec: image: {{ include "airflow.workerImage" . }} imagePullPolicy: {{ .Values.worker.image.pullPolicy | quote }} {{- if .Values.worker.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.worker.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.worker.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} 
@@ -185,19 +215,42 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.worker.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /opt/bitnami/airflow/nss-wrapper + subPath: app-nss-wrapper-dir + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/airflow/airflow.db + subPath: app-default-conf-dir/airflow.db + - name: empty-dir + mountPath: /opt/bitnami/airflow/logs + subPath: app-logs-dir + - name: empty-dir + mountPath: /opt/bitnami/airflow/tmp + subPath: app-tmp-dir {{- if .Files.Glob "files/dags/*.py" }} - name: local-dag-files mountPath: /opt/bitnami/airflow/dags/local {{- end }} {{- if .Values.dags.existingConfigmap }} - - name: external-dag-files + - name: empty-dir mountPath: /opt/bitnami/airflow/dags/external + subPath: app-external-dag-dir {{- end }} {{- if or .Values.configuration .Values.existingConfigmap }} - name: custom-configuration-file mountPath: /opt/bitnami/airflow/airflow.cfg subPath: airflow.cfg + {{- else }} + - name: empty-dir + mountPath: /opt/bitnami/airflow/airflow.cfg + subPath: app-default-conf-dir/airflow.cfg {{- end }} + - name: empty-dir + mountPath: /opt/bitnami/airflow/webserver_config.py + subPath: app-default-conf-dir/webserver_config.py {{- include "airflow.git.maincontainer.volumeMounts" . | trim | nindent 12 }} {{- if .Values.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} 
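Review bot: The last added mount puts the default `webserver_config.py` from `empty-dir` into the worker unconditionally, whereas the web deployment in this commit only does so when `web.existingConfigmap` is unset. A deployment that customises the webserver auth config through `web.existingConfigmap` will therefore run workers with the stock copy; if that is intentional because the worker only needs the file to be present, say so with a comment such as `# Workers only need a readable webserver_config.py; the web's custom config is not mirrored here`, otherwise reuse the web's conditional. The enclosing container spec begins outside this hunk.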
@@ -212,12 +265,12 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.worker.sidecars "context" $) | trim | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} {{- if .Values.dags.existingConfigmap }} - name: load-external-dag-files configMap: name: {{ tpl .Values.dags.existingConfigmap $ }} - - name: external-dag-files - emptyDir: {} {{- end }} {{- if or .Values.configuration .Values.existingConfigmap }} - name: custom-configuration-file @@ -230,7 +283,6 @@ spec: {{- if .Values.worker.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.worker.extraVolumes "context" $) | nindent 8 }} {{- end }} - {{- include "airflow.git.volumes" . | trim | nindent 8 }} {{- if .Values.worker.extraVolumeClaimTemplates }} volumeClaimTemplates: {{- include "common.tplvalues.render" (dict "value" .Values.worker.extraVolumeClaimTemplates "context" $) | nindent 8 }} {{- end }} diff --git a/charts/bitnami/airflow/values.yaml b/charts/bitnami/airflow/values.yaml index 6f624b404..eb2743f77 100644 --- a/charts/bitnami/airflow/values.yaml +++ b/charts/bitnami/airflow/values.yaml @@ -18,6 +18,15 @@ global: ## imagePullSecrets: [] storageClass: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## @section Common parameters ## @param kubeVersion Override Kubernetes version 
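Review bot: `{{- include "airflow.git.volumes" . | trim | nindent 8 }}` is dropped from the worker's `volumes`, yet the main container still includes `airflow.git.maincontainer.volumeMounts` and the git clone init container is still rendered, and the `_helpers.tpl` change that would redirect those helpers to the new `empty-dir` volume is not part of this diff. If the helpers still reference the volume names the removed include used to define, any release with git-synced DAGs fails API validation with an unknown volume name. Please confirm the helper update landed (the scheduler and web templates make the same removal) and consider a comment beside the `empty-dir` volume noting that git clone directories now live under it.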
@@ -119,7 +128,7 @@ dags: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r96 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -184,7 +193,7 @@ web: image: registry: docker.io repository: bitnami/airflow - tag: 2.8.1-debian-11-r4 + tag: 2.8.3-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -322,9 +331,11 @@ web: ## @param web.containerSecurityContext.enabled Enabled Airflow web containers' Security Context ## @param web.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param web.containerSecurityContext.runAsUser Set Airflow web containers' Security Context runAsUser + ## @param web.containerSecurityContext.runAsGroup Set Airflow web containers' Security Context runAsGroup ## @param web.containerSecurityContext.runAsNonRoot Set Airflow web containers' Security Context runAsNonRoot ## @param web.containerSecurityContext.privileged Set web container's Security Context privileged ## @param web.containerSecurityContext.allowPrivilegeEscalation Set web container's Security Context allowPrivilegeEscalation + ## @param web.containerSecurityContext.readOnlyRootFilesystem Set web container's Security Context readOnlyRootFilesystem ## @param web.containerSecurityContext.capabilities.drop List of capabilities to be dropped ## @param web.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## @@ -332,9 +343,11 @@ web: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false + readOnlyRootFilesystem: false capabilities: drop: ["ALL"] seccompProfile: 
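Review bot: `readOnlyRootFilesystem: false` is introduced as the web container default even though this same change moves every writable path (`/tmp`, `logs`, `tmp`, `nss-wrapper`, `airflow.db`, `airflow.cfg`, `webserver_config.py`) onto the `empty-dir` volume, which is precisely what makes a read-only root filesystem viable. Leaving it off keeps the image's own filesystem writable for any code that runs in the container, so either flip the default to `readOnlyRootFilesystem: true` once the mounts are verified, or add a `##` comment above it explaining why it stays disabled for now. The same default is added for the scheduler, worker and exporter contexts further down.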
@@ -525,7 +538,7 @@ scheduler: image: registry: docker.io repository: bitnami/airflow-scheduler - tag: 2.8.1-debian-11-r4 + tag: 2.8.3-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -639,9 +652,11 @@ scheduler: ## @param scheduler.containerSecurityContext.enabled Enabled Airflow scheduler containers' Security Context ## @param scheduler.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param scheduler.containerSecurityContext.runAsUser Set Airflow scheduler containers' Security Context runAsUser + ## @param scheduler.containerSecurityContext.runAsGroup Set Airflow scheduler containers' Security Context runAsGroup ## @param scheduler.containerSecurityContext.runAsNonRoot Set Airflow scheduler containers' Security Context runAsNonRoot ## @param scheduler.containerSecurityContext.privileged Set scheduler container's Security Context privileged ## @param scheduler.containerSecurityContext.allowPrivilegeEscalation Set scheduler container's Security Context allowPrivilegeEscalation + ## @param scheduler.containerSecurityContext.readOnlyRootFilesystem Set scheduler container's Security Context readOnlyRootFilesystem ## @param scheduler.containerSecurityContext.capabilities.drop List of capabilities to be dropped ## @param scheduler.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## @@ -649,9 +664,11 @@ scheduler: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false + readOnlyRootFilesystem: false capabilities: drop: ["ALL"] seccompProfile: @@ -842,7 +859,7 @@ worker: image: registry: docker.io repository: bitnami/airflow-worker - tag: 2.8.1-debian-11-r4 + tag: 2.8.3-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -974,9 +991,11 @@ worker: ## @param worker.containerSecurityContext.enabled Enabled Airflow worker containers' Security Context ## @param worker.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param worker.containerSecurityContext.runAsUser Set Airflow worker containers' Security Context runAsUser + ## @param worker.containerSecurityContext.runAsGroup Set Airflow worker containers' Security Context runAsGroup ## @param worker.containerSecurityContext.runAsNonRoot Set Airflow worker containers' Security Context runAsNonRoot ## @param worker.containerSecurityContext.privileged Set worker container's Security Context privileged ## @param worker.containerSecurityContext.allowPrivilegeEscalation Set worker container's Security Context allowPrivilegeEscalation + ## @param worker.containerSecurityContext.readOnlyRootFilesystem Set worker container's Security Context readOnlyRootFilesystem ## @param worker.containerSecurityContext.capabilities.drop List of capabilities to be dropped ## @param worker.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## @@ -984,9 +1003,11 @@ worker: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false + readOnlyRootFilesystem: false capabilities: drop: ["ALL"] seccompProfile: @@ -1199,7 +1220,7 @@ git: image: registry: docker.io repository: bitnami/git - tag: 2.43.0-debian-11-r9 + tag: 2.44.0-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1579,7 +1600,7 @@ metrics: image: registry: docker.io repository: bitnami/airflow-exporter - tag: 0.20220314.0-debian-11-r448 + tag: 0.20220314.0-debian-12-r27 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -1639,9 +1660,11 @@ metrics: ## @param metrics.containerSecurityContext.enabled Enable Airflow exporter containers' Security Context ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser Set Airflow exporter containers' Security Context runAsUser + ## @param metrics.containerSecurityContext.runAsGroup Set Airflow exporter containers' Security Context runAsGroup ## @param metrics.containerSecurityContext.runAsNonRoot Set Airflow exporter containers' Security Context runAsNonRoot ## @param metrics.containerSecurityContext.privileged Set metrics container's Security Context privileged ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set metrics container's Security Context allowPrivilegeEscalation + ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set metrics container's Security Context readOnlyRootFilesystem ## @param metrics.containerSecurityContext.capabilities.drop List of capabilities to be dropped ## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## e.g: @@ -1649,15 +1672,17 @@ metrics: ## enabled: true ## capabilities: ## drop: ["NET_RAW"] - ## readOnlyRootFilesystem: true + ## readOnlyRootFilesystem: false ## containerSecurityContext: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false + readOnlyRootFilesystem: false capabilities: drop: ["ALL"] seccompProfile: diff --git a/charts/bitnami/cassandra/Chart.lock b/charts/bitnami/cassandra/Chart.lock index c65fe2010..eaf627aca 100644 --- a/charts/bitnami/cassandra/Chart.lock +++ b/charts/bitnami/cassandra/Chart.lock 
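Review bot: The illustrative `e.g.:` block for `metrics.containerSecurityContext` is changed from `## readOnlyRootFilesystem: true` to `## readOnlyRootFilesystem: false`, which turns a hardening example into one that merely restates the new default. If the example is meant to show what an operator could tighten, keep `## readOnlyRootFilesystem: true`; if it is meant to match the defaults, the example adds nothing and could be dropped.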
@@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.15.3 -digest: sha256:d80293db4b59902571fcfcbeabb6b81aebb1c05e8a6d25510053e7c329d73002 -generated: "2024-02-14T14:38:18.303780391+01:00" + version: 2.18.0 +digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280 +generated: "2024-03-05T13:26:26.829438105+01:00" diff --git a/charts/bitnami/cassandra/Chart.yaml b/charts/bitnami/cassandra/Chart.yaml index 5f9207558..afa43d479 100644 --- a/charts/bitnami/cassandra/Chart.yaml +++ b/charts/bitnami/cassandra/Chart.yaml @@ -5,12 +5,12 @@ annotations: catalog.cattle.io/release-name: cassandra category: Database images: | - - name: cassandra-exporter - image: docker.io/bitnami/cassandra-exporter:2.3.8-debian-11-r448 - name: cassandra - image: docker.io/bitnami/cassandra:4.1.4-debian-11-r0 + image: docker.io/bitnami/cassandra:4.1.4-debian-12-r4 + - name: cassandra-exporter + image: docker.io/bitnami/cassandra-exporter:2.3.8-debian-12-r17 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r107 + image: docker.io/bitnami/os-shell:12-debian-12-r16 licenses: Apache-2.0 apiVersion: v2 appVersion: 4.1.4 @@ -35,4 +35,4 @@ maintainers: name: cassandra sources: - https://github.com/bitnami/charts/tree/main/bitnami/cassandra -version: 10.10.0 +version: 10.12.1 diff --git a/charts/bitnami/cassandra/README.md b/charts/bitnami/cassandra/README.md index b6c35d2b1..d4e260654 100644 --- a/charts/bitnami/cassandra/README.md +++ b/charts/bitnami/cassandra/README.md 
@@ -56,11 +56,12 @@ The command removes all the Kubernetes components associated with the chart and ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | ### Common parameters 
@@ -142,6 +143,7 @@ The command removes all the Kubernetes components associated with the chart and | `containerSecurityContext.enabled` | Enabled Cassandra containers' Security Context | `true` | | `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `containerSecurityContext.runAsUser` | Set Cassandra containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set Cassandra containers' Security Context runAsGroup | `0` | | `containerSecurityContext.allowPrivilegeEscalation` | Set Cassandra containers' Security Context allowPrivilegeEscalation | `false` | | `containerSecurityContext.capabilities.drop` | Set Cassandra containers' Security Context capabilities to be dropped | `["ALL"]` | | `containerSecurityContext.readOnlyRootFilesystem` | Set Cassandra containers' Security Context readOnlyRootFilesystem | `false` | diff --git a/charts/bitnami/cassandra/charts/common/Chart.yaml b/charts/bitnami/cassandra/charts/common/Chart.yaml index 3046b5910..2acf0cd40 100644 --- a/charts/bitnami/cassandra/charts/common/Chart.yaml +++ b/charts/bitnami/cassandra/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.14.1 +appVersion: 2.18.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.15.3 +version: 2.18.0 diff --git a/charts/bitnami/cassandra/charts/common/templates/_compatibility.tpl b/charts/bitnami/cassandra/charts/common/templates/_compatibility.tpl new file mode 100644 index 000000000..c529f0872 --- /dev/null +++ b/charts/bitnami/cassandra/charts/common/templates/_compatibility.tpl 
@@ -0,0 +1,35 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return true if the detected platform is Openshift +Usage: +{{- include "common.compatibility.isOpenshift" . -}} +*/}} +{{- define "common.compatibility.isOpenshift" -}} +{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}} +{{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC +Usage: +{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}} +*/}} +{{- define "common.compatibility.renderSecurityContext" -}} +{{- $adaptedContext := .secContext -}} +{{- if .context.Values.global.compatibility -}} + {{- if .context.Values.global.compatibility.openshift -}} + {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} + {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} + {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- omit $adaptedContext "enabled" | toYaml -}} +{{- end -}} diff --git a/charts/bitnami/cassandra/charts/common/templates/_resources.tpl b/charts/bitnami/cassandra/charts/common/templates/_resources.tpl index cfd41e571..d90f8752d 100644 --- a/charts/bitnami/cassandra/charts/common/templates/_resources.tpl +++ b/charts/bitnami/cassandra/charts/common/templates/_resources.tpl 
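Review bot: `common.compatibility.isOpenshift` decides via `.Capabilities.APIVersions.Has "security.openshift.io/v1"`, which is only populated from a live cluster; under `helm template` or a GitOps renderer that does not pass `--api-versions`, `adaptSecurityContext: auto` silently renders the unadapted contexts and the workload is rejected at apply time. This belongs in the helper's usage comment, e.g. `"auto" relies on .Capabilities.APIVersions and is only reliable with a cluster connection; use "force" when rendering offline (helm template, Argo CD, Flux).` Separately, the description here says `restricted-v1 SCC` while the values documentation added in this commit says `restricted-v2`; the two should agree.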
@@ -11,35 +11,35 @@ These presets are for basic testing and not meant to be used in production {{ include "common.resources.preset" (dict "type" "nano") -}} */}} {{- define "common.resources.preset" -}} -{{/* The limits are the requests increased by 50% */}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}} {{- $presets := dict "nano" (dict - "requests" (dict "cpu" "100m" "memory" "128Mi") - "limits" (dict "cpu" "150m" "memory" "192Mi") + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi") ) "micro" (dict - "requests" (dict "cpu" "250m" "memory" "256Mi") - "limits" (dict "cpu" "375m" "memory" "384Mi") + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi") ) "small" (dict - "requests" (dict "cpu" "500m" "memory" "512Mi") - "limits" (dict "cpu" "750m" "memory" "768Mi") + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi") ) "medium" (dict - "requests" (dict "cpu" "500m" "memory" "1024Mi") - "limits" (dict "cpu" "750m" "memory" "1536Mi") + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi") ) "large" (dict - "requests" (dict "cpu" "1.0" "memory" "2048Mi") - "limits" (dict "cpu" "1.5" "memory" "3072Mi") + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi") ) "xlarge" (dict - "requests" (dict "cpu" "2.0" "memory" "4096Mi") - "limits" (dict "cpu" "3.0" "memory" "6144Mi") + "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi") ) "2xlarge" (dict - 
"requests" (dict "cpu" "4.0" "memory" "8192Mi") - "limits" (dict "cpu" "6.0" "memory" "12288Mi") + "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi") ) }} {{- if hasKey $presets .type -}} diff --git a/charts/bitnami/cassandra/templates/statefulset.yaml b/charts/bitnami/cassandra/templates/statefulset.yaml index b3b7a4759..c8f1e204d 100644 --- a/charts/bitnami/cassandra/templates/statefulset.yaml +++ b/charts/bitnami/cassandra/templates/statefulset.yaml @@ -60,7 +60,7 @@ spec: priorityClassName: {{ .Values.priorityClassName | quote }} {{- end }} {{- if .Values.podSecurityContext.enabled }} - securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if .Values.topologySpreadConstraints }} topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }} @@ -130,6 +130,9 @@ spec: volumeMounts: - name: data mountPath: {{ .Values.persistence.mountPath }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.persistence.commitLogMountPath }} - name: commitlog mountPath: {{ .Values.persistence.commitLogMountPath }} @@ -140,7 +143,7 @@ spec: image: {{ include "cassandra.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} {{- end }} command: - /bin/bash 
@@ -202,10 +205,13 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - - name: certs - mountPath: /certs - - name: certs-shared - mountPath: /opt/bitnami/cassandra/certs + - name: certs + mountPath: /certs + - name: certs-shared + mountPath: /opt/bitnami/cassandra/certs + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- end }} {{- if .Values.initContainers }} {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} @@ -242,7 +248,7 @@ spec: image: {{ include "cassandra.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: - name: BITNAMI_DEBUG @@ -464,6 +470,18 @@ spec: - name: configurations mountPath: {{ .Values.persistence.mountPath }}/conf {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/cassandra/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/cassandra/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/cassandra/logs + subPath: app-logs-dir {{- if .Values.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} @@ -514,6 +532,9 @@ spec: - name: metrics-conf mountPath: /opt/bitnami/cassandra-exporter/config.yml subPath: config.yml + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.metrics.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} 
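Review bot: The metrics exporter container (hunk `@@ -514`) and the main Cassandra container (hunk `@@ -464`) mount the same `empty-dir` subPath `tmp-dir` at `/tmp`, and the init containers in hunks `@@ -130` and `@@ -202` reuse it too, so every process in the pod shares one scratch directory and whatever one of them writes there is readable and writable by the others. Separate containers with different trust levels should not share `/tmp`; give the exporter its own directory, `subPath: metrics-tmp-dir`, and likewise a distinct subPath for each init container unless it is deliberately handing files to the main container. Hunk `@@ -464` also mounts an emptyDir over `/opt/bitnami/cassandra/conf`, which hides whatever the image ships there; that presumably relies on the entrypoint regenerating the configuration at start-up, which is not visible in this diff, so a short comment on that mount stating the assumption would help the next maintainer. The containers these hunks belong to start outside the hunks, so I cannot confirm from here whether `readOnlyRootFilesystem` is actually enabled for them.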
@@ -539,6 +560,8 @@ spec: configMap: name: {{ tpl .Values.existingConfiguration $ }} {{- end }} + - name: empty-dir + emptyDir: {} {{- if .Values.initDBConfigMap }} - name: init-db-cm configMap: diff --git a/charts/bitnami/cassandra/values.yaml b/charts/bitnami/cassandra/values.yaml index 7a011f7a2..82005df4d 100644 --- a/charts/bitnami/cassandra/values.yaml +++ b/charts/bitnami/cassandra/values.yaml @@ -19,6 +19,15 @@ global: ## imagePullSecrets: [] storageClass: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## @section Common parameters ## @@ -73,7 +82,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/cassandra - tag: 4.1.4-debian-11-r0 + tag: 4.1.4-debian-12-r4 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
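Review bot: The new `empty-dir` volume in hunk `@@ -539` is declared as `emptyDir: {}` with no `sizeLimit`, yet it now backs `/tmp`, the config directory, `/opt/bitnami/cassandra/tmp` and `/opt/bitnami/cassandra/logs` for every container in the pod. Its only bound is the container ephemeral-storage limit, which is absent unless the operator sets `resources` or a non-`none` preset (the chart's defaults are not visible in this diff), so a verbose or looping logger can fill the node's disk and evict neighbouring pods. Consider exposing a `sizeLimit` for this volume through a chart value, or at least add a comment next to the volume saying that the directory is bounded only by the container's ephemeral-storage limit and that `resources` should be set in production.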
@@ -291,6 +300,7 @@ podSecurityContext: ## @param containerSecurityContext.enabled Enabled Cassandra containers' Security Context ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser Set Cassandra containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set Cassandra containers' Security Context runAsGroup ## @param containerSecurityContext.allowPrivilegeEscalation Set Cassandra containers' Security Context allowPrivilegeEscalation ## @param containerSecurityContext.capabilities.drop Set Cassandra containers' Security Context capabilities to be dropped ## @param containerSecurityContext.readOnlyRootFilesystem Set Cassandra containers' Security Context readOnlyRootFilesystem @@ -302,6 +312,7 @@ containerSecurityContext: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false @@ -667,7 +678,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r107 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -735,7 +746,7 @@ metrics: image: registry: docker.io repository: bitnami/cassandra-exporter - tag: 2.3.8-debian-11-r448 + tag: 2.3.8-debian-12-r17 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/kafka/Chart.lock b/charts/bitnami/kafka/Chart.lock index 403168201..bd5bc6dad 100644 --- a/charts/bitnami/kafka/Chart.lock +++ b/charts/bitnami/kafka/Chart.lock 
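Review bot: Hunk `@@ -302` sets `containerSecurityContext.runAsGroup: 0` as the default, so the Cassandra process runs with the root group as its primary GID even though `runAsUser: 1001` and `runAsNonRoot: true` keep the UID unprivileged. The parameter description added in hunk `@@ -291` does not explain why GID 0 is wanted, which matters because admission policies that require a non-zero `runAsGroup` will reject the default pod and operators need to know whether overriding it is safe. If the reason is, as I believe, that the Bitnami images ship group-root-writable application directories so the process can run under an arbitrary UID, say so: `## @param containerSecurityContext.runAsGroup Set Cassandra containers' Security Context runAsGroup (0 = root group; the image's application directories are group-writable by GID 0 so an arbitrary non-root UID can run)`. Note also that `runAsGroup` is one of the fields `common.compatibility.renderSecurityContext` strips when `adaptSecurityContext` is `force` or `auto` on OpenShift, so this default only takes effect when adaptation is `disabled`.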
@@ -1,9 +1,9 @@ dependencies: - name: zookeeper repository: oci://registry-1.docker.io/bitnamicharts - version: 12.8.1 + version: 12.11.1 - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.15.3 -digest: sha256:cccdc01ead6a556674360977d9ace475423c17f7c3875ed7e7df58edf727befa -generated: "2024-02-14T15:09:53.93192995+01:00" + version: 2.18.0 +digest: sha256:45e9e003da296d6f4d54e86584f77c90f91744427321717b4b7cb3873dd89ea0 +generated: "2024-03-05T14:17:52.910919633+01:00" diff --git a/charts/bitnami/kafka/Chart.yaml b/charts/bitnami/kafka/Chart.yaml index 2d61c8399..53b36b18c 100644 --- a/charts/bitnami/kafka/Chart.yaml +++ b/charts/bitnami/kafka/Chart.yaml @@ -6,18 +6,18 @@ annotations: category: Infrastructure images: | - name: jmx-exporter - image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r6 - - name: kafka-exporter - image: docker.io/bitnami/kafka-exporter:1.7.0-debian-11-r140 + image: docker.io/bitnami/jmx-exporter:0.20.0-debian-12-r11 - name: kafka - image: docker.io/bitnami/kafka:3.6.1-debian-11-r6 + image: docker.io/bitnami/kafka:3.7.0-debian-12-r0 + - name: kafka-exporter + image: docker.io/bitnami/kafka-exporter:1.7.0-debian-12-r19 - name: kubectl - image: docker.io/bitnami/kubectl:1.29.1-debian-11-r3 + image: docker.io/bitnami/kubectl:1.29.2-debian-12-r2 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r96 + image: docker.io/bitnami/os-shell:12-debian-12-r16 licenses: Apache-2.0 apiVersion: v2 -appVersion: 3.6.1 +appVersion: 3.7.0 dependencies: - condition: zookeeper.enabled name: zookeeper @@ -45,4 +45,4 @@ maintainers: name: kafka sources: - https://github.com/bitnami/charts/tree/main/bitnami/kafka -version: 26.10.0 +version: 27.1.2 diff --git a/charts/bitnami/kafka/README.md b/charts/bitnami/kafka/README.md index eafbe40cd..5d39aa298 100644 --- a/charts/bitnami/kafka/README.md +++ b/charts/bitnami/kafka/README.md 
@@ -56,11 +56,12 @@ The command removes all the Kubernetes components associated with the chart and ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | ### Common parameters diff --git a/charts/bitnami/kafka/charts/common/Chart.yaml b/charts/bitnami/kafka/charts/common/Chart.yaml index 3046b5910..2acf0cd40 100644 --- a/charts/bitnami/kafka/charts/common/Chart.yaml +++ b/charts/bitnami/kafka/charts/common/Chart.yaml 
@@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.14.1 +appVersion: 2.18.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.15.3 +version: 2.18.0 diff --git a/charts/bitnami/kafka/charts/common/templates/_compatibility.tpl b/charts/bitnami/kafka/charts/common/templates/_compatibility.tpl new file mode 100644 index 000000000..c529f0872 --- /dev/null +++ b/charts/bitnami/kafka/charts/common/templates/_compatibility.tpl 
@@ -0,0 +1,35 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return true if the detected platform is Openshift +Usage: +{{- include "common.compatibility.isOpenshift" . -}} +*/}} +{{- define "common.compatibility.isOpenshift" -}} +{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}} +{{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC +Usage: +{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}} +*/}} +{{- define "common.compatibility.renderSecurityContext" -}} +{{- $adaptedContext := .secContext -}} +{{- if .context.Values.global.compatibility -}} + {{- if .context.Values.global.compatibility.openshift -}} + {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} + {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} + {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- omit $adaptedContext "enabled" | toYaml -}} +{{- end -}} diff --git a/charts/bitnami/kafka/charts/common/templates/_resources.tpl b/charts/bitnami/kafka/charts/common/templates/_resources.tpl index cfd41e571..d90f8752d 100644 --- a/charts/bitnami/kafka/charts/common/templates/_resources.tpl +++ b/charts/bitnami/kafka/charts/common/templates/_resources.tpl 
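Review bot: The header comment of `common.compatibility.renderSecurityContext` says the stripped user/group values "do not work out of the box with the restricted-v1 SCC", while the `global.compatibility.openshift.adaptSecurityContext` parameter this template implements is documented in the cassandra values and kafka README hunks against `restricted-v2`; the comment should read `restricted-v2 SCC` so the two agree. Worth documenting as well: `common.compatibility.isOpenshift` relies on `.Capabilities.APIVersions.Has "security.openshift.io/v1"`, which is only populated when Helm talks to a cluster, so in `auto` mode `helm template` (and GitOps tools that render offline) keeps `runAsUser`/`runAsGroup`/`fsGroup` and the rendered manifests differ from what `helm install` would apply against the same cluster. A one-line note in the usage comment covers it: `{{/* NOTE: detection uses .Capabilities.APIVersions, which is empty for offline "helm template"; pass --api-versions security.openshift.io/v1 or use "force" in that case */}}`. This is a vendored copy of the bitnami/common library, so the fix belongs upstream rather than in this chart tree.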
@@ -11,35 +11,35 @@ These presets are for basic testing and not meant to be used in production {{ include "common.resources.preset" (dict "type" "nano") -}} */}} {{- define "common.resources.preset" -}} -{{/* The limits are the requests increased by 50% */}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}} {{- $presets := dict "nano" (dict - "requests" (dict "cpu" "100m" "memory" "128Mi") - "limits" (dict "cpu" "150m" "memory" "192Mi") + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi") ) "micro" (dict - "requests" (dict "cpu" "250m" "memory" "256Mi") - "limits" (dict "cpu" "375m" "memory" "384Mi") + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi") ) "small" (dict - "requests" (dict "cpu" "500m" "memory" "512Mi") - "limits" (dict "cpu" "750m" "memory" "768Mi") + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi") ) "medium" (dict - "requests" (dict "cpu" "500m" "memory" "1024Mi") - "limits" (dict "cpu" "750m" "memory" "1536Mi") + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi") ) "large" (dict - "requests" (dict "cpu" "1.0" "memory" "2048Mi") - "limits" (dict "cpu" "1.5" "memory" "3072Mi") + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi") ) "xlarge" (dict - "requests" (dict "cpu" "2.0" "memory" "4096Mi") - "limits" (dict "cpu" "3.0" "memory" "6144Mi") + "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi") ) "2xlarge" (dict - 
"requests" (dict "cpu" "4.0" "memory" "8192Mi") - "limits" (dict "cpu" "6.0" "memory" "12288Mi") + "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi") ) }} {{- if hasKey $presets .type -}} diff --git a/charts/bitnami/kafka/charts/zookeeper/Chart.lock b/charts/bitnami/kafka/charts/zookeeper/Chart.lock index b17a2237d..7bac6e407 100644 --- a/charts/bitnami/kafka/charts/zookeeper/Chart.lock +++ b/charts/bitnami/kafka/charts/zookeeper/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.14.1 -digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3 -generated: "2024-01-01T00:08:42.872982603Z" + version: 2.16.1 +digest: sha256:f808a6fdc9c374d158ad7ff2f2c53a6c409e41da778d768b232dd20f86ef8b47 +generated: "2024-02-21T11:56:37.618424604Z" diff --git a/charts/bitnami/kafka/charts/zookeeper/Chart.yaml b/charts/bitnami/kafka/charts/zookeeper/Chart.yaml index 6119b51bb..8e55009f6 100644 --- a/charts/bitnami/kafka/charts/zookeeper/Chart.yaml +++ b/charts/bitnami/kafka/charts/zookeeper/Chart.yaml @@ -2,9 +2,9 @@ annotations: category: Infrastructure images: | - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r96 + image: docker.io/bitnami/os-shell:12-debian-12-r16 - name: zookeeper - image: docker.io/bitnami/zookeeper:3.9.1-debian-11-r8 + image: docker.io/bitnami/zookeeper:3.9.1-debian-12-r15 licenses: Apache-2.0 apiVersion: v2 appVersion: 3.9.1 @@ -26,4 +26,4 @@ maintainers: name: zookeeper sources: - https://github.com/bitnami/charts/tree/main/bitnami/zookeeper -version: 12.8.1 +version: 12.11.1 diff --git a/charts/bitnami/kafka/charts/zookeeper/README.md b/charts/bitnami/kafka/charts/zookeeper/README.md index 7879d6824..fbc3d2e12 100644 --- a/charts/bitnami/kafka/charts/zookeeper/README.md +++ b/charts/bitnami/kafka/charts/zookeeper/README.md 
@@ -126,82 +126,82 @@ The command removes all the Kubernetes components associated with the chart and ### Statefulset parameters -| Name | Description | Value | -| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -| `replicaCount` | Number of ZooKeeper nodes | `1` | -| `containerPorts.client` | ZooKeeper client container port | `2181` | -| `containerPorts.tls` | ZooKeeper TLS container port | `3181` | -| `containerPorts.follower` | ZooKeeper follower container port | `2888` | -| `containerPorts.election` | ZooKeeper election container port | `3888` | -| `livenessProbe.enabled` | Enable livenessProbe on ZooKeeper containers | `true` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | -| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | -| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `livenessProbe.probeCommandTimeout` | Probe command timeout for livenessProbe | `2` | -| `readinessProbe.enabled` | Enable readinessProbe on ZooKeeper containers | `true` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | -| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `readinessProbe.probeCommandTimeout` | Probe command timeout for readinessProbe | `2` | -| `startupProbe.enabled` | Enable 
startupProbe on ZooKeeper containers | `false` | -| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | -| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `lifecycleHooks` | for the ZooKeeper container(s) to automate configuration before or after startup | `{}` | -| `resources.limits` | The resources limits for the ZooKeeper containers | `{}` | -| `resources.requests.memory` | The requested memory for the ZooKeeper containers | `256Mi` | -| `resources.requests.cpu` | The requested cpu for the ZooKeeper containers | `250m` | -| `podSecurityContext.enabled` | Enabled ZooKeeper pods' Security Context | `true` | -| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `podSecurityContext.fsGroup` | Set ZooKeeper pod's Security Context fsGroup | `1001` | -| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | -| `containerSecurityContext.privileged` | Set container's Security Context privileged | 
`false` | -| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | -| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | -| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | -| `hostAliases` | ZooKeeper pods host aliases | `[]` | -| `podLabels` | Extra labels for ZooKeeper pods | `{}` | -| `podAnnotations` | Annotations for ZooKeeper pods | `{}` | -| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | -| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | -| `affinity` | Affinity for pod assignment | `{}` | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `tolerations` | Tolerations for pod assignment | `[]` | -| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | -| `podManagementPolicy` | StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. 
There are two valid pod management policies: `OrderedReady` and `Parallel` | `Parallel` | -| `priorityClassName` | Name of the existing priority class to be used by ZooKeeper pods, priority class needs to be created beforehand | `""` | -| `schedulerName` | Kubernetes pod scheduler registry | `""` | -| `updateStrategy.type` | ZooKeeper statefulset strategy type | `RollingUpdate` | -| `updateStrategy.rollingUpdate` | ZooKeeper statefulset rolling update configuration parameters | `{}` | -| `extraVolumes` | Optionally specify extra list of additional volumes for the ZooKeeper pod(s) | `[]` | -| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the ZooKeeper container(s) | `[]` | -| `sidecars` | Add additional sidecar containers to the ZooKeeper pod(s) | `[]` | -| `initContainers` | Add additional init containers to the ZooKeeper pod(s) | `[]` | -| `pdb.create` | Deploy a pdb object for the ZooKeeper pod | `false` | -| `pdb.minAvailable` | Minimum available ZooKeeper replicas | `""` | -| `pdb.maxUnavailable` | Maximum unavailable ZooKeeper replicas | `1` | -| `enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | -| `dnsPolicy` | Specifies the DNS policy for the zookeeper pods | `""` | -| `dnsConfig` | allows users more control on the DNS settings for a Pod. 
Required if `dnsPolicy` is set to `None` | `{}` | +| Name | Description | Value | +| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `replicaCount` | Number of ZooKeeper nodes | `1` | +| `containerPorts.client` | ZooKeeper client container port | `2181` | +| `containerPorts.tls` | ZooKeeper TLS container port | `3181` | +| `containerPorts.follower` | ZooKeeper follower container port | `2888` | +| `containerPorts.election` | ZooKeeper election container port | `3888` | +| `livenessProbe.enabled` | Enable livenessProbe on ZooKeeper containers | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `livenessProbe.probeCommandTimeout` | Probe command timeout for livenessProbe | `2` | +| `readinessProbe.enabled` | Enable readinessProbe on ZooKeeper containers | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `readinessProbe.probeCommandTimeout` | Probe command timeout for readinessProbe | `2` | +| `startupProbe.enabled` | Enable startupProbe on ZooKeeper containers | `false` | +| 
`startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `lifecycleHooks` | for the ZooKeeper container(s) to automate configuration before or after startup | `{}` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` | +| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `podSecurityContext.enabled` | Enabled ZooKeeper pods' Security Context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `podSecurityContext.fsGroup` | Set ZooKeeper pod's Security Context fsGroup | `1001` | +| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | +| 
`containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `hostAliases` | ZooKeeper pods host aliases | `[]` | +| `podLabels` | Extra labels for ZooKeeper pods | `{}` | +| `podAnnotations` | Annotations for ZooKeeper pods | `{}` | +| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | +| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | +| `affinity` | Affinity for pod assignment | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `podManagementPolicy` | StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. 
There are two valid pod management policies: `OrderedReady` and `Parallel` | `Parallel` | +| `priorityClassName` | Name of the existing priority class to be used by ZooKeeper pods, priority class needs to be created beforehand | `""` | +| `schedulerName` | Kubernetes pod scheduler registry | `""` | +| `updateStrategy.type` | ZooKeeper statefulset strategy type | `RollingUpdate` | +| `updateStrategy.rollingUpdate` | ZooKeeper statefulset rolling update configuration parameters | `{}` | +| `extraVolumes` | Optionally specify extra list of additional volumes for the ZooKeeper pod(s) | `[]` | +| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the ZooKeeper container(s) | `[]` | +| `sidecars` | Add additional sidecar containers to the ZooKeeper pod(s) | `[]` | +| `initContainers` | Add additional init containers to the ZooKeeper pod(s) | `[]` | +| `pdb.create` | Deploy a pdb object for the ZooKeeper pod | `false` | +| `pdb.minAvailable` | Minimum available ZooKeeper replicas | `""` | +| `pdb.maxUnavailable` | Maximum unavailable ZooKeeper replicas | `1` | +| `enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | +| `dnsPolicy` | Specifies the DNS policy for the zookeeper pods | `""` | +| `dnsConfig` | allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None` | `{}` | ### Traffic Exposure parameters 
@@ -261,19 +261,19 @@ The command removes all the Kubernetes components associated with the chart and ### Volume Permissions parameters -| Name | Description | Value | -| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | -| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | -| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | -| `volumePermissions.containerSecurityContext.enabled` | Enabled init container Security Context | `true` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | +| Name | Description | Value | +| ----------------------------------------------------------- | 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `volumePermissions.containerSecurityContext.enabled` | Enabled init container Security Context | `true` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | ### Metrics parameters 
@@ -301,36 +301,36 @@ The command removes all the Kubernetes components associated with the chart and ### TLS/SSL parameters -| Name | Description | Value | -| ----------------------------------------- | -------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- | -| `tls.client.enabled` | Enable TLS for client connections | `false` | -| `tls.client.auth` | SSL Client auth. Can be "none", "want" or "need". | `none` | -| `tls.client.autoGenerated` | Generate automatically self-signed TLS certificates for ZooKeeper client communications | `false` | -| `tls.client.existingSecret` | Name of the existing secret containing the TLS certificates for ZooKeeper client communications | `""` | -| `tls.client.existingSecretKeystoreKey` | The secret key from the tls.client.existingSecret containing the Keystore. | `""` | -| `tls.client.existingSecretTruststoreKey` | The secret key from the tls.client.existingSecret containing the Truststore. | `""` | -| `tls.client.keystorePath` | Location of the KeyStore file used for Client connections | `/opt/bitnami/zookeeper/config/certs/client/zookeeper.keystore.jks` | -| `tls.client.truststorePath` | Location of the TrustStore file used for Client connections | `/opt/bitnami/zookeeper/config/certs/client/zookeeper.truststore.jks` | -| `tls.client.passwordsSecretName` | Existing secret containing Keystore and truststore passwords | `""` | -| `tls.client.passwordsSecretKeystoreKey` | The secret key from the tls.client.passwordsSecretName containing the password for the Keystore. | `""` | -| `tls.client.passwordsSecretTruststoreKey` | The secret key from the tls.client.passwordsSecretName containing the password for the Truststore. 
| `""` | -| `tls.client.keystorePassword` | Password to access KeyStore if needed | `""` | -| `tls.client.truststorePassword` | Password to access TrustStore if needed | `""` | -| `tls.quorum.enabled` | Enable TLS for quorum protocol | `false` | -| `tls.quorum.auth` | SSL Quorum Client auth. Can be "none", "want" or "need". | `none` | -| `tls.quorum.autoGenerated` | Create self-signed TLS certificates. Currently only supports PEM certificates. | `false` | -| `tls.quorum.existingSecret` | Name of the existing secret containing the TLS certificates for ZooKeeper quorum protocol | `""` | -| `tls.quorum.existingSecretKeystoreKey` | The secret key from the tls.quorum.existingSecret containing the Keystore. | `""` | -| `tls.quorum.existingSecretTruststoreKey` | The secret key from the tls.quorum.existingSecret containing the Truststore. | `""` | -| `tls.quorum.keystorePath` | Location of the KeyStore file used for Quorum protocol | `/opt/bitnami/zookeeper/config/certs/quorum/zookeeper.keystore.jks` | -| `tls.quorum.truststorePath` | Location of the TrustStore file used for Quorum protocol | `/opt/bitnami/zookeeper/config/certs/quorum/zookeeper.truststore.jks` | -| `tls.quorum.passwordsSecretName` | Existing secret containing Keystore and truststore passwords | `""` | -| `tls.quorum.passwordsSecretKeystoreKey` | The secret key from the tls.quorum.passwordsSecretName containing the password for the Keystore. | `""` | -| `tls.quorum.passwordsSecretTruststoreKey` | The secret key from the tls.quorum.passwordsSecretName containing the password for the Truststore. 
| `""` | -| `tls.quorum.keystorePassword` | Password to access KeyStore if needed | `""` | -| `tls.quorum.truststorePassword` | Password to access TrustStore if needed | `""` | -| `tls.resources.limits` | The resources limits for the TLS init container | `{}` | -| `tls.resources.requests` | The requested resources for the TLS init container | `{}` | +| Name | Description | Value | +| ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------- | +| `tls.client.enabled` | Enable TLS for client connections | `false` | +| `tls.client.auth` | SSL Client auth. Can be "none", "want" or "need". | `none` | +| `tls.client.autoGenerated` | Generate automatically self-signed TLS certificates for ZooKeeper client communications | `false` | +| `tls.client.existingSecret` | Name of the existing secret containing the TLS certificates for ZooKeeper client communications | `""` | +| `tls.client.existingSecretKeystoreKey` | The secret key from the tls.client.existingSecret containing the Keystore. | `""` | +| `tls.client.existingSecretTruststoreKey` | The secret key from the tls.client.existingSecret containing the Truststore. | `""` | +| `tls.client.keystorePath` | Location of the KeyStore file used for Client connections | `/opt/bitnami/zookeeper/config/certs/client/zookeeper.keystore.jks` | +| `tls.client.truststorePath` | Location of the TrustStore file used for Client connections | `/opt/bitnami/zookeeper/config/certs/client/zookeeper.truststore.jks` | +| `tls.client.passwordsSecretName` | Existing secret containing Keystore and truststore passwords | `""` | +| `tls.client.passwordsSecretKeystoreKey` | The secret key from the tls.client.passwordsSecretName containing the password for the Keystore. 
| `""` | +| `tls.client.passwordsSecretTruststoreKey` | The secret key from the tls.client.passwordsSecretName containing the password for the Truststore. | `""` | +| `tls.client.keystorePassword` | Password to access KeyStore if needed | `""` | +| `tls.client.truststorePassword` | Password to access TrustStore if needed | `""` | +| `tls.quorum.enabled` | Enable TLS for quorum protocol | `false` | +| `tls.quorum.auth` | SSL Quorum Client auth. Can be "none", "want" or "need". | `none` | +| `tls.quorum.autoGenerated` | Create self-signed TLS certificates. Currently only supports PEM certificates. | `false` | +| `tls.quorum.existingSecret` | Name of the existing secret containing the TLS certificates for ZooKeeper quorum protocol | `""` | +| `tls.quorum.existingSecretKeystoreKey` | The secret key from the tls.quorum.existingSecret containing the Keystore. | `""` | +| `tls.quorum.existingSecretTruststoreKey` | The secret key from the tls.quorum.existingSecret containing the Truststore. | `""` | +| `tls.quorum.keystorePath` | Location of the KeyStore file used for Quorum protocol | `/opt/bitnami/zookeeper/config/certs/quorum/zookeeper.keystore.jks` | +| `tls.quorum.truststorePath` | Location of the TrustStore file used for Quorum protocol | `/opt/bitnami/zookeeper/config/certs/quorum/zookeeper.truststore.jks` | +| `tls.quorum.passwordsSecretName` | Existing secret containing Keystore and truststore passwords | `""` | +| `tls.quorum.passwordsSecretKeystoreKey` | The secret key from the tls.quorum.passwordsSecretName containing the password for the Keystore. | `""` | +| `tls.quorum.passwordsSecretTruststoreKey` | The secret key from the tls.quorum.passwordsSecretName containing the password for the Truststore. 
| `""` | +| `tls.quorum.keystorePassword` | Password to access KeyStore if needed | `""` | +| `tls.quorum.truststorePassword` | Password to access TrustStore if needed | `""` | +| `tls.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). | `none` | +| `tls.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, 
@@ -357,6 +357,12 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/zooke ## Configuration and installation details +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + ### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. diff --git a/charts/bitnami/kafka/charts/zookeeper/charts/common/.helmignore b/charts/bitnami/kafka/charts/zookeeper/charts/common/.helmignore index 50af03172..7c7c21d65 100644 --- a/charts/bitnami/kafka/charts/zookeeper/charts/common/.helmignore +++ b/charts/bitnami/kafka/charts/zookeeper/charts/common/.helmignore @@ -20,3 +20,5 @@ .idea/ *.tmproj .vscode/ +# img folder +img/ diff --git a/charts/bitnami/kafka/charts/zookeeper/charts/common/Chart.yaml b/charts/bitnami/kafka/charts/zookeeper/charts/common/Chart.yaml index 9a6aa881f..33799499e 100644 --- a/charts/bitnami/kafka/charts/zookeeper/charts/common/Chart.yaml 
+++ b/charts/bitnami/kafka/charts/zookeeper/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.14.1 +appVersion: 2.16.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.14.1 +version: 2.16.1 diff --git a/charts/bitnami/kafka/charts/zookeeper/charts/common/README.md b/charts/bitnami/kafka/charts/zookeeper/charts/common/README.md index a76fa46a2..0d01a1e06 100644 --- a/charts/bitnami/kafka/charts/zookeeper/charts/common/README.md +++ b/charts/bitnami/kafka/charts/zookeeper/charts/common/README.md @@ -220,7 +220,7 @@ helm install test mychart --set path.to.value00="",path.to.value01="" ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/kafka/charts/zookeeper/charts/common/templates/_resources.tpl b/charts/bitnami/kafka/charts/zookeeper/charts/common/templates/_resources.tpl new file mode 100644 index 000000000..d90f8752d --- /dev/null +++ b/charts/bitnami/kafka/charts/zookeeper/charts/common/templates/_resources.tpl 
@@ -0,0 +1,50 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a resource request/limit object based on a given preset.
+These presets are for basic testing and not meant to be used in production
+{{ include "common.resources.preset" (dict "type" "nano") -}}
+*/}}
+{{- define "common.resources.preset" -}}
+{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
+{{- $presets := dict
+ "nano" (dict
+ "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
+ )
+ "micro" (dict
+ "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
+ )
+ "small" (dict
+ "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
+ )
+ "medium" (dict
+ "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
+ )
+ "large" (dict
+ "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
+ )
+ "xlarge" (dict
+ "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
+ )
+ "2xlarge" (dict
+ "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
+ )
+ }}
+{{- if hasKey $presets .type -}}
+{{- index $presets .type | toYaml -}}
+{{- else -}}
+{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
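Review bot: The preset map defines a `micro` size (250m/256Mi requests) that the chart's own allowed-values text in this commit omits — the `@param …resourcesPreset` comments in values.yaml and the README rows list `none, nano, small, medium, large, xlarge, 2xlarge` — so `micro` is accepted by `hasKey` but undocumented, while `none` is documented but is not a key here and only works because the statefulset guards the include with `ne … "none"`. Either add `micro` to those lists or drop it from the map, and state the `none` convention in the header comment, e.g. `{{/* "none" is not a preset: callers must skip this include when the value is "none", otherwise it fails */}}`. Failing on an unknown key is the right behaviour for a typo, since silently rendering a pod with no limits would defeat the purpose of the presets.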
diff --git a/charts/bitnami/kafka/charts/zookeeper/charts/common/templates/_warnings.tpl b/charts/bitnami/kafka/charts/zookeeper/charts/common/templates/_warnings.tpl
index 66dffc1fe..0f763cd82 100644
--- a/charts/bitnami/kafka/charts/zookeeper/charts/common/templates/_warnings.tpl
+++ b/charts/bitnami/kafka/charts/zookeeper/charts/common/templates/_warnings.tpl
@@ -13,7 +13,70 @@ Usage:
 
 {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
 WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
-+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
++info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers
 {{- end }}
-
+{{- end -}}
+
+{{/*
+Warning about not setting the resource object in all deployments.
+Usage:
+{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }}
+Example:
+{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }}
+The list in the example assumes that the following values exist:
+ - csiProvider.provider.resources
+ - server.resources
+ - volumePermissions.resources
+ - resources
+*/}}
+{{- define "common.warnings.resources" -}}
+{{- $values := .context.Values -}}
+{{- $printMessage := false -}}
+{{ $affectedSections := list -}}
+{{- range .sections -}}
+ {{- if eq . "" -}}
+ {{/* Case where the resources section is at the root (one main deployment in the chart) */}}
+ {{- if not (index $values "resources") -}}
+ {{- $affectedSections = append $affectedSections "resources" -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else -}}
+ {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}}
+ {{- $keys := split "." . -}}
+ {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}}
+ {{- $section := $values -}}
+ {{- range $keys -}}
+ {{- $section = index $section . -}}
+ {{- end -}}
+ {{- if not (index $section "resources") -}}
+ {{/* If the section has enabled=false or replicaCount=0, do not include it */}}
+ {{- if and (hasKey $section "enabled") -}}
+ {{- if index $section "enabled" -}}
+ {{/* enabled=true */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else if and (hasKey $section "replicaCount") -}}
+ {{/* We need a casting to int because number 0 is not treated as an int by default */}}
+ {{- if (gt (index $section "replicaCount" | int) 0) -}}
+ {{/* replicaCount > 0 */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else -}}
+ {{/* Default case, add it to the affected sections */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- if $printMessage }}
+
+WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs:
+{{- range $affectedSections }}
+ - {{ . }}
+{{- end }}
++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+{{- end -}}
 {{- end -}}
diff --git a/charts/bitnami/kafka/charts/zookeeper/templates/NOTES.txt b/charts/bitnami/kafka/charts/zookeeper/templates/NOTES.txt
index c287e1e56..714b4f50c 100644
--- a/charts/bitnami/kafka/charts/zookeeper/templates/NOTES.txt
+++ b/charts/bitnami/kafka/charts/zookeeper/templates/NOTES.txt
@@ -74,3 +74,4 @@ To connect to your ZooKeeper server from outside the cluster execute the followi
 
 {{- include "zookeeper.validateValues" . }}
 {{- include "zookeeper.checkRollingTags" . }}
+{{- include "common.warnings.resources" (dict "sections" (list "" "tls" "volumePermissions") "context" $) }}
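Review bot: The path walk in `common.warnings.resources` — `{{- range $keys -}} {{- $section = index $section . -}} {{- end -}}` — assumes every dotted entry in `sections` resolves in `.Values`; if a chart passes a path whose intermediate key is absent, `index` is applied to a nil value and rendering aborts, turning a NOTES-only hint into a failed install (inferred from the template; I have not verified the exact nil handling of `index`). Breaking out of the walk with `{{- if not (hasKey $section .) -}}` and treating the section as unset, or documenting that every listed path must exist in values.yaml, would make the helper safe to call from charts with optional sub-sections. As a point of style, `{{- if and (hasKey $section "enabled") -}}` and its `replicaCount` sibling wrap a single operand in `and` — `{{- if hasKey $section "enabled" -}}` is equivalent — and `{{ $affectedSections := list -}}` is the only opener in the block without the `{{-` left trim used everywhere else.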
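Review bot: Listing `"tls"` in the sections passed to `common.warnings.resources` makes the NOTES warn about `tls.resources` on every install where it is unset, including a default one where no TLS init container is rendered: the helper only skips a section that carries an `enabled` or `replicaCount` key, and the `tls` block in this chart exposes `tls.client.enabled` / `tls.quorum.enabled` rather than a top-level `tls.enabled` (going by the TLS parameter table in this diff). `volumePermissions` is fine because it ships `enabled: false`. Building the list conditionally, mirroring whatever condition the statefulset uses to render the TLS init container, keeps the warning tied to a container that actually exists:
```gotemplate
{{- $resourceSections := list "" "volumePermissions" -}}
{{- /* keep this condition identical to the statefulset's guard for the TLS init container */ -}}
{{- if or .Values.tls.client.enabled .Values.tls.quorum.enabled -}}
{{- $resourceSections = append $resourceSections "tls" -}}
{{- end -}}
{{- include "common.warnings.resources" (dict "sections" $resourceSections "context" $) }}
```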
diff --git a/charts/bitnami/kafka/charts/zookeeper/templates/statefulset.yaml b/charts/bitnami/kafka/charts/zookeeper/templates/statefulset.yaml index c09849a4d..56ac08459 100644 --- a/charts/bitnami/kafka/charts/zookeeper/templates/statefulset.yaml +++ b/charts/bitnami/kafka/charts/zookeeper/templates/statefulset.yaml @@ -105,8 +105,13 @@ spec: {{- end }} {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: data mountPath: /bitnami/zookeeper {{- if .Values.dataLogDir }} @@ -155,8 +160,13 @@ spec: {{- end }} {{- if .Values.tls.resources }} resources: {{- toYaml .Values.tls.resources | nindent 12 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: scripts mountPath: /scripts/init-certs.sh subPath: init-certs.sh @@ -195,6 +205,8 @@ spec: {{- end }} {{- if .Values.resources }} resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} {{- end }} env: - name: BITNAMI_DEBUG 
@@ -410,6 +422,15 @@ spec: lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/zookeeper/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/zookeeper/logs + subPath: app-logs-dir - name: scripts mountPath: /scripts/setup.sh subPath: setup.sh @@ -441,6 +462,8 @@ spec: {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $ ) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} - name: scripts configMap: name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} diff --git a/charts/bitnami/kafka/charts/zookeeper/values.yaml b/charts/bitnami/kafka/charts/zookeeper/values.yaml index 8cbbc0c7d..6424f6517 100644 --- a/charts/bitnami/kafka/charts/zookeeper/values.yaml +++ b/charts/bitnami/kafka/charts/zookeeper/values.yaml @@ -19,7 +19,6 @@ global: ## imagePullSecrets: [] storageClass: "" - ## @section Common parameters ## @@ -48,7 +47,6 @@ commonAnnotations: {} ## Useful when including ZooKeeper as a chart dependency, so it can be released into a different namespace than the parent ## namespaceOverride: "" - ## Enable diagnostic mode in the statefulset ## diagnosticMode: @@ -63,7 +61,6 @@ diagnosticMode: ## args: - infinity - ## @section ZooKeeper chart parameters ## Bitnami ZooKeeper image version @@ -79,7 +76,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/zookeeper - tag: 3.9.1-debian-11-r8 + tag: 3.9.1-debian-12-r15 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -235,7 +232,6 @@ command: ## @param args Override default container args (useful when using custom images) ## args: [] - ## @section Statefulset parameters ## @param replicaCount Number of ZooKeeper nodes 
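Review bot: The new `empty-dir` volume is declared as `emptyDir: {}` with no `sizeLimit`, and it now backs `/opt/bitnami/zookeeper/logs` as well as `/tmp` and the conf dir; an emptyDir without a limit draws on node ephemeral storage, and with this commit's defaults (`resourcesPreset: "none"`, `resources: {}`) no `ephemeral-storage` limit caps it either, so a verbose log directory can get the pod or its neighbours evicted. Consider a bounded `emptyDir: { sizeLimit: <size placeholder> }`, or at least document that the preset's ephemeral-storage limit is what bounds it once a preset is chosen. These mounts also move the writable paths off the root filesystem, which is the prerequisite for `readOnlyRootFilesystem: true`, yet `containerSecurityContext.readOnlyRootFilesystem` still defaults to `false` in the values hunk of this diff; if no other writable path remains, flipping that default is the hardening this change enables. The container specs these mounts belong to start outside the hunks.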
@@ -313,15 +309,21 @@ customStartupProbe: {} lifecycleHooks: {} ## ZooKeeper resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ -## @param resources.limits The resources limits for the ZooKeeper containers -## @param resources.requests.memory The requested memory for the ZooKeeper containers -## @param resources.requests.cpu The requested cpu for the ZooKeeper containers +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## -resources: - limits: {} - requests: - memory: 256Mi - cpu: 250m +resourcesPreset: "none" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: {} ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param podSecurityContext.enabled Enabled ZooKeeper pods' Security Context 
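Review bot: The ZooKeeper container loses its default resource request here: the removed block shipped `requests: {memory: 256Mi, cpu: 250m}`, while `resourcesPreset: "none"` plus `resources: {}` renders no `resources` stanza at all (the statefulset only includes the preset when it is not `none`), so a default install or an override-free upgrade drops from Burstable to BestEffort QoS — first to be evicted under node pressure and unprotected from noisy neighbours. The README section added in this same diff calls requests essential for production, which makes shipping none by default a surprising regression. A default of `resourcesPreset: "micro"` would keep the old 250m/256Mi requests exactly (that is what the `micro` entry in `_resources.tpl` requests) and add limits on top; if `none` is kept deliberately, the upgrade notes should call out the behaviour change.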
@@ -341,6 +343,7 @@ podSecurityContext: ## @param containerSecurityContext.enabled Enabled containers' Security Context ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param containerSecurityContext.privileged Set container's Security Context privileged ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem @@ -352,6 +355,7 @@ containerSecurityContext: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false readOnlyRootFilesystem: false @@ -523,9 +527,7 @@ dnsPolicy: "" ## value: "2" ## - name: edns0 dnsConfig: {} - ## @section Traffic Exposure parameters - service: ## @param service.type Kubernetes Service type ## @@ -649,7 +651,6 @@ networkPolicy: ## ingressNSMatchLabels: {} ingressNSPodMatchLabels: {} - ## @section Other Parameters ## Service account for ZooKeeper to use. @@ -670,7 +671,6 @@ serviceAccount: ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} - ## @section Persistence parameters ## Enable persistence using Persistent Volume Claims @@ -731,7 +731,6 @@ persistence: ## app: my-app ## selector: {} - ## @section Volume Permissions parameters ## @@ -752,7 +751,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r96 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -765,12 +764,21 @@ volumePermissions: pullSecrets: [] ## Init container resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param volumePermissions.resources.limits Init container volume-permissions resource limits - ## @param volumePermissions.resources.requests Init container volume-permissions resource requests + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - limits: {} - requests: {} + resourcesPreset: "none" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Init container' Security Context ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser @@ -782,7 +790,6 @@ volumePermissions: enabled: true seLinuxOptions: null runAsUser: 0 - ## @section Metrics parameters ## @@ -875,7 +882,6 @@ metrics: ## severity: critical ## rules: [] - ## @section TLS/SSL parameters ## 
@@ -965,9 +971,18 @@ tls:
 truststorePassword: ""
 ## Init container resource requests and limits
 ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
- ## @param tls.resources.limits The resources limits for the TLS init container
- ## @param tls.resources.requests The requested resources for the TLS init container
+ ## @param tls.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resources:
- limits: {}
- requests: {}
+ resourcesPreset: "none"
+ ## @param tls.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
diff --git a/charts/bitnami/kafka/templates/_helpers.tpl b/charts/bitnami/kafka/templates/_helpers.tpl
index 12fedaf79..01314347b 100644
--- a/charts/bitnami/kafka/templates/_helpers.tpl
+++ b/charts/bitnami/kafka/templates/_helpers.tpl
@@ -676,11 +676,6 @@ Zookeeper connection section of the server.properties
 {{- define "kafka.zookeeperConfig" -}}
 zookeeper.connect={{ include "kafka.zookeeperConnect" . }}
 #broker.id=
-{{- if .Values.sasl.zookeeper.user }}
-sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
- username="{{ .Values.sasl.zookeeper.user }}" \
- password="zookeeper-password-placeholder";
-{{- end }}
 {{- if and .Values.tls.zookeeper.enabled .Values.tls.zookeeper.existingSecret }}
 zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
 zookeeper.ssl.client.enable=true
@@ -739,7 +734,7 @@ Init container definition for Kafka initialization
 image: {{ include "kafka.image" .context }}
 imagePullPolicy: {{ .context.Values.image.pullPolicy }}
 {{- if $roleSettings.containerSecurityContext.enabled }}
- securityContext: {{- omit $roleSettings.containerSecurityContext "enabled" | toYaml | nindent 4 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $roleSettings.containerSecurityContext "context" .context) | nindent 4 }}
 {{- end }}
 {{- if $roleSettings.initContainerResources }}
 resources: {{- toYaml $roleSettings.initContainerResources | nindent 4 }}
@@ -965,7 +960,7 @@ Init container definition for waiting for Kubernetes autodiscovery
 - name: AUTODISCOVERY_SERVICE_TYPE
 value: {{ $externalAccessService.service.type | quote }}
 {{- if .context.Values.externalAccess.autoDiscovery.containerSecurityContext.enabled }}
- securityContext: {{- omit .context.Values.externalAccess.autoDiscovery.containerSecurityContext "enabled" | toYaml | nindent 4 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .context.Values.externalAccess.autoDiscovery.containerSecurityContext "context" .context) | nindent 4 }}
 {{- end }}
 {{- if .context.Values.externalAccess.autoDiscovery.resources }}
 resources: {{- toYaml .context.Values.externalAccess.autoDiscovery.resources | nindent 12 }}
diff --git a/charts/bitnami/kafka/templates/broker/statefulset.yaml b/charts/bitnami/kafka/templates/broker/statefulset.yaml
index c9cd459c9..fc815ff9a 100644
--- a/charts/bitnami/kafka/templates/broker/statefulset.yaml
+++ b/charts/bitnami/kafka/templates/broker/statefulset.yaml
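Review bot: Dropping the `sasl.jaas.config=…` block (with its `password="zookeeper-password-placeholder"`) from the rendered `server.properties` is a good direction, but the replacement is only half visible here: the broker statefulset in this diff mounts `kafka_jaas.conf` from the `kafka-config` volume, whose name suggests a ConfigMap, and the template that produces that key is not in the diff. Confirm that the JAAS file keeps the placeholder-then-runtime-substitution scheme rather than the resolved password, since a ConfigMap is readable by any principal with `get configmaps` in the namespace, unlike a Secret. The `controller-eligible` statefulset hunks shown here carry the same `securityContext` changes but no matching `kafka_jaas.conf` mount; if controller-eligible nodes also use `kafka.zookeeperConfig`, the mount is needed there too — not verifiable from this excerpt.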
@@ -88,7 +88,7 @@ spec: runtimeClassName: {{ .Values.controller.runtimeClassName }} {{- end }} {{- if .Values.broker.podSecurityContext.enabled }} - securityContext: {{- omit .Values.broker.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.broker.podSecurityContext "context" $) | nindent 8 }} {{- end }} serviceAccountName: {{ include "kafka.serviceAccountName" . }} enableServiceLinks: {{ .Values.broker.enableServiceLinks }} @@ -137,7 +137,7 @@ spec: image: {{ include "kafka.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.broker.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.broker.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.broker.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -306,6 +306,11 @@ spec: - name: kafka-config mountPath: /opt/bitnami/kafka/config/server.properties subPath: server.properties + {{- if .Values.sasl.zookeeper.user }} + - name: kafka-config + mountPath: /opt/bitnami/kafka/config/kafka_jaas.conf + subPath: kafka_jaas.conf + {{- end }} - name: tmp mountPath: /tmp {{- if or .Values.log4j .Values.existingLog4jConfigMap }} 
@@ -329,7 +334,7 @@ spec: image: {{ include "kafka.metrics.jmx.image" . }} imagePullPolicy: {{ .Values.metrics.jmx.image.pullPolicy | quote }} {{- if .Values.metrics.jmx.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.jmx.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.jmx.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -342,7 +347,7 @@ spec: - -XshowSettings:vm - -jar - jmx_prometheus_httpserver.jar - - "5556" + - {{ .Values.metrics.jmx.containerPorts.metrics | quote }} - /etc/jmx-kafka/jmx-kafka-prometheus.yml {{- end }} ports: diff --git a/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml b/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml index c9b75a9ff..42f4dfe1a 100644 --- a/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml +++ b/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml @@ -88,7 +88,7 @@ spec: runtimeClassName: {{ .Values.controller.runtimeClassName }} {{- end }} {{- if .Values.controller.podSecurityContext.enabled }} - securityContext: {{- omit .Values.controller.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.controller.podSecurityContext "context" $) | nindent 8 }} {{- end }} serviceAccountName: {{ include "kafka.serviceAccountName" . }} enableServiceLinks: {{ .Values.controller.enableServiceLinks }} 
@@ -143,7 +143,7 @@ spec: image: {{ include "kafka.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.controller.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.controller.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.controller.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -328,7 +328,7 @@ spec: image: {{ include "kafka.metrics.jmx.image" . }} imagePullPolicy: {{ .Values.metrics.jmx.image.pullPolicy | quote }} {{- if .Values.metrics.jmx.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.jmx.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.jmx.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -341,7 +341,7 @@ spec: - -XshowSettings:vm - -jar - jmx_prometheus_httpserver.jar - - "5556" + - {{ .Values.metrics.jmx.containerPorts.metrics | quote }} - /etc/jmx-kafka/jmx-kafka-prometheus.yml {{- end }} ports: diff --git a/charts/bitnami/kafka/templates/metrics/deployment.yaml b/charts/bitnami/kafka/templates/metrics/deployment.yaml index e22b2f801..cc081499b 100644 --- a/charts/bitnami/kafka/templates/metrics/deployment.yaml +++ b/charts/bitnami/kafka/templates/metrics/deployment.yaml 
@@ -63,7 +63,7 @@ spec: schedulerName: {{ .Values.metrics.kafka.schedulerName }} {{- end }} {{- if .Values.metrics.kafka.podSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.kafka.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.kafka.podSecurityContext "context" $) | nindent 8 }} {{- end }} serviceAccountName: {{ template "kafka.metrics.kafka.serviceAccountName" . }} enableServiceLinks: {{ .Values.metrics.kafka.enableServiceLinks }} @@ -75,7 +75,7 @@ spec: image: {{ include "kafka.metrics.kafka.image" . }} imagePullPolicy: {{ .Values.metrics.kafka.image.pullPolicy | quote }} {{- if .Values.metrics.kafka.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.kafka.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.kafka.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} diff --git a/charts/bitnami/kafka/templates/provisioning/job.yaml b/charts/bitnami/kafka/templates/provisioning/job.yaml index 2dd27ca8d..6b1200977 100644 --- a/charts/bitnami/kafka/templates/provisioning/job.yaml +++ b/charts/bitnami/kafka/templates/provisioning/job.yaml 
@@ -37,7 +37,7 @@ spec: schedulerName: {{ .Values.provisioning.schedulerName | quote }} {{- end }} {{- if .Values.provisioning.podSecurityContext.enabled }} - securityContext: {{- omit .Values.provisioning.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.provisioning.podSecurityContext "context" $) | nindent 8 }} {{- end }} restartPolicy: OnFailure terminationGracePeriodSeconds: 0 @@ -54,7 +54,7 @@ spec: image: {{ include "kafka.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.provisioning.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.provisioning.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.provisioning.containerSecurityContext "context" $) | nindent 12 }} {{- end }} command: - /bin/bash @@ -82,7 +82,7 @@ spec: image: {{ include "kafka.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.provisioning.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.provisioning.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.provisioning.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} diff --git a/charts/bitnami/kafka/templates/scripts-configmap.yaml b/charts/bitnami/kafka/templates/scripts-configmap.yaml index bc9157e72..5df18b276 100644 --- a/charts/bitnami/kafka/templates/scripts-configmap.yaml +++ b/charts/bitnami/kafka/templates/scripts-configmap.yaml 
@@ -322,6 +322,18 @@ data: fi {{- end }} + {{- if .Values.sasl.zookeeper.user }} + export KAFKA_CONFIG_FILE=/config/kafka_jaas.conf + cat << EOF > /config/kafka_jaas.conf + Client { + org.apache.kafka.common.security.plain.PlainLoginModule required + username="{{ .Values.sasl.zookeeper.user }}" + password="zookeeper-password-placeholder"; + }; + EOF + replace_placeholder "zookeeper-password-placeholder" "$KAFKA_ZOOKEEPER_PASSWORD" + {{- end }} + export KAFKA_CONFIG_FILE=/config/server.properties cp /configmaps/server.properties $KAFKA_CONFIG_FILE diff --git a/charts/bitnami/kafka/templates/secrets.yaml b/charts/bitnami/kafka/templates/secrets.yaml index 7243ee417..0c27c0048 100644 --- a/charts/bitnami/kafka/templates/secrets.yaml +++ b/charts/bitnami/kafka/templates/secrets.yaml @@ -66,13 +66,13 @@ data: {{- range $i, $e := until (int .Values.controller.replicaCount) }} {{- $controller := printf "%s-controller-%s.%s-headless.%s.svc.%s" (include "common.names.fullname" $) (print $i) (include "common.names.fullname" $) $.Release.Namespace $.Values.clusterDomain }} {{- $host = append $host $controller }} - {{- $bootstrapServers = append $bootstrapServers (printf "%s:%s" $controller .Values.service.ports.client) }} + {{- $bootstrapServers = append $bootstrapServers (printf "%s:%s" $controller $.Values.service.ports.client) }} {{- end }} {{- end }} {{- range $i, $e := until (int .Values.broker.replicaCount) }} {{- $broker := printf "%s-broker-%s.%s-headless.%s.svc.%s" (include "common.names.fullname" $) (print $i) (include "common.names.fullname" $) $.Release.Namespace $.Values.clusterDomain }} {{- $host = append $host $broker }} - {{- $bootstrapServers = append $bootstrapServers (printf "%s:%s" $broker .Values.service.ports.client) }} + {{- $bootstrapServers = append $bootstrapServers (printf "%s:%s" $broker $.Values.service.ports.client) }} {{- end }} {{- range $i, $e := until (len .Values.sasl.client.users) }} --- 
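Review bot: The JAAS file written by the heredoc ends up holding the ZooKeeper password once `replace_placeholder` has run, but it is created under the shell's default umask and nothing in the hunk restricts its mode; a `chmod 600 /config/kafka_jaas.conf` after the `EOF` line (or after `replace_placeholder`, depending on how that helper rewrites the file, which is not visible here) would keep it readable only by the owning user. If `KAFKA_ZOOKEEPER_PASSWORD` is unset, the placeholder is replaced with an empty string and an empty password is written without any error; a guard before the heredoc such as `: "${KAFKA_ZOOKEEPER_PASSWORD:?must be set when sasl.zookeeper.user is set}"` would fail fast instead. `KAFKA_CONFIG_FILE` is re-exported to `/config/server.properties` a few lines later, so the first export only matters if `replace_placeholder` reads it; a one-line comment saying so would stop the next reader from removing it as redundant.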
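Review bot: `printf "%s:%s" $controller $.Values.service.ports.client` formats the client port with `%s`; when `service.ports.client` is a number in values.yaml (Helm loads YAML numbers as float64), fmt renders it as a formatting error such as `%!s(float64=9092)` (constructed example) instead of the port, so the bootstrap-servers value in the binding secret would be unusable. The same line already wraps `$i` in `print` for this reason, so the port should get the same treatment: `(printf "%s:%s" $controller (print $.Values.service.ports.client))`, on both the controller and the broker line of this hunk. This is unchanged by the commit apart from the `$.Values` scoping fix, but it is on the new side and worth fixing together.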
@@ -89,8 +89,8 @@ type: servicebinding.io/kafka data: provider: {{ print "bitnami" | b64enc | quote }} type: {{ print "kafka" | b64enc | quote }} - username: {{ index .Values.sasl.client.users $i | b64enc | quote }} - password: {{ index .Values.sasl.client.passwords $i | b64enc | quote }} + username: {{ index $.Values.sasl.client.users $i | b64enc | quote }} + password: {{ index $.Values.sasl.client.passwords $i | b64enc | quote }} host: {{ join "," $host | b64enc | quote }} port: {{ print $port | b64enc | quote }} bootstrap-servers: {{ join "," $bootstrapServers | b64enc | quote }} diff --git a/charts/bitnami/kafka/values.yaml b/charts/bitnami/kafka/values.yaml index 9c557a137..fe7081cc6 100644 --- a/charts/bitnami/kafka/values.yaml +++ b/charts/bitnami/kafka/values.yaml @@ -19,6 +19,15 @@ global: ## imagePullSecrets: [] storageClass: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## @section Common parameters ## @@ -78,7 +87,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/kafka - tag: 3.6.1-debian-11-r6 + tag: 3.7.0-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
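Review bot: `index $.Values.sasl.client.passwords $i` assumes the passwords list is at least as long as the users list being iterated (the enclosing `range` starts in the previous hunk); if passwords are omitted so the chart generates them, or the two lists differ in length, rendering fails with an index out-of-range error rather than a clear message. Unless this is validated elsewhere in the chart, which is not visible here, a check before the range such as `{{- if gt (len .Values.sasl.client.users) (len .Values.sasl.client.passwords) }}{{ fail "sasl.client.passwords needs an entry for every sasl.client.users item" }}{{- end }}` would surface the misconfiguration at install time. The binding secret also only reflects what is in values, so if the broker credentials are resolved from an existing secret or generated, the values here may not match what the broker was actually configured with; that is worth a comment on the range.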
@@ -1385,7 +1394,7 @@ externalAccess: image: registry: docker.io repository: bitnami/kubectl - tag: 1.29.1-debian-11-r3 + tag: 1.29.2-debian-12-r2 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1679,7 +1688,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r96 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1770,7 +1779,7 @@ metrics: image: registry: docker.io repository: bitnami/kafka-exporter - tag: 1.7.0-debian-11-r140 + tag: 1.7.0-debian-12-r19 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -2097,7 +2106,7 @@ metrics: image: registry: docker.io repository: bitnami/jmx-exporter - tag: 0.20.0-debian-11-r6 + tag: 0.20.0-debian-12-r11 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -2535,7 +2544,6 @@ provisioning: waitForKafka: true ## @param provisioning.useHelmHooks Flag to indicate usage of helm hooks useHelmHooks: true - ## @section KRaft chart parameters ## KRaft configuration diff --git a/charts/bitnami/mariadb/Chart.lock b/charts/bitnami/mariadb/Chart.lock index 1aadc394f..d63e6bfcf 100644 --- a/charts/bitnami/mariadb/Chart.lock +++ b/charts/bitnami/mariadb/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.15.3 -digest: sha256:d80293db4b59902571fcfcbeabb6b81aebb1c05e8a6d25510053e7c329d73002 -generated: "2024-02-14T15:22:44.699424301+01:00" + version: 2.18.0 +digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280 +generated: "2024-03-05T14:35:54.482130622+01:00" diff --git a/charts/bitnami/mariadb/Chart.yaml b/charts/bitnami/mariadb/Chart.yaml index 74d10b223..3adf9251c 100644 --- a/charts/bitnami/mariadb/Chart.yaml 
+++ b/charts/bitnami/mariadb/Chart.yaml @@ -6,11 +6,11 @@ annotations: category: Database images: | - name: mariadb - image: docker.io/bitnami/mariadb:11.2.3-debian-11-r1 + image: docker.io/bitnami/mariadb:11.2.3-debian-12-r4 - name: mysqld-exporter - image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r6 + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-12-r8 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r96 + image: docker.io/bitnami/os-shell:12-debian-12-r16 licenses: Apache-2.0 apiVersion: v2 appVersion: 11.2.3 @@ -37,4 +37,4 @@ maintainers: name: mariadb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mariadb -version: 16.2.0 +version: 16.5.0 diff --git a/charts/bitnami/mariadb/README.md b/charts/bitnami/mariadb/README.md index 3354bf7cf..e8f307c60 100644 --- a/charts/bitnami/mariadb/README.md +++ b/charts/bitnami/mariadb/README.md 
@@ -58,11 +58,12 @@ The command removes all the Kubernetes components associated with the chart and ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker Image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global storage class for dynamic provisioning | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `global.imageRegistry` | Global Docker Image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global storage class for dynamic provisioning | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | ### Common parameters diff --git a/charts/bitnami/mariadb/charts/common/Chart.yaml b/charts/bitnami/mariadb/charts/common/Chart.yaml index 3046b5910..2acf0cd40 100644 --- a/charts/bitnami/mariadb/charts/common/Chart.yaml +++ b/charts/bitnami/mariadb/charts/common/Chart.yaml 
@@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.14.1 +appVersion: 2.18.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.15.3 +version: 2.18.0 diff --git a/charts/bitnami/mariadb/charts/common/templates/_compatibility.tpl b/charts/bitnami/mariadb/charts/common/templates/_compatibility.tpl new file mode 100644 index 000000000..c529f0872 --- /dev/null +++ b/charts/bitnami/mariadb/charts/common/templates/_compatibility.tpl 
@@ -0,0 +1,35 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return true if the detected platform is Openshift +Usage: +{{- include "common.compatibility.isOpenshift" . -}} +*/}} +{{- define "common.compatibility.isOpenshift" -}} +{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}} +{{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC +Usage: +{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}} +*/}} +{{- define "common.compatibility.renderSecurityContext" -}} +{{- $adaptedContext := .secContext -}} +{{- if .context.Values.global.compatibility -}} + {{- if .context.Values.global.compatibility.openshift -}} + {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} + {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} + {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- omit $adaptedContext "enabled" | toYaml -}} +{{- end -}} diff --git a/charts/bitnami/mariadb/charts/common/templates/_resources.tpl b/charts/bitnami/mariadb/charts/common/templates/_resources.tpl index cfd41e571..d90f8752d 100644 --- a/charts/bitnami/mariadb/charts/common/templates/_resources.tpl +++ b/charts/bitnami/mariadb/charts/common/templates/_resources.tpl 
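Review bot: The `auto` branch of `common.compatibility.renderSecurityContext` relies on `.Capabilities.APIVersions.Has "security.openshift.io/v1"`, which only reflects a live cluster; under `helm template` or a GitOps renderer without API access the check is false and no adaptation happens, so the docstring should say so, e.g. `auto detection needs cluster access (helm install/upgrade); use "force" when rendering offline with helm template`. The same docstring names the restricted-v1 SCC while the parameter documentation added in this change refers to restricted-v2; the two should agree. It is also worth noting in the docstring that after `omit` the remaining keys (for example `runAsNonRoot`) are kept, so the effective UID is whatever the platform assigns rather than the chart default.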
@@ -11,35 +11,35 @@ These presets are for basic testing and not meant to be used in production {{ include "common.resources.preset" (dict "type" "nano") -}} */}} {{- define "common.resources.preset" -}} -{{/* The limits are the requests increased by 50% */}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}} {{- $presets := dict "nano" (dict - "requests" (dict "cpu" "100m" "memory" "128Mi") - "limits" (dict "cpu" "150m" "memory" "192Mi") + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi") ) "micro" (dict - "requests" (dict "cpu" "250m" "memory" "256Mi") - "limits" (dict "cpu" "375m" "memory" "384Mi") + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi") ) "small" (dict - "requests" (dict "cpu" "500m" "memory" "512Mi") - "limits" (dict "cpu" "750m" "memory" "768Mi") + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi") ) "medium" (dict - "requests" (dict "cpu" "500m" "memory" "1024Mi") - "limits" (dict "cpu" "750m" "memory" "1536Mi") + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi") ) "large" (dict - "requests" (dict "cpu" "1.0" "memory" "2048Mi") - "limits" (dict "cpu" "1.5" "memory" "3072Mi") + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi") ) "xlarge" (dict - "requests" (dict "cpu" "2.0" "memory" "4096Mi") - "limits" (dict "cpu" "3.0" "memory" "6144Mi") + "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi") ) "2xlarge" (dict - 
"requests" (dict "cpu" "4.0" "memory" "8192Mi") - "limits" (dict "cpu" "6.0" "memory" "12288Mi") + "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi") ) }} {{- if hasKey $presets .type -}} diff --git a/charts/bitnami/mariadb/templates/primary/statefulset.yaml b/charts/bitnami/mariadb/templates/primary/statefulset.yaml index 3b41b3a3e..f7a79decb 100644 --- a/charts/bitnami/mariadb/templates/primary/statefulset.yaml +++ b/charts/bitnami/mariadb/templates/primary/statefulset.yaml @@ -76,7 +76,7 @@ spec: runtimeClassName: {{ .Values.runtimeClassName | quote }} {{- end }} {{- if .Values.primary.podSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if or .Values.primary.initContainers (and .Values.primary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.primary.persistence.enabled) }} initContainers: @@ -105,8 +105,9 @@ spec: {{- if .Values.primary.persistence.subPath }} subPath: {{ .Values.primary.persistence.subPath }} {{- end }} - - name: tmp-dir + - name: empty-dir mountPath: /tmp + subPath: tmp-dir {{- end }} {{- end }} containers: 
@@ -114,7 +115,7 @@ spec: image: {{ include "mariadb.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.primary.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -270,14 +271,18 @@ spec: - name: mariadb-credentials mountPath: /opt/bitnami/mariadb/secrets/ {{- end }} - - name: tmp-dir + - name: empty-dir mountPath: /tmp - - name: app-conf-dir + subPath: tmp-dir + - name: empty-dir mountPath: /opt/bitnami/mariadb/conf - - name: app-tmp-dir + subPath: app-conf-dir + - name: empty-dir mountPath: /opt/bitnami/mariadb/tmp - - name: app-logs-dir + subPath: app-tmp-dir + - name: empty-dir mountPath: /opt/bitnami/mariadb/logs + subPath: app-logs-dir {{- if .Values.primary.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} @@ -286,7 +291,7 @@ spec: image: {{ include "mariadb.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: {{- if .Values.auth.usePasswordFiles }} 
@@ -336,8 +341,9 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - - name: tmp-dir + - name: empty-dir mountPath: /tmp + subPath: tmp-dir {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }} - name: mariadb-credentials mountPath: /opt/bitnami/mysqld-exporter/secrets/ @@ -350,13 +356,7 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.primary.sidecars "context" $) | nindent 8 }} {{- end }} volumes: - - name: app-conf-dir - emptyDir: {} - - name: app-tmp-dir - emptyDir: {} - - name: app-logs-dir - emptyDir: {} - - name: tmp-dir + - name: empty-dir emptyDir: {} {{- if or .Values.primary.configuration .Values.primary.existingConfigmap }} - name: config diff --git a/charts/bitnami/mariadb/templates/secondary/statefulset.yaml b/charts/bitnami/mariadb/templates/secondary/statefulset.yaml index d1395c7a9..c9f330344 100644 --- a/charts/bitnami/mariadb/templates/secondary/statefulset.yaml +++ b/charts/bitnami/mariadb/templates/secondary/statefulset.yaml @@ -75,7 +75,7 @@ spec: runtimeClassName: {{ .Values.runtimeClassName | quote }} {{- end }} {{- if .Values.secondary.podSecurityContext.enabled }} - securityContext: {{- omit .Values.secondary.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.secondary.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if or .Values.secondary.initContainers (and .Values.secondary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.secondary.persistence.enabled) }} initContainers: @@ -104,8 +104,9 @@ spec: {{- if .Values.secondary.persistence.subPath }} subPath: {{ .Values.secondary.persistence.subPath }} {{- end }} - - name: tmp-dir + - name: empty-dir mountPath: /tmp + subPath: tmp-dir {{- end }} {{- end }} containers: 
@@ -113,7 +114,7 @@ spec: image: {{ include "mariadb.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.secondary.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.secondary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.secondary.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -256,20 +257,24 @@ spec: {{- if .Values.secondary.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} - - name: tmp-dir + - name: empty-dir mountPath: /tmp - - name: app-conf-dir + subPath: tmp-dir + - name: empty-dir mountPath: /opt/bitnami/mariadb/conf - - name: app-tmp-dir + subPath: app-conf-dir + - name: empty-dir mountPath: /opt/bitnami/mariadb/tmp - - name: app-logs-dir + subPath: app-tmp-dir + - name: empty-dir mountPath: /opt/bitnami/mariadb/logs + subPath: app-logs-dir {{- if .Values.metrics.enabled }} - name: metrics image: {{ include "mariadb.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: {{- if .Values.auth.usePasswordFiles }} 
@@ -323,8 +328,9 @@ spec: - name: mariadb-credentials mountPath: /opt/bitnami/mysqld-exporter/secrets/ {{- end }} - - name: tmp-dir + - name: empty-dir mountPath: /tmp + subPath: app-tmp-dir {{- if .Values.metrics.extraVolumeMounts.secondary }} {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts.secondary "context" $) | nindent 12 }} {{- end }} @@ -348,13 +354,7 @@ spec: - key: mariadb-replication-password path: mariadb-replication-password {{- end }} - - name: app-conf-dir - emptyDir: {} - - name: app-tmp-dir - emptyDir: {} - - name: app-logs-dir - emptyDir: {} - - name: tmp-dir + - name: empty-dir emptyDir: {} {{- if .Values.secondary.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraVolumes "context" $) | nindent 8 }} diff --git a/charts/bitnami/mariadb/values.yaml b/charts/bitnami/mariadb/values.yaml index 59f69ddc8..b8f6c04d6 100644 --- a/charts/bitnami/mariadb/values.yaml +++ b/charts/bitnami/mariadb/values.yaml @@ -19,6 +19,15 @@ global: ## imagePullSecrets: [] storageClass: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## @section Common parameters ## @@ -86,7 +95,7 @@ serviceBindings: image: registry: docker.io repository: bitnami/mariadb - tag: 11.2.3-debian-11-r15 + tag: 11.2.3-debian-12-r4 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
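Review bot: The metrics container's `/tmp` mount in this hunk uses `subPath: app-tmp-dir`, which is the subPath the mariadb container in the same statefulset mounts at `/opt/bitnami/mariadb/tmp` (previous hunk), so the exporter's /tmp and the database's temp directory become one directory inside the shared emptyDir; the primary statefulset's metrics container uses `subPath: tmp-dir` for this mount. That gives the exporter read/write access to MariaDB's temporary files and lets either container's clutter affect the other. Change the line to `subPath: tmp-dir` to match the primary.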
@@ -1044,7 +1053,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r96 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) @@ -1088,7 +1097,7 @@ metrics: image: registry: docker.io repository: bitnami/mysqld-exporter - tag: 0.15.1-debian-11-r6 + tag: 0.15.1-debian-12-r8 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) diff --git a/charts/bitnami/mysql/Chart.lock b/charts/bitnami/mysql/Chart.lock index b8bc83494..96af43d17 100644 --- a/charts/bitnami/mysql/Chart.lock +++ b/charts/bitnami/mysql/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.14.1 -digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3 -generated: "2023-12-31T18:34:25.710573192Z" + version: 2.18.0 +digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280 +generated: "2024-03-05T15:00:17.224052059+01:00" diff --git a/charts/bitnami/mysql/Chart.yaml b/charts/bitnami/mysql/Chart.yaml index 9e3dc0050..ace0ef271 100644 --- a/charts/bitnami/mysql/Chart.yaml +++ b/charts/bitnami/mysql/Chart.yaml @@ -6,11 +6,11 @@ annotations: category: Database images: | - name: mysql - image: docker.io/bitnami/mysql:8.0.36-debian-11-r4 + image: docker.io/bitnami/mysql:8.0.36-debian-12-r8 - name: mysqld-exporter - image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r5 + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-12-r8 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r96 + image: docker.io/bitnami/os-shell:12-debian-12-r16 licenses: Apache-2.0 apiVersion: v2 appVersion: 8.0.36 @@ -36,4 +36,4 @@ maintainers: name: mysql sources: - https://github.com/bitnami/charts/tree/main/bitnami/mysql -version: 9.19.1 +version: 9.23.0 
diff --git a/charts/bitnami/mysql/README.md b/charts/bitnami/mysql/README.md index 93b26870c..a02582d6d 100644 --- a/charts/bitnami/mysql/README.md +++ b/charts/bitnami/mysql/README.md @@ -56,11 +56,12 @@ The command removes all the Kubernetes components associated with the chart and ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | ### Common parameters 
@@ -108,208 +109,212 @@ The command removes all the Kubernetes components associated with the chart and ### MySQL Primary parameters -| Name | Description | Value | -| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | ------------------- | -| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` | -| `primary.command` | Override default container command on MySQL Primary container(s) (useful when using custom images) | `[]` | -| `primary.args` | Override default container args on MySQL Primary container(s) (useful when using custom images) | `[]` | -| `primary.lifecycleHooks` | for the MySQL Primary container(s) to automate configuration before or after startup | `{}` | -| `primary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | -| `primary.hostAliases` | Deployment pod host aliases | `[]` | -| `primary.configuration` | Configure MySQL Primary with a custom my.cnf file | `""` | -| `primary.existingConfigmap` | Name of existing ConfigMap with MySQL Primary configuration. | `""` | -| `primary.containerPorts.mysql` | Container port for mysql | `3306` | -| `primary.updateStrategy.type` | Update strategy type for the MySQL primary statefulset | `RollingUpdate` | -| `primary.podAnnotations` | Additional pod annotations for MySQL primary pods | `{}` | -| `primary.podAffinityPreset` | MySQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `primary.podAntiAffinityPreset` | MySQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `primary.nodeAffinityPreset.type` | MySQL primary node affinity preset type. Ignored if `primary.affinity` is set. 
Allowed values: `soft` or `hard` | `""` | -| `primary.nodeAffinityPreset.key` | MySQL primary node label key to match Ignored if `primary.affinity` is set. | `""` | -| `primary.nodeAffinityPreset.values` | MySQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | -| `primary.affinity` | Affinity for MySQL primary pods assignment | `{}` | -| `primary.nodeSelector` | Node labels for MySQL primary pods assignment | `{}` | -| `primary.tolerations` | Tolerations for MySQL primary pods assignment | `[]` | -| `primary.priorityClassName` | MySQL primary pods' priorityClassName | `""` | -| `primary.runtimeClassName` | MySQL primary pods' runtimeClassName | `""` | -| `primary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | -| `primary.terminationGracePeriodSeconds` | In seconds, time the given to the MySQL primary pod needs to terminate gracefully | `""` | -| `primary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | -| `primary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MySQL primary pods | `""` | -| `primary.podSecurityContext.enabled` | Enable security context for MySQL primary pods | `true` | -| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | -| `primary.containerSecurityContext.enabled` | MySQL primary container securityContext | `true` | -| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `primary.containerSecurityContext.runAsUser` | User ID for the MySQL primary container | `1001` | -| `primary.containerSecurityContext.runAsNonRoot` | Set MySQL primary container's 
Security Context runAsNonRoot | `true` | -| `primary.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` | -| `primary.containerSecurityContext.capabilities.drop` | Set container's Security Context runAsNonRoot | `["ALL"]` | -| `primary.containerSecurityContext.seccompProfile.type` | Set Client container's Security Context seccomp profile | `RuntimeDefault` | -| `primary.resources.limits` | The resources limits for MySQL primary containers | `{}` | -| `primary.resources.requests` | The requested resources for MySQL primary containers | `{}` | -| `primary.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | -| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | -| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `primary.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `primary.startupProbe.enabled` | Enable startupProbe | `true` | -| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `15` | -| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| 
`primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | -| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `primary.customLivenessProbe` | Override default liveness probe for MySQL primary containers | `{}` | -| `primary.customReadinessProbe` | Override default readiness probe for MySQL primary containers | `{}` | -| `primary.customStartupProbe` | Override default startup probe for MySQL primary containers | `{}` | -| `primary.extraFlags` | MySQL primary additional command line flags | `""` | -| `primary.extraEnvVars` | Extra environment variables to be set on MySQL primary containers | `[]` | -| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MySQL primary containers | `""` | -| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MySQL primary containers | `""` | -| `primary.extraPodSpec` | Optionally specify extra PodSpec for the MySQL Primary pod(s) | `{}` | -| `primary.extraPorts` | Extra ports to expose | `[]` | -| `primary.persistence.enabled` | Enable persistence on MySQL primary replicas using a `PersistentVolumeClaim`. 
If false, use emptyDir | `true` | -| `primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MySQL primary replicas | `""` | -| `primary.persistence.subPath` | The name of a volume's sub path to mount for persistence | `""` | -| `primary.persistence.storageClass` | MySQL primary persistent volume storage Class | `""` | -| `primary.persistence.annotations` | MySQL primary persistent volume claim annotations | `{}` | -| `primary.persistence.accessModes` | MySQL primary persistent volume access Modes | `["ReadWriteOnce"]` | -| `primary.persistence.size` | MySQL primary persistent volume size | `8Gi` | -| `primary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | -| `primary.persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for Primary StatefulSet | `false` | -| `primary.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | -| `primary.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | -| `primary.extraVolumes` | Optionally specify extra list of additional volumes to the MySQL Primary pod(s) | `[]` | -| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MySQL Primary container(s) | `[]` | -| `primary.initContainers` | Add additional init containers for the MySQL Primary pod(s) | `[]` | -| `primary.sidecars` | Add additional sidecar containers for the MySQL Primary pod(s) | `[]` | -| `primary.service.type` | MySQL Primary K8s service type | `ClusterIP` | -| `primary.service.ports.mysql` | MySQL Primary K8s service port | `3306` | -| `primary.service.nodePorts.mysql` | MySQL Primary K8s service node port | `""` | -| `primary.service.clusterIP` | MySQL Primary K8s service clusterIP IP | `""` | -| `primary.service.loadBalancerIP` | MySQL Primary loadBalancerIP 
if service type is `LoadBalancer` | `""` | -| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `primary.service.loadBalancerSourceRanges` | Addresses that are allowed when MySQL Primary service is LoadBalancer | `[]` | -| `primary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `primary.service.annotations` | Additional custom annotations for MySQL primary service | `{}` | -| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `primary.service.headless.annotations` | Additional custom annotations for headless MySQL primary service. | `{}` | -| `primary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MySQL primary pods | `false` | -| `primary.pdb.minAvailable` | Minimum number/percentage of MySQL primary pods that should remain scheduled | `1` | -| `primary.pdb.maxUnavailable` | Maximum number/percentage of MySQL primary pods that may be made unavailable | `""` | -| `primary.podLabels` | MySQL Primary pod label. If labels are same as commonLabels , this will take precedence | `{}` | +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `primary.name` | Name of the primary database (eg primary, master, leader, ...) 
| `primary` | +| `primary.command` | Override default container command on MySQL Primary container(s) (useful when using custom images) | `[]` | +| `primary.args` | Override default container args on MySQL Primary container(s) (useful when using custom images) | `[]` | +| `primary.lifecycleHooks` | for the MySQL Primary container(s) to automate configuration before or after startup | `{}` | +| `primary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `primary.hostAliases` | Deployment pod host aliases | `[]` | +| `primary.configuration` | Configure MySQL Primary with a custom my.cnf file | `""` | +| `primary.existingConfigmap` | Name of existing ConfigMap with MySQL Primary configuration. | `""` | +| `primary.containerPorts.mysql` | Container port for mysql | `3306` | +| `primary.updateStrategy.type` | Update strategy type for the MySQL primary statefulset | `RollingUpdate` | +| `primary.podAnnotations` | Additional pod annotations for MySQL primary pods | `{}` | +| `primary.podAffinityPreset` | MySQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.podAntiAffinityPreset` | MySQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `primary.nodeAffinityPreset.type` | MySQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.nodeAffinityPreset.key` | MySQL primary node label key to match Ignored if `primary.affinity` is set. | `""` | +| `primary.nodeAffinityPreset.values` | MySQL primary node label values to match. Ignored if `primary.affinity` is set. 
| `[]` | +| `primary.affinity` | Affinity for MySQL primary pods assignment | `{}` | +| `primary.nodeSelector` | Node labels for MySQL primary pods assignment | `{}` | +| `primary.tolerations` | Tolerations for MySQL primary pods assignment | `[]` | +| `primary.priorityClassName` | MySQL primary pods' priorityClassName | `""` | +| `primary.runtimeClassName` | MySQL primary pods' runtimeClassName | `""` | +| `primary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `primary.terminationGracePeriodSeconds` | In seconds, time the given to the MySQL primary pod needs to terminate gracefully | `""` | +| `primary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | +| `primary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MySQL primary pods | `""` | +| `primary.podSecurityContext.enabled` | Enable security context for MySQL primary pods | `true` | +| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | +| `primary.containerSecurityContext.enabled` | MySQL primary container securityContext | `true` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `primary.containerSecurityContext.runAsUser` | User ID for the MySQL primary container | `1001` | +| `primary.containerSecurityContext.runAsGroup` | Group ID for the MySQL primary container | `0` | +| `primary.containerSecurityContext.runAsNonRoot` | Set MySQL primary container's Security Context runAsNonRoot | `true` | +| `primary.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` | +| 
`primary.containerSecurityContext.capabilities.drop` | Set container's Security Context runAsNonRoot | `["ALL"]` | +| `primary.containerSecurityContext.seccompProfile.type` | Set Client container's Security Context seccomp profile | `RuntimeDefault` | +| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` | +| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `none` | +| `primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `primary.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | +| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `primary.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `primary.startupProbe.enabled` | Enable startupProbe | `true` | +| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | 
`15` | +| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | +| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `primary.customLivenessProbe` | Override default liveness probe for MySQL primary containers | `{}` | +| `primary.customReadinessProbe` | Override default readiness probe for MySQL primary containers | `{}` | +| `primary.customStartupProbe` | Override default startup probe for MySQL primary containers | `{}` | +| `primary.extraFlags` | MySQL primary additional command line flags | `""` | +| `primary.extraEnvVars` | Extra environment variables to be set on MySQL primary containers | `[]` | +| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MySQL primary containers | `""` | +| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MySQL primary containers | `""` | +| `primary.extraPodSpec` | Optionally specify extra PodSpec for the MySQL Primary pod(s) | `{}` | +| `primary.extraPorts` | Extra ports to expose | `[]` | +| `primary.persistence.enabled` | Enable persistence on MySQL primary replicas using a `PersistentVolumeClaim`. 
If false, use emptyDir | `true` | +| `primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MySQL primary replicas | `""` | +| `primary.persistence.subPath` | The name of a volume's sub path to mount for persistence | `""` | +| `primary.persistence.storageClass` | MySQL primary persistent volume storage Class | `""` | +| `primary.persistence.annotations` | MySQL primary persistent volume claim annotations | `{}` | +| `primary.persistence.accessModes` | MySQL primary persistent volume access Modes | `["ReadWriteOnce"]` | +| `primary.persistence.size` | MySQL primary persistent volume size | `8Gi` | +| `primary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | +| `primary.persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for Primary StatefulSet | `false` | +| `primary.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `primary.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | +| `primary.extraVolumes` | Optionally specify extra list of additional volumes to the MySQL Primary pod(s) | `[]` | +| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MySQL Primary container(s) | `[]` | +| `primary.initContainers` | Add additional init containers for the MySQL Primary pod(s) | `[]` | +| `primary.sidecars` | Add additional sidecar containers for the MySQL Primary pod(s) | `[]` | +| `primary.service.type` | MySQL Primary K8s service type | `ClusterIP` | +| `primary.service.ports.mysql` | MySQL Primary K8s service port | `3306` | +| `primary.service.nodePorts.mysql` | MySQL Primary K8s service node port | `""` | +| `primary.service.clusterIP` | MySQL Primary K8s service clusterIP IP | `""` | +| `primary.service.loadBalancerIP` | MySQL Primary loadBalancerIP 
if service type is `LoadBalancer` | `""` | +| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `primary.service.loadBalancerSourceRanges` | Addresses that are allowed when MySQL Primary service is LoadBalancer | `[]` | +| `primary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `primary.service.annotations` | Additional custom annotations for MySQL primary service | `{}` | +| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `primary.service.headless.annotations` | Additional custom annotations for headless MySQL primary service. | `{}` | +| `primary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MySQL primary pods | `false` | +| `primary.pdb.minAvailable` | Minimum number/percentage of MySQL primary pods that should remain scheduled | `1` | +| `primary.pdb.maxUnavailable` | Maximum number/percentage of MySQL primary pods that may be made unavailable | `""` | +| `primary.podLabels` | MySQL Primary pod label. If labels are same as commonLabels , this will take precedence | `{}` | ### MySQL Secondary parameters -| Name | Description | Value | -| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | ------------------- | -| `secondary.name` | Name of the secondary database (eg secondary, slave, ...) 
| `secondary` | -| `secondary.replicaCount` | Number of MySQL secondary replicas | `1` | -| `secondary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | -| `secondary.hostAliases` | Deployment pod host aliases | `[]` | -| `secondary.command` | Override default container command on MySQL Secondary container(s) (useful when using custom images) | `[]` | -| `secondary.args` | Override default container args on MySQL Secondary container(s) (useful when using custom images) | `[]` | -| `secondary.lifecycleHooks` | for the MySQL Secondary container(s) to automate configuration before or after startup | `{}` | -| `secondary.configuration` | Configure MySQL Secondary with a custom my.cnf file | `""` | -| `secondary.existingConfigmap` | Name of existing ConfigMap with MySQL Secondary configuration. | `""` | -| `secondary.containerPorts.mysql` | Container port for mysql | `3306` | -| `secondary.updateStrategy.type` | Update strategy type for the MySQL secondary statefulset | `RollingUpdate` | -| `secondary.podAnnotations` | Additional pod annotations for MySQL secondary pods | `{}` | -| `secondary.podAffinityPreset` | MySQL secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `secondary.podAntiAffinityPreset` | MySQL secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `secondary.nodeAffinityPreset.type` | MySQL secondary node affinity preset type. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `secondary.nodeAffinityPreset.key` | MySQL secondary node label key to match Ignored if `secondary.affinity` is set. | `""` | -| `secondary.nodeAffinityPreset.values` | MySQL secondary node label values to match. Ignored if `secondary.affinity` is set. 
| `[]` | -| `secondary.affinity` | Affinity for MySQL secondary pods assignment | `{}` | -| `secondary.nodeSelector` | Node labels for MySQL secondary pods assignment | `{}` | -| `secondary.tolerations` | Tolerations for MySQL secondary pods assignment | `[]` | -| `secondary.priorityClassName` | MySQL secondary pods' priorityClassName | `""` | -| `secondary.runtimeClassName` | MySQL secondary pods' runtimeClassName | `""` | -| `secondary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | -| `secondary.terminationGracePeriodSeconds` | In seconds, time the given to the MySQL secondary pod needs to terminate gracefully | `""` | -| `secondary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | -| `secondary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MySQL secondary pods | `""` | -| `secondary.podSecurityContext.enabled` | Enable security context for MySQL secondary pods | `true` | -| `secondary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `secondary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `secondary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | -| `secondary.containerSecurityContext.enabled` | MySQL secondary container securityContext | `true` | -| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `secondary.containerSecurityContext.runAsUser` | User ID for the MySQL secondary container | `1001` | -| `secondary.containerSecurityContext.runAsNonRoot` | Set MySQL secondary container's Security Context runAsNonRoot | `true` | -| `secondary.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` | -| `secondary.containerSecurityContext.capabilities.drop` | Set container's 
Security Context runAsNonRoot | `["ALL"]` | -| `secondary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `secondary.resources.limits` | The resources limits for MySQL secondary containers | `{}` | -| `secondary.resources.requests` | The requested resources for MySQL secondary containers | `{}` | -| `secondary.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `secondary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | -| `secondary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `secondary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | -| `secondary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `secondary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `secondary.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `secondary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `secondary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `secondary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `secondary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `secondary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `secondary.startupProbe.enabled` | Enable startupProbe | `true` | -| `secondary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `15` | -| `secondary.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `secondary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `secondary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `secondary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `secondary.customLivenessProbe` | 
Override default liveness probe for MySQL secondary containers | `{}` | -| `secondary.customReadinessProbe` | Override default readiness probe for MySQL secondary containers | `{}` | -| `secondary.customStartupProbe` | Override default startup probe for MySQL secondary containers | `{}` | -| `secondary.extraFlags` | MySQL secondary additional command line flags | `""` | -| `secondary.extraEnvVars` | An array to add extra environment variables on MySQL secondary containers | `[]` | -| `secondary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MySQL secondary containers | `""` | -| `secondary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MySQL secondary containers | `""` | -| `secondary.extraPodSpec` | Optionally specify extra PodSpec for the MySQL Secondary pod(s) | `{}` | -| `secondary.extraPorts` | Extra ports to expose | `[]` | -| `secondary.persistence.enabled` | Enable persistence on MySQL secondary replicas using a `PersistentVolumeClaim` | `true` | -| `secondary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MySQL secondary replicas | `""` | -| `secondary.persistence.subPath` | The name of a volume's sub path to mount for persistence | `""` | -| `secondary.persistence.storageClass` | MySQL secondary persistent volume storage Class | `""` | -| `secondary.persistence.annotations` | MySQL secondary persistent volume claim annotations | `{}` | -| `secondary.persistence.accessModes` | MySQL secondary persistent volume access Modes | `["ReadWriteOnce"]` | -| `secondary.persistence.size` | MySQL secondary persistent volume size | `8Gi` | -| `secondary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | -| `secondary.persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for read only StatefulSet | `false` | -| `secondary.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica 
count of the StatefulSet is reduced | `Retain` | -| `secondary.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | -| `secondary.extraVolumes` | Optionally specify extra list of additional volumes to the MySQL secondary pod(s) | `[]` | -| `secondary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MySQL secondary container(s) | `[]` | -| `secondary.initContainers` | Add additional init containers for the MySQL secondary pod(s) | `[]` | -| `secondary.sidecars` | Add additional sidecar containers for the MySQL secondary pod(s) | `[]` | -| `secondary.service.type` | MySQL secondary Kubernetes service type | `ClusterIP` | -| `secondary.service.ports.mysql` | MySQL secondary Kubernetes service port | `3306` | -| `secondary.service.nodePorts.mysql` | MySQL secondary Kubernetes service node port | `""` | -| `secondary.service.clusterIP` | MySQL secondary Kubernetes service clusterIP IP | `""` | -| `secondary.service.loadBalancerIP` | MySQL secondary loadBalancerIP if service type is `LoadBalancer` | `""` | -| `secondary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `secondary.service.loadBalancerSourceRanges` | Addresses that are allowed when MySQL secondary service is LoadBalancer | `[]` | -| `secondary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `secondary.service.annotations` | Additional custom annotations for MySQL secondary service | `{}` | -| `secondary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `secondary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `secondary.service.headless.annotations` | Additional custom annotations for headless MySQL secondary service. 
| `{}` | -| `secondary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MySQL secondary pods | `false` | -| `secondary.pdb.minAvailable` | Minimum number/percentage of MySQL secondary pods that should remain scheduled | `1` | -| `secondary.pdb.maxUnavailable` | Maximum number/percentage of MySQL secondary pods that may be made unavailable | `""` | -| `secondary.podLabels` | Additional pod labels for MySQL secondary pods | `{}` | +| Name | Description | Value | +| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- | +| `secondary.name` | Name of the secondary database (eg secondary, slave, ...) | `secondary` | +| `secondary.replicaCount` | Number of MySQL secondary replicas | `1` | +| `secondary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `secondary.hostAliases` | Deployment pod host aliases | `[]` | +| `secondary.command` | Override default container command on MySQL Secondary container(s) (useful when using custom images) | `[]` | +| `secondary.args` | Override default container args on MySQL Secondary container(s) (useful when using custom images) | `[]` | +| `secondary.lifecycleHooks` | for the MySQL Secondary container(s) to automate configuration before or after startup | `{}` | +| `secondary.configuration` | Configure MySQL Secondary with a custom my.cnf file | `""` | +| `secondary.existingConfigmap` | Name of existing ConfigMap with MySQL Secondary configuration. 
| `""` | +| `secondary.containerPorts.mysql` | Container port for mysql | `3306` | +| `secondary.updateStrategy.type` | Update strategy type for the MySQL secondary statefulset | `RollingUpdate` | +| `secondary.podAnnotations` | Additional pod annotations for MySQL secondary pods | `{}` | +| `secondary.podAffinityPreset` | MySQL secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `secondary.podAntiAffinityPreset` | MySQL secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `secondary.nodeAffinityPreset.type` | MySQL secondary node affinity preset type. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `secondary.nodeAffinityPreset.key` | MySQL secondary node label key to match Ignored if `secondary.affinity` is set. | `""` | +| `secondary.nodeAffinityPreset.values` | MySQL secondary node label values to match. Ignored if `secondary.affinity` is set. 
| `[]` | +| `secondary.affinity` | Affinity for MySQL secondary pods assignment | `{}` | +| `secondary.nodeSelector` | Node labels for MySQL secondary pods assignment | `{}` | +| `secondary.tolerations` | Tolerations for MySQL secondary pods assignment | `[]` | +| `secondary.priorityClassName` | MySQL secondary pods' priorityClassName | `""` | +| `secondary.runtimeClassName` | MySQL secondary pods' runtimeClassName | `""` | +| `secondary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `secondary.terminationGracePeriodSeconds` | In seconds, time the given to the MySQL secondary pod needs to terminate gracefully | `""` | +| `secondary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | +| `secondary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MySQL secondary pods | `""` | +| `secondary.podSecurityContext.enabled` | Enable security context for MySQL secondary pods | `true` | +| `secondary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `secondary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `secondary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | +| `secondary.containerSecurityContext.enabled` | MySQL secondary container securityContext | `true` | +| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `secondary.containerSecurityContext.runAsUser` | User ID for the MySQL secondary container | `1001` | +| `secondary.containerSecurityContext.runAsGroup` | Group ID for the MySQL secondary container | `0` | +| `secondary.containerSecurityContext.runAsNonRoot` | Set MySQL secondary container's Security Context runAsNonRoot | `true` | +| `secondary.containerSecurityContext.allowPrivilegeEscalation` | Set container's 
privilege escalation | `false` | +| `secondary.containerSecurityContext.capabilities.drop` | Set container's Security Context runAsNonRoot | `["ALL"]` | +| `secondary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `secondary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` | +| `secondary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). | `none` | +| `secondary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `secondary.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `secondary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | +| `secondary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `secondary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `secondary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `secondary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `secondary.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `secondary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `secondary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `secondary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `secondary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `secondary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `secondary.startupProbe.enabled` | Enable startupProbe | `true` | +| 
`secondary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `15` | +| `secondary.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `secondary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `secondary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `secondary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `secondary.customLivenessProbe` | Override default liveness probe for MySQL secondary containers | `{}` | +| `secondary.customReadinessProbe` | Override default readiness probe for MySQL secondary containers | `{}` | +| `secondary.customStartupProbe` | Override default startup probe for MySQL secondary containers | `{}` | +| `secondary.extraFlags` | MySQL secondary additional command line flags | `""` | +| `secondary.extraEnvVars` | An array to add extra environment variables on MySQL secondary containers | `[]` | +| `secondary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MySQL secondary containers | `""` | +| `secondary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MySQL secondary containers | `""` | +| `secondary.extraPodSpec` | Optionally specify extra PodSpec for the MySQL Secondary pod(s) | `{}` | +| `secondary.extraPorts` | Extra ports to expose | `[]` | +| `secondary.persistence.enabled` | Enable persistence on MySQL secondary replicas using a `PersistentVolumeClaim` | `true` | +| `secondary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MySQL secondary replicas | `""` | +| `secondary.persistence.subPath` | The name of a volume's sub path to mount for persistence | `""` | +| `secondary.persistence.storageClass` | MySQL secondary persistent volume storage Class | `""` | +| `secondary.persistence.annotations` | MySQL secondary persistent volume claim annotations | `{}` | +| `secondary.persistence.accessModes` | MySQL secondary 
persistent volume access Modes | `["ReadWriteOnce"]` | +| `secondary.persistence.size` | MySQL secondary persistent volume size | `8Gi` | +| `secondary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | +| `secondary.persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for read only StatefulSet | `false` | +| `secondary.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `secondary.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | +| `secondary.extraVolumes` | Optionally specify extra list of additional volumes to the MySQL secondary pod(s) | `[]` | +| `secondary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MySQL secondary container(s) | `[]` | +| `secondary.initContainers` | Add additional init containers for the MySQL secondary pod(s) | `[]` | +| `secondary.sidecars` | Add additional sidecar containers for the MySQL secondary pod(s) | `[]` | +| `secondary.service.type` | MySQL secondary Kubernetes service type | `ClusterIP` | +| `secondary.service.ports.mysql` | MySQL secondary Kubernetes service port | `3306` | +| `secondary.service.nodePorts.mysql` | MySQL secondary Kubernetes service node port | `""` | +| `secondary.service.clusterIP` | MySQL secondary Kubernetes service clusterIP IP | `""` | +| `secondary.service.loadBalancerIP` | MySQL secondary loadBalancerIP if service type is `LoadBalancer` | `""` | +| `secondary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `secondary.service.loadBalancerSourceRanges` | Addresses that are allowed when MySQL secondary service is LoadBalancer | `[]` | +| `secondary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `secondary.service.annotations` | 
Additional custom annotations for MySQL secondary service | `{}` | +| `secondary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `secondary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `secondary.service.headless.annotations` | Additional custom annotations for headless MySQL secondary service. | `{}` | +| `secondary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MySQL secondary pods | `false` | +| `secondary.pdb.minAvailable` | Minimum number/percentage of MySQL secondary pods that should remain scheduled | `1` | +| `secondary.pdb.maxUnavailable` | Maximum number/percentage of MySQL secondary pods that may be made unavailable | `""` | +| `secondary.podLabels` | Additional pod labels for MySQL secondary pods | `{}` | ### RBAC parameters 
@@ -336,66 +341,72 @@ The command removes all the Kubernetes components associated with the chart and ### Volume Permissions parameters -| Name | Description | Value | -| ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `volumePermissions.resources` | Init container volume-permissions resources | `{}` | +| Name | Description | Value | +| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | +| 
`volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | ### Metrics parameters -| Name | Description | Value | -| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | --------------------------------- | -| `metrics.enabled` | Start a side-car prometheus exporter | `false` | -| `metrics.image.registry` | Exporter image registry | `REGISTRY_NAME` | -| `metrics.image.repository` | Exporter image repository | `REPOSITORY_NAME/mysqld-exporter` | -| `metrics.image.digest` | Exporter image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `metrics.containerSecurityContext.enabled` | MySQL metrics container securityContext | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `metrics.containerSecurityContext.runAsUser` | User ID for the MySQL metrics container | `1001` | -| `metrics.containerSecurityContext.runAsNonRoot` | Set MySQL metrics container's Security Context runAsNonRoot | `true` | -| `metrics.containerPorts.http` | Container port for http | `9104` | -| `metrics.service.type` | Kubernetes service type for MySQL Prometheus Exporter | `ClusterIP` | -| `metrics.service.clusterIP` | Kubernetes service clusterIP for MySQL Prometheus Exporter | `""` | -| `metrics.service.port` | MySQL Prometheus Exporter service port | `9104` | -| `metrics.service.annotations` | Prometheus exporter service annotations | `{}` | -| `metrics.extraArgs.primary` | Extra args to be passed to mysqld_exporter on Primary pods | `[]` | -| `metrics.extraArgs.secondary` | Extra args to be passed to mysqld_exporter on Secondary pods | `[]` | -| `metrics.resources.limits` | The resources limits for MySQL prometheus exporter containers | `{}` | -| `metrics.resources.requests` | The requested resources for MySQL prometheus exporter containers | `{}` | -| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | -| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | -| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `metrics.livenessProbe.successThreshold` | Success threshold 
for livenessProbe | `1` | -| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | -| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | -| `metrics.serviceMonitor.namespace` | Specify the namespace in which the serviceMonitor resource will be created | `""` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | -| `metrics.serviceMonitor.interval` | Specify the interval at which metrics should be scraped | `30s` | -| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | -| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` | -| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.serviceMonitor.labels` | Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with | `{}` | -| `metrics.serviceMonitor.annotations` | ServiceMonitor annotations | `{}` | -| `metrics.prometheusRule.enabled` | Creates a Prometheus Operator prometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` | -| 
`metrics.prometheusRule.namespace` | Namespace for the prometheusRule Resource (defaults to the Release Namespace) | `""` | -| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRule will be discovered by Prometheus | `{}` | -| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` | +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | +| `metrics.enabled` | Start a side-car prometheus exporter | `false` | +| `metrics.image.registry` | Exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | Exporter image repository | `REPOSITORY_NAME/mysqld-exporter` | +| `metrics.image.digest` | Exporter image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.containerSecurityContext.enabled` | MySQL metrics container securityContext | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `metrics.containerSecurityContext.runAsUser` | User ID for the MySQL metrics container | `1001` | +| `metrics.containerSecurityContext.runAsGroup` | Group ID for the MySQL metrics container | `0` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set MySQL metrics container's Security Context runAsNonRoot | `true` | +| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` | +| `metrics.containerSecurityContext.capabilities.drop` | Set container's Security Context runAsNonRoot | `["ALL"]` | +| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` | +| `metrics.containerPorts.http` | Container port for http | `9104` | +| `metrics.service.type` | Kubernetes service type for MySQL Prometheus Exporter | `ClusterIP` | +| `metrics.service.clusterIP` | Kubernetes service clusterIP for MySQL Prometheus Exporter | `""` | +| `metrics.service.port` | MySQL Prometheus Exporter service port | `9104` | +| `metrics.service.annotations` | Prometheus exporter service annotations | `{}` | +| `metrics.extraArgs.primary` | Extra args to be passed to mysqld_exporter on Primary pods | `[]` | +| `metrics.extraArgs.secondary` | Extra args to be passed to mysqld_exporter on Secondary pods | `[]` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, 
nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.serviceMonitor.namespace` | Specify the namespace in which the serviceMonitor resource will be created | `""` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. 
| `""` | +| `metrics.serviceMonitor.interval` | Specify the interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.labels` | Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with | `{}` | +| `metrics.serviceMonitor.annotations` | ServiceMonitor annotations | `{}` | +| `metrics.prometheusRule.enabled` | Creates a Prometheus Operator prometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` | +| `metrics.prometheusRule.namespace` | Namespace for the prometheusRule Resource (defaults to the Release Namespace) | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` | The above parameters map to the env variables defined in [bitnami/mysql](https://github.com/bitnami/containers/tree/main/bitnami/mysql). For more information please refer to the [bitnami/mysql](https://github.com/bitnami/containers/tree/main/bitnami/mysql) image documentation. 
@@ -424,6 +435,12 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/mysql
 ## Configuration and installation details
+### Resource requests and limits
+
+Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
+
+To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
+
 ### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers)
 It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
diff --git a/charts/bitnami/mysql/charts/common/.helmignore b/charts/bitnami/mysql/charts/common/.helmignore
index 50af03172..7c7c21d65 100644
--- a/charts/bitnami/mysql/charts/common/.helmignore
+++ b/charts/bitnami/mysql/charts/common/.helmignore
@@ -20,3 +20,5 @@
 .idea/
 *.tmproj
 .vscode/
+# img folder
+img/
diff --git a/charts/bitnami/mysql/charts/common/Chart.yaml b/charts/bitnami/mysql/charts/common/Chart.yaml
index 9a6aa881f..2acf0cd40 100644
--- a/charts/bitnami/mysql/charts/common/Chart.yaml
+++ b/charts/bitnami/mysql/charts/common/Chart.yaml
@@ -2,7 +2,7 @@ annotations:
   category: Infrastructure
   licenses: Apache-2.0
 apiVersion: v2
-appVersion: 2.14.1
+appVersion: 2.18.0
 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself.
 home: https://bitnami.com
@@ -20,4 +20,4 @@ name: common
 sources:
   - https://github.com/bitnami/charts
 type: library
-version: 2.14.1
+version: 2.18.0
diff --git a/charts/bitnami/mysql/charts/common/README.md b/charts/bitnami/mysql/charts/common/README.md
index a76fa46a2..0d01a1e06 100644
--- a/charts/bitnami/mysql/charts/common/README.md
+++ b/charts/bitnami/mysql/charts/common/README.md
@@ -220,7 +220,7 @@ helm install test mychart --set path.to.value00="",path.to.value01=""
 ## License
-Copyright © 2023 VMware, Inc.
+Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/charts/bitnami/mysql/charts/common/templates/_compatibility.tpl b/charts/bitnami/mysql/charts/common/templates/_compatibility.tpl
new file mode 100644
index 000000000..c529f0872
--- /dev/null
+++ b/charts/bitnami/mysql/charts/common/templates/_compatibility.tpl
@@ -0,0 +1,35 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+{{- if .context.Values.global.compatibility -}}
+ {{- if .context.Values.global.compatibility.openshift -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/charts/bitnami/mysql/charts/common/templates/_resources.tpl b/charts/bitnami/mysql/charts/common/templates/_resources.tpl
new file mode 100644
index 000000000..d90f8752d
--- /dev/null
+++ b/charts/bitnami/mysql/charts/common/templates/_resources.tpl
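Review bot: On the `auto` path `common.compatibility.renderSecurityContext` decides whether to drop `fsGroup`, `runAsUser` and `runAsGroup` from `.Capabilities.APIVersions.Has "security.openshift.io/v1"`, so `helm template` (where that API version is absent unless supplied with `--api-versions`) renders the explicit UID/GID while `helm install` against an OpenShift cluster omits them, and anyone reviewing rendered manifests for security-context policy sees something different from what the cluster receives. The usage comment above the define should say so, e.g. `With adaptSecurityContext=auto the result depends on API discovery; pass --api-versions security.openshift.io/v1 to helm template to preview the adapted output.` It is also worth stating there that `runAsNonRoot` is deliberately kept as the remaining guard once the explicit UID is removed, so a later edit does not extend the `omit` list to it.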
@@ -0,0 +1,50 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a resource request/limit object based on a given preset.
+These presets are for basic testing and not meant to be used in production
+{{ include "common.resources.preset" (dict "type" "nano") -}}
+*/}}
+{{- define "common.resources.preset" -}}
+{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
+{{- $presets := dict
+ "nano" (dict
+ "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
+ )
+ "micro" (dict
+ "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
+ )
+ "small" (dict
+ "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
+ )
+ "medium" (dict
+ "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
+ )
+ "large" (dict
+ "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
+ )
+ "xlarge" (dict
+ "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
+ )
+ "2xlarge" (dict
+ "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
+ )
+ }}
+{{- if hasKey $presets .type -}}
+{{- index $presets .type | toYaml -}}
+{{- else -}}
+{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
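Review bot: The preset table defines a `micro` size, but the `resourcesPreset` rows this commit adds to the chart README (for `secondary`, `volumePermissions` and `metrics`) list the allowed values as `none, nano, small, medium, large, xlarge, 2xlarge`, so one of the two is out of date; either document `micro` or drop it here. The `fail` branch builds its message from `keys $presets`, which Sprig returns in no particular order, so the error text varies between renders; `(join "," (keys $presets | sortAlpha))` gives a stable message. Since `none` is not a key, `resourcesPreset: none` (the documented default) would hit the `fail` branch if passed straight in, so the usage comment should state that callers are expected to skip the include for `none`.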
diff --git a/charts/bitnami/mysql/charts/common/templates/_warnings.tpl b/charts/bitnami/mysql/charts/common/templates/_warnings.tpl index 66dffc1fe..0f763cd82 100644 --- a/charts/bitnami/mysql/charts/common/templates/_warnings.tpl +++ b/charts/bitnami/mysql/charts/common/templates/_warnings.tpl 
@@ -13,7 +13,70 @@ Usage: {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ ++info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers {{- end }} - +{{- end -}} + +{{/* +Warning about not setting the resource object in all deployments. +Usage: +{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} +Example: +{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} +The list in the example assumes that the following values exist: + - csiProvider.provider.resources + - server.resources + - volumePermissions.resources + - resources +*/}} +{{- define "common.warnings.resources" -}} +{{- $values := .context.Values -}} +{{- $printMessage := false -}} +{{ $affectedSections := list -}} +{{- range .sections -}} + {{- if eq . "" -}} + {{/* Case where the resources section is at the root (one main deployment in the chart) */}} + {{- if not (index $values "resources") -}} + {{- $affectedSections = append $affectedSections "resources" -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} + {{- $keys := split "." . -}} + {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} + {{- $section := $values -}} + {{- range $keys -}} + {{- $section = index $section . 
-}} + {{- end -}} + {{- if not (index $section "resources") -}} + {{/* If the section has enabled=false or replicaCount=0, do not include it */}} + {{- if and (hasKey $section "enabled") -}} + {{- if index $section "enabled" -}} + {{/* enabled=true */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else if and (hasKey $section "replicaCount") -}} + {{/* We need a casting to int because number 0 is not treated as an int by default */}} + {{- if (gt (index $section "replicaCount" | int) 0) -}} + {{/* replicaCount > 0 */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Default case, add it to the affected sections */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: +{{- range $affectedSections }} + - {{ . }} +{{- end }} ++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +{{- end -}} {{- end -}} diff --git a/charts/bitnami/mysql/templates/NOTES.txt b/charts/bitnami/mysql/templates/NOTES.txt index ecf604c3e..4643ec343 100644 --- a/charts/bitnami/mysql/templates/NOTES.txt +++ b/charts/bitnami/mysql/templates/NOTES.txt @@ -73,3 +73,4 @@ To access the MySQL Prometheus metrics from outside the cluster execute the foll {{ include "mysql.validateValues" . }} {{ include "mysql.checkRollingTags" . }} {{- end }} +{{- include "common.warnings.resources" (dict "sections" (list "metrics" "primary" "secondary" "volumePermissions") "context" $) }} 
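Review bot: The path walk `{{- $section = index $section . -}}` inside `range $keys` has no guard for a missing intermediate key; if I read Go template semantics correctly, `index` applied to the nil that a missing map key yields fails, so a `sections` entry naming a path the chart's values do not define would abort rendering of NOTES.txt with an opaque index error instead of producing the warning this helper exists for. A cheap guard is to stop at the first missing key, e.g. `{{- if and $section (hasKey $section .) }}{{ $section = index $section . }}{{ else }}{{ $section = dict }}{{ end -}}`, so the default branch below still lists the section. A smaller point of style in the same hunk: `{{- if and (hasKey $section "enabled") -}}` and its `replicaCount` twin use `and` with a single operand, which reads like a leftover; `{{- if hasKey $section "enabled" -}}` says the same. The enclosing define for the rolling-tag warning, whose closing `{{- end -}}` this hunk touches, starts outside the hunk.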
diff --git a/charts/bitnami/mysql/templates/primary/statefulset.yaml b/charts/bitnami/mysql/templates/primary/statefulset.yaml index 011856718..cb70a3e8b 100644 --- a/charts/bitnami/mysql/templates/primary/statefulset.yaml +++ b/charts/bitnami/mysql/templates/primary/statefulset.yaml @@ -72,7 +72,7 @@ spec: topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.primary.topologySpreadConstraints "context" .) | nindent 8 }} {{- end }} {{- if .Values.primary.podSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if .Values.primary.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }} @@ -93,6 +93,8 @@ spec: runAsUser: 0 {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: data @@ -100,6 +102,9 @@ spec: {{- if .Values.primary.persistence.subPath }} subPath: {{ .Values.primary.persistence.subPath }} {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- end }} {{- if .Values.primary.initContainers }} {{- include "common.tplvalues.render" (dict "value" .Values.primary.initContainers "context" $) | nindent 8 }} 
@@ -109,7 +114,7 @@ spec: image: {{ include "mysql.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.primary.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -244,6 +249,8 @@ spec: {{- end }} {{- if .Values.primary.resources }} resources: {{ toYaml .Values.primary.resources | nindent 12 }} + {{- else if ne .Values.primary.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: data @@ -251,6 +258,18 @@ spec: {{- if .Values.primary.persistence.subPath }} subPath: {{ .Values.primary.persistence.subPath }} {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mysql/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mysql/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mysql/logs + subPath: app-logs-dir {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} - name: custom-init-scripts mountPath: /docker-entrypoint-initdb.d 
@@ -276,7 +295,7 @@ spec: image: {{ include "mysql.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: {{- if .Values.auth.usePasswordFiles }} @@ -322,12 +341,17 @@ spec: {{- end }} {{- if .Values.metrics.resources }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} - {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }} volumeMounts: + {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }} - name: mysql-credentials mountPath: /opt/bitnami/mysqld-exporter/secrets/ {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- end }} {{- if .Values.primary.sidecars }} {{- include "common.tplvalues.render" (dict "value" .Values.primary.sidecars "context" $) | nindent 8 }} @@ -362,6 +386,8 @@ spec: path: mysql-replication-password {{- end }} {{- end }} + - name: empty-dir + emptyDir: {} {{- if .Values.primary.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumes "context" $) | nindent 8 }} {{- end }} diff --git a/charts/bitnami/mysql/templates/secondary/statefulset.yaml b/charts/bitnami/mysql/templates/secondary/statefulset.yaml index 3e358b043..00163520d 100644 --- a/charts/bitnami/mysql/templates/secondary/statefulset.yaml +++ b/charts/bitnami/mysql/templates/secondary/statefulset.yaml 
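Review bot: The `empty-dir` volume added in the `@@ -362,6 +386,8 @@` hunk is declared as `emptyDir: {}` with no `sizeLimit`, while the earlier hunks in this file mount it at `/tmp`, `/opt/bitnami/mysql/tmp` and `/opt/bitnami/mysql/logs`, so growth of logs and temp files is bounded only by the container's ephemeral-storage limit — and that limit exists only when `primary.resources` or a preset other than `none` supplies one, which the shipped default does not. Consider making the bound configurable, e.g. `emptyDir:` followed by `  sizeLimit: {{ <chart value, name to be chosen> }}`, or at least a comment on the volume stating that the bound is expected to come from `resources.limits.ephemeral-storage`. The secondary statefulset's `@@ -342,6 +366,8 @@` hunk has the same shape. Nothing in this diff shows how large the logs directory is expected to get, so treat this as a hardening suggestion rather than a defect.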
@@ -73,7 +73,7 @@ spec: topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.topologySpreadConstraints "context" .) | nindent 8 }} {{- end }} {{- if .Values.secondary.podSecurityContext.enabled }} - securityContext: {{- omit .Values.secondary.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.secondary.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if .Values.secondary.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.secondary.terminationGracePeriodSeconds }} @@ -94,6 +94,8 @@ spec: runAsUser: 0 {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: data @@ -101,6 +103,9 @@ spec: {{- if .Values.secondary.persistence.subPath }} subPath: {{ .Values.secondary.persistence.subPath }} {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- end }} {{- if .Values.secondary.initContainers }} {{- include "common.tplvalues.render" (dict "value" .Values.secondary.initContainers "context" $) | nindent 8 }} 
@@ -110,7 +115,7 @@ spec: image: {{ include "mysql.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.secondary.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.secondary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.secondary.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -228,6 +233,8 @@ spec: {{- end }} {{- if .Values.secondary.resources }} resources: {{ toYaml .Values.secondary.resources | nindent 12 }} + {{- else if ne .Values.secondary.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.secondary.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: data @@ -252,6 +259,18 @@ spec: - name: mysql-credentials mountPath: /opt/bitnami/mysql/secrets/ {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mysql/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mysql/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mysql/logs + subPath: app-logs-dir {{- if .Values.secondary.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} 
@@ -260,7 +279,7 @@ spec: image: {{ include "mysql.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: {{- if .Values.auth.usePasswordFiles }} @@ -306,12 +325,17 @@ spec: {{- end }} {{- if .Values.metrics.resources }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} - {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }} volumeMounts: + {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }} - name: mysql-credentials mountPath: /opt/bitnami/mysqld-exporter/secrets/ {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- end }} {{- if .Values.secondary.sidecars }} {{- include "common.tplvalues.render" (dict "value" .Values.secondary.sidecars "context" $) | nindent 8 }} @@ -342,6 +366,8 @@ spec: - key: mysql-replication-password path: mysql-replication-password {{- end }} + - name: empty-dir + emptyDir: {} {{- if .Values.secondary.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraVolumes "context" $) | nindent 8 }} {{- end }} diff --git a/charts/bitnami/mysql/values.yaml b/charts/bitnami/mysql/values.yaml index f5fb356c1..3f88d1f1d 100644 --- a/charts/bitnami/mysql/values.yaml +++ b/charts/bitnami/mysql/values.yaml 
@@ -19,7 +19,15 @@ global: ## imagePullSecrets: [] storageClass: "" - + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## @section Common parameters ## @@ -47,13 +55,11 @@ commonLabels: {} ## @param extraDeploy Array with extra yaml to deploy with the chart. Evaluated as a template ## extraDeploy: [] - ## @param serviceBindings.enabled Create secret for service binding (Experimental) ## Ref: https://servicebinding.io/service-provider/ ## serviceBindings: enabled: false - ## Enable diagnostic mode in the deployment ## diagnosticMode: @@ -68,7 +74,6 @@ diagnosticMode: ## args: - infinity - ## @section MySQL common parameters ## @@ -85,7 +90,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/mysql - tag: 8.0.36-debian-11-r4 + tag: 8.0.36-debian-12-r8 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -178,10 +183,8 @@ startdbScripts: {} ## @param startdbScriptsConfigMap ConfigMap with the startdb scripts (Note: Overrides `startdbScripts`) ## startdbScriptsConfigMap: "" - ## @section MySQL Primary parameters ## - primary: ## @param primary.name Name of the primary database (eg primary, master, leader, ...) ## 
@@ -333,43 +336,46 @@ primary: ## @param primary.containerSecurityContext.enabled MySQL primary container securityContext ## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param primary.containerSecurityContext.runAsUser User ID for the MySQL primary container + ## @param primary.containerSecurityContext.runAsGroup Group ID for the MySQL primary container ## @param primary.containerSecurityContext.runAsNonRoot Set MySQL primary container's Security Context runAsNonRoot ## @param primary.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation ## @param primary.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot ## @param primary.containerSecurityContext.seccompProfile.type Set Client container's Security Context seccomp profile + ## @param primary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem ## containerSecurityContext: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: false ## MySQL primary container's resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- ## @param primary.resources.limits The resources limits for MySQL primary containers - ## @param primary.resources.requests The requested resources for MySQL primary containers + ## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 250m - ## memory: 256Mi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 250m - ## memory: 256Mi - ## - requests: {} + resourcesPreset: "none" + ## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure extra options for liveness probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes ## @param primary.livenessProbe.enabled Enable livenessProbe @@ -574,7 +580,6 @@ primary: ## @param primary.service.headless.annotations Additional custom annotations for headless MySQL primary service. ## annotations: {} - ## MySQL primary Pod Disruption Budget configuration ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ ## @@ -591,10 +596,8 @@ primary: ## @param primary.podLabels MySQL Primary pod label. If labels are same as commonLabels , this will take precedence ## podLabels: {} - ## @section MySQL Secondary parameters ## - secondary: ## @param secondary.name Name of the secondary database (eg secondary, slave, ...) ## 
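Review bot: `readOnlyRootFilesystem: false` is introduced as the default here at the same time the statefulset hunks add `empty-dir` mounts for `/tmp`, `/opt/bitnami/mysql/conf`, `/opt/bitnami/mysql/tmp` and `/opt/bitnami/mysql/logs`, which is exactly the groundwork a read-only root filesystem needs; keeping the default at `false` leaves that hardening unused and the `@param` line does not say why. If those four paths cover everything the image writes outside the data volume (not verifiable from this diff) the default could be `true`; otherwise a sentence on the `@param` such as `With the chart's empty-dir mounts for /tmp, conf, tmp and logs in place this can normally be set to true` would let operators enable it deliberately. The same applies to the secondary block in `@@ -750,43 +753,46 @@` and, with only `/tmp` mounted there, to the metrics block in `@@ -1179,13 +1190,25 @@`. The `runAsGroup: 0` addition is consistent with the `adaptSecurityContext` option added at the top of the file and needs no change.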
@@ -750,43 +753,46 @@ secondary: ## @param secondary.containerSecurityContext.enabled MySQL secondary container securityContext ## @param secondary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param secondary.containerSecurityContext.runAsUser User ID for the MySQL secondary container + ## @param secondary.containerSecurityContext.runAsGroup Group ID for the MySQL secondary container ## @param secondary.containerSecurityContext.runAsNonRoot Set MySQL secondary container's Security Context runAsNonRoot ## @param secondary.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation ## @param secondary.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot ## @param secondary.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## @param secondary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem ## containerSecurityContext: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: false ## MySQL secondary container's resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- ## @param secondary.resources.limits The resources limits for MySQL secondary containers - ## @param secondary.resources.requests The requested resources for MySQL secondary containers + ## @param secondary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 250m - ## memory: 256Mi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 250m - ## memory: 256Mi - ## - requests: {} + resourcesPreset: "none" + ## @param secondary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure extra options for liveness probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes ## @param secondary.livenessProbe.enabled Enable livenessProbe @@ -991,7 +997,6 @@ secondary: ## @param secondary.service.headless.annotations Additional custom annotations for headless MySQL secondary service. ## annotations: {} - ## MySQL secondary Pod Disruption Budget configuration ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ ## @@ -1008,7 +1013,6 @@ secondary: ## @param secondary.podLabels Additional pod labels for MySQL secondary pods ## podLabels: {} - ## @section RBAC parameters ## 
@@ -1029,7 +1033,6 @@ serviceAccount: ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account ## automountServiceAccountToken: false - ## Role Based Access ## ref: https://kubernetes.io/docs/admin/authorization/rbac/ ## @@ -1049,7 +1052,6 @@ rbac: ## - list ## rules: [] - ## @section Network Policy ## @@ -1107,8 +1109,6 @@ networkPolicy: ## ingressNSMatchLabels: {} ingressNSPodMatchLabels: {} - - ## @section Volume Permissions parameters ## @@ -1129,7 +1129,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r96 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1140,10 +1140,21 @@ volumePermissions: ## - myRegistryKeySecretName ## pullSecrets: [] - ## @param volumePermissions.resources Init container volume-permissions resources + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi ## resources: {} - ## @section Metrics parameters ## @@ -1163,7 +1174,7 @@ metrics: image: registry: docker.io repository: bitnami/mysqld-exporter - tag: 0.15.1-debian-11-r5 + tag: 0.15.1-debian-12-r8 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -1179,13 +1190,25 @@ metrics: ## @param metrics.containerSecurityContext.enabled MySQL metrics container securityContext ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser User ID for the MySQL metrics container + ## @param metrics.containerSecurityContext.runAsGroup Group ID for the MySQL metrics container ## @param metrics.containerSecurityContext.runAsNonRoot Set MySQL metrics container's Security Context runAsNonRoot + ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation + ## @param metrics.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot + ## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem ## containerSecurityContext: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: false ## @param metrics.containerPorts.http Container port for http ## containerPorts: 
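Review bot: The new annotation `## @param metrics.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot` describes the wrong field — it is a copy of the `runAsNonRoot` line above it — and since the README parameter tables appear to be generated from these `@param` lines, the mistake would propagate to user-facing docs. Suggested wording: `## @param metrics.containerSecurityContext.capabilities.drop Set container's Security Context capabilities to be dropped`. The same text already exists as unchanged context on the primary and secondary blocks at `@@ -333,43 +336,46 @@` and `@@ -750,43 +753,46 @@`, so it is worth fixing all three together. The hardened defaults themselves (`allowPrivilegeEscalation: false`, `drop: ["ALL"]`, `RuntimeDefault` seccomp) bring the exporter in line with the database containers and look right.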
@@ -1253,22 +1276,21 @@ metrics: ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param metrics.resources.limits The resources limits for MySQL prometheus exporter containers - ## @param metrics.resources.requests The requested resources for MySQL prometheus exporter containers + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 256Mi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 256Mi - ## - requests: {} + resourcesPreset: "none" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Mysqld Prometheus exporter liveness probe ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## @param metrics.livenessProbe.enabled Enable livenessProbe @@ -1347,7 +1369,6 @@ metrics: ## @param metrics.serviceMonitor.annotations ServiceMonitor annotations ## annotations: {} - ## Prometheus Operator prometheusRule configuration ## prometheusRule: diff --git a/charts/bitnami/postgresql/Chart.lock b/charts/bitnami/postgresql/Chart.lock index 0f3b2c87d..5320fb8e1 100644 --- a/charts/bitnami/postgresql/Chart.lock +++ b/charts/bitnami/postgresql/Chart.lock 
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.15.3
-digest: sha256:d80293db4b59902571fcfcbeabb6b81aebb1c05e8a6d25510053e7c329d73002
-generated: "2024-02-14T15:52:42.25759233+01:00"
+ version: 2.19.0
+digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
+generated: "2024-03-11T20:27:44.112846437Z"
diff --git a/charts/bitnami/postgresql/Chart.yaml b/charts/bitnami/postgresql/Chart.yaml
index f71a19bb0..d5712df8e 100644
--- a/charts/bitnami/postgresql/Chart.yaml
+++ b/charts/bitnami/postgresql/Chart.yaml
@@ -6,11 +6,11 @@ annotations:
 category: Database
 images: |
 - name: os-shell
- image: docker.io/bitnami/os-shell:11-debian-11-r112
+ image: docker.io/bitnami/os-shell:12-debian-12-r16
 - name: postgres-exporter
- image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r26
+ image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
 - name: postgresql
- image: docker.io/bitnami/postgresql:16.2.0-debian-11-r17
+ image: docker.io/bitnami/postgresql:16.2.0-debian-12-r8
 licenses: Apache-2.0
 apiVersion: v2
 appVersion: 16.2.0
@@ -38,4 +38,4 @@ maintainers:
 name: postgresql
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/postgresql
-version: 14.1.3
+version: 14.3.3
diff --git a/charts/bitnami/postgresql/README.md b/charts/bitnami/postgresql/README.md
index 1996c36eb..e05a3dfb7 100644
--- a/charts/bitnami/postgresql/README.md
+++ b/charts/bitnami/postgresql/README.md
@@ -66,20 +66,21 @@ kubectl delete pvc -l release=my-release ### Global parameters -| Name | Description | Value | -| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` | -| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` | -| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` | -| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` | -| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` | -| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | -| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | -| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. 
| `""` | -| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` | +| Name | Description | Value | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` | +| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` | +| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` | +| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` | +| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` | +| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | +| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. 
| `""` | +| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | +| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | ### Common parameters @@ -214,6 +215,7 @@ kubectl delete pvc -l release=my-release | `primary.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | | `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `primary.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `primary.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | | `primary.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `primary.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | | `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | 
@@ -249,7 +251,7 @@ kubectl delete pvc -l release=my-release | `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` | | `primary.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | | `primary.networkPolicy.allowExternal` | Don't require server label for connections | `true` | -| `primary.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `false` | +| `primary.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | | `primary.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | | `primary.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | | `primary.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | @@ -325,6 +327,7 @@ kubectl delete pvc -l release=my-release | `readReplicas.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | | `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `readReplicas.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `readReplicas.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | | `readReplicas.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `readReplicas.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | | `readReplicas.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | 
@@ -360,7 +363,7 @@ kubectl delete pvc -l release=my-release | `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` | | `readReplicas.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | | `readReplicas.networkPolicy.allowExternal` | Don't require server label for connections | `true` | -| `readReplicas.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `false` | +| `readReplicas.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | | `readReplicas.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | | `readReplicas.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | | `readReplicas.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | 
@@ -394,44 +397,47 @@ kubectl delete pvc -l release=my-release ### Backup parameters -| Name | Description | Value | -| ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` | -| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` | -| `backup.cronjob.timeZone` | Set the cronjob parameter timeZone | `""` | -| `backup.cronjob.concurrencyPolicy` | Set the cronjob parameter concurrencyPolicy | `Allow` | -| `backup.cronjob.failedJobsHistoryLimit` | Set the cronjob parameter failedJobsHistoryLimit | `1` | -| `backup.cronjob.successfulJobsHistoryLimit` | Set the cronjob parameter successfulJobsHistoryLimit | `3` | -| `backup.cronjob.startingDeadlineSeconds` | Set the cronjob parameter startingDeadlineSeconds | `""` | -| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` | -| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` | -| `backup.cronjob.podSecurityContext.enabled` | Enable PodSecurityContext for CronJob/Backup | `true` | -| `backup.cronjob.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `backup.cronjob.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `backup.cronjob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `backup.cronjob.podSecurityContext.fsGroup` | Group ID for the CronJob | `1001` | -| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| 
`backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | -| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | -| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | -| `backup.cronjob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `backup.cronjob.command` | Set backup container's command to run | `["/bin/sh","-c","pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"]` | -| `backup.cronjob.labels` | Set the cronjob labels | `{}` | -| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` | -| `backup.cronjob.nodeSelector` | Node labels for PostgreSQL backup CronJob pod assignment | `{}` | -| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | -| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. 
Leaving it empty will delete PVCs after the chart deleted | `""` | -| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` | -| `backup.cronjob.storage.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | -| `backup.cronjob.storage.size` | PVC Storage Request for the backup data volume | `8Gi` | -| `backup.cronjob.storage.annotations` | PVC annotations | `{}` | -| `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/pgdump` | -| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` | -| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` | +| Name | Description | Value | +| ------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` | +| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` | +| `backup.cronjob.timeZone` | Set the cronjob parameter timeZone | `""` | +| `backup.cronjob.concurrencyPolicy` | Set the cronjob parameter concurrencyPolicy | `Allow` | +| `backup.cronjob.failedJobsHistoryLimit` | Set the cronjob parameter failedJobsHistoryLimit | `1` | +| `backup.cronjob.successfulJobsHistoryLimit` | Set the cronjob parameter successfulJobsHistoryLimit | `3` | +| `backup.cronjob.startingDeadlineSeconds` | Set the cronjob parameter startingDeadlineSeconds | `""` | +| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter 
ttlSecondsAfterFinished | `""` | +| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` | +| `backup.cronjob.podSecurityContext.enabled` | Enable PodSecurityContext for CronJob/Backup | `true` | +| `backup.cronjob.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `backup.cronjob.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `backup.cronjob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `backup.cronjob.podSecurityContext.fsGroup` | Group ID for the CronJob | `1001` | +| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | +| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `backup.cronjob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `backup.cronjob.command` | Set backup container's command to run | `["/bin/sh","-c","pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password 
--file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"]` | +| `backup.cronjob.labels` | Set the cronjob labels | `{}` | +| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` | +| `backup.cronjob.nodeSelector` | Node labels for PostgreSQL backup CronJob pod assignment | `{}` | +| `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). | `none` | +| `backup.cronjob.resources` | Set container requests and limits for different resources like CPU or memory | `{}` | +| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | +| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` | +| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` | +| `backup.cronjob.storage.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `backup.cronjob.storage.size` | PVC Storage Request for the backup data volume | `8Gi` | +| `backup.cronjob.storage.annotations` | PVC annotations | `{}` | +| `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/pgdump` | +| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` | +| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` | ### Volume Permissions parameters 
@@ -480,6 +486,7 @@ kubectl delete pvc -l release=my-release | `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | | `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | | `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | | `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | diff --git a/charts/bitnami/postgresql/charts/common/Chart.yaml b/charts/bitnami/postgresql/charts/common/Chart.yaml index 3046b5910..f86ccd23a 100644 --- a/charts/bitnami/postgresql/charts/common/Chart.yaml +++ b/charts/bitnami/postgresql/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.14.1 +appVersion: 2.19.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.15.3 +version: 2.19.0 diff --git a/charts/bitnami/postgresql/charts/common/templates/_compatibility.tpl b/charts/bitnami/postgresql/charts/common/templates/_compatibility.tpl new file mode 100644 index 000000000..17665d567 --- /dev/null +++ b/charts/bitnami/postgresql/charts/common/templates/_compatibility.tpl 
@@ -0,0 +1,39 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+{{- if .context.Values.global.compatibility -}}
+ {{- if .context.Values.global.compatibility.openshift -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .secContext.seLinuxOptions -}}
+ {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/charts/bitnami/postgresql/charts/common/templates/_resources.tpl b/charts/bitnami/postgresql/charts/common/templates/_resources.tpl
index cfd41e571..d90f8752d 100644
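Review bot: The header comment of `common.compatibility.renderSecurityContext` says the dropped user/group values do not work with the `restricted-v1` SCC, while the `global.compatibility.openshift.adaptSecurityContext` description added to values.yaml and the README in this same commit says `restricted-v2`; the two should agree, e.g. `...that do not work out of the box with the restricted-v2 SCC`. Separately, the `or` condition only tests for `force` and `auto`, so any other value of `adaptSecurityContext` (a typo such as `automatic`) silently behaves as `disabled`; a guard before that condition, `{{- if not (has .context.Values.global.compatibility.openshift.adaptSecurityContext (list "auto" "force" "disabled")) -}}{{- fail "global.compatibility.openshift.adaptSecurityContext must be auto, force or disabled" -}}{{- end -}}`, would surface the mistake at render time instead of leaving the security context unadapted. A one-line comment noting that `runAsNonRoot` is intentionally kept after `runAsUser` is removed would also help the next reader, since the pairing looks odd at first glance.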
--- a/charts/bitnami/postgresql/charts/common/templates/_resources.tpl +++ b/charts/bitnami/postgresql/charts/common/templates/_resources.tpl 
@@ -11,35 +11,35 @@ These presets are for basic testing and not meant to be used in production {{ include "common.resources.preset" (dict "type" "nano") -}} */}} {{- define "common.resources.preset" -}} -{{/* The limits are the requests increased by 50% */}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}} {{- $presets := dict "nano" (dict - "requests" (dict "cpu" "100m" "memory" "128Mi") - "limits" (dict "cpu" "150m" "memory" "192Mi") + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi") ) "micro" (dict - "requests" (dict "cpu" "250m" "memory" "256Mi") - "limits" (dict "cpu" "375m" "memory" "384Mi") + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi") ) "small" (dict - "requests" (dict "cpu" "500m" "memory" "512Mi") - "limits" (dict "cpu" "750m" "memory" "768Mi") + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi") ) "medium" (dict - "requests" (dict "cpu" "500m" "memory" "1024Mi") - "limits" (dict "cpu" "750m" "memory" "1536Mi") + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi") ) "large" (dict - "requests" (dict "cpu" "1.0" "memory" "2048Mi") - "limits" (dict "cpu" "1.5" "memory" "3072Mi") + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi") ) "xlarge" (dict - "requests" (dict "cpu" "2.0" "memory" "4096Mi") - "limits" (dict "cpu" "3.0" "memory" "6144Mi") + "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi") ) "2xlarge" (dict - 
"requests" (dict "cpu" "4.0" "memory" "8192Mi") - "limits" (dict "cpu" "6.0" "memory" "12288Mi") + "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi") ) }} {{- if hasKey $presets .type -}} diff --git a/charts/bitnami/postgresql/templates/backup/cronjob.yaml b/charts/bitnami/postgresql/templates/backup/cronjob.yaml index cdf87f743..f48f6c487 100644 --- a/charts/bitnami/postgresql/templates/backup/cronjob.yaml +++ b/charts/bitnami/postgresql/templates/backup/cronjob.yaml @@ -77,7 +77,7 @@ spec: {{- if .Values.tls.autoGenerated }} value: /tmp/certs/ca.crt {{- else }} - value: {{- printf "/tmp/certs/%s" .Values.tls.certCAFilename -}} + value: {{ printf "/tmp/certs/%s" .Values.tls.certCAFilename }} {{- end }} {{- end }} command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }} @@ -89,8 +89,16 @@ spec: - name: datadir mountPath: {{ .Values.backup.cronjob.storage.mountPath }} subPath: {{ .Values.backup.cronjob.storage.subPath }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.backup.cronjob.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.backup.cronjob.containerSecurityContext "enabled" | toYaml | nindent 14 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.backup.cronjob.containerSecurityContext "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.backup.cronjob.resources }} + resources: {{- toYaml .Values.backup.cronjob.resources | nindent 14 }} + {{- else if ne .Values.backup.cronjob.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.backup.cronjob.resourcesPreset) | nindent 14 }} {{- end }} restartPolicy: {{ .Values.backup.cronjob.restartPolicy }} {{- if .Values.backup.cronjob.podSecurityContext.enabled }} 
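Review bot: The updated comment `{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}` no longer describes the rule ephemeral-storage follows, which in every preset from `nano` to `2xlarge` is a flat `50Mi` request and `1024Mi` limit, so the limit does not scale with the preset and is roughly 20x the request. A container that exceeds its ephemeral-storage limit is evicted, so that flat cap is worth stating where chart authors look for it; suggested wording: `{{/* The limits are the requests increased by 50%, except ephemeral-storage, which is a flat 50Mi request / 1024Mi limit in every preset */}}` (this also restores the missing space before `*/}}`). The `common.resources.preset` definition continues past the end of this hunk.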
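Review bot: The new `empty-dir` volume mounted at `/tmp` here is declared as `emptyDir: {}` in the next hunk with no `sizeLimit`, and because `backup.cronjob.resourcesPreset` defaults to `none` and `backup.cronjob.resources` to `{}`, no ephemeral-storage limit applies to the backup container by default, so whatever the dump job writes under `/tmp` is bounded only by the node. Consider either a `sizeLimit` on the emptyDir or a sentence in the `backup.cronjob.resourcesPreset` description saying that the preset's ephemeral-storage limit is what bounds this scratch volume. The same `emptyDir: {}` without `sizeLimit` is added for the primary and read StatefulSets (hunks `@@ -580,6 +599,8 @@` and `@@ -517,6 +536,8 @@`), where it also backs `/opt/bitnami/postgresql/logs`. The enclosing container spec starts outside this hunk.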
@@ -111,4 +119,6 @@ spec: persistentVolumeClaim: claimName: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall {{- end }} + - name: empty-dir + emptyDir: {} {{- end }} diff --git a/charts/bitnami/postgresql/templates/primary/statefulset.yaml b/charts/bitnami/postgresql/templates/primary/statefulset.yaml index 184e32e62..c08191bbd 100644 --- a/charts/bitnami/postgresql/templates/primary/statefulset.yaml +++ b/charts/bitnami/postgresql/templates/primary/statefulset.yaml @@ -80,7 +80,7 @@ spec: terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }} {{- end }} {{- if .Values.primary.podSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.podSecurityContext "context" $) | nindent 8 }} {{- end }} hostNetwork: {{ .Values.primary.hostNetwork }} hostIPC: {{ .Values.primary.hostIPC }} @@ -97,7 +97,7 @@ spec: {{- end }} # We don't require a privileged container in this case {{- if .Values.primary.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }} {{- end }} command: - /bin/sh @@ -106,6 +106,9 @@ spec: cp /tmp/certs/* /opt/bitnami/postgresql/certs/ chmod 600 {{ include "postgresql.v1.tlsCertKey" . }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: raw-certificates mountPath: /tmp/certs - name: postgresql-certificates 
@@ -156,13 +159,14 @@ spec: securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} {{- end }} volumeMounts: - {{- if .Values.primary.persistence.enabled }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: data mountPath: {{ .Values.primary.persistence.mountPath }} {{- if .Values.primary.persistence.subPath }} subPath: {{ .Values.primary.persistence.subPath }} {{- end }} - {{- end }} {{- if .Values.shmVolume.enabled }} - name: dshm mountPath: /dev/shm @@ -183,7 +187,7 @@ spec: image: {{ include "postgresql.v1.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.primary.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -453,6 +457,18 @@ spec: lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/postgresql/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/postgresql/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/postgresql/logs + subPath: app-logs-dir {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }} - name: custom-init-scripts mountPath: /docker-entrypoint-initdb.d/ 
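Review bot: The volume-permissions init container's securityContext, on the context line just above the changed mounts, is still rendered directly from `.Values.volumePermissions.containerSecurityContext` rather than through `common.compatibility.renderSecurityContext`, so with `adaptSecurityContext` set to `auto` or `force` this one container keeps its fixed `runAsUser` while every other container in the file is adapted. That is presumably deliberate (the init container exists to change ownership of the data volume), but nothing says so; a comment such as `# Intentionally not passed through common.compatibility.renderSecurityContext; see volumePermissions.containerSecurityContext` above that `securityContext:` line would stop it being "fixed" later. This hunk also drops the `{{- if .Values.primary.persistence.enabled }}` guard around the `data` mount, which is only safe if the `data` volume is defined whether or not persistence is enabled (the volumes section is outside this hunk). Both points apply equally to `charts/bitnami/postgresql/templates/read/statefulset.yaml` hunk `@@ -154,13 +157,14 @@`.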
@@ -497,7 +513,7 @@ spec: image: {{ include "postgresql.v1.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -561,6 +577,9 @@ spec: {{- end }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.auth.usePasswordFiles }} - name: postgresql-password mountPath: /opt/bitnami/postgresql/secrets/ @@ -580,6 +599,8 @@ spec: {{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} - name: postgresql-config configMap: diff --git a/charts/bitnami/postgresql/templates/read/statefulset.yaml b/charts/bitnami/postgresql/templates/read/statefulset.yaml index 86666d6a6..7cfa06bda 100644 --- a/charts/bitnami/postgresql/templates/read/statefulset.yaml +++ b/charts/bitnami/postgresql/templates/read/statefulset.yaml 
@@ -78,7 +78,7 @@ spec: terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }} {{- end }} {{- if .Values.readReplicas.podSecurityContext.enabled }} - securityContext: {{- omit .Values.readReplicas.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.podSecurityContext "context" $) | nindent 8 }} {{- end }} hostNetwork: {{ .Values.readReplicas.hostNetwork }} hostIPC: {{ .Values.readReplicas.hostIPC }} @@ -95,7 +95,7 @@ spec: {{- end }} # We don't require a privileged container in this case {{- if .Values.readReplicas.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }} {{- end }} command: - /bin/sh @@ -104,6 +104,9 @@ spec: cp /tmp/certs/* /opt/bitnami/postgresql/certs/ chmod 600 {{ include "postgresql.v1.tlsCertKey" . }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: raw-certificates mountPath: /tmp/certs - name: postgresql-certificates @@ -154,13 +157,14 @@ spec: securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} {{- end }} volumeMounts: - {{ if .Values.readReplicas.persistence.enabled }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: data mountPath: {{ .Values.readReplicas.persistence.mountPath }} {{- if .Values.readReplicas.persistence.subPath }} subPath: {{ .Values.readReplicas.persistence.subPath }} {{- end }} - {{- end }} {{- if .Values.shmVolume.enabled }} - name: dshm mountPath: /dev/shm 
@@ -181,7 +185,7 @@ spec: image: {{ include "postgresql.v1.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.readReplicas.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -380,6 +384,18 @@ spec: lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/postgresql/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/postgresql/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/postgresql/logs + subPath: app-logs-dir {{- if .Values.auth.usePasswordFiles }} - name: postgresql-password mountPath: /opt/bitnami/postgresql/secrets/ @@ -412,7 +428,7 @@ spec: image: {{ include "postgresql.v1.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} 
@@ -468,6 +484,9 @@ spec: {{- end }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.auth.usePasswordFiles }} - name: postgresql-password mountPath: /opt/bitnami/postgresql/secrets/ @@ -517,6 +536,8 @@ spec: sizeLimit: {{ .Values.shmVolume.sizeLimit }} {{- end }} {{- end }} + - name: empty-dir + emptyDir: {} {{- if .Values.readReplicas.extraVolumes }} {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }} {{- end }} @@ -534,7 +555,9 @@ spec: whenScaled: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled }} {{- end }} volumeClaimTemplates: - - metadata: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: name: data {{- if .Values.readReplicas.persistence.annotations }} annotations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.annotations "context" $) | nindent 10 }} diff --git a/charts/bitnami/postgresql/values.yaml b/charts/bitnami/postgresql/values.yaml index 2b673dc2e..c97426e5f 100644 --- a/charts/bitnami/postgresql/values.yaml +++ b/charts/bitnami/postgresql/values.yaml @@ -42,6 +42,15 @@ global: service: ports: postgresql: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## @section Common parameters ## 
@@ -96,7 +105,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/postgresql - tag: 16.2.0-debian-11-r17 + tag: 16.2.0-debian-12-r8 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -470,6 +479,7 @@ primary: ## @param primary.containerSecurityContext.enabled Enabled containers' Security Context ## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param primary.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param primary.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param primary.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param primary.containerSecurityContext.privileged Set container's Security Context privileged ## @param primary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem @@ -481,6 +491,7 @@ primary: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false readOnlyRootFilesystem: false @@ -621,7 +632,7 @@ primary: allowExternal: true ## @param primary.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ## - allowExternalEgress: false + allowExternalEgress: true ## @param primary.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice ## e.g: ## extraIngress: 
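Review bot: `runAsGroup: 0` gives the primary container the root group (GID 0) as its primary group while `runAsUser` stays `1001`, and `runAsNonRoot: true` does not catch that, since it validates only the UID. The choice presumably matches how the image lays out group ownership on its filesystem, but a reader scanning the security context will wonder why GID 0 was picked, so a why-comment next to the value is warranted, e.g. `## GID 0 (root group) is intentional; the process still runs as the non-root UID 1001`. The same default is introduced for `readReplicas` (hunk `@@ -916,6 +928,7 @@`) and for the backup cronjob (hunk `@@ -1267,6 +1281,7 @@`).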
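Review bot: Flipping `primary.networkPolicy.allowExternalEgress` from `false` to `true` means the generated NetworkPolicy no longer restricts egress by default, yet the `@param` description above it is unchanged, so users upgrading the chart get the looser default with no signal in values.yaml or the generated README. Extend the description so the docs carry it, e.g. `## @param primary.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. Defaults to true (egress unrestricted); set to false to restrict egress.` The same flip is made for `readReplicas.networkPolicy.allowExternalEgress` (hunk `@@ -1056,7 +1069,7 @@`).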
@@ -905,6 +916,7 @@ readReplicas: ## @param readReplicas.containerSecurityContext.enabled Enabled containers' Security Context ## @param readReplicas.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param readReplicas.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param readReplicas.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param readReplicas.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param readReplicas.containerSecurityContext.privileged Set container's Security Context privileged ## @param readReplicas.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem @@ -916,6 +928,7 @@ readReplicas: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false readOnlyRootFilesystem: false @@ -1056,7 +1069,7 @@ readReplicas: allowExternal: true ## @param readReplicas.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ## - allowExternalEgress: false + allowExternalEgress: true ## @param readReplicas.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice ## e.g: ## extraIngress: 
@@ -1257,6 +1270,7 @@ backup: ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context ## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param backup.cronjob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged ## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem @@ -1267,6 +1281,7 @@ backup: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false readOnlyRootFilesystem: false 
@@ -1288,6 +1303,22 @@ backup: ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/ ## nodeSelector: {} + ## backup cronjob container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param backup.cronjob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param backup.cronjob.resources Set container requests and limits for different resources like CPU or memory + ## Example: + resources: {} + ## resources: + ## requests: + ## cpu: 1 + ## memory: 512Mi + ## limits: + ## cpu: 2 + ## memory: 1024Mi storage: ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) ## If defined, PVC must be created manually before volume will be bound @@ -1348,7 +1379,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r112 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1457,7 +1488,7 @@ metrics: image: registry: docker.io repository: bitnami/postgres-exporter - tag: 0.15.0-debian-11-r26 + tag: 0.15.0-debian-12-r14 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -1501,6 +1532,7 @@ metrics: ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param metrics.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem @@ -1512,6 +1544,7 @@ metrics: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false readOnlyRootFilesystem: false diff --git a/charts/bitnami/redis/Chart.lock b/charts/bitnami/redis/Chart.lock index c95648577..b57246baa 100644 --- a/charts/bitnami/redis/Chart.lock +++ b/charts/bitnami/redis/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.15.3 -digest: sha256:d80293db4b59902571fcfcbeabb6b81aebb1c05e8a6d25510053e7c329d73002 -generated: "2024-02-14T16:01:05.77962376+01:00" + version: 2.19.0 +digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc +generated: "2024-03-08T15:56:40.04210215Z" diff --git a/charts/bitnami/redis/Chart.yaml b/charts/bitnami/redis/Chart.yaml index c386f87c9..a1c438fef 100644 --- a/charts/bitnami/redis/Chart.yaml +++ b/charts/bitnami/redis/Chart.yaml 
@@ -5,14 +5,16 @@ annotations: catalog.cattle.io/release-name: redis category: Database images: | + - name: kubectl + image: docker.io/bitnami/kubectl:1.29.2-debian-12-r3 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r96 - - name: redis-exporter - image: docker.io/bitnami/redis-exporter:1.57.0-debian-11-r2 - - name: redis-sentinel - image: docker.io/bitnami/redis-sentinel:7.2.4-debian-11-r6 + image: docker.io/bitnami/os-shell:12-debian-12-r16 - name: redis - image: docker.io/bitnami/redis:7.2.4-debian-11-r5 + image: docker.io/bitnami/redis:7.2.4-debian-12-r9 + - name: redis-exporter + image: docker.io/bitnami/redis-exporter:1.58.0-debian-12-r4 + - name: redis-sentinel + image: docker.io/bitnami/redis-sentinel:7.2.4-debian-12-r7 licenses: Apache-2.0 apiVersion: v2 appVersion: 7.2.4 @@ -37,4 +39,4 @@ maintainers: name: redis sources: - https://github.com/bitnami/charts/tree/main/bitnami/redis -version: 18.14.0 +version: 18.19.2 diff --git a/charts/bitnami/redis/README.md b/charts/bitnami/redis/README.md index 85dbf6dd1..8cac98b7e 100644 --- a/charts/bitnami/redis/README.md +++ b/charts/bitnami/redis/README.md 
@@ -71,12 +71,13 @@ The command removes all the Kubernetes components associated with the chart and ### Global parameters -| Name | Description | Value | -| ------------------------- | ------------------------------------------------------ | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.redis.password` | Global Redis® password (overrides `auth.password`) | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.redis.password` | Global Redis® password (overrides `auth.password`) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | ### Common parameters 
@@ -120,6 +121,7 @@ The command removes all the Kubernetes components associated with the chart and | `auth.existingSecret` | The name of an existing secret with Redis® credentials | `""` | | `auth.existingSecretPasswordKey` | Password key to be retrieved from existing secret | `""` | | `auth.usePasswordFiles` | Mount credentials as files instead of using an environment variable | `false` | +| `auth.usePasswordFileFromSecret` | Mount password file from secret | `true` | | `commonConfiguration` | Common configuration to be added into the ConfigMap | `""` | | `existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Redis® nodes | `""` | @@ -173,6 +175,7 @@ The command removes all the Kubernetes components associated with the chart and | `master.containerSecurityContext.runAsGroup` | Set Redis® master containers' Security Context runAsGroup | `0` | | `master.containerSecurityContext.runAsNonRoot` | Set Redis® master containers' Security Context runAsNonRoot | `true` | | `master.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate Redis® pod(s) privileges | `false` | +| `master.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` | | `master.containerSecurityContext.seccompProfile.type` | Set Redis® master containers' Security Context seccompProfile | `RuntimeDefault` | | `master.containerSecurityContext.capabilities.drop` | Set Redis® master containers' Security Context capabilities to drop | `["ALL"]` | | `master.kind` | Use either Deployment, StatefulSet (default) or DaemonSet | `StatefulSet` | 
@@ -292,6 +295,7 @@ The command removes all the Kubernetes components associated with the chart and | `replica.containerSecurityContext.runAsGroup` | Set Redis® replicas containers' Security Context runAsGroup | `0` | | `replica.containerSecurityContext.runAsNonRoot` | Set Redis® replicas containers' Security Context runAsNonRoot | `true` | | `replica.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® replicas pod's Security Context allowPrivilegeEscalation | `false` | +| `replica.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` | | `replica.containerSecurityContext.seccompProfile.type` | Set Redis® replicas containers' Security Context seccompProfile | `RuntimeDefault` | | `replica.containerSecurityContext.capabilities.drop` | Set Redis® replicas containers' Security Context capabilities to drop | `["ALL"]` | | `replica.schedulerName` | Alternate scheduler for Redis® replicas pods | `""` | 
@@ -434,6 +438,7 @@ The command removes all the Kubernetes components associated with the chart and | `sentinel.containerSecurityContext.runAsUser` | Set Redis® Sentinel containers' Security Context runAsUser | `1001` | | `sentinel.containerSecurityContext.runAsGroup` | Set Redis® Sentinel containers' Security Context runAsGroup | `0` | | `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis® Sentinel containers' Security Context runAsNonRoot | `true` | +| `sentinel.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` | | `sentinel.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® Sentinel containers' Security Context allowPrivilegeEscalation | `false` | | `sentinel.containerSecurityContext.seccompProfile.type` | Set Redis® Sentinel containers' Security Context seccompProfile | `RuntimeDefault` | | `sentinel.containerSecurityContext.capabilities.drop` | Set Redis® Sentinel containers' Security Context capabilities to drop | `["ALL"]` | @@ -448,6 +453,7 @@ The command removes all the Kubernetes components associated with the chart and | `sentinel.service.externalTrafficPolicy` | Redis® Sentinel service external traffic policy | `Cluster` | | `sentinel.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | | `sentinel.service.clusterIP` | Redis® Sentinel service Cluster IP | `""` | +| `sentinel.service.createMaster` | Enable master service pointing to the current master (experimental) | `false` | | `sentinel.service.loadBalancerIP` | Redis® Sentinel service Load Balancer IP | `""` | | `sentinel.service.loadBalancerClass` | sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | | `sentinel.service.loadBalancerSourceRanges` | Redis® Sentinel service Load Balancer sources | `[]` | 
@@ -535,6 +541,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.containerSecurityContext.runAsGroup` | Set Redis® exporter containers' Security Context runAsGroup | `0` | | `metrics.containerSecurityContext.runAsNonRoot` | Set Redis® exporter containers' Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® exporter containers' Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` | | `metrics.containerSecurityContext.seccompProfile.type` | Set Redis® exporter containers' Security Context seccompProfile | `RuntimeDefault` | | `metrics.containerSecurityContext.capabilities.drop` | Set Redis® exporter containers' Security Context capabilities to drop | `["ALL"]` | | `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® metrics sidecar | `[]` | 
@@ -586,28 +593,36 @@ The command removes all the Kubernetes components associated with the chart and ### Init Container Parameters -| Name | Description | Value | -| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | -| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | -| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). 
| `none` | -| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | -| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` | -| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | -| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | -| `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | -| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | -| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` | -| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` | -| `sysctl.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production). 
| `none` | -| `sysctl.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| Name | Description | Value | +| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). 
| `none` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | +| `kubectl.image.registry` | Kubectl image registry | `REGISTRY_NAME` | +| `kubectl.image.repository` | Kubectl image repository | `REPOSITORY_NAME/kubectl` | +| `kubectl.image.digest` | Kubectl image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `kubectl.image.pullPolicy` | Kubectl image pull policy | `IfNotPresent` | +| `kubectl.image.pullSecrets` | Kubectl pull secrets | `[]` | +| `kubectl.command` | kubectl command to execute | `["/opt/bitnami/scripts/kubectl-scripts/update-master-label.sh"]` | +| `kubectl.resources.limits` | The resources limits for the kubectl containers | `{}` | +| `kubectl.resources.requests` | The requested resources for the kubectl containers | `{}` | +| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` | +| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` | +| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` | +| `sysctl.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production). | `none` | +| `sysctl.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | ### useExternalDNS Parameters diff --git a/charts/bitnami/redis/charts/common/Chart.yaml b/charts/bitnami/redis/charts/common/Chart.yaml index 3046b5910..f86ccd23a 100644 --- a/charts/bitnami/redis/charts/common/Chart.yaml +++ b/charts/bitnami/redis/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.14.1 +appVersion: 2.19.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.15.3 +version: 2.19.0 diff --git a/charts/bitnami/redis/charts/common/templates/_compatibility.tpl b/charts/bitnami/redis/charts/common/templates/_compatibility.tpl new file mode 100644 index 000000000..17665d567 --- /dev/null +++ b/charts/bitnami/redis/charts/common/templates/_compatibility.tpl 
@@ -0,0 +1,39 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+{{- if .context.Values.global.compatibility -}}
+ {{- if .context.Values.global.compatibility.openshift -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .secContext.seLinuxOptions -}}
+ {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/charts/bitnami/redis/charts/common/templates/_resources.tpl b/charts/bitnami/redis/charts/common/templates/_resources.tpl
index cfd41e571..d90f8752d 100644
--- a/charts/bitnami/redis/charts/common/templates/_resources.tpl
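Review bot: The header comment on `common.compatibility.renderSecurityContext` says the user/group values are removed for the `restricted-v1` SCC, while the `global.compatibility.openshift.adaptSecurityContext` description in the postgresql values hunk above and the redis README row both say `restricted-v2`; one of the two should be corrected so readers know which SCC the omitted fields were checked against. The comment would also benefit from stating what is and is not touched, e.g. `{{/* Only fsGroup, runAsUser and runAsGroup (plus an empty seLinuxOptions) are dropped; runAsNonRoot, privileged, readOnlyRootFilesystem and capabilities are rendered as given */}}`, since a reader otherwise has to trace the `omit` calls to see that the non-root guarantee survives the adaptation. `common.compatibility.isOpenshift` depends on `.Capabilities.APIVersions.Has`, which as far as I know is only populated from a live cluster, so `auto` presumably evaluates as not-Openshift under `helm template`; a sentence in the usage comment would save operators from debugging that.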
+++ b/charts/bitnami/redis/charts/common/templates/_resources.tpl 
@@ -11,35 +11,35 @@ These presets are for basic testing and not meant to be used in production {{ include "common.resources.preset" (dict "type" "nano") -}} */}} {{- define "common.resources.preset" -}} -{{/* The limits are the requests increased by 50% */}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}} {{- $presets := dict "nano" (dict - "requests" (dict "cpu" "100m" "memory" "128Mi") - "limits" (dict "cpu" "150m" "memory" "192Mi") + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi") ) "micro" (dict - "requests" (dict "cpu" "250m" "memory" "256Mi") - "limits" (dict "cpu" "375m" "memory" "384Mi") + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi") ) "small" (dict - "requests" (dict "cpu" "500m" "memory" "512Mi") - "limits" (dict "cpu" "750m" "memory" "768Mi") + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi") ) "medium" (dict - "requests" (dict "cpu" "500m" "memory" "1024Mi") - "limits" (dict "cpu" "750m" "memory" "1536Mi") + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi") ) "large" (dict - "requests" (dict "cpu" "1.0" "memory" "2048Mi") - "limits" (dict "cpu" "1.5" "memory" "3072Mi") + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi") ) "xlarge" (dict - "requests" (dict "cpu" "2.0" "memory" "4096Mi") - "limits" (dict "cpu" "3.0" "memory" "6144Mi") + "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi") ) "2xlarge" (dict - 
"requests" (dict "cpu" "4.0" "memory" "8192Mi") - "limits" (dict "cpu" "6.0" "memory" "12288Mi") + "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi") ) }} {{- if hasKey $presets .type -}} diff --git a/charts/bitnami/redis/templates/NOTES.txt b/charts/bitnami/redis/templates/NOTES.txt index 69b65e090..a5c679c92 100644 --- a/charts/bitnami/redis/templates/NOTES.txt +++ b/charts/bitnami/redis/templates/NOTES.txt @@ -53,6 +53,22 @@ For Redis Sentinel: {{- end }} {{- end }} +{{- if and .Values.auth.usePasswordFiles (not .Values.auth.usePasswordFileFromSecret) (or (empty .Values.master.initContainers) (empty .Values.replica.initContainers)) }} + +------------------------------------------------------------------------------- + WARNING + + By specifying ".Values.auth.usePasswordFiles=true" and ".Values.auth.usePasswordFileFromSecret=false" + Redis is expecting that the password is mounted as a file in each pod + (by default in /opt/bitnami/redis/secrets/redis-password) + + Ensure that you specify the respective initContainers in + both .Values.master.initContainers and .Values.replica.initContainers + in order to populate the contents of this file. + +------------------------------------------------------------------------------- +{{- end }} + {{- if eq .Values.architecture "replication" }} {{- if .Values.sentinel.enabled }} diff --git a/charts/bitnami/redis/templates/_helpers.tpl b/charts/bitnami/redis/templates/_helpers.tpl index 9eb017f19..6857ec3f0 100644 --- a/charts/bitnami/redis/templates/_helpers.tpl +++ b/charts/bitnami/redis/templates/_helpers.tpl 
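Review bot: The new `ephemeral-storage` entries in `common.resources.preset` use the same 50Mi request and 1024Mi limit for every preset from nano to 2xlarge, and the updated header comment only says `(except ephemeral-storage)` without stating what rule applies instead. Exceeding an ephemeral-storage limit gets the pod evicted, and the emptyDir volumes that other hunks in this commit mount at `/tmp` and the config directory count toward it as far as I recall, so the constants deserve a line of rationale, e.g. `{{/* ephemeral-storage is not scaled with the preset: every size requests 50Mi and is capped at 1024Mi; emptyDir and log usage count toward the cap */}}`.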
@@ -33,6 +33,13 @@ Return the proper image name (for the init container volume-permissions image) {{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} {{- end -}} +{{/* +Return kubectl image +*/}} +{{- define "redis.kubectl.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.kubectl.image "global" .Values.global) }} +{{- end -}} + {{/* Return sysctl image */}} @@ -261,6 +268,7 @@ Compile all warnings into a single message, and call fail. {{- $messages := append $messages (include "redis.validateValues.architecture" .) -}} {{- $messages := append $messages (include "redis.validateValues.podSecurityPolicy.create" .) -}} {{- $messages := append $messages (include "redis.validateValues.tls" .) -}} +{{- $messages := append $messages (include "redis.validateValues.createMaster" .) -}} {{- $messages := without $messages "" -}} {{- $message := join "\n" $messages -}} @@ -312,6 +320,16 @@ redis: tls.enabled {{- end -}} {{- end -}} +{{/* Validate values of Redis® - master service enabled */}} +{{- define "redis.validateValues.createMaster" -}} +{{- if and .Values.sentinel.service.createMaster (or (not .Values.rbac.create) (not .Values.replica.automountServiceAccountToken) (not .Values.serviceAccount.create)) }} +redis: sentinel.service.createMaster + In order to redirect requests only to the master pod via the service, you also need to + create rbac and serviceAccount. In addition, you need to enable + replica.automountServiceAccountToken. +{{- end -}} +{{- end -}} + {{/* Define the suffix utilized for external-dns */}} {{- define "redis.externalDNS.suffix" -}} {{ printf "%s.%s" (include "common.names.fullname" .) .Values.useExternalDNS.suffix }} diff --git a/charts/bitnami/redis/templates/configmap.yaml b/charts/bitnami/redis/templates/configmap.yaml index 6c370a2aa..a8c60a6df 100644 --- a/charts/bitnami/redis/templates/configmap.yaml +++ b/charts/bitnami/redis/templates/configmap.yaml 
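Review bot: `redis.validateValues.createMaster` refuses to render unless `rbac.create`, `serviceAccount.create` and `replica.automountServiceAccountToken` are all on, but its message does not say what the operator is agreeing to: with the token automounted, every container in the replica pods (unless individually opted out) can call the Kubernetes API with whatever Role the chart binds, and the RBAC rules themselves are not in this chunk. Appending a line to the message such as `Note: this mounts the service-account token into the replica pods, so all of their containers can reach the Kubernetes API with the chart's Role.` makes the trade-off explicit at the point where it is enforced. The README row for `sentinel.service.createMaster` added in this commit would be the other natural place for that sentence.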
@@ -52,6 +52,9 @@ data: sentinel down-after-milliseconds {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.downAfterMilliseconds }} sentinel failover-timeout {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.failoverTimeout }} sentinel parallel-syncs {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.parallelSyncs }} + {{- if .Values.sentinel.service.createMaster}} + sentinel client-reconfig-script {{ .Values.sentinel.masterSet }} /opt/bitnami/scripts/start-scripts/push-master-label.sh + {{- end }} # User-supplied sentinel configuration: {{- if .Values.sentinel.configuration }} {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.configuration "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/redis/templates/headless-svc.yaml b/charts/bitnami/redis/templates/headless-svc.yaml index e69329f82..ea914a8dd 100644 --- a/charts/bitnami/redis/templates/headless-svc.yaml +++ b/charts/bitnami/redis/templates/headless-svc.yaml @@ -9,12 +9,14 @@ metadata: name: {{ printf "%s-headless" (include "common.names.fullname" .) }} namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.sentinel.service.headless.annotations .Values.commonAnnotations (include "redis.externalDNS.annotations" .) }} annotations: {{- if or .Values.sentinel.service.headless.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.sentinel.service.headless.annotations .Values.commonAnnotations ) "context" . ) }} {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} {{- end }} {{- include "redis.externalDNS.annotations" . | nindent 4 }} + {{- end }} spec: type: ClusterIP clusterIP: None 
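Review bot: The added `{{- if .Values.sentinel.service.createMaster}}` in the configmap hunk is missing the space before the closing delimiter that every other action in this file has; it renders, but for consistency it should read `{{- if .Values.sentinel.service.createMaster }}`. The `client-reconfig-script` path is hard-coded while the README exposes `kubectl.command` for the label script; if the hard-coding is intentional because the script ships with the chart, a template comment above the line saying so would stop readers from looking for a value to override.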
diff --git a/charts/bitnami/redis/templates/master/application.yaml b/charts/bitnami/redis/templates/master/application.yaml index 9e7636967..108ddea73 100644 --- a/charts/bitnami/redis/templates/master/application.yaml +++ b/charts/bitnami/redis/templates/master/application.yaml @@ -62,7 +62,7 @@ spec: hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.master.hostAliases "context" $) | nindent 8 }} {{- end }} {{- if .Values.master.podSecurityContext.enabled }} - securityContext: {{- omit .Values.master.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.master.podSecurityContext "context" $) | nindent 8 }} {{- end }} serviceAccountName: {{ template "redis.masterServiceAccountName" . }} automountServiceAccountToken: {{ .Values.master.automountServiceAccountToken }} @@ -108,7 +108,7 @@ spec: lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.master.lifecycleHooks "context" $) | nindent 12 }} {{- end }} {{- if .Values.master.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.master.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.master.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -247,10 +247,12 @@ spec: {{- end }} - name: config mountPath: /opt/bitnami/redis/mounted-etc - - name: redis-tmp-conf + - name: empty-dir mountPath: /opt/bitnami/redis/etc/ - - name: tmp + subPath: app-conf-dir + - name: empty-dir mountPath: /tmp + subPath: tmp-dir {{- if .Values.tls.enabled }} - name: redis-certificates mountPath: /opt/bitnami/redis/certs 
@@ -264,7 +266,7 @@ spec: image: {{ include "redis.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -347,6 +349,9 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: app-tmp-dir {{- if .Values.auth.usePasswordFiles }} - name: redis-password mountPath: /secrets/ @@ -393,6 +398,9 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: redis-data mountPath: {{ .Values.master.persistence.path }} {{- if .Values.master.persistence.subPath }} @@ -418,6 +426,9 @@ spec: {{- end }} {{- if .Values.sysctl.mountHostSys }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: host-sys mountPath: /host-sys {{- end }} @@ -434,11 +445,15 @@ spec: defaultMode: 0755 {{- if .Values.auth.usePasswordFiles }} - name: redis-password + {{ if .Values.auth.usePasswordFileFromSecret }} secret: secretName: {{ template "redis.secretName" . }} items: - key: {{ template "redis.secretPasswordKey" . }} path: redis-password + {{- else }} + emptyDir: {} + {{- end }} {{- end }} - name: config configMap: 
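Review bot: In the `redis-password` volume, `{{ if .Values.auth.usePasswordFileFromSecret }}` is the only action in the hunk without the left-trim `-`, so a whitespace-only line is emitted before `secret:`; YAML tolerates it, but the adjacent `{{- else }}`/`{{- end }}` show the intended form, `{{- if .Values.auth.usePasswordFileFromSecret }}`. The same line is added to replicas/application.yaml and sentinel/statefulset.yaml. With `usePasswordFileFromSecret: false` the volume becomes a bare `emptyDir`, so whatever writes `/secrets/redis-password` is outside this diff and, if nothing does, Redis may come up with an empty password file; a comment on the `{{- else }}` branch naming the expected producer (`# populated by a user-supplied init container or sidecar`) would make that contract explicit.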
@@ -448,19 +463,7 @@ spec: hostPath: path: /sys {{- end }} - - name: redis-tmp-conf - {{- if or .Values.master.persistence.medium .Values.master.persistence.sizeLimit }} - emptyDir: - {{- if .Values.master.persistence.medium }} - medium: {{ .Values.master.persistence.medium | quote }} - {{- end }} - {{- if .Values.master.persistence.sizeLimit }} - sizeLimit: {{ .Values.master.persistence.sizeLimit | quote }} - {{- end }} - {{- else }} - emptyDir: {} - {{- end }} - - name: tmp + - name: empty-dir {{- if or .Values.master.persistence.medium .Values.master.persistence.sizeLimit }} emptyDir: {{- if .Values.master.persistence.medium }} diff --git a/charts/bitnami/redis/templates/replicas/application.yaml b/charts/bitnami/redis/templates/replicas/application.yaml index ba02686c5..96a351796 100644 --- a/charts/bitnami/redis/templates/replicas/application.yaml +++ b/charts/bitnami/redis/templates/replicas/application.yaml @@ -60,7 +60,7 @@ spec: hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.replica.hostAliases "context" $) | nindent 8 }} {{- end }} {{- if .Values.replica.podSecurityContext.enabled }} - securityContext: {{- omit .Values.replica.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.replica.podSecurityContext "context" $) | nindent 8 }} {{- end }} serviceAccountName: {{ template "redis.replicaServiceAccountName" . }} automountServiceAccountToken: {{ .Values.replica.automountServiceAccountToken }} 
@@ -108,7 +108,7 @@ spec: {{- end }} {{- end }} {{- if .Values.replica.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.replica.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.replica.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -267,8 +267,12 @@ spec: {{- end }} - name: config mountPath: /opt/bitnami/redis/mounted-etc - - name: redis-tmp-conf + - name: empty-dir mountPath: /opt/bitnami/redis/etc + subPath: app-conf-dir + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.tls.enabled }} - name: redis-certificates mountPath: /opt/bitnami/redis/certs @@ -282,7 +286,7 @@ spec: image: {{ include "redis.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -365,6 +369,9 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.auth.usePasswordFiles }} - name: redis-password mountPath: /secrets/ 
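Review bot: The exporter container's `/tmp` mount uses `subPath: tmp-dir`, the same subPath the Redis container uses for its `/tmp` in the hunk at line 267, so the two containers now share one scratch directory; in master/application.yaml the exporter gets its own `subPath: app-tmp-dir`. Sharing scratch space across containers undoes some of the isolation the `readOnlyRootFilesystem` work is building toward and is inconsistent between the master and replica templates. The sentinel statefulset's metrics container has the same sharing. Use `subPath: app-tmp-dir` here to match the master template.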
@@ -411,6 +418,9 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: redis-data mountPath: {{ .Values.replica.persistence.path }} {{- if .Values.replica.persistence.subPath }} @@ -436,6 +446,9 @@ spec: {{- end }} {{- if .Values.sysctl.mountHostSys }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: host-sys mountPath: /host-sys {{- end }} @@ -452,11 +465,15 @@ spec: defaultMode: 0755 {{- if .Values.auth.usePasswordFiles }} - name: redis-password + {{ if .Values.auth.usePasswordFileFromSecret }} secret: secretName: {{ template "redis.secretName" . }} items: - key: {{ template "redis.secretPasswordKey" . }} path: redis-password + {{- else }} + emptyDir: {} + {{- end }} {{- end }} - name: config configMap: @@ -466,7 +483,7 @@ spec: hostPath: path: /sys {{- end }} - - name: redis-tmp-conf + - name: empty-dir {{- if or .Values.replica.persistence.medium .Values.replica.persistence.sizeLimit }} emptyDir: {{- if .Values.replica.persistence.medium }} diff --git a/charts/bitnami/redis/templates/role.yaml b/charts/bitnami/redis/templates/role.yaml index 5bab3b7cc..710ac48d4 100644 --- a/charts/bitnami/redis/templates/role.yaml +++ b/charts/bitnami/redis/templates/role.yaml @@ -23,6 +23,11 @@ rules: - 'use' resourceNames: [{{ printf "%s-master" (include "common.names.fullname" .) }}] {{- end }} + {{- if and .Values.sentinel.enabled .Values.sentinel.service.createMaster}} + - apiGroups: [""] + resources: ["pods"] + verbs: ["list", "patch"] + {{- end -}} {{- if .Values.rbac.rules }} {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }} {{- end }} diff --git a/charts/bitnami/redis/templates/scripts-configmap.yaml b/charts/bitnami/redis/templates/scripts-configmap.yaml index f785faf34..082de6821 100644 
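Review bot: The new Role rule grants `list` and `patch` on every pod in the namespace, and it is bound to the pod ServiceAccount that the Redis and Sentinel containers also run under (the kubectl sidecar in sentinel/statefulset.yaml declares no ServiceAccount of its own), so provided the token is mounted, any container in the sentinel pod can relabel arbitrary pods in the namespace and thereby change what other Services select. `patch` cannot be narrowed with `resourceNames` because the pod names are dynamic, so the mitigation is scope and documentation: consider a dedicated ServiceAccount for the sidecar so the Redis/Sentinel processes do not carry the credential, and state the grant next to `sentinel.service.createMaster` in values.yaml. `{{- end -}}` also right-trims, unlike the `{{- end }}` just above it; the following `{{- if .Values.rbac.rules }}` already left-trims, so `{{- end }}` is enough and consistent.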
--- a/charts/bitnami/redis/templates/scripts-configmap.yaml +++ b/charts/bitnami/redis/templates/scripts-configmap.yaml @@ -366,6 +366,13 @@ data: REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]} fi + {{- if .Values.sentinel.service.createMaster }} + if [[ "${REDIS_REPLICATION_MODE}" == "master" ]]; then + # Add isMaster label to master node for master service + echo "${REDIS_MASTER_HOST/.*}" > /etc/shared/current + fi + {{- end }} + if [[ -n "$REDIS_EXTERNAL_MASTER_HOST" ]]; then REDIS_MASTER_HOST="$REDIS_EXTERNAL_MASTER_HOST" REDIS_MASTER_PORT_NUMBER="${REDIS_EXTERNAL_MASTER_PORT}" @@ -481,7 +488,7 @@ data: run_sentinel_command() { if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then - redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_PORT" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@" + redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_TLS_PORT_NUMBER" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@" else redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_PORT" sentinel "$@" fi @@ -561,7 +568,7 @@ data: run_sentinel_command() { if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then - {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_PORT" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@" + {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_TLS_PORT_NUMBER" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@" else {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_PORT" sentinel "$@" fi 
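Review bot: `echo "${REDIS_MASTER_HOST/.*}" > /etc/shared/current` assumes `/etc/shared` is mounted in the container that runs this start script, but in sentinel/statefulset.yaml the `kubectl-shared` volume is mounted only in the sentinel container's volumeMounts (hunk at line 455), not in the Redis node container's (hunk at line 295). If this is the node start script, as the `REDIS_REPLICATION_MODE` test suggests, the redirect fails with "No such file or directory" and, should the script run under `set -e`, aborts startup; please confirm which container executes it. The comment `# Add isMaster label to master node for master service` also overstates what the line does — `# Record the initial master's pod name for the kubectl sidecar, which applies the isMaster label` matches the code. The enclosing function starts outside the hunk.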
@@ -596,6 +603,14 @@ data: exit 0 fi + {{- if .Values.sentinel.service.createMaster}} + push-master-label.sh: | + #!/bin/bash + # https://download.redis.io/redis-stable/sentinel.conf + + echo "${6/.*}" > /etc/shared/current + echo "${4/.*}" > /etc/shared/previous + {{- end }} {{- else }} start-master.sh: | #!/bin/bash @@ -755,3 +770,29 @@ data: {{- end }} {{- end }} {{- end }} +--- +{{- if .Values.sentinel.service.createMaster}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-kubectl-scripts" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + update-master-label.sh: | + #!/bin/bash + while true; do + while [ ! -f "/etc/shared/current" ]; do + sleep 1 + done + echo "new master elected, updating label(s)..." + kubectl label pod --field-selector metadata.name="$(< "/etc/shared/current")" isMaster="true" --overwrite + if [ -f /etc/shared/previous ]; then + kubectl label pod --field-selector metadata.name="$(< "/etc/shared/previous")" isMaster="false" --overwrite + fi + rm "/etc/shared/current" "/etc/shared/previous" + done +{{- end }} diff --git a/charts/bitnami/redis/templates/secret.yaml b/charts/bitnami/redis/templates/secret.yaml index 003a2768c..2b8b0bb8c 100644 --- a/charts/bitnami/redis/templates/secret.yaml +++ b/charts/bitnami/redis/templates/secret.yaml @@ -3,7 +3,7 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if and .Values.auth.enabled (not .Values.auth.existingSecret) -}} +{{- if and .Values.auth.enabled (not .Values.auth.existingSecret) (or .Values.auth.usePasswordFileFromSecret (not .Values.auth.usePasswordFiles)) -}} apiVersion: v1 kind: Secret metadata: 
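Review bot: `push-master-label.sh` writes `current` before `previous`, while `update-master-label.sh` (hunk at line 755) only waits for `current`, so the sidecar can consume `current` and find `previous` missing even though a previous master exists; write `previous` first, or write both to temporary names and `mv` `current` into place last. The script also ignores `$2`, so it runs on every sentinel, leader and observers alike, and each pod's sidecar issues the same `kubectl label` calls — idempotent with `--overwrite`, but worth a comment. The lone URL comment should state the argument contract the indexes rely on: `# args: <master-name> <role> <state> <from-ip> <from-port> <to-ip> <to-port>`; `${6/.*}` only yields a pod name when Sentinel reports hostnames rather than IPs, which the chart presumably configures elsewhere — confirm.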
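Review bot: `rm "/etc/shared/current" "/etc/shared/previous"` errors when `previous` is absent, which is the normal case after the start-script path in the hunk at line 366 writes only `current`; use `rm -f`. Neither `kubectl label` result is checked, so when the Role is missing (`rbac.create` is required by the values note) the files are deleted anyway and the loop spins silently until the next failover with no pod carrying `isMaster="true"`. Demoting the previous master before promoting the new one also avoids a window in which two pods match the master Service selector. A sketch of the loop body:
```bash
      # … unchanged: wait until /etc/shared/current exists …
      echo "new master elected, updating label(s)..."
      if [ -f /etc/shared/previous ]; then
        kubectl label pod --field-selector metadata.name="$(< "/etc/shared/previous")" isMaster="false" --overwrite
      fi
      if kubectl label pod --field-selector metadata.name="$(< "/etc/shared/current")" isMaster="true" --overwrite; then
        rm -f "/etc/shared/current" "/etc/shared/previous"
      else
        echo "failed to label new master, retrying..." >&2
        sleep 1
      fi
```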
diff --git a/charts/bitnami/redis/templates/sentinel/service.yaml b/charts/bitnami/redis/templates/sentinel/service.yaml index f80e6442a..3211c3109 100644 --- a/charts/bitnami/redis/templates/sentinel/service.yaml +++ b/charts/bitnami/redis/templates/sentinel/service.yaml 
@@ -100,5 +100,62 @@ spec: {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.replica.podLabels .Values.commonLabels ) "context" . ) }} selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: node + +{{- if and .Values.sentinel.enabled .Values.sentinel.service.createMaster}} +--- +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "common.names.fullname" . }}-master" + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: node + {{- if or .Values.sentinel.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.sentinel.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.sentinel.service.type }} + {{- if or (eq .Values.sentinel.service.type "LoadBalancer") (eq .Values.sentinel.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.sentinel.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.sentinel.service.type "LoadBalancer") (not (empty .Values.sentinel.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.sentinel.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.sentinel.service.type "LoadBalancer") .Values.sentinel.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.sentinel.service.loadBalancerClass }} + {{- end }} + {{- if and (eq .Values.sentinel.service.type "LoadBalancer") (not (empty .Values.sentinel.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ toYaml .Values.sentinel.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if and 
.Values.sentinel.service.clusterIP (eq .Values.sentinel.service.type "ClusterIP") }} + clusterIP: {{ .Values.sentinel.service.clusterIP }} + {{- end }} + {{- if .Values.sentinel.service.sessionAffinity }} + sessionAffinity: {{ .Values.sentinel.service.sessionAffinity }} + {{- end }} + {{- if .Values.sentinel.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: tcp-redis + {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.redis }} + port: {{ .Values.sentinel.service.nodePorts.redis }} + {{- else if eq .Values.sentinel.service.type "NodePort" }} + port: {{ $redisport }} + {{- else}} + port: {{ .Values.sentinel.service.ports.redis }} + {{- end }} + targetPort: {{ .Values.replica.containerPorts.redis }} + {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.redis }} + nodePort: {{ .Values.sentinel.service.nodePorts.redis }} + {{- else if eq .Values.sentinel.service.type "ClusterIP" }} + nodePort: null + {{- else if eq .Values.sentinel.service.type "NodePort" }} + nodePort: {{ $redisport }} + {{- end }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + isMaster: "true" +{{- end }} {{- end }} {{- end }} diff --git a/charts/bitnami/redis/templates/sentinel/statefulset.yaml b/charts/bitnami/redis/templates/sentinel/statefulset.yaml index 2806898a9..dfb1352bf 100644 --- a/charts/bitnami/redis/templates/sentinel/statefulset.yaml +++ b/charts/bitnami/redis/templates/sentinel/statefulset.yaml 
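Review bot: The new master Service reuses `sentinel.service.type`, `loadBalancerIP`, `loadBalancerSourceRanges` and `nodePorts.redis`, so a user who exposes the Sentinel Service as LoadBalancer or NodePort also exposes the current master outside the cluster with the same source ranges; and if the existing Sentinel Service defined above the hunk already requests `nodePorts.redis`, the same nodePort is now claimed by two Services, which the API server rejects. Give the master Service its own exposure values or document that it inherits the Sentinel Service settings. The selector `isMaster: "true"` matches nothing until the kubectl sidecar labels a pod and keeps stale endpoints if that sidecar fails, so `# endpoints are maintained by the kubectl sidecar via the isMaster label` belongs above the selector. `$redisport` and `$podLabels` are defined before the hunk.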
@@ -59,7 +59,7 @@ spec: hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.replica.hostAliases "context" $) | nindent 8 }} {{- end }} {{- if .Values.replica.podSecurityContext.enabled }} - securityContext: {{- omit .Values.replica.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.replica.podSecurityContext "context" $) | nindent 8 }} {{- end }} serviceAccountName: {{ template "redis.serviceAccountName" . }} {{- if .Values.replica.priorityClassName }} @@ -114,7 +114,7 @@ spec: {{- end }} {{- end }} {{- if .Values.replica.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.replica.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.replica.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -295,10 +295,12 @@ spec: {{- end }} - name: config mountPath: /opt/bitnami/redis/mounted-etc - - name: redis-tmp-conf + - name: empty-dir mountPath: /opt/bitnami/redis/etc - - name: tmp + subPath: app-conf-dir + - name: empty-dir mountPath: /tmp + subPath: tmp-dir {{- if .Values.tls.enabled }} - name: redis-certificates mountPath: /opt/bitnami/redis/certs 
@@ -324,7 +326,7 @@ spec: {{- end }} {{- end }} {{- if .Values.sentinel.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.sentinel.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.sentinel.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -455,10 +457,17 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.sentinel.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: start-scripts mountPath: /opt/bitnami/scripts/start-scripts - name: health mountPath: /health + {{- if .Values.sentinel.service.createMaster}} + - name: kubectl-shared + mountPath: /etc/shared + {{- end }} - name: sentinel-data mountPath: /opt/bitnami/redis-sentinel/etc {{- if .Values.auth.usePasswordFiles }} @@ -487,7 +496,7 @@ spec: image: {{ template "redis.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} 
@@ -568,6 +577,9 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.auth.usePasswordFiles }} - name: redis-password mountPath: /secrets/ @@ -581,6 +593,22 @@ spec: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} {{- end }} {{- end }} + {{- if .Values.sentinel.service.createMaster }} + - name: kubectl-shared + image: {{ template "redis.kubectl.image" . }} + imagePullPolicy: {{ .Values.kubectl.image.pullPolicy | quote }} + command: {{- toYaml .Values.kubectl.command | nindent 12 }} + securityContext: + runAsUser: 0 + volumeMounts: + - name: kubectl-shared + mountPath: /etc/shared + - name: kubectl-scripts + mountPath: /opt/bitnami/scripts/kubectl-scripts + {{- if .Values.kubectl.resources }} + resources: {{- toYaml .Values.kubectl.resources | nindent 12 }} + {{- end }} + {{- end }} {{- if .Values.replica.sidecars }} {{- include "common.tplvalues.render" (dict "value" .Values.replica.sidecars "context" $) | nindent 8 }} {{- end }} @@ -614,6 +642,9 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: redis-data mountPath: {{ .Values.replica.persistence.path }} {{- if .Values.replica.persistence.subPath }} @@ -639,6 +670,9 @@ spec: {{- end }} {{- if .Values.sysctl.mountHostSys }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: host-sys mountPath: /host-sys {{- end }} 
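Review bot: The kubectl sidecar hard-codes `securityContext: runAsUser: 0` and nothing else, while every other container in this file now renders its context through `common.compatibility.renderSecurityContext` with `runAsNonRoot`, `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]`; this is the one container that exercises the pods `patch` credential, so it is the least appropriate one to run as root without a configurable context. Nothing visible in `update-master-label.sh` needs root — it reads an emptyDir and calls kubectl — so presumably a non-root context works; confirm against the image. Add a `kubectl.containerSecurityContext` block to values.yaml (a new key, not yet on the page) mirroring the others and render it as `securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.kubectl.containerSecurityContext "context" $) | nindent 12 }}` behind its `.enabled` flag. A `resourcesPreset` fallback via `common.resources.preset`, as the metrics container has, would also keep the sidecar from running unbounded by default.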
@@ -653,13 +687,25 @@ spec: configMap: name: {{ printf "%s-health" (include "common.names.fullname" .) }} defaultMode: 0755 + {{- if .Values.sentinel.service.createMaster}} + - name: kubectl-shared + emptyDir: {} + - name: kubectl-scripts + configMap: + name: {{ printf "%s-kubectl-scripts" (include "common.names.fullname" .) }} + defaultMode: 0755 + {{- end }} {{- if .Values.auth.usePasswordFiles }} - name: redis-password + {{ if .Values.auth.usePasswordFileFromSecret }} secret: secretName: {{ template "redis.secretName" . }} items: - key: {{ template "redis.secretPasswordKey" . }} path: redis-password + {{- else }} + emptyDir: {} + {{- end }} {{- end }} - name: config configMap: @@ -683,19 +729,7 @@ spec: emptyDir: {} {{- end }} {{- end }} - - name: redis-tmp-conf - {{- if or .Values.sentinel.persistence.medium .Values.sentinel.persistence.sizeLimit }} - emptyDir: - {{- if .Values.sentinel.persistence.medium }} - medium: {{ .Values.sentinel.persistence.medium | quote }} - {{- end }} - {{- if .Values.sentinel.persistence.sizeLimit }} - sizeLimit: {{ .Values.sentinel.persistence.sizeLimit | quote }} - {{- end }} - {{- else }} - emptyDir: {} - {{- end }} - - name: tmp + - name: empty-dir {{- if or .Values.sentinel.persistence.medium .Values.sentinel.persistence.sizeLimit }} emptyDir: {{- if .Values.sentinel.persistence.medium }} diff --git a/charts/bitnami/redis/values.yaml b/charts/bitnami/redis/values.yaml index 63872e68c..a9517f047 100644 --- a/charts/bitnami/redis/values.yaml +++ b/charts/bitnami/redis/values.yaml 
@@ -22,6 +22,15 @@ global: storageClass: "" redis: password: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## @section Common parameters ## @@ -91,7 +100,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/redis - tag: 7.2.4-debian-11-r5 + tag: 7.2.4-debian-12-r9 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -141,6 +150,9 @@ auth: ## @param auth.usePasswordFiles Mount credentials as files instead of using an environment variable ## usePasswordFiles: false + ## @param auth.usePasswordFileFromSecret Mount password file from secret + ## + usePasswordFileFromSecret: true ## @param commonConfiguration [string] Common configuration to be added into the ConfigMap ## ref: https://redis.io/topics/config ## 
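Review bot: `## @param auth.usePasswordFileFromSecret Mount password file from secret` documents only the `true` case; the templates render a bare `emptyDir` at the `redis-password` volume when it is `false`, and secret.yaml then stops rendering the Secret when `usePasswordFiles` is also true, so a user setting `false` must supply `/secrets/redis-password` themselves (presumably via an init container or sidecar; nothing in this diff does it). Spell that out, e.g. `## When false, no Secret is created and an emptyDir is mounted at /secrets instead; something else must write /secrets/redis-password before Redis starts`. The default `true` preserves the previous behaviour.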
@@ -297,6 +309,7 @@ master: ## @param master.containerSecurityContext.runAsGroup Set Redis® master containers' Security Context runAsGroup ## @param master.containerSecurityContext.runAsNonRoot Set Redis® master containers' Security Context runAsNonRoot ## @param master.containerSecurityContext.allowPrivilegeEscalation Is it possible to escalate Redis® pod(s) privileges + ## @param master.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem ## @param master.containerSecurityContext.seccompProfile.type Set Redis® master containers' Security Context seccompProfile ## @param master.containerSecurityContext.capabilities.drop Set Redis® master containers' Security Context capabilities to drop ## @@ -307,11 +320,11 @@ master: runAsGroup: 0 runAsNonRoot: true allowPrivilegeEscalation: false + readOnlyRootFilesystem: false seccompProfile: type: RuntimeDefault capabilities: - drop: - - ALL + drop: ["ALL"] ## @param master.kind Use either Deployment, StatefulSet (default) or DaemonSet ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/ ## @@ -758,6 +771,7 @@ replica: ## @param replica.containerSecurityContext.runAsGroup Set Redis® replicas containers' Security Context runAsGroup ## @param replica.containerSecurityContext.runAsNonRoot Set Redis® replicas containers' Security Context runAsNonRoot ## @param replica.containerSecurityContext.allowPrivilegeEscalation Set Redis® replicas pod's Security Context allowPrivilegeEscalation + ## @param replica.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem ## @param replica.containerSecurityContext.seccompProfile.type Set Redis® replicas containers' Security Context seccompProfile ## @param replica.containerSecurityContext.capabilities.drop Set Redis® replicas containers' Security Context capabilities to drop ## 
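Review bot: `readOnlyRootFilesystem: false` is introduced as the default even though this same change moves every writable path the containers use (`/tmp`, `/opt/bitnami/redis/etc`) onto the `empty-dir` volume, which is exactly the prerequisite for a read-only root filesystem; if the templates already work with `true`, the hardened default is the safer one, and if the flip is planned for a later major, a comment next to the key (`## kept false for compatibility; the templates support true`) would make that visible. The same default is added for replica, sentinel and metrics in the following hunks. `drop: ["ALL"]` is a pure formatting change of the previous list form.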
@@ -768,11 +782,11 @@ replica: runAsGroup: 0 runAsNonRoot: true allowPrivilegeEscalation: false + readOnlyRootFilesystem: false seccompProfile: type: RuntimeDefault capabilities: - drop: - - ALL + drop: ["ALL"] ## @param replica.schedulerName Alternate scheduler for Redis® replicas pods ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## @@ -1094,7 +1108,7 @@ sentinel: image: registry: docker.io repository: bitnami/redis-sentinel - tag: 7.2.4-debian-11-r6 + tag: 7.2.4-debian-12-r7 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1311,6 +1325,7 @@ sentinel: ## @param sentinel.containerSecurityContext.runAsUser Set Redis® Sentinel containers' Security Context runAsUser ## @param sentinel.containerSecurityContext.runAsGroup Set Redis® Sentinel containers' Security Context runAsGroup ## @param sentinel.containerSecurityContext.runAsNonRoot Set Redis® Sentinel containers' Security Context runAsNonRoot + ## @param sentinel.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem ## @param sentinel.containerSecurityContext.allowPrivilegeEscalation Set Redis® Sentinel containers' Security Context allowPrivilegeEscalation ## @param sentinel.containerSecurityContext.seccompProfile.type Set Redis® Sentinel containers' Security Context seccompProfile ## @param sentinel.containerSecurityContext.capabilities.drop Set Redis® Sentinel containers' Security Context capabilities to drop @@ -1322,11 +1337,11 @@ sentinel: runAsGroup: 0 runAsNonRoot: true allowPrivilegeEscalation: false + readOnlyRootFilesystem: false seccompProfile: type: RuntimeDefault capabilities: - drop: - - ALL + drop: ["ALL"] ## @param sentinel.lifecycleHooks for the Redis® sentinel container(s) to automate configuration before or after startup ## lifecycleHooks: {} 
@@ -1368,6 +1383,12 @@ sentinel: ## @param sentinel.service.clusterIP Redis® Sentinel service Cluster IP ## clusterIP: "" + + ## @param sentinel.service.createMaster Enable master service pointing to the current master (experimental) + ## NOTE: rbac.create need to be set to true + ## + createMaster: false + ## @param sentinel.service.loadBalancerIP Redis® Sentinel service Load Balancer IP ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer ## @@ -1585,7 +1606,7 @@ metrics: image: registry: docker.io repository: bitnami/redis-exporter - tag: 1.57.0-debian-11-r2 + tag: 1.58.0-debian-12-r4 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1681,6 +1702,7 @@ metrics: ## @param metrics.containerSecurityContext.runAsGroup Set Redis® exporter containers' Security Context runAsGroup ## @param metrics.containerSecurityContext.runAsNonRoot Set Redis® exporter containers' Security Context runAsNonRoot ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set Redis® exporter containers' Security Context allowPrivilegeEscalation + ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem ## @param metrics.containerSecurityContext.seccompProfile.type Set Redis® exporter containers' Security Context seccompProfile ## @param metrics.containerSecurityContext.capabilities.drop Set Redis® exporter containers' Security Context capabilities to drop ## @@ -1691,11 +1713,11 @@ metrics: runAsGroup: 0 runAsNonRoot: true allowPrivilegeEscalation: false + readOnlyRootFilesystem: false seccompProfile: type: RuntimeDefault capabilities: - drop: - - ALL + drop: ["ALL"] ## @param metrics.extraVolumes Optionally specify extra list of additional volumes for the Redis® metrics sidecar ## extraVolumes: [] 
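Review bot: The `sentinel.service.createMaster` comment says only that `rbac.create` must be true; users weighing an "experimental" flag also need to know what it adds to the pod — a Role with `list`/`patch` on pods, a kubectl sidecar running as root (`runAsUser: 0` in sentinel/statefulset.yaml), and a `<fullname>-master` Service that reuses the Sentinel Service exposure settings. Suggested wording: `## NOTE: requires rbac.create=true; adds a kubectl sidecar (pods list/patch) and a <fullname>-master Service that inherits sentinel.service.* exposure settings`. Minor: "need to be set" → "needs to be set".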
@@ -1950,7 +1972,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r96 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -1989,6 +2011,50 @@ volumePermissions: containerSecurityContext: seLinuxOptions: null runAsUser: 0 + +## Kubectl InitContainer +## used by Sentinel to update the isMaster label on the Redis(TM) pods +## +kubectl: + ## Bitnami Kubectl image version + ## ref: https://hub.docker.com/r/bitnami/kubectl/tags/ + ## @param kubectl.image.registry [default: REGISTRY_NAME] Kubectl image registry + ## @param kubectl.image.repository [default: REPOSITORY_NAME/kubectl] Kubectl image repository + ## @skip kubectl.image.tag Kubectl image tag (immutable tags are recommended), by default, using the current version + ## @param kubectl.image.digest Kubectl image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param kubectl.image.pullPolicy Kubectl image pull policy + ## @param kubectl.image.pullSecrets Kubectl pull secrets + ## + image: + registry: docker.io + repository: bitnami/kubectl + tag: 1.29.2-debian-12-r3 + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param kubectl.command kubectl command to execute + ## + command: ["/opt/bitnami/scripts/kubectl-scripts/update-master-label.sh"] + ## Bitnami Kubectl resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param kubectl.resources.limits The resources limits for the kubectl containers + ## @param kubectl.resources.requests The requested resources for the kubectl containers + ## + resources: + limits: {} + requests: {} + ## init-sysctl container parameters ## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings) ## @@ -2008,7 +2074,7 @@ sysctl: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r96 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/spark/Chart.lock b/charts/bitnami/spark/Chart.lock index ac4f98ed6..6315e41fa 100644 --- a/charts/bitnami/spark/Chart.lock +++ b/charts/bitnami/spark/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.15.3 -digest: sha256:d80293db4b59902571fcfcbeabb6b81aebb1c05e8a6d25510053e7c329d73002 -generated: "2024-02-14T16:07:29.505476981+01:00" + version: 2.19.0 +digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc +generated: "2024-03-11T12:38:52.801091+01:00" diff --git a/charts/bitnami/spark/Chart.yaml b/charts/bitnami/spark/Chart.yaml index d781882e2..7dab086f7 100644 --- a/charts/bitnami/spark/Chart.yaml +++ b/charts/bitnami/spark/Chart.yaml 
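Review bot: The header `## Kubectl InitContainer` is wrong: sentinel/statefulset.yaml renders this as a regular sidecar container (added after the metrics container, before `replica.sidecars`, running a `while true` loop), not an initContainer; `## Kubectl sidecar container` matches the template. The block also lacks the `resourcesPreset` and `containerSecurityContext` entries that every other container section in this file provides, so the sidecar can be neither hardened nor sized without editing the template. `kubectl.command` is a user-overridable array executed with the pod's pods-patch credential, which deserves a sentence in its @param description.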
@@ -6,10 +6,10 @@ annotations: category: Infrastructure images: | - name: spark - image: docker.io/bitnami/spark:3.5.0-debian-11-r22 + image: docker.io/bitnami/spark:3.5.1-debian-12-r0 licenses: Apache-2.0 apiVersion: v2 -appVersion: 3.5.0 +appVersion: 3.5.1 dependencies: - name: common repository: file://./charts/common @@ -30,4 +30,4 @@ maintainers: name: spark sources: - https://github.com/bitnami/charts/tree/main/bitnami/spark -version: 8.6.0 +version: 8.9.1 diff --git a/charts/bitnami/spark/README.md b/charts/bitnami/spark/README.md index 22670973b..cb16a2a0d 100644 --- a/charts/bitnami/spark/README.md +++ b/charts/bitnami/spark/README.md 
@@ -57,11 +57,12 @@ The command removes all the Kubernetes components associated with the chart and ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | ### Common parameters 
@@ -115,12 +116,10 @@ The command removes all the Kubernetes components associated with the chart and | `master.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | | `master.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `master.podSecurityContext.fsGroup` | Set master pod's Security Context Group ID | `1001` | -| `master.podSecurityContext.runAsUser` | Set master pod's Security Context User ID | `1001` | -| `master.podSecurityContext.runAsGroup` | Set master pod's Security Context Group ID | `0` | -| `master.podSecurityContext.seLinuxOptions` | Set master pod's Security Context SELinux options | `nil` | | `master.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | | `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `master.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `master.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | | `master.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `master.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | | `master.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | 
@@ -211,6 +210,7 @@ The command removes all the Kubernetes components associated with the chart and | `worker.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | | `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `worker.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `worker.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | | `worker.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `worker.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | | `worker.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | diff --git a/charts/bitnami/spark/charts/common/Chart.yaml b/charts/bitnami/spark/charts/common/Chart.yaml index 3046b5910..f86ccd23a 100644 --- a/charts/bitnami/spark/charts/common/Chart.yaml +++ b/charts/bitnami/spark/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.14.1 +appVersion: 2.19.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.15.3 +version: 2.19.0 diff --git a/charts/bitnami/spark/charts/common/templates/_compatibility.tpl b/charts/bitnami/spark/charts/common/templates/_compatibility.tpl new file mode 100644 index 000000000..17665d567 --- /dev/null +++ b/charts/bitnami/spark/charts/common/templates/_compatibility.tpl 
@@ -0,0 +1,39 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+{{- if .context.Values.global.compatibility -}}
+ {{- if .context.Values.global.compatibility.openshift -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .secContext.seLinuxOptions -}}
+ {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/charts/bitnami/spark/charts/common/templates/_resources.tpl b/charts/bitnami/spark/charts/common/templates/_resources.tpl
index cfd41e571..d90f8752d 100644
--- a/charts/bitnami/spark/charts/common/templates/_resources.tpl
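Review bot: The header comment on `common.compatibility.renderSecurityContext` says the stripped fields conflict with the `restricted-v1` SCC, while the `global.compatibility.openshift.adaptSecurityContext` description in values.yaml and the README says `restricted-v2`; one of the two should be corrected so operators know which SCC the adaptation targets, and the same comment recurs in the tomcat copy of `_compatibility.tpl`, which is common 2.18.0 and also lacks the `seLinuxOptions` omit present here. The Usage comment should state that `auto` relies on `.Capabilities.APIVersions`, which is only populated when rendering against a live cluster, so an offline `helm template` render behaves as `disabled` and may differ from what `helm install` applies. After the omit, `runAsNonRoot: true` is kept while `runAsUser` is dropped; with `force` on a non-OpenShift cluster the kubelet then depends on the image declaring a numeric USER, which is worth a line in the same comment.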
+++ b/charts/bitnami/spark/charts/common/templates/_resources.tpl 
@@ -11,35 +11,35 @@ These presets are for basic testing and not meant to be used in production {{ include "common.resources.preset" (dict "type" "nano") -}} */}} {{- define "common.resources.preset" -}} -{{/* The limits are the requests increased by 50% */}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}} {{- $presets := dict "nano" (dict - "requests" (dict "cpu" "100m" "memory" "128Mi") - "limits" (dict "cpu" "150m" "memory" "192Mi") + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi") ) "micro" (dict - "requests" (dict "cpu" "250m" "memory" "256Mi") - "limits" (dict "cpu" "375m" "memory" "384Mi") + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi") ) "small" (dict - "requests" (dict "cpu" "500m" "memory" "512Mi") - "limits" (dict "cpu" "750m" "memory" "768Mi") + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi") ) "medium" (dict - "requests" (dict "cpu" "500m" "memory" "1024Mi") - "limits" (dict "cpu" "750m" "memory" "1536Mi") + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi") ) "large" (dict - "requests" (dict "cpu" "1.0" "memory" "2048Mi") - "limits" (dict "cpu" "1.5" "memory" "3072Mi") + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi") ) "xlarge" (dict - "requests" (dict "cpu" "2.0" "memory" "4096Mi") - "limits" (dict "cpu" "3.0" "memory" "6144Mi") + "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi") ) "2xlarge" (dict - 
"requests" (dict "cpu" "4.0" "memory" "8192Mi") - "limits" (dict "cpu" "6.0" "memory" "12288Mi") + "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi") ) }} {{- if hasKey $presets .type -}} diff --git a/charts/bitnami/spark/templates/statefulset-master.yaml b/charts/bitnami/spark/templates/statefulset-master.yaml index 7d69c842c..81508e939 100644 --- a/charts/bitnami/spark/templates/statefulset-master.yaml +++ b/charts/bitnami/spark/templates/statefulset-master.yaml @@ -67,7 +67,7 @@ spec: topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.master.topologySpreadConstraints "context" .) | nindent 8 }} {{- end }} {{- if .Values.master.podSecurityContext.enabled }} - securityContext: {{- omit .Values.master.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.master.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if .Values.master.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.master.terminationGracePeriodSeconds }} @@ -140,10 +140,13 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.security.ssl.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - - name: certs - mountPath: /certs - - name: shared-certs - mountPath: /opt/bitnami/spark/conf/certs + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: certs + mountPath: /certs + - name: shared-certs + mountPath: /opt/bitnami/spark/conf/certs {{- end }} {{- end }} containers: 
@@ -151,7 +154,7 @@ spec: image: {{ include "spark.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.master.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.master.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.master.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -179,6 +182,21 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.master.extraContainerPorts "context" $) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/spark/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/spark/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/spark/logs + subPath: app-logs-dir + - name: empty-dir + mountPath: /opt/bitnami/spark/work + subPath: app-work-dir {{- if .Values.master.existingConfigmap }} - name: config mountPath: /bitnami/spark/conf/ @@ -318,6 +336,8 @@ spec: {{- include "common.tplvalues.render" ( dict "value" .Values.master.sidecars "context" $) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} {{- if .Values.master.existingConfigmap }} - name: config configMap: diff --git a/charts/bitnami/spark/templates/statefulset-worker.yaml b/charts/bitnami/spark/templates/statefulset-worker.yaml index 968e68ba0..ffbad0a31 100644 --- a/charts/bitnami/spark/templates/statefulset-worker.yaml +++ b/charts/bitnami/spark/templates/statefulset-worker.yaml 
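Review bot: The `empty-dir` volume now backing `/tmp`, `/opt/bitnami/spark/conf`, `/opt/bitnami/spark/tmp`, `/opt/bitnami/spark/logs` and `/opt/bitnami/spark/work` is declared as `emptyDir: {}` with no `sizeLimit`, so Spark work and log output lands in node-local ephemeral storage bounded, as far as this hunk shows, only by whatever ephemeral-storage limit the container's resources carry; a runaway job can fill the node disk or trigger eviction of the whole pod. Consider `emptyDir: { sizeLimit: <value exposed in values.yaml> }` or a comment next to the volume documenting that tradeoff. `statefulset-worker.yaml` adds the same mounts and volume and needs the same treatment. The enclosing `spec` starts and ends outside these hunks.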
@@ -68,7 +68,7 @@ spec: topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.worker.topologySpreadConstraints "context" .) | nindent 8 }} {{- end }} {{- if .Values.worker.podSecurityContext.enabled }} - securityContext: {{- omit .Values.worker.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.worker.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if .Values.worker.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.worker.terminationGracePeriodSeconds }} @@ -142,10 +142,13 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.security.ssl.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - - name: certs - mountPath: /certs - - name: shared-certs - mountPath: /opt/bitnami/spark/conf/certs + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: certs + mountPath: /certs + - name: shared-certs + mountPath: /opt/bitnami/spark/conf/certs {{- end }} {{- end }} containers: @@ -153,7 +156,7 @@ spec: image: {{ include "spark.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.worker.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.worker.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.worker.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} 
@@ -183,6 +186,21 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.worker.extraContainerPorts "context" $) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/spark/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/spark/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/spark/logs + subPath: app-logs-dir + - name: empty-dir + mountPath: /opt/bitnami/spark/work + subPath: app-work-dir {{- if .Values.worker.existingConfigmap }} - name: config mountPath: '/bitnami/spark/conf/' @@ -342,6 +360,8 @@ spec: {{- include "common.tplvalues.render" ( dict "value" .Values.worker.sidecars "context" $) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} {{- if .Values.worker.existingConfigmap }} - name: config configMap: diff --git a/charts/bitnami/spark/values.yaml b/charts/bitnami/spark/values.yaml index a173ae9ff..c20db0a3f 100644 --- a/charts/bitnami/spark/values.yaml +++ b/charts/bitnami/spark/values.yaml @@ -19,6 +19,15 @@ global: ## imagePullSecrets: [] storageClass: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## @section Common parameters ## 
@@ -93,7 +102,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/spark - tag: 3.5.0-debian-11-r22 + tag: 3.5.1-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -174,9 +183,6 @@ master: ## @param master.podSecurityContext.sysctls Set kernel settings using the sysctl interface ## @param master.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param master.podSecurityContext.fsGroup Set master pod's Security Context Group ID - ## @param master.podSecurityContext.runAsUser Set master pod's Security Context User ID - ## @param master.podSecurityContext.runAsGroup Set master pod's Security Context Group ID - ## @param master.podSecurityContext.seLinuxOptions [object,nullable] Set master pod's Security Context SELinux options ## podSecurityContext: enabled: true @@ -184,14 +190,12 @@ master: sysctls: [] supplementalGroups: [] fsGroup: 1001 - runAsUser: 1001 - runAsGroup: 0 - seLinuxOptions: null ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param master.containerSecurityContext.enabled Enabled containers' Security Context ## @param master.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param master.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param master.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param master.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param master.containerSecurityContext.privileged Set container's Security Context privileged ## @param master.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem 
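Review bot: Removing `runAsUser` and `runAsGroup` from `master.podSecurityContext` while adding `runAsGroup` only to `master.containerSecurityContext` means any init container or `master.sidecars` entry that does not declare its own securityContext no longer inherits UID 1001 and runs as whatever its image specifies; the hunk gives no migration note for that. Suggest a comment under `fsGroup: 1001`, e.g. `## runAsUser/runAsGroup are set per container; sidecars and extra init containers must declare their own securityContext`, plus a matching entry in the README "Upgrading" section. The `worker` section further down in this file carries the same change.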
@@ -203,6 +207,7 @@ master: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false readOnlyRootFilesystem: false @@ -542,6 +547,7 @@ worker: ## @param worker.containerSecurityContext.enabled Enabled containers' Security Context ## @param worker.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param worker.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param worker.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param worker.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param worker.containerSecurityContext.privileged Set container's Security Context privileged ## @param worker.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem @@ -553,6 +559,7 @@ worker: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false readOnlyRootFilesystem: false diff --git a/charts/bitnami/tomcat/Chart.lock b/charts/bitnami/tomcat/Chart.lock index 061f93bf6..537558ab4 100644 --- a/charts/bitnami/tomcat/Chart.lock +++ b/charts/bitnami/tomcat/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.15.3 -digest: sha256:d80293db4b59902571fcfcbeabb6b81aebb1c05e8a6d25510053e7c329d73002 -generated: "2024-02-14T16:14:22.980667142+01:00" + version: 2.18.0 +digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280 +generated: "2024-03-05T15:53:43.135308944+01:00" diff --git a/charts/bitnami/tomcat/Chart.yaml b/charts/bitnami/tomcat/Chart.yaml index c67a995a5..570b56112 100644 --- a/charts/bitnami/tomcat/Chart.yaml +++ b/charts/bitnami/tomcat/Chart.yaml 
@@ -6,14 +6,14 @@ annotations: category: ApplicationServer images: | - name: jmx-exporter - image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r6 + image: docker.io/bitnami/jmx-exporter:0.20.0-debian-12-r11 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r96 + image: docker.io/bitnami/os-shell:12-debian-12-r16 - name: tomcat - image: docker.io/bitnami/tomcat:10.1.18-debian-11-r4 + image: docker.io/bitnami/tomcat:10.1.19-debian-12-r0 licenses: Apache-2.0 apiVersion: v2 -appVersion: 10.1.18 +appVersion: 10.1.19 dependencies: - name: common repository: file://./charts/common @@ -38,4 +38,4 @@ maintainers: name: tomcat sources: - https://github.com/bitnami/charts/tree/main/bitnami/tomcat -version: 10.15.0 +version: 10.17.0 diff --git a/charts/bitnami/tomcat/README.md b/charts/bitnami/tomcat/README.md index 558447c2e..37a7580ad 100644 --- a/charts/bitnami/tomcat/README.md +++ b/charts/bitnami/tomcat/README.md 
@@ -59,11 +59,12 @@ The command removes all the Kubernetes components associated with the chart and ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | ### Common parameters diff --git a/charts/bitnami/tomcat/charts/common/Chart.yaml b/charts/bitnami/tomcat/charts/common/Chart.yaml index 3046b5910..2acf0cd40 100644 --- a/charts/bitnami/tomcat/charts/common/Chart.yaml +++ b/charts/bitnami/tomcat/charts/common/Chart.yaml 
@@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.14.1 +appVersion: 2.18.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.15.3 +version: 2.18.0 diff --git a/charts/bitnami/tomcat/charts/common/templates/_compatibility.tpl b/charts/bitnami/tomcat/charts/common/templates/_compatibility.tpl new file mode 100644 index 000000000..c529f0872 --- /dev/null +++ b/charts/bitnami/tomcat/charts/common/templates/_compatibility.tpl 
@@ -0,0 +1,35 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+{{- if .context.Values.global.compatibility -}}
+ {{- if .context.Values.global.compatibility.openshift -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/charts/bitnami/tomcat/charts/common/templates/_resources.tpl b/charts/bitnami/tomcat/charts/common/templates/_resources.tpl
index cfd41e571..d90f8752d 100644
--- a/charts/bitnami/tomcat/charts/common/templates/_resources.tpl
+++ b/charts/bitnami/tomcat/charts/common/templates/_resources.tpl
@@ -11,35 +11,35 @@ These presets are for basic testing and not meant to be used in production {{ include "common.resources.preset" (dict "type" "nano") -}} */}} {{- define "common.resources.preset" -}} -{{/* The limits are the requests increased by 50% */}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}} {{- $presets := dict "nano" (dict - "requests" (dict "cpu" "100m" "memory" "128Mi") - "limits" (dict "cpu" "150m" "memory" "192Mi") + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi") ) "micro" (dict - "requests" (dict "cpu" "250m" "memory" "256Mi") - "limits" (dict "cpu" "375m" "memory" "384Mi") + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi") ) "small" (dict - "requests" (dict "cpu" "500m" "memory" "512Mi") - "limits" (dict "cpu" "750m" "memory" "768Mi") + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi") ) "medium" (dict - "requests" (dict "cpu" "500m" "memory" "1024Mi") - "limits" (dict "cpu" "750m" "memory" "1536Mi") + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi") ) "large" (dict - "requests" (dict "cpu" "1.0" "memory" "2048Mi") - "limits" (dict "cpu" "1.5" "memory" "3072Mi") + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi") ) "xlarge" (dict - "requests" (dict "cpu" "2.0" "memory" "4096Mi") - "limits" (dict "cpu" "3.0" "memory" "6144Mi") + "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi") ) "2xlarge" (dict - 
"requests" (dict "cpu" "4.0" "memory" "8192Mi") - "limits" (dict "cpu" "6.0" "memory" "12288Mi") + "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi") ) }} {{- if hasKey $presets .type -}} diff --git a/charts/bitnami/tomcat/templates/_pod.tpl b/charts/bitnami/tomcat/templates/_pod.tpl index 81d81f862..0944cb68b 100644 --- a/charts/bitnami/tomcat/templates/_pod.tpl +++ b/charts/bitnami/tomcat/templates/_pod.tpl @@ -32,7 +32,7 @@ nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeS tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 2 }} {{- end }} {{- if .Values.podSecurityContext.enabled }} -securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 2 }} +securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 2 }} {{- end }} {{- if .Values.topologySpreadConstraints }} topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 2 }} @@ -66,7 +66,7 @@ containers: image: {{ template "tomcat.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 6 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 6 }} {{- end }} {{- if .Values.command }} command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 6 }} 
@@ -158,7 +158,7 @@ containers: image: {{ template "tomcat.metrics.jmx.image" . }} imagePullPolicy: {{ .Values.metrics.jmx.image.pullPolicy | quote }} {{- if .Values.metrics.jmx.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.jmx.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.jmx.containerSecurityContext "context" $) | nindent 12 }} {{- end }} command: - java diff --git a/charts/bitnami/tomcat/values.yaml b/charts/bitnami/tomcat/values.yaml index d8653d6e8..5b5ea0b07 100644 --- a/charts/bitnami/tomcat/values.yaml +++ b/charts/bitnami/tomcat/values.yaml @@ -19,6 +19,15 @@ global: ## imagePullSecrets: [] storageClass: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## @section Common parameters ## @@ -59,7 +68,7 @@ extraDeploy: [] image: registry: docker.io repository: bitnami/tomcat - tag: 10.1.18-debian-11-r4 + tag: 10.1.19-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -627,7 +636,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r96 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -685,7 +694,7 @@ metrics: image: registry: docker.io repository: bitnami/jmx-exporter - tag: 0.20.0-debian-11-r6 + tag: 0.20.0-debian-12-r11 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' diff --git a/charts/bitnami/wordpress/Chart.lock b/charts/bitnami/wordpress/Chart.lock index 8610ba3d9..1c327cdec 100644 --- a/charts/bitnami/wordpress/Chart.lock +++ b/charts/bitnami/wordpress/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: memcached repository: oci://registry-1.docker.io/bitnamicharts - version: 6.10.1 + version: 6.14.0 - name: mariadb repository: oci://registry-1.docker.io/bitnamicharts - version: 15.2.2 + version: 16.5.0 - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.15.3 -digest: sha256:b87b08edb2f92f0219f4469f1f1f93dd85a9f2c550fb7c982f369c7358bde2dd -generated: "2024-02-14T16:17:15.586621322+01:00" + version: 2.19.0 +digest: sha256:f14e7183217316a026257bb89543ec1055b763c37dd4bfba26c2c725ac0e7571 +generated: "2024-03-08T16:54:42.092136196Z" diff --git a/charts/bitnami/wordpress/Chart.yaml b/charts/bitnami/wordpress/Chart.yaml index a1e687d5f..7e4f9c5eb 100644 --- a/charts/bitnami/wordpress/Chart.yaml +++ b/charts/bitnami/wordpress/Chart.yaml @@ -6,11 +6,11 @@ annotations: category: CMS images: | - name: apache-exporter - image: docker.io/bitnami/apache-exporter:1.0.6-debian-11-r2 + image: docker.io/bitnami/apache-exporter:1.0.6-debian-12-r8 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r96 + image: docker.io/bitnami/os-shell:12-debian-12-r16 - name: wordpress - image: docker.io/bitnami/wordpress:6.4.3-debian-11-r4 + image: docker.io/bitnami/wordpress:6.4.3-debian-12-r20 licenses: Apache-2.0 apiVersion: v2 appVersion: 6.4.3 @@ -22,7 +22,7 @@ dependencies: - condition: mariadb.enabled name: mariadb repository: file://./charts/mariadb - version: 15.x.x + version: 16.x.x - name: common repository: file://./charts/common tags: 
@@ -47,4 +47,4 @@ maintainers: name: wordpress sources: - https://github.com/bitnami/charts/tree/main/bitnami/wordpress -version: 19.3.0 +version: 20.1.2 diff --git a/charts/bitnami/wordpress/README.md b/charts/bitnami/wordpress/README.md index 1e8b06e52..006c3d053 100644 --- a/charts/bitnami/wordpress/README.md +++ b/charts/bitnami/wordpress/README.md @@ -57,11 +57,12 @@ The command removes all the Kubernetes components associated with the chart and ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | ### Common parameters 
@@ -629,6 +630,10 @@ To enable the new features, it is not possible to do it by upgrading an existing ## Upgrading +### To 20.0.0 + +This major release bumps the and MariaDB chart version to [16.x.x](https://github.com/bitnami/charts/pull/23054); no major issues are expected during the upgrade. + ### To 19.0.0 This major release bumps the MariaDB version to 11.2. No major issues are expected during the upgrade. diff --git a/charts/bitnami/wordpress/charts/common/Chart.yaml b/charts/bitnami/wordpress/charts/common/Chart.yaml index 3046b5910..f86ccd23a 100644 --- a/charts/bitnami/wordpress/charts/common/Chart.yaml +++ b/charts/bitnami/wordpress/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.14.1 +appVersion: 2.19.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.15.3 +version: 2.19.0 diff --git a/charts/bitnami/wordpress/charts/common/templates/_compatibility.tpl b/charts/bitnami/wordpress/charts/common/templates/_compatibility.tpl new file mode 100644 index 000000000..17665d567 --- /dev/null +++ b/charts/bitnami/wordpress/charts/common/templates/_compatibility.tpl 
@@ -0,0 +1,39 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+{{- if .context.Values.global.compatibility -}}
+ {{- if .context.Values.global.compatibility.openshift -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .secContext.seLinuxOptions -}}
+ {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/charts/bitnami/wordpress/charts/common/templates/_resources.tpl b/charts/bitnami/wordpress/charts/common/templates/_resources.tpl
index cfd41e571..d90f8752d 100644
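Review bot: The header comment of `common.compatibility.renderSecurityContext` names the `restricted-v1` SCC, while the `adaptSecurityContext` parameter documentation added in the same change (tomcat `values.yaml` and the wordpress and mariadb READMEs) says `restricted-v2`; the two should agree, and the comment is the one to fix: `...that do not work out of the box with the restricted-v2 SCC`. The comment should also say that `auto` rests on `.Capabilities.APIVersions.Has "security.openshift.io/v1"`, which is only populated from a live cluster, so client-side rendering (for example `helm template` without `--api-versions`) never takes the OpenShift branch and leaves `runAsUser`/`runAsGroup`/`fsGroup` in place — users who render offline need `force`. Since dropping those keys delegates UID/GID selection to the platform, it is also worth stating that `runAsNonRoot` is deliberately not removed, so a container still cannot start as root if the SCC defaults are not applied.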
--- a/charts/bitnami/wordpress/charts/common/templates/_resources.tpl
+++ b/charts/bitnami/wordpress/charts/common/templates/_resources.tpl
@@ -11,35 +11,35 @@ These presets are for basic testing and not meant to be used in production
 {{ include "common.resources.preset" (dict "type" "nano") -}}
 */}}
 {{- define "common.resources.preset" -}}
-{{/* The limits are the requests increased by 50% */}}
+{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
 {{- $presets := dict
 "nano" (dict
- "requests" (dict "cpu" "100m" "memory" "128Mi")
- "limits" (dict "cpu" "150m" "memory" "192Mi")
+ "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
 )
 "micro" (dict
- "requests" (dict "cpu" "250m" "memory" "256Mi")
- "limits" (dict "cpu" "375m" "memory" "384Mi")
+ "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
 )
 "small" (dict
- "requests" (dict "cpu" "500m" "memory" "512Mi")
- "limits" (dict "cpu" "750m" "memory" "768Mi")
+ "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
 )
 "medium" (dict
- "requests" (dict "cpu" "500m" "memory" "1024Mi")
- "limits" (dict "cpu" "750m" "memory" "1536Mi")
+ "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
 )
 "large" (dict
- "requests" (dict "cpu" "1.0" "memory" "2048Mi")
- "limits" (dict "cpu" "1.5" "memory" "3072Mi")
+ "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
 )
 "xlarge" (dict
- "requests" (dict "cpu" "2.0" "memory" "4096Mi")
- "limits" (dict "cpu" "3.0" "memory" "6144Mi")
+ "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
 )
 "2xlarge" (dict
- "requests" (dict "cpu" "4.0" "memory" "8192Mi")
- "limits" (dict "cpu" "6.0" "memory" "12288Mi")
+ "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
 )
 }}
 {{- if hasKey $presets .type -}}
diff --git a/charts/bitnami/wordpress/charts/mariadb/Chart.lock b/charts/bitnami/wordpress/charts/mariadb/Chart.lock
index 08b61c8af..d63e6bfcf 100644
--- a/charts/bitnami/wordpress/charts/mariadb/Chart.lock
+++ b/charts/bitnami/wordpress/charts/mariadb/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.14.1
-digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3
-generated: "2023-12-20T08:07:49.82584344Z"
+ version: 2.18.0
+digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280
+generated: "2024-03-05T14:35:54.482130622+01:00"
diff --git a/charts/bitnami/wordpress/charts/mariadb/Chart.yaml b/charts/bitnami/wordpress/charts/mariadb/Chart.yaml
index fa6b4c057..fb54b676c 100644
--- a/charts/bitnami/wordpress/charts/mariadb/Chart.yaml
+++ b/charts/bitnami/wordpress/charts/mariadb/Chart.yaml
@@ -2,14 +2,14 @@ annotations:
 category: Database
 images: |
 - name: mariadb
- image: docker.io/bitnami/mariadb:11.2.2-debian-11-r6
+ image: docker.io/bitnami/mariadb:11.2.3-debian-12-r4
 - name: mysqld-exporter
- image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r5
+ image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-12-r8
 - name: os-shell
- image: docker.io/bitnami/os-shell:11-debian-11-r96
+ image: docker.io/bitnami/os-shell:12-debian-12-r16
 licenses: Apache-2.0
 apiVersion: v2
-appVersion: 11.2.2
+appVersion: 11.2.3
 dependencies:
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
@@ -33,4 +33,4 @@ maintainers:
 name: mariadb
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/mariadb
-version: 15.2.2
+version: 16.5.0
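Review bot: The rewritten comment `{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}` is missing a space before `*/}}` and does not say what the ephemeral-storage rule is: every preset from `nano` to `2xlarge` gets the same `50Mi` request and `1024Mi` limit, so the limit is roughly 20x the request and does not scale with the preset. Suggest `{{/* The limits are the requests increased by 50%, except ephemeral-storage, which is a flat 50Mi request / 1024Mi limit for every preset */}}` so that anyone choosing a preset for a shared node can see the disk burst bound without reading the whole dict. The body of `common.resources.preset` continues past the hunk; only the `hasKey` check is visible.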
diff --git a/charts/bitnami/wordpress/charts/mariadb/README.md b/charts/bitnami/wordpress/charts/mariadb/README.md index eec0a2bb1..e8f307c60 100644 --- a/charts/bitnami/wordpress/charts/mariadb/README.md +++ b/charts/bitnami/wordpress/charts/mariadb/README.md @@ -58,11 +58,12 @@ The command removes all the Kubernetes components associated with the chart and ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker Image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global storage class for dynamic provisioning | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `global.imageRegistry` | Global Docker Image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global storage class for dynamic provisioning | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | ### Common parameters 
@@ -108,203 +109,209 @@ The command removes all the Kubernetes components associated with the chart and ### MariaDB Primary parameters -| Name | Description | Value | -| ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------- | -| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` | -| `primary.command` | Override default container command on MariaDB Primary container(s) (useful when using custom images) | `[]` | -| `primary.args` | Override default container args on MariaDB Primary container(s) (useful when using custom images) | `[]` | -| `primary.lifecycleHooks` | for the MariaDB Primary container(s) to automate configuration before or after startup | `{}` | -| `primary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | -| `primary.hostAliases` | Add deployment host aliases | `[]` | -| `primary.configuration` | MariaDB Primary configuration to be injected as ConfigMap | `""` | -| `primary.existingConfigmap` | Name of existing ConfigMap with MariaDB Primary configuration. | `""` | -| `primary.updateStrategy.type` | MariaDB primary statefulset strategy type | `RollingUpdate` | -| `primary.rollingUpdatePartition` | Partition update strategy for Mariadb Primary statefulset | `""` | -| `primary.podAnnotations` | Additional pod annotations for MariaDB primary pods | `{}` | -| `primary.podLabels` | Extra labels for MariaDB primary pods | `{}` | -| `primary.podAffinityPreset` | MariaDB primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `primary.podAntiAffinityPreset` | MariaDB primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `primary.nodeAffinityPreset.type` | MariaDB primary node affinity preset type. 
Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `primary.nodeAffinityPreset.key` | MariaDB primary node label key to match Ignored if `primary.affinity` is set. | `""` | -| `primary.nodeAffinityPreset.values` | MariaDB primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | -| `primary.affinity` | Affinity for MariaDB primary pods assignment | `{}` | -| `primary.nodeSelector` | Node labels for MariaDB primary pods assignment | `{}` | -| `primary.tolerations` | Tolerations for MariaDB primary pods assignment | `[]` | -| `primary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | -| `primary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB primary pods | `""` | -| `primary.topologySpreadConstraints` | Topology Spread Constraints for MariaDB primary pods assignment | `[]` | -| `primary.priorityClassName` | Priority class for MariaDB primary pods assignment | `""` | -| `primary.runtimeClassName` | Runtime Class for MariaDB primary pods | `""` | -| `primary.podSecurityContext.enabled` | Enable security context for MariaDB primary pods | `true` | -| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | -| `primary.containerSecurityContext.enabled` | MariaDB primary container securityContext | `true` | -| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `primary.containerSecurityContext.runAsUser` | User ID for the MariaDB primary container | `1001` | -| `primary.containerSecurityContext.runAsNonRoot` | Set primary container's Security Context runAsNonRoot | `true` | -| 
`primary.containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` | -| `primary.containerSecurityContext.allowPrivilegeEscalation` | Set primary container's Security Context allowPrivilegeEscalation | `false` | -| `primary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `primary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `primary.resources.limits` | The resources limits for MariaDB primary containers | `{}` | -| `primary.resources.requests` | The requested resources for MariaDB primary containers | `{}` | -| `primary.startupProbe.enabled` | Enable startupProbe | `false` | -| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` | -| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `15` | -| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | -| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `primary.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | -| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | -| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `primary.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | -| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| 
`primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `primary.customStartupProbe` | Override default startup probe for MariaDB primary containers | `{}` | -| `primary.customLivenessProbe` | Override default liveness probe for MariaDB primary containers | `{}` | -| `primary.customReadinessProbe` | Override default readiness probe for MariaDB primary containers | `{}` | -| `primary.startupWaitOptions` | Override default builtin startup wait check options for MariaDB primary containers | `{}` | -| `primary.extraFlags` | MariaDB primary additional command line flags | `""` | -| `primary.extraEnvVars` | Extra environment variables to be set on MariaDB primary containers | `[]` | -| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MariaDB primary containers | `""` | -| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB primary containers | `""` | -| `primary.persistence.enabled` | Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. 
If false, use emptyDir | `true` | -| `primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas | `""` | -| `primary.persistence.subPath` | Subdirectory of the volume to mount at | `""` | -| `primary.persistence.storageClass` | MariaDB primary persistent volume storage Class | `""` | -| `primary.persistence.labels` | Labels for the PVC | `{}` | -| `primary.persistence.annotations` | MariaDB primary persistent volume claim annotations | `{}` | -| `primary.persistence.accessModes` | MariaDB primary persistent volume access Modes | `["ReadWriteOnce"]` | -| `primary.persistence.size` | MariaDB primary persistent volume size | `8Gi` | -| `primary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | -| `primary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB Primary pod(s) | `[]` | -| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB Primary container(s) | `[]` | -| `primary.initContainers` | Add additional init containers for the MariaDB Primary pod(s) | `[]` | -| `primary.sidecars` | Add additional sidecar containers for the MariaDB Primary pod(s) | `[]` | -| `primary.service.type` | MariaDB Primary Kubernetes service type | `ClusterIP` | -| `primary.service.ports.mysql` | MariaDB Primary Kubernetes service port for MariaDB | `3306` | -| `primary.service.ports.metrics` | MariaDB Primary Kubernetes service port for metrics | `9104` | -| `primary.service.nodePorts.mysql` | MariaDB Primary Kubernetes service node port | `""` | -| `primary.service.clusterIP` | MariaDB Primary Kubernetes service clusterIP IP | `""` | -| `primary.service.loadBalancerIP` | MariaDB Primary loadBalancerIP if service type is `LoadBalancer` | `""` | -| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `primary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB 
Primary service is LoadBalancer | `[]` | -| `primary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `primary.service.annotations` | Provide any additional annotations which may be required | `{}` | -| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `primary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB primary pods | `false` | -| `primary.pdb.minAvailable` | Minimum number/percentage of MariaDB primary pods that must still be available after the eviction | `1` | -| `primary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB primary pods that can be unavailable after the eviction | `""` | -| `primary.revisionHistoryLimit` | Maximum number of revisions that will be maintained in the StatefulSet | `10` | +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `primary.name` | Name of the primary database (eg primary, master, leader, ...) 
| `primary` | +| `primary.command` | Override default container command on MariaDB Primary container(s) (useful when using custom images) | `[]` | +| `primary.args` | Override default container args on MariaDB Primary container(s) (useful when using custom images) | `[]` | +| `primary.lifecycleHooks` | for the MariaDB Primary container(s) to automate configuration before or after startup | `{}` | +| `primary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `primary.hostAliases` | Add deployment host aliases | `[]` | +| `primary.containerPorts.mysql` | Container port for mysql | `3306` | +| `primary.configuration` | MariaDB Primary configuration to be injected as ConfigMap | `""` | +| `primary.existingConfigmap` | Name of existing ConfigMap with MariaDB Primary configuration. | `""` | +| `primary.updateStrategy.type` | MariaDB primary statefulset strategy type | `RollingUpdate` | +| `primary.rollingUpdatePartition` | Partition update strategy for Mariadb Primary statefulset | `""` | +| `primary.podAnnotations` | Additional pod annotations for MariaDB primary pods | `{}` | +| `primary.podLabels` | Extra labels for MariaDB primary pods | `{}` | +| `primary.podAffinityPreset` | MariaDB primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.podAntiAffinityPreset` | MariaDB primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `primary.nodeAffinityPreset.type` | MariaDB primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.nodeAffinityPreset.key` | MariaDB primary node label key to match Ignored if `primary.affinity` is set. | `""` | +| `primary.nodeAffinityPreset.values` | MariaDB primary node label values to match. Ignored if `primary.affinity` is set. 
| `[]` | +| `primary.affinity` | Affinity for MariaDB primary pods assignment | `{}` | +| `primary.nodeSelector` | Node labels for MariaDB primary pods assignment | `{}` | +| `primary.tolerations` | Tolerations for MariaDB primary pods assignment | `[]` | +| `primary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `primary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB primary pods | `""` | +| `primary.topologySpreadConstraints` | Topology Spread Constraints for MariaDB primary pods assignment | `[]` | +| `primary.priorityClassName` | Priority class for MariaDB primary pods assignment | `""` | +| `primary.runtimeClassName` | Runtime Class for MariaDB primary pods | `""` | +| `primary.podSecurityContext.enabled` | Enable security context for MariaDB primary pods | `true` | +| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | +| `primary.containerSecurityContext.enabled` | MariaDB primary container securityContext | `true` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `primary.containerSecurityContext.runAsUser` | User ID for the MariaDB primary container | `1001` | +| `primary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB primary container | `0` | +| `primary.containerSecurityContext.runAsNonRoot` | Set primary container's Security Context runAsNonRoot | `true` | +| `primary.containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` | +| `primary.containerSecurityContext.allowPrivilegeEscalation` | Set primary container's Security Context 
allowPrivilegeEscalation | `false` | +| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `primary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `primary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `none` | +| `primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `primary.startupProbe.enabled` | Enable startupProbe | `false` | +| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` | +| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `15` | +| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | +| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `primary.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | +| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `primary.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for 
readinessProbe | `30` | +| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `primary.customStartupProbe` | Override default startup probe for MariaDB primary containers | `{}` | +| `primary.customLivenessProbe` | Override default liveness probe for MariaDB primary containers | `{}` | +| `primary.customReadinessProbe` | Override default readiness probe for MariaDB primary containers | `{}` | +| `primary.startupWaitOptions` | Override default builtin startup wait check options for MariaDB primary containers | `{}` | +| `primary.extraFlags` | MariaDB primary additional command line flags | `""` | +| `primary.extraEnvVars` | Extra environment variables to be set on MariaDB primary containers | `[]` | +| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MariaDB primary containers | `""` | +| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB primary containers | `""` | +| `primary.persistence.enabled` | Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. 
If false, use emptyDir | `true` | +| `primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas | `""` | +| `primary.persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `primary.persistence.storageClass` | MariaDB primary persistent volume storage Class | `""` | +| `primary.persistence.labels` | Labels for the PVC | `{}` | +| `primary.persistence.annotations` | MariaDB primary persistent volume claim annotations | `{}` | +| `primary.persistence.accessModes` | MariaDB primary persistent volume access Modes | `["ReadWriteOnce"]` | +| `primary.persistence.size` | MariaDB primary persistent volume size | `8Gi` | +| `primary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | +| `primary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB Primary pod(s) | `[]` | +| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB Primary container(s) | `[]` | +| `primary.initContainers` | Add additional init containers for the MariaDB Primary pod(s) | `[]` | +| `primary.sidecars` | Add additional sidecar containers for the MariaDB Primary pod(s) | `[]` | +| `primary.service.type` | MariaDB Primary Kubernetes service type | `ClusterIP` | +| `primary.service.ports.mysql` | MariaDB Primary Kubernetes service port for MariaDB | `3306` | +| `primary.service.ports.metrics` | MariaDB Primary Kubernetes service port for metrics | `9104` | +| `primary.service.nodePorts.mysql` | MariaDB Primary Kubernetes service node port | `""` | +| `primary.service.clusterIP` | MariaDB Primary Kubernetes service clusterIP IP | `""` | +| `primary.service.loadBalancerIP` | MariaDB Primary loadBalancerIP if service type is `LoadBalancer` | `""` | +| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `primary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB 
Primary service is LoadBalancer | `[]` | +| `primary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `primary.service.annotations` | Provide any additional annotations which may be required | `{}` | +| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `primary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB primary pods | `false` | +| `primary.pdb.minAvailable` | Minimum number/percentage of MariaDB primary pods that must still be available after the eviction | `1` | +| `primary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB primary pods that can be unavailable after the eviction | `""` | +| `primary.revisionHistoryLimit` | Maximum number of revisions that will be maintained in the StatefulSet | `10` | ### MariaDB Secondary parameters -| Name | Description | Value | -| ------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | ------------------- | -| `secondary.name` | Name of the secondary database (eg secondary, slave, ...) 
| `secondary` | -| `secondary.replicaCount` | Number of MariaDB secondary replicas | `1` | -| `secondary.command` | Override default container command on MariaDB Secondary container(s) (useful when using custom images) | `[]` | -| `secondary.args` | Override default container args on MariaDB Secondary container(s) (useful when using custom images) | `[]` | -| `secondary.lifecycleHooks` | for the MariaDB Secondary container(s) to automate configuration before or after startup | `{}` | -| `secondary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | -| `secondary.hostAliases` | Add deployment host aliases | `[]` | -| `secondary.configuration` | MariaDB Secondary configuration to be injected as ConfigMap | `""` | -| `secondary.existingConfigmap` | Name of existing ConfigMap with MariaDB Secondary configuration. | `""` | -| `secondary.updateStrategy.type` | MariaDB secondary statefulset strategy type | `RollingUpdate` | -| `secondary.rollingUpdatePartition` | Partition update strategy for Mariadb Secondary statefulset | `""` | -| `secondary.podAnnotations` | Additional pod annotations for MariaDB secondary pods | `{}` | -| `secondary.podLabels` | Extra labels for MariaDB secondary pods | `{}` | -| `secondary.podAffinityPreset` | MariaDB secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `secondary.podAntiAffinityPreset` | MariaDB secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `secondary.nodeAffinityPreset.type` | MariaDB secondary node affinity preset type. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `secondary.nodeAffinityPreset.key` | MariaDB secondary node label key to match Ignored if `secondary.affinity` is set. | `""` | -| `secondary.nodeAffinityPreset.values` | MariaDB secondary node label values to match. Ignored if `secondary.affinity` is set. 
| `[]` | -| `secondary.affinity` | Affinity for MariaDB secondary pods assignment | `{}` | -| `secondary.nodeSelector` | Node labels for MariaDB secondary pods assignment | `{}` | -| `secondary.tolerations` | Tolerations for MariaDB secondary pods assignment | `[]` | -| `secondary.topologySpreadConstraints` | Topology Spread Constraints for MariaDB secondary pods assignment | `[]` | -| `secondary.priorityClassName` | Priority class for MariaDB secondary pods assignment | `""` | -| `secondary.runtimeClassName` | Runtime Class for MariaDB secondary pods | `""` | -| `secondary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | -| `secondary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB secondary pods | `""` | -| `secondary.podSecurityContext.enabled` | Enable security context for MariaDB secondary pods | `true` | -| `secondary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `secondary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `secondary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | -| `secondary.containerSecurityContext.enabled` | MariaDB secondary container securityContext | `true` | -| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `secondary.containerSecurityContext.runAsUser` | User ID for the MariaDB secondary container | `1001` | -| `secondary.containerSecurityContext.runAsNonRoot` | Set secondary container's Security Context runAsNonRoot | `true` | -| `secondary.containerSecurityContext.privileged` | Set secondary container's Security Context privileged | `false` | -| `secondary.containerSecurityContext.allowPrivilegeEscalation` | Set secondary container's Security Context allowPrivilegeEscalation | `false` | -| 
`secondary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `secondary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `secondary.resources.limits` | The resources limits for MariaDB secondary containers | `{}` | -| `secondary.resources.requests` | The requested resources for MariaDB secondary containers | `{}` | -| `secondary.startupProbe.enabled` | Enable startupProbe | `false` | -| `secondary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` | -| `secondary.startupProbe.periodSeconds` | Period seconds for startupProbe | `15` | -| `secondary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `secondary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | -| `secondary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `secondary.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `secondary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | -| `secondary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `secondary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | -| `secondary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `secondary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `secondary.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `secondary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | -| `secondary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `secondary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `secondary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `secondary.readinessProbe.successThreshold` | Success 
threshold for readinessProbe | `1` | -| `secondary.customStartupProbe` | Override default startup probe for MariaDB secondary containers | `{}` | -| `secondary.customLivenessProbe` | Override default liveness probe for MariaDB secondary containers | `{}` | -| `secondary.customReadinessProbe` | Override default readiness probe for MariaDB secondary containers | `{}` | -| `secondary.startupWaitOptions` | Override default builtin startup wait check options for MariaDB secondary containers | `{}` | -| `secondary.extraFlags` | MariaDB secondary additional command line flags | `""` | -| `secondary.extraEnvVars` | Extra environment variables to be set on MariaDB secondary containers | `[]` | -| `secondary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MariaDB secondary containers | `""` | -| `secondary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB secondary containers | `""` | -| `secondary.persistence.enabled` | Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim` | `true` | -| `secondary.persistence.subPath` | Subdirectory of the volume to mount at | `""` | -| `secondary.persistence.storageClass` | MariaDB secondary persistent volume storage Class | `""` | -| `secondary.persistence.labels` | Labels for the PVC | `{}` | -| `secondary.persistence.annotations` | MariaDB secondary persistent volume claim annotations | `{}` | -| `secondary.persistence.accessModes` | MariaDB secondary persistent volume access Modes | `["ReadWriteOnce"]` | -| `secondary.persistence.size` | MariaDB secondary persistent volume size | `8Gi` | -| `secondary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | -| `secondary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB secondary pod(s) | `[]` | -| `secondary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB secondary container(s) | `[]` | -| 
`secondary.initContainers` | Add additional init containers for the MariaDB secondary pod(s) | `[]` | -| `secondary.sidecars` | Add additional sidecar containers for the MariaDB secondary pod(s) | `[]` | -| `secondary.service.type` | MariaDB secondary Kubernetes service type | `ClusterIP` | -| `secondary.service.ports.mysql` | MariaDB secondary Kubernetes service port for MariaDB | `3306` | -| `secondary.service.ports.metrics` | MariaDB secondary Kubernetes service port for metrics | `9104` | -| `secondary.service.nodePorts.mysql` | MariaDB secondary Kubernetes service node port | `""` | -| `secondary.service.clusterIP` | MariaDB secondary Kubernetes service clusterIP IP | `""` | -| `secondary.service.loadBalancerIP` | MariaDB secondary loadBalancerIP if service type is `LoadBalancer` | `""` | -| `secondary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `secondary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB secondary service is LoadBalancer | `[]` | -| `secondary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `secondary.service.annotations` | Provide any additional annotations which may be required | `{}` | -| `secondary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `secondary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `secondary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB secondary pods | `false` | -| `secondary.pdb.minAvailable` | Minimum number/percentage of MariaDB secondary pods that should remain scheduled | `1` | -| `secondary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB secondary pods that may be made unavailable | `""` | -| `secondary.revisionHistoryLimit` | Maximum number of revisions that will be maintained in the StatefulSet | `10` | +| Name | Description | Value | +| 
------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- | +| `secondary.name` | Name of the secondary database (eg secondary, slave, ...) | `secondary` | +| `secondary.replicaCount` | Number of MariaDB secondary replicas | `1` | +| `secondary.command` | Override default container command on MariaDB Secondary container(s) (useful when using custom images) | `[]` | +| `secondary.args` | Override default container args on MariaDB Secondary container(s) (useful when using custom images) | `[]` | +| `secondary.lifecycleHooks` | for the MariaDB Secondary container(s) to automate configuration before or after startup | `{}` | +| `secondary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `secondary.hostAliases` | Add deployment host aliases | `[]` | +| `secondary.containerPorts.mysql` | Container port for mysql | `3306` | +| `secondary.configuration` | MariaDB Secondary configuration to be injected as ConfigMap | `""` | +| `secondary.existingConfigmap` | Name of existing ConfigMap with MariaDB Secondary configuration. | `""` | +| `secondary.updateStrategy.type` | MariaDB secondary statefulset strategy type | `RollingUpdate` | +| `secondary.rollingUpdatePartition` | Partition update strategy for Mariadb Secondary statefulset | `""` | +| `secondary.podAnnotations` | Additional pod annotations for MariaDB secondary pods | `{}` | +| `secondary.podLabels` | Extra labels for MariaDB secondary pods | `{}` | +| `secondary.podAffinityPreset` | MariaDB secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `secondary.podAntiAffinityPreset` | MariaDB secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. 
Allowed values: `soft` or `hard` | `soft` | +| `secondary.nodeAffinityPreset.type` | MariaDB secondary node affinity preset type. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `secondary.nodeAffinityPreset.key` | MariaDB secondary node label key to match Ignored if `secondary.affinity` is set. | `""` | +| `secondary.nodeAffinityPreset.values` | MariaDB secondary node label values to match. Ignored if `secondary.affinity` is set. | `[]` | +| `secondary.affinity` | Affinity for MariaDB secondary pods assignment | `{}` | +| `secondary.nodeSelector` | Node labels for MariaDB secondary pods assignment | `{}` | +| `secondary.tolerations` | Tolerations for MariaDB secondary pods assignment | `[]` | +| `secondary.topologySpreadConstraints` | Topology Spread Constraints for MariaDB secondary pods assignment | `[]` | +| `secondary.priorityClassName` | Priority class for MariaDB secondary pods assignment | `""` | +| `secondary.runtimeClassName` | Runtime Class for MariaDB secondary pods | `""` | +| `secondary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `secondary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB secondary pods | `""` | +| `secondary.podSecurityContext.enabled` | Enable security context for MariaDB secondary pods | `true` | +| `secondary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `secondary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `secondary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | +| `secondary.containerSecurityContext.enabled` | MariaDB secondary container securityContext | `true` | +| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| 
`secondary.containerSecurityContext.runAsUser` | User ID for the MariaDB secondary container | `1001` | +| `secondary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB secondary container | `0` | +| `secondary.containerSecurityContext.runAsNonRoot` | Set secondary container's Security Context runAsNonRoot | `true` | +| `secondary.containerSecurityContext.privileged` | Set secondary container's Security Context privileged | `false` | +| `secondary.containerSecurityContext.allowPrivilegeEscalation` | Set secondary container's Security Context allowPrivilegeEscalation | `false` | +| `secondary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `secondary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `secondary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `secondary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). 
| `none` | +| `secondary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `secondary.startupProbe.enabled` | Enable startupProbe | `false` | +| `secondary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` | +| `secondary.startupProbe.periodSeconds` | Period seconds for startupProbe | `15` | +| `secondary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `secondary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | +| `secondary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `secondary.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `secondary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | +| `secondary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `secondary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `secondary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `secondary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `secondary.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `secondary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `secondary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `secondary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `secondary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `secondary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `secondary.customStartupProbe` | Override default startup probe for MariaDB secondary containers | `{}` | +| `secondary.customLivenessProbe` | Override default liveness probe for MariaDB secondary containers | `{}` | +| 
`secondary.customReadinessProbe` | Override default readiness probe for MariaDB secondary containers | `{}` | +| `secondary.startupWaitOptions` | Override default builtin startup wait check options for MariaDB secondary containers | `{}` | +| `secondary.extraFlags` | MariaDB secondary additional command line flags | `""` | +| `secondary.extraEnvVars` | Extra environment variables to be set on MariaDB secondary containers | `[]` | +| `secondary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MariaDB secondary containers | `""` | +| `secondary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB secondary containers | `""` | +| `secondary.persistence.enabled` | Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim` | `true` | +| `secondary.persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `secondary.persistence.storageClass` | MariaDB secondary persistent volume storage Class | `""` | +| `secondary.persistence.labels` | Labels for the PVC | `{}` | +| `secondary.persistence.annotations` | MariaDB secondary persistent volume claim annotations | `{}` | +| `secondary.persistence.accessModes` | MariaDB secondary persistent volume access Modes | `["ReadWriteOnce"]` | +| `secondary.persistence.size` | MariaDB secondary persistent volume size | `8Gi` | +| `secondary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | +| `secondary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB secondary pod(s) | `[]` | +| `secondary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB secondary container(s) | `[]` | +| `secondary.initContainers` | Add additional init containers for the MariaDB secondary pod(s) | `[]` | +| `secondary.sidecars` | Add additional sidecar containers for the MariaDB secondary pod(s) | `[]` | +| `secondary.service.type` | MariaDB secondary Kubernetes 
service type | `ClusterIP` | +| `secondary.service.ports.mysql` | MariaDB secondary Kubernetes service port for MariaDB | `3306` | +| `secondary.service.ports.metrics` | MariaDB secondary Kubernetes service port for metrics | `9104` | +| `secondary.service.nodePorts.mysql` | MariaDB secondary Kubernetes service node port | `""` | +| `secondary.service.clusterIP` | MariaDB secondary Kubernetes service clusterIP IP | `""` | +| `secondary.service.loadBalancerIP` | MariaDB secondary loadBalancerIP if service type is `LoadBalancer` | `""` | +| `secondary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `secondary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB secondary service is LoadBalancer | `[]` | +| `secondary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `secondary.service.annotations` | Provide any additional annotations which may be required | `{}` | +| `secondary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `secondary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `secondary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB secondary pods | `false` | +| `secondary.pdb.minAvailable` | Minimum number/percentage of MariaDB secondary pods that should remain scheduled | `1` | +| `secondary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB secondary pods that may be made unavailable | `""` | +| `secondary.revisionHistoryLimit` | Maximum number of revisions that will be maintained in the StatefulSet | `10` | ### RBAC parameters 
@@ -318,85 +325,81 @@ The command removes all the Kubernetes components associated with the chart and ### Volume Permissions parameters -| Name | Description | Value | -| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | -| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | +| Name | Description | Value | +| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | +| 
`volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | ### Metrics parameters -| Name | Description | Value | -| ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | -| `metrics.enabled` | Start a side-car prometheus exporter | `false` | -| `metrics.image.registry` | Exporter image registry | `REGISTRY_NAME` | -| `metrics.image.repository` | Exporter image repository | `REPOSITORY_NAME/mysqld-exporter` | -| `metrics.image.digest` | Exporter image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `metrics.annotations` | Annotations for the Exporter pod | `{}` | -| `metrics.extraArgs` | Extra args to be passed to mysqld_exporter | `{}` | -| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB metrics container(s) | `{}` | -| `metrics.containerSecurityContext.enabled` | Enable security context for MariaDB metrics container | `false` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `metrics.containerSecurityContext.runAsUser` | User ID for the MariaDB metrics container | `1001` | -| `metrics.containerSecurityContext.runAsNonRoot` | Set metrics container's Security Context runAsNonRoot | `true` | -| `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` | -| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set metrics container's Security Context allowPrivilegeEscalation | `false` | -| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `metrics.resources.limits` | The resources limits for MariaDB prometheus exporter containers | `{}` | -| `metrics.resources.requests` | The requested resources for MariaDB prometheus exporter containers | `{}` | -| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | -| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | 
-| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | -| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | -| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. 
| `""` | -| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | -| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | -| `metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` | -| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` | -| `metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` | -| `metrics.prometheusRule.enabled` | if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` | -| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | -| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | -| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` | +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | +| `metrics.enabled` | Start a side-car prometheus exporter | `false` | +| `metrics.image.registry` | Exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | Exporter image repository | `REPOSITORY_NAME/mysqld-exporter` | +| `metrics.image.digest` | Exporter image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.annotations` | Annotations for the Exporter pod | `{}` | +| `metrics.extraArgs` | Extra args to be passed to mysqld_exporter | `{}` | +| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB metrics container(s) | `{}` | +| `metrics.containerPorts.http` | Container port for http | `9104` | +| `metrics.containerSecurityContext.enabled` | Enable security context for MariaDB metrics container | `false` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `metrics.containerSecurityContext.runAsUser` | User ID for the MariaDB metrics container | `1001` | +| `metrics.containerSecurityContext.runAsGroup` | Group ID for the MariaDB metrics container | `0` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set metrics container's Security Context runAsNonRoot | `true` | +| `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` | +| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set metrics container's Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). 
| `none` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. 
| `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` | +| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` | +| `metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` | +| `metrics.prometheusRule.enabled` | if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` | +| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` | ### NetworkPolicy parameters -| Name | Description | Value | -| ---------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `networkPolicy.enabled` | Enable network policies | `false` | -| `networkPolicy.metrics.enabled` | Enable network policy for metrics (prometheus) | `false` | -| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` | -| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. 
| `{}` | -| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled` | Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. | `false` | -| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the primary node. This label will be used to identified the allowed namespace(s). | `{}` | -| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the primary node. This label will be used to identified the allowed pod(s). | `{}` | -| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules` | Custom network policy for the primary node. | `[]` | -| `networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled` | Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. | `false` | -| `networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to acces the secondary nodes. This label will be used to identified the allowed namespace(s). | `{}` | -| `networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the secondary nodes. This label will be used to identified the allowed pod(s). | `{}` | -| `networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules` | Custom network policy for the secondary nodes. | `[]` | -| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). 
| `false` | -| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` | +| Name | Description | Value | +| --------------------------------------- | --------------------------------------------------------------- | ------ | +| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` | +| `networkPolicy.allowExternal` | The Policy model to apply | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | The above parameters map to the env variables defined in [bitnami/mariadb](https://github.com/bitnami/containers/tree/main/bitnami/mariadb). For more information please refer to the [bitnami/mariadb](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image documentation. 
@@ -425,6 +428,12 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/maria ## Configuration and installation details +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + ### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. 
@@ -529,6 +538,10 @@ helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mariadb --set auth.r | Note: you need to substitute the placeholder _[ROOT_PASSWORD]_ with the value obtained in the installation notes. +### To 16.0.0 + +This section enables NetworkPolicies by default to increase security of the application. It also adapts the values in the `networkPolicy` section to the current Bitnami standards. The removed sections are `networkPolicy.metrics.*`, `networkPolicy.ingressRules.*` and `networkPolicy.egressRules.*`. Check the Parameters table for the new structure. + ### To 14.0.0 This major release bumps the MariaDB version to 11.1. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-between-minor-versions-on-linux/) for upgrading from MariaDB 11.0 to 11.1. No major issues are expected during the upgrade. diff --git a/charts/bitnami/wordpress/charts/mariadb/charts/common/.helmignore b/charts/bitnami/wordpress/charts/mariadb/charts/common/.helmignore index 50af03172..7c7c21d65 100644 --- a/charts/bitnami/wordpress/charts/mariadb/charts/common/.helmignore +++ b/charts/bitnami/wordpress/charts/mariadb/charts/common/.helmignore @@ -20,3 +20,5 @@ .idea/ *.tmproj .vscode/ +# img folder +img/ diff --git a/charts/bitnami/wordpress/charts/mariadb/charts/common/Chart.yaml b/charts/bitnami/wordpress/charts/mariadb/charts/common/Chart.yaml index 9a6aa881f..2acf0cd40 100644 --- a/charts/bitnami/wordpress/charts/mariadb/charts/common/Chart.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.14.1 +appVersion: 2.18.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.14.1 +version: 2.18.0 
diff --git a/charts/bitnami/wordpress/charts/mariadb/charts/common/README.md b/charts/bitnami/wordpress/charts/mariadb/charts/common/README.md index a76fa46a2..0d01a1e06 100644 --- a/charts/bitnami/wordpress/charts/mariadb/charts/common/README.md +++ b/charts/bitnami/wordpress/charts/mariadb/charts/common/README.md @@ -220,7 +220,7 @@ helm install test mychart --set path.to.value00="",path.to.value01="" ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_compatibility.tpl b/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_compatibility.tpl new file mode 100644 index 000000000..c529f0872 --- /dev/null +++ b/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_compatibility.tpl 
@@ -0,0 +1,35 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return true if the detected platform is Openshift +Usage: +{{- include "common.compatibility.isOpenshift" . -}} +*/}} +{{- define "common.compatibility.isOpenshift" -}} +{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}} +{{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC +Usage: +{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}} +*/}} +{{- define "common.compatibility.renderSecurityContext" -}} +{{- $adaptedContext := .secContext -}} +{{- if .context.Values.global.compatibility -}} + {{- if .context.Values.global.compatibility.openshift -}} + {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} + {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} + {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- omit $adaptedContext "enabled" | toYaml -}} +{{- end -}} diff --git a/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_resources.tpl b/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_resources.tpl new file mode 100644 index 000000000..d90f8752d --- /dev/null +++ b/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_resources.tpl 
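Review bot: The usage comment on `common.compatibility.renderSecurityContext` does not say that `adaptSecurityContext: "force"` strips `fsGroup`, `runAsUser` and `runAsGroup` unconditionally — the `or` makes the `isOpenshift` check apply only to the `"auto"` branch — so on a cluster where no SCC assigns a UID the container runs as whatever user the image defaults to and volume ownership is no longer adjusted; `runAsNonRoot` survives the `omit`, which still rejects a root default. Suggest adding to the header comment: `"force" removes the user/group fields on every platform; outside Openshift this defers the effective UID/GID to the image and the admission layer, so only use it when a policy controller is known to assign them.`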
@@ -0,0 +1,50 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a resource request/limit object based on a given preset. +These presets are for basic testing and not meant to be used in production +{{ include "common.resources.preset" (dict "type" "nano") -}} +*/}} +{{- define "common.resources.preset" -}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}} +{{- $presets := dict + "nano" (dict + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi") + ) + "micro" (dict + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi") + ) + "small" (dict + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi") + ) + "medium" (dict + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi") + ) + "large" (dict + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi") + ) + "xlarge" (dict + "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi") + ) + "2xlarge" (dict + "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi") + ) + }} +{{- if hasKey $presets .type -}} +{{- index $presets .type | toYaml -}} +{{- else -}} +{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} +{{- end -}} +{{- end -}} \ No newline at end of file 
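Review bot: `common.resources.preset` hands `.type` straight to `hasKey`, `index` and `printf`, while its callers in this commit guard only with `ne .Values.<section>.resourcesPreset "none"`; if a consumer ever leaves `resourcesPreset` unset or non-string, the failure would come from the type handling of those functions rather than from the intended `fail` message that lists the allowed presets. Coercing once, `{{- $type := .type | toString -}}`, and using `$type` in the three places keeps the helpful error for every bad input. The file also ends without a trailing newline, which the `\ No newline at end of file` marker shows.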
diff --git a/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_warnings.tpl b/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_warnings.tpl
index 66dffc1fe..0f763cd82 100644
--- a/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_warnings.tpl
+++ b/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_warnings.tpl
@@ -13,7 +13,70 @@ Usage: {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ ++info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers {{- end }} - +{{- end -}} + +{{/* +Warning about not setting the resource object in all deployments. +Usage: +{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} +Example: +{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} +The list in the example assumes that the following values exist: + - csiProvider.provider.resources + - server.resources + - volumePermissions.resources + - resources +*/}} +{{- define "common.warnings.resources" -}} +{{- $values := .context.Values -}} +{{- $printMessage := false -}} +{{ $affectedSections := list -}} +{{- range .sections -}} + {{- if eq . "" -}} + {{/* Case where the resources section is at the root (one main deployment in the chart) */}} + {{- if not (index $values "resources") -}} + {{- $affectedSections = append $affectedSections "resources" -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} + {{- $keys := split "." . -}} + {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} + {{- $section := $values -}} + {{- range $keys -}} + {{- $section = index $section . 
-}} + {{- end -}} + {{- if not (index $section "resources") -}} + {{/* If the section has enabled=false or replicaCount=0, do not include it */}} + {{- if and (hasKey $section "enabled") -}} + {{- if index $section "enabled" -}} + {{/* enabled=true */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else if and (hasKey $section "replicaCount") -}} + {{/* We need a casting to int because number 0 is not treated as an int by default */}} + {{- if (gt (index $section "replicaCount" | int) 0) -}} + {{/* replicaCount > 0 */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Default case, add it to the affected sections */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: +{{- range $affectedSections }} + - {{ . }} +{{- end }} ++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +{{- end -}} {{- end -}} diff --git a/charts/bitnami/wordpress/charts/mariadb/templates/NOTES.txt b/charts/bitnami/wordpress/charts/mariadb/templates/NOTES.txt index ba55fd85a..c1f4f6ba8 100644 --- a/charts/bitnami/wordpress/charts/mariadb/templates/NOTES.txt +++ b/charts/bitnami/wordpress/charts/mariadb/templates/NOTES.txt 
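Review bot: The path walk `{{- range $keys -}} {{- $section = index $section . -}} {{- end -}}` assumes every component of a section name exists in values; if a caller names a section that is absent, the first `index` yields nil and the next `index` on that nil fails the whole NOTES render, so a warning-only helper would break `helm install` output. A per-level `hasKey` check (or `dig`) that skips unknown sections would keep it harmless. As a point of style, `{{- if and (hasKey $section "enabled") -}}` and `{{- else if and (hasKey $section "replicaCount") -}}` wrap a single operand in `and`, which is a no-op — `{{- if hasKey $section "enabled" -}}` reads as intended — and `$printMessage` duplicates `gt (len $affectedSections) 0`.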
@@ -73,3 +73,4 @@ To upgrade this helm chart: {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}} {{- end }} {{- end }} +{{- include "common.warnings.resources" (dict "sections" (list "metrics" "primary" "secondary" "volumePermissions") "context" $) }} diff --git a/charts/bitnami/wordpress/charts/mariadb/templates/networkpolicy-egress.yaml b/charts/bitnami/wordpress/charts/mariadb/templates/networkpolicy-egress.yaml deleted file mode 100644 index 64af059fa..000000000 --- a/charts/bitnami/wordpress/charts/mariadb/templates/networkpolicy-egress.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-egress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} - policyTypes: - - Egress - egress: - {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }} - - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - - to: - - namespaceSelector: {} - {{- end }} - {{- if .Values.networkPolicy.egressRules.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} 
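Review bot: The section list passed to `common.warnings.resources` includes `secondary` unconditionally, but the helper added in this commit's `_warnings.tpl` decides relevance only from `enabled`/`replicaCount`, never from `architecture`; if `secondary.replicaCount` defaults to a non-zero value, standalone installs would be told to set `secondary.resources` for a StatefulSet that is never rendered. Building the list conditionally keeps the warning accurate: `{{- $sections := list "metrics" "primary" "volumePermissions" -}}`, `{{- if eq .Values.architecture "replication" }}{{- $sections = append $sections "secondary" }}{{- end }}`, then `{{- include "common.warnings.resources" (dict "sections" $sections "context" $) }}`. Passing an empty string instead would not work, since the helper treats `""` as the root `resources` section.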
diff --git a/charts/bitnami/wordpress/charts/mariadb/templates/networkpolicy.yaml b/charts/bitnami/wordpress/charts/mariadb/templates/networkpolicy.yaml
new file mode 100644
index 000000000..5d5fe77ba
--- /dev/null
+++ b/charts/bitnami/wordpress/charts/mariadb/templates/networkpolicy.yaml
@@ -0,0 +1,76 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow connection to other cluster pods + - ports: + - port: {{ .Values.primary.containerPorts.mysql }} + - port: {{ .Values.secondary.containerPorts.mysql }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.primary.containerPorts.mysql }} + - port: {{ .Values.secondary.containerPorts.mysql }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPorts.http }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "common.names.fullname" . 
}}-client: "true" + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/bitnami/wordpress/charts/mariadb/templates/primary/configmap.yaml b/charts/bitnami/wordpress/charts/mariadb/templates/primary/configmap.yaml index 55ed4414e..d51d0a5cc 100644 --- a/charts/bitnami/wordpress/charts/mariadb/templates/primary/configmap.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/templates/primary/configmap.yaml @@ -16,5 +16,5 @@ metadata: {{- end }} data: my.cnf: |- -{{ .Values.primary.configuration | indent 4 }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.configuration "context" $ ) | nindent 4 }} {{- end -}} diff --git a/charts/bitnami/wordpress/charts/mariadb/templates/primary/networkpolicy-ingress.yaml b/charts/bitnami/wordpress/charts/mariadb/templates/primary/networkpolicy-ingress.yaml deleted file mode 100644 index b3e5e6720..000000000 --- a/charts/bitnami/wordpress/charts/mariadb/templates/primary/networkpolicy-ingress.yaml +++ /dev/null 
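Review bot: The restricted-egress branch renders `.Values.rts.networkPolicy.extraEgress`, which looks like a typo for `.Values.networkPolicy.extraEgress`; with `allowExternalEgress: false` and any `extraEgress` set, rendering would fail on the nil `rts` key, so the value is unusable in the one configuration where it matters. Change the include to `{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}`. Separately, the policy's own `podSelector` uses `common.labels.standard` while the `to`/`from` pod selectors in the same file use `common.labels.matchLabels`; if the standard set carries chart-version labels, as the helper name suggests, the policy stops matching pods whose labels differ from the current release's, and a pod matched by no NetworkPolicy falls back to allow-all rather than deny — worth confirming against the StatefulSet pod labels and selecting with `matchLabels`. The README row for `networkPolicy.extraEgress` also reads "Add extra ingress rules", which should say egress.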
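Review bot: Switching `my.cnf` from `indent 4` to `common.tplvalues.render` means `primary.configuration` is now evaluated as a Go template before being written to the ConfigMap, which is a behaviour change for any existing values that contain literal `{{`/`}}` sequences: those previously passed through verbatim and will now be expanded or fail rendering. The same change is made in `secondary/configmap.yaml`. The "To 16.0.0" upgrade note added to the README only describes the NetworkPolicy rework; adding a sentence there, e.g. `primary.configuration and secondary.configuration are now rendered as templates; escape any literal {{ in my.cnf.`, would spare users a surprise on upgrade.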
@@ -1,58 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-ingress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- $primaryPodLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }} - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $primaryPodLabels "context" $ ) | nindent 6 }} - app.kubernetes.io/component: primary - ingress: - {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} - - from: - {{- if .Values.networkPolicy.metrics.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.metrics.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector) 
}} - - from: - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (eq .Values.architecture "replication") }} - - from: - {{- $secondaryPodLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.secondary.podLabels .Values.commonLabels ) "context" . ) }} - - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $secondaryPodLabels "context" $ ) | nindent 14 }} - app.kubernetes.io/component: secondary - {{- end }} - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/bitnami/wordpress/charts/mariadb/templates/primary/statefulset.yaml b/charts/bitnami/wordpress/charts/mariadb/templates/primary/statefulset.yaml index 40d78eb9f..f7a79decb 100644 --- a/charts/bitnami/wordpress/charts/mariadb/templates/primary/statefulset.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/templates/primary/statefulset.yaml 
@@ -76,7 +76,7 @@ spec: runtimeClassName: {{ .Values.runtimeClassName | quote }} {{- end }} {{- if .Values.primary.podSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if or .Values.primary.initContainers (and .Values.primary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.primary.persistence.enabled) }} initContainers: @@ -96,6 +96,8 @@ spec: runAsUser: 0 {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: data @@ -103,6 +105,9 @@ spec: {{- if .Values.primary.persistence.subPath }} subPath: {{ .Values.primary.persistence.subPath }} {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- end }} {{- end }} containers: @@ -110,7 +115,7 @@ spec: image: {{ include "mariadb.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.primary.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} 
@@ -196,7 +201,7 @@ spec: {{- end }} ports: - name: mysql - containerPort: 3306 + containerPort: {{ .Values.primary.containerPorts.mysql }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.primary.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }} @@ -266,6 +271,18 @@ spec: - name: mariadb-credentials mountPath: /opt/bitnami/mariadb/secrets/ {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mariadb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mariadb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mariadb/logs + subPath: app-logs-dir {{- if .Values.primary.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} @@ -274,7 +291,7 @@ spec: image: {{ include "mariadb.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: {{- if .Values.auth.usePasswordFiles }} 
@@ -299,11 +316,11 @@ spec: if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE") fi - MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:3306 --mysqld.username=root {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} + MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:{{ .Values.primary.containerPorts.mysql }} --mysqld.username=root --web.listen-address=:{{ .Values.metrics.containerPorts.http }} {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} {{- end }} ports: - name: metrics - containerPort: 9104 + containerPort: {{ .Values.metrics.containerPorts.http }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.metrics.livenessProbe.enabled }} livenessProbe: {{- omit .Values.metrics.livenessProbe "enabled" | toYaml | nindent 12 }} @@ -320,8 +337,13 @@ spec: {{- end }} {{- if .Values.metrics.resources }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }} - name: mariadb-credentials mountPath: /opt/bitnami/mysqld-exporter/secrets/ @@ -334,6 +356,8 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.primary.sidecars "context" $) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} {{- if or .Values.primary.configuration .Values.primary.existingConfigmap }} - name: config configMap: diff --git a/charts/bitnami/wordpress/charts/mariadb/templates/secondary/configmap.yaml b/charts/bitnami/wordpress/charts/mariadb/templates/secondary/configmap.yaml index 8a9599144..ef73b1242 100644 
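Review bot: The new `empty-dir` volume in the `@@ -334,6 +356,8 @@` hunk is declared as `emptyDir: {}` with no `sizeLimit`, while this commit moves `/opt/bitnami/mariadb/tmp` and `/opt/bitnami/mariadb/logs` onto it, so runaway logs or temp files are bounded only by the container's `ephemeral-storage` limit — and for the metrics container that limit exists only when the user sets `resources` or picks a preset other than `none`; the main container's `resources` block is outside these hunks. A `sizeLimit` on the volume, or at least a comment such as `# bounded only by the container ephemeral-storage limit; set sizeLimit to cap it independently`, would make the failure mode (pod eviction versus node disk pressure) explicit.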
--- a/charts/bitnami/wordpress/charts/mariadb/templates/secondary/configmap.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/templates/secondary/configmap.yaml @@ -16,5 +16,5 @@ metadata: {{- end }} data: my.cnf: |- -{{ .Values.secondary.configuration | indent 4 }} + {{- include "common.tplvalues.render" ( dict "value" .Values.secondary.configuration "context" $ ) | nindent 4 }} {{- end -}} diff --git a/charts/bitnami/wordpress/charts/mariadb/templates/secondary/networkpolicy-ingress.yaml b/charts/bitnami/wordpress/charts/mariadb/templates/secondary/networkpolicy-ingress.yaml deleted file mode 100644 index d4545af44..000000000 --- a/charts/bitnami/wordpress/charts/mariadb/templates/secondary/networkpolicy-ingress.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (eq .Values.architecture "replication") (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-ingress-secondary" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- $secondaryPodLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.secondary.podLabels .Values.commonLabels ) "context" . ) }} - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $secondaryPodLabels "context" $ ) | nindent 6 }} - app.kubernetes.io/component: secondary - ingress: - {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} - - from: - {{- if .Values.networkPolicy.metrics.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.metrics.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector 
.Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/bitnami/wordpress/charts/mariadb/templates/secondary/statefulset.yaml b/charts/bitnami/wordpress/charts/mariadb/templates/secondary/statefulset.yaml index 7419178cb..c9f330344 100644 --- a/charts/bitnami/wordpress/charts/mariadb/templates/secondary/statefulset.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/templates/secondary/statefulset.yaml @@ -75,7 +75,7 @@ spec: runtimeClassName: {{ .Values.runtimeClassName | quote }} {{- end }} {{- if .Values.secondary.podSecurityContext.enabled }} - securityContext: {{- omit .Values.secondary.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.secondary.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if or .Values.secondary.initContainers (and .Values.secondary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.secondary.persistence.enabled) }} initContainers: 
@@ -95,6 +95,8 @@ spec: runAsUser: 0 {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: data @@ -102,6 +104,9 @@ spec: {{- if .Values.secondary.persistence.subPath }} subPath: {{ .Values.secondary.persistence.subPath }} {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- end }} {{- end }} containers: @@ -109,7 +114,7 @@ spec: image: {{ include "mariadb.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.secondary.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.secondary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.secondary.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -183,7 +188,7 @@ spec: {{- end }} ports: - name: mysql - containerPort: 3306 + containerPort: {{ .Values.secondary.containerPorts.mysql }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.secondary.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.customStartupProbe "context" $) | nindent 12 }} 
@@ -252,12 +257,24 @@ spec: {{- if .Values.secondary.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mariadb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mariadb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mariadb/logs + subPath: app-logs-dir {{- if .Values.metrics.enabled }} - name: metrics image: {{ include "mariadb.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: {{- if .Values.auth.usePasswordFiles }} @@ -282,11 +299,11 @@ spec: if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE") fi - MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:3306 --mysqld.username=root {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} + MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:{{ .Values.secondary.containerPorts.mysql }} --mysqld.username=root --web.listen-address=:{{ .Values.metrics.containerPorts.http }} {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} {{- end }} ports: - name: metrics - containerPort: 9104 + containerPort: {{ .Values.metrics.containerPorts.http }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.metrics.livenessProbe.enabled }} livenessProbe: {{- omit .Values.metrics.livenessProbe "enabled" | toYaml | nindent 12 }} 
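Review bot: The rewritten mysqld_exporter line in the secondary statefulset still ranges over `.Values.metrics.extraArgs.primary`, so if a `secondary` key exists any exporter argument set for secondaries is ignored and the primary's are applied instead. The values hunk at L523 shows `metrics.extraVolumeMounts` split into `primary`/`secondary`, and this same file already consumes `metrics.extraVolumeMounts.secondary` in the hunk at L515; if `extraArgs` is split the same way the loop should read `{{- range .Values.metrics.extraArgs.secondary }} {{ . }} {{- end }}`. This was inherited from the removed line, but the commit rewrites that line and is the natural place to fix it; the metrics container definition begins in the previous hunk.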
@@ -303,12 +320,17 @@ spec: {{- end }} {{- if .Values.metrics.resources }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }} - name: mariadb-credentials mountPath: /opt/bitnami/mysqld-exporter/secrets/ {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: app-tmp-dir {{- if .Values.metrics.extraVolumeMounts.secondary }} {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts.secondary "context" $) | nindent 12 }} {{- end }} @@ -332,6 +354,8 @@ spec: - key: mariadb-replication-password path: mariadb-replication-password {{- end }} + - name: empty-dir + emptyDir: {} {{- if .Values.secondary.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraVolumes "context" $) | nindent 8 }} {{- end }} diff --git a/charts/bitnami/wordpress/charts/mariadb/values.yaml b/charts/bitnami/wordpress/charts/mariadb/values.yaml index 9803c8d99..b8f6c04d6 100644 --- a/charts/bitnami/wordpress/charts/mariadb/values.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/values.yaml 
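Review bot: The exporter's `/tmp` mount added here uses `subPath: app-tmp-dir`, which is the same emptyDir subPath the MariaDB container mounts on `/opt/bitnami/mariadb/tmp` in the hunk at L514, so the exporter's scratch directory and the server's tmp directory (where the default configuration places `mysql.sock`, per the values hunk at L519) become one shared directory. The primary statefulset hunk at L509 uses `subPath: tmp-dir` for the equivalent mount, so this looks like a copy-paste slip rather than intent; change it to `subPath: tmp-dir` so the two containers keep separate scratch space. The metrics container block starts outside this hunk.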
@@ -19,7 +19,15 @@ global: ## imagePullSecrets: [] storageClass: "" - + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## @section Common parameters ## @@ -52,7 +60,6 @@ runtimeClassName: "" ## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) ## extraDeploy: [] - ## Enable diagnostic mode in the deployment ## diagnosticMode: @@ -67,13 +74,11 @@ diagnosticMode: ## args: - infinity - ## @param serviceBindings.enabled Create secret for service binding (Experimental) ## Ref: https://servicebinding.io/service-provider/ ## serviceBindings: enabled: false - ## @section MariaDB common parameters ## @@ -90,7 +95,7 @@ serviceBindings: image: registry: docker.io repository: bitnami/mariadb - tag: 11.2.2-debian-11-r6 + tag: 11.2.3-debian-12-r4 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -166,7 +171,6 @@ initdbScripts: {} ## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) ## initdbScriptsConfigMap: "" - ## @section MariaDB Primary parameters ## 
@@ -192,6 +196,10 @@ primary: ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## hostAliases: [] + ## @param primary.containerPorts.mysql Container port for mysql + ## + containerPorts: + mysql: 3306 ## @param primary.configuration [string] MariaDB Primary configuration to be injected as ConfigMap ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file ## @@ -202,7 +210,7 @@ primary: basedir=/opt/bitnami/mariadb datadir=/bitnami/mariadb/data plugin_dir=/opt/bitnami/mariadb/plugin - port=3306 + port={{ .Values.primary.containerPorts.mysql }} socket=/opt/bitnami/mariadb/tmp/mysql.sock tmpdir=/opt/bitnami/mariadb/tmp max_allowed_packet=16M @@ -332,9 +340,11 @@ primary: ## @param primary.containerSecurityContext.enabled MariaDB primary container securityContext ## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param primary.containerSecurityContext.runAsUser User ID for the MariaDB primary container + ## @param primary.containerSecurityContext.runAsGroup Group ID for the MariaDB primary container ## @param primary.containerSecurityContext.runAsNonRoot Set primary container's Security Context runAsNonRoot ## @param primary.containerSecurityContext.privileged Set primary container's Security Context privileged ## @param primary.containerSecurityContext.allowPrivilegeEscalation Set primary container's Security Context allowPrivilegeEscalation + ## @param primary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem ## @param primary.containerSecurityContext.capabilities.drop List of capabilities to be dropped ## @param primary.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## 
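Review bot: The default for `primary.configuration` now embeds a Go template expression (`port={{ .Values.primary.containerPorts.mysql }}`), which only renders correctly because the configmap passes the value through `common.tplvalues.render` (visible for the secondary in the configmap.yaml hunk at L510; presumably the primary configmap is changed the same way outside this view). The `@param` line does not say the value is templated, and the change matters to operators whose custom `my.cnf` contains a literal `{{`, which will now be parsed instead of copied verbatim. Suggest `## @param primary.configuration [string] MariaDB Primary configuration to be injected as ConfigMap (rendered as a template)`, and the same wording for `secondary.configuration` in the hunk at L519.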
@@ -342,9 +352,11 @@ primary: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false + readOnlyRootFilesystem: false capabilities: drop: ["ALL"] seccompProfile: @@ -355,22 +367,21 @@ primary: ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param primary.resources.limits The resources limits for MariaDB primary containers - ## @param primary.resources.requests The requested resources for MariaDB primary containers + ## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 256Mi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 256Mi - ## - requests: {} + resourcesPreset: "none" + ## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure extra options for MariaDB primary containers' liveness, readiness and startup probes ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) ## @param primary.startupProbe.enabled Enable startupProbe 
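Review bot: `readOnlyRootFilesystem` is introduced with default `false` although this patch adds the emptyDir mounts a read-only root needs (`/tmp`, `/opt/bitnami/mariadb/conf`, `/opt/bitnami/mariadb/tmp` and `/opt/bitnami/mariadb/logs` in the secondary statefulset hunk at L514; presumably the primary gets the same outside this view), and nothing in the `@param` text tells a reader that `true` is now a supported hardening option. Suggest `## @param primary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem (writable paths are backed by emptyDir volumes, so true is supported)`. The new `runAsGroup: 0` likewise deserves a one-line rationale next to its `@param`, since GID 0 is the root group and will be queried in any hardening review. The same documentation point applies to the secondary block at L520 and the metrics block at L523.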
@@ -578,7 +589,6 @@ primary: ## @param primary.revisionHistoryLimit Maximum number of revisions that will be maintained in the StatefulSet ## revisionHistoryLimit: 10 - ## @section MariaDB Secondary parameters ## @@ -607,6 +617,10 @@ secondary: ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## hostAliases: [] + ## @param secondary.containerPorts.mysql Container port for mysql + ## + containerPorts: + mysql: 3306 ## @param secondary.configuration [string] MariaDB Secondary configuration to be injected as ConfigMap ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file ## @@ -616,7 +630,7 @@ secondary: explicit_defaults_for_timestamp basedir=/opt/bitnami/mariadb datadir=/bitnami/mariadb/data - port=3306 + port={{ .Values.secondary.containerPorts.mysql }} socket=/opt/bitnami/mariadb/tmp/mysql.sock tmpdir=/opt/bitnami/mariadb/tmp max_allowed_packet=16M 
@@ -745,9 +759,11 @@ secondary: ## @param secondary.containerSecurityContext.enabled MariaDB secondary container securityContext ## @param secondary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param secondary.containerSecurityContext.runAsUser User ID for the MariaDB secondary container + ## @param secondary.containerSecurityContext.runAsGroup Group ID for the MariaDB secondary container ## @param secondary.containerSecurityContext.runAsNonRoot Set secondary container's Security Context runAsNonRoot ## @param secondary.containerSecurityContext.privileged Set secondary container's Security Context privileged ## @param secondary.containerSecurityContext.allowPrivilegeEscalation Set secondary container's Security Context allowPrivilegeEscalation + ## @param secondary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem ## @param secondary.containerSecurityContext.capabilities.drop List of capabilities to be dropped ## @param secondary.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## @@ -755,9 +771,11 @@ secondary: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false + readOnlyRootFilesystem: false capabilities: drop: ["ALL"] seccompProfile: 
@@ -768,22 +786,21 @@ secondary: ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param secondary.resources.limits The resources limits for MariaDB secondary containers - ## @param secondary.resources.requests The requested resources for MariaDB secondary containers + ## @param secondary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 256Mi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 256Mi - ## - requests: {} + resourcesPreset: "none" + ## @param secondary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure extra options for MariaDB Secondary containers' liveness, readiness and startup probes ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) ## @param secondary.startupProbe.enabled Enable startupProbe @@ -989,7 +1006,6 @@ secondary: ## @param secondary.revisionHistoryLimit Maximum number of revisions that will be maintained in the StatefulSet ## revisionHistoryLimit: 10 - ## @section RBAC parameters ## 
@@ -1017,7 +1033,6 @@ rbac: ## @param rbac.create Whether to create and use RBAC resources or not ## create: false - ## @section Volume Permissions parameters ## @@ -1038,7 +1053,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r96 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) @@ -1048,13 +1063,21 @@ volumePermissions: ## - myRegistryKeySecretName ## pullSecrets: [] - ## @param volumePermissions.resources.limits Init container volume-permissions resource limits - ## @param volumePermissions.resources.requests Init container volume-permissions resource requests + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - limits: {} - requests: {} - + resourcesPreset: "none" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## @section Metrics parameters ## @@ -1074,7 +1097,7 @@ metrics: image: registry: docker.io repository: bitnami/mysqld-exporter - tag: 0.15.1-debian-11-r5 + tag: 0.15.1-debian-12-r8 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) 
@@ -1135,14 +1158,20 @@ metrics: extraVolumeMounts: primary: [] secondary: [] + ## @param metrics.containerPorts.http Container port for http + ## + containerPorts: + http: 9104 ## MariaDB metrics container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled Enable security context for MariaDB metrics container ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser User ID for the MariaDB metrics container + ## @param metrics.containerSecurityContext.runAsGroup Group ID for the MariaDB metrics container ## @param metrics.containerSecurityContext.runAsNonRoot Set metrics container's Security Context runAsNonRoot ## @param metrics.containerSecurityContext.privileged Set metrics container's Security Context privileged ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set metrics container's Security Context allowPrivilegeEscalation + ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem ## @param metrics.containerSecurityContext.capabilities.drop List of capabilities to be dropped ## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## Example: @@ -1158,6 +1187,8 @@ metrics: runAsNonRoot: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 + readOnlyRootFilesystem: false allowPrivilegeEscalation: false capabilities: drop: ["ALL"] 
@@ -1169,22 +1200,21 @@ metrics: ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param metrics.resources.limits The resources limits for MariaDB prometheus exporter containers - ## @param metrics.resources.requests The requested resources for MariaDB prometheus exporter containers + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 256Mi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 256Mi - ## - requests: {} + resourcesPreset: "none" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure extra options for liveness probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes ## @param metrics.livenessProbe.enabled Enable livenessProbe 
@@ -1283,102 +1313,57 @@ metrics: ## summary: MariaDB instance is down ## rules: [] - ## @section NetworkPolicy parameters -## - -## Add networkpolicies +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## networkPolicy: - ## @param networkPolicy.enabled Enable network policies + ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources ## - enabled: false - ## @param networkPolicy.metrics.enabled Enable network policy for metrics (prometheus) - ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. - ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. + enabled: true + ## @param networkPolicy.allowExternal The Policy model to apply + ## When set to false, only pods with the correct client label will have network access to the ports Keycloak is + ## listening on. When true, Keycloak will accept connections from any source (with the correct destination port). ## - metrics: - enabled: false - ## e.g: - ## podSelector: - ## label: monitoring - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: monitoring - ## - namespaceSelector: {} - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the primary node. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the primary node. This label will be used to identified the allowed pod(s). 
- ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules Custom network policy for the primary node. - ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. - ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to acces the secondary nodes. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the secondary nodes. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules Custom network policy for the secondary nodes. + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ## - ingressRules: - ## Allow access to the primary node only from the indicated: - ## - primaryAccessOnlyFrom: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## custom ingress rules - ## e.g: - ## customRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: [] - - ## Allow access to the secondary node only from the indicated: - ## - secondaryAccessOnlyFrom: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## custom ingress rules - ## e.g: - ## CustomRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: [] - - ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). 
- ## @param networkPolicy.egressRules.customRules Custom network policy rule + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend ## - egressRules: - # Deny connections to external. This is not compatible with an external database. - denyConnectionsToExternal: false - ## Additional custom egress rules - ## e.g: - ## customRules: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: {} + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} diff --git a/charts/bitnami/wordpress/charts/memcached/Chart.lock b/charts/bitnami/wordpress/charts/memcached/Chart.lock index 995f241b3..80a5f1280 100644 --- a/charts/bitnami/wordpress/charts/memcached/Chart.lock +++ b/charts/bitnami/wordpress/charts/memcached/Chart.lock 
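Review bot: The new `networkPolicy.allowExternal` description still reads `the ports Keycloak is listening on` / `Keycloak will accept connections from any source`, a copy-paste from another chart, and `networkPolicy.extraEgress` is described as `Add extra ingress rules`; they should read MariaDB and egress respectively. More importantly, the removed `ingressRules.primaryAccessOnlyFrom`, `ingressRules.secondaryAccessOnlyFrom` and `egressRules.denyConnectionsToExternal` keys are dropped without any note, and Helm ignores unknown values silently unless a values schema rejects them, so a release that restricted access through those keys will on upgrade render the new policy with `allowExternal: true` and `allowExternalEgress: true` and lose its restrictions without an error. A comment under the section header naming the replacements (`allowExternal`/`ingressNSMatchLabels`/`ingressNSPodMatchLabels` for the access lists, `allowExternalEgress` for the egress deny) would make the upgrade path visible; the deletion of networkpolicy-ingress.yaml at L511 is the other half of the same change.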
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.14.1
-digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3
-generated: "2023-12-31T18:26:46.31299103Z"
+ version: 2.18.0
+digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280
+generated: "2024-03-05T14:45:44.308851503+01:00"
diff --git a/charts/bitnami/wordpress/charts/memcached/Chart.yaml b/charts/bitnami/wordpress/charts/memcached/Chart.yaml
index cc0f3eea2..68722611b 100644
--- a/charts/bitnami/wordpress/charts/memcached/Chart.yaml
+++ b/charts/bitnami/wordpress/charts/memcached/Chart.yaml
@@ -1,15 +1,15 @@
 annotations:
 category: Infrastructure
 images: |
- - name: memcached-exporter
- image: docker.io/bitnami/memcached-exporter:0.14.2-debian-11-r5
 - name: memcached
- image: docker.io/bitnami/memcached:1.6.23-debian-11-r3
+ image: docker.io/bitnami/memcached:1.6.24-debian-12-r0
+ - name: memcached-exporter
+ image: docker.io/bitnami/memcached-exporter:0.14.2-debian-12-r10
 - name: os-shell
- image: docker.io/bitnami/os-shell:11-debian-11-r96
+ image: docker.io/bitnami/os-shell:12-debian-12-r16
 licenses: Apache-2.0
 apiVersion: v2
-appVersion: 1.6.23
+appVersion: 1.6.24
 dependencies:
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
@@ -30,4 +30,4 @@ maintainers:
 name: memcached
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/memcached
-version: 6.10.1
+version: 6.14.0
diff --git a/charts/bitnami/wordpress/charts/memcached/README.md b/charts/bitnami/wordpress/charts/memcached/README.md
index ed3c59890..a8ed87581 100644
--- a/charts/bitnami/wordpress/charts/memcached/README.md
+++ b/charts/bitnami/wordpress/charts/memcached/README.md
@@ -55,11 +55,12 @@ The command removes all the Kubernetes components associated with the chart and ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | ### Common parameters 
@@ -99,80 +100,80 @@ The command removes all the Kubernetes components associated with the chart and ### Deployment/Statefulset parameters -| Name | Description | Value | -| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -| `replicaCount` | Number of Memcached nodes | `1` | -| `containerPorts.memcached` | Memcached container port | `11211` | -| `livenessProbe.enabled` | Enable livenessProbe on Memcached containers | `true` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | -| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | -| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `readinessProbe.enabled` | Enable readinessProbe on Memcached containers | `true` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | -| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | -| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `startupProbe.enabled` | Enable startupProbe on Memcached containers | `false` | -| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | -| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| 
`startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `lifecycleHooks` | for the Memcached container(s) to automate configuration before or after startup | `{}` | -| `resources.limits` | The resources limits for the Memcached containers | `{}` | -| `resources.requests.memory` | The requested memory for the Memcached containers | `256Mi` | -| `resources.requests.cpu` | The requested cpu for the Memcached containers | `250m` | -| `podSecurityContext.enabled` | Enabled Memcached pods' Security Context | `true` | -| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `podSecurityContext.fsGroup` | Set Memcached pod's Security Context fsGroup | `1001` | -| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | -| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | -| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | -| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| 
`containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | -| `hostAliases` | Add deployment host aliases | `[]` | -| `podLabels` | Extra labels for Memcached pods | `{}` | -| `podAnnotations` | Annotations for Memcached pods | `{}` | -| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | -| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | -| `affinity` | Affinity for pod assignment | `{}` | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `tolerations` | Tolerations for pod assignment | `[]` | -| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | -| `podManagementPolicy` | StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. 
There are two valid pod management policies: `OrderedReady` and `Parallel` | `Parallel` | -| `priorityClassName` | Name of the existing priority class to be used by Memcached pods, priority class needs to be created beforehand | `""` | -| `schedulerName` | Kubernetes pod scheduler registry | `""` | -| `terminationGracePeriodSeconds` | In seconds, time the given to the memcached pod needs to terminate gracefully | `""` | -| `updateStrategy.type` | Memcached statefulset strategy type | `RollingUpdate` | -| `updateStrategy.rollingUpdate` | Memcached statefulset rolling update configuration parameters | `{}` | -| `extraVolumes` | Optionally specify extra list of additional volumes for the Memcached pod(s) | `[]` | -| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Memcached container(s) | `[]` | -| `sidecars` | Add additional sidecar containers to the Memcached pod(s) | `[]` | -| `initContainers` | Add additional init containers to the Memcached pod(s) | `[]` | -| `autoscaling.enabled` | Enable memcached statefulset autoscaling (requires architecture: "high-availability") | `false` | -| `autoscaling.minReplicas` | memcached statefulset autoscaling minimum number of replicas | `3` | -| `autoscaling.maxReplicas` | memcached statefulset autoscaling maximum number of replicas | `6` | -| `autoscaling.targetCPU` | memcached statefulset autoscaling target CPU percentage | `50` | -| `autoscaling.targetMemory` | memcached statefulset autoscaling target CPU memory | `50` | -| `pdb.create` | Deploy a pdb object for the Memcached pod | `false` | -| `pdb.minAvailable` | Minimum available Memcached replicas | `""` | -| `pdb.maxUnavailable` | Maximum unavailable Memcached replicas | `1` | +| Name | Description | Value | +| --------------------------------------------------- | 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `replicaCount` | Number of Memcached nodes | `1` | +| `containerPorts.memcached` | Memcached container port | `11211` | +| `livenessProbe.enabled` | Enable livenessProbe on Memcached containers | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe on Memcached containers | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `startupProbe.enabled` | Enable startupProbe on Memcached containers | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `customReadinessProbe` | Custom readinessProbe that overrides the default one | 
`{}` | +| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `lifecycleHooks` | for the Memcached container(s) to automate configuration before or after startup | `{}` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` | +| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `podSecurityContext.enabled` | Enabled Memcached pods' Security Context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `podSecurityContext.fsGroup` | Set Memcached pod's Security Context fsGroup | `1001` | +| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | 
Set container's Security Context seccomp profile | `RuntimeDefault` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `hostAliases` | Add deployment host aliases | `[]` | +| `podLabels` | Extra labels for Memcached pods | `{}` | +| `podAnnotations` | Annotations for Memcached pods | `{}` | +| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | +| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | +| `affinity` | Affinity for pod assignment | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `podManagementPolicy` | StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. 
There are two valid pod management policies: `OrderedReady` and `Parallel` | `Parallel` | +| `priorityClassName` | Name of the existing priority class to be used by Memcached pods, priority class needs to be created beforehand | `""` | +| `schedulerName` | Kubernetes pod scheduler registry | `""` | +| `terminationGracePeriodSeconds` | In seconds, time the given to the memcached pod needs to terminate gracefully | `""` | +| `updateStrategy.type` | Memcached statefulset strategy type | `RollingUpdate` | +| `updateStrategy.rollingUpdate` | Memcached statefulset rolling update configuration parameters | `{}` | +| `extraVolumes` | Optionally specify extra list of additional volumes for the Memcached pod(s) | `[]` | +| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Memcached container(s) | `[]` | +| `sidecars` | Add additional sidecar containers to the Memcached pod(s) | `[]` | +| `initContainers` | Add additional init containers to the Memcached pod(s) | `[]` | +| `autoscaling.enabled` | Enable memcached statefulset autoscaling (requires architecture: "high-availability") | `false` | +| `autoscaling.minReplicas` | memcached statefulset autoscaling minimum number of replicas | `3` | +| `autoscaling.maxReplicas` | memcached statefulset autoscaling maximum number of replicas | `6` | +| `autoscaling.targetCPU` | memcached statefulset autoscaling target CPU percentage | `50` | +| `autoscaling.targetMemory` | memcached statefulset autoscaling target CPU memory | `50` | +| `pdb.create` | Deploy a pdb object for the Memcached pod | `false` | +| `pdb.minAvailable` | Minimum available Memcached replicas | `""` | +| `pdb.maxUnavailable` | Maximum unavailable Memcached replicas | `1` | ### Traffic Exposure parameters 
@@ -220,72 +221,73 @@ The command removes all the Kubernetes components associated with the chart and ### Volume Permissions parameters -| Name | Description | Value | -| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ | -| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | -| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | -| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | -| `metrics.enabled` | Start a side-car prometheus exporter | `false` | -| `metrics.image.registry` | Memcached exporter image registry | `REGISTRY_NAME` | -| `metrics.image.repository` | Memcached exporter image repository | `REPOSITORY_NAME/memcached-exporter` | -| `metrics.image.digest` | Memcached exporter image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `metrics.containerPorts.metrics` | Memcached Prometheus Exporter container port | `9150` | -| `metrics.resources.limits` | Init container volume-permissions resource limits | `{}` | -| `metrics.resources.requests` | Init container volume-permissions resource requests | `{}` | -| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | -| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | -| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | -| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `metrics.livenessProbe.enabled` | Enable livenessProbe on Memcached Prometheus exporter containers | `true` | -| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | -| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| 
`metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `metrics.readinessProbe.enabled` | Enable readinessProbe on Memcached Prometheus exporter containers | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | -| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `metrics.startupProbe.enabled` | Enable startupProbe on Memcached Prometheus exporter containers | `false` | -| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | -| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `metrics.podAnnotations` | Memcached Prometheus exporter pod Annotation and Labels | `{}` | -| `metrics.service.ports.metrics` | Prometheus metrics service port | `9150` | -| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` | -| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `metrics.service.annotations` | Annotations for the Prometheus metrics service | `{}` | -| 
`metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | -| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | -| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | -| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | -| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | -| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | -| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| Name | Description | Value | +| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | +| `metrics.enabled` | Start a side-car prometheus exporter | `false` | +| `metrics.image.registry` | Memcached exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | Memcached exporter image repository | `REPOSITORY_NAME/memcached-exporter` | +| `metrics.image.digest` | Memcached exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.containerPorts.metrics` | Memcached Prometheus Exporter container port | `9150` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). 
| `none` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe on Memcached Prometheus exporter containers | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe on Memcached Prometheus exporter containers | `true` | +| 
`metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.startupProbe.enabled` | Enable startupProbe on Memcached Prometheus exporter containers | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `metrics.podAnnotations` | Memcached Prometheus exporter pod Annotation and Labels | `{}` | +| `metrics.service.ports.metrics` | Prometheus metrics service port | `9150` | +| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `metrics.service.annotations` | Annotations for the Prometheus metrics service | `{}` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release 
Namespace) | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | The above parameters map to the environment variables defined in the [bitnami/memcached](https://github.com/bitnami/containers/tree/main/bitnami/memcached) container image. For more information please refer to the [bitnami/memcached](https://github.com/bitnami/containers/tree/main/bitnami/memcached) container image documentation. 
@@ -312,6 +314,12 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/memca
 ## Configuration and installation details
+### Resource requests and limits
+
+Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
+
+To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
+
 ### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers)
 It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
diff --git a/charts/bitnami/wordpress/charts/memcached/charts/common/.helmignore b/charts/bitnami/wordpress/charts/memcached/charts/common/.helmignore
index 50af03172..7c7c21d65 100644
--- a/charts/bitnami/wordpress/charts/memcached/charts/common/.helmignore
+++ b/charts/bitnami/wordpress/charts/memcached/charts/common/.helmignore
@@ -20,3 +20,5 @@
 .idea/
 *.tmproj
 .vscode/
+# img folder
+img/
diff --git a/charts/bitnami/wordpress/charts/memcached/charts/common/Chart.yaml b/charts/bitnami/wordpress/charts/memcached/charts/common/Chart.yaml
index 9a6aa881f..2acf0cd40 100644
--- a/charts/bitnami/wordpress/charts/memcached/charts/common/Chart.yaml
+++ b/charts/bitnami/wordpress/charts/memcached/charts/common/Chart.yaml
@@ -2,7 +2,7 @@ annotations:
 category: Infrastructure
 licenses: Apache-2.0
 apiVersion: v2
-appVersion: 2.14.1
+appVersion: 2.18.0
 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself.
 home: https://bitnami.com
@@ -20,4 +20,4 @@ name: common
 sources:
 - https://github.com/bitnami/charts
 type: library
-version: 2.14.1
+version: 2.18.0
diff --git a/charts/bitnami/wordpress/charts/memcached/charts/common/README.md b/charts/bitnami/wordpress/charts/memcached/charts/common/README.md
index a76fa46a2..0d01a1e06 100644
--- a/charts/bitnami/wordpress/charts/memcached/charts/common/README.md
+++ b/charts/bitnami/wordpress/charts/memcached/charts/common/README.md
@@ -220,7 +220,7 @@ helm install test mychart --set path.to.value00="",path.to.value01=""
 ## License
-Copyright © 2023 VMware, Inc.
+Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
diff --git a/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_compatibility.tpl b/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_compatibility.tpl
new file mode 100644
index 000000000..c529f0872
--- /dev/null
+++ b/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_compatibility.tpl
@@ -0,0 +1,35 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+{{- if .context.Values.global.compatibility -}}
+ {{- if .context.Values.global.compatibility.openshift -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_resources.tpl b/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_resources.tpl
new file mode 100644
index 000000000..d90f8752d
--- /dev/null
+++ b/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_resources.tpl
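Review bot: This copy of `common.compatibility.renderSecurityContext` (common 2.18.0) leaves `seLinuxOptions` untouched after dropping `fsGroup`/`runAsUser`/`runAsGroup`, while the copy vendored under zookeeper at L568 (common 2.19.0) additionally removes an empty `seLinuxOptions` because it "causes validation issues"; with the memcached values shipping `seLinuxOptions: null`, the two subcharts would render differently under `adaptSecurityContext: force` or `auto`, so the memcached subchart should vendor the same common version. The doc comment above the define says "restricted-v1 SCC" whereas the `adaptSecurityContext` parameter in values.yaml describes the "restricted-v2 SCC"; suggest `...that do not work out of the box with the restricted-v2 SCC`. The comment on `common.compatibility.isOpenshift` should also state that detection depends on `.Capabilities.APIVersions`, so an offline `helm template` run (without `--api-versions security.openshift.io/v1`) will not trigger `auto` and will still emit the hard-coded UID/GID values; the same applies to the L568 copy.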
@@ -0,0 +1,50 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a resource request/limit object based on a given preset.
+These presets are for basic testing and not meant to be used in production
+{{ include "common.resources.preset" (dict "type" "nano") -}}
+*/}}
+{{- define "common.resources.preset" -}}
+{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
+{{- $presets := dict
+ "nano" (dict
+ "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
+ )
+ "micro" (dict
+ "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
+ )
+ "small" (dict
+ "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
+ )
+ "medium" (dict
+ "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
+ )
+ "large" (dict
+ "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
+ )
+ "xlarge" (dict
+ "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
+ )
+ "2xlarge" (dict
+ "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
+ )
+ }}
+{{- if hasKey $presets .type -}}
+{{- index $presets .type | toYaml -}}
+{{- else -}}
+{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_warnings.tpl b/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_warnings.tpl index 66dffc1fe..0f763cd82 100644 --- a/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_warnings.tpl +++ b/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_warnings.tpl 
@@ -13,7 +13,70 @@ Usage: {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ ++info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers {{- end }} - +{{- end -}} + +{{/* +Warning about not setting the resource object in all deployments. +Usage: +{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} +Example: +{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} +The list in the example assumes that the following values exist: + - csiProvider.provider.resources + - server.resources + - volumePermissions.resources + - resources +*/}} +{{- define "common.warnings.resources" -}} +{{- $values := .context.Values -}} +{{- $printMessage := false -}} +{{ $affectedSections := list -}} +{{- range .sections -}} + {{- if eq . "" -}} + {{/* Case where the resources section is at the root (one main deployment in the chart) */}} + {{- if not (index $values "resources") -}} + {{- $affectedSections = append $affectedSections "resources" -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} + {{- $keys := split "." . -}} + {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} + {{- $section := $values -}} + {{- range $keys -}} + {{- $section = index $section . 
-}} + {{- end -}} + {{- if not (index $section "resources") -}} + {{/* If the section has enabled=false or replicaCount=0, do not include it */}} + {{- if and (hasKey $section "enabled") -}} + {{- if index $section "enabled" -}} + {{/* enabled=true */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else if and (hasKey $section "replicaCount") -}} + {{/* We need a casting to int because number 0 is not treated as an int by default */}} + {{- if (gt (index $section "replicaCount" | int) 0) -}} + {{/* replicaCount > 0 */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Default case, add it to the affected sections */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: +{{- range $affectedSections }} + - {{ . }} +{{- end }} ++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +{{- end -}} {{- end -}} diff --git a/charts/bitnami/wordpress/charts/memcached/templates/NOTES.txt b/charts/bitnami/wordpress/charts/memcached/templates/NOTES.txt index a62e8f50f..626d0da4f 100644 --- a/charts/bitnami/wordpress/charts/memcached/templates/NOTES.txt +++ b/charts/bitnami/wordpress/charts/memcached/templates/NOTES.txt 
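Review bot: `{{ $affectedSections := list -}}` in `common.warnings.resources` is missing the left trim marker that every other action in the define carries, so a newline is emitted into NOTES.txt before any warning text; change it to `{{- $affectedSections := list -}}`. The `and` in `{{- if and (hasKey $section "enabled") -}}` and in the `else if and (hasKey $section "replicaCount")` branch wraps a single operand and does nothing; `{{- if hasKey $section "enabled" -}}` reads as intended. The path walk `{{- $section = index $section . -}}` appears to abort the whole render (rather than warn) when an intermediate key of a section path does not exist in values, since `index` on a nil value errors; guarding with `hasKey` or stating in the usage comment that every listed path must exist would make that explicit. The first hunk on L551 also touches the tail of a define that starts outside the hunk.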
@@ -41,3 +41,4 @@ To access the Memcached Prometheus metrics from outside the cluster execute the
 {{- include "memcached.validateValues" . }}
 {{- include "memcached.checkRollingTags" . }}
+{{- include "common.warnings.resources" (dict "sections" (list "metrics" "" "volumePermissions") "context" $) }}
diff --git a/charts/bitnami/wordpress/charts/memcached/templates/deployment.yaml b/charts/bitnami/wordpress/charts/memcached/templates/deployment.yaml
index da8277251..33ea05bbf 100644
--- a/charts/bitnami/wordpress/charts/memcached/templates/deployment.yaml
+++ b/charts/bitnami/wordpress/charts/memcached/templates/deployment.yaml
@@ -64,7 +64,7 @@ spec:
 schedulerName: {{ .Values.schedulerName }}
 {{- end }}
 {{- if .Values.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
 {{- end }}
 {{- if .Values.terminationGracePeriodSeconds }}
 terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
@@ -78,7 +78,7 @@ spec:
 image: {{ template "memcached.image" . }}
 imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
 {{- if .Values.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
 {{- end }}
 {{- if .Values.diagnosticMode.enabled }}
 command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@@ -149,10 +149,16 @@ spec:
 {{- end }}
 {{- if .Values.resources }}
 resources: {{- toYaml .Values.resources | nindent 12 }}
+ {{- else if ne .Values.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
- - name: tmp
+ - name: empty-dir
+ mountPath: /opt/bitnami/memcached/conf
+ subPath: app-conf-dir
+ - name: empty-dir
 mountPath: /tmp
+ subPath: tmp-dir
 {{- if .Values.extraVolumeMounts }}
 {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }}
 {{- end }}
@@ -161,7 +167,7 @@ spec:
 image: {{ template "memcached.metrics.image" . }}
 imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
 {{- if .Values.metrics.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
 {{- end }}
 ports:
 - name: metrics
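Review bot: The memcached container now gets both `/opt/bitnami/memcached/conf` and `/tmp` from the `empty-dir` volume, which is exactly the groundwork for a read-only root filesystem, yet `containerSecurityContext.readOnlyRootFilesystem` stays `false` in values.yaml (L560) while the exporter container is switched to `true` (L563). If memcached writes to no other paths at runtime, the main container's default could be hardened the same way; if it does, a comment on the values key explaining why it is left writable would save the next reader from trying. The same mounts are added to the StatefulSet at L556.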
@@ -192,13 +198,22 @@ spec:
 {{- end }}
 {{- if .Values.metrics.resources }}
 resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
+ {{- else if ne .Values.metrics.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
 {{- end }}
+ volumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ {{- if .Values.metrics.extraVolumeMounts }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }}
+ {{- end }}
 {{- end }}
 {{- if .Values.sidecars }}
 {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
 {{- end }}
 volumes:
- - name: tmp
+ - name: empty-dir
 emptyDir: {}
 {{- if .Values.extraVolumes }}
 {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
diff --git a/charts/bitnami/wordpress/charts/memcached/templates/statefulset.yaml b/charts/bitnami/wordpress/charts/memcached/templates/statefulset.yaml
index 291984565..d5f3d54c0 100644
--- a/charts/bitnami/wordpress/charts/memcached/templates/statefulset.yaml
+++ b/charts/bitnami/wordpress/charts/memcached/templates/statefulset.yaml
@@ -70,7 +70,7 @@ spec:
 schedulerName: {{ .Values.schedulerName }}
 {{- end }}
 {{- if .Values.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
 {{- end }}
 {{- if .Values.terminationGracePeriodSeconds }}
 terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
@@ -94,10 +94,15 @@ spec: runAsUser: {{ .Values.volumePermissions.containerSecurityContext.runAsUser }} {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: data mountPath: /cache-state + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- end }} {{- if .Values.initContainers }} {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} @@ -108,7 +113,7 @@ spec: image: {{ template "memcached.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -193,14 +198,20 @@ spec: {{- end }} {{- if .Values.resources }} resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: {{- if .Values.persistence.enabled }} - name: data mountPath: /cache-state {{- end }} - - name: tmp + - name: empty-dir + mountPath: /opt/bitnami/memcached/conf + subPath: app-conf-dir + - name: empty-dir mountPath: /tmp + subPath: tmp-dir {{- if .Values.extraVolumeMounts }} {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} {{- end }} 
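Review bot: The volumePermissions init container still renders `runAsUser: {{ .Values.volumePermissions.containerSecurityContext.runAsUser }}` directly (context line at the top of the `@@ -94` hunk), while every other securityContext in this file is now routed through `common.compatibility.renderSecurityContext`; with `adaptSecurityContext: force` or `auto` the init container therefore keeps the fixed `runAsUser: 0` that the helper is meant to strip, so the pod would still be rejected by the restricted SCC. Assuming the `securityContext:` key sits just above the hunk, the block could become `securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.volumePermissions.containerSecurityContext "context" $) | nindent 12 }}`. The init container definition starts outside the hunk.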
@@ -209,7 +220,7 @@ spec: image: {{ template "memcached.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} ports: - name: metrics @@ -241,13 +252,15 @@ spec: {{- end }} {{- if .Values.metrics.resources }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} {{- end }} {{- if .Values.sidecars }} {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $ ) | nindent 8 }} {{- end }} volumes: - - name: tmp + - name: empty-dir emptyDir: {} {{- if .Values.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} diff --git a/charts/bitnami/wordpress/charts/memcached/values.yaml b/charts/bitnami/wordpress/charts/memcached/values.yaml index dfc151b1e..c61da0ebf 100644 --- a/charts/bitnami/wordpress/charts/memcached/values.yaml +++ b/charts/bitnami/wordpress/charts/memcached/values.yaml 
@@ -18,7 +18,15 @@ global: ## imagePullSecrets: [] storageClass: "" - + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## @section Common parameters ## @param kubeVersion Override Kubernetes version @@ -42,7 +50,6 @@ commonLabels: {} ## @param commonAnnotations Add annotations to all the deployed resources ## commonAnnotations: {} - ## Enable diagnostic mode in the deployment/statefulset ## diagnosticMode: @@ -57,7 +64,6 @@ diagnosticMode: ## args: - infinity - ## @section Memcached parameters ## Bitnami Memcached image version @@ -73,7 +79,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/memcached - tag: 1.6.23-debian-11-r3 + tag: 1.6.24-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -135,7 +141,6 @@ extraEnvVarsCM: "" ## @param extraEnvVarsSecret Name of existing Secret containing extra env vars for Memcached nodes ## extraEnvVarsSecret: "" - ## @section Deployment/Statefulset parameters ## @param replicaCount Number of Memcached nodes 
@@ -203,15 +208,21 @@ customStartupProbe: {} lifecycleHooks: {} ## Memcached resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ -## @param resources.limits The resources limits for the Memcached containers -## @param resources.requests.memory The requested memory for the Memcached containers -## @param resources.requests.cpu The requested cpu for the Memcached containers +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## -resources: - limits: {} - requests: - memory: 256Mi - cpu: 250m +resourcesPreset: "none" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: {} ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param podSecurityContext.enabled Enabled Memcached pods' Security Context 
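Review bot: Replacing the default `resources.requests` (`memory: 256Mi`, `cpu: 250m`) with `resources: {}` and `resourcesPreset: "none"` is a behaviour change for upgrades: a release that relied on the defaults now renders no `resources` block at all, so the pod becomes BestEffort (first to be evicted under node pressure) and will be rejected in namespaces whose ResourceQuota requires requests. This deserves a line in the chart's upgrade notes and in the `@param resources` comment, e.g. `## Note: previous versions set default requests (cpu: 250m, memory: 256Mi); set resources or resourcesPreset explicitly when upgrading`. The allowed-values list in the `resourcesPreset` description omits `micro`, which `common.resources.preset` defines (L549); the same text appears at L561 and L562: `(allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)`.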
@@ -231,6 +242,7 @@ podSecurityContext: ## @param containerSecurityContext.enabled Enabled containers' Security Context ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param containerSecurityContext.privileged Set container's Security Context privileged ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem @@ -242,6 +254,7 @@ containerSecurityContext: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 1001 runAsNonRoot: true privileged: false readOnlyRootFilesystem: false @@ -403,9 +416,7 @@ pdb: create: false minAvailable: "" maxUnavailable: 1 - ## @section Traffic Exposure parameters - service: ## @param service.type Kubernetes Service type ## @@ -457,7 +468,6 @@ service: ## @param service.extraPorts Extra ports to expose in the Memcached service (normally used with the `sidecar` value) ## extraPorts: [] - ## Network Policy configuration ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## @@ -512,7 +522,6 @@ networkPolicy: ## ingressNSMatchLabels: {} ingressNSPodMatchLabels: {} - ## @section Other Parameters ## Service account for Memcached to use. @@ -533,7 +542,6 @@ serviceAccount: ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} - ## @section Persistence parameters ## Enable persistence using Persistent Volume Claims @@ -572,7 +580,6 @@ persistence: ## app: my-app ## selector: {} - ## @section Volume Permissions parameters ## 
@@ -593,7 +600,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r96 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -606,12 +613,21 @@ volumePermissions: pullSecrets: [] ## Init container resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param volumePermissions.resources.limits Init container volume-permissions resource limits - ## @param volumePermissions.resources.requests Init container volume-permissions resource requests + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - limits: {} - requests: {} + resourcesPreset: "none" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Init container' Security Context ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser @@ -621,7 +637,6 @@ volumePermissions: containerSecurityContext: seLinuxOptions: null runAsUser: 0 - ## Prometheus Exporter / Metrics ## metrics: @@ -640,7 +655,7 @@ metrics: image: registry: docker.io repository: bitnami/memcached-exporter - tag: 0.14.2-debian-11-r5 + tag: 0.14.2-debian-12-r10 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -657,17 +672,27 @@ metrics: metrics: 9150 ## Memcached Prometheus exporter container resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param metrics.resources.limits Init container volume-permissions resource limits - ## @param metrics.resources.requests Init container volume-permissions resource requests + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - limits: {} - requests: {} + resourcesPreset: "none" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure Metrics Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param metrics.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem 
@@ -679,9 +704,10 @@ metrics:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
+ runAsGroup: 1001
 runAsNonRoot: true
 privileged: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
diff --git a/charts/bitnami/wordpress/templates/deployment.yaml b/charts/bitnami/wordpress/templates/deployment.yaml
index 5d82fc9e0..720d8fa6a 100644
--- a/charts/bitnami/wordpress/templates/deployment.yaml
+++ b/charts/bitnami/wordpress/templates/deployment.yaml
@@ -66,7 +66,7 @@ spec:
 schedulerName: {{ .Values.schedulerName | quote }}
 {{- end }}
 {{- if .Values.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "wordpress.serviceAccountName" .}}
 {{- if .Values.terminationGracePeriodSeconds }}
@@ -126,7 +126,7 @@ spec:
 args: {{- include "common.tplvalues.render" ( dict "value" .Values.args "context" $) | nindent 12 }}
 {{- end }}
 {{- if .Values.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
 {{- end }}
 env:
 - name: BITNAMI_DEBUG
@@ -344,7 +344,7 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- end }} {{- if .Values.sidecars }} diff --git a/charts/bitnami/wordpress/values.yaml b/charts/bitnami/wordpress/values.yaml index fefd9c8d1..c71781261 100644 --- a/charts/bitnami/wordpress/values.yaml +++ b/charts/bitnami/wordpress/values.yaml @@ -19,6 +19,15 @@ global: ## imagePullSecrets: [] storageClass: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## @section Common parameters ## @@ -73,7 +82,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/wordpress - tag: 6.4.3-debian-11-r4 + tag: 6.4.3-debian-12-r20 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -776,7 +785,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r96 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -879,7 +888,7 @@ metrics: image: registry: docker.io repository: bitnami/apache-exporter - tag: 1.0.6-debian-11-r2 + tag: 1.0.6-debian-12-r8 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/zookeeper/Chart.lock b/charts/bitnami/zookeeper/Chart.lock index 5bb07db3e..4e03f81f4 100644 --- a/charts/bitnami/zookeeper/Chart.lock +++ b/charts/bitnami/zookeeper/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.15.3 -digest: sha256:d80293db4b59902571fcfcbeabb6b81aebb1c05e8a6d25510053e7c329d73002 -generated: "2024-02-14T16:17:28.095153805+01:00" + version: 2.19.0 +digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc +generated: "2024-03-12T14:54:51.594358116Z" diff --git a/charts/bitnami/zookeeper/Chart.yaml b/charts/bitnami/zookeeper/Chart.yaml index 0aca76dd8..744ed230a 100644 --- a/charts/bitnami/zookeeper/Chart.yaml +++ b/charts/bitnami/zookeeper/Chart.yaml @@ -6,12 +6,12 @@ annotations: category: Infrastructure images: | - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r96 + image: docker.io/bitnami/os-shell:12-debian-12-r16 - name: zookeeper - image: docker.io/bitnami/zookeeper:3.9.1-debian-11-r8 + image: docker.io/bitnami/zookeeper:3.9.2-debian-12-r0 licenses: Apache-2.0 apiVersion: v2 -appVersion: 3.9.1 +appVersion: 3.9.2 dependencies: - name: common repository: file://./charts/common @@ -30,4 +30,4 @@ maintainers: name: zookeeper sources: - https://github.com/bitnami/charts/tree/main/bitnami/zookeeper -version: 12.9.0 +version: 12.12.1 diff --git a/charts/bitnami/zookeeper/README.md b/charts/bitnami/zookeeper/README.md index 250b42e50..8d65721f6 100644 --- a/charts/bitnami/zookeeper/README.md +++ b/charts/bitnami/zookeeper/README.md 
@@ -56,11 +56,12 @@ The command removes all the Kubernetes components associated with the chart and ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | ### Common parameters 
@@ -167,6 +168,7 @@ The command removes all the Kubernetes components associated with the chart and | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | | `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | | `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | diff --git a/charts/bitnami/zookeeper/charts/common/Chart.yaml b/charts/bitnami/zookeeper/charts/common/Chart.yaml index 3046b5910..f86ccd23a 100644 --- a/charts/bitnami/zookeeper/charts/common/Chart.yaml +++ b/charts/bitnami/zookeeper/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.14.1 +appVersion: 2.19.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.15.3 +version: 2.19.0 diff --git a/charts/bitnami/zookeeper/charts/common/templates/_compatibility.tpl b/charts/bitnami/zookeeper/charts/common/templates/_compatibility.tpl new file mode 100644 index 000000000..17665d567 --- /dev/null +++ b/charts/bitnami/zookeeper/charts/common/templates/_compatibility.tpl 
@@ -0,0 +1,39 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return true if the detected platform is Openshift +Usage: +{{- include "common.compatibility.isOpenshift" . -}} +*/}} +{{- define "common.compatibility.isOpenshift" -}} +{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}} +{{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC +Usage: +{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}} +*/}} +{{- define "common.compatibility.renderSecurityContext" -}} +{{- $adaptedContext := .secContext -}} +{{- if .context.Values.global.compatibility -}} + {{- if .context.Values.global.compatibility.openshift -}} + {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} + {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} + {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- if not .secContext.seLinuxOptions -}} + {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- omit $adaptedContext "enabled" | toYaml -}} +{{- end -}} diff --git a/charts/bitnami/zookeeper/charts/common/templates/_resources.tpl b/charts/bitnami/zookeeper/charts/common/templates/_resources.tpl index cfd41e571..d90f8752d 100644 
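Review bot: The header comment of `common.compatibility.renderSecurityContext` says the dropped user/group values "do not work out of the box with the restricted-v1 SCC", while the `global.compatibility.openshift.adaptSecurityContext` text added to values.yaml and the README in this same commit says `restricted-v2`; the two should agree, e.g. `... that do not work out of the box with the restricted-v2 SCC`. The `auto` mode relies on `.Capabilities.APIVersions.Has "security.openshift.io/v1"`, which is only populated when Helm can query a cluster, so `helm template` without `--api-versions` renders the unadapted context; that is worth stating in the usage comment. Only `fsGroup`, `runAsUser` and `runAsGroup` are omitted, so `runAsNonRoot: true` and a non-empty `seLinuxOptions` still reach the pod spec, which looks intended but could be said explicitly.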
--- a/charts/bitnami/zookeeper/charts/common/templates/_resources.tpl +++ b/charts/bitnami/zookeeper/charts/common/templates/_resources.tpl 
@@ -11,35 +11,35 @@ These presets are for basic testing and not meant to be used in production {{ include "common.resources.preset" (dict "type" "nano") -}} */}} {{- define "common.resources.preset" -}} -{{/* The limits are the requests increased by 50% */}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}} {{- $presets := dict "nano" (dict - "requests" (dict "cpu" "100m" "memory" "128Mi") - "limits" (dict "cpu" "150m" "memory" "192Mi") + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi") ) "micro" (dict - "requests" (dict "cpu" "250m" "memory" "256Mi") - "limits" (dict "cpu" "375m" "memory" "384Mi") + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi") ) "small" (dict - "requests" (dict "cpu" "500m" "memory" "512Mi") - "limits" (dict "cpu" "750m" "memory" "768Mi") + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi") ) "medium" (dict - "requests" (dict "cpu" "500m" "memory" "1024Mi") - "limits" (dict "cpu" "750m" "memory" "1536Mi") + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi") ) "large" (dict - "requests" (dict "cpu" "1.0" "memory" "2048Mi") - "limits" (dict "cpu" "1.5" "memory" "3072Mi") + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi") ) "xlarge" (dict - "requests" (dict "cpu" "2.0" "memory" "4096Mi") - "limits" (dict "cpu" "3.0" "memory" "6144Mi") + "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi") ) "2xlarge" (dict - 
"requests" (dict "cpu" "4.0" "memory" "8192Mi") - "limits" (dict "cpu" "6.0" "memory" "12288Mi") + "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi") ) }} {{- if hasKey $presets .type -}} diff --git a/charts/bitnami/zookeeper/templates/statefulset.yaml b/charts/bitnami/zookeeper/templates/statefulset.yaml index 29b49253a..82b2208de 100644 --- a/charts/bitnami/zookeeper/templates/statefulset.yaml +++ b/charts/bitnami/zookeeper/templates/statefulset.yaml @@ -74,7 +74,7 @@ spec: schedulerName: {{ .Values.schedulerName }} {{- end }} {{- if .Values.podSecurityContext.enabled }} - securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if .Values.dnsPolicy }} dnsPolicy: {{ .Values.dnsPolicy }} @@ -101,7 +101,7 @@ spec: find {{ .Values.dataLogDir }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{- end }} {{- if .Values.volumePermissions.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.volumePermissions.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} 
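Review bot: The updated comment `{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}` names an exception without stating the rule, and every preset from nano to 2xlarge gets the same `50Mi` request / `1024Mi` limit, so the exception is a fixed pair rather than a scaled one. Suggest `{{/* The limits are the requests increased by 50%; ephemeral-storage is a fixed 50Mi request / 1024Mi limit for every preset */}}` (also restoring the space before `*/}}`). Because a container that exceeds its ephemeral-storage limit is evicted, introducing a 1024Mi limit where there was none before is a behaviour change for every chart using these presets and deserves a changelog line.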
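Review bot: In the volumePermissions init container the `chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}` on the context line above still takes the numeric IDs straight from values, while the new `common.compatibility.renderSecurityContext` call drops `runAsUser`/`fsGroup` from the rendered securityContext when adaptation is active. With `adaptSecurityContext` set to `auto` or `force` on OpenShift the data directories would be chowned to 1001:<fsGroup> while the containers run under a platform-assigned UID, which may leave ownership mismatched; consider skipping the chown, or guarding it with the same condition, when the adaptation applies. The other three `renderSecurityContext` call sites in this file (@@ -74, @@ -121, @@ -185) follow the same pattern but only this hunk contains the chown.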
@@ -109,6 +109,9 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: data mountPath: /bitnami/zookeeper {{- if .Values.dataLogDir }} @@ -121,7 +124,7 @@ spec: image: {{ include "zookeeper.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} {{- end }} command: - /scripts/init-certs.sh @@ -161,6 +164,9 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: scripts mountPath: /scripts/init-certs.sh subPath: init-certs.sh @@ -185,7 +191,7 @@ spec: image: {{ template "zookeeper.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} 
@@ -416,6 +422,15 @@ spec: lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/zookeeper/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/zookeeper/logs + subPath: app-logs-dir - name: scripts mountPath: /scripts/setup.sh subPath: setup.sh @@ -447,6 +462,8 @@ spec: {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $ ) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} - name: scripts configMap: name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} diff --git a/charts/bitnami/zookeeper/values.yaml b/charts/bitnami/zookeeper/values.yaml index 7e394fc86..99a66e4bf 100644 --- a/charts/bitnami/zookeeper/values.yaml +++ b/charts/bitnami/zookeeper/values.yaml @@ -19,6 +19,15 @@ global: ## imagePullSecrets: [] storageClass: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## @section Common parameters ## @@ -76,7 +85,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/zookeeper - tag: 3.9.1-debian-11-r8 + tag: 3.9.2-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
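Review bot: The new `empty-dir` volume is declared as `emptyDir: {}` with no `sizeLimit`, and it now backs `/tmp`, `/opt/bitnami/zookeeper/conf` and `/opt/bitnami/zookeeper/logs` of the main container via `subPath`, so anything written to the logs directory consumes node ephemeral storage bounded only by whatever ephemeral-storage limit the container happens to have. Consider `emptyDir: { sizeLimit: <value> }` or a comment stating that logs are expected on stdout. These writable mounts read like groundwork for `containerSecurityContext.readOnlyRootFilesystem: true`, which this commit leaves at `false` in values.yaml; if enabling it is the goal, saying so in the changelog would help.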
@@ -343,6 +352,7 @@ podSecurityContext: ## @param containerSecurityContext.enabled Enabled containers' Security Context ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param containerSecurityContext.privileged Set container's Security Context privileged ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem @@ -354,6 +364,7 @@ containerSecurityContext: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false readOnlyRootFilesystem: false @@ -749,7 +760,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r96 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/cert-manager/cert-manager/Chart.yaml b/charts/cert-manager/cert-manager/Chart.yaml index 9e635a610..7758c567b 100644 --- a/charts/cert-manager/cert-manager/Chart.yaml +++ b/charts/cert-manager/cert-manager/Chart.yaml @@ -10,7 +10,7 @@ annotations: catalog.cattle.io/namespace: cert-manager catalog.cattle.io/release-name: cert-manager apiVersion: v1 -appVersion: v1.14.2 +appVersion: v1.14.4 description: A Helm chart for cert-manager home: https://github.com/cert-manager/cert-manager icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png @@ -27,4 +27,4 @@ maintainers: name: cert-manager sources: - https://github.com/cert-manager/cert-manager -version: v1.14.2 +version: v1.14.4 
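Review bot: `containerSecurityContext.runAsGroup: 0` makes the root group the primary group of the zookeeper process, so together with `runAsUser: 1001` any path in the image that is group-writable for GID 0 becomes writable by the service. The `## @param` line added above only says "Set containers' Security Context runAsGroup" and gives no reason for defaulting to 0 rather than a dedicated GID (presumably to mirror the OpenShift arbitrary-UID model, where processes run with GID 0, so that file permissions behave the same on both platforms); a one-line rationale next to the default, e.g. `## Defaults to 0 so permissions match the OpenShift arbitrary-UID/GID-0 model on every platform`, would stop a future reader from "fixing" it. The README table row in the earlier hunk should carry the same wording.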
diff --git a/charts/cert-manager/cert-manager/README.md b/charts/cert-manager/cert-manager/README.md index 8f4096b06..9c1a485cc 100644 --- a/charts/cert-manager/cert-manager/README.md +++ b/charts/cert-manager/cert-manager/README.md @@ -19,7 +19,7 @@ Before installing the chart, you must first install the cert-manager CustomResou This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources. ```bash -$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.2/cert-manager.crds.yaml +$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml ``` To install the chart with the release name `my-release`: @@ -29,7 +29,7 @@ To install the chart with the release name `my-release`: $ helm repo add jetstack https://charts.jetstack.io ## Install the cert-manager helm chart -$ helm install my-release --namespace cert-manager --version v1.14.2 jetstack/cert-manager +$ helm install my-release --namespace cert-manager --version v1.14.4 jetstack/cert-manager ``` In order to begin issuing certificates, you will need to set up a ClusterIssuer @@ -65,7 +65,7 @@ If you want to completely uninstall cert-manager from your cluster, you will als delete the previously installed CustomResourceDefinition resources: ```console -$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.2/cert-manager.crds.yaml +$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml ``` ## Configuration diff --git a/charts/clastix/kamaji/Chart.yaml b/charts/clastix/kamaji/Chart.yaml index df1341fe9..d4c5097a2 100644 --- a/charts/clastix/kamaji/Chart.yaml +++ b/charts/clastix/kamaji/Chart.yaml 
@@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21.0-0' catalog.cattle.io/release-name: kamaji apiVersion: v2 -appVersion: v0.4.1 +appVersion: v0.4.2 description: Kamaji is a Kubernetes Control Plane Manager. home: https://github.com/clastix/kamaji icon: https://github.com/clastix/kamaji/raw/master/assets/logo-colored.png @@ -20,4 +20,4 @@ name: kamaji sources: - https://github.com/clastix/kamaji type: application -version: 0.14.1 +version: 0.15.1 diff --git a/charts/clastix/kamaji/README.md b/charts/clastix/kamaji/README.md index 70e77a0b7..0e808dda6 100644 --- a/charts/clastix/kamaji/README.md +++ b/charts/clastix/kamaji/README.md @@ -1,6 +1,6 @@ # kamaji -![Version: 0.14.1](https://img.shields.io/badge/Version-0.14.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.1](https://img.shields.io/badge/AppVersion-v0.4.1-informational?style=flat-square) +![Version: 0.15.1](https://img.shields.io/badge/Version-0.15.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.2](https://img.shields.io/badge/AppVersion-v0.4.2-informational?style=flat-square) Kamaji is a Kubernetes Control Plane Manager. 
@@ -66,6 +66,8 @@ Here the values you can override: | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | Kubernetes affinity rules to apply to Kamaji controller pods | +| cfssl.image.repository | string | `"cfssl/cfssl"` | | +| cfssl.image.tag | string | `"latest"` | | | datastore.basicAuth.passwordSecret.keyPath | string | `nil` | The Secret key where the data is stored. | | datastore.basicAuth.passwordSecret.name | string | `nil` | The name of the Secret containing the password used to connect to the relational database. | | datastore.basicAuth.passwordSecret.namespace | string | `nil` | The namespace of the Secret containing the password used to connect to the relational database. | diff --git a/charts/clastix/kamaji/templates/etcd_job_preinstall.yaml b/charts/clastix/kamaji/templates/etcd_job_preinstall.yaml index 834e29732..3344a58a5 100644 --- a/charts/clastix/kamaji/templates/etcd_job_preinstall.yaml +++ b/charts/clastix/kamaji/templates/etcd_job_preinstall.yaml @@ -19,7 +19,7 @@ spec: restartPolicy: Never initContainers: - name: cfssl - image: cfssl/cfssl:latest + image: "{{ .Values.cfssl.image.repository }}:{{ .Values.cfssl.image.tag }}" command: - bash - -c diff --git a/charts/clastix/kamaji/values.yaml b/charts/clastix/kamaji/values.yaml index 6dc584db2..814f2aa90 100644 --- a/charts/clastix/kamaji/values.yaml +++ b/charts/clastix/kamaji/values.yaml @@ -214,3 +214,8 @@ datastore: namespace: # -- Key of the Secret which contains the content of the private key. keyPath: + +cfssl: + image: + repository: cfssl/cfssl + tag: latest \ No newline at end of file diff --git a/charts/cloudcasa/cloudcasa/Chart.yaml b/charts/cloudcasa/cloudcasa/Chart.yaml index 244059317..d6194e8aa 100644 --- a/charts/cloudcasa/cloudcasa/Chart.yaml +++ b/charts/cloudcasa/cloudcasa/Chart.yaml 
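Review bot: Parameterising the cfssl image is an improvement, but the default stays `tag: latest`, so the pre-install job that generates the etcd certificates pulls a mutable image; `cfssl.image.tag` should default to a fixed release tag (or the template should accept a digest value and render an `@sha256:` reference when set) so the certificate tooling is reproducible and auditable. The new keys in values.yaml have no `# -- ` helm-docs comments, which is why the README rows `cfssl.image.repository` / `cfssl.image.tag` have empty Description cells; adding e.g. `# -- Repository of the cfssl image used by the etcd pre-install job` fixes both. values.yaml also ends without a trailing newline (`\ No newline at end of file`).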
@@ -1,12 +1,12 @@ annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: CloudCasa - catalog.cattle.io/kube-version: '>=1.17.0-0' + catalog.cattle.io/kube-version: '>=1.20.0-0' catalog.cattle.io/release-name: cloudcasa apiVersion: v2 -appVersion: 3.4.1 -description: CloudCasa backup service for Kubernetes and cloud native applications. - Offering CloudCasa Pro and CloudCasa for Velero services. +appVersion: 3.1.0 +description: CloudCasa backup service for Kubernetes and cloud-native applications. + Offering CloudCasa Pro and CloudCasa Velero management services. home: https://cloudcasa.io icon: https://partner-charts.rancher.io/assets/logos/cloudcasa.png keywords: @@ -16,9 +16,9 @@ keywords: - catalogic - cloudcasa - velero -kubeVersion: '>=1.17.0-0' +kubeVersion: '>=1.20.0-0' maintainers: - email: support@cloudcasa.io - name: catalogicsoftware + name: CloudCasa Support name: cloudcasa -version: 3.4.1 +version: 3.4.2 diff --git a/charts/cloudcasa/cloudcasa/README.md b/charts/cloudcasa/cloudcasa/README.md index 3e9867624..fca4c6f41 100644 --- a/charts/cloudcasa/cloudcasa/README.md +++ b/charts/cloudcasa/cloudcasa/README.md 
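Review bot: `appVersion` moves backwards from `3.4.1` to `3.1.0` while `version` moves forward to `3.4.2`; that is consistent with the `amds-kagent:3.1.0-prod` image used in cluster-register.yaml, but a decreasing appVersion is easy to read as a typo, so a short explanation in the chart changelog or description would help. The raised `kubeVersion: '>=1.20.0-0'` is duplicated in the `catalog.cattle.io/kube-version` annotation, which is fine as long as both stay in sync.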
@@ -4,59 +4,49 @@ # Introduction -CloudCasa is a SaaS data protection, recovery, and migration solution for Kubernetes. Configuration is quick and easy, and the basic service is free. +CloudCasa is a SaaS data protection, disaster recovery, migration, and replication solution for Kubernetes and cloud-native applications. Configuration is quick and easy, and basic service is free. CloudCasa provides two types of backup services for Kubernetes: -* **CloudCasa for Velero** provides centralized management and monitoring, guided recovery, and commercial support for existing Velero backup installations. * **CloudCasa Pro** provides centralized backup services for large, complex, multi-cluster, multi-cloud, and hybrid cloud environments. It includes multi-cloud account integration, managed backup storage, and advanced cross-cloud recovery. +* **CloudCasa Velero Management** provides centralized management and monitoring, guided recovery, and commercial support for existing Velero backup installations. -Whether you are managing existing Velero installations or using the advanced Pro features, with CloudCasa you don’t need to be a storage or data protection expert to back up and restore your Kubernetes clusters. +Whether you are managing existing Velero installations or using the advanced Pro features, with CloudCasa you don't need to be a storage or data protection expert to back up and restore your Kubernetes clusters. This Helm chart installs and configures the CloudCasa agent on a Kubernetes cluster. See the CloudCasa [Getting Started Guide](https://cloudcasa.io/get-started) for more information. ## Prerequisites -1. Kubernetes 1.17+ +1. Kubernetes 1.20+ 2. Helm 3.0+ ## Installation - -### Rancher Installation (Apps & Marketplace) - -1. Log in to https://home.cloudcasa.io and add your Kubernetes cluster under the Protection tab. Note the returned cluster ID. -2. Go to Apps & Marketplace in the Rancher UI. 
In the Chart section, check the Partners checkbox and click on the CloudCasa chart. -3. Provide a Name (e.g. CloudCasa) and optional description. -4. In the CloudCasa Configuration section, provide the Cluster ID obtained above. -5. Click on the Install button to complete installation of the agent. -6. Click on Upgrade version to upgrade the existing helmchart. -**Note**: Validate the existence of four CRDS viz. volumesnapshotlocations.velero.io, volumesnapshotcontents.snapshot.storage.k8s.io, volumesnapshots.snapshot.storage.k8s.io and volumesnapshotclasses.snapshot.storage.k8s.io. If any one of the crds doesnt exist, execute the edit/upgrade operation. - -### Helm CLI Installation +### Installing the CloudCasa Agent 1. Log in to https://home.cloudcasa.io and add your Kubernetes cluster under the Protection tab. Note the returned cluster ID. -2. Execute the following helm commands, replacing `````` with the Cluster ID obtained above: +2. Add the CloudCasa Helm repo to your Helm configuration, if it hasn't been added already. + ``` + $ helm repo add cloudcasa-repo https://catalogicsoftware.github.io/cloudcasa-helmchart + ``` +3. To install the agent, execute the following helm commands, replacing `````` with the Cluster ID obtained above: ``` - $ helm repo add cloudcasa-repo https://catalogicsoftware.github.io/cloudcasa-helmchart - $ helm install cloudcasa.io cloudcasa-repo/cloudcasa --set cluster_id= + $ helm repo update + $ helm install cloudcasa cloudcasa-repo/cloudcasa --set cluster_id= ``` This will install the CloudCasa agent and complete registration of the cluster with the CloudCasa service. ## Updating the CloudCasa Agent -1. Log in to https://home.cloudcasa.io and obtain the cluster ID for your cluster by selecting it under the Protection tab. -2. Execute the following commands to update the agent: +1. Log in to https://home.cloudcasa.io and obtain the cluster ID for your cluster by selecting it under the Protection tab. 
You can also obtain the current setting for it with the command ```helm get values cloudcasa```. +2. Execute the following commands to update the agent, replacing `````` with the Cluster ID obtained above: ``` $ helm repo update - $ helm upgrade cloudcasa.io cloudcasa-repo/cloudcasa --set cluster_id= + $ helm upgrade cloudcasa cloudcasa-repo/cloudcasa --set cluster_id= ``` -**Note**: Validate the existence of four CRDS viz. volumesnapshotlocations.velero.io, volumesnapshotcontents.snapshot.storage.k8s.io, volumesnapshots.snapshot.storage.k8s.io and volumesnapshotclasses.snapshot.storage.k8s.io. If any one of the crds doesnt exist, again execute the upgrade command. - ## Uninstalling the CloudCasa Agent 1. Execute the following commands to uninstall CloudCasa. ``` - $ helm uninstall cloudcasa.io - $ kubectl delete namespace/cloudcasa-io clusterrolebinding/cloudcasa-io + $ helm uninstall cloudcasa ``` *CloudCasa is a trademark of Catalogic Software Inc.* diff --git a/charts/cloudcasa/cloudcasa/templates/NOTES.txt b/charts/cloudcasa/cloudcasa/templates/NOTES.txt index c6a308b44..087f3e4d9 100644 --- a/charts/cloudcasa/cloudcasa/templates/NOTES.txt +++ b/charts/cloudcasa/cloudcasa/templates/NOTES.txt 
@@ -1,5 +1,10 @@ ------Please be patient while the chart is being deployed----- +Please be patient while the CloudCasa agent is being deployed. It may take several minutes. -Tip: Watch the App deployment status using the command: kubectl/oc get pods -n cloudcasa-io +The agent is configured with cluster ID: {{ .Values.cluster_id }} + +Once the agent completes startup, the state shown for the cluster in the CloudCasa Clusters/Overview +page (https://home.cloudcasa.io/clusters/overview) will change to "Active". +If the cluster stays in the "Registered" or "Pending" state, you may have provided the wrong ClusterID. + +You can check the agent deployment status using the command: kubectl get pods -n cloudcasa-io -Monitor the Cloudcasa UI, the registered cluster should be moved to Ready State. If the cluster is still in Pending state, wrong ClusterID would have been provided. diff --git a/charts/cloudcasa/cloudcasa/templates/cluster-register.yaml b/charts/cloudcasa/cloudcasa/templates/cluster-register.yaml index 44bf193a9..d8770563d 100644 --- a/charts/cloudcasa/cloudcasa/templates/cluster-register.yaml +++ b/charts/cloudcasa/cloudcasa/templates/cluster-register.yaml 
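Review bot: `The agent is configured with cluster ID: {{ .Values.cluster_id }}` prints whatever the user supplied, including the empty default from values.yaml, so a forgotten `--set cluster_id=` shows a blank ID instead of a clear error. A guard such as `{{- if not .Values.cluster_id }}WARNING: cluster_id is empty; the agent cannot register this cluster.{{- end }}` in NOTES.txt, or `required "cluster_id must be set" .Values.cluster_id` in cluster-register.yaml where the value is consumed, would surface the mistake at install time rather than as a cluster stuck in "Registered"/"Pending".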
@@ -1,22 +1,15 @@ -# Manifest created on 2023-04-3 -# ----------------------------------------------------------------------- -# Steps to delete CloudCasa from the cluster are: -# ----------------------------------------------------------------------- -# kubectl delete namespace/cloudcasa-io clusterrolebinding/cloudcasa-io -# kubectl delete crds -l component=kubeagent_backup_helper -# ----------------------------------------------------------------------- - +--- +# This list contains the CloudCasa Agent Manager and RBAC resources +# required to deploy the Cloudcasa agent. apiVersion: v1 kind: List -# This list contains Cloudcasa Agent Manager and RBAC resources -# required to deploy the Cloudcasa Kube Agent +metadata: + name: cloudcasa-agent items: {{- if not (lookup "v1" "Namespace" "cloudcasa-io" "cloudcasa-io") }} - apiVersion: v1 kind: Namespace metadata: - annotations: - "helm.sh/resource-policy": keep creationTimestamp: null labels: component: kubeagent-backup-helper @@ -66,7 +59,7 @@ items: app: cloudcasa-kubeagent-manager spec: containers: - - image: catalogicsoftware/amds-kagent:3.1.0-prod.230 + - image: catalogicsoftware/amds-kagent:3.1.0-prod args: ["/usr/local/bin/kubeagentmanager", "--server_addr", "agent.cloudcasa.io:443", "--tls", "true"] name: kubeagentmanager resources: @@ -87,7 +80,7 @@ items: - name: AMDS_CLUSTER_ID value: {{ .Values.cluster_id }} - name: KUBEMOVER_IMAGE - value: catalogicsoftware/amds-kagent:3.1.0-prod.230 + value: catalogicsoftware/amds-kagent:3.1.0-prod - name: DEPLOYMENT_PLATFORM {{ if (lookup "v1" "Namespace" "" "cattle-system") }} value: "rancher" @@ -104,4 +97,3 @@ items: volumes: - emptyDir: {} name: scratch ---- diff --git a/charts/cloudcasa/cloudcasa/values.yaml b/charts/cloudcasa/cloudcasa/values.yaml index 90f712b35..f0295c514 100644 --- a/charts/cloudcasa/cloudcasa/values.yaml +++ b/charts/cloudcasa/cloudcasa/values.yaml 
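Review bot: The image reference is loosened from `catalogicsoftware/amds-kagent:3.1.0-prod.230` to `catalogicsoftware/amds-kagent:3.1.0-prod` in both the container `image:` and the `KUBEMOVER_IMAGE` env value (@@ -66 and @@ -87), so the agent deployed by this chart is whatever build the tag points to at pull time rather than a fixed one; since this list also installs the RBAC the agent runs with, a fixed build number or an `@sha256:` digest reference is preferable for reproducibility and for auditing what actually ran. Dropping the `helm.sh/resource-policy: keep` annotation from the Namespace changes uninstall behaviour (the namespace now goes away with the release), which matches the rewritten README but deserves a changelog line. The `lookup` guard around the Namespace returns nothing under `helm template` or `--dry-run`, so rendered output there will always include the namespace; a comment saying so would save confusion.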
@@ -1,4 +1,4 @@ -## Please, note that this will override the parameters, including dependencies, configured to use the global value +## Please note that this will override the parameters, including dependencies, configured to use the global value. -## Cloudcasa AMDS Cluster ID. To be provided by the user. +## CloudCasa Cluster ID. To be provided by the user. cluster_id: "" diff --git a/charts/cockroach-labs/cockroachdb/Chart.yaml b/charts/cockroach-labs/cockroachdb/Chart.yaml index 6b4d8a8a9..51f7a6dec 100644 --- a/charts/cockroach-labs/cockroachdb/Chart.yaml +++ b/charts/cockroach-labs/cockroachdb/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.8-0' catalog.cattle.io/release-name: cockroachdb apiVersion: v1 -appVersion: 23.2.1 +appVersion: 23.2.2 description: CockroachDB is a scalable, survivable, strongly-consistent SQL database. home: https://www.cockroachlabs.com icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png @@ -14,4 +14,4 @@ maintainers: name: cockroachdb sources: - https://github.com/cockroachdb/cockroach -version: 12.0.1 +version: 12.0.2 diff --git a/charts/cockroach-labs/cockroachdb/README.md b/charts/cockroach-labs/cockroachdb/README.md index 51188679c..07d438772 100644 --- a/charts/cockroach-labs/cockroachdb/README.md +++ b/charts/cockroach-labs/cockroachdb/README.md 
@@ -229,10 +229,10 @@ kubectl get pods \ ``` ``` -my-release-cockroachdb-0 cockroachdb/cockroach:v23.2.1 -my-release-cockroachdb-1 cockroachdb/cockroach:v23.2.1 -my-release-cockroachdb-2 cockroachdb/cockroach:v23.2.1 -my-release-cockroachdb-3 cockroachdb/cockroach:v23.2.1 +my-release-cockroachdb-0 cockroachdb/cockroach:v23.2.2 +my-release-cockroachdb-1 cockroachdb/cockroach:v23.2.2 +my-release-cockroachdb-2 cockroachdb/cockroach:v23.2.2 +my-release-cockroachdb-3 cockroachdb/cockroach:v23.2.2 ``` Resume normal operations. Once you are comfortable that the stability and performance of the cluster is what you'd expect post-upgrade, finalize the upgrade: @@ -316,7 +316,7 @@ For details see the [`values.yaml`](values.yaml) file. | `conf.store.size` | CockroachDB storage size | `""` | | `conf.store.attrs` | CockroachDB storage attributes | `""` | | `image.repository` | Container image name | `cockroachdb/cockroach` | -| `image.tag` | Container image tag | `v23.2.1` | +| `image.tag` | Container image tag | `v23.2.2` | | `image.pullPolicy` | Container pull policy | `IfNotPresent` | | `image.credentials` | `registry`, `user` and `pass` credentials to pull private image | `{}` | | `statefulset.replicas` | StatefulSet replicas number | `3` | diff --git a/charts/cockroach-labs/cockroachdb/templates/job.init.yaml b/charts/cockroach-labs/cockroachdb/templates/job.init.yaml index 3e61d88a3..a4f498a15 100644 --- a/charts/cockroach-labs/cockroachdb/templates/job.init.yaml +++ b/charts/cockroach-labs/cockroachdb/templates/job.init.yaml @@ -49,7 +49,7 @@ spec: {{- end }} {{- end }} restartPolicy: OnFailure - terminationGracePeriodSeconds: 0 + terminationGracePeriodSeconds: 300 {{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }} imagePullSecrets: {{- if .Values.image.credentials }} 
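Review bot: `terminationGracePeriodSeconds` jumps from 0 to 300 here and from 60 to 300 in statefulset.yaml (next hunk), but neither hunk says why five minutes is the right window; the statefulset comment still reads `a SIGTERM plus some time is all that's needed for graceful shutdown of a node`, which gives the next maintainer nothing to reason from. A short addition such as `# 300s: <reason the longer drain window is needed>` next to the value would anchor it. For the one-shot init job the change also means a hung pod now takes up to five minutes to delete, which is worth a sentence in the changelog.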
diff --git a/charts/cockroach-labs/cockroachdb/templates/statefulset.yaml b/charts/cockroach-labs/cockroachdb/templates/statefulset.yaml index ad34211af..a627c3516 100644 --- a/charts/cockroach-labs/cockroachdb/templates/statefulset.yaml +++ b/charts/cockroach-labs/cockroachdb/templates/statefulset.yaml @@ -148,7 +148,7 @@ spec: {{- end }} # No pre-stop hook is required, a SIGTERM plus some time is all that's # needed for graceful shutdown of a node. - terminationGracePeriodSeconds: 60 + terminationGracePeriodSeconds: 300 containers: - name: db image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" diff --git a/charts/cockroach-labs/cockroachdb/values.yaml b/charts/cockroach-labs/cockroachdb/values.yaml index e402b958d..7c757022b 100644 --- a/charts/cockroach-labs/cockroachdb/values.yaml +++ b/charts/cockroach-labs/cockroachdb/values.yaml @@ -7,7 +7,7 @@ fullnameOverride: "" image: repository: cockroachdb/cockroach - tag: v23.2.1 + tag: v23.2.2 pullPolicy: IfNotPresent credentials: {} # registry: docker.io diff --git a/charts/crate/crate-operator/Chart.lock b/charts/crate/crate-operator/Chart.lock index 2b905577e..145a1593c 100644 --- a/charts/crate/crate-operator/Chart.lock +++ b/charts/crate/crate-operator/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: crate-operator-crds repository: file://../crate-operator-crds - version: 2.35.0 -digest: sha256:a67a1a3d07ce8276d9ab9eb2722b72213317802d33670ad1ba804944689a3087 -generated: "2024-02-15T09:09:42.445977198Z" + version: 2.38.1 +digest: sha256:147fae70bea115a4061056f76d174b8a89bdbf7585e28bf86e2f8e5e10ed7865 +generated: "2024-03-14T09:07:58.874121656Z" diff --git a/charts/crate/crate-operator/Chart.yaml b/charts/crate/crate-operator/Chart.yaml index 278ea0a2f..3ae8d7888 100644 --- a/charts/crate/crate-operator/Chart.yaml +++ b/charts/crate/crate-operator/Chart.yaml 
@@ -3,16 +3,16 @@ annotations: catalog.cattle.io/display-name: CrateDB Operator catalog.cattle.io/release-name: crate-operator apiVersion: v2 -appVersion: 2.35.0 +appVersion: 2.38.1 dependencies: - condition: crate-operator-crds.enabled name: crate-operator-crds repository: file://./charts/crate-operator-crds - version: 2.35.0 + version: 2.38.1 description: Crate Operator - Helm chart for installing and upgrading Crate Operator. icon: https://raw.githubusercontent.com/crate/crate/master/docs/_static/crate-logo.svg maintainers: - name: Crate.io name: crate-operator type: application -version: 2.35.0 +version: 2.38.1 diff --git a/charts/crate/crate-operator/charts/crate-operator-crds/Chart.yaml b/charts/crate/crate-operator/charts/crate-operator-crds/Chart.yaml index 4667b7a5d..ca2dfe69e 100644 --- a/charts/crate/crate-operator/charts/crate-operator-crds/Chart.yaml +++ b/charts/crate/crate-operator/charts/crate-operator-crds/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: 2.35.0 +appVersion: 2.38.1 description: Crate Operator CRDs - Helm chart for installing and upgrading Custom Resource Definitions (CRDs) for the Crate Operator. maintainers: - name: Crate.io name: crate-operator-crds type: application -version: 2.35.0 +version: 2.38.1 diff --git a/charts/crowdstrike/falcon-sensor/Chart.yaml b/charts/crowdstrike/falcon-sensor/Chart.yaml index 7ef5bc4bc..c73f3746f 100644 --- a/charts/crowdstrike/falcon-sensor/Chart.yaml +++ b/charts/crowdstrike/falcon-sensor/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>1.22.0-0' catalog.cattle.io/release-name: falcon-sensor apiVersion: v2 -appVersion: 1.25.3 +appVersion: 1.26.1 description: A Helm chart to deploy CrowdStrike Falcon sensors into Kubernetes clusters. home: https://crowdstrike.com icon: https://raw.githubusercontent.com/CrowdStrike/falcon-helm/main/images/crowdstrike-logo.svg 
@@ -24,4 +24,4 @@ name: falcon-sensor sources: - https://github.com/CrowdStrike/falcon-helm type: application -version: 1.25.3 +version: 1.26.1 diff --git a/charts/crowdstrike/falcon-sensor/templates/node_priorityclass.yaml b/charts/crowdstrike/falcon-sensor/templates/node_priorityclass.yaml index 23a3e080c..2f4181a2e 100644 --- a/charts/crowdstrike/falcon-sensor/templates/node_priorityclass.yaml +++ b/charts/crowdstrike/falcon-sensor/templates/node_priorityclass.yaml @@ -1,5 +1,5 @@ {{- if .Values.node.enabled }} -{{- if and .Values.node.daemonset.priorityClassCreate (or .Values.node.daemonset.priorityClassName .Values.node.gke.autopilot) }} +{{- if or .Values.node.daemonset.priorityClassCreate .Values.node.gke.autopilot }} apiVersion: scheduling.k8s.io/v1 kind: PriorityClass metadata: diff --git a/charts/datadog/datadog-operator/CHANGELOG.md b/charts/datadog/datadog-operator/CHANGELOG.md index 8780ca9ac..32d28b7aa 100644 --- a/charts/datadog/datadog-operator/CHANGELOG.md +++ b/charts/datadog/datadog-operator/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## 1.5.1 + +* Add configuration for Operator flag `introspectionEnabled`: this parameter is used to enable the Introspection. It is disabled by default. + ## 1.5.0 * Update Datadog Operator version to 1.4.0. diff --git a/charts/datadog/datadog-operator/Chart.yaml b/charts/datadog/datadog-operator/Chart.yaml index 8b046ad21..1abf00508 100644 --- a/charts/datadog/datadog-operator/Chart.yaml +++ b/charts/datadog/datadog-operator/Chart.yaml @@ -26,4 +26,4 @@ name: datadog-operator sources: - https://app.datadoghq.com/account/settings#agent/kubernetes - https://github.com/DataDog/datadog-agent -version: 1.5.0 +version: 1.5.1 diff --git a/charts/datadog/datadog-operator/README.md b/charts/datadog/datadog-operator/README.md index 94d05f939..75e029d94 100644 --- a/charts/datadog/datadog-operator/README.md +++ b/charts/datadog/datadog-operator/README.md 
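Review bot: In node_priorityclass.yaml the new condition `{{- if or .Values.node.daemonset.priorityClassCreate .Values.node.gke.autopilot }}` creates the cluster-scoped PriorityClass on GKE Autopilot even when `priorityClassCreate` is false, and it drops the previous requirement that `priorityClassName` be set. If `metadata.name` below (outside the hunk) is rendered from `priorityClassName`, an unset value now yields a PriorityClass without a name instead of skipping the resource. Either keep the name guard, e.g. `{{- if and (or .Values.node.daemonset.priorityClassCreate .Values.node.gke.autopilot) .Values.node.daemonset.priorityClassName }}`, or document in values.yaml that Autopilot forces creation of this resource regardless of `priorityClassCreate`.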
@@ -1,6 +1,6 @@ # Datadog Operator -![Version: 1.5.0](https://img.shields.io/badge/Version-1.5.0-informational?style=flat-square) ![AppVersion: 1.4.0](https://img.shields.io/badge/AppVersion-1.4.0-informational?style=flat-square) +![Version: 1.5.1](https://img.shields.io/badge/Version-1.5.1-informational?style=flat-square) ![AppVersion: 1.4.0](https://img.shields.io/badge/AppVersion-1.4.0-informational?style=flat-square) ## Values @@ -33,6 +33,7 @@ | image.tag | string | `"1.4.0"` | Define the Datadog Operator version to use | | imagePullSecrets | list | `[]` | Datadog Operator repository pullSecret (ex: specify docker registry credentials) | | installCRDs | bool | `true` | Set to true to deploy the Datadog's CRDs | +| introspection.enabled | bool | `false` | If true, enables introspection feature (beta). Requires v1.4.0+ | | logLevel | string | `"info"` | Set Datadog Operator log level (debug, info, error, panic, fatal) | | maximumGoroutines | string | `nil` | Override default goroutines threshold for the health check failure. | | metricsPort | int | `8383` | Port used for OpenMetrics endpoint | diff --git a/charts/datadog/datadog-operator/templates/deployment.yaml b/charts/datadog/datadog-operator/templates/deployment.yaml index a8de14218..0c2b45f7f 100644 --- a/charts/datadog/datadog-operator/templates/deployment.yaml +++ b/charts/datadog/datadog-operator/templates/deployment.yaml @@ -107,6 +107,9 @@ spec: {{- end }} {{- if and .Values.maximumGoroutines (semverCompare ">=1.0.0-rc.13" .Values.image.tag) }} - "-maximumGoroutines={{ .Values.maximumGoroutines }}" + {{- end }} + {{- if (semverCompare ">=1.4.0" .Values.image.tag) }} + - "-introspectionEnabled={{ .Values.introspection.enabled }}" {{- end }} - "-datadogMonitorEnabled={{ .Values.datadogMonitor.enabled }}" {{- if (semverCompare ">=1.0.0-rc.13" .Values.image.tag) }} diff --git a/charts/datadog/datadog-operator/values.yaml b/charts/datadog/datadog-operator/values.yaml index 15ecc5a3c..af9863a35 100644 
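Review bot: In deployment.yaml the guard `{{- if (semverCompare ">=1.4.0" .Values.image.tag) }}` differs from the sibling guard two lines above, which uses a prerelease-aware bound (`>=1.0.0-rc.13`); with the semver library Helm uses, a constraint without a prerelease suffix does not match prerelease tags, so an `image.tag` such as a `1.5.0-rc.1` build silently omits `-introspectionEnabled`. If prerelease operator images should honour `introspection.enabled`, write the guard as `{{- if (semverCompare ">=1.4.0-0" .Values.image.tag) }}`, the same `-0` idiom this repository already uses for `catalog.cattle.io/kube-version`. The surrounding args list starts and ends outside the hunk.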
--- a/charts/datadog/datadog-operator/values.yaml +++ b/charts/datadog/datadog-operator/values.yaml @@ -56,6 +56,11 @@ fullnameOverride: "" logLevel: "info" # maximumGoroutines -- Override default goroutines threshold for the health check failure. maximumGoroutines: + + +introspection: +# introspection.enabled -- If true, enables introspection feature (beta). Requires v1.4.0+ + enabled: false # supportExtendedDaemonset -- If true, supports using ExtendedDaemonSet CRD supportExtendedDaemonset: "false" # operatorMetricsEnabled -- Enable forwarding of Datadog Operator metrics and events to Datadog. diff --git a/charts/datadog/datadog/CHANGELOG.md b/charts/datadog/datadog/CHANGELOG.md index d7a0dda5f..28cc6e271 100644 --- a/charts/datadog/datadog/CHANGELOG.md +++ b/charts/datadog/datadog/CHANGELOG.md @@ -1,5 +1,13 @@ # Datadog changelog +## 3.57.3 + +* Exclude agent, cluster agent and agent clusterchecks pods from injection from the admission controller. + +## 3.57.2 + +* Add `networkpolicies` default permission for the cluster agent. + ## 3.57.1 * Allow configuring CWS security profile based auto suppression feature and enable it by default. diff --git a/charts/datadog/datadog/Chart.yaml b/charts/datadog/datadog/Chart.yaml index ec7e331a6..9e661fdcf 100644 --- a/charts/datadog/datadog/Chart.yaml +++ b/charts/datadog/datadog/Chart.yaml @@ -19,4 +19,4 @@ name: datadog sources: - https://app.datadoghq.com/account/settings#agent/kubernetes - https://github.com/DataDog/datadog-agent -version: 3.57.1 +version: 3.57.3 diff --git a/charts/datadog/datadog/README.md b/charts/datadog/datadog/README.md index eee03e8cd..8a283120a 100644 --- a/charts/datadog/datadog/README.md +++ b/charts/datadog/datadog/README.md 
@@ -1,6 +1,6 @@ # Datadog -![Version: 3.57.1](https://img.shields.io/badge/Version-3.57.1-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.57.3](https://img.shields.io/badge/Version-3.57.3-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). diff --git a/charts/datadog/datadog/templates/agent-clusterchecks-deployment.yaml b/charts/datadog/datadog/templates/agent-clusterchecks-deployment.yaml index edcbfaf26..d845f4756 100644 --- a/charts/datadog/datadog/templates/agent-clusterchecks-deployment.yaml +++ b/charts/datadog/datadog/templates/agent-clusterchecks-deployment.yaml @@ -27,6 +27,7 @@ spec: labels: {{ include "datadog.template-labels" . | indent 8 }} app.kubernetes.io/component: clusterchecks-agent + admission.datadoghq.com/enabled: "false" app: {{ template "datadog.fullname" . }}-clusterchecks {{- if .Values.clusterChecksRunner.additionalLabels }} {{ toYaml .Values.clusterChecksRunner.additionalLabels | indent 8 }} diff --git a/charts/datadog/datadog/templates/cluster-agent-deployment.yaml b/charts/datadog/datadog/templates/cluster-agent-deployment.yaml index 636649ee1..d0bc7b0d3 100644 --- a/charts/datadog/datadog/templates/cluster-agent-deployment.yaml +++ b/charts/datadog/datadog/templates/cluster-agent-deployment.yaml 
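Review bot: In agent-clusterchecks-deployment.yaml the fixed label `admission.datadoghq.com/enabled: "false"` is emitted into the same mapping as `{{ toYaml .Values.clusterChecksRunner.additionalLabels | indent 8 }}`, so a user who already sets that label through `additionalLabels` now renders a mapping with a duplicate key, which Helm's YAML decoder rejects at render time. Skipping the fixed line when the user map carries the key, e.g. `{{- if not (hasKey (default dict .Values.clusterChecksRunner.additionalLabels) "admission.datadoghq.com/enabled") }}`, avoids the collision while keeping the default opt-out. The same pattern is in the cluster-agent-deployment.yaml hunk (against `clusterAgent.podLabels`) and the daemonset.yaml pod-template hunk (against `agents.podLabels`).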
@@ -38,6 +38,7 @@ spec: labels: {{ include "datadog.template-labels" . | indent 8 }} app.kubernetes.io/component: cluster-agent + admission.datadoghq.com/enabled: "false" app: {{ template "datadog.fullname" . }}-cluster-agent {{- if .Values.clusterAgent.podLabels }} {{ toYaml .Values.clusterAgent.podLabels | indent 8 }} diff --git a/charts/datadog/datadog/templates/cluster-agent-rbac.yaml b/charts/datadog/datadog/templates/cluster-agent-rbac.yaml index 975098c8e..a414f640f 100644 --- a/charts/datadog/datadog/templates/cluster-agent-rbac.yaml +++ b/charts/datadog/datadog/templates/cluster-agent-rbac.yaml @@ -171,6 +171,7 @@ rules: - networking.k8s.io resources: - ingresses + - networkpolicies verbs: - list - get diff --git a/charts/datadog/datadog/templates/daemonset.yaml b/charts/datadog/datadog/templates/daemonset.yaml index 5aba67ff2..15c75d96b 100644 --- a/charts/datadog/datadog/templates/daemonset.yaml +++ b/charts/datadog/datadog/templates/daemonset.yaml @@ -9,7 +9,6 @@ metadata: labels: {{ include "datadog.labels" . | indent 4 }} app.kubernetes.io/component: agent - admission.datadoghq.com/enabled: "false" {{- if .Values.agents.additionalLabels }} {{ toYaml .Values.agents.additionalLabels | indent 4 }} {{- end }} @@ -30,6 +29,7 @@ spec: labels: {{ include "datadog.template-labels" . | indent 8 }} app.kubernetes.io/component: agent + admission.datadoghq.com/enabled: "false" app: {{ template "datadog.fullname" . }} {{- if .Values.agents.podLabels }} {{ toYaml .Values.agents.podLabels | indent 8 }} diff --git a/charts/dell/csi-vxflexos/Chart.yaml b/charts/dell/csi-vxflexos/Chart.yaml index 640eae0a2..8a87d74cd 100644 --- a/charts/dell/csi-vxflexos/Chart.yaml +++ b/charts/dell/csi-vxflexos/Chart.yaml 
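Review bot: In cluster-agent-rbac.yaml the new `networkpolicies` entry widens the cluster agent's ClusterRole for every install, and the CHANGELOG line for 3.57.2 does not say which feature reads NetworkPolicies; the verbs list also runs past the hunk, so whether it stays read-only is not visible here. If a specific feature consumes them, gate the entry on that feature's value and name it in the changelog, e.g. `* Add `networkpolicies` read permission for the cluster agent (required by <feature>).`, so reviewers of a least-privilege audit can tie the grant to a consumer. The enclosing rule block starts outside the hunk.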
@@ -5,7 +5,7 @@ annotations: catalog.cattle.io/namespace: vxflexos catalog.cattle.io/release-name: vxflexos apiVersion: v2 -appVersion: 2.9.1 +appVersion: 2.9.2 description: 'VxFlex OS CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a VxFlex OS StorageClass. ' @@ -19,4 +19,4 @@ maintainers: name: csi-vxflexos sources: - https://github.com/dell/csi-vxflexos -version: 2.9.1 +version: 2.9.2 diff --git a/charts/dell/csi-vxflexos/templates/node.yaml b/charts/dell/csi-vxflexos/templates/node.yaml index 80c898dc7..a45a6c843 100644 --- a/charts/dell/csi-vxflexos/templates/node.yaml +++ b/charts/dell/csi-vxflexos/templates/node.yaml @@ -297,6 +297,8 @@ spec: mountPath: /storage - name: udev-d mountPath: /rules.d + - name: host-opt-emc-path + mountPath: /host_opt_emc_path {{- end }} initContainers: - name: sdc @@ -325,6 +327,8 @@ spec: mountPath: /host-os-release - name: sdc-storage mountPath: /storage + - name: host-opt-emc-path + mountPath: /host_opt_emc_path - name: udev-d mountPath: /rules.d - name: scaleio-path-opt @@ -370,6 +374,10 @@ spec: hostPath: path: /etc/os-release type: File + - name: host-opt-emc-path + hostPath: + path: /opt/emc + type: Directory - name: vxflexos-config secret: secretName: {{ .Release.Name }}-config diff --git a/charts/dell/csi-vxflexos/values.yaml b/charts/dell/csi-vxflexos/values.yaml index 94fcfbc04..0e3847534 100644 --- a/charts/dell/csi-vxflexos/values.yaml +++ b/charts/dell/csi-vxflexos/values.yaml 
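Review bot: In node.yaml the new `host-opt-emc-path` volume exposes the node's `/opt/emc` read-write to both the container patched at line 297 and the `sdc` init container, with no `readOnly: true` on either mount. Which of the two writes there is not visible in the hunk; whichever only reads should get `readOnly: true` so a compromised driver container cannot modify node-level files under `/opt/emc`. `type: Directory` also makes the pod fail to start on nodes where `/opt/emc` does not exist yet; if the init container is what creates it, `type: DirectoryOrCreate` is the intended type, and either way a comment on the volume should say which component owns that directory.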
@@ -3,14 +3,14 @@ # "version" is used to verify the values file matches driver version # Not recommend to change -version: v2.9.1 +version: v2.9.2 # "images" defines every container images used for the driver and its sidecars. # To use your own images, or a private registry, change the values here. images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-vxflexos:v2.9.1 + driver: dellemc/csi-vxflexos:v2.9.2 # "powerflexSdc" defines the SDC image for init container. powerflexSdc: dellemc/sdc:4.5 # CSI sidecars diff --git a/charts/haproxy/haproxy/Chart.yaml b/charts/haproxy/haproxy/Chart.yaml index 19e418346..e93debc55 100644 --- a/charts/haproxy/haproxy/Chart.yaml +++ b/charts/haproxy/haproxy/Chart.yaml @@ -1,14 +1,12 @@ annotations: artifacthub.io/changes: | - - Allow setting hostIP for daemonset (#220) - - Add missing permissions for v1 CRDs (#222) - - Use Ingress Controller 1.10.11 version for base image + - Use Ingress Controller 1.11.0 version for base image catalog.cattle.io/certified: partner catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: haproxy apiVersion: v2 -appVersion: 1.10.11 +appVersion: 1.11.0 description: A Helm chart for HAProxy Kubernetes Ingress Controller home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png @@ -23,4 +21,4 @@ name: haproxy sources: - https://github.com/haproxytech/kubernetes-ingress type: application -version: 1.37.0 +version: 1.38.2 diff --git a/charts/haproxy/haproxy/templates/NOTES.txt b/charts/haproxy/haproxy/templates/NOTES.txt index 6028ea0dc..6927cf890 100644 --- a/charts/haproxy/haproxy/templates/NOTES.txt +++ b/charts/haproxy/haproxy/templates/NOTES.txt 
@@ -22,16 +22,51 @@ Service ports mapped are: - name: {{ $key }} containerPort: {{ $value }} protocol: TCP +{{- end }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP {{- end }} {{- end }} {{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} {{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} {{- range $key, $value := .Values.controller.containerPort }} - name: {{ $key }} containerPort: {{ $value }} protocol: TCP +{{- if $useHostPort }} hostPort: {{ index $hostPorts $key | default $value }} {{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ .port }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} {{- end }} Node IP can be found with: diff --git a/charts/haproxy/haproxy/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/templates/controller-daemonset.yaml index 56b082ace..1c8594c5e 100644 --- a/charts/haproxy/haproxy/templates/controller-daemonset.yaml +++ b/charts/haproxy/haproxy/templates/controller-daemonset.yaml 
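Review bot: The new DaemonSet quic entry renders `hostPort: {{ .Values.controller.daemonset.hostPorts.https }}` with no fallback, whereas the TCP loop above it resolves `hostPort: {{ index $hostPorts $key | default $value }}`; when `hostPorts.https` is unset the quic line prints an empty `hostPort:` while https itself falls back to its container port. The same mismatch is in the controller-daemonset.yaml hunk, where it reaches the real pod spec rather than a notice. Use `hostPort: {{ index $hostPorts "https" | default .Values.controller.containerPort.https }}` in both places (assuming the daemonset template defines `$hostPorts` as NOTES.txt does).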
@@ -101,6 +101,8 @@ spec: - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} - --http-bind-port={{ .Values.controller.containerPort.http }} - --https-bind-port={{ .Values.controller.containerPort.https }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} {{- if .Values.controller.ingressClass }} - --ingress.class={{ .Values.controller.ingressClass }} {{- end }} @@ -147,6 +149,15 @@ spec: hostIP: {{ $hostIP }} {{- end }} {{- end }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} {{- range .Values.controller.service.tcpPorts }} - name: {{ .name }}-tcp containerPort: {{ .port }} diff --git a/charts/haproxy/haproxy/templates/controller-deployment.yaml b/charts/haproxy/haproxy/templates/controller-deployment.yaml index 71753220e..990f70c14 100644 --- a/charts/haproxy/haproxy/templates/controller-deployment.yaml +++ b/charts/haproxy/haproxy/templates/controller-deployment.yaml @@ -101,6 +101,8 @@ spec: - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} - --http-bind-port={{ .Values.controller.containerPort.http }} - --https-bind-port={{ .Values.controller.containerPort.https }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} {{- if .Values.controller.ingressClass }} - --ingress.class={{ .Values.controller.ingressClass }} {{- end }} 
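Review bot: `--quic-bind-port` and `--quic-announce-port` are added to the controller args unconditionally, and the `quic` UDP containerPort is likewise unconditional, while the Service only exposes UDP when `controller.service.enablePorts.quic` is true. With that value false the controller still binds UDP on the https container port and, assuming `--quic-announce-port` drives the advertised alternative-service port, tells clients about a port the Service does not expose; the only opt-out is the commented `--disable-quic` extra arg in values.yaml. Wrapping the two args and the port entry in `{{- if .Values.controller.service.enablePorts.quic }}` keeps pod and Service consistent. The same applies to both controller-deployment.yaml hunks; the args list and ports list start outside the hunk.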
@@ -141,6 +143,9 @@ spec: containerPort: {{ $value }} protocol: TCP {{- end }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP {{- range .Values.controller.service.tcpPorts }} - name: {{ .name }}-tcp containerPort: {{ .targetPort }} diff --git a/charts/haproxy/haproxy/templates/controller-service.yaml b/charts/haproxy/haproxy/templates/controller-service.yaml index 3afc7c516..d6b4b71d1 100644 --- a/charts/haproxy/haproxy/templates/controller-service.yaml +++ b/charts/haproxy/haproxy/templates/controller-service.yaml @@ -67,6 +67,18 @@ spec: nodePort: {{ .Values.controller.service.nodePorts.https }} {{- end }} {{- end }} + {{- if .Values.controller.service.enablePorts.quic }} + - name: quic + port: {{ .Values.controller.service.ports.https }} + protocol: UDP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.quic }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} {{- if .Values.controller.service.enablePorts.stat }} - name: stat port: {{ .Values.controller.service.ports.stat }} @@ -119,5 +131,8 @@ spec: loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} {{- end }} +{{- if .Values.controller.service.loadBalancerClass}} + loadBalancerClass: "{{ .Values.controller.service.loadBalancerClass }}" +{{- end }} {{- end }} {{- end }} diff --git a/charts/haproxy/haproxy/values.yaml b/charts/haproxy/haproxy/values.yaml index 71b04ee79..b3bdb0181 100644 --- a/charts/haproxy/haproxy/values.yaml +++ b/charts/haproxy/haproxy/values.yaml 
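Review bot: In controller-service.yaml the quic port turns the Service into a mixed TCP/UDP port set whenever `enablePorts.quic` is true, which values.yaml now defaults to; for `type: LoadBalancer` that is accepted only where the MixedProtocolLBService feature gate is on (on by default from Kubernetes 1.24, GA in 1.26), yet Chart.yaml still declares `catalog.cattle.io/kube-version: '>=1.22.0-0'`, so on 1.22/1.23 clusters the upgrade is rejected at Service validation. Either raise the declared kube-version, default `quic` to false, or gate the port on `{{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }}` as the `appProtocol` line already does for 1.20. Reusing `nodePorts.https` for the UDP port should be fine since nodePort uniqueness is per protocol, but a comment saying so would save the next reader a check.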
@@ -18,9 +18,9 @@ podSecurityPolicy: annotations: {} ## Specify pod annotations - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl ## # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default @@ -154,7 +154,7 @@ controller: scheme: HTTP ## IngressClass: - ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class @@ -317,6 +317,12 @@ controller: # - --namespace-whitelist=default # - --namespace-whitelist=namespace1 # - --namespace-blacklist=namespace2 + # - --disable-ipv4 + # - --disable-ipv6 + # - --disable-http + # - --disable-https + # - --disable-quic + # - --sync-period=10s ## Custom configuration for Controller ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation @@ -398,6 +404,7 @@ controller: enablePorts: http: true https: true + quic: true stat: true prometheus: true @@ -406,6 +413,7 @@ controller: targetPorts: http: http https: https + quic: quic stat: stat prometheus: prometheus 
@@ -420,7 +428,7 @@ controller: ## Set external traffic policy ## Default is "Cluster", setting it to "Local" preserves source IP - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + ## ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer # externalTrafficPolicy: "Local" ## Expose service via external IPs that route to one or more cluster nodes @@ -431,9 +439,13 @@ controller: loadBalancerIP: "" ## Source IP ranges permitted to access Network Load Balancer - # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ loadBalancerSourceRanges: [] + ## Class of load balancer implementation + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: null + ## Service ClusterIP ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ # clusterIP: "" diff --git a/charts/hashicorp/consul/Chart.yaml b/charts/hashicorp/consul/Chart.yaml index 545c08aef..481e83302 100644 --- a/charts/hashicorp/consul/Chart.yaml +++ b/charts/hashicorp/consul/Chart.yaml @@ -1,11 +1,11 @@ annotations: artifacthub.io/images: | - name: consul - image: hashicorp/consul:1.17.3 + image: hashicorp/consul:1.18.0 - name: consul-k8s-control-plane - image: hashicorp/consul-k8s-control-plane:1.3.3 + image: hashicorp/consul-k8s-control-plane:1.4.0 - name: consul-dataplane - image: hashicorp/consul-dataplane:1.3.3 + image: hashicorp/consul-dataplane:1.4.0 - name: envoy image: envoyproxy/envoy:v1.25.11 artifacthub.io/license: MPL-2.0 
@@ -25,7 +25,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: consul apiVersion: v2 -appVersion: 1.17.3 +appVersion: 1.18.0 description: Official HashiCorp Consul Chart home: https://www.consul.io icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png @@ -34,4 +34,4 @@ name: consul sources: - https://github.com/hashicorp/consul - https://github.com/hashicorp/consul-k8s -version: 1.3.3 +version: 1.4.0 diff --git a/charts/hashicorp/consul/README.md b/charts/hashicorp/consul/README.md index e7d7fd928..a0a9929ed 100644 --- a/charts/hashicorp/consul/README.md +++ b/charts/hashicorp/consul/README.md @@ -42,7 +42,7 @@ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). The following pre-requisites must be met before installing Consul on Kubernetes. - * **Kubernetes 1.23.x - 1.26.x** - This represents the earliest versions of Kubernetes tested. + * **Kubernetes 1.26.x - 1.29.x** - This represents the earliest versions of Kubernetes tested. It is possible that this chart works with earlier versions, but it is untested. * Helm install diff --git a/charts/hashicorp/consul/templates/_helpers.tpl b/charts/hashicorp/consul/templates/_helpers.tpl index bb2da193f..ca87485a7 100644 --- a/charts/hashicorp/consul/templates/_helpers.tpl +++ b/charts/hashicorp/consul/templates/_helpers.tpl 
@@ -189,24 +189,27 @@ Expand the name of the chart. {{- end -}} {{/* -Compute the maximum number of unavailable replicas for the PodDisruptionBudget. -This defaults to (n/2)-1 where n is the number of members of the server cluster. -Special case of replica equaling 3 and allowing a minor disruption of 1 otherwise -use the integer value -Add a special case for replicas=1, where it should default to 0 as well. +Calculate max number of server pods that are allowed to be voluntarily disrupted. +When there's 1 server, this is set to 0 because this pod should not be disrupted. This is an edge +case and I'm not sure it makes a difference when there's only one server but that's what the previous config was and +I don't want to change it for this edge case. +Otherwise we've changed this to always be 1 as part of the move to set leave_on_terminate +to true. With leave_on_terminate set to true, whenever a server pod is stopped, the number of peers in raft +is reduced. If the number of servers is odd and the count is reduced by 1, the quorum size doesn't change, +but if it's reduced by more than 1, the quorum size can change so that's why this is now always hardcoded to 1. */}} -{{- define "consul.pdb.maxUnavailable" -}} +{{- define "consul.server.pdb.maxUnavailable" -}} {{- if eq (int .Values.server.replicas) 1 -}} {{ 0 }} {{- else if .Values.server.disruptionBudget.maxUnavailable -}} {{ .Values.server.disruptionBudget.maxUnavailable -}} {{- else -}} -{{- if eq (int .Values.server.replicas) 3 -}} -{{- 1 -}} -{{- else -}} -{{- sub (div (int .Values.server.replicas) 2) 1 -}} +{{ 1 }} {{- end -}} {{- end -}} + +{{- define "consul.server.autopilotMinQuorum" -}} +{{- add (div (int .Values.server.replicas) 2) 1 -}} {{- end -}} {{- define "consul.pdb.connectInject.maxUnavailable" -}} 
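Review bot: The new comment on `consul.server.pdb.maxUnavailable` is written in first person ("I'm not sure", "I don't want to change it") and reads as a pull-request discussion rather than template documentation; rewrite it in neutral voice, e.g. `Returns 0 when server.replicas is 1 so the single server is never voluntarily disrupted; otherwise returns 1, because with leave_on_terminate=true each stopped server shrinks the raft peer set and losing more than one at a time can change the quorum size.` It should also state that `server.disruptionBudget.maxUnavailable` still overrides this, so a user setting it above 1 opts out of that protection. Renaming the helper from `consul.pdb.maxUnavailable` breaks any template or user override still calling the old name; the callers are outside this hunk.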
@@ -448,10 +451,10 @@ Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} */}} {{- define "consul.validateTelemetryCollectorCloud" -}} {{- if (and .Values.telemetryCollector.cloud.clientId.secretName (and (not .Values.global.cloud.clientSecret.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} -{{fail "When telemetryCollector.cloud.clientId.secretName is set, telemetryCollector.cloud.clientSecret.secretName must also be set."}} +{{fail "When telemetryCollector.cloud.clientId.secretName is set, telemetryCollector.cloud.clientSecret.secretName must also be set." }} {{- end }} {{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (and (not .Values.global.cloud.clientId.secretName) (not .Values.telemetryCollector.cloud.clientId.secretName))) }} -{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, telemetryCollector.cloud.clientId.secretName must also be set."}} +{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, telemetryCollector.cloud.clientId.secretName must also be set." }} {{- end }} {{- end }} 
@@ -511,8 +514,8 @@ Usage: {{ template "consul.validateResourceAPIs" . }} {{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.peering.enabled ) }} {{fail "When the value global.experiments.resourceAPIs is set, global.peering.enabled is currently unsupported."}} {{- end }} -{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.adminPartitions.enabled ) }} -{{fail "When the value global.experiments.resourceAPIs is set, global.adminPartitions.enabled is currently unsupported."}} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) (not (mustHas "v2tenancy" .Values.global.experiments)) .Values.global.adminPartitions.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.experiments.v2tenancy must also be set to support global.adminPartitions.enabled."}} {{- end }} {{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.federation.enabled ) }} {{fail "When the value global.experiments.resourceAPIs is set, global.federation.enabled is currently unsupported."}} @@ -529,9 +532,6 @@ Usage: {{ template "consul.validateResourceAPIs" . }} {{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.syncCatalog.enabled ) }} {{fail "When the value global.experiments.resourceAPIs is set, syncCatalog.enabled is currently unsupported."}} {{- end }} -{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.meshGateway.enabled ) }} -{{fail "When the value global.experiments.resourceAPIs is set, meshGateway.enabled is currently unsupported."}} -{{- end }} {{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ingressGateways.enabled ) }} {{fail "When the value global.experiments.resourceAPIs is set, ingressGateways.enabled is currently unsupported."}} {{- end }} 
diff --git a/charts/hashicorp/consul/templates/connect-inject-clusterrole.yaml b/charts/hashicorp/consul/templates/connect-inject-clusterrole.yaml index 250663794..c6845870b 100644 --- a/charts/hashicorp/consul/templates/connect-inject-clusterrole.yaml +++ b/charts/hashicorp/consul/templates/connect-inject-clusterrole.yaml @@ -96,8 +96,12 @@ rules: - apiGroups: - mesh.consul.hashicorp.com resources: + - gatewayclassconfigs + - gatewayclasses + - meshconfigurations - grpcroutes - httproutes + - meshgateways - tcproutes - proxyconfigurations verbs: @@ -111,14 +115,42 @@ rules: - apiGroups: - mesh.consul.hashicorp.com resources: + - gatewayclassconfigs/status + - gatewayclasses/status + - meshconfigurations/status - grpcroutes/status - httproutes/status + - meshgateways/status - tcproutes/status - proxyconfigurations/status verbs: - get - patch - update +- apiGroups: + - multicluster.consul.hashicorp.com + resources: + - exportedservices + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - multicluster.consul.hashicorp.com + resources: + - exportedservices/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch {{- end }} - apiGroups: [ "" ] resources: [ "secrets", "serviceaccounts", "endpoints", "services", "namespaces", "nodes" ] diff --git a/charts/hashicorp/consul/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/templates/connect-inject-deployment.yaml index 13c69e83a..1565e9281 100644 --- a/charts/hashicorp/consul/templates/connect-inject-deployment.yaml +++ b/charts/hashicorp/consul/templates/connect-inject-deployment.yaml @@ -157,6 +157,9 @@ spec: {{- if (mustHas "resource-apis" .Values.global.experiments) }} -enable-resource-apis=true \ {{- end }} + {{- if (mustHas "v2tenancy" .Values.global.experiments) }} + -enable-v2tenancy=true \ + {{- end }} {{- range $k, $v := .Values.connectInject.consulNode.meta }} -node-meta={{ $k }}={{ $v }} \ {{- end }} 
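Review bot: In connect-inject-clusterrole.yaml the new `exportedservices/status` rule grants `create`, `delete`, `list` and `watch`, but a status subresource only serves `get`, `patch` and `update`; the sibling `mesh.consul.hashicorp.com` status rule in the same hunk grants exactly those three, so the multicluster status block should match it and drop the extra verbs rather than carry a copy of the main-resource verb list. The `{{- if ... }}` that guards these rules starts outside the hunk.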
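Review bot: In connect-inject-deployment.yaml `-enable-v2tenancy=true` is passed whenever `v2tenancy` is in `global.experiments`, but nothing visible requires `resource-apis` alongside it; the `consul.validateResourceAPIs` change in the _helpers.tpl hunk only checks that adminPartitions with resource-apis also has v2tenancy, not the reverse. If v2 tenancy has no meaning without the resource APIs, add to that helper `{{- if (and (mustHas "v2tenancy" .Values.global.experiments) (not (mustHas "resource-apis" .Values.global.experiments))) }}{{ fail "When the value global.experiments.v2tenancy is set, global.experiments.resourceAPIs must also be set." }}{{- end }}`. The args block continues outside the hunk.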
diff --git a/charts/hashicorp/consul/templates/crd-apigateways.yaml b/charts/hashicorp/consul/templates/crd-apigateways.yaml new file mode 100644 index 000000000..755fb05b6 --- /dev/null +++ b/charts/hashicorp/consul/templates/crd-apigateways.yaml 
@@ -0,0 +1,240 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: apigateways.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: APIGateway + listKind: APIGatewayList + plural: apigateways + singular: apigateway + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: APIGateway is the Schema for the API Gateway + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + gatewayClassName: + description: GatewayClassName is the name of the GatewayClass used + by the APIGateway + type: string + listeners: + items: + properties: + hostname: + description: Hostname is the host name that a listener should + be bound to, if unspecified, the listener accepts requests + for all hostnames. + type: string + name: + description: Name is the name of the listener in a given gateway. + This must be unique within a gateway. + type: string + port: + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: Protocol is the protocol that a listener should + use, it must either be "http" or "tcp" + type: string + tls: + description: TLS is the TLS settings for the listener. + properties: + certificates: + description: Certificates is a set of references to certificates + that a gateway listener uses for TLS termination. + items: + description: Reference identifies which resource a condition + relates to, when it is not the core resource itself. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the + resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list resources + across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. 
https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list resources + across all partitions." + type: string + peerName: + description: "PeerName identifies which peer the + resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list resources + across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes are + made to the group's resource types. + type: string + kind: + description: Kind identifies the specific resource + type within the group. + type: string + type: object + type: object + type: array + tlsParameters: + description: TLSParameters contains optional configuration + for running TLS termination. 
+ properties: + cipherSuites: + items: + enum: + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_GCM_SHA256 + - TLS_CIPHER_SUITE_AES256_SHA + - TLS_CIPHER_SUITE_ECDHE_ECDSA_CHACHA20_POLY1305 + - TLS_CIPHER_SUITE_ECDHE_RSA_AES128_GCM_SHA256 + - TLS_CIPHER_SUITE_ECDHE_RSA_CHACHA20_POLY1305 + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_SHA + - TLS_CIPHER_SUITE_ECDHE_RSA_AES128_SHA + - TLS_CIPHER_SUITE_AES128_GCM_SHA256 + - TLS_CIPHER_SUITE_AES128_SHA + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_GCM_SHA384 + - TLS_CIPHER_SUITE_ECDHE_RSA_AES256_GCM_SHA384 + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_SHA + - TLS_CIPHER_SUITE_ECDHE_RSA_AES256_SHA + - TLS_CIPHER_SUITE_AES256_GCM_SHA384 + format: int32 + type: string + type: array + maxVersion: + enum: + - TLS_VERSION_AUTO + - TLS_VERSION_1_0 + - TLS_VERSION_1_1 + - TLS_VERSION_1_2 + - TLS_VERSION_1_3 + - TLS_VERSION_INVALID + - TLS_VERSION_UNSPECIFIED + format: int32 + type: string + minVersion: + enum: + - TLS_VERSION_AUTO + - TLS_VERSION_1_0 + - TLS_VERSION_1_1 + - TLS_VERSION_1_2 + - TLS_VERSION_1_3 + - TLS_VERSION_INVALID + - TLS_VERSION_UNSPECIFIED + format: int32 + type: string + type: object + type: object + type: object + minItems: 1 + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. 
+ type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-exportedservices-v1.yaml b/charts/hashicorp/consul/templates/crd-exportedservices-v1.yaml new file mode 100644 index 000000000..081a2b0cf --- /dev/null +++ b/charts/hashicorp/consul/templates/crd-exportedservices-v1.yaml 
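Review bot: `spec.listeners[].protocol` is described as having to be "http" or "tcp" but the schema leaves it an unconstrained `type: string`, so the API server accepts any value and rejection is deferred to the controller; the matching `enum: [http, tcp]` is missing. In the same listener schema, `tlsParameters.cipherSuites`, `minVersion` and `maxVersion` carry `format: int32` on `type: string` enum fields, which is contradictory, and the enums admit `TLS_VERSION_1_0`, `TLS_VERSION_1_1`, `TLS_VERSION_INVALID` and the non-forward-secret `TLS_CIPHER_SUITE_AES128_SHA`/`TLS_CIPHER_SUITE_AES256_SHA`, so operators should not rely on the CRD to reject weak listener settings. The file is controller-gen output (`controller-gen.kubebuilder.io/version: v0.12.1`), so these belong in the upstream type markers and a re-vendor rather than a hand edit to the chart.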
@@ -0,0 +1,139 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: exportedservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + shortNames: + - exported-services + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the exportedservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExportedServicesSpec defines the desired state of ExportedServices. + properties: + services: + description: Services is a list of services to be exported and the + list of partitions to expose them to. + items: + description: ExportedService manages the exporting of a service + in the local partition to other partitions. + properties: + consumers: + description: Consumers is a list of downstream consumers of + the service to be exported. + items: + description: ServiceConsumer represents a downstream consumer + of the service to be exported. + properties: + partition: + description: Partition is the admin partition to export + the service to. + type: string + peer: + description: Peer is the name of the peer to export the + service to. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness + group to export the service to. + type: string + type: object + type: array + name: + description: Name is the name of the service to be exported. + type: string + namespace: + description: Namespace is the namespace to export the service + from. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. 
+ type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-exportedservices.yaml b/charts/hashicorp/consul/templates/crd-exportedservices.yaml index 081a2b0cf..6613e3da7 100644 --- a/charts/hashicorp/consul/templates/crd-exportedservices.yaml +++ b/charts/hashicorp/consul/templates/crd-exportedservices.yaml @@ -10,15 +10,13 @@ metadata: heritage: {{ .Release.Service }} release: {{ .Release.Name }} component: crd - name: exportedservices.consul.hashicorp.com + name: exportedservices.multicluster.consul.hashicorp.com spec: - group: consul.hashicorp.com + group: multicluster.consul.hashicorp.com names: kind: ExportedServices listKind: ExportedServicesList plural: exportedservices - shortNames: - - exported-services singular: exportedservices scope: Namespaced versions: @@ -35,10 +33,10 @@ spec: jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha1 + name: v2 schema: openAPIV3Schema: - description: ExportedServices is the Schema for the exportedservices API + description: ExportedServices is the Schema for the Exported Services API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
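Review bot: After the first hunk of `crd-exportedservices.yaml`, two CRDs in the chart share `plural: exportedservices` — this one under `multicluster.consul.hashicorp.com` and `crd-exportedservices-v1.yaml` under `consul.hashicorp.com` — so a bare `kubectl get exportedservices` resolves by discovery priority and may silently read or apply to the other group, while the removed `exported-services` shortName now points only at the v1 CRD. Any scripts or docs in the chart should use the qualified form `exportedservices.multicluster.consul.hashicorp.com`, and a line in the chart's upgrade notes stating that the two CRDs coexist and are not migrated between each other would save operators a surprise.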
@@ -53,44 +51,15 @@ spec: metadata: type: object spec: - description: ExportedServicesSpec defines the desired state of ExportedServices. properties: - services: - description: Services is a list of services to be exported and the - list of partitions to expose them to. + consumers: items: - description: ExportedService manages the exporting of a service - in the local partition to other partitions. - properties: - consumers: - description: Consumers is a list of downstream consumers of - the service to be exported. - items: - description: ServiceConsumer represents a downstream consumer - of the service to be exported. - properties: - partition: - description: Partition is the admin partition to export - the service to. - type: string - peer: - description: Peer is the name of the peer to export the - service to. - type: string - samenessGroup: - description: SamenessGroup is the name of the sameness - group to export the service to. - type: string - type: object - type: array - name: - description: Name is the name of the service to be exported. - type: string - namespace: - description: Namespace is the namespace to export the service - from. - type: string type: object + x-kubernetes-preserve-unknown-fields: true + type: array + services: + items: + type: string type: array type: object status: diff --git a/charts/hashicorp/consul/templates/crd-gatewayclassconfigs-v1.yaml b/charts/hashicorp/consul/templates/crd-gatewayclassconfigs-v1.yaml new file mode 100644 index 000000000..130db72a2 --- /dev/null +++ b/charts/hashicorp/consul/templates/crd-gatewayclassconfigs-v1.yaml 
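Review bot: The new `spec.consumers` items are `type: object` with `x-kubernetes-preserve-unknown-fields: true` and no `properties`, so the API server no longer validates consumer entries at all — a misspelled `peer`, `partition` or `samenessGroup` key (the fields of the removed v1alpha1 schema) is stored without error and only surfaces, if at all, in controller logs. Because ExportedServices governs which peers and partitions may reach a service, silently accepting malformed consumers is a misconfiguration risk worth closing: if the v2 consumer shape is fixed, list its `properties` and drop the preserve-unknown-fields escape hatch; if it is intentionally open, keep the flag but restore a `description` on `consumers` and `services` saying what an entry is, since every description was removed in this hunk. `services` also changed from name/namespace objects to plain strings, so a `description` stating the expected string form (and a `pattern` if one applies) would help.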
@@ -0,0 +1,201 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclassconfigs.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayClassConfig defines the values that may be set on a GatewayClass + for Consul API Gateway. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClassConfig. + properties: + copyAnnotations: + description: Annotation Information to copy to services or deployments + properties: + service: + description: List of annotations to copy to the gateway service. + items: + type: string + type: array + type: object + deployment: + description: Deployment defines the deployment configuration for the + gateway. 
+ properties: + defaultInstances: + default: 1 + description: Number of gateway instances that should be deployed + by default + format: int32 + maximum: 8 + minimum: 1 + type: integer + maxInstances: + default: 8 + description: Max allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + minInstances: + default: 1 + description: Minimum allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + resources: + description: Resources defines the resource requirements for the + gateway. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + mapPrivilegedContainerPorts: + description: The value to add to privileged ports ( ports < 1024) + for gateway containers + format: int32 + type: integer + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + pod to fit on a node. Selector which must match a node''s labels + for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + openshiftSCCName: + description: The name of the OpenShift SecurityContextConstraints + resource for this gateway class to use. + type: string + podSecurityPolicy: + description: The name of an existing Kubernetes PodSecurityPolicy + to bind to the managed ServiceAccount if ACLs are managed. + type: string + serviceType: + description: Service Type string describes ingress methods for a service + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + description: 'Tolerations allow the scheduler to schedule nodes with + matching taints. 
More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-gatewayclassconfigs.yaml b/charts/hashicorp/consul/templates/crd-gatewayclassconfigs.yaml index 130db72a2..93effd843 100644 --- a/charts/hashicorp/consul/templates/crd-gatewayclassconfigs.yaml +++ b/charts/hashicorp/consul/templates/crd-gatewayclassconfigs.yaml 
@@ -10,9 +10,9 @@ metadata: heritage: {{ .Release.Service }} release: {{ .Release.Name }} component: crd - name: gatewayclassconfigs.consul.hashicorp.com + name: gatewayclassconfigs.mesh.consul.hashicorp.com spec: - group: consul.hashicorp.com + group: mesh.consul.hashicorp.com names: kind: GatewayClassConfig listKind: GatewayClassConfigList @@ -20,11 +20,15 @@ spec: singular: gatewayclassconfig scope: Cluster versions: - - name: v1alpha1 + - additionalPrinterColumns: + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 schema: openAPIV3Schema: - description: GatewayClassConfig defines the values that may be set on a GatewayClass - for Consul API Gateway. + description: GatewayClassConfig is the Schema for the Mesh Gateway API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
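Review bot: In the second hunk the new `openAPIV3Schema.description` reads `GatewayClassConfig is the Schema for the Mesh Gateway API`, which names a different resource than the CRD it sits in (`kind: GatewayClassConfig`) and looks copied from the MeshGateway type; `GatewayClassConfig is the Schema for the GatewayClassConfig API` would match the wording style of the other new CRDs in this commit. Since the file is controller-gen output, the fix is the Go type comment upstream followed by a re-vendor. This version also keeps `storage: true` while `crd-gatewayclassconfigs-v1.yaml` carries the old `consul.hashicorp.com` schema as a separate CRD, so existing v1alpha1 objects are not migrated into the new group; fine if intended, but worth stating in the chart notes.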
@@ -39,163 +43,1784 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of GatewayClassConfig. + description: GatewayClassConfigSpec specifies the desired state of the + GatewayClassConfig CRD. properties: - copyAnnotations: - description: Annotation Information to copy to services or deployments + annotations: + description: Annotations are applied to the created resource properties: - service: - description: List of annotations to copy to the gateway service. + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key included + here will override those in Set if specified on the Gateway. items: type: string type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included here + will be overridden if present in InheritFromGateway and set + on the Gateway. + type: object type: object deployment: - description: Deployment defines the deployment configuration for the - gateway. + description: Deployment contains config specific to the Deployment + created from this GatewayClass properties: - defaultInstances: - default: 1 - description: Number of gateway instances that should be deployed - by default - format: int32 - maximum: 8 - minimum: 1 - type: integer - maxInstances: - default: 8 - description: Max allowed number of gateway instances - format: int32 - maximum: 8 - minimum: 1 - type: integer - minInstances: - default: 1 - description: Minimum allowed number of gateway instances - format: int32 - maximum: 8 - minimum: 1 - type: integer - resources: - description: Resources defines the resource requirements for the - gateway. + affinity: + description: Affinity specifies the affinity to use on the created + Deployment. 
properties: - claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects + (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. 
+ If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. 
due to an update), the system + may or may not try to eventually evict the pod from + its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them are + ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. 
+ If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to a pod label update), + the system may or may not try to eventually evict the + pod from its node. When there are multiple elements, + the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node that + violates one or more of the expressions. The node that + is most preferred is the one with the greatest sum of + weights, i.e. 
for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. 
+ The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the pod + will not be scheduled onto the node. If the anti-affinity + requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod + label update), the system may or may not try to eventually + evict the pod from its node. When there are multiple + elements, the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. 
+ properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + container: + description: Container contains config specific to the created + Deployment's container. + properties: + consul: + description: Consul specifies configuration for the consul-dataplane + container + properties: + logging: + description: Logging specifies the logging configuration + for Consul Dataplane + properties: + level: + description: Level sets the logging level for Consul + Dataplane (debug, info, etc.) + type: string + type: object + type: object + hostPort: + description: HostPort specifies a port to be exposed to the + external host network + format: int32 + type: integer + portModifier: + description: PortModifier specifies the value to be added + to every port value for listeners on this gateway. This + is generally used to avoid binding to privileged ports in + the container. + format: int32 + type: integer + resources: + description: Resources specifies the resource requirements + for the created Deployment's container + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. 
+ \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + dnsPolicy: + description: DNSPolicy specifies the dns policy to use. These + are set on a per pod basis. + enum: + - Default + - ClusterFirst + - ClusterFirstWithHostNet + - None + type: string + hostNetwork: + description: HostNetwork specifies whether the gateway pods should + run on the host network. 
+ type: boolean + initContainer: + description: InitContainer contains config specific to the created + Deployment's init container. + properties: + consul: + description: Consul specifies configuration for the consul-k8s-control-plane + init container + properties: + logging: + description: Logging specifies the logging configuration + for Consul Dataplane + properties: + level: + description: Level sets the logging level for Consul + Dataplane (debug, info, etc.) + type: string + type: object + type: object + resources: + description: Resources specifies the resource requirements + for the created Deployment's init container + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a feature that constrains the scheduling + of a pod to nodes that match specified labels. By defining NodeSelector + in a pod''s configuration, you can ensure that the pod is only + scheduled to nodes with the corresponding labels, providing + a way to influence the placement of workloads based on node + attributes. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: PriorityClassName specifies the priority class name + to use on the created Deployment. 
+ type: string + replicas: + description: Replicas specifies the configuration to control the + number of replicas for the created Deployment. + properties: + default: + description: Default is the number of replicas assigned to + the Deployment when created + format: int32 + type: integer + max: + description: Max is the maximum number of replicas allowed + for a gateway with this class. If the replica count exceeds + this value due to manual or automated scaling, the replica + count will be restored to this value. + format: int32 + type: integer + min: + description: Min is the minimum number of replicas allowed + for a gateway with this class. If the replica count drops + below this value due to manual or automated scaling, the + replica count will be restored to this value. + format: int32 + type: integer + type: object + securityContext: + description: SecurityContext specifies the security context for + the created Deployment's Pod. + properties: + fsGroup: + description: "A special supplemental group that applies to + all containers in a pod. Some volume types allow the Kubelet + to change the ownership of that volume to be owned by the + pod: \n 1. The owning GID will be the FSGroup 2. The setgid + bit is set (new files created in the volume will be owned + by FSGroup) 3. The permission bits are OR'd with rw-rw---- + \n If unset, the Kubelet will not modify the ownership and + permissions of any volume. Note that this field cannot be + set when spec.os.name is windows." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior of changing + ownership and permission of the volume before being exposed + inside Pod. This field will only apply to volume types which + support fsGroup based ownership(and permissions). It will + have no effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used. 
Note that + this field cannot be set when spec.os.name is windows.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. Note that this field + cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root + user. If true, the Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 (root) and fail + to start the container if it does. If unset or false, no + such validation will be performed. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata if + unspecified. May also be set in SecurityContext. If set + in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name is + windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random + SELinux context for each container. May also be set in + SecurityContext. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. 
+ type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile must + be preconfigured on the node to work. Must be a descending + path, relative to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. Valid options are: \n Localhost - a + profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile + should be used. Unconfined - no profile should be applied." + type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first process + run in each container, in addition to the container's primary + GID, the fsGroup (if specified), and group memberships defined + in the container image for the uid of the container process. + If unspecified, no additional groups are added to any container. + Note that group memberships defined in the container image + for the uid of the container process are still effective, + even if they are not included in this list. Note that this + field cannot be set when spec.os.name is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls used + for the pod. Pods with unsupported sysctls (by the container + runtime) might fail to launch. Note that this field cannot + be set when spec.os.name is windows. 
+ items: + description: Sysctl defines a kernel parameter to be set properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: Name of a property to set + type: string + value: + description: Value of a property to set type: string required: - name + - value type: object type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options within a container's + SecurityContext will be used. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. This field is + alpha-level and will only be honored by components that + enable the WindowsHostProcessContainers feature flag. 
+ Setting this field without the feature flag will result + in errors when validating the Pod. All of a Pod's containers + must have the same effective HostProcess value (it is + not allowed to have a mix of HostProcess containers + and non-HostProcess containers). In addition, if HostProcess + is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set in + PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string type: object - requests: + type: object + tolerations: + description: Tolerations specifies the tolerations to use on the + created Deployment. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). 
Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: 'TopologySpreadConstraints is a feature that controls + how pods are spead across your topology. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/' + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine + the number of pods in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
+ A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to + select the pods over which spreading will be calculated. + The keys are used to lookup values from the incoming pod + labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading + will be calculated for the incoming pod. Keys that don't + exist in the incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to which pods + may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between the number + of matching pods in the target topology and the global + minimum. The global minimum is the minimum number of matching + pods in an eligible domain or zero if the number of eligible + domains is less than MinDomains. For example, in a 3-zone + cluster, MaxSkew is set to 1, and pods with the same labelSelector + spread as 2/2/1: In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | | P P | P P | P | - + if MaxSkew is 1, incoming pod can only be scheduled to + zone3 to become 2/2/2; scheduling it onto zone1(zone2) + would make the ActualSkew(3-1) on zone1(zone2) violate + MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled + onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies that + satisfy it. It''s a required field. Default value is 1 + and 0 is not allowed.' 
+ format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum number of eligible + domains. When the number of eligible domains with matching + topology keys is less than minDomains, Pod Topology Spread + treats \"global minimum\" as 0, and then the calculation + of Skew is performed. And when the number of eligible + domains with matching topology keys equals or greater + than minDomains, this value has no effect on scheduling. + As a result, when the number of eligible domains is less + than minDomains, scheduler won't schedule more than maxSkew + Pods to those domains. If value is nil, the constraint + behaves as if MinDomains is equal to 1. Valid values are + integers greater than 0. When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. \n For example, in a 3-zone cluster, + MaxSkew is set to 2, MinDomains is set to 5 and pods with + the same labelSelector spread as 2/2/2: | zone1 | zone2 + | zone3 | | P P | P P | P P | The number of domains + is less than 5(MinDomains), so \"global minimum\" is treated + as 0. In this situation, new pod with the same labelSelector + cannot be scheduled, because computed skew will be 3(3 + - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. \n This is a beta field and requires + the MinDomainsInPodTopologySpread feature gate to be enabled + (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how we will treat + Pod's nodeAffinity/nodeSelector when calculating pod topology + spread skew. Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this value is + nil, the behavior is equivalent to the Honor policy. This + is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." 
+ type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we will treat + node taints when calculating pod topology spread skew. + Options are: - Honor: nodes without taints, along with + tainted nodes for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. All nodes + are included. \n If this value is nil, the behavior is + equivalent to the Ignore policy. This is a beta-level + feature default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node labels. Nodes + that have a label with this key and identical values are + considered to be in the same topology. We consider each + as a "bucket", and try to put balanced number + of pods into each bucket. We define a domain as a particular + instance of a topology. Also, we define an eligible domain + as a domain whose nodes meet the requirements of nodeAffinityPolicy + and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, if TopologyKey + is "topology.kubernetes.io/zone", each zone is a domain + of that topology. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal with + a pod if it doesn''t satisfy the spread constraint. - + DoNotSchedule (default) tells the scheduler not to schedule + it. - ScheduleAnyway tells the scheduler to schedule the + pod in any location, but giving higher precedence to topologies + that would help reduce the skew. A constraint is considered + "Unsatisfiable" for an incoming pod if and only if every + possible node assignment for that pod would violate "MaxSkew" + on some topology. 
For example, in a 3-zone cluster, MaxSkew + is set to 1, and pods with the same labelSelector spread + as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming + pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) + as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). + In other words, the cluster can still be imbalanced, but + scheduler won''t make it *more* imbalanced. It''s a required + field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key included + here will override those in Set if specified on the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included here + will be overridden if present in InheritFromGateway and set + on the Gateway. + type: object + type: object + role: + description: Role contains config specific to the Role created from + this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. 
+ items: + type: string + type: array + set: additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. type: object type: object type: object - mapPrivilegedContainerPorts: - description: The value to add to privileged ports ( ports < 1024) - for gateway containers - format: int32 - type: integer - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is a selector which must be true for the - pod to fit on a node. Selector which must match a node''s labels - for the pod to be scheduled on that node. 
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + roleBinding: + description: RoleBinding contains config specific to the RoleBinding + created from this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object type: object - openshiftSCCName: - description: The name of the OpenShift SecurityContextConstraints - resource for this gateway class to use. - type: string - podSecurityPolicy: - description: The name of an existing Kubernetes PodSecurityPolicy - to bind to the managed ServiceAccount if ACLs are managed. 
- type: string - serviceType: - description: Service Type string describes ingress methods for a service - enum: - - ClusterIP - - NodePort - - LoadBalancer - type: string - tolerations: - description: 'Tolerations allow the scheduler to schedule nodes with - matching taints. More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + service: + description: Service contains config specific to the Service created + from this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: + description: Type specifies the type of Service to use (LoadBalancer, + ClusterIP, etc.) 
+ enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + type: object + serviceAccount: + description: ServiceAccount contains config specific to the corev1.ServiceAccount + created from this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. items: - description: The pod this Toleration is attached to tolerates any - taint that matches the triple using the matching - operator . + description: 'Conditions define a readiness condition for a Consul + resource. 
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' properties: - effect: - description: Effect indicates the taint effect to match. Empty - means match all taint effects. When specified, allowed values - are NoSchedule, PreferNoSchedule and NoExecute. + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time type: string - key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match all - values and all keys. + message: + description: A human readable message indicating details about + the transition. type: string - operator: - description: Operator represents a key's relationship to the - value. Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod - can tolerate all taints of a particular category. + reason: + description: The reason for the condition's last transition. type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time - the toleration (which must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. By default, it - is not set, which means tolerate the taint forever (do not - evict). Zero and negative values will be treated as 0 (evict - immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + status: + description: Status of the condition, one of True, False, Unknown. type: string + type: + description: Type of condition. 
+ type: string + required: + - status + - type type: object type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string type: object type: object served: true storage: true + subresources: + status: {} {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-gatewayclasses-external.yaml b/charts/hashicorp/consul/templates/crd-gatewayclasses-external.yaml index 391637b5f..93435b7fc 100644 --- a/charts/hashicorp/consul/templates/crd-gatewayclasses-external.yaml +++ b/charts/hashicorp/consul/templates/crd-gatewayclasses-external.yaml @@ -1,21 +1,18 @@ {{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} component: crd - gateway.networking.k8s.io/bundle-version: v0.6.2 - gateway.networking.k8s.io/channel: experimental - creationTimestamp: null name: gatewayclasses.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io diff --git a/charts/hashicorp/consul/templates/crd-gatewayclasses.yaml b/charts/hashicorp/consul/templates/crd-gatewayclasses.yaml new file mode 100644 index 000000000..70763f910 --- /dev/null +++ b/charts/hashicorp/consul/templates/crd-gatewayclasses.yaml 
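Review bot: The new side drops the `# Copyright (c) HashiCorp, Inc.` / `# SPDX-License-Identifier: MPL-2.0` header from this vendored CRD template with no replacement, so the file no longer carries a license identifier; the same removal is repeated in the crd-gateways-external, crd-grpcroutes-external and crd-httproutes-external hunks below, so one decision (keep the header, or record why it was removed in the commit description) should cover all four. Moving `gateway.networking.k8s.io/bundle-version` and `gateway.networking.k8s.io/channel` from `labels` to `annotations` matches where the upstream bundle places them, but the collapsed layout here hides indentation, so confirm that the added `creationTimestamp: null` sits at the `metadata` level and not inside `annotations`, where it would become a malformed annotation rather than a metadata field. Since `creationTimestamp: null` is only a serializer artifact, it can be left out of a Helm template entirely.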
@@ -0,0 +1,122 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclasses.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GatewayClass is the Schema for the Gateway Class API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + controllerName: + description: ControllerName is the name of the Kubernetes controller + that manages Gateways of this class + type: string + description: + description: Description of GatewayClass + type: string + parametersRef: + description: ParametersRef refers to a resource responsible for configuring + the behavior of the GatewayClass. 
+ properties: + group: + description: The Kubernetes Group that the referred object belongs + to + type: string + kind: + description: The Kubernetes Kind that the referred object is + type: string + name: + description: The Name of the referred object + type: string + namespace: + description: The kubernetes namespace that the referred object + is in + type: string + required: + - name + type: object + required: + - controllerName + - parametersRef + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-gateways-external.yaml b/charts/hashicorp/consul/templates/crd-gateways-external.yaml index ab56d4f5f..41df34942 100644 --- a/charts/hashicorp/consul/templates/crd-gateways-external.yaml +++ b/charts/hashicorp/consul/templates/crd-gateways-external.yaml 
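Review bot: `parametersRef` is required, but its `group`, `kind` and `namespace` are unconstrained free-form strings and the description does not say which resource the controller resolves or whether a cluster-scoped GatewayClass may point into any namespace; if, as the preceding hunk suggests, the referenced resource carries the Role, RoleBinding, ServiceAccount and pod security settings the gateway runs with, the schema should at least document the accepted target, e.g. `description: ParametersRef refers to the <ACCEPTED_KIND> (group <ACCEPTED_GROUP>) resource that configures the behavior of the GatewayClass; other group/kind values are not resolved.` with the placeholders filled in by the author. The `status.conditions` array carries no `x-kubernetes-list-type: map` / `x-kubernetes-list-map-keys: [type]`, so server-side apply treats it as atomic instead of merging conditions by type; the preceding hunk shows those keys being used elsewhere in this CRD set, and crd-meshconfigurations.yaml later in this diff has the same omission. The printer columns are also inconsistent with crd-meshconfigurations.yaml, which exposes `Synced` and `Last Synced` from the identical status schema while this file shows only `Age`.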
@@ -1,21 +1,18 @@ {{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} component: crd - gateway.networking.k8s.io/bundle-version: v0.6.2 - gateway.networking.k8s.io/channel: experimental - creationTimestamp: null name: gateways.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io diff --git a/charts/hashicorp/consul/templates/crd-grpcroutes-external.yaml b/charts/hashicorp/consul/templates/crd-grpcroutes-external.yaml index 3e4aa7585..739ed2c65 100644 --- a/charts/hashicorp/consul/templates/crd-grpcroutes-external.yaml +++ b/charts/hashicorp/consul/templates/crd-grpcroutes-external.yaml 
@@ -1,21 +1,18 @@ {{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} component: crd - gateway.networking.k8s.io/bundle-version: v0.6.2 - gateway.networking.k8s.io/channel: experimental - creationTimestamp: null name: grpcroutes.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io diff --git a/charts/hashicorp/consul/templates/crd-httproutes-external.yaml b/charts/hashicorp/consul/templates/crd-httproutes-external.yaml index c89591376..bba3672d1 100644 --- a/charts/hashicorp/consul/templates/crd-httproutes-external.yaml +++ b/charts/hashicorp/consul/templates/crd-httproutes-external.yaml 
@@ -1,21 +1,18 @@ {{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} component: crd - gateway.networking.k8s.io/bundle-version: v0.6.2 - gateway.networking.k8s.io/channel: experimental - creationTimestamp: null name: httproutes.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io diff --git a/charts/hashicorp/consul/templates/crd-meshconfigurations.yaml b/charts/hashicorp/consul/templates/crd-meshconfigurations.yaml new file mode 100644 index 000000000..21114d723 --- /dev/null +++ b/charts/hashicorp/consul/templates/crd-meshconfigurations.yaml 
@@ -0,0 +1,100 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshconfigurations.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: MeshConfiguration + listKind: MeshConfigurationList + plural: meshconfigurations + singular: meshconfiguration + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: MeshConfiguration is the Schema for the Mesh Configuration + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshConfiguration is responsible for configuring the default + behavior of Mesh Gateways. This is a Resource type. + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-meshgateways.yaml b/charts/hashicorp/consul/templates/crd-meshgateways.yaml new file mode 100644 index 000000000..6202add69 --- /dev/null +++ b/charts/hashicorp/consul/templates/crd-meshgateways.yaml 
@@ -0,0 +1,134 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshgateways.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: MeshGateway + listKind: MeshGatewayList + plural: meshgateways + singular: meshgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: MeshGateway is the Schema for the Mesh Gateway API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + gatewayClassName: + description: GatewayClassName is the name of the GatewayClass used + by the MeshGateway + type: string + listeners: + items: + properties: + name: + type: string + port: + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + enum: + - TCP + type: string + type: object + minItems: 1 + type: array + workloads: + description: Selection of workloads to be configured as mesh gateways + properties: + filter: + type: string + names: + items: + type: string + type: array + prefixes: + items: + type: string + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} 
diff --git a/charts/hashicorp/consul/templates/crd-proxyconfigurations.yaml b/charts/hashicorp/consul/templates/crd-proxyconfigurations.yaml index 9a33bd2ba..3d19d5ea4 100644 --- a/charts/hashicorp/consul/templates/crd-proxyconfigurations.yaml +++ b/charts/hashicorp/consul/templates/crd-proxyconfigurations.yaml @@ -127,24 +127,6 @@ spec: format: int32 type: string type: object - envoyExtensions: - items: - description: EnvoyExtension has configuration for an extension - that patches Envoy resources. - properties: - arguments: - type: object - x-kubernetes-preserve-unknown-fields: true - consulVersion: - type: string - envoyVersion: - type: string - name: - type: string - required: - type: boolean - type: object - type: array exposeConfig: properties: exposePaths: @@ -178,7 +160,7 @@ spec: format: int32 type: string maxInboundConnections: - format: int64 + format: int32 type: integer type: object listenerTracingJson: diff --git a/charts/hashicorp/consul/templates/crd-referencegrants-external.yaml b/charts/hashicorp/consul/templates/crd-referencegrants-external.yaml index 6ae177d98..db9cf1202 100644 --- a/charts/hashicorp/consul/templates/crd-referencegrants-external.yaml +++ b/charts/hashicorp/consul/templates/crd-referencegrants-external.yaml 
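Review bot: Removing `envoyExtensions` from the ProxyConfiguration schema without a new API version means the apiserver prunes that field from existing objects on their next write, because structural CRD schemas discard fields that are no longer declared; if the controller still reads it this is silent data loss, and if the removal is intentional the chart's upgrade notes should say so. The second hunk in this file narrows `maxInboundConnections` from `format: int64` to `format: int32`, which will reject updates to any stored object whose value exceeds 2^31-1. If these templates are generated from the Go types, the fix belongs in the type markers rather than here, but a header comment such as `# envoyExtensions dropped in this chart version; existing values are pruned on the next write` would record the decision for operators.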
@@ -1,21 +1,18 @@ {{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} component: crd - gateway.networking.k8s.io/bundle-version: v0.6.2 - gateway.networking.k8s.io/channel: experimental - creationTimestamp: null name: referencegrants.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io diff --git a/charts/hashicorp/consul/templates/crd-routetimeoutfilters.yaml b/charts/hashicorp/consul/templates/crd-routetimeoutfilters.yaml index 95ab50320..07ebfe938 100644 --- a/charts/hashicorp/consul/templates/crd-routetimeoutfilters.yaml +++ b/charts/hashicorp/consul/templates/crd-routetimeoutfilters.yaml @@ -55,8 +55,10 @@ spec: description: RouteTimeoutFilterSpec defines the desired state of RouteTimeoutFilter. properties: idleTimeout: + format: duration type: string requestTimeout: + format: duration type: string type: object status: diff --git a/charts/hashicorp/consul/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/templates/crd-servicerouters.yaml index dca5aa7fc..c7924081f 100644 --- a/charts/hashicorp/consul/templates/crd-servicerouters.yaml +++ b/charts/hashicorp/consul/templates/crd-servicerouters.yaml 
@@ -149,9 +149,9 @@ spec: type: object type: object retryOn: - description: RetryOn is a flat list of conditions for Consul + description: 'RetryOn is a flat list of conditions for Consul to retry requests based on the response from an upstream - service. + service. Refer to the valid conditions here: https://developer.hashicorp.com/consul/docs/connect/config-entries/service-router#routes-destination-retryon' items: type: string type: array diff --git a/charts/hashicorp/consul/templates/crd-tcproutes-external.yaml b/charts/hashicorp/consul/templates/crd-tcproutes-external.yaml index 91989135e..b5bc7be13 100644 --- a/charts/hashicorp/consul/templates/crd-tcproutes-external.yaml +++ b/charts/hashicorp/consul/templates/crd-tcproutes-external.yaml @@ -1,21 +1,18 @@ {{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} component: crd - gateway.networking.k8s.io/bundle-version: v0.6.2 - gateway.networking.k8s.io/channel: experimental - creationTimestamp: null name: tcproutes.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io diff --git a/charts/hashicorp/consul/templates/crd-tlsroutes-external.yaml b/charts/hashicorp/consul/templates/crd-tlsroutes-external.yaml index dfabd8071..1acd1b973 100644 --- a/charts/hashicorp/consul/templates/crd-tlsroutes-external.yaml +++ b/charts/hashicorp/consul/templates/crd-tlsroutes-external.yaml 
@@ -1,21 +1,18 @@ {{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} component: crd - gateway.networking.k8s.io/bundle-version: v0.6.2 - gateway.networking.k8s.io/channel: experimental - creationTimestamp: null name: tlsroutes.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io diff --git a/charts/hashicorp/consul/templates/crd-udproutes-external.yaml b/charts/hashicorp/consul/templates/crd-udproutes-external.yaml index 935cce22f..0661b24c1 100644 --- a/charts/hashicorp/consul/templates/crd-udproutes-external.yaml +++ b/charts/hashicorp/consul/templates/crd-udproutes-external.yaml 
@@ -1,21 +1,18 @@ {{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} component: crd - gateway.networking.k8s.io/bundle-version: v0.6.2 - gateway.networking.k8s.io/channel: experimental - creationTimestamp: null name: udproutes.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io diff --git a/charts/hashicorp/consul/templates/gateway-cleanup-clusterrole.yaml b/charts/hashicorp/consul/templates/gateway-cleanup-clusterrole.yaml index c533a882f..5518bfc39 100644 --- a/charts/hashicorp/consul/templates/gateway-cleanup-clusterrole.yaml +++ b/charts/hashicorp/consul/templates/gateway-cleanup-clusterrole.yaml @@ -24,6 +24,15 @@ rules: verbs: - get - delete + - apiGroups: + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs + - gatewayclasses + - meshgateways + verbs: + - get + - delete {{- if .Values.global.enablePodSecurityPolicies }} - apiGroups: ["policy"] resources: ["podsecuritypolicies"] diff --git a/charts/hashicorp/consul/templates/gateway-cleanup-job.yaml b/charts/hashicorp/consul/templates/gateway-cleanup-job.yaml index df6c22fd3..0d4f84272 100644 --- a/charts/hashicorp/consul/templates/gateway-cleanup-job.yaml +++ b/charts/hashicorp/consul/templates/gateway-cleanup-job.yaml 
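Review bot: The new rule in gateway-cleanup-clusterrole grants `get` and `delete` on `meshgateways` cluster-wide, although that resource is namespaced (`scope: Namespaced` in the new crd-meshgateways.yaml) and the only instance this chart creates lives in `.Release.Namespace`. `gatewayclassconfigs` and `gatewayclasses` are cluster-scoped and genuinely need the ClusterRole, but the namespaced resource could be moved to a Role bound in the release namespace so the cleanup job cannot delete gateways it did not create. If cross-namespace cleanup is intended, a comment such as `# meshgateways: cluster-wide delete so cleanup also removes gateways created outside the release namespace` would make that deliberate.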
@@ -52,8 +52,16 @@ spec: limits: memory: "50Mi" cpu: "50m" + volumeMounts: + - name: config + mountPath: /consul/config + readOnly: true {{- if .Values.global.acls.tolerations }} tolerations: {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-gateway-resources-config {{- end }} diff --git a/charts/hashicorp/consul/templates/gateway-resources-clusterrole.yaml b/charts/hashicorp/consul/templates/gateway-resources-clusterrole.yaml index c3bdfeb4a..ad7082f06 100644 --- a/charts/hashicorp/consul/templates/gateway-resources-clusterrole.yaml +++ b/charts/hashicorp/consul/templates/gateway-resources-clusterrole.yaml @@ -10,8 +10,17 @@ metadata: release: {{ .Release.Name }} component: gateway-resources rules: + - apiGroups: + - mesh.consul.hashicorp.com + resources: + - meshgateways + verbs: + - get + - update + - create - apiGroups: - consul.hashicorp.com + - mesh.consul.hashicorp.com resources: - gatewayclassconfigs verbs: @@ -20,6 +29,7 @@ rules: - create - apiGroups: - gateway.networking.k8s.io + - mesh.consul.hashicorp.com resources: - gatewayclasses verbs: diff --git a/charts/hashicorp/consul/templates/gateway-resources-configmap.yaml b/charts/hashicorp/consul/templates/gateway-resources-configmap.yaml index 591aaa212..842ba6690 100644 --- a/charts/hashicorp/consul/templates/gateway-resources-configmap.yaml +++ b/charts/hashicorp/consul/templates/gateway-resources-configmap.yaml 
@@ -1,11 +1,16 @@ {{- if .Values.connectInject.enabled }} + +# Validation +# For meshGateway.wanAddress, static must be set if source is "Static" +{{if (and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static ""))}}{{fail ".meshGateway.wanAddress.static must be set to a value if .meshGateway.wanAddress.source is Static"}}{{ end }} + # Configuration of Gateway Resources Job which creates managed Gateway configuration. apiVersion: v1 kind: ConfigMap metadata: name: {{ template "consul.fullname" . }}-gateway-resources-config namespace: {{ .Release.Namespace }} - labels: + labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} 
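Review bot: The new guard compares `.Values.meshGateway.wanAddress.static` with `""` using `eq`, so it only fires when the value is literally an empty string; if a user sets the key to null (or a values override leaves it unset), `eq` between a nil and a string yields false in current Go templates (or an "incompatible types" error on older builds) and the intended `fail` message is never reached. Sprig's `empty` covers both cases: `{{ if (and (eq .Values.meshGateway.wanAddress.source "Static") (empty .Values.meshGateway.wanAddress.static)) }}{{ fail ".meshGateway.wanAddress.static must be set to a value if .meshGateway.wanAddress.source is Static" }}{{ end }}`. The check also only runs when `connectInject.enabled` is true because of the template's outer guard; that seems acceptable given the legacy deployment fails without connect injection, but a one-line comment saying so would save the next reader from wondering whether the validation is reachable.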
@@ -16,4 +21,112 @@ data: resources.json: | {{ toJson .Values.connectInject.apiGateway.managedGatewayClass.resources }} {{- end }} + {{- if and (mustHas "resource-apis" .Values.global.experiments) .Values.meshGateway.enabled }} + config.yaml: | + gatewayClassConfigs: + - apiVersion: mesh.consul.hashicorp.com/v2beta1 + metadata: + name: consul-mesh-gateway + kind: GatewayClassConfig + spec: + labels: + set: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + deployment: + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.affinity }} + affinity: {{ toJson (default "{}" .Values.meshGateway.affinity) }} + {{- end }} + {{- if .Values.meshGateway.annotations }} + annotations: + set: {{ toJson .Values.meshGateway.annotations }} + {{- end }} + {{- if .Values.global.extraLabels }} + labels: + set: {{ toJson .Values.global.extraLabels }} + {{- end }} + container: + consul: + logging: + level: {{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + portModifier: {{ sub .Values.meshGateway.containerPort .Values.meshGateway.service.port }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + resources: {{ toJson .Values.meshGateway.resources }} + initContainer: + consul: + logging: + level: {{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + resources: {{ toJson .Values.meshGateway.initServiceInitContainer.resources }} + {{- with .Values.meshGateway.nodeSelector }} + nodeSelector: {{ fromYaml . | toJson }} + {{- end }} + {{- with .Values.meshGateway.hostNetwork }} + hostNetwork: {{ . }} + {{- end }} + {{- with .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ . 
}} + {{- end }} + {{- with .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ fromYamlArray . | toJson }} + {{- end }} + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 16 | trim }} + {{- end }} + replicas: + default: {{ .Values.meshGateway.replicas }} + min: {{ .Values.meshGateway.replicas }} + max: {{ .Values.meshGateway.replicas }} + {{- if .Values.meshGateway.tolerations }} + tolerations: {{ fromYamlArray .Values.meshGateway.tolerations | toJson }} + {{- end }} + service: + {{- if .Values.meshGateway.service.annotations }} + annotations: + set: {{ toJson .Values.meshGateway.service.annotations }} + {{- end }} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.serviceAccount.annotations }} + serviceAccount: + annotations: + set: {{ toJson .Values.meshGateway.serviceAccount.annotations }} + {{- end }} + meshGateways: + - apiVersion: mesh.consul.hashicorp.com/v2beta1 + kind: MeshGateway + metadata: + name: mesh-gateway + namespace: {{ .Release.Namespace }} + annotations: + # TODO are these annotations even necessary? 
+ "consul.hashicorp.com/gateway-wan-address-source": {{ .Values.meshGateway.wanAddress.source | quote }} + "consul.hashicorp.com/gateway-wan-address-static": {{ .Values.meshGateway.wanAddress.static | quote }} + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": {{ .Values.meshGateway.service.nodePort | quote }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": {{ .Values.meshGateway.service.port | quote }} + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": {{ .Values.meshGateway.wanAddress.port | quote }} + {{- end }} + spec: + gatewayClassName: consul-mesh-gateway + listeners: + - name: "wan" + port: {{ .Values.meshGateway.service.port }} + protocol: "TCP" + workloads: + prefixes: + - "mesh-gateway" + {{- end }} {{- end }} diff --git a/charts/hashicorp/consul/templates/gateway-resources-job.yaml b/charts/hashicorp/consul/templates/gateway-resources-job.yaml index 1136d2e0f..5934372ed 100644 --- a/charts/hashicorp/consul/templates/gateway-resources-job.yaml +++ b/charts/hashicorp/consul/templates/gateway-resources-job.yaml @@ -51,7 +51,7 @@ spec: - -heritage={{ .Release.Service }} - -release-name={{ .Release.Name }} - -component=api-gateway - {{- if .Values.apiGateway.enabled }} # Overide values from the old stanza. To be removed in 1.17 (t-eckert 2023-05-19) + {{- if .Values.apiGateway.enabled }} # Override values from the old stanza. To be removed after ~1.18 (t-eckert 2023-05-19) NET-6263 {{- if .Values.apiGateway.managedGatewayClass.deployment }} {{- if .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} - -deployment-default-instances={{ .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} diff --git a/charts/hashicorp/consul/templates/mesh-gateway-clusterrole.yaml b/charts/hashicorp/consul/templates/mesh-gateway-clusterrole.yaml index b951418b2..305310510 100644 
--- a/charts/hashicorp/consul/templates/mesh-gateway-clusterrole.yaml +++ b/charts/hashicorp/consul/templates/mesh-gateway-clusterrole.yaml @@ -1,4 +1,5 @@ {{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -32,3 +33,4 @@ rules: rules: [] {{- end }} {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/mesh-gateway-clusterrolebinding.yaml b/charts/hashicorp/consul/templates/mesh-gateway-clusterrolebinding.yaml index f8150ebb5..2fb80fc04 100644 --- a/charts/hashicorp/consul/templates/mesh-gateway-clusterrolebinding.yaml +++ b/charts/hashicorp/consul/templates/mesh-gateway-clusterrolebinding.yaml @@ -1,4 +1,5 @@ {{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -18,3 +19,4 @@ subjects: name: {{ template "consul.fullname" . }}-mesh-gateway namespace: {{ .Release.Namespace }} {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/mesh-gateway-deployment.yaml b/charts/hashicorp/consul/templates/mesh-gateway-deployment.yaml index a22bdc087..efcc1f910 100644 --- a/charts/hashicorp/consul/templates/mesh-gateway-deployment.yaml +++ b/charts/hashicorp/consul/templates/mesh-gateway-deployment.yaml 
@@ -1,4 +1,5 @@ {{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} {{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} {{- if and .Values.global.acls.manageSystemACLs (ne .Values.meshGateway.consulServiceName "") (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end -}} {{- if .Values.meshGateway.globalMode }}{{ fail "meshGateway.globalMode is no longer supported; instead, you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end -}} @@ -317,3 +318,4 @@ spec: {{ tpl .Values.meshGateway.nodeSelector . | indent 8 | trim }} {{- end }} {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/templates/mesh-gateway-podsecuritypolicy.yaml index 04576fe92..56e4b7924 100644 --- a/charts/hashicorp/consul/templates/mesh-gateway-podsecuritypolicy.yaml +++ b/charts/hashicorp/consul/templates/mesh-gateway-podsecuritypolicy.yaml @@ -1,4 +1,5 @@ {{- if and .Values.global.enablePodSecurityPolicies .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -52,3 +53,4 @@ spec: rule: 'RunAsAny' readOnlyRootFilesystem: false {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/mesh-gateway-service.yaml b/charts/hashicorp/consul/templates/mesh-gateway-service.yaml index 5fdceca8d..80f82ac89 100644 --- a/charts/hashicorp/consul/templates/mesh-gateway-service.yaml +++ b/charts/hashicorp/consul/templates/mesh-gateway-service.yaml @@ -1,4 +1,5 @@ {{- if and .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} apiVersion: v1 kind: Service metadata: 
@@ -31,3 +32,4 @@ spec: {{ tpl .Values.meshGateway.service.additionalSpec . | nindent 2 | trim }} {{- end }} {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/mesh-gateway-serviceaccount.yaml b/charts/hashicorp/consul/templates/mesh-gateway-serviceaccount.yaml index 8c2da5ae0..b1a0661ea 100644 --- a/charts/hashicorp/consul/templates/mesh-gateway-serviceaccount.yaml +++ b/charts/hashicorp/consul/templates/mesh-gateway-serviceaccount.yaml @@ -1,4 +1,5 @@ {{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} apiVersion: v1 kind: ServiceAccount metadata: @@ -21,3 +22,4 @@ imagePullSecrets: {{- end }} {{- end }} {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/partition-init-job.yaml b/charts/hashicorp/consul/templates/partition-init-job.yaml index bb4e7b370..21ad2930b 100644 --- a/charts/hashicorp/consul/templates/partition-init-job.yaml +++ b/charts/hashicorp/consul/templates/partition-init-job.yaml @@ -118,6 +118,9 @@ spec: {{- if .Values.global.cloud.enabled }} -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ {{- end }} + {{- if and (mustHas "resource-apis" .Values.global.experiments) (mustHas "v2tenancy" .Values.global.experiments) }} + -enable-v2tenancy=true + {{- end }} resources: requests: memory: "50Mi" diff --git a/charts/hashicorp/consul/templates/server-config-configmap.yaml b/charts/hashicorp/consul/templates/server-config-configmap.yaml index 423eeac60..8c74364a2 100644 --- a/charts/hashicorp/consul/templates/server-config-configmap.yaml +++ b/charts/hashicorp/consul/templates/server-config-configmap.yaml 
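Review bot: In the partition-init-job hunk the added `-enable-v2tenancy=true` line carries no trailing `\`, unlike the `-tls-server-name=...` line directly above it, so it only works because it is currently the last argument of the shell command; any flag appended after it later will be executed as a separate command. Either keep the continuation consistent (`-enable-v2tenancy=true \`) or leave a comment at the insertion point, `# must stay the last argument: no trailing backslash`. The enclosing `exec` command starts outside the hunk, so I cannot confirm how the line before `-tls-server-name` is terminated when `global.cloud.enabled` is false.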
@@ -57,7 +57,12 @@ data: "enabled": true }, {{- end }} - "server": true + "server": true, + "leave_on_terminate": true, + "autopilot": { + "min_quorum": {{ template "consul.server.autopilotMinQuorum" . }}, + "disable_upgrade_migration": true + } } {{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}} {{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }} diff --git a/charts/hashicorp/consul/templates/server-disruptionbudget.yaml b/charts/hashicorp/consul/templates/server-disruptionbudget.yaml index edf9c1c57..56805edc2 100644 --- a/charts/hashicorp/consul/templates/server-disruptionbudget.yaml +++ b/charts/hashicorp/consul/templates/server-disruptionbudget.yaml @@ -17,7 +17,7 @@ metadata: release: {{ .Release.Name }} component: server spec: - maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }} + maxUnavailable: {{ template "consul.server.pdb.maxUnavailable" . }} selector: matchLabels: app: {{ template "consul.name" . }} diff --git a/charts/hashicorp/consul/templates/server-statefulset.yaml b/charts/hashicorp/consul/templates/server-statefulset.yaml index e744f2fe8..6dcd2e320 100644 --- a/charts/hashicorp/consul/templates/server-statefulset.yaml +++ b/charts/hashicorp/consul/templates/server-statefulset.yaml 
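Review bot: `leave_on_terminate`, `autopilot.min_quorum` and `autopilot.disable_upgrade_migration` are now hard-coded into every server's config with no values knob and no comment explaining why, while the reasoning (a gracefully stopped server leaves the Raft pool, so quorum must be protected during rolling restarts) is only written down in the values.yaml text for `server.disruptionBudget.maxUnavailable`. A template comment at the insertion point, `{{- /* leave_on_terminate + autopilot.min_quorum keep the Raft quorum stable across rolling restarts; see server.disruptionBudget.maxUnavailable in values.yaml */ -}}`, would tie the two together for operators reviewing the rendered config. `consul.server.autopilotMinQuorum` is defined outside this hunk, so I cannot check what it computes for small replica counts.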
@@ -506,8 +506,17 @@ spec: {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }} -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }" {{- end }} - {{- if (mustHas "resource-apis" .Values.global.experiments) }} - -hcl="experiments=[\"resource-apis\"]" + + {{- if .Values.global.experiments }} + {{- $commaSeparatedValues := "" }} + {{- range $index, $value := .Values.global.experiments }} + {{- if ne $index 0 }} + {{- $commaSeparatedValues = printf "%s,\\\"%s\\\"" $commaSeparatedValues $value }} + {{- else }} + {{- $commaSeparatedValues = printf "\\\"%s\\\"" $value }} + {{- end }} + {{- end }} + -hcl="experiments=[{{ $commaSeparatedValues }}]" {{- end }} volumeMounts: - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} diff --git a/charts/hashicorp/consul/values.yaml b/charts/hashicorp/consul/values.yaml index 46162d36a..2bad84077 100644 --- a/charts/hashicorp/consul/values.yaml +++ b/charts/hashicorp/consul/values.yaml @@ -66,7 +66,7 @@ global: # image: "hashicorp/consul-enterprise:1.10.0-ent" # ``` # @default: hashicorp/consul: - image: hashicorp/consul:1.17.3 + image: hashicorp/consul:1.18.0 # Array of objects containing image pull secret names that will be applied to each service account. # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. @@ -86,7 +86,7 @@ global: # image that is used for functionality such as catalog sync. # This can be overridden per component. # @default: hashicorp/consul-k8s-control-plane: - imageK8S: hashicorp/consul-k8s-control-plane:1.3.3 + imageK8S: hashicorp/consul-k8s-control-plane:1.4.0 # The name of the datacenter that the agents should # register as. This can't be changed once the Consul cluster is up and running 
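Review bot: The nine-line `range` loop that accumulates `$commaSeparatedValues` can be replaced by a single join, which is easier to read and avoids the nested escaping in the two `printf` calls: `-hcl="experiments=[\"{{ .Values.global.experiments | join "\\\",\\\"" }}\"]"` renders the same `[\"a\",\"b\"]` string for any list length. Worth noting either way: experiment names are interpolated verbatim into a double-quoted shell argument, so a value containing `"` or `\` breaks the whole `exec` line; since the chart already uses `fail` guards for other values, a guard that rejects such names would fail fast at `helm template` time rather than at pod start. The surrounding `exec` command begins outside the hunk.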
@@ -791,7 +791,7 @@ global: # The name (and tag) of the consul-dataplane Docker image used for the # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. # @default: hashicorp/consul-dataplane: - imageConsulDataplane: hashicorp/consul-dataplane:1.3.3 + imageConsulDataplane: hashicorp/consul-dataplane:1.4.0 # Configuration for running this Helm chart on the Red Hat OpenShift platform. # This Helm chart currently supports OpenShift v4.x+. @@ -911,6 +911,14 @@ global: # upgrade could risk breaking your Consul cluster. # If this flag is set, Consul components will use the # V2 resources APIs for all operations. + # * `v2tenancy`: + # _**Danger**_! This feature is under active development. It is not + # recommended for production use. Setting this flag during an + # upgrade could risk breaking your Consul cluster. + # If this flag is set, Consul V2 resources (catalog, mesh, auth, etc) + # will use V2 implementations for tenancy (partitions and namesapces) + # instead of bridging to the existing V1 implementations. The + # `resource-apis` feature flag must also be set. # # Example: # 
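Review bot: The new comment block for the `v2tenancy` experiment has a typo — `namesapces` should read `namespaces` in `tenancy (partitions and namesapces)`; values.yaml comments are surfaced as the chart's reference documentation, so it is worth fixing before release.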
@@ -1155,8 +1163,14 @@ server: # the server cluster is enabled. To disable, set to `false`. enabled: true - # The maximum number of unavailable pods. By default, this will be - # automatically computed based on the `server.replicas` value to be `(n/2)-1`. + # The maximum number of unavailable pods. In most cases you should not change this as it is automatically set to + # the correct number when left as null. This setting has been kept to not break backwards compatibility. + # + # By default, this is set to 1 internally in the chart. When server pods are stopped gracefully, they leave the Raft + # consensus pool. When running an odd number of servers, one server leaving the pool does not change the quorum + # size, and so fault tolerance is not affected. However, if more than one server were to leave the pool, the quorum + # size would change. That's why this is set to 1 internally and should not be changed in most cases. + # # If you need to set this to `0`, you will need to add a # --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation # command because of a limitation in the Helm templating language. @@ -1540,7 +1554,7 @@ externalServers: # Note: If enabling clients, `client.join` must also be set to the hosts that should be # used to join the cluster. In most cases, the `client.join` values # should be the same, however, they may be different if you - # wish to use separate hosts for the HTTPS connections. + # wish to use separate hosts for the HTTPS connections. `tlsServerName` is required if TLS is enabled and 'hosts' is not a DNS name. # @type: array hosts: [] @@ -1550,7 +1564,7 @@ externalServers: # The GRPC port of the Consul servers. grpcPort: 8502 - # The server name to use as the SNI host header when connecting with HTTPS. + # The server name to use as the SNI host header when connecting with HTTPS. This name also appears as the hostname in the server certificate's subject field. # @type: string tlsServerName: null 
@@ -2928,7 +2942,7 @@ meshGateway: # are routable from other datacenters. # # - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`. - source: "Service" + source: Service # Port that gets registered for WAN traffic. # If source is set to "Service" then this setting will have no effect. diff --git a/charts/hpe/hpe-csi-driver/Chart.yaml b/charts/hpe/hpe-csi-driver/Chart.yaml index d3eccbeef..e74d74e5d 100644 --- a/charts/hpe/hpe-csi-driver/Chart.yaml +++ b/charts/hpe/hpe-csi-driver/Chart.yaml @@ -3,8 +3,14 @@ annotations: artifacthub.io/containsSecurityUpdates: "true" artifacthub.io/license: Apache-2.0 artifacthub.io/links: | + - name: Release Highlights + url: https://scod.hpedev.io/csi_driver/index.html#latest_release + - name: Release Notes + url: https://github.com/hpe-storage/csi-driver/tree/master/release-notes - name: Documentation url: https://scod.hpedev.io/csi_driver + - name: Chart Source + url: https://github.com/hpe-storage/co-deployments artifacthub.io/prerelease: "false" artifacthub.io/recommendations: | - url: https://artifacthub.io/packages/olm/community-operators/hpe-csi-operator @@ -16,7 +22,7 @@ annotations: catalog.cattle.io/namespace: hpe-storage catalog.cattle.io/release-name: hpe-csi-driver apiVersion: v1 -appVersion: 2.4.0 +appVersion: 2.4.1 description: A Helm chart for installing the HPE CSI Driver for Kubernetes home: https://hpe.com/storage/containers icon: https://raw.githubusercontent.com/hpe-storage/co-deployments/master/docs/assets/hpedev.png @@ -29,6 +35,5 @@ maintainers: name: datamattsson name: hpe-csi-driver sources: -- https://github.com/hpe-storage/co-deployments - https://github.com/hpe-storage/csi-driver -version: 2.4.0 +version: 2.4.1 diff --git a/charts/hpe/hpe-csi-driver/README.md b/charts/hpe/hpe-csi-driver/README.md index 7c5c69850..e6008b1e8 100644 --- a/charts/hpe/hpe-csi-driver/README.md +++ b/charts/hpe/hpe-csi-driver/README.md 
@@ -1,6 +1,14 @@ # HPE CSI Driver for Kubernetes Helm chart -The [HPE CSI Driver for Kubernetes](https://scod.hpedev.io/csi_driver/index.html) leverages Hewlett Packard Enterprise storage platforms to provide scalable and persistent storage for stateful applications. +The [HPE CSI Driver for Kubernetes](https://scod.hpedev.io/csi_driver/index.html) leverages Hewlett Packard Enterprise primary storage platforms to provide scalable and persistent storage for stateful and ephemeral applications. Currently supported storage platforms include HPE GreenLake for Block Storage powered by HPE Alletra Storage MP, HPE Alletra 5000/6000/9000, HPE Nimble Storage, HPE Primera and HPE 3PAR. + +## Release highlights + +The HPE CSI Driver for Kubernetes Helm chart is the primary delivery vehicle for the HPE CSI Driver. + +- All resources for the HPE CSI Driver is available on [HPE Storage Container Orchestrator Documentation](https://scod.hpedev.io/) (SCOD). +- Visit [the latest release](https://scod.hpedev.io/csi_driver/index.html#latest_release) on SCOD to learn what's new in this chart. +- The release notes for the HPE CSI Driver are hosted on [GitHub](https://github.com/hpe-storage/csi-driver/tree/master/release-notes). ## Prerequisites 
@@ -8,12 +16,12 @@ The [HPE CSI Driver for Kubernetes](https://scod.hpedev.io/csi_driver/index.html - Recent Ubuntu, SLES or RHEL (and its derives) compute nodes connected to their respective official package repositories - Helm 3 (Version >= 3.2.0 required) -Refer to [Compatibility & Support](https://scod.hpedev.io/csi_driver/index.html#compatibility_and_support) on [SCOD](https://scod.hpedev.io/) for currently supported versions of Kubernetes and compute nodes. +Refer to [Compatibility & Support](https://scod.hpedev.io/csi_driver/index.html#compatibility_and_support) for currently supported versions of Kubernetes and compute node operating systems. Depending on which [Container Storage Provider](https://scod.hpedev.io/container_storage_provider/index.html) (CSP) is being used, other prerequisites and requirements may apply, such as storage platform OS and features. -- [HPE Alletra 5000/6000 and Nimble Storage](https://scod.hpedev.io/container_storage_provider/hpe_nimble_storage/index.html) -- [HPE Alletra 9000, Primera and 3PAR](https://scod.hpedev.io/container_storage_provider/hpe_3par_primera/index.html) +- [HPE Alletra 5000/6000 and Nimble Storage](https://scod.hpedev.io/container_storage_provider/hpe_alletra_6000/index.html) +- [HPE Alletra Storage MP, Alletra 9000, Primera and 3PAR](https://scod.hpedev.io/container_storage_provider/hpe_alletra_storage_mp/index.html) ## Configuration and installation 
@@ -25,6 +33,7 @@ The following table lists the configurable parameters of the chart and their def | disable.primera | Disable HPE Primera (and 3PAR) CSP `Service`. | false | | disable.alletra6000 | Disable HPE Alletra 5000/6000 CSP `Service`. | false | | disable.alletra9000 | Disable HPE Alletra 9000 CSP `Service`. | false | +| disable.alletraStorageMP | Disable HPE Alletra Storage MP CSP `Service`. | false | | disableNodeConformance | Disable automatic installation of iSCSI, multipath and NFS packages. | false | | disableNodeConfiguration | Disables node conformance and configuration.`*` | false | | disableNodeGetVolumeStats | Disable NodeGetVolumeStats call to CSI driver. | false | @@ -89,11 +98,11 @@ Our recommendation is to uninstall the existing chart and install the chart with Before version 2.0.0 is uninstalled, the following CRDs needs to be updated. -**Important:** If there are HPE Alletra 9000, Primera or 3PAR Remote Copy Groups configured on the cluster, follow the [next steps](#update-rcg-info) before uninstallation. +**Important:** If there are HPE Alletra Storage MP, Alletra 9000, Primera or 3PAR Remote Copy Groups configured on the cluster, follow the [next steps](#update-rcg-info) before uninstallation. ##### Update RCG Info -This step is only necessary if there are HPE Alletra 9000, Primera or 3PAR Remote Copy Groups configured on the cluster. If there are none, proceed to the [next step](#update-crds). +This step is only necessary if there are HPE Alletra Storage MP, Alletra 9000, Primera or 3PAR Remote Copy Groups configured on the cluster. If there are none, proceed to the [next step](#update-crds). Change kubectl context into the Namespace where the HPE CSI Driver is installed. The most common is "hpe-storage". 
@@ -148,7 +157,7 @@ helm install my-hpe-csi-driver hpe-storage/hpe-csi-driver -n hpe-storage \ ## Using persistent storage with Kubernetes -Enable dynamic provisioning of persistent storage by creating a `StorageClass` API object that references a `Secret` which maps to a supported HPE primary storage backend. Refer to the [HPE CSI Driver for Kubernetes](https://scod.hpedev.io/csi_driver/deployment.html#add_a_hpe_storage_backend) documentation on [HPE Storage Container Orchestration Documentation](https://scod.hpedev.io/). Also, it's helpful to be familiar with [persistent storage concepts](https://kubernetes.io/docs/concepts/storage/volumes/) in Kubernetes prior to deploying stateful workloads. +Enable dynamic provisioning of persistent storage by creating a `StorageClass` API object that references a `Secret` which maps to a supported HPE primary storage backend. Refer to the [HPE CSI Driver for Kubernetes](https://scod.hpedev.io/csi_driver/deployment.html#add_a_hpe_storage_backend) documentation on SCOD. Also, it's helpful to be familiar with [persistent storage concepts](https://kubernetes.io/docs/concepts/storage/volumes/) in Kubernetes prior to deploying stateful workloads. ## Support diff --git a/charts/hpe/hpe-csi-driver/templates/hpe-csi-controller.yaml b/charts/hpe/hpe-csi-driver/templates/hpe-csi-controller.yaml index 86b3eec22..f2fd92bce 100644 --- a/charts/hpe/hpe-csi-driver/templates/hpe-csi-controller.yaml +++ b/charts/hpe/hpe-csi-driver/templates/hpe-csi-controller.yaml 
@@ -36,11 +36,11 @@ spec: containers: - name: csi-provisioner {{- if and (.Values.registry) (eq .Values.registry "quay.io") }} - image: registry.k8s.io/sig-storage/csi-provisioner:v3.5.0 + image: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 {{- else if .Values.registry }} - image: {{ .Values.registry }}/sig-storage/csi-provisioner:v3.5.0 + image: {{ .Values.registry }}/sig-storage/csi-provisioner:v4.0.0 {{- else }} - image: registry.k8s.io/sig-storage/csi-provisioner:v3.5.0 + image: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 {{- end }} args: - "--csi-address=$(ADDRESS)" @@ -59,11 +59,11 @@ spec: mountPath: /var/lib/csi/sockets/pluginproxy - name: csi-attacher {{- if and (.Values.registry) (eq .Values.registry "quay.io") }} - image: registry.k8s.io/sig-storage/csi-attacher:v4.3.0 + image: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 {{- else if .Values.registry }} - image: {{ .Values.registry }}/sig-storage/csi-attacher:v4.3.0 + image: {{ .Values.registry }}/sig-storage/csi-attacher:v4.5.0 {{- else }} - image: registry.k8s.io/sig-storage/csi-attacher:v4.3.0 + image: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 {{- end }} args: - "--v=5" @@ -81,11 +81,11 @@ spec: - name: csi-snapshotter {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "20") }} {{- if and (.Values.registry) (eq .Values.registry "quay.io") }} - image: registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2 + image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3 {{- else if .Values.registry }} - image: {{ .Values.registry }}/sig-storage/csi-snapshotter:v6.2.2 + image: {{ .Values.registry }}/sig-storage/csi-snapshotter:v6.3.3 {{- else }} - image: registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2 + image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3 {{- end }} {{- end }} args: 
@@ -101,11 +101,11 @@ spec: {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "15") }} - name: csi-resizer {{- if and (.Values.registry) (eq .Values.registry "quay.io") }} - image: registry.k8s.io/sig-storage/csi-resizer:v1.8.0 + image: registry.k8s.io/sig-storage/csi-resizer:v1.9.3 {{- else if .Values.registry }} - image: {{ .Values.registry }}/sig-storage/csi-resizer:v1.8.0 + image: {{ .Values.registry }}/sig-storage/csi-resizer:v1.9.3 {{- else }} - image: registry.k8s.io/sig-storage/csi-resizer:v1.8.0 + image: registry.k8s.io/sig-storage/csi-resizer:v1.9.3 {{- end }} args: - "--csi-address=$(ADDRESS)" @@ -120,9 +120,9 @@ spec: {{- end }} - name: hpe-csi-driver {{- if .Values.registry }} - image: {{ .Values.registry }}/hpestorage/csi-driver:v2.4.0 + image: {{ .Values.registry }}/hpestorage/csi-driver:v2.4.1 {{- else }} - image: quay.io/hpestorage/csi-driver:v2.4.0 + image: quay.io/hpestorage/csi-driver:v2.4.1 {{- end }} args : - "--endpoint=$(CSI_ENDPOINT)" @@ -148,9 +148,9 @@ spec: mountPath: /host - name: csi-volume-mutator {{- if .Values.registry }} - image: {{ .Values.registry }}/hpestorage/volume-mutator:v1.3.4 + image: {{ .Values.registry }}/hpestorage/volume-mutator:v1.3.5 {{- else }} - image: quay.io/hpestorage/volume-mutator:v1.3.4 + image: quay.io/hpestorage/volume-mutator:v1.3.5 {{- end }} args: - "--v=5" @@ -164,9 +164,9 @@ spec: mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-volume-group-snapshotter {{- if .Values.registry }} - image: {{ .Values.registry }}/hpestorage/volume-group-snapshotter:v1.0.4 + image: {{ .Values.registry }}/hpestorage/volume-group-snapshotter:v1.0.5 {{- else }} - image: quay.io/hpestorage/volume-group-snapshotter:v1.0.4 + image: quay.io/hpestorage/volume-group-snapshotter:v1.0.5 {{- end }} args: - "--v=5" 
@@ -180,9 +180,9 @@ spec: mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-volume-group-provisioner {{- if .Values.registry }} - image: {{ .Values.registry }}/hpestorage/volume-group-provisioner:v1.0.4 + image: {{ .Values.registry }}/hpestorage/volume-group-provisioner:v1.0.5 {{- else }} - image: quay.io/hpestorage/volume-group-provisioner:v1.0.4 + image: quay.io/hpestorage/volume-group-provisioner:v1.0.5 {{- end }} args: - "--v=5" @@ -196,9 +196,9 @@ spec: mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-extensions {{- if .Values.registry }} - image: {{ .Values.registry }}/hpestorage/csi-extensions:v1.2.5 + image: {{ .Values.registry }}/hpestorage/csi-extensions:v1.2.6 {{- else }} - image: quay.io/hpestorage/csi-extensions:v1.2.5 + image: quay.io/hpestorage/csi-extensions:v1.2.6 {{- end }} args: - "--v=5" diff --git a/charts/hpe/hpe-csi-driver/templates/hpe-csi-node.yaml b/charts/hpe/hpe-csi-driver/templates/hpe-csi-node.yaml index f12a957e9..67f00473f 100644 --- a/charts/hpe/hpe-csi-driver/templates/hpe-csi-node.yaml +++ b/charts/hpe/hpe-csi-driver/templates/hpe-csi-node.yaml 
@@ -32,14 +32,42 @@ spec:
 options:
 - name: ndots
 value: "1"
+ initContainers:
+ - name: hpe-csi-node-init
+ {{- if .Values.registry }}
+ image: {{ .Values.registry }}/hpestorage/csi-driver:v2.4.1
+ {{- else }}
+ image: quay.io/hpestorage/csi-driver:v2.4.1
+ {{- end}}
+ args: ['--node-init']
+ volumeMounts:
+ - name: root-dir
+ mountPath: /host
+ mountPropagation: "Bidirectional"
+ - name: device-dir
+ mountPath: /dev
+ - name: sys
+ mountPath: /sys
+ - name: etc-hpe-storage-dir
+ mountPath: /etc/hpe-storage
+ - name: runsystemd
+ mountPath: /run/systemd
+ - name: etcsystemd
+ mountPath: /etc/systemd/system
+ imagePullPolicy: {{ .Values.imagePullPolicy | quote }}
+ securityContext:
+ privileged: true
+ capabilities:
+ add: ["SYS_ADMIN"]
+ allowPrivilegeEscalation: true
 containers:
 - name: csi-node-driver-registrar
 {{- if and (.Values.registry) (eq .Values.registry "quay.io") }}
- image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0
+ image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
 {{- else if .Values.registry }}
- image: {{ .Values.registry }}/sig-storage/csi-node-driver-registrar:v2.8.0
+ image: {{ .Values.registry }}/sig-storage/csi-node-driver-registrar:v2.10.0
 {{- else }}
- image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0
+ image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
 {{- end}}
 args:
 - "--csi-address=$(ADDRESS)"
@@ -69,9 +97,9 @@ spec:
 mountPath: /registration
 - name: hpe-csi-driver
 {{- if .Values.registry }}
- image: {{ .Values.registry }}/hpestorage/csi-driver:v2.4.0
+ image: {{ .Values.registry }}/hpestorage/csi-driver:v2.4.1
 {{- else }}
- image: quay.io/hpestorage/csi-driver:v2.4.0
+ image: quay.io/hpestorage/csi-driver:v2.4.1
 {{- end}}
 args :
 - "--endpoint=$(CSI_ENDPOINT)"
diff --git a/charts/hpe/hpe-csi-driver/templates/nimble-csp.yaml b/charts/hpe/hpe-csi-driver/templates/nimble-csp.yaml
index ffbec0727..e020cee0c 100644
--- a/charts/hpe/hpe-csi-driver/templates/nimble-csp.yaml
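Review bot: The new `hpe-csi-node-init` init container runs with `privileged: true`, an explicit `SYS_ADMIN` capability, `allowPrivilegeEscalation: true`, a `Bidirectional` mount of the host root at `/host` and writable mounts of `/run/systemd` and `/etc/systemd/system`, yet the hunk carries no comment explaining what `--node-init` needs each host path and privilege for; a short comment above `initContainers:` stating its purpose and why it must write to the host's systemd directories would let cluster admins and policy reviewers judge the footprint. If `--node-init` is the node conformance/configuration work, it may also need to respect `disableNodeConformance` / `disableNodeConfiguration` (both listed in the README table earlier in this diff), which this init container is not gated on — please confirm. `privileged: true` already grants the full capability set, so the `capabilities.add: ["SYS_ADMIN"]` line is redundant and could be dropped or annotated as intentional. Minor style: `{{- end}}` here versus `{{- end }}` in the controller template.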
+++ b/charts/hpe/hpe-csi-driver/templates/nimble-csp.yaml
@@ -64,9 +64,9 @@ spec:
 containers:
 - name: nimble-csp
 {{- if .Values.registry }}
- image: {{ .Values.registry }}/hpestorage/alletra-6000-and-nimble-csp:v2.4.0
+ image: {{ .Values.registry }}/hpestorage/alletra-6000-and-nimble-csp:v2.4.1
 {{- else }}
- image: quay.io/hpestorage/alletra-6000-and-nimble-csp:v2.4.0
+ image: quay.io/hpestorage/alletra-6000-and-nimble-csp:v2.4.1
 {{- end }}
 imagePullPolicy: {{ .Values.imagePullPolicy | quote }}
 ports:
diff --git a/charts/hpe/hpe-csi-driver/templates/primera-3par-csp.yaml b/charts/hpe/hpe-csi-driver/templates/primera-3par-csp.yaml
index 93353d7a8..9c9a6d7cc 100644
--- a/charts/hpe/hpe-csi-driver/templates/primera-3par-csp.yaml
+++ b/charts/hpe/hpe-csi-driver/templates/primera-3par-csp.yaml
@@ -1,3 +1,22 @@
+{{- if not .Values.disable.alletraStorageMP }}
+---
+### Alletra Storage MP CSP Service ###
+kind: Service
+apiVersion: v1
+metadata:
+ name: alletrastoragemp-csp-svc
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: alletrastoragemp-csp-svc
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ selector:
+ app: primera3par-csp
+
+{{- end }}
+
 {{- if not .Values.disable.alletra9000 }}
 ---
 ### Alletra9000 CSP Service ###
@@ -35,7 +54,7 @@ spec:
 app: primera3par-csp
 {{- end }}
-{{- if or (not .Values.disable.alletra9000) (not .Values.disable.primera) }}
+{{- if or (not .Values.disable.alletraStorageMP) (not .Values.disable.alletra9000) (not .Values.disable.primera) }}
 ---
 ### CSP deployment ###
@@ -66,9 +85,9 @@ spec:
 containers:
 - name: primera3par-csp
 {{- if .Values.registry }}
- image: {{ .Values.registry }}/hpestorage/alletra-9000-primera-and-3par-csp:v2.4.0
+ image: {{ .Values.registry }}/hpestorage/alletra-9000-primera-and-3par-csp:v2.4.1
 {{- else }}
- image: quay.io/hpestorage/alletra-9000-primera-and-3par-csp:v2.4.0
+ image: quay.io/hpestorage/alletra-9000-primera-and-3par-csp:v2.4.1
 {{- end }}
 imagePullPolicy: {{ .Values.imagePullPolicy | quote }}
 env:
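Review bot: The new `alletrastoragemp-csp-svc` Service selects `app: primera3par-csp`, the same selector the visible tail of the preceding Service uses, so it is an additional name in front of the shared CSP deployment rather than a backend of its own; the header comment should say so, e.g. `### Alletra Storage MP CSP Service (alias for the shared primera3par-csp deployment) ###`, so a reader does not go looking for a separate Alletra Storage MP deployment. The deployment gate in the later hunk now ORs three `disable.*` flags; a one-line comment above it such as `# The shared CSP deployment is rendered when any of the CSPs it serves is enabled` would document that coupling where it lives.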
diff --git a/charts/hpe/hpe-csi-driver/values.schema.json b/charts/hpe/hpe-csi-driver/values.schema.json index 2818c225f..8b2bd4273 100644 --- a/charts/hpe/hpe-csi-driver/values.schema.json +++ b/charts/hpe/hpe-csi-driver/values.schema.json @@ -9,7 +9,8 @@ "nimble": false, "primera": false, "alletra6000": false, - "alletra9000": false + "alletra9000": false, + "alletraStorageMP": false }, "disableNodeConformance": false, "disableNodeConfiguration": false, @@ -67,13 +68,15 @@ "nimble": false, "primera": false, "alletra6000": false, - "alletra9000": false + "alletra9000": false, + "alletraStorageMP": false }, "required": [ "nimble", "primera", "alletra6000", - "alletra9000" + "alletra9000", + "alletraStorageMP" ], "properties": { "nimble": { @@ -99,6 +102,12 @@ "title": "HPE Alletra 9000", "type": "boolean", "default": false + }, + "alletraStorageMP": { + "$id": "#/properties/disable/properties/alletraStorageMP", + "title": "HPE Alletra Storage MP", + "type": "boolean", + "default": false } }, "additionalProperties": false diff --git a/charts/hpe/hpe-csi-driver/values.yaml b/charts/hpe/hpe-csi-driver/values.yaml index b00bb5855..b69f4105d 100644 --- a/charts/hpe/hpe-csi-driver/values.yaml +++ b/charts/hpe/hpe-csi-driver/values.yaml @@ -8,6 +8,7 @@ disable: primera: false alletra6000: false alletra9000: false + alletraStorageMP: false # For controlling automatic iscsi/multipath package installation disableNodeConformance: false diff --git a/charts/instana/instana-agent/Chart.yaml b/charts/instana/instana-agent/Chart.yaml index d9ab8a089..6e46a1dcf 100644 --- a/charts/instana/instana-agent/Chart.yaml +++ b/charts/instana/instana-agent/Chart.yaml @@ -9,7 +9,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21-0' catalog.cattle.io/release-name: instana-agent apiVersion: v2 -appVersion: 1.267.0 +appVersion: 1.268.0 description: Instana Agent for Kubernetes home: https://www.instana.com/ icon: https://agents.instana.io/helm/stan-logo-2020.png 
@@ -23,4 +23,4 @@ maintainers: name: instana-agent sources: - https://github.com/instana/instana-agent-docker -version: 1.2.68 +version: 1.2.71 diff --git a/charts/instana/instana-agent/README.md b/charts/instana/instana-agent/README.md index d6c228612..233411989 100644 --- a/charts/instana/instana-agent/README.md +++ b/charts/instana/instana-agent/README.md @@ -141,6 +141,7 @@ The following table lists the configurable parameters of the Instana chart and t | `service.create` | Whether to create a service that exposes the agents' Prometheus, OpenTelemetry and other APIs inside the cluster. Requires Kubernetes 1.21+, as it relies on `internalTrafficPolicy`. The `ServiceInternalTrafficPolicy` feature gate needs to be enabled (default: enabled). | `true` | | `serviceAccount.create` | Whether a ServiceAccount should be created | `true` | | `serviceAccount.name` | Name of the ServiceAccount to use | `instana-agent` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | | `zone.name` | Zone that detected technologies will be assigned to | `nil` You must provide either `zone.name` or `cluster.name`, see [above](#installation) for details | | `zones` | Multi-zone daemonset configuration. | `nil` see [below](#multiple-zones) for details | | `k8s_sensor.podDisruptionBudget.enabled` | Whether to create DisruptionBudget for k8sensor to limit the number of concurrent disruptions | `false` | @@ -363,6 +364,10 @@ zones: ## Changelog +### 1.2.69 + +* Add possibility to set annotations for the serviceAccount. + ### 1.2.68 * Add leader elector configuration back to allow for proper deprecation diff --git a/charts/instana/instana-agent/templates/_helpers.tpl b/charts/instana/instana-agent/templates/_helpers.tpl index 6f866ecfd..220bfff07 100644 --- a/charts/instana/instana-agent/templates/_helpers.tpl +++ b/charts/instana/instana-agent/templates/_helpers.tpl 
@@ -151,7 +151,7 @@ Composes a container image from a dict containing a "name" field (required), "ta
 {{- $tag := .tag }}
 {{- $digest := .digest }}
 {{- if $digest }}
-{{- printf "%s@%s" $name $digest }}
+{{- printf "%s@sha256:%s" $name $digest }}
 {{- else if $tag }}
 {{- printf "%s:%s" $name $tag }}
 {{- else }}
diff --git a/charts/instana/instana-agent/templates/agent-daemonset-with-zones.yaml b/charts/instana/instana-agent/templates/agent-daemonset-with-zones.yaml
index cfa29ec57..e1af0c7e4 100644
--- a/charts/instana/instana-agent/templates/agent-daemonset-with-zones.yaml
+++ b/charts/instana/instana-agent/templates/agent-daemonset-with-zones.yaml
@@ -39,11 +39,9 @@ spec:
 {{- if $.Values.agent.pod.annotations }}
 {{- toYaml $.Values.agent.pod.annotations | nindent 8 }}
 {{- end }}
- {{- if not $.Values.templating }}
 # To ensure that changes to agent.configuration_yaml or agent.additional_backends trigger a Pod recreation, we keep a SHA here
 # Unfortunately, we cannot use the lookup function to check on the values in the configmap, otherwise we break Helm < 3.2
 instana-configuration-hash: {{ $.Values.agent.configuration_yaml | cat ";" | cat ( join "," $.Values.agent.additionalBackends ) | sha1sum }}
- {{- end }}
 spec:
 serviceAccountName: {{ template "instana-agent.serviceAccountName" $ }}
 {{- if $.Values.agent.pod.nodeSelector }}
diff --git a/charts/instana/instana-agent/templates/agent-daemonset.yaml b/charts/instana/instana-agent/templates/agent-daemonset.yaml
index 8063acb86..95270d49e 100644
--- a/charts/instana/instana-agent/templates/agent-daemonset.yaml
+++ b/charts/instana/instana-agent/templates/agent-daemonset.yaml
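Review bot: `printf "%s@sha256:%s" $name $digest` assumes `.digest` is the bare hex value; a digest that already carries the `sha256:` prefix — which the previous `%s@%s` format effectively required from users — now renders as `name@sha256:sha256:…`, an invalid image reference that only fails at pull time. Either normalise the input, `{{- printf "%s@sha256:%s" $name (trimPrefix "sha256:" $digest) }}`, or document on the `digest` value that only the hex part is expected and call the change out as breaking. The enclosing `define` block starts outside the hunk.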
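Review bot: Dropping the `{{- if not $.Values.templating }}` guard makes the `instana-configuration-hash` annotation unconditional, so any remaining `templating` key in values.yaml, values.schema.json or the README parameter table becomes dead and should be removed or its removal recorded in the changelog; the same guard is removed in agent-daemonset.yaml, k8s-sensor-deployment.yaml and kubernetes-sensor-deployment.yaml in the following hunks. If `templating` was set by an external renderer to suppress the hash, confirm that consumer no longer depends on it — I cannot tell from this diff who set it.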
@@ -32,11 +32,9 @@ spec:
 {{- if .Values.agent.pod.annotations }}
 {{- toYaml .Values.agent.pod.annotations | nindent 8 }}
 {{- end }}
- {{- if not .Values.templating }}
 # To ensure that changes to agent.configuration_yaml or agent.additional_backends trigger a Pod recreation, we keep a SHA here
 # Unfortunately, we cannot use the lookup function to check on the values in the configmap, otherwise we break Helm < 3.2
 instana-configuration-hash: {{ .Values.agent.configuration_yaml | cat ";" | cat ( join "," .Values.agent.additionalBackends ) | sha1sum }}
- {{- end }}
 spec:
 serviceAccountName: {{ template "instana-agent.serviceAccountName" . }}
 {{- if .Values.agent.pod.nodeSelector }}
diff --git a/charts/instana/instana-agent/templates/k8s-sensor-deployment.yaml b/charts/instana/instana-agent/templates/k8s-sensor-deployment.yaml
index 1b0efb1fb..6d225d7e8 100644
--- a/charts/instana/instana-agent/templates/k8s-sensor-deployment.yaml
+++ b/charts/instana/instana-agent/templates/k8s-sensor-deployment.yaml
@@ -32,11 +32,9 @@ spec:
 {{- if .Values.agent.pod.annotations }}
 {{- toYaml .Values.agent.pod.annotations | nindent 8 }}
 {{- end }}
- {{- if not .Values.templating }}
 # To ensure that changes to agent.configuration_yaml or agent.additional_backends trigger a Pod recreation, we keep a SHA here
 # Unfortunately, we cannot use the lookup function to check on the values in the configmap, otherwise we break Helm < 3.2
 instana-configuration-hash: {{ cat ( join "," .Values.agent.additionalBackends ) | sha1sum }}
- {{- end }}
 spec:
 serviceAccountName: k8sensor
 {{- if .Values.k8s_sensor.deployment.pod.nodeSelector }}
diff --git a/charts/instana/instana-agent/templates/kubernetes-sensor-deployment.yaml b/charts/instana/instana-agent/templates/kubernetes-sensor-deployment.yaml
index 36d4ab4d0..7bfe7be5b 100644
--- a/charts/instana/instana-agent/templates/kubernetes-sensor-deployment.yaml
+++ b/charts/instana/instana-agent/templates/kubernetes-sensor-deployment.yaml
@@ -25,11 +25,9 @@ spec:
 {{- if .Values.agent.pod.annotations }}
 {{- toYaml .Values.agent.pod.annotations | nindent 8 }}
 {{- end }}
- {{- if not .Values.templating }}
 # To ensure that changes to agent.configuration_yaml or agent.additional_backends trigger a Pod recreation, we keep a SHA here
 # Unfortunately, we cannot use the lookup function to check on the values in the configmap, otherwise we break Helm < 3.2
 instana-configuration-hash: {{ cat ( join "," .Values.agent.additionalBackends ) | sha1sum }}
- {{- end }}
 spec:
 serviceAccountName: {{ template "instana-agent.serviceAccountName" . }}
 {{- if .Values.kubernetes.deployment.pod.nodeSelector }}
diff --git a/charts/instana/instana-agent/templates/serviceaccount.yaml b/charts/instana/instana-agent/templates/serviceaccount.yaml
index 574a67e76..f26642835 100644
--- a/charts/instana/instana-agent/templates/serviceaccount.yaml
+++ b/charts/instana/instana-agent/templates/serviceaccount.yaml
@@ -7,4 +7,10 @@ metadata:
 namespace: {{ .Release.Namespace }}
 labels:
 {{- include "instana-agent.commonLabels" . | nindent 4 }}
+ {{- if .Values.serviceAccount.annotations }}
+ annotations:
+ {{- if .Values.serviceAccount.annotations }}
+ {{- toYaml .Values.serviceAccount.annotations | nindent 4}}
+ {{- end }}
+ {{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/charts/instana/instana-agent/values.yaml b/charts/instana/instana-agent/values.yaml
index 9fa6c7fb4..5e68436b2 100644
--- a/charts/instana/instana-agent/values.yaml
+++ b/charts/instana/instana-agent/values.yaml
@@ -215,6 +215,8 @@ serviceAccount:
 # The name of the ServiceAccount to use.
 # If not set and `create` is true, a name is generated using the fullname template
 # name: instana-agent
+ # Annotations to add to the service account
+ annotations: {}
 podSecurityPolicy:
 # Specifies whether a PodSecurityPolicy should be authorized for the Instana Agent pods.
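Review bot: In the serviceaccount.yaml hunk the inner `{{- if .Values.serviceAccount.annotations }}` repeats the outer condition two lines above and can be removed; `annotations:` directly followed by `{{- toYaml .Values.serviceAccount.annotations | nindent 4 }}` is sufficient, and that also restores the missing space before `}}`. The file still ends without a trailing newline, as the `\ No newline at end of file` marker shows, which is worth fixing while the file is being touched.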
diff --git a/charts/jenkins/jenkins/CHANGELOG.md b/charts/jenkins/jenkins/CHANGELOG.md index b52622b1e..81f915929 100644 --- a/charts/jenkins/jenkins/CHANGELOG.md +++ b/charts/jenkins/jenkins/CHANGELOG.md @@ -12,9 +12,42 @@ Use the following links to reference issues, PRs, and commits prior to v2.6.0. The changelog until v1.5.7 was auto-generated based on git commits. Those entries include a reference to the git commit to be able to get more details. +## 5.1.0 + +Add `agent.restrictedPssSecurityContext` to automatically inject in the jnlp container a securityContext that is suitable for the use of the restricted Pod Security Standard + +## 5.0.20 + +Update `docker.io/kiwigrid/k8s-sidecar` to version `1.26.1` + +## 5.0.19 + +Introduced helm-docs to automatically generate `values.yaml` documentation. + +## 5.0.18 + +Update `kubernetes` to version `4193.vded98e56cc25` + +## 5.0.17 + +Update `docker.io/kiwigrid/k8s-sidecar` to version `1.26.0` + +## 5.0.16 + +Enable support for deleting plugin configuration files at startup. + +## 5.0.15 + +Fixed changelog entries for previous version bumps + + +## 5.0.14 + +Update `jenkins/jenkins` to version `2.440.1-jdk17` + ## 5.0.13 -Update `docker.io/kiwigrid/k8s-sidecar` to version `docker.io/kiwigrid/k8s-sidecar` +Update `docker.io/kiwigrid/k8s-sidecar` to version `1.25.4` ## 5.0.12 @@ -27,7 +60,7 @@ Fix controller.sidecars.additionalSidecarContainers renaming and add tests ## 5.0.10 -Update `jenkins/inbound-agent` to version `jenkins/inbound-agent` +Update `jenkins/inbound-agent` to version `3206.vb_15dcf73f6a_9-3` ## 5.0.9 diff --git a/charts/jenkins/jenkins/Chart.yaml b/charts/jenkins/jenkins/Chart.yaml index 74d0caa3d..1502d6c9a 100644 --- a/charts/jenkins/jenkins/Chart.yaml +++ b/charts/jenkins/jenkins/Chart.yaml 
@@ -1,12 +1,12 @@ annotations: artifacthub.io/category: integration-delivery artifacthub.io/changes: | - - Update `docker.io/kiwigrid/k8s-sidecar` to version `docker.io/kiwigrid/k8s-sidecar` + - Add `agent.restrictedPssSecurityContext` to automatically inject in the jnlp container a securityContext that is suitable for the use of the restricted Pod Security Standard artifacthub.io/images: | - name: jenkins - image: docker.io/jenkins/jenkins:2.426.3-jdk17 + image: docker.io/jenkins/jenkins:2.440.1-jdk17 - name: k8s-sidecar - image: docker.io/kiwigrid/k8s-sidecar:1.25.4 + image: docker.io/kiwigrid/k8s-sidecar:1.26.1 - name: inbound-agent image: jenkins/inbound-agent:3206.vb_15dcf73f6a_9-3 artifacthub.io/license: Apache-2.0 @@ -22,11 +22,11 @@ annotations: catalog.cattle.io/kube-version: '>=1.14-0' catalog.cattle.io/release-name: jenkins apiVersion: v2 -appVersion: 2.426.3 -description: Jenkins - Build great things at any scale! The leading open source automation - server, Jenkins provides over 1800 plugins to support building, deploying and automating - any project. -home: https://jenkins.io/ +appVersion: 2.440.1 +description: 'Jenkins - Build great things at any scale! As the leading open source + automation server, Jenkins provides over 1800 plugins to support building, deploying + and automating any project. ' +home: https://www.jenkins.io/ icon: https://get.jenkins.io/art/jenkins-logo/logo.svg keywords: - jenkins @@ -49,4 +49,5 @@ sources: - https://github.com/jenkinsci/docker-inbound-agent - https://github.com/maorfr/kube-tasks - https://github.com/jenkinsci/configuration-as-code-plugin -version: 5.0.13 +type: application +version: 5.1.0 diff --git a/charts/jenkins/jenkins/README.md b/charts/jenkins/jenkins/README.md index 9b7db0737..df29e0b22 100644 --- a/charts/jenkins/jenkins/README.md +++ b/charts/jenkins/jenkins/README.md 
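Review bot: The rewritten `description` in the second hunk ends with a trailing space inside the quotes, `any project. '`, and that space becomes part of the chart metadata shown by Helm and chart registries; suggest `  and automating any project.'` on the last continuation line. The move to a single-quoted folded scalar is otherwise fine, and the new `type: application` in the third hunk is consistent with the `apiVersion: v2` already declared.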
@@ -424,7 +424,7 @@ controller: # the 'name' and 'keyName' are concatenated with a '-' in between, so for example: # an existing secret "secret-credentials" and a key inside it named "github-password" should be used in Jcasc as ${secret-credentials-github-password} # 'name' and 'keyName' must be lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', - # and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc') + # and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc') # existingSecret existing secret "secret-credentials" and a key inside it named "github-username" should be used in Jcasc as ${github-username} # When using existingSecret no need to specify the keyName under additionalExistingSecrets. existingSecret: secret-credentials @@ -494,7 +494,7 @@ RBAC is enabled by default. If you want to disable it you will need to set `rbac It is possible to add custom pod templates for the default configured kubernetes cloud. Add a key under `agent.podTemplates` for each pod template. Each key (prior to `|` character) is just a label, and can be any value. -Keys are only used to give the pod template a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label characters: lowercase letters, numbers, and hyphens. Each pod template can contain multiple containers. +Keys are only used to give the pod template a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label characters: lowercase letters, numbers, and hyphens. Each pod template can contain multiple containers. There's no need to add the _jnlp_ container since the kubernetes plugin will automatically inject it into the pod. For this pod templates configuration to be loaded the following values must be set: diff --git a/charts/jenkins/jenkins/VALUES.md b/charts/jenkins/jenkins/VALUES.md new file mode 100644 index 000000000..a3282295f --- /dev/null 
+++ b/charts/jenkins/jenkins/VALUES.md 
@@ -0,0 +1,303 @@ +# Jenkins + +## Configuration + +The following tables list the configurable parameters of the Jenkins chart and their default values. + +## Values + +| Key | Type | Description | Default | +|:----|:-----|:---------|:------------| +| [additionalAgents](./values.yaml#L1138) | object | Configure additional | `{}` | +| [additionalClouds](./values.yaml#L1163) | object | | `{}` | +| [agent.TTYEnabled](./values.yaml#L1058) | bool | Allocate pseudo tty to the side container | `false` | +| [agent.additionalContainers](./values.yaml#L1091) | list | Add additional containers to the agents | `[]` | +| [agent.alwaysPullImage](./values.yaml#L951) | bool | Always pull agent container image before build | `false` | +| [agent.annotations](./values.yaml#L1087) | object | Annotations to apply to the pod | `{}` | +| [agent.args](./values.yaml#L1052) | string | Arguments passed to command to execute | `"${computer.jnlpmac} ${computer.name}"` | +| [agent.command](./values.yaml#L1050) | string | Command to execute when side container starts | `nil` | +| [agent.componentName](./values.yaml#L919) | string | | `"jenkins-agent"` | +| [agent.connectTimeout](./values.yaml#L1085) | int | Timeout in seconds for an agent to be online | `100` | +| [agent.containerCap](./values.yaml#L1060) | int | Max number of agents to launch | `10` | +| [agent.customJenkinsLabels](./values.yaml#L916) | list | Append Jenkins labels to the agent | `[]` | +| [agent.defaultsProviderTemplate](./values.yaml#L882) | string | The name of the pod template to use for providing default values | `""` | +| [agent.directConnection](./values.yaml#L922) | bool | | `false` | +| [agent.disableDefaultAgent](./values.yaml#L1109) | bool | Disable the default Jenkins Agent configuration | `false` | +| [agent.enabled](./values.yaml#L880) | bool | Enable Kubernetes plugin jnlp-agent podTemplate | `true` | +| [agent.envVars](./values.yaml#L1033) | list | Environment variables for the agent Pod | `[]` | +| 
[agent.hostNetworking](./values.yaml#L930) | bool | Enables the agent to use the host network | `false` | +| [agent.idleMinutes](./values.yaml#L1065) | int | Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it | `0` | +| [agent.image.repository](./values.yaml#L909) | string | Repository to pull the agent jnlp image from | `"jenkins/inbound-agent"` | +| [agent.image.tag](./values.yaml#L911) | string | Tag of the image to pull | `"3206.vb_15dcf73f6a_9-3"` | +| [agent.imagePullSecretName](./values.yaml#L918) | string | Name of the secret to be used to pull the image | `nil` | +| [agent.jenkinsTunnel](./values.yaml#L890) | string | Overrides the Kubernetes Jenkins tunnel | `nil` | +| [agent.jenkinsUrl](./values.yaml#L886) | string | Overrides the Kubernetes Jenkins URL | `nil` | +| [agent.jnlpregistry](./values.yaml#L906) | string | Custom registry used to pull the agent jnlp image from | `nil` | +| [agent.kubernetesConnectTimeout](./values.yaml#L892) | int | The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5 | `5` | +| [agent.kubernetesReadTimeout](./values.yaml#L894) | int | The read timeout in seconds for connections to Kubernetes API. 
The minimum value is 15 | `15` | +| [agent.livenessProbe](./values.yaml#L941) | object | | `{}` | +| [agent.maxRequestsPerHostStr](./values.yaml#L896) | string | The maximum concurrent connections to Kubernetes API | `"32"` | +| [agent.namespace](./values.yaml#L902) | string | Namespace in which the Kubernetes agents should be launched | `nil` | +| [agent.nodeSelector](./values.yaml#L1044) | object | Node labels for pod assignment | `{}` | +| [agent.nodeUsageMode](./values.yaml#L914) | string | | `"NORMAL"` | +| [agent.podLabels](./values.yaml#L904) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` | +| [agent.podName](./values.yaml#L1062) | string | Agent Pod base name | `"default"` | +| [agent.podRetention](./values.yaml#L960) | string | | `"Never"` | +| [agent.podTemplates](./values.yaml#L1119) | object | Configures extra pod templates for the default kubernetes cloud | `{}` | +| [agent.privileged](./values.yaml#L924) | bool | Agent privileged container | `false` | +| [agent.resources](./values.yaml#L932) | object | Resources allocation (Requests and Limits) | `{"limits":{"cpu":"512m","memory":"512Mi"},"requests":{"cpu":"512m","memory":"512Mi"}}` | +| [agent.restrictedPssSecurityContext](./values.yaml#L957) | bool | Set a restricted securityContext on jnlp containers | `false` | +| [agent.retentionTimeout](./values.yaml#L898) | int | Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated | `5` | +| [agent.runAsGroup](./values.yaml#L928) | string | Configure container group | `nil` | +| [agent.runAsUser](./values.yaml#L926) | string | Configure container user | `nil` | +| [agent.secretEnvVars](./values.yaml#L1037) | list | Mount a secret as environment variable | `[]` | +| [agent.showRawYaml](./values.yaml#L964) | bool | | `true` | +| [agent.sideContainerName](./values.yaml#L1054) | string | Side container name | `"jnlp"` | +| [agent.volumes](./values.yaml#L971) | list 
| Additional volumes | `[]` | +| [agent.waitForPodSec](./values.yaml#L900) | int | Seconds to wait for pod to be running | `600` | +| [agent.websocket](./values.yaml#L921) | bool | Enables agent communication via websockets | `false` | +| [agent.workingDir](./values.yaml#L913) | string | Configure working directory for default agent | `"/home/jenkins/agent"` | +| [agent.workspaceVolume](./values.yaml#L1006) | object | Workspace volume (defaults to EmptyDir) | `{}` | +| [agent.yamlMergeStrategy](./values.yaml#L1083) | string | Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. Possible values: "merge" or "override" | `"override"` | +| [agent.yamlTemplate](./values.yaml#L1072) | string | The raw yaml of a Pod API Object to merge into the agent spec | `""` | +| [awsSecurityGroupPolicies.enabled](./values.yaml#L1289) | bool | | `false` | +| [awsSecurityGroupPolicies.policies[0].name](./values.yaml#L1291) | string | | `""` | +| [awsSecurityGroupPolicies.policies[0].podSelector](./values.yaml#L1293) | object | | `{}` | +| [awsSecurityGroupPolicies.policies[0].securityGroupIds](./values.yaml#L1292) | list | | `[]` | +| [checkDeprecation](./values.yaml#L1286) | bool | Checks if any deprecated values are used | `true` | +| [clusterZone](./values.yaml#L21) | string | Override the cluster name for FQDN resolving | `"cluster.local"` | +| [controller.JCasC.authorizationStrategy](./values.yaml#L533) | string | Jenkins Config as Code Authorization Strategy-section | `"loggedInUsersCanDoAnything:\n allowAnonymousRead: false"` | +| [controller.JCasC.configScripts](./values.yaml#L507) | object | List of Jenkins Config as Code scripts | `{}` | +| [controller.JCasC.configUrls](./values.yaml#L504) | list | Remote URLs for configuration files. 
| `[]` | +| [controller.JCasC.defaultConfig](./values.yaml#L498) | bool | Enables default Jenkins configuration via configuration as code plugin | `true` | +| [controller.JCasC.overwriteConfiguration](./values.yaml#L502) | bool | Whether Jenkins Config as Code should overwrite any existing configuration | `false` | +| [controller.JCasC.security](./values.yaml#L514) | object | Jenkins Config as Code security-section | `{"apiToken":{"creationOfLegacyTokenEnabled":false,"tokenGenerationOnCreationEnabled":false,"usageStatisticsEnabled":true}}` | +| [controller.JCasC.securityRealm](./values.yaml#L522) | string | Jenkins Config as Code Security Realm-section | `"local:\n allowsSignup: false\n enableCaptcha: false\n users:\n - id: \"${chart-admin-username}\"\n name: \"Jenkins Admin\"\n password: \"${chart-admin-password}\""` | +| [controller.additionalExistingSecrets](./values.yaml#L459) | list | List of additional existing secrets to mount | `[]` | +| [controller.additionalPlugins](./values.yaml#L409) | list | List of plugins to install in addition to those listed in controller.installPlugins | `[]` | +| [controller.additionalSecrets](./values.yaml#L468) | list | List of additional secrets to create and mount | `[]` | +| [controller.admin.createSecret](./values.yaml#L91) | bool | Create secret for admin user | `true` | +| [controller.admin.existingSecret](./values.yaml#L94) | string | The name of an existing secret containing the admin credentials | `""` | +| [controller.admin.password](./values.yaml#L81) | string | Admin password created as a secret if `controller.admin.createSecret` is true | `` | +| [controller.admin.passwordKey](./values.yaml#L86) | string | The key in the existing admin secret containing the password | `"jenkins-admin-password"` | +| [controller.admin.userKey](./values.yaml#L84) | string | The key in the existing admin secret containing the username | `"jenkins-admin-user"` | +| [controller.admin.username](./values.yaml#L78) | string | Admin 
username created as a secret if `controller.admin.createSecret` is true | `"admin"` | +| [controller.affinity](./values.yaml#L638) | object | Affinity settings | `{}` | +| [controller.agentListenerEnabled](./values.yaml#L318) | bool | Create Agent listener service | `true` | +| [controller.agentListenerExternalTrafficPolicy](./values.yaml#L328) | string | Traffic Policy of for the agentListener service | `nil` | +| [controller.agentListenerHostPort](./values.yaml#L322) | string | Host port to listen for agents | `nil` | +| [controller.agentListenerLoadBalancerIP](./values.yaml#L358) | string | Static IP for the agentListener LoadBalancer | `nil` | +| [controller.agentListenerLoadBalancerSourceRanges](./values.yaml#L330) | list | Allowed inbound IP for the agentListener service | `["0.0.0.0/0"]` | +| [controller.agentListenerNodePort](./values.yaml#L324) | string | Node port to listen for agents | `nil` | +| [controller.agentListenerPort](./values.yaml#L320) | int | Listening port for agents | `50000` | +| [controller.agentListenerServiceAnnotations](./values.yaml#L353) | object | Annotations for the agentListener service | `{}` | +| [controller.agentListenerServiceType](./values.yaml#L350) | string | Defines how to expose the agentListener service | `"ClusterIP"` | +| [controller.backendconfig.annotations](./values.yaml#L738) | object | backendconfig annotations | `{}` | +| [controller.backendconfig.apiVersion](./values.yaml#L732) | string | backendconfig API version | `"extensions/v1beta1"` | +| [controller.backendconfig.enabled](./values.yaml#L730) | bool | Enables backendconfig | `false` | +| [controller.backendconfig.labels](./values.yaml#L736) | object | backendconfig labels | `{}` | +| [controller.backendconfig.name](./values.yaml#L734) | string | backendconfig name | `nil` | +| [controller.backendconfig.spec](./values.yaml#L740) | object | backendconfig spec | `{}` | +| [controller.cloudName](./values.yaml#L487) | string | Name of default cloud 
configuration. | `"kubernetes"` | +| [controller.clusterIp](./values.yaml#L217) | string | k8s service clusterIP. Only used if serviceType is ClusterIP | `nil` | +| [controller.componentName](./values.yaml#L34) | string | Used for label app.kubernetes.io/component | `"jenkins-controller"` | +| [controller.containerEnv](./values.yaml#L150) | list | Environment variables for Jenkins Container | `[]` | +| [controller.containerEnvFrom](./values.yaml#L147) | list | Environment variable sources for Jenkins Container | `[]` | +| [controller.containerSecurityContext](./values.yaml#L205) | object | Allow controlling the securityContext for the jenkins container | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsUser":1000}` | +| [controller.csrf.defaultCrumbIssuer.enabled](./values.yaml#L339) | bool | Enable the default CSRF Crumb issuer | `true` | +| [controller.csrf.defaultCrumbIssuer.proxyCompatability](./values.yaml#L341) | bool | Enable proxy compatibility | `true` | +| [controller.customInitContainers](./values.yaml#L537) | list | Custom init-container specification in raw-yaml format | `[]` | +| [controller.customJenkinsLabels](./values.yaml#L68) | list | Append Jenkins labels to the controller | `[]` | +| [controller.disableRememberMe](./values.yaml#L59) | bool | Disable use of remember me | `false` | +| [controller.disabledAgentProtocols](./values.yaml#L333) | list | Disabled agent protocols | `["JNLP-connect","JNLP2-connect"]` | +| [controller.enableRawHtmlMarkupFormatter](./values.yaml#L429) | bool | Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter) | `false` | +| [controller.executorMode](./values.yaml#L65) | string | Sets the executor mode of the Jenkins node. 
Possible values are "NORMAL" or "EXCLUSIVE" | `"NORMAL"` | +| [controller.existingSecret](./values.yaml#L456) | string | | `nil` | +| [controller.extraPorts](./values.yaml#L388) | list | Optionally configure other ports to expose in the controller container | `[]` | +| [controller.fsGroup](./values.yaml#L186) | int | Deprecated in favor of `controller.podSecurityContextOverride`. uid that will be used for persistent volume. | `1000` | +| [controller.googlePodMonitor.enabled](./values.yaml#L801) | bool | | `false` | +| [controller.googlePodMonitor.scrapeEndpoint](./values.yaml#L806) | string | | `"/prometheus"` | +| [controller.googlePodMonitor.scrapeInterval](./values.yaml#L804) | string | | `"60s"` | +| [controller.healthProbes](./values.yaml#L248) | bool | Enable Kubernetes Probes configuration configured in `controller.probes` | `true` | +| [controller.hostAliases](./values.yaml#L754) | list | Allows for adding entries to Pod /etc/hosts | `[]` | +| [controller.hostNetworking](./values.yaml#L70) | bool | | `false` | +| [controller.httpsKeyStore.disableSecretMount](./values.yaml#L822) | bool | | `false` | +| [controller.httpsKeyStore.enable](./values.yaml#L813) | bool | Enables HTTPS keystore on jenkins controller | `false` | +| [controller.httpsKeyStore.fileName](./values.yaml#L830) | string | Jenkins keystore filename which will appear under controller.httpsKeyStore.path | `"keystore.jks"` | +| [controller.httpsKeyStore.httpPort](./values.yaml#L826) | int | HTTP Port that Jenkins should listen to along with HTTPS, it also serves as the liveness and readiness probes port. 
| `8081` | +| [controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretKey](./values.yaml#L821) | string | Name of the key in the secret that contains the JKS password | `"https-jks-password"` | +| [controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretName](./values.yaml#L819) | string | Name of the secret that contains the JKS password, if it is not in the same secret as the JKS file | `""` | +| [controller.httpsKeyStore.jenkinsHttpsJksSecretKey](./values.yaml#L817) | string | Name of the key in the secret that already has ssl keystore | `"jenkins-jks-file"` | +| [controller.httpsKeyStore.jenkinsHttpsJksSecretName](./values.yaml#L815) | string | Name of the secret that already has ssl keystore | `""` | +| [controller.httpsKeyStore.jenkinsKeyStoreBase64Encoded](./values.yaml#L835) | string | Base64 encoded Keystore content. Keystore must be converted to base64 then being pasted here | `nil` | +| [controller.httpsKeyStore.password](./values.yaml#L832) | string | Jenkins keystore password | `"password"` | +| [controller.httpsKeyStore.path](./values.yaml#L828) | string | Path of HTTPS keystore file | `"/var/jenkins_keystore"` | +| [controller.image.pullPolicy](./values.yaml#L47) | string | Controller image pull policy | `"Always"` | +| [controller.image.registry](./values.yaml#L37) | string | Controller image registry | `"docker.io"` | +| [controller.image.repository](./values.yaml#L39) | string | Controller image repository | `"jenkins/jenkins"` | +| [controller.image.tag](./values.yaml#L42) | string | Controller image tag override; i.e., tag: "2.440.1-jdk17" | `nil` | +| [controller.image.tagLabel](./values.yaml#L45) | string | Controller image tag label | `"jdk17"` | +| [controller.imagePullSecretName](./values.yaml#L49) | string | Controller image pull secret | `nil` | +| [controller.ingress.annotations](./values.yaml#L677) | object | Ingress annotations | `{}` | +| [controller.ingress.apiVersion](./values.yaml#L673) | string | Ingress API version | 
`"extensions/v1beta1"` | +| [controller.ingress.enabled](./values.yaml#L656) | bool | Enables ingress | `false` | +| [controller.ingress.hostName](./values.yaml#L690) | string | Ingress hostname | `nil` | +| [controller.ingress.labels](./values.yaml#L675) | object | Ingress labels | `{}` | +| [controller.ingress.path](./values.yaml#L686) | string | Ingress path | `nil` | +| [controller.ingress.paths](./values.yaml#L660) | list | Override for the default Ingress paths | `[]` | +| [controller.ingress.resourceRootUrl](./values.yaml#L692) | string | Hostname to serve assets from | `nil` | +| [controller.ingress.tls](./values.yaml#L694) | list | Ingress TLS configuration | `[]` | +| [controller.initConfigMap](./values.yaml#L446) | string | Name of the existing ConfigMap that contains init scripts | `nil` | +| [controller.initContainerEnv](./values.yaml#L141) | list | Environment variables for Init Container | `[]` | +| [controller.initContainerEnvFrom](./values.yaml#L137) | list | Environment variable sources for Init Container | `[]` | +| [controller.initContainerResources](./values.yaml#L128) | object | Resources allocation (Requests and Limits) for Init Container | `{}` | +| [controller.initScripts](./values.yaml#L442) | object | Map of groovy init scripts to be executed during Jenkins controller start | `{}` | +| [controller.initializeOnce](./values.yaml#L414) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` | +| [controller.installLatestPlugins](./values.yaml#L403) | bool | Download the minimum required version or latest version of all dependencies | `true` | +| [controller.installLatestSpecifiedPlugins](./values.yaml#L406) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` | +| [controller.installPlugins](./values.yaml#L395) | list | List of Jenkins plugins to install. 
If you don't want to install plugins, set it to `false` | `["kubernetes:4193.vded98e56cc25","workflow-aggregator:596.v8c21c963d92d","git:5.2.1","configuration-as-code:1775.v810dc950b_514"]` | +| [controller.javaOpts](./values.yaml#L156) | string | Append to `JAVA_OPTS` env var | `nil` | +| [controller.jenkinsAdminEmail](./values.yaml#L96) | string | Email address for the administrator of the Jenkins instance | `nil` | +| [controller.jenkinsHome](./values.yaml#L101) | string | Custom Jenkins home path | `"/var/jenkins_home"` | +| [controller.jenkinsOpts](./values.yaml#L158) | string | Append to `JENKINS_OPTS` env var | `nil` | +| [controller.jenkinsRef](./values.yaml#L106) | string | Custom Jenkins reference path | `"/usr/share/jenkins/ref"` | +| [controller.jenkinsUriPrefix](./values.yaml#L173) | string | Root URI Jenkins will be served on | `nil` | +| [controller.jenkinsUrl](./values.yaml#L168) | string | Set Jenkins URL if you are not using the ingress definitions provided by the chart | `nil` | +| [controller.jenkinsUrlProtocol](./values.yaml#L165) | string | Set protocol for Jenkins URL; `https` if `controller.ingress.tls`, `http` otherwise | `nil` | +| [controller.jenkinsWar](./values.yaml#L109) | string | | `"/usr/share/jenkins/jenkins.war"` | +| [controller.jmxPort](./values.yaml#L385) | string | Open a port, for JMX stats | `nil` | +| [controller.legacyRemotingSecurityEnabled](./values.yaml#L361) | bool | Whether legacy remoting security should be enabled | `false` | +| [controller.lifecycle](./values.yaml#L51) | object | Lifecycle specification for controller-container | `{}` | +| [controller.loadBalancerIP](./values.yaml#L376) | string | Optionally assign a known public LB IP | `nil` | +| [controller.loadBalancerSourceRanges](./values.yaml#L372) | list | Allowed inbound IP addresses | `["0.0.0.0/0"]` | +| [controller.markupFormatter](./values.yaml#L433) | string | Yaml of the markup formatter to use | `"plainText"` | +| 
[controller.nodePort](./values.yaml#L223) | string | k8s node port. Only used if serviceType is NodePort | `nil` | +| [controller.nodeSelector](./values.yaml#L625) | object | Node labels for pod assignment | `{}` | +| [controller.numExecutors](./values.yaml#L62) | int | Set Number of executors | `0` | +| [controller.overwritePlugins](./values.yaml#L418) | bool | Overwrite installed plugins on start | `false` | +| [controller.overwritePluginsFromImage](./values.yaml#L422) | bool | Overwrite plugins that are already installed in the controller image | `true` | +| [controller.podAnnotations](./values.yaml#L646) | object | Annotations for controller pod | `{}` | +| [controller.podDisruptionBudget.annotations](./values.yaml#L312) | object | | `{}` | +| [controller.podDisruptionBudget.apiVersion](./values.yaml#L310) | string | Policy API version | `"policy/v1beta1"` | +| [controller.podDisruptionBudget.enabled](./values.yaml#L305) | bool | Enable Kubernetes Pod Disruption Budget configuration | `false` | +| [controller.podDisruptionBudget.labels](./values.yaml#L313) | object | | `{}` | +| [controller.podDisruptionBudget.maxUnavailable](./values.yaml#L315) | string | Number of pods that can be unavailable. 
Either an absolute number or a percentage | `"0"` | +| [controller.podLabels](./values.yaml#L241) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` | +| [controller.podSecurityContextOverride](./values.yaml#L202) | string | Completely overwrites the contents of the pod security context, ignoring the values provided for `runAsUser`, `fsGroup`, and `securityContextCapabilities` | `nil` | +| [controller.priorityClassName](./values.yaml#L643) | string | The name of a `priorityClass` to apply to the controller pod | `nil` | +| [controller.probes.livenessProbe.failureThreshold](./values.yaml#L266) | int | Set the failure threshold for the liveness probe | `5` | +| [controller.probes.livenessProbe.httpGet.path](./values.yaml#L269) | string | Set the Pod's HTTP path for the liveness probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` | +| [controller.probes.livenessProbe.httpGet.port](./values.yaml#L271) | string | Set the Pod's HTTP port to use for the liveness probe | `"http"` | +| [controller.probes.livenessProbe.initialDelaySeconds](./values.yaml#L280) | string | Set the initial delay for the liveness probe in seconds | `nil` | +| [controller.probes.livenessProbe.periodSeconds](./values.yaml#L273) | int | Set the time interval between two liveness probes executions in seconds | `10` | +| [controller.probes.livenessProbe.timeoutSeconds](./values.yaml#L275) | int | Set the timeout for the liveness probe in seconds | `5` | +| [controller.probes.readinessProbe.failureThreshold](./values.yaml#L284) | int | Set the failure threshold for the readiness probe | `3` | +| [controller.probes.readinessProbe.httpGet.path](./values.yaml#L287) | string | Set the Pod's HTTP path for the liveness probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` | +| [controller.probes.readinessProbe.httpGet.port](./values.yaml#L289) | string | Set the Pod's HTTP port to use for the readiness probe | `"http"` | +| 
[controller.probes.readinessProbe.initialDelaySeconds](./values.yaml#L298) | string | Set the initial delay for the readiness probe in seconds | `nil` | +| [controller.probes.readinessProbe.periodSeconds](./values.yaml#L291) | int | Set the time interval between two readiness probes executions in seconds | `10` | +| [controller.probes.readinessProbe.timeoutSeconds](./values.yaml#L293) | int | Set the timeout for the readiness probe in seconds | `5` | +| [controller.probes.startupProbe.failureThreshold](./values.yaml#L253) | int | Set the failure threshold for the startup probe | `12` | +| [controller.probes.startupProbe.httpGet.path](./values.yaml#L256) | string | Set the Pod's HTTP path for the startup probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` | +| [controller.probes.startupProbe.httpGet.port](./values.yaml#L258) | string | Set the Pod's HTTP port to use for the startup probe | `"http"` | +| [controller.probes.startupProbe.periodSeconds](./values.yaml#L260) | int | Set the time interval between two startup probes executions in seconds | `10` | +| [controller.probes.startupProbe.timeoutSeconds](./values.yaml#L262) | int | Set the timeout for the startup probe in seconds | `5` | +| [controller.projectNamingStrategy](./values.yaml#L425) | string | | `"standard"` | +| [controller.prometheus.alertingRulesAdditionalLabels](./values.yaml#L787) | object | Additional labels to add to the PrometheusRule object | `{}` | +| [controller.prometheus.alertingrules](./values.yaml#L785) | list | Array of prometheus alerting rules | `[]` | +| [controller.prometheus.enabled](./values.yaml#L770) | bool | Enables prometheus service monitor | `false` | +| [controller.prometheus.metricRelabelings](./values.yaml#L797) | list | | `[]` | +| [controller.prometheus.prometheusRuleNamespace](./values.yaml#L789) | string | Set a custom namespace where to deploy PrometheusRule resource | `""` | +| [controller.prometheus.relabelings](./values.yaml#L795) | list | | 
`[]` | +| [controller.prometheus.scrapeEndpoint](./values.yaml#L780) | string | The endpoint prometheus should get metrics from | `"/prometheus"` | +| [controller.prometheus.scrapeInterval](./values.yaml#L776) | string | How often prometheus should scrape metrics | `"60s"` | +| [controller.prometheus.serviceMonitorAdditionalLabels](./values.yaml#L772) | object | Additional labels to add to the service monitor object | `{}` | +| [controller.prometheus.serviceMonitorNamespace](./values.yaml#L774) | string | Set a custom namespace where to deploy ServiceMonitor resource | `nil` | +| [controller.resources](./values.yaml#L115) | object | Resource allocation (Requests and Limits) | `{"limits":{"cpu":"2000m","memory":"4096Mi"},"requests":{"cpu":"50m","memory":"256Mi"}}` | +| [controller.route.annotations](./values.yaml#L749) | object | Route annotations | `{}` | +| [controller.route.enabled](./values.yaml#L745) | bool | Enables openshift route | `false` | +| [controller.route.labels](./values.yaml#L747) | object | Route labels | `{}` | +| [controller.route.path](./values.yaml#L751) | string | Route path | `nil` | +| [controller.runAsUser](./values.yaml#L183) | int | Deprecated in favor of `controller.podSecurityContextOverride`. uid that jenkins runs with. 
| `1000` | +| [controller.schedulerName](./values.yaml#L621) | string | Name of the Kubernetes scheduler to use | `""` | +| [controller.scriptApproval](./values.yaml#L437) | list | List of groovy functions to approve | `[]` | +| [controller.secondaryingress.annotations](./values.yaml#L712) | object | | `{}` | +| [controller.secondaryingress.apiVersion](./values.yaml#L710) | string | | `"extensions/v1beta1"` | +| [controller.secondaryingress.enabled](./values.yaml#L704) | bool | | `false` | +| [controller.secondaryingress.hostName](./values.yaml#L719) | string | | `nil` | +| [controller.secondaryingress.labels](./values.yaml#L711) | object | | `{}` | +| [controller.secondaryingress.paths](./values.yaml#L707) | list | | `[]` | +| [controller.secondaryingress.tls](./values.yaml#L720) | string | | `nil` | +| [controller.secretClaims](./values.yaml#L480) | list | List of `SecretClaim` resources to create | `[]` | +| [controller.securityContextCapabilities](./values.yaml#L192) | object | | `{}` | +| [controller.serviceAnnotations](./values.yaml#L230) | object | Jenkins controller service annotations | `{}` | +| [controller.serviceExternalTrafficPolicy](./values.yaml#L227) | string | | `nil` | +| [controller.serviceLabels](./values.yaml#L236) | object | Labels for the Jenkins controller-service | `{}` | +| [controller.servicePort](./values.yaml#L219) | int | k8s service port | `8080` | +| [controller.serviceType](./values.yaml#L214) | string | k8s service type | `"ClusterIP"` | +| [controller.shareProcessNamespace](./values.yaml#L124) | bool | | `false` | +| [controller.sidecars.additionalSidecarContainers](./values.yaml#L603) | list | Configures additional sidecar container(s) for the Jenkins controller | `[]` | +| [controller.sidecars.configAutoReload.containerSecurityContext](./values.yaml#L598) | object | Enable container security context | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true}` | +| 
[controller.sidecars.configAutoReload.enabled](./values.yaml#L550) | bool | Enables Jenkins Config as Code auto-reload | `true` | +| [controller.sidecars.configAutoReload.env](./values.yaml#L580) | object | Environment variables for the Jenkins Config as Code auto-reload container | `{}` | +| [controller.sidecars.configAutoReload.envFrom](./values.yaml#L578) | list | Environment variable sources for the Jenkins Config as Code auto-reload container | `[]` | +| [controller.sidecars.configAutoReload.folder](./values.yaml#L591) | string | | `"/var/jenkins_home/casc_configs"` | +| [controller.sidecars.configAutoReload.image.registry](./values.yaml#L553) | string | Registry for the image that triggers the reload | `"docker.io"` | +| [controller.sidecars.configAutoReload.image.repository](./values.yaml#L555) | string | Repository of the image that triggers the reload | `"kiwigrid/k8s-sidecar"` | +| [controller.sidecars.configAutoReload.image.tag](./values.yaml#L557) | string | Tag for the image that triggers the reload | `"1.26.1"` | +| [controller.sidecars.configAutoReload.imagePullPolicy](./values.yaml#L558) | string | | `"IfNotPresent"` | +| [controller.sidecars.configAutoReload.reqRetryConnect](./values.yaml#L573) | int | How many connection-related errors to retry on | `10` | +| [controller.sidecars.configAutoReload.resources](./values.yaml#L559) | object | | `{}` | +| [controller.sidecars.configAutoReload.scheme](./values.yaml#L568) | string | The scheme to use when connecting to the Jenkins configuration as code endpoint | `"http"` | +| [controller.sidecars.configAutoReload.skipTlsVerify](./values.yaml#L570) | bool | Skip TLS verification when connecting to the Jenkins configuration as code endpoint | `false` | +| [controller.sidecars.configAutoReload.sleepTime](./values.yaml#L575) | string | How many seconds to wait before updating config-maps/secrets (sets METHOD=SLEEP on the sidecar) | `nil` | +| 
[controller.sidecars.configAutoReload.sshTcpPort](./values.yaml#L589) | int | | `1044` | +| [controller.statefulSetAnnotations](./values.yaml#L648) | object | Annotations for controller StatefulSet | `{}` | +| [controller.statefulSetLabels](./values.yaml#L232) | object | Jenkins controller custom labels for the StatefulSet | `{}` | +| [controller.targetPort](./values.yaml#L221) | int | k8s target port | `8080` | +| [controller.terminationGracePeriodSeconds](./values.yaml#L631) | string | Set TerminationGracePeriodSeconds | `nil` | +| [controller.terminationMessagePath](./values.yaml#L633) | string | Set the termination message path | `nil` | +| [controller.terminationMessagePolicy](./values.yaml#L635) | string | Set the termination message policy | `nil` | +| [controller.testEnabled](./values.yaml#L809) | bool | Can be used to disable rendering controller test resources when using helm template | `true` | +| [controller.tolerations](./values.yaml#L629) | list | Toleration labels for pod assignment | `[]` | +| [controller.updateStrategy](./values.yaml#L652) | object | Update strategy for StatefulSet | `{}` | +| [controller.usePodSecurityContext](./values.yaml#L176) | bool | Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set) | `true` | +| [credentialsId](./values.yaml#L27) | string | The Jenkins credentials to access the Kubernetes API server. For the default cluster it is not needed. 
| `nil` |
+| [fullnameOverride](./values.yaml#L13) | string | Override the full resource names | `jenkins-(release-name)` or `jenkins` if the release-name is `jenkins` |
+| [helmtest.bats.image.registry](./values.yaml#L1302) | string | Registry of the image used to test the framework | `"docker.io"` |
+| [helmtest.bats.image.repository](./values.yaml#L1304) | string | Repository of the image used to test the framework | `"bats/bats"` |
+| [helmtest.bats.image.tag](./values.yaml#L1306) | string | Tag of the image to test the framework | `"v1.10.0"` |
+| [kubernetesURL](./values.yaml#L24) | string | The URL of the Kubernetes API server | `"https://kubernetes.default"` |
+| [nameOverride](./values.yaml#L10) | string | Override the resource name prefix | `Chart.Name` |
+| [namespaceOverride](./values.yaml#L16) | string | Override the deployment namespace | `Release.Namespace` |
+| [networkPolicy.apiVersion](./values.yaml#L1232) | string | NetworkPolicy ApiVersion | `"networking.k8s.io/v1"` |
+| [networkPolicy.enabled](./values.yaml#L1227) | bool | Enable the creation of NetworkPolicy resources | `false` |
+| [networkPolicy.externalAgents.except](./values.yaml#L1246) | list | A list of IP sub-ranges to be excluded from the allowlisted IP range | `[]` |
+| [networkPolicy.externalAgents.ipCIDR](./values.yaml#L1244) | string | The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16 | `nil` |
+| [networkPolicy.internalAgents.allowed](./values.yaml#L1236) | bool | Allow internal agents (from the same cluster) to connect to controller. 
Agent pods will be filtered based on PodLabels | `true` |
+| [networkPolicy.internalAgents.namespaceLabels](./values.yaml#L1240) | object | A map of labels (keys/values) that agents namespaces must have to be able to connect to controller | `{}` |
+| [networkPolicy.internalAgents.podLabels](./values.yaml#L1238) | object | A map of labels (keys/values) that agent pods must have to be able to connect to controller | `{}` |
+| [persistence.accessMode](./values.yaml#L1202) | string | The PVC access mode | `"ReadWriteOnce"` |
+| [persistence.annotations](./values.yaml#L1198) | object | Annotations for the PVC | `{}` |
+| [persistence.dataSource](./values.yaml#L1208) | object | Existing data source to clone PVC from | `{}` |
+| [persistence.enabled](./values.yaml#L1182) | bool | Enable the use of a Jenkins PVC | `true` |
+| [persistence.existingClaim](./values.yaml#L1188) | string | Provide the name of a PVC | `nil` |
+| [persistence.labels](./values.yaml#L1200) | object | Labels for the PVC | `{}` |
+| [persistence.mounts](./values.yaml#L1220) | list | Additional mounts | `[]` |
+| [persistence.size](./values.yaml#L1204) | string | The size of the PVC | `"8Gi"` |
+| [persistence.storageClass](./values.yaml#L1196) | string | Storage class for the PVC | `nil` |
+| [persistence.subPath](./values.yaml#L1213) | string | SubPath for jenkins-home mount | `nil` |
+| [persistence.volumes](./values.yaml#L1215) | list | Additional volumes | `[]` |
+| [rbac.create](./values.yaml#L1252) | bool | Whether RBAC resources are created | `true` |
+| [rbac.readSecrets](./values.yaml#L1254) | bool | Whether the Jenkins service account should be able to read Kubernetes secrets | `false` |
+| [renderHelmLabels](./values.yaml#L30) | bool | Enables rendering of the helm.sh/chart label to the annotations | `true` |
+| [serviceAccount.annotations](./values.yaml#L1264) | object | Configures annotations for the ServiceAccount | `{}` |
+| [serviceAccount.create](./values.yaml#L1258) | bool | 
Configures if a ServiceAccount with this name should be created | `true` |
+| [serviceAccount.extraLabels](./values.yaml#L1266) | object | Configures extra labels for the ServiceAccount | `{}` |
+| [serviceAccount.imagePullSecretName](./values.yaml#L1268) | string | Controller ServiceAccount image pull secret | `nil` |
+| [serviceAccount.name](./values.yaml#L1262) | string | | `nil` |
+| [serviceAccountAgent.annotations](./values.yaml#L1279) | object | Configures annotations for the agent ServiceAccount | `{}` |
+| [serviceAccountAgent.create](./values.yaml#L1273) | bool | Configures if an agent ServiceAccount should be created | `false` |
+| [serviceAccountAgent.extraLabels](./values.yaml#L1281) | object | Configures extra labels for the agent ServiceAccount | `{}` |
+| [serviceAccountAgent.imagePullSecretName](./values.yaml#L1283) | string | Agent ServiceAccount image pull secret | `nil` |
+| [serviceAccountAgent.name](./values.yaml#L1277) | string | The name of the agent ServiceAccount to be used by access-controlled resources | `nil` |
diff --git a/charts/jenkins/jenkins/VALUES.md.gotmpl b/charts/jenkins/jenkins/VALUES.md.gotmpl
new file mode 100644
index 000000000..21080e35a
--- /dev/null
+++ b/charts/jenkins/jenkins/VALUES.md.gotmpl
@@ -0,0 +1,28 @@
+# Jenkins
+
+## Configuration
+
+The following tables list the configurable parameters of the Jenkins chart and their default values.
+
+{{- define "chart.valueDefaultColumnRender" -}}
+{{- $defaultValue := (trimAll "`" (default .Default .AutoDefault) | replace "\n" "") -}}
+`{{- $defaultValue | replace "\n" "" -}}`
+{{- end -}}
+
+{{- define "chart.typeColumnRender" -}}
+{{- .Type -}}
+{{- end -}}
+
+{{- define "chart.valueDescription" -}}
+{{- default .Description .AutoDescription }}
+{{- end -}}
+
+{{- define "chart.valuesTable" -}}
+| Key | Type | Description | Default |
+|:----|:-----|:---------|:------------|
+{{- range .Values }}
+| [{{ .Key }}](./values.yaml#L{{ .LineNumber }}) | {{ template "chart.typeColumnRender" . }} | {{ template "chart.valueDescription" . }} | {{ template "chart.valueDefaultColumnRender" . }} |
+{{- end }}
+{{- end }}
+
+{{ template "chart.valuesSection" . }}
diff --git a/charts/jenkins/jenkins/VALUES_SUMMARY.md b/charts/jenkins/jenkins/VALUES_SUMMARY.md
deleted file mode 100644
index f18f29dfe..000000000
--- a/charts/jenkins/jenkins/VALUES_SUMMARY.md
+++ /dev/null
@@ -1,395 +0,0 @@ -# Jenkins - -## Configuration - -The following tables list the configurable parameters of the Jenkins chart and their default values. - -### Jenkins Controller - -| Parameter | Description | Default | -|---------------------------------------------|--------------------------------------------------------------------------|----------------------------------------------------------------------| -| `checkDeprecation` | Checks for deprecated values used | `true` | -| `clusterZone` | Override the cluster name for FQDN resolving | `cluster.local` | -| `kubernetesURL` | Override the Kubernetes API server URL | `https://kubernetes.default` | -| `nameOverride` | Override the resource name prefix | `jenkins` | -| `renderHelmLabels` | Enables rendering of the helm.sh/chart label to the annotations | `true` | -| `fullnameOverride` | Override the full resource names | `jenkins-{release-name}` (or `jenkins` if release-name is `jenkins`) | -| `namespaceOverride` | Override the deployment namespace | Not set (`Release.Namespace`) | -| `controller.componentName` | Jenkins controller name | `jenkins-controller` | -| `controller.testEnabled` | Can be used to disable rendering test resources when using helm template | `true` | -| `controller.cloudName` | Name of default cloud configuration | `kubernetes` | -| `controller.legacyRemotingSecurityEnabled` | Is remoting security enabled? | Not set (i.e. 
not enabled) | - -#### Jenkins Configuration as Code (JCasC) - -| Parameter | Description | Default | -|-----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------| -| `controller.JCasC.defaultConfig` | Enables default Jenkins configuration via configuration as code plugin | `true` | -| `controller.JCasC.configScripts` | List of Jenkins Config as Code scripts | `{}` | -| `controller.JCasC.security` | Jenkins Config as Code for Security section | `legacy` | -| `controller.JCasC.securityRealm` | Jenkins Config as Code for Security Realm | `legacy` | -| `controller.JCasC.authorizationStrategy` | Jenkins Config as Code for Authorization Strategy | `loggedInUsersCanDoAnything` | -| `controller.sidecars.configAutoReload` | Jenkins Config as Code auto-reload settings | | -| `controller.sidecars.configAutoReload.enabled` | Jenkins Config as Code auto-reload settings (Attention: rbac needs to be enabled otherwise the sidecar can't read the config map) | `true` | -| `controller.sidecars.configAutoReload.image.registry` | Registry for the image which triggers the reload | `docker.io` | -| `controller.sidecars.configAutoReload.image.repository` | Image which triggers the reload | `kiwigrid/k8s-sidecar` | -| `controller.sidecars.configAutoReload.image.tag` | Tag for the image which triggers the reload | `1.24.4` | -| `controller.sidecars.configAutoReload.scheme` | The HTTP scheme to use when connecting to the Jenkins configuration as code endpoint | `http` | -| `controller.sidecars.configAutoReload.skipTlsVerify` | Skip TLS verification when connecting to the Jenkins configuration as code endpoint | `false` | -| `controller.sidecars.configAutoReload.reqRetryConnect` | How many connection-related errors to retry on | `10` | -| `controller.sidecars.configAutoReload.sleepTime` | 
How many seconds to wait before updating config-maps/secrets (sets METHOD=SLEEP on the sidecar) | Not set | -| `controller.sidecars.configAutoReload.envFrom` | Environment variable sources for the Jenkins Config as Code auto-reload container | Not set | -| `controller.sidecars.configAutoReload.env` | Environment variables for the Jenkins Config as Code auto-reload container | Not set | -| `controller.sidecars.configAutoReload.containerSecurityContext` | Enable container security context | `{readOnlyRootFilesystem: true, allowPrivilegeEscalation: false}` | - -#### Jenkins Configuration Files & Scripts - -| Parameter | Description | Default | -|----------------------------|------------------------------|---------| -| `controller.initScripts` | List of Jenkins init scripts | `{}` | -| `controller.initConfigMap` | Pre-existing init scripts | Not set | - -#### Jenkins Global Security - -| Parameter | Description | Default | -|---------------------------------------------------------|--------------------------------------|------------------------------| -| `controller.adminSecret` | Create secret for admin user | `true` | -| `controller.disableRememberMe` | Disable use of remember me | `false` | -| `controller.enableRawHtmlMarkupFormatter` | Enable HTML parsing using | false | -| `controller.markupFormatter` | Yaml of the markup formatter to use | `plainText` | -| `controller.disabledAgentProtocols` | Disabled agent protocols | `JNLP-connect JNLP2-connect` | -| `controller.csrf.defaultCrumbIssuer.enabled` | Enable the default CSRF Crumb issuer | `true` | -| `controller.csrf.defaultCrumbIssuer.proxyCompatability` | Enable proxy compatibility | `true` | - -#### Jenkins Global Settings - -| Parameter | Description | Default | -|----------------------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------| -| `controller.numExecutors` | Set Number of executors | 0 | -| 
`controller.executorMode` | Set executor mode of the Jenkins node. Possible values are: NORMAL or EXCLUSIVE | NORMAL | -| `controller.customJenkinsLabels` | Append Jenkins labels to the controller | `[]` | -| `controller.jenkinsHome` | Custom Jenkins home path | `/var/jenkins_home` | -| `controller.jenkinsRef` | Custom Jenkins reference path | `/usr/share/jenkins/ref` | -| `controller.jenkinsAdminEmail` | Email address for the administrator of the Jenkins instance | Not set | -| `controller.jenkinsUrl` | Set Jenkins URL if you are not using the ingress definitions provided by the chart | Not set | -| `controller.jenkinsUrlProtocol` | Set protocol for Jenkins URL | Set to `https` if `controller.ingress.tls`, `http` otherwise | -| `controller.jenkinsUriPrefix` | Root Uri Jenkins will be served on | Not set | -| `controller.jenkinsOpts` | Append to `JENKINS_OPTS` env var | Not set | -| `controller.javaOpts` | Append to `JAVA_OPTS` env var | Not set | - -#### Jenkins In-Process Script Approval - -| Parameter | Description | Default | -|-----------------------------|-------------------------------------|---------| -| `controller.scriptApproval` | List of groovy functions to approve | `[]` | - -#### Jenkins Plugins - -| Parameter | Description | Default | -|--------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------| -| `controller.installPlugins` | List of Jenkins plugins to install. If you don't want to install plugins set it to `false` | `kubernetes:1.31.3 workflow-aggregator:2.6 git:4.10.2 configuration-as-code:1414.v878271fc496f` | -| `controller.additionalPlugins` | List of Jenkins plugins to install in addition to those listed in controller.installPlugins | `[]` | -| `controller.initializeOnce` | Initialize only on first install. 
Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true`. | `false` | -| `controller.overwritePlugins` | Overwrite installed plugins on start. | `false` | -| `controller.overwritePluginsFromImage` | Keep plugins that are already installed in the controller image. | `true` | -| `controller.installLatestPlugins` | Set to false to download the minimum required version of all dependencies. | `true` | -| `controller.installLatestSpecifiedPlugins` | Set to true to download latest dependencies of any plugin that is requested to have the latest version. | `false` | - -#### Jenkins Agent Listener - -| Parameter | Description | Default | -|----------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|-------------| -| `controller.agentListenerEnabled` | Create Agent listener service | `true` | -| `controller.agentListenerPort` | Listening port for agents | `50000` | -| `controller.agentListenerHostPort` | Host port to listen for agents | Not set | -| `controller.agentListenerNodePort` | Node port to listen for agents | Not set | -| `controller.agentListenerServiceType` | Defines how to expose the agentListener service | `ClusterIP` | -| `controller.agentListenerServiceAnnotations` | Annotations for the agentListener service | `{}` | -| `controller.agentListenerLoadBalancerIP` | Static IP for the agentListener LoadBalancer | Not set | -| `controller.agentListenerExternalTrafficPolicy` | [Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service/#traffic-policies) of for the agentListener service | Not set | -| `controller.agentListenerLoadBalancerSourceRanges` | Allowed inbound IP for the agentListener service | `0.0.0.0/0` | - -#### Kubernetes StatefulSet & Service - -| Parameter | Description | Default | 
-|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------| -| `controller.image.registry` | Controller image registry | `docker.io` | -| `controller.image.repository` | Controller image name | `jenkins/jenkins` | -| `controller.image.tagLabel` | Controller image tag label | `jdk17` | -| `controller.image.tag` | Controller image tag override | Not set | -| `controller.image.pullPolicy` | Controller image pull policy | `Always` | -| `controller.imagePullSecretName` | Controller image pull secret | Not set | -| `controller.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 50m, memory: 256Mi}, limits: {cpu: 2000m, memory: 4096Mi}}` | -| `controller.initContainerResources` | Resources allocation (Requests and Limits) for Init Container | Not set | -| `controller.initContainerEnvFrom` | Environment variable sources for Init Container | Not set | -| `controller.initContainerEnv` | Environment variables for Init Container | Not set | -| `controller.containerEnvFrom` | Environment variable sources for Jenkins Container | Not set | -| `controller.containerEnv` | Environment variables for Jenkins Container | Not set | -| `controller.usePodSecurityContext` | Enable pod security context (must be `true` if `runAsUser`, `fsGroup`, or `podSecurityContextOverride` are set) | `true` | -| `controller.runAsUser` | Deprecated in favor of `controller.podSecurityContextOverride`. uid that jenkins runs with. | `1000` | -| `controller.fsGroup` | Deprecated in favor of `controller.podSecurityContextOverride`. uid that will be used for persistent volume. | `1000` | -| `controller.podSecurityContextOverride` | Completely overwrites the contents of the pod security context, ignoring the values provided for `runAsUser`, and `fsGroup`. 
| Not set | -| `controller.containerSecurityContext` | Allow to control securityContext for the jenkins container. | `{runAsUser: 1000, runAsGroup: 1000, readOnlyRootFilesystem: true, allowPrivilegeEscalation: false}` | -| `controller.hostAliases` | Aliases for IPs in `/etc/hosts` | `[]` | -| `controller.serviceAnnotations` | Service annotations | `{}` | -| `controller.serviceType` | k8s service type | `ClusterIP` | -| `controller.clusterIP` | k8s service clusterIP | Not set | -| `controller.servicePort` | k8s service port | `8080` | -| `controller.targetPort` | k8s target port | `8080` | -| `controller.nodePort` | k8s node port | Not set | -| `controller.jmxPort` | Open a port, for JMX stats | Not set | -| `controller.extraPorts` | Open extra ports, for other uses | `[]` | -| `controller.loadBalancerSourceRanges` | Allowed inbound IP addresses | `0.0.0.0/0` | -| `controller.loadBalancerIP` | Optional fixed external IP | Not set | -| `controller.statefulSetLabels` | Custom StatefulSet labels | Not set | -| `controller.serviceLabels` | Custom Service labels | Not set | -| `controller.podLabels` | Custom Pod labels (an object with `label-key: label-value` pairs) | Not set | -| `controller.nodeSelector` | Node labels for pod assignment | `{}` | -| `controller.affinity` | Affinity settings | `{}` | -| `controller.schedulerName` | Kubernetes scheduler name | Not set | -| `controller.terminationGracePeriodSeconds` | Set TerminationGracePeriodSeconds | Not set | -| `controller.terminationMessagePath` | Set the termination message path | Not set | -| `controller.terminationMessagePolicy` | Set the termination message policy | Not set | -| `controller.tolerations` | Toleration labels for pod assignment | `[]` | -| `controller.podAnnotations` | Annotations for controller pod | `{}` | -| `controller.statefulSetAnnotations` | Annotations for controller StatefulSet | `{}` | -| `controller.updateStrategy` | Update strategy for StatefulSet | `{}` | -| `controller.lifecycle` | 
Lifecycle specification for controller-container | Not set | -| `controller.priorityClassName` | The name of a `priorityClass` to apply to the controller pod | Not set | -| `controller.admin.existingSecret` | The name of an existing secret containing the admin credentials. | `""` | -| `controller.admin.userKey` | The key in the existing admin secret containing the username. | `jenkins-admin-user` | -| `controller.admin.passwordKey` | The key in the existing admin secret containing the password. | `jenkins-admin-password` | -| `controller.customInitContainers` | Custom init-container specification in raw-yaml format | Not set | -| `controller.sidecars.additionalSidecarContainers`| Configures additional sidecar container(s) for Jenkins controller | `[]` | - -#### Kubernetes Pod Disruption Budget - -| Parameter | Description | Default | -|-------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------| -| `controller.podDisruptionBudget.enabled` | Enable [Kubernetes Pod Disruption Budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) configuration from `controller.podDisruptionBudget` (see below) | `false` | -| `controller.podDisruptionBudget.apiVersion` | Policy API version | `policy/v1beta1` | -| `controller.podDisruptionBudget.maxUnavailable` | Number of pods that can be unavailable. Either an absolute number or a percentage. 
| Not set | - -#### Kubernetes Health Probes - -| Parameter | Description | Default | -|--------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------| -| `controller.healthProbes` | Enable [Kubernetes Probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes) configuration from `controller.probes` (see below) | `true` | -| `controller.probes.livenessProbe.timeoutSeconds` | Set the timeout for the liveness probe in seconds | `5` | -| `controller.probes.livenessProbe.periodSeconds` | Set the time interval (in seconds) between two liveness probes executions | `10` | -| `controller.probes.livenessProbe.failureThreshold` | Set the failure threshold for the liveness probe | `5` | -| `controller.probes.livenessProbe.initialDelaySeconds` | Set the initial delay for the liveness probe | Not set | -| `controller.probes.livenessProbe.httpGet.port` | Set the Pod's HTTP port to use for the liveness probe | `http` | -| `controller.probes.livenessProbe.httpGet.path` | Set the HTTP's path for the liveness probe | `/login'` (or `${controller.jenkinsUriPrefix}/login` if `controller.jenkinsUriPrefix` is defined) | -| `controller.probes.readinessProbe.timeoutSeconds` | Set the timeout for the readiness probe in seconds | `5` | -| `controller.probes.readinessProbe.periodSeconds` | Set the time interval (in seconds) between two readiness probes executions | `10` | -| `controller.probes.readinessProbe.failureThreshold` | Set the failure threshold for the readiness probe | `3` | -| `controller.probes.readinessProbe.initialDelaySeconds` | Set the initial delay for the readiness probe | Not set | -| `controller.probes.readinessProbe.httpGet.port` | Set the Pod's HTTP 
port to use for the readiness probe | `http` | -| `controller.probes.readinessProbe.httpGet.path` | Set the HTTP's path for the readiness probe | `/login'` (or `${controller.jenkinsUriPrefix}/login` if `controller.jenkinsUriPrefix` is defined) | -| `controller.probes.startupProbe.timeoutSeconds` | Set the timeout for the startup probe in seconds | `5` | -| `controller.probes.startupProbe.periodSeconds` | Set the time interval (in seconds) between two startup probes executions | `10` | -| `controller.probes.startupProbe.failureThreshold` | Set the failure threshold for the startup probe | `12` | -| `controller.probes.startupProbe.initialDelaySeconds` | Set the initial delay for the startup probe | Not set | -| `controller.probes.startupProbe.httpGet.port` | Set the Pod's HTTP port to use for the startup probe | `http` | -| `controller.probes.startupProbe.httpGet.path` | Set the HTTP's path for the startup probe | `/login'` (or `${controller.jenkinsUriPrefix}/login` if `controller.jenkinsUriPrefix` is defined) | - -#### Kubernetes Ingress - -| Parameter | Description | Default | -|--------------------------------------|----------------------------------------|----------------------| -| `controller.ingress.enabled` | Enables ingress | `false` | -| `controller.ingress.apiVersion` | Ingress API version | `extensions/v1beta1` | -| `controller.ingress.hostName` | Ingress hostname | Not set | -| `controller.ingress.resourceRootUrl` | Hostname to serve assets from | Not set | -| `controller.ingress.annotations` | Ingress annotations | `{}` | -| `controller.ingress.labels` | Ingress labels | `{}` | -| `controller.ingress.path` | Ingress path | Not set | -| `controller.ingress.paths` | Override for the default Ingress paths | `[]` | -| `controller.ingress.tls` | Ingress TLS configuration | `[]` | - -#### GKE BackendConfig - -| Parameter | Description | Default | -|----------------------------------------|---------------------------|----------------------| -| 
`controller.backendconfig.enabled` | Enables backendconfig | `false` | -| `controller.backendconfig.apiVersion` | backendconfig API version | `extensions/v1beta1` | -| `controller.backendconfig.name` | backendconfig name | Not set | -| `controller.backendconfig.annotations` | backendconfig annotations | `{}` | -| `controller.backendconfig.labels` | backendconfig labels | `{}` | -| `controller.backendconfig.spec` | backendconfig spec | `{}` | - -#### OpenShift Route - -| Parameter | Description | Default | -|--------------------------------|-------------------------|---------| -| `controller.route.enabled` | Enables openshift route | `false` | -| `controller.route.annotations` | Route annotations | `{}` | -| `controller.route.labels` | Route labels | `{}` | -| `controller.route.path` | Route path | Not set | - -#### Prometheus - -| Parameter | Description | Default | -|--------------------------------------------------------|--------------------------------------------------------|---------------------------------------------------| -| `controller.prometheus.enabled` | Enables prometheus service monitor | `false` | -| `controller.prometheus.serviceMonitorAdditionalLabels` | Additional labels to add to the service monitor object | `{}` | -| `controller.prometheus.serviceMonitorNamespace` | Custom namespace for serviceMonitor | Not set (same ns where is Jenkins being deployed) | -| `controller.prometheus.scrapeInterval` | How often prometheus should scrape metrics | `60s` | -| `controller.prometheus.scrapeEndpoint` | The endpoint prometheus should get metrics from | `/prometheus` | -| `controller.prometheus.alertingrules` | Array of prometheus alerting rules | `[]` | -| `controller.prometheus.alertingRulesAdditionalLabels` | Additional labels to add to the prometheus rule object | `{}` | -| `controller.prometheus.prometheusRuleNamespace` | Custom namespace for PrometheusRule | `""` (same ns where Jenkins being deployed) | - -#### HTTPS Keystore - -| Parameter | 
Description | Default | -|--------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------| -| `controller.httpsKeyStore.enable` | Enables HTTPS keystore on jenkins controller | `false` | -| `controller.httpsKeyStore.jenkinsHttpsJksSecretName` | Name of the secret that already has ssl keystore | `` | -| `controller.httpsKeyStore.jenkinsHttpsJksSecretKey` | Name of the key in the secret that already has ssl keystore | `jenkins-jks-file` | -| `controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretName` | Name of the secret that contains the JKS password, if it is not in the same secret as the JKS file | `` | -| `controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretKey` | Name of the key in the secret that contains the JKS password | `https-jks-password` | -| `controller.httpsKeyStore.httpPort` | HTTP Port that Jenkins should listen on along with HTTPS, it also serves liveness and readiness probs port. When HTTPS keystore is enabled servicePort and targetPort will be used as HTTPS port | `8081` | -| `controller.httpsKeyStore.path` | Path of HTTPS keystore file | `/var/jenkins_keystore` | -| `controller.httpsKeyStore.fileName` | Jenkins keystore filename which will appear under controller.httpsKeyStore.path | `keystore.jks` | -| `controller.httpsKeyStore.password` | Jenkins keystore password | `password` | -| `controller.httpsKeyStore.jenkinsKeyStoreBase64Encoded` | Base64 encoded Keystore content. 
Keystore must be converted to base64 then being pasted here | a self signed cert | - -#### Kubernetes Secret - -| Parameter | Description | Default | -|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------| -| `controller.admin.username` | Admin username (and password) created as a secret if `controller.admin.createSecret` is true | `admin` | -| `controller.admin.password` | Admin password (and user) created as a secret if `controller.admin.createSecret` is true | Random value | -| `controller.admin.existingSecret` | The name of an existing secret containing keys credentials. | `""` | -| `controller.additionalSecrets` | List of additional secrets to create and mount according to [JCasC docs](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) | `[]` | -| `controller.additionalExistingSecrets` | List of additional existing secrets to mount according to [JCasC docs](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) | `[]` | -| `controller.secretClaims` | List of `SecretClaim` resources to create | `[]` | - -#### Kubernetes NetworkPolicy - -| Parameter | Description | Default | -|------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|------------------------| -| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources. | `false` | -| `networkPolicy.apiVersion` | NetworkPolicy ApiVersion | `networking.k8s.io/v1` | -| `networkPolicy.internalAgents.allowed` | Allow internal agents (from the same cluster) to connect to controller. Agent pods would be filtered based on PodLabels. 
| `false` | -| `networkPolicy.internalAgents.podLabels` | A map of labels (keys/values) that agents pods must have to be able to connect to controller. | `{}` | -| `networkPolicy.internalAgents.namespaceLabels` | A map of labels (keys/values) that agents namespaces must have to be able to connect to controller. | `{}` | -| `networkPolicy.externalAgents.ipCIDR` | The IP range from which external agents are allowed to connect to controller. | `` | -| `networkPolicy.externalAgents.except` | A list of IP sub-ranges to be excluded from the whitelisted IP range. | `[]` | - -#### Kubernetes RBAC - -| Parameter | Description | Default | -|--------------------|-------------------------------------------------------------------------------|---------| -| `rbac.create` | Whether RBAC resources are created | `true` | -| `rbac.readSecrets` | Whether the Jenkins service account should be able to read Kubernetes secrets | `false` | - -#### Kubernetes ServiceAccount - Controller - -| Parameter | Description | Default | -|--------------------------------------|----------------------------------------------------------------------|---------------| -| `serviceAccount.name` | name of the ServiceAccount to be used by access-controlled resources | autogenerated | -| `serviceAccount.create` | Configures if a ServiceAccount with this name should be created | `true` | -| `serviceAccount.annotations` | Configures annotation for the ServiceAccount | `{}` | -| `serviceAccount.extraLabels` | Configures extra labels for the ServiceAccount | `{}` | -| `serviceAccount.imagePullSecretName` | Controller ServiceAccount image pull secret | Not set | - -#### Kubernetes ServiceAccount - Agent - -| Parameter | Description | Default | -|-------------------------------------------|----------------------------------------------------------------------------|---------------| -| `serviceAccountAgent.name` | name of the agent ServiceAccount to be used by access-controlled resources | autogenerated | -| 
`serviceAccountAgent.create` | Configures if an agent ServiceAccount with this name should be created | `false` | -| `serviceAccountAgent.annotations` | Configures annotation for the agent ServiceAccount | `{}` | -| `serviceAccountAgent.extraLabels` | Configures extra labels for the agent ServiceAccount | `{}` | -| `serviceAccountAgent.imagePullSecretName` | Agent ServiceAccount image pull secret | Not set | - -### Jenkins Agent(s) - -| Parameter | Description | Default | -|----------------------------------|----------------------------------------------------------------------------------------------------------------------|---------| -| `agent.enabled` | Enable Kubernetes plugin jnlp-agent podTemplate | `true` | -| `agent.namespace` | Namespace in which the Kubernetes agents should be launched | Not set | -| `agent.containerCap` | Maximum number of agent | 10 | -| `agent.defaultsProviderTemplate` | The name of the pod template to use for providing default values | Not set | -| `agent.jenkinsUrl` | Overrides the Kubernetes Jenkins URL | Not set | -| `agent.jenkinsTunnel` | Overrides the Kubernetes Jenkins tunnel | Not set | -| `agent.kubernetesConnectTimeout` | The connection timeout in seconds for connections to Kubernetes API. Minimum value is 5. | 5 | -| `agent.kubernetesReadTimeout` | The read timeout in seconds for connections to Kubernetes API. Minimum value is 15. 
| 15 | -| `agent.maxRequestsPerHostStr` | The maximum concurrent connections to Kubernetes API | 32 | -| `agent.retentionTimeout` | Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated | 5 | -| `agent.waitForPodSec` | Seconds to wait for pod to be running | 600 | -| `agent.podLabels` | Custom Pod labels (an object with `label-key: label-value` pairs) | Not set | -| `agent.jnlpregistry` | Custom docker registry used for to get agent jnlp image | Not set | - -#### Pod Configuration - -| Parameter | Description | Default | -|------------------------------|-----------------------------------------------------------------------------------------------|------------| -| `agent.websocket` | Enables agent communication via websockets | false | -| `agent.podName` | Agent Pod base name | Not set | -| `agent.customJenkinsLabels` | Append Jenkins labels to the agent | `[]` | -| `agent.envVars` | Environment variables for the agent Pod | `[]` | -| `agent.idleMinutes` | Allows the Pod to remain active for reuse | 0 | -| `agent.imagePullSecretName` | Agent image pull secret | Not set | -| `agent.hostNetworking` | Enabled agent to use hostnetwork | false | -| `agent.nodeSelector` | Node labels for pod assignment | `{}` | -| `agent.connectTimeout` | Timeout in seconds for an agent to be online | 100 | -| `agent.volumes` | Additional volumes | `[]` | -| `agent.workspaceVolume` | Workspace volume (defaults to EmptyDir) | `{}` | -| `agent.yamlTemplate` | The raw yaml of a Pod API Object to merge into the agent spec | Not set | -| `agent.yamlMergeStrategy` | Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates | `override` | -| `agent.annotations` | Annotations to apply to the pod | `{}` | -| `agent.additionalContainers` | Add additional containers to the agents. 
| `[]` | - -#### Side Container Configuration - -| Parameter | Description | Default | -|---------------------------| ----------------------------------------------- |--------------------------------------------------------------------------------| -| `agent.sideContainerName` | Side container name in agent | jnlp | -| `agent.image.repository` | Agent image name | `jenkins/inbound-agent` | -| `agent.image.tag` | Agent image tag | `3192.v713e3b_039fb_e-5` | -| `agent.alwaysPullImage` | Always pull agent container image before build | `false` | -| `agent.privileged` | Agent privileged container | `false` | -| `agent.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 512m, memory: 512Mi}, limits: {cpu: 512m, memory: 512Mi}}` | -| `agent.runAsUser` | Configure container user | Not set | -| `agent.runAsGroup` | Configure container group | Not set | -| `agent.command` | Executed command when side container starts | Not set | -| `agent.args` | Arguments passed to executed command | `${computer.jnlpmac} ${computer.name}` | -| `agent.TTYEnabled` | Allocate pseudo tty to the side container | false | -| `agent.workingDir` | Configure working directory for default agent | `/home/jenkins/agent` | - - -#### Other - -| Parameter | Description | Default | -|-----------------------------|-----------------------------------------------------------------|---------| -| `agent.disableDefaultAgent` | Ignore the default Jenkins Agent configuration | false | -| `agent.podTemplates` | Configures extra pod templates for the default kubernetes cloud | `{}` | -| `additionalAgents` | Configure additional agents which inherit values from `agent` | `{}` | - -### Persistence - -| Parameter | Description | Default | -|-----------------------------|----------------------------------------|-----------------| -| `persistence.enabled` | Enable the use of a Jenkins PVC | `true` | -| `persistence.existingClaim` | Provide the name of a PVC | `nil` | -| `persistence.storageClass` 
| Storage class for the PVC | `nil` |
-| `persistence.annotations` | Annotations for the PVC | `{}` |
-| `persistence.labels` | Labels for the PVC | `{}` |
-| `persistence.accessMode` | The PVC access mode | `ReadWriteOnce` |
-| `persistence.size` | The size of the PVC | `8Gi` |
-| `persistence.dataSource` | Existing data source to clone PVC from | `nil` |
-| `persistence.subPath` | SubPath for jenkins-home mount | `nil` |
-| `persistence.volumes` | Additional volumes | `nil` |
-| `persistence.mounts` | Additional mounts | `nil` |
-
-### Helm Tests
-
-| Parameter | Description | Default |
-|----------------------------------|-------------------------------------|-------------|
-| `helmtest.bats.image.registry` | Registry used to test the framework | `docker.io` |
-| `helmtest.bats.image.repository` | Image used to test the framework | `bats/bats` |
-| `helmtest.bats.image.tag` | Test framework image tag override | `1.2.1` |
diff --git a/charts/jenkins/jenkins/templates/_helpers.tpl b/charts/jenkins/jenkins/templates/_helpers.tpl
index ef7f1ef82..8301a8421 100644
--- a/charts/jenkins/jenkins/templates/_helpers.tpl
+++ b/charts/jenkins/jenkins/templates/_helpers.tpl
@@ -169,6 +169,7 @@ jenkins:
 waitForPodSec: {{ .Values.agent.waitForPodSec | quote }}
 name: "{{ .Values.controller.cloudName }}"
 namespace: "{{ template "jenkins.agent.namespace" . }}"
+ restrictedPssSecurityContext: {{ .Values.agent.restrictedPssSecurityContext }}
 serverUrl: "{{ .Values.kubernetesURL }}"
 credentialsId: "{{ .Values.credentialsId }}"
 {{- if .Values.agent.enabled }}
@@ -252,6 +253,7 @@ jenkins:
 waitForPodSec: {{ .Values.agent.waitForPodSec | quote }}
 name: {{ $name | quote }}
 namespace: "{{ template "jenkins.agent.namespace" . }}"
+ restrictedPssSecurityContext: {{ .Values.agent.restrictedPssSecurityContext }}
 serverUrl: "{{ .Values.kubernetesURL }}"
 credentialsId: "{{ .Values.credentialsId }}"
 {{- if .Values.agent.enabled }}
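Review bot: In both _helpers.tpl hunks (`@@ -169` and `@@ -252`) `restrictedPssSecurityContext` is rendered unquoted and without a default, so an unset `agent.restrictedPssSecurityContext` produces an empty value in the generated JCasC cloud definition rather than an explicit boolean. None of the values.yaml hunks in this view declares that key (the `agent:` section is outside it), so please confirm it is defined there with a boolean default, or render it defensively as `restrictedPssSecurityContext: {{ .Values.agent.restrictedPssSecurityContext | default false }}`. If this is the kubernetes-plugin option that applies the Pod Security Standards restricted profile to agent pods, the values.yaml comment should say so and note the minimum plugin version it needs; the same commit bumps `kubernetes:4193.vded98e56cc25` in values.yaml, which may be what introduces the attribute, and JCasC may reject it as unknown on older plugin versions.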
diff --git a/charts/jenkins/jenkins/templates/config.yaml b/charts/jenkins/jenkins/templates/config.yaml
index b94c79f5d..5de0b9f72 100644
--- a/charts/jenkins/jenkins/templates/config.yaml
+++ b/charts/jenkins/jenkins/templates/config.yaml
@@ -28,6 +28,12 @@ data:
 # remove all plugins from shared volume
 rm -rf {{ .Values.controller.jenkinsHome }}/plugins/*
 {{- end }}
+{{- if .Values.controller.JCasC.overwriteConfiguration }}
+ echo "deleting all XML config files"
+ rm -f {{ .Values.controller.jenkinsHome }}/config.xml
+ rm -f {{ .Values.controller.jenkinsHome }}/*plugins*.xml
+ find {{ .Values.controller.jenkinsHome }} -maxdepth 1 -type f -iname '*configuration*.xml' -exec rm -f {} \;
+{{- end }}
 {{- if .Values.controller.installPlugins }}
 echo "download plugins"
 # Install missing plugins
diff --git a/charts/jenkins/jenkins/templates/jenkins-controller-networkpolicy.yaml b/charts/jenkins/jenkins/templates/jenkins-controller-networkpolicy.yaml
index 91cf6db11..82835f2bd 100644
--- a/charts/jenkins/jenkins/templates/jenkins-controller-networkpolicy.yaml
+++ b/charts/jenkins/jenkins/templates/jenkins-controller-networkpolicy.yaml
@@ -39,7 +39,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
- {{- if .Values.networkPolicy.externalAgents }}
+ {{- if or .Values.networkPolicy.externalAgents.ipCIDR .Values.networkPolicy.externalAgents.except }}
 - ipBlock:
 cidr: {{ required "ipCIDR is required if you wish to allow external agents to connect to Jenkins Controller." .Values.networkPolicy.externalAgents.ipCIDR }}
 {{- if .Values.networkPolicy.externalAgents.except }}
diff --git a/charts/jenkins/jenkins/templates/jenkins-controller-statefulset.yaml b/charts/jenkins/jenkins/templates/jenkins-controller-statefulset.yaml
index 364debb9e..ca0edc651 100644
--- a/charts/jenkins/jenkins/templates/jenkins-controller-statefulset.yaml
+++ b/charts/jenkins/jenkins/templates/jenkins-controller-statefulset.yaml
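Review bot: The new deletion block in config.yaml removes `config.xml`, which is also where Jenkins persists the security realm and authorization strategy, and it sits in the same init script as the plugin cleanup and install, so presumably it runs on every controller start while `controller.JCasC.overwriteConfiguration` is true, not just once. That means any change made through the UI is discarded at the next restart and the controller's access control after boot depends entirely on JCasC re-applying `securityRealm` and `authorizationStrategy`; a shell comment above the block such as `# Runs on every start while overwriteConfiguration is true: config.xml (incl. security realm/authorization) is rebuilt solely from JCasC` would make that blast radius explicit. Quoting the expanded path in the `config.xml` and `find` lines, `rm -f "{{ .Values.controller.jenkinsHome }}/config.xml"`, keeps them safe if `jenkinsHome` ever contains whitespace (the glob line must stay unquoted). The enclosing script starts and ends outside the hunk.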
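Review bot: With the new `or` condition, a user who sets only `networkPolicy.externalAgents.except` now enters the ipBlock branch and fails the render at the `required` check on the following line, which is the safe outcome (an `except` list without a cidr would otherwise be silently meaningless) but is not obvious from the template itself. A short template comment above the condition, `{{/* except without ipCIDR is rejected by the required check below; never emit an ipBlock without a cidr */}}`, would record that this is deliberate. If the chart's defaults define the `externalAgents` map even when unused, as the removed README table suggests, the old `if .Values.networkPolicy.externalAgents` was always truthy and this change also stops the render from failing for users who never configured external agents; that is worth a line in the changelog.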
@@ -78,7 +78,7 @@ spec:
 {{- end }}
 {{- if .Values.controller.usePodSecurityContext }}
 securityContext:
- {{- if hasKey .Values.controller "podSecurityContextOverride" }}
+ {{- if kindIs "map" .Values.controller.podSecurityContextOverride }}
 {{- tpl (toYaml .Values.controller.podSecurityContextOverride | nindent 8) . -}}
 {{- else }}
 {{/* The rest of this section should be replaced with the contents of this comment one the runAsUser, fsGroup, and securityContextCapabilities Helm chart values have been removed:
diff --git a/charts/jenkins/jenkins/values.yaml b/charts/jenkins/jenkins/values.yaml
index a70faeeb1..424028ae8 100644
--- a/charts/jenkins/jenkins/values.yaml
+++ b/charts/jenkins/jenkins/values.yaml
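Review bot: `kindIs "map"` is also true for an empty map, so `podSecurityContextOverride: {}` takes the override branch and renders an empty `securityContext`, silently dropping the `runAsUser`/`fsGroup` defaults of the `else` branch (which continues outside the hunk). The old `hasKey` test had the same gap, but now that values.yaml ships `podSecurityContextOverride: ~`, `{}` is the more likely accidental value from a user who "clears" the setting. If an empty map should mean "no override", use `{{- if and (kindIs "map" .Values.controller.podSecurityContextOverride) (not (empty .Values.controller.podSecurityContextOverride)) }}`; otherwise a template comment here stating that `{}` intentionally yields an empty pod securityContext would prevent the ambiguity.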
@@ -5,74 +5,113 @@ ## Overrides for generated resource names # See templates/_helpers.tpl -# nameOverride: -# fullnameOverride: -# namespaceOverride: +# -- Override the resource name prefix +# @default -- `Chart.Name` +nameOverride: +# -- Override the full resource names +# @default -- `jenkins-(release-name)` or `jenkins` if the release-name is `jenkins` +fullnameOverride: +# -- Override the deployment namespace +# @default -- `Release.Namespace` +namespaceOverride: # For FQDN resolving of the controller service. Change this value to match your existing configuration. # ref: https://github.com/kubernetes/dns/blob/master/docs/specification.md +# -- Override the cluster name for FQDN resolving clusterZone: "cluster.local" -# The URL of the Kubernetes API server +# -- The URL of the Kubernetes API server kubernetesURL: "https://kubernetes.default" -# The Jenkins credentials to access the Kubernetes API server. For the the default cluster it is not needed. +# -- The Jenkins credentials to access the Kubernetes API server. For the default cluster it is not needed. 
credentialsId: +# -- Enables rendering of the helm.sh/chart label to the annotations renderHelmLabels: true controller: - # Used for label app.kubernetes.io/component + # -- Used for label app.kubernetes.io/component componentName: "jenkins-controller" image: + # -- Controller image registry registry: "docker.io" + # -- Controller image repository repository: "jenkins/jenkins" - # tag: "2.426.3-jdk17" + + # -- Controller image tag override; i.e., tag: "2.440.1-jdk17" + tag: + + # -- Controller image tag label tagLabel: jdk17 + # -- Controller image pull policy pullPolicy: "Always" + # -- Controller image pull secret imagePullSecretName: - # Optionally configure lifetime for controller-container - lifecycle: + # -- Lifecycle specification for controller-container + lifecycle: {} # postStart: # exec: # command: # - "uname" # - "-a" + + # -- Disable use of remember me disableRememberMe: false + + # -- Set Number of executors numExecutors: 0 - # configures the executor mode of the Jenkins node. Possible values are: NORMAL or EXCLUSIVE + + # -- Sets the executor mode of the Jenkins node. Possible values are "NORMAL" or "EXCLUSIVE" executorMode: "NORMAL" - # This is ignored if enableRawHtmlMarkupFormatter is true - markupFormatter: plainText + + # -- Append Jenkins labels to the controller customJenkinsLabels: [] hostNetworking: false + # When enabling LDAP or another non-Jenkins identity source, the built-in admin account will no longer exist. 
# If you disable the non-Jenkins identity store and instead use the Jenkins internal one, # you should revert controller.admin.username to your preferred admin user: admin: - username: "admin" - # password: + # -- Admin username created as a secret if `controller.admin.createSecret` is true + username: "admin" + # -- Admin password created as a secret if `controller.admin.createSecret` is true + # @default -- + password: + + # -- The key in the existing admin secret containing the username userKey: jenkins-admin-user + # -- The key in the existing admin secret containing the password passwordKey: jenkins-admin-password # The default configuration uses this secret to configure an admin user - # If you don't need that user or use a different security realm then you can disable it + # If you don't need that user or use a different security realm, then you can disable it + # -- Create secret for admin user createSecret: true - existingSecret: "" - # This values should not be changed unless you use your custom image of jenkins or any devired from. If you want to use - # Cloudbees Jenkins Distribution docker, you should set jenkinsHome: "/var/cloudbees-jenkins-distribution" + # -- The name of an existing secret containing the admin credentials + existingSecret: "" + # -- Email address for the administrator of the Jenkins instance + jenkinsAdminEmail: + + # This value should not be changed unless you use your custom image of jenkins or any derived from. + # If you want to use Cloudbees Jenkins Distribution docker, you should set jenkinsHome: "/var/cloudbees-jenkins-distribution" + # -- Custom Jenkins home path jenkinsHome: "/var/jenkins_home" - # This values should not be changed unless you use your custom image of jenkins or any devired from. 
If you want to use - # Cloudbees Jenkins Distribution docker, you should set jenkinsRef: "/usr/share/cloudbees-jenkins-distribution/ref" + + # This value should not be changed unless you use your custom image of jenkins or any derived from. + # If you want to use Cloudbees Jenkins Distribution docker, you should set jenkinsRef: "/usr/share/cloudbees-jenkins-distribution/ref" + # -- Custom Jenkins reference path jenkinsRef: "/usr/share/jenkins/ref" + # Path to the jenkins war file which is used by jenkins-plugin-cli. jenkinsWar: "/usr/share/jenkins/jenkins.war" - # Overrides the default arguments passed to the war + # Override the default arguments passed to the war # overrideArgs: # - --httpPort=8080 + + # -- Resource allocation (Requests and Limits) resources: requests: cpu: "50m" @@ -80,9 +119,13 @@ controller: limits: cpu: "2000m" memory: "4096Mi" + # Share process namespace to allow sidecar containers to interact with processes in other containers in the same pod shareProcessNamespace: false + # Overrides the init container default values + # -- Resources allocation (Requests and Limits) for Init Container + initContainerResources: {} # initContainerResources: # requests: # cpu: "50m" 
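Review bot: The `# @default --` annotation on `controller.admin.password` is left empty, so generated documentation will show no default at all for a security-relevant value; the removed README table described it as "Random value", so if the chart still generates one when this is unset, write `# @default -- Random value` so readers know an unset password does not mean an empty one. Separately, the controller image tag comment `i.e., tag: "2.440.1-jdk17"` gives an example rather than a restatement and should read `e.g.`.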
@@ -90,142 +133,234 @@ controller: # limits: # cpu: "2000m" # memory: "4096Mi" - # Environment variables that get added to the init container (useful for e.g. http_proxy) + # -- Environment variable sources for Init Container + initContainerEnvFrom: [] + + # useful for i.e., http_proxy + # -- Environment variables for Init Container + initContainerEnv: [] # initContainerEnv: # - name: http_proxy # value: "http://192.168.64.1:3128" - # containerEnv: + + # -- Environment variable sources for Jenkins Container + containerEnvFrom: [] + + # -- Environment variables for Jenkins Container + containerEnv: [] # - name: http_proxy # value: "http://192.168.64.1:3128" - # Set min/max heap here if needed with: - # javaOpts: "-Xms512m -Xmx512m" - # jenkinsOpts: "" - # If you are using the ingress definitions provided by this chart via the `controller.ingress` block the configured hostname will be the ingress hostname starting with `https://` or `http://` depending on the `tls` configuration. + + # Set min/max heap here if needed with "-Xms512m -Xmx512m" + # -- Append to `JAVA_OPTS` env var + javaOpts: + # -- Append to `JENKINS_OPTS` env var + jenkinsOpts: + + # If you are using the ingress definitions provided by this chart via the `controller.ingress` block, + # the configured hostname will be the ingress hostname starting with `https://` + # or `http://` depending on the `tls` configuration. # The Protocol can be overwritten by specifying `controller.jenkinsUrlProtocol`. - # jenkinsUrlProtocol: "https" - # If you are not using the provided ingress you can specify `controller.jenkinsUrl` to change the url definition. 
- # jenkinsUrl: "" - # If you set this prefix and use ingress controller then you might want to set the ingress path below - # jenkinsUriPrefix: "/jenkins" - # Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set) + # -- Set protocol for Jenkins URL; `https` if `controller.ingress.tls`, `http` otherwise + jenkinsUrlProtocol: + + # -- Set Jenkins URL if you are not using the ingress definitions provided by the chart + jenkinsUrl: + + # If you set this prefix and use ingress controller, then you might want to set the ingress path below + # I.e., "/jenkins" + # -- Root URI Jenkins will be served on + jenkinsUriPrefix: + + # -- Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set) usePodSecurityContext: true + # Note that `runAsUser`, `fsGroup`, and `securityContextCapabilities` are # being deprecated and replaced by `podSecurityContextOverride`. - # Set runAsUser to 1000 to let Jenkins run as non-root user 'jenkins' which exists in 'jenkins/jenkins' docker image. - # When setting runAsUser to a different value than 0 also set fsGroup to the same value: + # Set runAsUser to 1000 to let Jenkins run as non-root user 'jenkins', which exists in 'jenkins/jenkins' docker image. + # When configuring runAsUser to a different value than 0 also set fsGroup to the same value: + # -- Deprecated in favor of `controller.podSecurityContextOverride`. uid that jenkins runs with. runAsUser: 1000 + + # -- Deprecated in favor of `controller.podSecurityContextOverride`. uid that will be used for persistent volume. 
fsGroup: 1000 + # If you have PodSecurityPolicies that require dropping of capabilities as suggested by CIS K8s benchmark, put them here - securityContextCapabilities: {} + # securityContextCapabilities: # drop: # - NET_RAW - # Completely overwrites the contents of the `securityContext`, ignoring the - # values provided for the deprecated fields: `runAsUser`, `fsGroup`, and - # `securityContextCapabilities`. In the case of mounting an ext4 filesystem, - # it might be desirable to use `supplementalGroups` instead of `fsGroup` in + securityContextCapabilities: {} + + # In the case of mounting an ext4 filesystem, it might be desirable to use `supplementalGroups` instead of `fsGroup` in # the `securityContext` block: https://github.com/kubernetes/kubernetes/issues/67014#issuecomment-589915496 # podSecurityContextOverride: # runAsUser: 1000 # runAsNonRoot: true # supplementalGroups: [1000] - # # capabilities: {} - # Container securityContext + # capabilities: {} + # -- Completely overwrites the contents of the pod security context, ignoring the values provided for `runAsUser`, `fsGroup`, and `securityContextCapabilities` + podSecurityContextOverride: ~ + + # -- Allow controlling the securityContext for the jenkins container containerSecurityContext: runAsUser: 1000 runAsGroup: 1000 readOnlyRootFilesystem: true allowPrivilegeEscalation: false - servicePort: 8080 - targetPort: 8080 - # For minikube, set this to NodePort, elsewhere use LoadBalancer + + # For minikube, set this to NodePort, elsewhere uses LoadBalancer # Use ClusterIP if your setup includes ingress controller + # -- k8s service type serviceType: ClusterIP - # Use Local to preserve the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, + + # -- k8s service clusterIP. Only used if serviceType is ClusterIP + clusterIp: + # -- k8s service port + servicePort: 8080 + # -- k8s target port + targetPort: 8080 + # -- k8s node port. 
Only used if serviceType is NodePort + nodePort: + + # Use Local to preserve the client source IP and avoids a second hop for LoadBalancer and NodePort type services, # but risks potentially imbalanced traffic spreading. serviceExternalTrafficPolicy: - # Jenkins controller service annotations + + # -- Jenkins controller service annotations serviceAnnotations: {} - # Jenkins controller custom labels + # -- Jenkins controller custom labels for the StatefulSet statefulSetLabels: {} # foo: bar # bar: foo - # Jenkins controller service labels + # -- Labels for the Jenkins controller-service serviceLabels: {} # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https + # Put labels on Jenkins controller pod + # -- Custom Pod labels (an object with `label-key: label-value` pairs) podLabels: {} - # Used to create Ingress record (should be used with ServiceType: ClusterIP) - # nodePort: # -Dcom.sun.management.jmxremote.port=4000 # -Dcom.sun.management.jmxremote.authenticate=false # -Dcom.sun.management.jmxremote.ssl=false # jmxPort: 4000 - # Optionally configure other ports to expose in the controller container + # -- Open a port, for JMX stats + jmxPort: + + # -- Optionally configure other ports to expose in the controller container extraPorts: [] # - name: BuildInfoProxy # port: 9000 # targetPort: 9010 (Optional: Use to explicitly set targetPort if different from port) - # List of plugins to be install during Jenkins controller start + # Plugins will be installed during Jenkins controller start + # -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` installPlugins: - - kubernetes:4186.v1d804571d5d4 + - kubernetes:4193.vded98e56cc25 - workflow-aggregator:596.v8c21c963d92d - git:5.2.1 - configuration-as-code:1775.v810dc950b_514 - # Set to false to download the minimum required version of all dependencies. + # If set to false, Jenkins will download the minimum required version of all dependencies. 
+ # -- Download the minimum required version or latest version of all dependencies installLatestPlugins: true - # Set to true to download latest dependencies of any plugin that is requested to have the latest version. + # -- Set to true to download the latest version of any plugin that is requested to have the latest version installLatestSpecifiedPlugins: false - # List of plugins to install in addition to those listed in controller.installPlugins + # -- List of plugins to install in addition to those listed in controller.installPlugins additionalPlugins: [] - # Enable to initialize the Jenkins controller only once on initial installation. - # Without this, whenever the controller gets restarted (Evicted, etc.) it will fetch plugin updates which has the potential to cause breakage. + # Without this; whenever the controller gets restarted (Evicted, etc.) it will fetch plugin updates that have the potential to cause breakage. # Note that for this to work, `persistence.enabled` needs to be set to `true` + # -- Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` initializeOnce: false # Enable to always override the installed plugins with the values of 'controller.installPlugins' on upgrade or redeployment. - # overwritePlugins: true + # -- Overwrite installed plugins on start + overwritePlugins: false # Configures if plugins bundled with `controller.image` should be overwritten with the values of 'controller.installPlugins' on upgrade or redeployment. + # -- Overwrite plugins that are already installed in the controller image overwritePluginsFromImage: true # Configures the restrictions for naming projects. Set this key to null or empty to skip it in the default config. projectNamingStrategy: standard - # Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter), useful with ghprb plugin. 
- # The plugin is not installed by default, please update controller.installPlugins. + # Useful with ghprb plugin. The OWASP plugin is not installed by default, please update controller.installPlugins. + # -- Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter) enableRawHtmlMarkupFormatter: false + + # This is ignored if enableRawHtmlMarkupFormatter is true + # -- Yaml of the markup formatter to use + markupFormatter: plainText + # Used to approve a list of groovy functions in pipelines used the script-security plugin. Can be viewed under /scriptApproval + # -- List of groovy functions to approve scriptApproval: [] # - "method groovy.json.JsonSlurperClassic parseText java.lang.String" # - "new groovy.json.JsonSlurperClassic" - # List of groovy init scripts to be executed during Jenkins controller start + + # -- Map of groovy init scripts to be executed during Jenkins controller start initScripts: {} # test: |- # print 'adding global pipeline libraries, register properties, bootstrap jobs...' + # -- Name of the existing ConfigMap that contains init scripts + initConfigMap: - # 'name' is a name of an existing secret in same namespace as jenkins, - # 'keyName' is the name of one of the keys inside current secret. + # 'name' is a name of an existing secret in the same namespace as jenkins, + # 'keyName' is the name of one of the keys inside the current secret. # the 'name' and 'keyName' are concatenated with a '-' in between, so for example: - # an existing secret "secret-credentials" and a key inside it named "github-password" should be used in Jcasc as ${secret-credentials-github-password} + # an existing secret "secret-credentials" and a key inside it named "github-password" should be used in JCasC as ${secret-credentials-github-password} # 'name' and 'keyName' must be lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', - # and must start and end with an alphanumeric character (e.g. 
'my-name', or '123-abc') - # existingSecret existing secret "secret-credentials" and a key inside it named "github-username" should be used in Jcasc as ${github-username} + # and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc') + # existingSecret existing secret "secret-credentials" and a key inside it named "github-username" should be used in JCasC as ${github-username} # When using existingSecret no need to specify the keyName under additionalExistingSecrets. existingSecret: + # -- List of additional existing secrets to mount additionalExistingSecrets: [] + # ref: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets + # additionalExistingSecrets: # - name: secret-name-1 # keyName: username # - name: secret-name-1 # keyName: password + # -- List of additional secrets to create and mount additionalSecrets: [] + # ref: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets + # additionalSecrets: # - name: nameOfSecret # value: secretText - # Generate SecretClaim resources in order to create Kubernetes secrets from HashiCorp Vault using kube-vault-controller. - # 'name' is name of the secret that will be created in Kubernetes. The Jenkins fullname is prepended to this value. + # Generate SecretClaim resources to create Kubernetes secrets from HashiCorp Vault using kube-vault-controller. + # 'name' is the name of the secret that will be created in Kubernetes. The Jenkins fullname is prepended to this value. # 'path' is the fully qualified path to the secret in Vault - # 'type' is an optional Kubernetes secret type. Defaults to 'Opaque' + # 'type' is an optional Kubernetes secret type. 
The default is 'Opaque' # 'renew' is an optional secret renewal time in seconds + # -- List of `SecretClaim` resources to create secretClaims: [] # - name: secretName # required # path: testPath # required # type: kubernetes.io/tls # optional # renew: 60 # optional - # Name of default cloud configuration. + # -- Name of default cloud configuration. cloudName: "kubernetes" - # Below is the implementation of Jenkins Configuration as Code. Add a key under configScripts for each configuration area, - # where each corresponds to a plugin or section of the UI. Each key (prior to | character) is just a label, and can be any value. - # Keys are only used to give the section a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label - # characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the controller in - # /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each | - # become the content of the configuration yaml file. The first line after this is a JCasC root element, eg jenkins, credentials, - # etc. Best reference is https:///configuration-as-code/reference. The example below creates a welcome message: + # Below is the implementation of Jenkins Configuration as Code. Add a key under configScripts for each configuration area, + # where each corresponds to a plugin or section of the UI. Each key (prior to | character) is just a label, and can be any value. + # Keys are only used to give the section a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label + # characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the controller in + # /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each | + # become the content of the configuration yaml file. 
The first line after this is a JCasC root element, e.g., jenkins, credentials, + # etc. Best reference is https:///configuration-as-code/reference. The example below creates a welcome message: JCasC: + # -- Enables default Jenkins configuration via configuration as code plugin defaultConfig: true + + # If true, the init container deletes all the plugin config files and Jenkins Config as Code overwrites any existing configuration + # -- Whether Jenkins Config as Code should overwrite any existing configuration + overwriteConfiguration: false + # -- Remote URLs for configuration files. configUrls: [] # - https://acme.org/jenkins.yaml - # Remote URL:s for configuration files. + # -- List of Jenkins Config as Code scripts configScripts: {} # welcome-message: | # jenkins: - # systemMessage: Welcome to our CI\CD server. This Jenkins is configured and managed 'as code'. - # Allows adding to the top-level security JCasC section. For legacy, default the chart includes apiToken configurations + # systemMessage: Welcome to our CI\CD server. This Jenkins is configured and managed 'as code'. + + # Allows adding to the top-level security JCasC section. For legacy purposes, by default, the chart includes apiToken configurations + # -- Jenkins Config as Code security-section security: apiToken: creationOfLegacyTokenEnabled: false tokenGenerationOnCreationEnabled: false usageStatisticsEnabled: true + # Ignored if securityRealm is defined in controller.JCasC.configScripts + # -- Jenkins Config as Code Security Realm-section securityRealm: |- local: allowsSignup: false 
@@ -357,11 +527,13 @@ controller: - id: "${chart-admin-username}" name: "Jenkins Admin" password: "${chart-admin-password}" + # Ignored if authorizationStrategy is defined in controller.JCasC.configScripts + # -- Jenkins Config as Code Authorization Strategy-section authorizationStrategy: |- loggedInUsersCanDoAnything: allowAnonymousRead: false - # Optionally specify additional init-containers + # -- Custom init-container specification in raw-yaml format customInitContainers: [] # - name: custom-init # image: "alpine:3" @@ -370,14 +542,19 @@ controller: sidecars: configAutoReload: - # If enabled: true, Jenkins Configuration as Code will be reloaded on-the-fly without a reboot. If false or not-specified, - # jcasc changes will cause a reboot and will only be applied at the subsequent start-up. Auto-reload uses the - # http:///reload-configuration-as-code endpoint to reapply config when changes to the configScripts are detected. + # If enabled: true, Jenkins Configuration as Code will be reloaded on-the-fly without a reboot. + # If false or not-specified, JCasC changes will cause a reboot and will only be applied at the subsequent start-up. + # Auto-reload uses the http:///reload-configuration-as-code endpoint to reapply config when changes to + # the configScripts are detected. + # -- Enables Jenkins Config as Code auto-reload enabled: true image: + # -- Registry for the image that triggers the reload registry: docker.io + # -- Repository of the image that triggers the reload repository: kiwigrid/k8s-sidecar - tag: 1.25.4 + # -- Tag for the image that triggers the reload + tag: 1.26.1 imagePullPolicy: IfNotPresent resources: {} # limits: 
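Review bot: The comment added for `controller.JCasC.overwriteConfiguration` says the init container "deletes all the plugin config files", which neither matches what the config.yaml hunk does (it removes `config.xml`, `*plugins*.xml` and top-level `*configuration*.xml` from jenkinsHome) nor says that the deletion repeats on every controller start while the flag is true. Something like `# If true, on every controller start the init container deletes config.xml, *plugins*.xml and *configuration*.xml from jenkinsHome, so any configuration not expressed in JCasC (including changes made in the UI) is lost` would set expectations accurately. This hunk is mostly helm-docs annotations, but since it also flips `overwritePlugins` from a commented-out `true` to an explicit `false` and bumps the kubernetes plugin, those behavioural defaults deserve a mention in the commit description.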
@@ -386,34 +563,49 @@ controller: # requests: # cpu: 50m # memory: 50Mi - # How many connection-related errors to retry on + + # -- The scheme to use when connecting to the Jenkins configuration as code endpoint + scheme: http + # -- Skip TLS verification when connecting to the Jenkins configuration as code endpoint + skipTlsVerify: false + + # -- How many connection-related errors to retry on reqRetryConnect: 10 - # env: + # -- How many seconds to wait before updating config-maps/secrets (sets METHOD=SLEEP on the sidecar) + sleepTime: + + # -- Environment variable sources for the Jenkins Config as Code auto-reload container + envFrom: [] + # -- Environment variables for the Jenkins Config as Code auto-reload container + env: {} # - name: REQ_TIMEOUT # value: "30" - # SSH port value can be set to any unused TCP port. The default, 1044, is a non-standard SSH port that has been chosen at random. - # Is only used to reload jcasc config from the sidecar container running in the Jenkins controller pod. + + # SSH port value can be set to any unused TCP port. The default, 1044, is a non-standard SSH port that has been chosen at random. + # This is only used to reload JCasC config from the sidecar container running in the Jenkins controller pod. # This TCP port will not be open in the pod (unless you specifically configure this), so Jenkins will not be - # accessible via SSH from outside of the pod. Note if you use non-root pod privileges (runAsUser & fsGroup), + # accessible via SSH from outside the pod. Note if you use non-root pod privileges (runAsUser & fsGroup), # this must be > 1024: sshTcpPort: 1044 # folder in the pod that should hold the collected dashboards: folder: "/var/jenkins_home/casc_configs" + # If specified, the sidecar will search for JCasC config-maps inside this namespace. - # Otherwise the namespace in which the sidecar is running will be used. + # Otherwise, the namespace in which the sidecar is running will be used. 
# It's also possible to specify ALL to search in all namespaces: # searchNamespace: + # -- Enable container security context containerSecurityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false - # Allows you to inject additional sidecars + # -- Configures additional sidecar container(s) for the Jenkins controller additionalSidecarContainers: [] ## The example below runs the client for https://smee.io as sidecar container next to Jenkins, - ## that allows to trigger build behind a secure firewall. + ## that allows triggering build behind a secure firewall. ## https://jenkins.io/blog/2019/01/07/webhook-firewalls/#triggering-builds-with-webhooks-behind-a-secure-firewall ## - ## Note: To use it you should go to https://smee.io/new and update the url to the generete one. + ## Note: To use it you should go to https://smee.io/new and update the url to the generated one. # - name: smee # image: docker.io/twalter/smee-client:1.0.2 # args: ["--port", "{{ .Values.controller.servicePort }}", "--path", "/github-webhook/", "--url", "https://smee.io/new"] 
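Review bot: `env: {}` in the configAutoReload block is map-shaped, but the example kept directly under it (`# - name: REQ_TIMEOUT` / `# value: "30"`) and the removed `# env:` example are list items, so a user who uncomments the example hands the sidecar template a list where the default promises a map; whether the template ranges over a map or iterates a list is not visible in this hunk, but one of the two should change, e.g. `env: []` if the list form is what renders. The new `skipTlsVerify` comment could also say when it matters: `# -- Skip TLS verification when connecting to the Jenkins configuration as code endpoint (only relevant with scheme: https; leaving it false keeps the sidecar's reload request verified)`. `sleepTime:` is added with no value and no note on what the sidecar does when it is unset, which the comment on the line above it should state.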
@@ -424,36 +616,47 @@ controller: # requests: # cpu: 10m # memory: 32Mi - # Name of the Kubernetes scheduler to use + + # -- Name of the Kubernetes scheduler to use schedulerName: "" - # Node labels and tolerations for pod assignment + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + # -- Node labels for pod assignment nodeSelector: {} + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + # -- Toleration labels for pod assignment + tolerations: [] + # -- Set TerminationGracePeriodSeconds terminationGracePeriodSeconds: - + # -- Set the termination message path terminationMessagePath: + # -- Set the termination message policy terminationMessagePolicy: - tolerations: [] - + # -- Affinity settings affinity: {} + # Leverage a priorityClass to ensure your pods survive resource shortages # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + # -- The name of a `priorityClass` to apply to the controller pod priorityClassName: + # -- Annotations for controller pod podAnnotations: {} - # Add StatefulSet annotations + # -- Annotations for controller StatefulSet statefulSetAnnotations: {} - # StatefulSet updateStrategy # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + # -- Update strategy for StatefulSet updateStrategy: {} ingress: + # -- Enables ingress enabled: false + # Override for the default paths that map requests to the backend + # -- Override for the default Ingress paths paths: [] # - backend: # serviceName: ssl-redirect 
@@ -463,29 +666,40 @@ controller: # {{ template "jenkins.fullname" . }} # # Don't use string here, use only integer value! # servicePort: 8080 + # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1' # For Kubernetes v1.19+, use 'networking.k8s.io/v1' + # -- Ingress API version apiVersion: "extensions/v1beta1" + # -- Ingress labels labels: {} + # -- Ingress annotations annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress # ingressClassName: nginx + # Set this path to jenkinsUriPrefix above or use annotations to rewrite path - # path: "/jenkins" + # -- Ingress path + path: + # configures the hostname e.g. jenkins.example.com + # -- Ingress hostname hostName: - tls: + # -- Hostname to serve assets from + resourceRootUrl: + # -- Ingress TLS configuration + tls: [] # - secretName: jenkins.cluster.local # hosts: # - jenkins.cluster.local - # often you want to have your controller all locked down and private + # often you want to have your controller all locked down and private, # but you still want to get webhooks from your SCM # A secondary ingress will let you expose different urls - # with a differnt configuration + # with a different configuration secondaryingress: enabled: false # paths you want forwarded to the backend 
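Review bot: The added `# -- Ingress API version` comment documents a default of `apiVersion: "extensions/v1beta1"` while the two comment lines just above it tell users to use `networking.k8s.io/v1` on Kubernetes v1.19+, so the default contradicts its own guidance; whether the chart template maps this value onto a served API is not visible here. If it does, the comment should say so, otherwise the default should become `apiVersion: "networking.k8s.io/v1"`. The example under `annotations: {}` (`# kubernetes.io/ingress.class: nginx`) is likewise the pre-`ingressClassName` form that the following comment line says to avoid on 1.18+, which deserves a word since both appear together.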
@@ -501,7 +715,7 @@ controller: # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress # ingressClassName: nginx - # configures the hostname e.g. jenkins-external.example.com + # configures the hostname e.g., jenkins-external.example.com hostName: tls: # - secretName: jenkins-external.example.com @@ -512,23 +726,34 @@ controller: # to finish ingress setup, use the following values. # Docs: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig backendconfig: + # -- Enables backendconfig enabled: false + # -- backendconfig API version apiVersion: "extensions/v1beta1" + # -- backendconfig name name: + # -- backendconfig labels labels: {} + # -- backendconfig annotations annotations: {} + # -- backendconfig spec spec: {} # Openshift route route: + # -- Enables openshift route enabled: false + # -- Route labels labels: {} + # -- Route annotations annotations: {} - # path: "/jenkins" + # -- Route path + path: - # controller.hostAliases allows for adding entries to Pod /etc/hosts: - # https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + # -- Allows for adding entries to Pod /etc/hosts hostAliases: [] + # ref: https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + # hostAliases: # - ip: 192.168.50.50 # hostnames: # - something.local 
@@ -540,21 +765,27 @@ controller: prometheus: # If enabled, add the prometheus plugin to the list of plugins to install # https://plugins.jenkins.io/prometheus + + # -- Enables prometheus service monitor enabled: false - # Additional labels to add to the ServiceMonitor object + # -- Additional labels to add to the service monitor object serviceMonitorAdditionalLabels: {} - # Set a custom namespace where to deploy ServiceMonitor resource - # serviceMonitorNamespace: monitoring + # -- Set a custom namespace where to deploy ServiceMonitor resource + serviceMonitorNamespace: + # -- How often prometheus should scrape metrics scrapeInterval: 60s - # This is the default endpoint used by the prometheus plugin + + # Defaults to the default endpoint used by the prometheus plugin + # -- The endpoint prometheus should get metrics from scrapeEndpoint: /prometheus - # Additional labels to add to the PrometheusRule object - alertingRulesAdditionalLabels: {} - # An array of prometheus alerting rules + # See here: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ - # The `groups` root object is added by default, simply add the rule entries + # The `groups` root object is added by default, add the rule entries + # -- Array of prometheus alerting rules alertingrules: [] - # Set a custom namespace where to deploy PrometheusRule resource + # -- Additional labels to add to the PrometheusRule object + alertingRulesAdditionalLabels: {} + # -- Set a custom namespace where to deploy PrometheusRule resource prometheusRuleNamespace: "" # RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds 
@@ -574,93 +805,130 @@ controller: # This is the default endpoint used by the prometheus plugin scrapeEndpoint: /prometheus - # Can be used to disable rendering controller test resources when using helm template + # -- Can be used to disable rendering controller test resources when using helm template testEnabled: true httpsKeyStore: - jenkinsHttpsJksSecretName: '' - jenkinsHttpsJksSecretKey: "jenkins-jks-file" - jenkinsHttpsJksPasswordSecretName: "" - jenkinsHttpsJksPasswordSecretKey: "https-jks-password" + # -- Enables HTTPS keystore on jenkins controller enable: false + # -- Name of the secret that already has ssl keystore + jenkinsHttpsJksSecretName: "" + # -- Name of the key in the secret that already has ssl keystore + jenkinsHttpsJksSecretKey: "jenkins-jks-file" + # -- Name of the secret that contains the JKS password, if it is not in the same secret as the JKS file + jenkinsHttpsJksPasswordSecretName: "" + # -- Name of the key in the secret that contains the JKS password + jenkinsHttpsJksPasswordSecretKey: "https-jks-password" disableSecretMount: false + + # When HTTPS keystore is enabled, servicePort and targetPort will be used as HTTPS port + # -- HTTP Port that Jenkins should listen to along with HTTPS, it also serves as the liveness and readiness probes port. 
httpPort: 8081 + # -- Path of HTTPS keystore file path: "/var/jenkins_keystore" + # -- Jenkins keystore filename which will appear under controller.httpsKeyStore.path fileName: "keystore.jks" + # -- Jenkins keystore password password: "password" - # Convert keystore.jks files content to base64 ( cat keystore.jks | base64 ) and put the output here - jenkinsKeyStoreBase64Encoded: | - /u3+7QAAAAIAAAABAAAAAQANamVua2luc2NpLmNvbQAAAW2r/b1ZAAAFATCCBP0wDgYKKwYBBAEq - AhEBAQUABIIE6QbCqasvoHS0pSwYqSvdydMCB9t+VNfwhFIiiuAelJfO5sSe2SebJbtwHgLcRz1Z - gMtWgOSFdl3bWSzA7vrW2LED52h+jXLYSWvZzuDuh8hYO85m10ikF6QR+dTi4jra0whIFDvq3pxe - TnESxEsN+DvbZM3jA3qsjQJSeISNpDjO099dqQvHpnCn18lyk7J4TWJ8sOQQb1EM2zDAfAOSqA/x - QuPEFl74DlY+5DIk6EBvpmWhaMSvXzWZACGA0sYqa157dq7O0AqmuLG/EI5EkHETO4CrtBW+yLcy - 2dUCXOMA+j+NjM1BjrQkYE5vtSfNO6lFZcISyKo5pTFlcA7ut0Fx2nZ8GhHTn32CpeWwNcZBn1gR - pZVt6DxVVkhTAkMLhR4rL2wGIi/1WRs23ZOLGKtyDNvDHnQyDiQEoJGy9nAthA8aNHa3cfdF10vB - Drb19vtpFHmpvKEEhpk2EBRF4fTi644Fuhu2Ied6118AlaPvEea+n6G4vBz+8RWuVCmZjLU+7h8l - Hy3/WdUPoIL5eW7Kz+hS+sRTFzfu9C48dMkQH3a6f3wSY+mufizNF9U298r98TnYy+PfDJK0bstG - Ph6yPWx8DGXKQBwrhWJWXI6JwZDeC5Ny+l8p1SypTmAjpIaSW3ge+KgcL6Wtt1R5hUV1ajVwVSUi - HF/FachKqPqyLJFZTGjNrxnmNYpt8P1d5JTvJfmfr55Su/P9n7kcyWp7zMcb2Q5nlXt4tWogOHLI - OzEWKCacbFfVHE+PpdrcvCVZMDzFogIq5EqGTOZe2poPpBVE+1y9mf5+TXBegy5HToLWvmfmJNTO - NCDuBjgLs2tdw2yMPm4YEr57PnMX5gGTC3f2ZihXCIJDCRCdQ9sVBOjIQbOCzxFXkVITo0BAZhCi - Yz61wt3Ud8e//zhXWCkCsSV+IZCxxPzhEFd+RFVjW0Nm9hsb2FgAhkXCjsGROgoleYgaZJWvQaAg - UyBzMmKDPKTllBHyE3Gy1ehBNGPgEBChf17/9M+j8pcm1OmlM434ctWQ4qW7RU56//yq1soFY0Te - fu2ei03a6m68fYuW6s7XEEK58QisJWRAvEbpwu/eyqfs7PsQ+zSgJHyk2rO95IxdMtEESb2GRuoi - Bs+AHNdYFTAi+GBWw9dvEgqQ0Mpv0//6bBE/Fb4d7b7f56uUNnnE7mFnjGmGQN+MvC62pfwfvJTT - EkT1iZ9kjM9FprTFWXT4UmO3XTvesGeE50sV9YPm71X4DCQwc4KE8vyuwj0s6oMNAUACW2ClU9QQ - y0tRpaF1tzs4N42Q5zl0TzWxbCCjAtC3u6xf+c8MCGrr7DzNhm42LOQiHTa4MwX4x96q7235oiAU - iQqSI/hyF5yLpWw4etyUvsx2/0/0wkuTU1FozbLoCWJEWcPS7QadMrRRISxHf0YobIeQyz34regl - 
t1qSQ3dCU9D6AHLgX6kqllx4X0fnFq7LtfN7fA2itW26v+kAT2QFZ3qZhINGfofCja/pITC1uNAZ - gsJaTMcQ600krj/ynoxnjT+n1gmeqThac6/Mi3YlVeRtaxI2InL82ZuD+w/dfY9OpPssQjy3xiQa - jPuaMWXRxz/sS9syOoGVH7XBwKrWpQcpchozWJt40QV5DslJkclcr8aC2AGlzuJMTdEgz1eqV0+H - bAXG9HRHN/0eJTn1/QAAAAEABVguNTA5AAADjzCCA4swggJzAhRGqVxH4HTLYPGO4rzHcCPeGDKn - xTANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMCY2ExEDAOBgNVBAgMB29udGFyaW8xEDAOBgNV - BAcMB3Rvcm9udG8xFDASBgNVBAoMC2plbmtpbnN0ZXN0MRkwFwYDVQQDDBBqZW5raW5zdGVzdC5p - bmZvMR0wGwYJKoZIhvcNAQkBFg50ZXN0QHRlc3QuaW5mbzAeFw0xOTEwMDgxNTI5NTVaFw0xOTEx - MDcxNTI5NTVaMIGBMQswCQYDVQQGEwJjYTEQMA4GA1UECAwHb250YXJpbzEQMA4GA1UEBwwHdG9y - b250bzEUMBIGA1UECgwLamVua2luc3Rlc3QxGTAXBgNVBAMMEGplbmtpbnN0ZXN0LmluZm8xHTAb - BgkqhkiG9w0BCQEWDnRlc3RAdGVzdC5pbmZvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC - AQEA02q352JTHGvROMBhSHvSv+vnoOTDKSTz2aLQn0tYrIRqRo+8bfmMjXuhkwZPSnCpvUGNAJ+w - Jrt/dqMoYUjCBkjylD/qHmnXN5EwS1cMg1Djh65gi5JJLFJ7eNcoSsr/0AJ+TweIal1jJSP3t3PF - 9Uv21gm6xdm7HnNK66WpUUXLDTKaIs/jtagVY1bLOo9oEVeLN4nT2CYWztpMvdCyEDUzgEdDbmrP - F5nKUPK5hrFqo1Dc5rUI4ZshL3Lpv398aMxv6n2adQvuL++URMEbXXBhxOrT6rCtYzbcR5fkwS9i - d3Br45CoWOQro02JAepoU0MQKY5+xQ4Bq9Q7tB9BAwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAe - 4xc+mSvKkrKBHg9/zpkWgZUiOp4ENJCi8H4tea/PCM439v6y/kfjT/okOokFvX8N5aa1OSz2Vsrl - m8kjIc6hiA7bKzT6lb0EyjUShFFZ5jmGVP4S7/hviDvgB5yEQxOPpumkdRP513YnEGj/o9Pazi5h - /MwpRxxazoda9r45kqQpyG+XoM4pB+Fd3JzMc4FUGxfVPxJU4jLawnJJiZ3vqiSyaB0YyUL+Er1Q - 6NnqtR4gEBF0ZVlQmkycFvD4EC2boP943dLqNUvop+4R3SM1QMM6P5u8iTXtHd/VN4MwMyy1wtog - hYAzODo1Jt59pcqqKJEas0C/lFJEB3frw4ImNx5fNlJYOpx+ijfQs9m39CevDq0= + + # -- Base64 encoded Keystore content. 
Keystore must be converted to base64 then being pasted here + jenkinsKeyStoreBase64Encoded: + # Convert keystore.jks files content to base64 > $ cat keystore.jks | base64 +# /u3+7QAAAAIAAAABAAAAAQANamVua2luc2NpLmNvbQAAAW2r/b1ZAAAFATCCBP0wDgYKKwYBBAEq +# AhEBAQUABIIE6QbCqasvoHS0pSwYqSvdydMCB9t+VNfwhFIiiuAelJfO5sSe2SebJbtwHgLcRz1Z +# gMtWgOSFdl3bWSzA7vrW2LED52h+jXLYSWvZzuDuh8hYO85m10ikF6QR+dTi4jra0whIFDvq3pxe +# TnESxEsN+DvbZM3jA3qsjQJSeISNpDjO099dqQvHpnCn18lyk7J4TWJ8sOQQb1EM2zDAfAOSqA/x +# QuPEFl74DlY+5DIk6EBvpmWhaMSvXzWZACGA0sYqa157dq7O0AqmuLG/EI5EkHETO4CrtBW+yLcy +# 2dUCXOMA+j+NjM1BjrQkYE5vtSfNO6lFZcISyKo5pTFlcA7ut0Fx2nZ8GhHTn32CpeWwNcZBn1gR +# pZVt6DxVVkhTAkMLhR4rL2wGIi/1WRs23ZOLGKtyDNvDHnQyDiQEoJGy9nAthA8aNHa3cfdF10vB +# Drb19vtpFHmpvKEEhpk2EBRF4fTi644Fuhu2Ied6118AlaPvEea+n6G4vBz+8RWuVCmZjLU+7h8l +# Hy3/WdUPoIL5eW7Kz+hS+sRTFzfu9C48dMkQH3a6f3wSY+mufizNF9U298r98TnYy+PfDJK0bstG +# Ph6yPWx8DGXKQBwrhWJWXI6JwZDeC5Ny+l8p1SypTmAjpIaSW3ge+KgcL6Wtt1R5hUV1ajVwVSUi +# HF/FachKqPqyLJFZTGjNrxnmNYpt8P1d5JTvJfmfr55Su/P9n7kcyWp7zMcb2Q5nlXt4tWogOHLI +# OzEWKCacbFfVHE+PpdrcvCVZMDzFogIq5EqGTOZe2poPpBVE+1y9mf5+TXBegy5HToLWvmfmJNTO +# NCDuBjgLs2tdw2yMPm4YEr57PnMX5gGTC3f2ZihXCIJDCRCdQ9sVBOjIQbOCzxFXkVITo0BAZhCi +# Yz61wt3Ud8e//zhXWCkCsSV+IZCxxPzhEFd+RFVjW0Nm9hsb2FgAhkXCjsGROgoleYgaZJWvQaAg +# UyBzMmKDPKTllBHyE3Gy1ehBNGPgEBChf17/9M+j8pcm1OmlM434ctWQ4qW7RU56//yq1soFY0Te +# fu2ei03a6m68fYuW6s7XEEK58QisJWRAvEbpwu/eyqfs7PsQ+zSgJHyk2rO95IxdMtEESb2GRuoi +# Bs+AHNdYFTAi+GBWw9dvEgqQ0Mpv0//6bBE/Fb4d7b7f56uUNnnE7mFnjGmGQN+MvC62pfwfvJTT +# EkT1iZ9kjM9FprTFWXT4UmO3XTvesGeE50sV9YPm71X4DCQwc4KE8vyuwj0s6oMNAUACW2ClU9QQ +# y0tRpaF1tzs4N42Q5zl0TzWxbCCjAtC3u6xf+c8MCGrr7DzNhm42LOQiHTa4MwX4x96q7235oiAU +# iQqSI/hyF5yLpWw4etyUvsx2/0/0wkuTU1FozbLoCWJEWcPS7QadMrRRISxHf0YobIeQyz34regl +# t1qSQ3dCU9D6AHLgX6kqllx4X0fnFq7LtfN7fA2itW26v+kAT2QFZ3qZhINGfofCja/pITC1uNAZ +# gsJaTMcQ600krj/ynoxnjT+n1gmeqThac6/Mi3YlVeRtaxI2InL82ZuD+w/dfY9OpPssQjy3xiQa +# 
jPuaMWXRxz/sS9syOoGVH7XBwKrWpQcpchozWJt40QV5DslJkclcr8aC2AGlzuJMTdEgz1eqV0+H +# bAXG9HRHN/0eJTn1/QAAAAEABVguNTA5AAADjzCCA4swggJzAhRGqVxH4HTLYPGO4rzHcCPeGDKn +# xTANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMCY2ExEDAOBgNVBAgMB29udGFyaW8xEDAOBgNV +# BAcMB3Rvcm9udG8xFDASBgNVBAoMC2plbmtpbnN0ZXN0MRkwFwYDVQQDDBBqZW5raW5zdGVzdC5p +# bmZvMR0wGwYJKoZIhvcNAQkBFg50ZXN0QHRlc3QuaW5mbzAeFw0xOTEwMDgxNTI5NTVaFw0xOTEx +# MDcxNTI5NTVaMIGBMQswCQYDVQQGEwJjYTEQMA4GA1UECAwHb250YXJpbzEQMA4GA1UEBwwHdG9y +# b250bzEUMBIGA1UECgwLamVua2luc3Rlc3QxGTAXBgNVBAMMEGplbmtpbnN0ZXN0LmluZm8xHTAb +# BgkqhkiG9w0BCQEWDnRlc3RAdGVzdC5pbmZvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +# AQEA02q352JTHGvROMBhSHvSv+vnoOTDKSTz2aLQn0tYrIRqRo+8bfmMjXuhkwZPSnCpvUGNAJ+w +# Jrt/dqMoYUjCBkjylD/qHmnXN5EwS1cMg1Djh65gi5JJLFJ7eNcoSsr/0AJ+TweIal1jJSP3t3PF +# 9Uv21gm6xdm7HnNK66WpUUXLDTKaIs/jtagVY1bLOo9oEVeLN4nT2CYWztpMvdCyEDUzgEdDbmrP +# F5nKUPK5hrFqo1Dc5rUI4ZshL3Lpv398aMxv6n2adQvuL++URMEbXXBhxOrT6rCtYzbcR5fkwS9i +# d3Br45CoWOQro02JAepoU0MQKY5+xQ4Bq9Q7tB9BAwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAe +# 4xc+mSvKkrKBHg9/zpkWgZUiOp4ENJCi8H4tea/PCM439v6y/kfjT/okOokFvX8N5aa1OSz2Vsrl +# m8kjIc6hiA7bKzT6lb0EyjUShFFZ5jmGVP4S7/hviDvgB5yEQxOPpumkdRP513YnEGj/o9Pazi5h +# /MwpRxxazoda9r45kqQpyG+XoM4pB+Fd3JzMc4FUGxfVPxJU4jLawnJJiZ3vqiSyaB0YyUL+Er1Q +# 6NnqtR4gEBF0ZVlQmkycFvD4EC2boP943dLqNUvop+4R3SM1QMM6P5u8iTXtHd/VN4MwMyy1wtog +# hYAzODo1Jt59pcqqKJEas0C/lFJEB3frw4ImNx5fNlJYOpx+ijfQs9m39CevDq0= agent: + # -- Enable Kubernetes plugin jnlp-agent podTemplate enabled: true + # -- The name of the pod template to use for providing default values defaultsProviderTemplate: "" - # URL for connecting to the Jenkins controller + + # For connecting to the Jenkins controller + # -- Overrides the Kubernetes Jenkins URL jenkinsUrl: - # connect to the specified host and port, instead of connecting directly to the Jenkins controller + + # connects to the specified host and port, instead of connecting directly to the Jenkins controller + # -- Overrides the Kubernetes Jenkins 
tunnel jenkinsTunnel: + # -- The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5 kubernetesConnectTimeout: 5 + # -- The read timeout in seconds for connections to Kubernetes API. The minimum value is 15 kubernetesReadTimeout: 15 + # -- The maximum concurrent connections to Kubernetes API maxRequestsPerHostStr: "32" + # -- Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated retentionTimeout: 5 + # -- Seconds to wait for pod to be running waitForPodSec: 600 + # -- Namespace in which the Kubernetes agents should be launched namespace: - # private registry for agent image + # -- Custom Pod labels (an object with `label-key: label-value` pairs) + podLabels: {} + # -- Custom registry used to pull the agent jnlp image from jnlpregistry: image: + # -- Repository to pull the agent jnlp image from repository: "jenkins/inbound-agent" + # -- Tag of the image to pull tag: "3206.vb_15dcf73f6a_9-3" + # -- Configure working directory for default agent workingDir: "/home/jenkins/agent" nodeUsageMode: "NORMAL" + # -- Append Jenkins labels to the agent customJenkinsLabels: [] - # name of the secret to be used for image pulling + # -- Name of the secret to be used to pull the image imagePullSecretName: componentName: "jenkins-agent" + # -- Enables agent communication via websockets websocket: false directConnection: false + # -- Agent privileged container privileged: false + # -- Configure container user runAsUser: + # -- Configure container group runAsGroup: + # -- Enables the agent to use the host network hostNetworking: false + # -- Resources allocation (Requests and Limits) resources: requests: cpu: "512m" 
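Review bot: The new `# -- Jenkins keystore password` comment sits on `password: "password"`, a well-known placeholder that, once `enable: true` is set, appears to be the password used whenever `jenkinsHttpsJksPasswordSecretName` is left at its empty default; which of the two the template prefers is not visible in this hunk. The comment should make the precedence and the expectation explicit, e.g. `# -- Jenkins keystore password; the default is a placeholder — override it or, preferably, supply it through jenkinsHttpsJksPasswordSecretName/Key so it does not live in values`. The same applies to `jenkinsKeyStoreBase64Encoded:`, whose comment still invites pasting keystore content into values although `jenkinsHttpsJksSecretName` already offers a Secret-backed path; a short `prefer jenkinsHttpsJksSecretName` in that comment would steer users away from committing key material.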
@@ -677,8 +945,16 @@ agent: # periodSeconds: 10 # successThreshold: 1 # timeoutSeconds: 1 + # You may want to change this to true while testing a new image + # -- Always pull agent container image before build alwaysPullImage: false + # When using Pod Security Admission in the Agents namespace with the restricted Pod Security Standard, + # the jnlp container cannot be scheduled without overriding its container definition with a securityContext. + # This option allows to automatically inject in the jnlp container a securityContext + # that is suitable for the use of the restricted Pod Security Standard. + # -- Set a restricted securityContext on jnlp containers + restrictedPssSecurityContext: false # Controls how agent pods are retained after the Jenkins build completes # Possible values: Always, Never, OnFailure podRetention: "Never" @@ -686,10 +962,12 @@ agent: # in the job Console Output. This can be helpful for either security reasons # or simply to clean up the output to make it easier to read. showRawYaml: true + # You can define the volumes that you want to mount for this container # Allowed types are: ConfigMap, EmptyDir, EphemeralVolume, HostPath, Nfs, PVC, Secret # Configure the attributes as they appear in the corresponding Java class for that type # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes + # -- Additional volumes volumes: [] # - type: ConfigMap # configMapName: myconfigmap 
@@ -724,62 +1002,73 @@ agent: # Allowed types are: DynamicPVC, EmptyDir, EphemeralVolume, HostPath, Nfs, PVC # Configure the attributes as they appear in the corresponding Java class for that type # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes/workspace + # -- Workspace volume (defaults to EmptyDir) workspaceVolume: {} ## DynamicPVC example - # type: DynamicPVC - # configMapName: myconfigmap + # - type: DynamicPVC + # configMapName: myconfigmap ## EmptyDir example - # type: EmptyDir - # memory: false + # - type: EmptyDir + # memory: false ## EphemeralVolume example - # type: EphemeralVolume - # accessModes: ReadWriteOnce - # requestsSize: 10Gi - # storageClassName: mystorageclass + # - type: EphemeralVolume + # accessModes: ReadWriteOnce + # requestsSize: 10Gi + # storageClassName: mystorageclass ## HostPath example - # type: HostPath - # hostPath: /var/lib/containers + # - type: HostPath + # hostPath: /var/lib/containers ## NFS example - # type: Nfs - # readOnly: false - # serverAddress: "192.0.2.0" - # serverPath: /var/lib/containers + # - type: Nfs + # readOnly: false + # serverAddress: "192.0.2.0" + # serverPath: /var/lib/containers ## PVC example - # type: PVC - # claimName: mypvc - # readOnly: false - # + # - type: PVC + # claimName: mypvc + # readOnly: false + # Pod-wide environment, these vars are visible to any container in the agent pod + # -- Environment variables for the agent Pod envVars: [] # - name: PATH # value: /usr/local/bin - # Mount a secret as environment variable + # -- Mount a secret as environment variable secretEnvVars: [] # - key: PATH # optional: false # default: false # secretKey: MY-K8S-PATH # secretName: my-k8s-secret + + # -- Node labels for pod assignment nodeSelector: {} # Key Value selectors. 
Ex: - # jenkins-agent: v1 + # nodeSelector + # jenkins-agent: v1 - # Executed command when side container gets started + # -- Command to execute when side container starts command: + # -- Arguments passed to command to execute args: "${computer.jnlpmac} ${computer.name}" - # Side container name + # -- Side container name sideContainerName: "jnlp" + # Doesn't allocate pseudo TTY by default + # -- Allocate pseudo tty to the side container TTYEnabled: false - # Max number of spawned agent + # -- Max number of agents to launch containerCap: 10 - # Pod name + # -- Agent Pod base name podName: "default" - # Allows the Pod to remain active for reuse until the configured number of - # minutes has passed since the last step was executed on it. + + # -- Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it idleMinutes: 0 - # Raw yaml template for the Pod. For example this allows usage of toleration for agent pods. + + + # The raw yaml of a Pod API Object, for example, this allows usage of toleration for agent pods. # https://github.com/jenkinsci/kubernetes-plugin#using-yaml-to-define-pod-templates # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + # -- The raw yaml of a Pod API Object to merge into the agent spec yamlTemplate: "" # yamlTemplate: |- # apiVersion: v1 
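Review bot: `workspaceVolume: {}` stays a single map, and the added comment calls it one volume defaulting to EmptyDir, yet every example below it was rewritten as a list item (`# - type: DynamicPVC`, `# - type: EmptyDir`, …), so pasting any of them as written yields a list where the default is a map; whether the template tolerates that is not visible here, but the pre-change map form (`#   type: DynamicPVC` / `#   configMapName: myconfigmap`) matched the default and should be restored. The `volumes: []` examples in the preceding hunk are genuinely list-shaped and keep their dash correctly.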
@@ -789,15 +1078,16 @@ agent: # - key: "key" # operator: "Equal" # value: "value" - # Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates: merge or override + + # -- Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. Possible values: "merge" or "override" yamlMergeStrategy: "override" - # Timeout in seconds for an agent to be online + # -- Timeout in seconds for an agent to be online connectTimeout: 100 - # Annotations to apply to the pod. + # -- Annotations to apply to the pod annotations: {} - # Add additional containers to the agents. # Containers specified here are added to all agents. Set key empty to remove container from additional agents. + # -- Add additional containers to the agents additionalContainers: [] # - sideContainerName: dind # image: 
@@ -814,17 +1104,18 @@ agent: # cpu: 1 # memory: 2Gi - # Disable the default Jenkins Agent configuration. # Useful when configuring agents only with the podTemplates value, since the default podTemplate populated by values mentioned above will be excluded in the rendered template. + # -- Disable the default Jenkins Agent configuration disableDefaultAgent: false # Below is the implementation of custom pod templates for the default configured kubernetes cloud. # Add a key under podTemplates for each pod template. Each key (prior to | character) is just a label, and can be any value. - # Keys are only used to give the pod template a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label + # Keys are only used to give the pod template a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label # characters: lowercase letters, numbers, and hyphens. Each pod template can contain multiple containers. - # For this pod templates configuration to be loaded the following values must be set: + # For this pod templates configuration to be loaded, the following values must be set: # controller.JCasC.defaultConfig: true # Best reference is https:///configuration-as-code/reference#Cloud-kubernetes. The example below creates a python pod template. + # -- Configures extra pod templates for the default kubernetes cloud podTemplates: {} # python: | # - name: python @@ -842,8 +1133,8 @@ agent: # resourceLimitCpu: "1" # resourceLimitMemory: "1024Mi" -# Here you can add additional agents -# They inherit all values from `agent` so you only need to specify values which differ +# Inherits all values from `agent` so you only need to specify values which differ +# -- Configure additional additionalAgents: {} # maven: # podName: maven 
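Review bot: The new `# -- Configure additional` comment on `additionalAgents: {}` is cut off mid-sentence, and by the `# --` convention used throughout this file it is presumably the text a README generator will pick up for the key. It should name the object, e.g. `# -- Configure additional agents`; the inherited-values sentence above it already explains the semantics.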
@@ -887,77 +1178,111 @@ additionalClouds: {} # kubernetesURL: https://api.remote-cloud.com persistence: + # -- Enable the use of a Jenkins PVC enabled: true - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound + + # A manually managed Persistent Volume and Claim + # Requires persistence.enabled: true + # If defined, PVC must be created manually before volume will be bound + # -- Provide the name of a PVC existingClaim: - ## jenkins data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## + + # jenkins data Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", storageClassName: "", which disables dynamic provisioning + # If undefined (the default) or set to null, no storageClassName spec is + # set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS & OpenStack) + # -- Storage class for the PVC storageClass: + # -- Annotations for the PVC annotations: {} + # -- Labels for the PVC labels: {} + # -- The PVC access mode accessMode: "ReadWriteOnce" + # -- The size of the PVC size: "8Gi" - # Existing data source to clone PVC from + # ref: https://kubernetes.io/docs/concepts/storage/volume-pvc-datasource/ - dataSource: + # -- Existing data source to clone PVC from + dataSource: {} # name: PVC-NAME # kind: PersistentVolumeClaim - volumes: + + # -- SubPath for jenkins-home mount + subPath: + # -- Additional volumes + volumes: [] # - name: nothing # emptyDir: {} - mounts: + + # -- Additional mounts + mounts: [] # - mountPath: /var/nothing # name: nothing # readOnly: true networkPolicy: - # Enable creation of NetworkPolicy resources. 
+ # -- Enable the creation of NetworkPolicy resources enabled: false + # For Kubernetes v1.4, v1.5 and v1.6, use 'extensions/v1beta1' # For Kubernetes v1.7, use 'networking.k8s.io/v1' + # -- NetworkPolicy ApiVersion apiVersion: networking.k8s.io/v1 # You can allow agents to connect from both within the cluster (from within specific/all namespaces) AND/OR from a given external IP range internalAgents: + # -- Allow internal agents (from the same cluster) to connect to controller. Agent pods will be filtered based on PodLabels allowed: true + # -- A map of labels (keys/values) that agent pods must have to be able to connect to controller podLabels: {} + # -- A map of labels (keys/values) that agents namespaces must have to be able to connect to controller namespaceLabels: {} # project: myproject - externalAgents: {} - # ipCIDR: 172.17.0.0/16 - # except: - # - 172.17.1.0/24 + externalAgents: + # -- The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16 + ipCIDR: + # -- A list of IP sub-ranges to be excluded from the allowlisted IP range + except: [] + # - 172.17.1.0/24 ## Install Default RBAC roles and bindings rbac: + # -- Whether RBAC resources are created create: true + # -- Whether the Jenkins service account should be able to read Kubernetes secrets readSecrets: false serviceAccount: + # -- Configures if a ServiceAccount with this name should be created create: true - # The name of the service account is autogenerated by default + + # The name of the ServiceAccount is autogenerated by default + # -- The name of the ServiceAccount to be used by access-controlled resources name: + # -- Configures annotations for the ServiceAccount annotations: {} + # -- Configures extra labels for the ServiceAccount extraLabels: {} + # -- Controller ServiceAccount image pull secret imagePullSecretName: serviceAccountAgent: - # Specifies whether a ServiceAccount should be created + # -- Configures if an agent ServiceAccount should be created 
create: false - # The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + # -- The name of the agent ServiceAccount to be used by access-controlled resources name: + # -- Configures annotations for the agent ServiceAccount annotations: {} + # -- Configures extra labels for the agent ServiceAccount extraLabels: {} + # -- Agent ServiceAccount image pull secret imagePullSecretName: +# -- Checks if any deprecated values are used checkDeprecation: true awsSecurityGroupPolicies: @@ -973,6 +1298,9 @@ helmtest: bats: # Bash Automated Testing System (BATS) image: + # -- Registry of the image used to test the framework registry: "docker.io" + # -- Repository of the image used to test the framework repository: "bats/bats" + # -- Tag of the image to test the framework tag: "v1.10.0" diff --git a/charts/jfrog/artifactory-ha/CHANGELOG.md b/charts/jfrog/artifactory-ha/CHANGELOG.md index a36e0b66c..0391e5207 100644 --- a/charts/jfrog/artifactory-ha/CHANGELOG.md +++ b/charts/jfrog/artifactory-ha/CHANGELOG.md @@ -1,12 +1,13 @@ # JFrog Artifactory-ha Chart Changelog All changes to this chart will be documented in this file -## [107.77.0] - Dec 21, 2023 +## [107.77.7] - Feb 20, 2024 * Removed integration service * Added recommended postgresql sizing configurations under sizing directory * Updated artifactory-federation (probes, port, embedded mode) +* Fixing broken nginx port [GH-1860](https://github.com/jfrog/charts/issues/1860) -## [107.77.5] - Dec 13, 2023 +## [107.76.0] - Dec 13, 2023 * Added connectionTimeout and socketTimeout paramaters under AWSS3 binarystore section * Reduced nginx startupProbe initialDelaySeconds diff --git a/charts/jfrog/artifactory-ha/Chart.yaml b/charts/jfrog/artifactory-ha/Chart.yaml index 90619f508..75cefc785 100644 --- a/charts/jfrog/artifactory-ha/Chart.yaml +++ b/charts/jfrog/artifactory-ha/Chart.yaml 
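Review bot: `externalAgents` changes from the empty map `{}` to a map that always carries `ipCIDR:` (null) and `except: []`, so a template guard written as "externalAgents is non-empty" would now always be true and could render an ipBlock with no cidr; the template is not in this hunk, so this needs checking, and the guard should key on `ipCIDR` being set. The comment should also state what an empty value means and give an example rather than a definition: `# -- The IP range from which external agents are allowed to connect to controller, e.g., 172.17.0.0/16; leave empty to allow no external agents`. `dataSource`, `volumes` and `mounts` under persistence make the same null-to-empty-collection switch, which is safe only if their templates test for emptiness rather than presence.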
@@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.19.0-0' catalog.cattle.io/release-name: artifactory-ha apiVersion: v2 -appVersion: 7.77.5 +appVersion: 7.77.7 dependencies: - condition: postgresql.enabled name: postgresql @@ -26,4 +26,4 @@ name: artifactory-ha sources: - https://github.com/jfrog/charts type: application -version: 107.77.5 +version: 107.77.7 diff --git a/charts/jfrog/artifactory-ha/values.yaml b/charts/jfrog/artifactory-ha/values.yaml index e36b3600e..5b35ef337 100644 --- a/charts/jfrog/artifactory-ha/values.yaml +++ b/charts/jfrog/artifactory-ha/values.yaml @@ -1740,6 +1740,10 @@ nginx: if ($http_x_forwarded_proto = '') { set $http_x_forwarded_proto $scheme; } + set $host_port {{ .Values.nginx.https.externalPort }}; + if ( $scheme = "http" ) { + set $host_port {{ .Values.nginx.http.externalPort }}; + } ## Application specific logs ## access_log /var/log/nginx/artifactory-access.log timing; ## error_log /var/log/nginx/artifactory-error.log; @@ -1749,7 +1753,6 @@ nginx: } chunked_transfer_encoding on; client_max_body_size 0; - location / { proxy_read_timeout 900; proxy_pass_header Server; @@ -1758,7 +1761,7 @@ nginx: {{- if .Values.nginx.service.ssloffload}} proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host; {{- else }} - proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$host_port; proxy_set_header X-Forwarded-Port $server_port; {{- end }} proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; @@ -1822,6 +1825,8 @@ nginx: # targetPort: 8066 # protocol: TCP # name: docker + + annotations: {} ## Renamed nginx internalPort 80,443 to 8080,8443 to support openshift http: enabled: true diff --git a/charts/jfrog/artifactory-jcr/CHANGELOG.md b/charts/jfrog/artifactory-jcr/CHANGELOG.md index 3bb429572..774daedf1 100644 --- a/charts/jfrog/artifactory-jcr/CHANGELOG.md 
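Review bot: `$host_port` is chosen by `$scheme`, but the header it feeds in the `@@ -1758` hunk builds its URL from `$http_x_forwarded_proto`, so when that header disagrees with the listener's own scheme the rendered base URL pairs an https scheme with the http external port or vice versa; deriving both from the same variable avoids that: `if ( $http_x_forwarded_proto = "http" ) {`. The `X-Forwarded-Port $server_port` line right after the changed header still carries the internal listener port (8080/8443 per the comment in `@@ -1822`), so Artifactory now receives two different ports for one request — presumably it should be `$host_port` as well. The same two edits are duplicated in charts/jfrog/artifactory-jcr/charts/artifactory/values.yaml (hunks `@@ -1612` and `@@ -1630`). The enclosing nginx `server {}` block starts and ends outside the hunk.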
+++ b/charts/jfrog/artifactory-jcr/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Container Registry Chart Changelog All changes to this chart will be documented in this file. -## [107.77.5] - Nov 23, 2023 +## [107.77.7] - Nov 23, 2023 * **IMPORTANT** * Added min kubeVersion ">= 1.19.0-0" in chart.yaml diff --git a/charts/jfrog/artifactory-jcr/Chart.yaml b/charts/jfrog/artifactory-jcr/Chart.yaml index f907a4ea5..5f80e9877 100644 --- a/charts/jfrog/artifactory-jcr/Chart.yaml +++ b/charts/jfrog/artifactory-jcr/Chart.yaml @@ -4,11 +4,11 @@ annotations: catalog.cattle.io/kube-version: '>= 1.19.0-0' catalog.cattle.io/release-name: artifactory-jcr apiVersion: v2 -appVersion: 7.77.5 +appVersion: 7.77.7 dependencies: - name: artifactory repository: file://./charts/artifactory - version: 107.77.5 + version: 107.77.7 description: JFrog Container Registry home: https://jfrog.com/container-registry/ icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png @@ -27,4 +27,4 @@ name: artifactory-jcr sources: - https://github.com/jfrog/charts type: application -version: 107.77.5 +version: 107.77.7 diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md b/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md index 45a70356b..45cdb8e74 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md 
@@ -1,11 +1,12 @@ # JFrog Artifactory Chart Changelog All changes to this chart will be documented in this file. -## [107.77.5] - Jan 16, 2024 +## [107.77.7] - Feb 20, 2024 * Removed integration service * Added recommended postgresql sizing configurations under sizing directory * Updated artifactory-federation (probes, port, embedded mode) * Fixed - Removed duplicate keys of the sizing yaml file +* Fixing broken nginx port [GH-1860](https://github.com/jfrog/charts/issues/1860) ## [107.76.0] - Dec 13, 2023 * Added connectionTimeout and socketTimeout paramaters under AWSS3 binarystore section diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml index 90b1dea4c..62560d9fc 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 7.77.5 +appVersion: 7.77.7 dependencies: - condition: postgresql.enabled name: postgresql @@ -21,4 +21,4 @@ name: artifactory sources: - https://github.com/jfrog/charts type: application -version: 107.77.5 +version: 107.77.7 diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/values.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/values.yaml index ab7c1d12c..4b21be599 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/values.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/values.yaml @@ -1612,6 +1612,10 @@ nginx: if ($http_x_forwarded_proto = '') { set $http_x_forwarded_proto $scheme; } + set $host_port {{ .Values.nginx.https.externalPort }}; + if ( $scheme = "http" ) { + set $host_port {{ .Values.nginx.http.externalPort }}; + } ## Application specific logs ## access_log /var/log/nginx/artifactory-access.log timing; ## error_log /var/log/nginx/artifactory-error.log; 
@@ -1630,7 +1634,7 @@ nginx: {{- if .Values.nginx.service.ssloffload}} proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host; {{- else }} - proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$host_port; proxy_set_header X-Forwarded-Port $server_port; {{- end }} proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; @@ -1642,7 +1646,6 @@ nginx: proxy_buffering off; {{- end }} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - location /artifactory/ { if ( $request_uri ~ ^/artifactory/(.*)$ ) { proxy_pass http://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1; diff --git a/charts/kasten/k10/Chart.lock b/charts/kasten/k10/Chart.lock index f297148a6..ba278885d 100644 --- a/charts/kasten/k10/Chart.lock +++ b/charts/kasten/k10/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: grafana repository: "" - version: 7.1.0 + version: 7.3.2 - name: prometheus repository: "" - version: 25.8.0 -digest: sha256:965a5b858b9f5cb82e571ace5fad6e131a05ab8db434e6ccb7bd7795f0eded54 -generated: "2024-01-27T02:06:37.089487439Z" + version: 25.12.0 +digest: sha256:f3e6926f6a711f61ab0e6598105cbee8806113bb02992529f05c3645fe99161c +generated: "2024-02-23T17:36:20.968673984Z" diff --git a/charts/kasten/k10/Chart.yaml b/charts/kasten/k10/Chart.yaml index 41c08de9a..ce732ff6c 100644 --- a/charts/kasten/k10/Chart.yaml +++ b/charts/kasten/k10/Chart.yaml 
@@ -4,16 +4,16 @@ annotations: catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/release-name: k10 apiVersion: v2 -appVersion: 6.5.3 +appVersion: 6.5.5 dependencies: - condition: grafana.enabled name: grafana repository: file://./charts/grafana - version: 7.1.0 + version: 7.3.2 - condition: prometheus.server.enabled name: prometheus repository: file://./charts/prometheus - version: 25.8.0 + version: 25.12.0 description: Kasten’s K10 Data Management Platform home: https://kasten.io/ icon: https://docs.kasten.io/_static/logo-kasten-k10-blue-white.png @@ -21,4 +21,4 @@ maintainers: - email: contact@kasten.io name: kastenIO name: k10 -version: 6.5.301 +version: 6.5.501 diff --git a/charts/kasten/k10/README.md b/charts/kasten/k10/README.md index d5cddf826..e5b1596a3 100644 --- a/charts/kasten/k10/README.md +++ b/charts/kasten/k10/README.md @@ -148,6 +148,7 @@ Parameter | Description | Default `auth.openshift.enabled` | Enables access to the K10 dashboard by authenticating with the OpenShift OAuth server | `false` `auth.openshift.serviceAccount` | Name of the service account that represents an OAuth client | `None` `auth.openshift.clientSecret` | The token corresponding to the service account | `None` +`auth.openshift.clientSecretName` | The secret that contains the token corresponding to the service account | `None` `auth.openshift.dashboardURL` | The URL used for accessing K10's dashboard | `None` `auth.openshift.openshiftURL` | The URL for accessing OpenShift's API server | `None` `auth.openshift.insecureCA` | To turn off SSL verification of connections to OpenShift | `false` 
@@ -190,6 +191,7 @@ Parameter | Description | Default `gateway.insecureDisableSSLVerify` | Specifies whether to disable SSL verification for gateway pods | `false` `gateway.exposeAdminPort` | Specifies whether to expose Admin port for gateway service | `true` `gateway.resources.[requests\|limits].[cpu\|memory]` | Resource requests and limits for gateway pod | `{}` +`gateway.service.externalPort` | Specifies the gateway services external port | `80` `genericVolumeSnapshot.resources.[requests\|limits].[cpu\|memory]` | Resource requests and limits for Generic Volume Snapshot restore pods | `{}` `prometheus.k10image.registry` | (optional) Set Prometheus image registry. | `gcr.io` `prometheus.k10image.repository` | (optional) Set Prometheus image repository. | `kasten-images` 
@@ -257,8 +259,11 @@ Parameter | Description | Default `kanisterPodMetricSidecar.enabled` | Enable the sidecar container to gather metrics from ephemeral pods | `true` `kanisterPodMetricSidecar.metricLifetime` | Check periodically for metrics that should be removed | `2m` `kanisterPodMetricSidecar.pushGatewayInterval` | Set the interval for sending metrics into the Prometheus | `30s` +`kanisterPodMetricSidecar.resources.[requests\|limits].[cpu\|memory]` | Resource requests and limits for the Kanister pod metric sidecar | `{}` `maxJobWaitDuration` | Set a maximum duration of waiting for child jobs. If the execution of the subordinate jobs exceeds this value, the parent job will be canceled. If no value is set, a default of 10 hours will be used | `None` `forceRootInKanisterHooks` | Forces Kanister Execution Hooks to run with root privileges | `true` +`defaultPriorityClassName` | Specifies the default [priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) name for all K10 deployments and ephemeral pods | `None` +`priorityClassName.` | Overrides the default [priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) name for the specified deployment | `{}` ## Helm tips and tricks diff --git a/charts/kasten/k10/charts/grafana/Chart.yaml b/charts/kasten/k10/charts/grafana/Chart.yaml index 9eaae7a61..6de043be9 100644 --- a/charts/kasten/k10/charts/grafana/Chart.yaml +++ b/charts/kasten/k10/charts/grafana/Chart.yaml 
@@ -1,12 +1,12 @@ annotations: - artifacthub.io/license: AGPL-3.0-only + artifacthub.io/license: Apache-2.0 artifacthub.io/links: | - name: Chart Source url: https://github.com/grafana/helm-charts - name: Upstream Project url: https://github.com/grafana/grafana apiVersion: v2 -appVersion: 10.2.3 +appVersion: 10.3.3 description: The leading tool for querying and visualizing time series and metrics. home: https://grafana.com icon: https://artifacthub.io/image/b4fed1a7-6c8f-4945-b99d-096efa3e4116 @@ -30,4 +30,4 @@ sources: - https://github.com/grafana/grafana - https://github.com/grafana/helm-charts type: application -version: 7.1.0 +version: 7.3.2 diff --git a/charts/kasten/k10/charts/grafana/templates/_helpers.tpl b/charts/kasten/k10/charts/grafana/templates/_helpers.tpl index 44c00f357..790d5a293 100644 --- a/charts/kasten/k10/charts/grafana/templates/_helpers.tpl +++ b/charts/kasten/k10/charts/grafana/templates/_helpers.tpl @@ -263,7 +263,9 @@ sensitiveKeys: {{- range $index, $elem := $secret.path -}} {{- if and $shouldContinue (hasKey $currentMap $elem) -}} {{- if eq (len $secret.path) (add1 $index) -}} - {{- fail (printf "Sensitive key '%s' should not be defined explicitly in values. Use variable expansion instead." (join "." $secret.path)) -}} + {{- if not (regexMatch "\\$(?:__(?:env|file|vault))?{[^}]+}" (index $currentMap $elem)) -}} + {{- fail (printf "Sensitive key '%s' should not be defined explicitly in values. Use variable expansion instead. You can disable this client-side validation by changing the value of assertNoLeakedSecrets." (join "." $secret.path)) -}} + {{- end -}} {{- else -}} {{- $currentMap = index $currentMap $elem -}} {{- end -}} diff --git a/charts/kasten/k10/charts/grafana/templates/_pod.tpl b/charts/kasten/k10/charts/grafana/templates/_pod.tpl index 29bd83cfa..ca2a7f888 100644 --- a/charts/kasten/k10/charts/grafana/templates/_pod.tpl +++ b/charts/kasten/k10/charts/grafana/templates/_pod.tpl 
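Review bot: `regexMatch` expects a string, so the new guard in `_helpers.tpl` turns into a template type error instead of the intended validation message when the sensitive key holds a non-string value (a numeric `password: 123456`, for instance); coerce first: `{{- if not (regexMatch "\\$(?:__(?:env|file|vault))?{[^}]+}" (toString (index $currentMap $elem))) -}}`. The pattern is also unanchored, so a value that is mostly literal with an expansion placeholder appended anywhere still passes; if the intent is "the whole value must be an expansion", anchor it with `^…$`. The enclosing `range`/`define` starts and ends outside the hunk.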
@@ -434,6 +434,11 @@ containers: - name: "{{ $key }}" value: "{{ $value }}" {{- end }} + {{- range $key, $value := .Values.sidecar.datasources.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: + {{- tpl (toYaml $value) $ | nindent 10 }} + {{- end }} {{- if .Values.sidecar.dashboards.ignoreAlreadyProcessed }} - name: IGNORE_ALREADY_PROCESSED value: "true" @@ -1079,11 +1084,17 @@ containers: - secretRef: name: {{ tpl .name $ }} optional: {{ .optional | default false }} + {{- if .prefix }} + prefix: {{ tpl .prefix $ }} + {{- end }} {{- end }} {{- range .Values.envFromConfigMaps }} - configMapRef: name: {{ tpl .name $ }} optional: {{ .optional | default false }} + {{- if .prefix }} + prefix: {{ tpl .prefix $ }} + {{- end }} {{- end }} {{- end }} {{- with .Values.livenessProbe }} @@ -1268,6 +1279,9 @@ volumes: {{- else if .configMap }} configMap: {{- toYaml .configMap | nindent 6 }} + {{- else if .emptyDir }} + emptyDir: + {{- toYaml .emptyDir | nindent 6 }} {{- else }} emptyDir: {} {{- end }} diff --git a/charts/kasten/k10/charts/grafana/templates/configSecret.yaml b/charts/kasten/k10/charts/grafana/templates/configSecret.yaml index f8937ccc7..55574b9bb 100644 --- a/charts/kasten/k10/charts/grafana/templates/configSecret.yaml +++ b/charts/kasten/k10/charts/grafana/templates/configSecret.yaml @@ -25,13 +25,13 @@ stringData: {{- range $key, $value := .Values.datasources }} {{- if (hasKey $value "secret") }} {{- $key | nindent 2 }}: | - {{- tpl (toYaml $value | nindent 4) $root }} + {{- tpl (toYaml $value.secret | nindent 4) $root }} {{- end }} {{- end }} {{- range $key, $value := .Values.notifiers }} {{- if (hasKey $value "secret") }} {{- $key | nindent 2 }}: | - {{- tpl (toYaml $value | nindent 4) $root }} + {{- tpl (toYaml $value.secret | nindent 4) $root }} {{- end }} {{- end }} {{- range $key, $value := .Values.alerting }} 
@@ -40,4 +40,4 @@ stringData: {{- tpl (toYaml $value.secret | nindent 4) $root }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/kasten/k10/charts/grafana/values.yaml b/charts/kasten/k10/charts/grafana/values.yaml index 7820d3de9..c39ea874c 100644 --- a/charts/kasten/k10/charts/grafana/values.yaml +++ b/charts/kasten/k10/charts/grafana/values.yaml @@ -41,7 +41,7 @@ serviceAccount: ## Service account annotations. Can be templated. # annotations: # eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here - autoMount: true + autoMount: false replicas: 1 @@ -490,6 +490,7 @@ envRenderSecret: {} ## Name is templated. envFromSecrets: [] ## - name: secret-name +## prefix: prefix ## optional: true ## The names of conifgmaps in the same kubernetes namespace which contain values to be added to the environment @@ -498,6 +499,7 @@ envFromSecrets: [] ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#configmapenvsource-v1-core envFromConfigMaps: [] ## - name: configmap-name +## prefix: prefix ## optional: true # Inject Kubernetes services as environment variables. @@ -964,6 +966,7 @@ sidecar: enabled: false # Additional environment variables for the datasourcessidecar env: {} + envValueFrom: {} # Do not reprocess already processed unchanged resources on k8s API reconnect. # ignoreAlreadyProcessed: true # label that the configmaps with datasources are marked with diff --git a/charts/kasten/k10/charts/prometheus/Chart.yaml b/charts/kasten/k10/charts/prometheus/Chart.yaml index 2de86f50a..db8964b16 100644 --- a/charts/kasten/k10/charts/prometheus/Chart.yaml +++ b/charts/kasten/k10/charts/prometheus/Chart.yaml @@ -6,7 +6,7 @@ annotations: - name: Upstream Project url: https://github.com/prometheus/prometheus apiVersion: v2 -appVersion: v2.48.0 +appVersion: v2.49.1 dependencies: - condition: alertmanager.enabled name: alertmanager 
@@ -15,15 +15,15 @@ dependencies: - condition: kube-state-metrics.enabled name: kube-state-metrics repository: https://prometheus-community.github.io/helm-charts - version: 5.15.* + version: 5.16.* - condition: prometheus-node-exporter.enabled name: prometheus-node-exporter repository: https://prometheus-community.github.io/helm-charts - version: 4.24.* + version: 4.26.* - condition: prometheus-pushgateway.enabled name: prometheus-pushgateway repository: https://prometheus-community.github.io/helm-charts - version: 2.4.* + version: 2.6.* description: Prometheus is a monitoring system and time series database. home: https://prometheus.io/ icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png @@ -50,4 +50,4 @@ sources: - https://github.com/prometheus/node_exporter - https://github.com/kubernetes/kube-state-metrics type: application -version: 25.8.0 +version: 25.12.0 diff --git a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/Chart.yaml b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/Chart.yaml index 4342ac861..8ae62ebb6 100644 --- a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/Chart.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/Chart.yaml @@ -23,4 +23,4 @@ name: kube-state-metrics sources: - https://github.com/kubernetes/kube-state-metrics/ type: application -version: 5.15.2 +version: 5.16.0 diff --git a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml index 2aedc9201..373f7dcc5 100644 --- a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml 
@@ -49,10 +49,10 @@ spec: {{- toYaml . | nindent 6 }} {{- end }} containers: - {{- $httpPort := ternary 9090 (.Values.service.port | default 8080) .Values.kubeRBACProxy.enabled}} + {{- $servicePort := ternary 9090 (.Values.service.port | default 8080) .Values.kubeRBACProxy.enabled}} {{- $telemetryPort := ternary 9091 (.Values.selfMonitor.telemetryPort | default 8081) .Values.kubeRBACProxy.enabled}} - name: {{ template "kube-state-metrics.name" . }} - {{- if .Values.autosharding.enabled }} + {{- if .Values.autosharding.enabled }} env: - name: POD_NAME valueFrom: @@ -67,7 +67,7 @@ spec: {{- if .Values.extraArgs }} {{- .Values.extraArgs | toYaml | nindent 8 }} {{- end }} - - --port={{ $httpPort }} + - --port={{ $servicePort }} {{- if .Values.collectors }} - --resources={{ .Values.collectors | join "," }} {{- end }} 
@@ -147,17 +147,41 @@ spec: {{- end }} {{- end }} livenessProbe: + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} httpGet: + {{- if .Values.kubeRBACProxy.enabled }} + host: 127.0.0.1 + {{- end }} + httpHeaders: + {{- range $_, $header := .Values.livenessProbe.httpGet.httpHeaders }} + - name: {{ $header.name }} + value: {{ $header.value }} + {{- end }} path: /healthz - port: {{ $httpPort }} - initialDelaySeconds: 5 - timeoutSeconds: 5 + port: {{ $servicePort }} + scheme: {{ upper .Values.livenessProbe.httpGet.scheme }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} readinessProbe: + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} httpGet: + {{- if .Values.kubeRBACProxy.enabled }} + host: 127.0.0.1 + {{- end }} + httpHeaders: + {{- range $_, $header := .Values.readinessProbe.httpGet.httpHeaders }} + - name: {{ $header.name }} + value: {{ $header.value }} + {{- end }} path: / - port: {{ $httpPort }} - initialDelaySeconds: 5 - timeoutSeconds: 5 + port: {{ $servicePort }} + scheme: {{ upper .Values.readinessProbe.httpGet.scheme }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} {{- if .Values.resources }} resources: {{ toYaml .Values.resources | indent 10 }} @@ -173,7 +197,7 @@ spec: {{- .Values.kubeRBACProxy.extraArgs | toYaml | nindent 8 }} {{- end }} - --secure-listen-address=:{{ .Values.service.port | default 8080}} - - --upstream=http://127.0.0.1:{{ $httpPort }}/ + - --upstream=http://127.0.0.1:{{ $servicePort }}/ - --proxy-endpoints-port=8888 - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml volumeMounts: 
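Review bot: The probe header fields are emitted bare — `- name: {{ $header.name }}` / `value: {{ $header.value }}` — so a header value containing YAML-significant characters (`: `, a leading `*` or `[`) breaks the rendered manifest; quote both: `- name: {{ $header.name | quote }}` and `value: {{ $header.value | quote }}`, in the liveness and readiness blocks alike. `httpHeaders:` is also rendered with a null value when the list is empty, which the API server tolerates but which reads as a mistake in `helm template` output; wrapping the key in `{{- with .Values.livenessProbe.httpGet.httpHeaders }}` keeps it out when unset. The `containers` list these probes belong to starts before the hunk.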
diff --git a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/serviceaccount.yaml b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/serviceaccount.yaml index a7ff4dd3d..38a93b31d 100644 --- a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/serviceaccount.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/serviceaccount.yaml @@ -10,6 +10,8 @@ metadata: annotations: {{ toYaml .Values.serviceAccount.annotations | indent 4 }} {{- end }} +{{- if or .Values.serviceAccount.imagePullSecrets .Values.global.imagePullSecrets }} imagePullSecrets: {{- include "kube-state-metrics.imagePullSecrets" (dict "Values" .Values "imagePullSecrets" .Values.serviceAccount.imagePullSecrets) | indent 2 }} +{{- end }} {{- end -}} diff --git a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/values.yaml b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/values.yaml index ee6e1a9f7..7f312961d 100644 --- a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/values.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/values.yaml @@ -454,3 +454,27 @@ containers: [] initContainers: [] # - name: crd-sidecar # image: kiwigrid/k8s-sidecar:latest + +## Liveness probe +## +livenessProbe: + failureThreshold: 3 + httpGet: + httpHeaders: [] + scheme: http + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + +## Readiness probe +## +readinessProbe: + failureThreshold: 3 + httpGet: + httpHeaders: [] + scheme: http + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/Chart.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/Chart.yaml index ae934c9fb..5c8d45453 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/Chart.yaml 
+++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/Chart.yaml @@ -22,4 +22,4 @@ name: prometheus-node-exporter sources: - https://github.com/prometheus/node_exporter/ type: application -version: 4.24.0 +version: 4.26.0 diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/daemonset.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/daemonset.yaml index a5116a89e..82dba5cab 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/daemonset.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/daemonset.yaml @@ -41,7 +41,7 @@ spec: {{- end }} serviceAccountName: {{ include "prometheus-node-exporter.serviceAccountName" . }} containers: - {{- $servicePort := ternary 8100 .Values.service.port .Values.kubeRBACProxy.enabled }} + {{- $servicePort := ternary .Values.kubeRBACProxy.port .Values.service.port .Values.kubeRBACProxy.enabled }} - name: node-exporter image: {{ include "prometheus-node-exporter.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} @@ -50,7 +50,7 @@ spec: - --path.sysfs=/host/sys {{- if .Values.hostRootFsMount.enabled }} - --path.rootfs=/host/root - {{- if semverCompare ">=1.4.0" (default .Chart.AppVersion .Values.image.tag) }} + {{- if semverCompare ">=1.4.0" (coalesce .Values.version .Values.image.tag .Chart.AppVersion) }} - --path.udev.data=/host/root/run/udev/data {{- end }} {{- end }} @@ -200,7 +200,10 @@ spec: {{- end }} ports: - containerPort: {{ .Values.service.port}} - name: "http" + name: {{ .Values.kubeRBACProxy.portName }} + {{- if .Values.kubeRBACProxy.enableHostPort }} + hostPort: {{ .Values.service.port }} + {{- end }} - containerPort: 8888 name: "http-healthz" readinessProbe: 
diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/values.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/values.yaml index 6e4665c13..fad11ea0e 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/values.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/values.yaml @@ -56,6 +56,13 @@ kubeRBACProxy: ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: {} + # Specify the port used for the Node exporter container (upstream port) + port: 8100 + # Specify the name of the container port + portName: http + # Configure a hostPort. If true, hostPort will be enabled in the container and set to service.port. + enableHostPort: false + resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -478,3 +485,6 @@ extraManifests: [] # name: prometheus-extra # data: # extra-data: "value" + +# Override version of app, required if image.tag is defined and does not follow semver +version: "" diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/Chart.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/Chart.yaml index 3351215cb..30a07ef38 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/Chart.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/Chart.yaml @@ -4,7 +4,7 @@ annotations: - name: Chart Source url: https://github.com/prometheus-community/helm-charts apiVersion: v2 -appVersion: v1.6.2 +appVersion: v1.7.0 description: A Helm chart for prometheus pushgateway home: https://github.com/prometheus/pushgateway keywords: 
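Review bot: The comment on `enableHostPort` says what it does but not what it exposes: a hostPort binds `service.port` on every node's address, and hostPort traffic is handled by the CNI's portmap path and, depending on the CNI, often is not subject to NetworkPolicy, so the metrics endpoint becomes reachable from the node network even when kube-rbac-proxy is off. Suggest extending it: `# Note: a hostPort binds service.port on every node address and is often not covered by NetworkPolicy; keep disabled unless the node network is trusted.` The daemonset hunk `@@ -200` in templates/daemonset.yaml also applies `kubeRBACProxy.portName` to the node-exporter container port regardless of `kubeRBACProxy.enabled`, which makes the value's placement under `kubeRBACProxy` misleading; a line saying it names the container port in either mode would help.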
@@ -21,4 +21,4 @@ name: prometheus-pushgateway sources: - https://github.com/prometheus/pushgateway type: application -version: 2.4.2 +version: 2.6.0 diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/_helpers.tpl b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/_helpers.tpl index b56a2dadd..6182e074d 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/_helpers.tpl +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/_helpers.tpl @@ -119,6 +119,10 @@ serviceAccountName: {{ include "prometheus-pushgateway.serviceAccountName" . }} {{- with .Values.priorityClassName }} priorityClassName: {{ . | quote }} {{- end }} +{{- with .Values.hostAliases }} +hostAliases: +{{- toYaml . | nindent 2 }} +{{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 2 }} diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/values.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/values.yaml index 02e5c0bfd..4eb0b9108 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/values.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/values.yaml @@ -175,6 +175,16 @@ nodeSelector: {} replicaCount: 1 +hostAliases: [] + # - ip: "127.0.0.1" + # hostnames: + # - "foo.local" + # - "bar.local" + # - ip: "10.1.2.3" + # hostnames: + # - "foo.remote" + # - "bar.remote" + ## When running more than one replica alongside with persistence, different volumes are needed ## per replica, since sharing a `persistence.file` across replicas does not keep metrics synced. ## For this purpose, you can enable the `runAsStatefulSet` to deploy the pushgateway as a diff --git a/charts/kasten/k10/charts/prometheus/templates/cm.yaml b/charts/kasten/k10/charts/prometheus/templates/cm.yaml index c67066663..59440475c 100644 
--- a/charts/kasten/k10/charts/prometheus/templates/cm.yaml +++ b/charts/kasten/k10/charts/prometheus/templates/cm.yaml @@ -2,6 +2,10 @@ apiVersion: v1 kind: ConfigMap metadata: +{{- with .Values.server.configMapAnnotations }} + annotations: + {{- toYaml .Values.server.configMapAnnotations | nindent 4 }} +{{- end }} labels: {{- include "prometheus.server.labels" . | nindent 4 }} {{- with .Values.server.extraConfigmapLabels }} diff --git a/charts/kasten/k10/charts/prometheus/templates/sts.yaml b/charts/kasten/k10/charts/prometheus/templates/sts.yaml index 63851c4db..79ba18426 100644 --- a/charts/kasten/k10/charts/prometheus/templates/sts.yaml +++ b/charts/kasten/k10/charts/prometheus/templates/sts.yaml @@ -101,6 +101,9 @@ spec: - name: config-volume mountPath: /etc/config readOnly: true + {{- with .Values.configmapReload.prometheus.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} mountPath: {{ .mountPath }} diff --git a/charts/kasten/k10/charts/prometheus/values.schema.json b/charts/kasten/k10/charts/prometheus/values.schema.json index 1828064ed..aba767d88 100644 --- a/charts/kasten/k10/charts/prometheus/values.schema.json +++ b/charts/kasten/k10/charts/prometheus/values.schema.json @@ -200,6 +200,9 @@ "command": { "type": "array" }, + "configMapAnnotations": { + "type": "object" + }, "configMapOverrideName": { "type": "string" }, diff --git a/charts/kasten/k10/charts/prometheus/values.yaml b/charts/kasten/k10/charts/prometheus/values.yaml index 9ae23251d..d792b6443 100644 --- a/charts/kasten/k10/charts/prometheus/values.yaml +++ b/charts/kasten/k10/charts/prometheus/values.yaml 
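Review bot: Inside `{{- with .Values.server.configMapAnnotations }}` the dot is rebound to the annotations map, so `toYaml .Values.server.configMapAnnotations` looks up `.Values` on that map and, as far as I can tell, fails rendering with a nil-pointer error precisely when annotations are set — the only case the block is for. Use the rebound context instead: `{{- toYaml . | nindent 4 }}`, which is the form the sts.yaml hunk in this same section uses for `extraVolumeMounts`. The `metadata` block continues past the end of the hunk.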
@@ -60,7 +60,7 @@ configmapReload: ## image: repository: quay.io/prometheus-operator/prometheus-config-reloader - tag: v0.67.0 + tag: v0.71.2 # When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value). digest: "" pullPolicy: IfNotPresent @@ -533,6 +533,10 @@ server: ## revisionHistoryLimit: 10 + ## Annotations to be added to ConfigMap + ## + configMapAnnotations: {} + ## Annotations to be added to deployment ## deploymentAnnotations: {} diff --git a/charts/kasten/k10/templates/_definitions.tpl b/charts/kasten/k10/templates/_definitions.tpl index 73b49030b..24261beb1 100644 --- a/charts/kasten/k10/templates/_definitions.tpl +++ b/charts/kasten/k10/templates/_definitions.tpl @@ -35,8 +35,8 @@ crypto: dashboardbff: - vbrintegrationapi state: -- events - admin +- events {{- end -}} {{- define "k10.aggregatedAPIs" -}}actions apps repositories vault{{- end -}} {{- define "k10.configAPIs" -}}config{{- end -}} @@ -214,7 +214,9 @@ state-svc: {{- define "k10.siemAuditLogFileSize" -}}100{{- end -}} {{- define "k10.kanisterToolsImageTag" -}}0.105.0{{- end -}} {{- define "k10.disabledServicesEnvVar" -}}K10_DISABLED_SERVICES{{- end -}} -{{- define "k10.gatewayPrefixVarName" -}}GATEWAY_PREFIX{{- end -}} -{{- define "k10.gatewayRequestHeadersVarName" -}}GATEWAY_REQUEST_HEADERS{{- end -}} -{{- define "k10.gatewayAuthHeadersVarName" -}}GATEWAY_AUTH_HEADERS{{- end -}} -{{- define "k10.gatewayPortVarName" -}}GATEWAY_PORT{{- end -}} +{{- define "k10.openShiftClientSecretEnvVar" -}}K10_OPENSHIFT_CLIENT_SECRET{{- end -}} +{{- define "k10.defaultK10DefaultPriorityClassName" -}}{{- end -}} +{{- define "k10.gatewayPrefixVarName" -}}PREFIX_PATH{{- end -}} +{{- define "k10.gatewayRequestHeadersVarName" -}}EXTAUTH_REQUEST_HEADERS{{- end -}} +{{- define "k10.gatewayAuthHeadersVarName" -}}EXTAUTH_AUTH_HEADERS{{- end -}} +{{- define "k10.gatewayPortVarName" -}}PORT{{- end -}} 
diff --git a/charts/kasten/k10/templates/_helpers.tpl b/charts/kasten/k10/templates/_helpers.tpl index 7cbfc28ff..8f18ae2b5 100644 --- a/charts/kasten/k10/templates/_helpers.tpl +++ b/charts/kasten/k10/templates/_helpers.tpl @@ -721,6 +721,24 @@ resources: {{- end }} {{- end -}} +{{/* +Adds priorityClassName field according to helm values. +*/}} +{{- define "k10.priorityClassName" }} +{{- $deploymentName := .k10_deployment_name }} +{{- $defaultPriorityClassName := default "" .main.Values.defaultPriorityClassName }} +{{- $priorityClassName := $defaultPriorityClassName }} + +{{- if and (hasKey .main.Values "priorityClassName") (hasKey .main.Values.priorityClassName $deploymentName) }} + {{- $priorityClassName = index .main.Values.priorityClassName $deploymentName }} +{{- end -}} + +{{- if $priorityClassName }} +priorityClassName: {{ $priorityClassName }} +{{- end }} + +{{- end }}{{/* define "k10.priorityClassName" */}} + {{- define "kanisterToolsResources" }} {{- if .Values.genericVolumeSnapshot.resources.requests.memory }} KanisterToolsMemoryRequests: {{ .Values.genericVolumeSnapshot.resources.requests.memory | quote }} 
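Review bot: `priorityClassName: {{ $priorityClassName }}` emits the value unquoted, so a class name that YAML reinterprets (numeric-looking, `yes`/`no`, or containing `: `) renders as the wrong type or breaks the manifest; the pushgateway helper elsewhere in this diff already writes `priorityClassName: {{ . | quote }}`, so `priorityClassName: {{ $priorityClassName | quote }}` keeps the two consistent. `hasKey .main.Values.priorityClassName $deploymentName` will also abort rendering with a type error if a user sets `priorityClassName` to a plain string as other charts accept; the schema declares it an object, but that only helps when schema validation is enforced, so a `kindIs "map" .main.Values.priorityClassName` check in the `and` would give a clearer failure. The define is complete within this hunk.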
@@ -736,6 +754,21 @@ KanisterToolsCPULimits: {{ .Values.genericVolumeSnapshot.resources.limits.cpu | {{- end }} {{- end }} +{{- define "kanisterPodMetricSidecarResources" }} +{{- if .Values.kanisterPodMetricSidecar.resources.requests.memory }} +KanisterPodMetricSidecarMemoryRequest: {{ .Values.kanisterPodMetricSidecar.resources.requests.memory | quote }} +{{- end }} +{{- if .Values.kanisterPodMetricSidecar.resources.requests.cpu }} +KanisterPodMetricSidecarCPURequest: {{ .Values.kanisterPodMetricSidecar.resources.requests.cpu | quote }} +{{- end }} +{{- if .Values.kanisterPodMetricSidecar.resources.limits.memory }} +KanisterPodMetricSidecarMemoryLimit: {{ .Values.kanisterPodMetricSidecar.resources.limits.memory | quote }} +{{- end }} +{{- if .Values.kanisterPodMetricSidecar.resources.limits.cpu }} +KanisterPodMetricSidecarCPULimit: {{ .Values.kanisterPodMetricSidecar.resources.limits.cpu | quote }} +{{- end }} +{{- end }} + {{- define "get.kanisterPodCustomLabels" -}} {{- if .Values.kanisterPodCustomLabels }} KanisterPodCustomLabels: {{ .Values.kanisterPodCustomLabels | quote }} diff --git a/charts/kasten/k10/templates/_k10_container.tpl b/charts/kasten/k10/templates/_k10_container.tpl index e9401da6e..48c2690da 100644 --- a/charts/kasten/k10/templates/_k10_container.tpl +++ b/charts/kasten/k10/templates/_k10_container.tpl 
@@ -319,6 +319,34 @@ stating that types are not same for the equality check configMapKeyRef: name: k10-config key: KanisterPodPushgatewayMetricsInterval +{{- if .Values.kanisterPodMetricSidecar.resources.requests.memory }} + - name: K10_KANISTER_POD_METRIC_SIDECAR_MEMORY_REQUEST + valueFrom: + configMapKeyRef: + name: k10-config + key: KanisterPodMetricSidecarMemoryRequest +{{- end }} +{{- if .Values.kanisterPodMetricSidecar.resources.requests.cpu }} + - name: K10_KANISTER_POD_METRIC_SIDECAR_CPU_REQUEST + valueFrom: + configMapKeyRef: + name: k10-config + key: KanisterPodMetricSidecarCPURequest +{{- end }} +{{- if .Values.kanisterPodMetricSidecar.resources.limits.memory }} + - name: K10_KANISTER_POD_METRIC_SIDECAR_MEMORY_LIMIT + valueFrom: + configMapKeyRef: + name: k10-config + key: KanisterPodMetricSidecarMemoryLimit +{{- end }} +{{- if .Values.kanisterPodMetricSidecar.resources.limits.cpu }} + - name: K10_KANISTER_POD_METRIC_SIDECAR_CPU_LIMIT + valueFrom: + configMapKeyRef: + name: k10-config + key: KanisterPodMetricSidecarCPULimit +{{- end }} {{- end }} - name: LOG_LEVEL @@ -579,7 +607,12 @@ stating that types are not same for the equality check - name: K10_MUTATING_WEBHOOK_PORT value: {{ .Values.injectKanisterSidecar.webhookServer.port | quote }} {{- end }} -{{- if (list "controllermanager" "kanister" "executor" "dashboardbff" | has $service) }} +{{- if (list "controllermanager" "kanister" "executor" "dashboardbff" "repositories" | has $service) }} + - name: K10_DEFAULT_PRIORITY_CLASS_NAME + valueFrom: + configMapKeyRef: + name: k10-config + key: K10DefaultPriorityClassName {{- if .Values.genericVolumeSnapshot.resources.requests.memory }} - name: KANISTER_TOOLS_MEMORY_REQUESTS valueFrom: 
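Review bot: Adding `"repositories"` to the `has $service` list in the second hunk pulls the whole guarded block into the repositories container, i.e. the `KANISTER_TOOLS_*` request/limit variables that follow as well as the new `K10_DEFAULT_PRIORITY_CLASS_NAME`, and nothing in the hunk says whether that is intended or a side effect of reusing the list. If only the priority class is meant for repositories, a separate `{{- if eq $service "repositories" }}` block for that one variable is the safer shape; if the wider set is intended, a comment such as `{{- /* repositories also launches Kanister tools pods, so it needs the same resource env */ -}}` would record the reason. The guarded block continues past the end of the hunk.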
@@ -627,13 +660,15 @@ stating that types are not same for the equality check value: {{ .Values.global.prometheus.external.baseURL }} {{- end -}} {{- end }} - - name: K10_GRAFANA_ENABLED - value: {{ .Values.grafana.enabled | quote }} + {{- if .Values.grafana.enabled }} + - name: GRAFANA_URL + value: {{ include "k10.prefixPath" . }}/grafana/ + {{- end }} {{- end }} {{- if eq $service "dashboardbff" }} - {{- with .Values.global.persistence.diskSpaceAlertPercent }} + {{- if ne .Values.global.persistence.diskSpaceAlertPercent nil }} - name: K10_DISK_SPACE_ALERT_PERCENT - value: {{ . | quote }} + value: {{ .Values.global.persistence.diskSpaceAlertPercent | quote }} {{- end -}} {{- end -}} {{- if or $.stateful (or (eq (include "check.googlecreds" .) "true") (eq $service "auth" "logging")) }} @@ -732,6 +767,22 @@ stating that types are not same for the equality check image: {{ include "get.dexImage" . }} {{- if .Values.auth.ldap.enabled }} command: ["/usr/local/bin/dex", "serve", "/dex-config/config.yaml"] +{{- else if .Values.auth.openshift.enabled }} + {{- /* + In the case of OpenShift, a template config is used instead of a plain config for Dex. + It requires a different command to be processed correctly. + */}} + command: ["/usr/local/bin/docker-entrypoint", "dex", "serve", "/etc/dex/cfg/config.yaml"] + env: + - name: {{ include "k10.openShiftClientSecretEnvVar" . }} +{{- if .Values.auth.openshift.clientSecretName }} + valueFrom: + secretKeyRef: + name: {{ .Values.auth.openshift.clientSecretName }} + key: token +{{- else }} + value: {{ .Values.auth.openshift.clientSecret }} +{{- end }} {{- else }} command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"] {{- end }} diff --git a/charts/kasten/k10/templates/_k10_image_tag.tpl b/charts/kasten/k10/templates/_k10_image_tag.tpl index 958200d79..ffb9d596f 100644 --- a/charts/kasten/k10/templates/_k10_image_tag.tpl +++ b/charts/kasten/k10/templates/_k10_image_tag.tpl 
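Review bot: In the new OpenShift branch `value: {{ .Values.auth.openshift.clientSecret }}` renders the service-account token unquoted, so a token containing YAML-significant characters corrupts the container env; `value: {{ .Values.auth.openshift.clientSecret | quote }}` avoids that. The inline-value path also writes the token into the Deployment spec and the Helm release secret, where anyone with pod or secret read access in the namespace can see it, so the `secretKeyRef` path via `clientSecretName` deserves to be the documented default and the plain value the fallback. Nothing fails when both values are empty: the variable is set to an empty string and Dex only fails later at login, so a render-time guard like `value: {{ required "auth.openshift.clientSecret or auth.openshift.clientSecretName must be set" .Values.auth.openshift.clientSecret | quote }}` would surface the misconfiguration at install. The container definition continues outside the hunk.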
@@ -1 +1 @@ -{{- define "k10.imageTag" -}}6.5.3{{- end -}} \ No newline at end of file +{{- define "k10.imageTag" -}}6.5.5{{- end -}} \ No newline at end of file diff --git a/charts/kasten/k10/templates/_k10_metering.tpl b/charts/kasten/k10/templates/_k10_metering.tpl index 95243c022..4ddc870ff 100644 --- a/charts/kasten/k10/templates/_k10_metering.tpl +++ b/charts/kasten/k10/templates/_k10_metering.tpl @@ -128,6 +128,7 @@ spec: securityContext: {{ toYaml .Values.services.securityContext | indent 8 }} serviceAccountName: {{ template "meteringServiceAccountName" . }} + {{- dict "main" . "k10_deployment_name" $podName | include "k10.priorityClassName" | indent 6}} {{- include "k10.imagePullSecrets" . | indent 6 }} {{- if $.stateful }} initContainers: diff --git a/charts/kasten/k10/templates/_k10_template.tpl b/charts/kasten/k10/templates/_k10_template.tpl index 568c4d82a..5d22e9717 100644 --- a/charts/kasten/k10/templates/_k10_template.tpl +++ b/charts/kasten/k10/templates/_k10_template.tpl @@ -1,6 +1,7 @@ {{/* Generate service spec */}} {{- define "k10-default" }} {{- $service := .k10_service }} +{{- $deploymentName := (printf "%s-svc" $service) }} {{- with .main }} {{- $main_context := . }} {{- range $skip, $statefulContainer := compact (dict "main" $main_context "k10_service_pod" $service | include "get.statefulRestServicesInPod" | splitList " ") }} @@ -31,7 +32,7 @@ apiVersion: apps/v1 kind: Deployment metadata: namespace: {{ .Release.Namespace }} - name: {{ $service }}-svc + name: {{ $deploymentName }} labels: {{ include "helm.labels" . | indent 4 }} component: {{ $service }} @@ -43,7 +44,7 @@ spec: matchLabels: {{ include "k10.common.matchLabels" . | indent 6 }} component: {{ $service }} - run: {{ $service }}-svc + run: {{ $deploymentName }} template: metadata: annotations: 
@@ -56,7 +57,7 @@ spec: labels: {{ include "helm.labels" . | indent 8 }} component: {{ $service }} - run: {{ $service }}-svc + run: {{ $deploymentName }} spec: {{- if eq $service "executor" }} {{- if .Values.services.executor.hostNetwork }} @@ -76,6 +77,7 @@ spec: securityContext: {{ toYaml .Values.services.securityContext | indent 8 }} serviceAccountName: {{ template "serviceAccountName" . }} + {{- dict "main" . "k10_deployment_name" $deploymentName | include "k10.priorityClassName" | indent 6}} {{- include "k10.imagePullSecrets" . | indent 6 }} {{- /* initContainers: */}} {{- (dict "main" . "k10_pod" $service | include "k10-init-container-header") }} diff --git a/charts/kasten/k10/templates/gateway.yaml b/charts/kasten/k10/templates/gateway.yaml index 1dd2f9d31..4d26109a5 100644 --- a/charts/kasten/k10/templates/gateway.yaml +++ b/charts/kasten/k10/templates/gateway.yaml @@ -127,6 +127,7 @@ spec: {{- if $.Values.gateway.next_gen }} spec: serviceAccountName: {{ template "serviceAccountName" . }} + {{- dict "main" . "k10_deployment_name" "gateway" | include "k10.priorityClassName" | indent 6}} {{- include "k10.imagePullSecrets" . | indent 6 }} containers: - name: gateway @@ -173,6 +174,7 @@ spec: {{- else }} spec: serviceAccountName: {{ template "serviceAccountName" . }} + {{- dict "main" . "k10_deployment_name" "gateway" | include "k10.priorityClassName" | indent 6}} {{- include "k10.imagePullSecrets" . | indent 6 }} containers: - name: ambassador @@ -191,6 +193,8 @@ spec: fieldPath: metadata.namespace - name: AMBASSADOR_SINGLE_NAMESPACE value: "true" + - name: SCOUT_DISABLE + value: "1" - name: "AMBASSADOR_VERIFY_SSL_FALSE" value: {{ .Values.gateway.insecureDisableSSLVerify | quote }} - name: AMBASSADOR_ID diff --git a/charts/kasten/k10/templates/k10-config.yaml b/charts/kasten/k10/templates/k10-config.yaml index 2b8d386f7..a6688d67d 100644 --- a/charts/kasten/k10/templates/k10-config.yaml +++ b/charts/kasten/k10/templates/k10-config.yaml 
@@ -39,6 +39,7 @@ data: KanisterPodMetricSidecarEnabled: {{ .Values.kanisterPodMetricSidecar.enabled | quote }} KanisterPodMetricSidecarMetricLifetime: {{ .Values.kanisterPodMetricSidecar.metricLifetime | quote }} KanisterPodPushgatewayMetricsInterval: {{ .Values.kanisterPodMetricSidecar.pushGatewayInterval | quote }} +{{- include "kanisterPodMetricSidecarResources" . | indent 2 }} KanisterToolsImage: {{ include "get.kanisterToolsImage" . | quote }} K10MutatingWebhookTLSCertDir: "/etc/ssl/certs/webhook" @@ -56,6 +57,8 @@ data: K10GCKeepMaxActions: {{ default (include "k10.defaultK10GCKeepMaxActions" .) .Values.garbagecollector.keepMaxActions | quote }} K10GCActionsEnabled: {{ default (include "k10.defaultK10GCActionsEnabled" .) .Values.garbagecollector.actions.enabled | quote }} + K10DefaultPriorityClassName: {{ default (include "k10.defaultK10DefaultPriorityClassName" .) .Values.defaultPriorityClassName | quote }} + kubeVirtVMsUnFreezeTimeout: {{ default (include "k10.defaultKubeVirtVMsUnfreezeTimeout" .) .Values.kubeVirtVMs.snapshot.unfreezeTimeout | quote }} k10JobMaxWaitDuration: {{ .Values.maxJobWaitDuration | quote }} @@ -170,7 +173,7 @@ data: config: issuer: {{ .Values.auth.openshift.openshiftURL }} clientID: {{printf "system:serviceaccount:%s:%s" .Release.Namespace .Values.auth.openshift.serviceAccount }} - clientSecret: {{ .Values.auth.openshift.clientSecret }} + clientSecret: {{ printf "{{ getenv \"%s\" }}" (include "k10.openShiftClientSecretEnvVar" . ) }} redirectURI: {{ printf "%s/dex/callback" (trimSuffix "/" .Values.auth.openshift.dashboardURL) }} insecureCA: {{ .Values.auth.openshift.insecureCA }} {{- if and (eq (include "check.cacertconfigmap" .) "false") .Values.auth.openshift.useServiceAccountCA }} diff --git a/charts/kasten/k10/values.schema.json b/charts/kasten/k10/values.schema.json index 59c2d7fa1..da54ca1ce 100644 --- a/charts/kasten/k10/values.schema.json +++ b/charts/kasten/k10/values.schema.json 
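Review bot: The Dex `clientSecret` line now renders as the literal `{{ getenv "K10_OPENSHIFT_CLIENT_SECRET" }}` for the Dex entrypoint to expand, which takes the service-account token out of the `k10-config` ConfigMap; that is a real improvement, since ConfigMaps are commonly readable more widely than Secrets. It only works together with the `docker-entrypoint dex serve` command selected for the OpenShift branch elsewhere in this diff, so a comment on the line, e.g. `{{- /* expanded at container start by the Dex image entrypoint, not by Helm */ -}}`, would stop a later cleanup from "fixing" what looks like an unrendered template. Whether the expanded value needs quoting in the resulting YAML depends on the token format, which I cannot confirm from here; if tokens may contain YAML-significant characters, emitting `{{ getenv "..." | quote }}` is the safer form. The ConfigMap data section continues outside the hunk.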
@@ -1372,6 +1372,12 @@ "title": "Service account token", "description": "The token corresponding to the service account" }, + "clientSecretName": { + "type": "string", + "default": "", + "title": "Service account token secret", + "description": "The secret that contains the token corresponding to the service account" + }, "dashboardURL": { "type": "string", "default": "", @@ -1752,6 +1758,19 @@ "title": "Kanister pod custom annotations", "description": "Custom annotations added to pods managed by Kanister" }, + "features": { + "type": "object", + "title": "Feature flags", + "description": "Feature flags to be set by K10", + "properties": { + "backgroundMaintenanceRun": { + "type": "boolean", + "default": true, + "title": "Background maintenance feature", + "description": "Enable background maintenance runs by the repositories service" + } + } + }, "kanisterPodMetricSidecar": { "type": "object", "title": "Metric sidecar for ephemeral pods", 
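Review bot: The `clientSecretName` description does not say which key of the Secret must hold the token, although the container template elsewhere in this diff reads it with `key: token`, nor that it takes precedence over `clientSecret` when both are set; a user who creates the Secret under a different key gets a container start failure with no hint here. A description along the lines of `"Name of a Secret in the release namespace whose 'token' key holds the service account token; when set it is used instead of clientSecret"` covers both points. The properties object continues outside the hunk.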
@@ -1774,6 +1793,63 @@ "default": "30s", "title": "Pushgateway metrics interval", "description": "The interval of sending metrics into the Pushgateway" + }, + "resources": { + "type": "object", + "title": "Kanister pod metric sidecar resource config", + "description": "Configure resource requests and limits for kanister pod metric sidecar", + "properties": { + "requests": { + "type": "object", + "title": "Kanister pod metric sidecar resource requests", + "description": "Kanister pod metric sidecar resource requests configuration", + "properties": { + "memory": { + "type": "string", + "default": "", + "title": "Kanister pod metric sidecar memory request", + "description": "Kanister pod metric sidecar memory request", + "examples": [ + "1Gi" + ] + }, + "cpu": { + "type": "string", + "default": "", + "title": "Kanister pod metric sidecars cpu request", + "description": "Kanister pod metric sidecars cpu request", + "examples": [ + "1" + ] + } + } + }, + "limits": { + "type": "object", + "title": "Kanister pod metric sidecar resource limits", + "description": "Kanister pod metric sidecar resource limits configuration", + "properties": { + "memory": { + "type": "string", + "default": "", + "title": "Kanister pod metric sidecars memory limit", + "description": "Kanister pod metric sidecars memory limit", + "examples": [ + "1Gi" + ] + }, + "cpu": { + "type": "string", + "default": "", + "title": "Kanister pod metric sidecars cpu limit", + "description": "Kanister pod metric sidecars cpu limit", + "examples": [ + "1" + ] + } + } + } + } } } }, 
@@ -1781,12 +1857,12 @@ "type": "object", "title": "Generic Storage backup activation config", "properties": { - "token": { - "type": "string", - "title": "Generic volume snapshot activation token", - "description": "Token to enable generic volume snapshot", - "default":"" - } + "token": { + "type": "string", + "title": "Generic volume snapshot activation token", + "description": "Token to enable generic volume snapshot", + "default": "" + } } }, "genericVolumeSnapshot": { @@ -1891,6 +1967,18 @@ "title": "K10 pods resource config", "description": "Resource management for K10 pods" }, + "defaultPriorityClassName": { + "type": "string", + "default": "", + "title": "Default priorityClassName", + "description": "Set the default priorityClassName for all K10 pods" + }, + "priorityClassName": { + "type": "object", + "default": {}, + "title": "K10 pods priorityClassName config", + "description": "Set priorityClassName for specific K10 pods" + }, "services": { "type": "object", "title": "K10 services config", 
@@ -2277,38 +2365,38 @@ "title": "Google config", "description": "Google auth config", "properties": { - "workloadIdentityFederation": { + "workloadIdentityFederation": { + "type": "object", + "title": "Google Workload Identity Federation config", + "description": "config for Google Workload Identity Federation", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Enable Google Workload Identity Federation (GWIF) for K10", + "description": "Set to true - Google Workload Identity Federation is enabled for K10" + }, + "idp": { "type": "object", - "title": "Google Workload Identity Federation config" , - "description": "config for Google Workload Identity Federation", + "title": "Identity Provider config", + "description": "Identity Provider config", "properties": { - "enabled": { - "type": "boolean", - "default": false, - "title": "Enable Google Workload Identity Federation (GWIF) for K10", - "description": "Set to true - Google Workload Identity Federation is enabled for K10" - }, - "idp": { - "type": "object", - "title": "Identity Provider config" , - "description": "Identity Provider config", - "properties": { - "type": { - "type": "string", - "default": "", - "title": "Type of the Identity Provider for GWIF", - "description": "Set the type of IdP for GWIF" - }, - "aud": { - "type": "string", - "default": "", - "title": "The audience that ID token is intended for", - "description": "Set the name of the audience that ID token is intended for" - } - } - } + "type": { + "type": "string", + "default": "", + "title": "Type of the Identity Provider for GWIF", + "description": "Set the type of IdP for GWIF" + }, + "aud": { + "type": "string", + "default": "", + "title": "The audience that ID token is intended for", + "description": "Set the name of the audience that ID token is intended for" + } } + } } + } } }, "grafana": { diff --git a/charts/kasten/k10/values.yaml b/charts/kasten/k10/values.yaml index 1fe6ae477..2c327e3e7 100644 
--- a/charts/kasten/k10/values.yaml +++ b/charts/kasten/k10/values.yaml @@ -274,6 +274,7 @@ auth: enabled: false serviceAccount: "" #service account used as the OAuth client clientSecret: "" #The token from the service account + clientSecretName: "" #The secret with the token from the service account dashboardURL: "" #The URL for accessing K10's dashboard openshiftURL: "" #The URL of the Openshift API server insecureCA: false @@ -344,10 +345,20 @@ kanisterPodCustomLabels : "" kanisterPodCustomAnnotations : "" +features: + backgroundMaintenanceRun: true # Key must be deleted to deactivate. Setting to false will not work. + kanisterPodMetricSidecar: enabled: true metricLifetime: "2m" pushGatewayInterval: "30s" + resources: + requests: + memory: "" + cpu: "" + limits: + memory: "" + cpu: "" genericVolumeSnapshot: resources: @@ -366,6 +377,9 @@ garbagecollector: resources: {} +defaultPriorityClassName: "" +priorityClassName: {} + services: executor: hostNetwork: false diff --git a/charts/kong/kong/CHANGELOG.md b/charts/kong/kong/CHANGELOG.md index 3e5f8d64f..7d06c93e8 100644 --- a/charts/kong/kong/CHANGELOG.md +++ b/charts/kong/kong/CHANGELOG.md @@ -1,5 +1,13 @@ # Changelog +## 2.38.0 + +### Changes + +* Added support for setting `SVC.tls.appProtocol` and `SVC.http.appProtocol` values to configure the appProtocol fields + for Kubernetes Service HTTP and TLS ports. It might be useful for integration with external load balancers like GCP. + [#1018](https://github.com/Kong/charts/pull/1018) + ## 2.37.1 * Rename the controller status port. This fixes a collision with the proxy status port in the Prometheus ServiceMonitor. diff --git a/charts/kong/kong/Chart.yaml b/charts/kong/kong/Chart.yaml index 9d09f62be..3805e9790 100644 --- a/charts/kong/kong/Chart.yaml +++ b/charts/kong/kong/Chart.yaml @@ -18,4 +18,4 @@ maintainers: name: kong sources: - https://github.com/Kong/charts/tree/main/charts/kong -version: 2.37.1 +version: 2.38.0 
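Review bot: `backgroundMaintenanceRun: true # Key must be deleted to deactivate. Setting to false will not work.` documents a boolean that ignores its own false value, while the matching `values.schema.json` entry elsewhere in this diff types it as a boolean defaulting to true with no such caveat, so a user following the schema will believe they disabled background maintenance when they did not. Either the consuming template should honour `false` (its code is not in this diff) or the schema description should carry the same warning, e.g. `"Enable background maintenance runs by the repositories service. Setting false has no effect; remove the key to disable."`. Separately, the `clientSecretName` comment would help more if it named the key the chart reads: `clientSecretName: "" # Name of a Secret whose 'token' key holds the service account token; used instead of clientSecret when set`.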
diff --git a/charts/kong/kong/README.md b/charts/kong/kong/README.md
index 48483e7aa..3c5f3da05 100644
--- a/charts/kong/kong/README.md
+++ b/charts/kong/kong/README.md
@@ -666,40 +666,42 @@ nodes. mixed TCP/UDP LoadBalancer Services). It _does not_ support the `http`, `tls`, or `ingress` sections, as it is used only for stream listens. -| Parameter | Description | Default | -|------------------------------------|---------------------------------------------------------------------------------------|--------------------------| -| SVC.enabled | Create Service resource for SVC (admin, proxy, manager, etc.) | | -| SVC.http.enabled | Enables http on the service | | -| SVC.http.servicePort | Service port to use for http | | -| SVC.http.containerPort | Container port to use for http | | -| SVC.http.nodePort | Node port to use for http | | -| SVC.http.hostPort | Host port to use for http | | -| SVC.http.parameters | Array of additional listen parameters | `[]` | -| SVC.tls.enabled | Enables TLS on the service | | -| SVC.tls.containerPort | Container port to use for TLS | | -| SVC.tls.servicePort | Service port to use for TLS | | -| SVC.tls.nodePort | Node port to use for TLS | | -| SVC.tls.hostPort | Host port to use for TLS | | -| SVC.tls.overrideServiceTargetPort | Override service port to use for TLS without touching Kong containerPort | | -| SVC.tls.parameters | Array of additional listen parameters | `["http2"]` | -| SVC.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | | -| SVC.clusterIP | k8s service clusterIP | | -| SVC.loadBalancerClass | loadBalancerClass to use for LoadBalancer provisionning | | -| SVC.loadBalancerSourceRanges | Limit service access to CIDRs if set and service type is `LoadBalancer` | `[]` | -| SVC.loadBalancerIP | Reuse an existing ingress static IP for the service | | -| SVC.externalIPs | IPs for which nodes in the cluster will also accept traffic for the servic | `[]` | -| SVC.externalTrafficPolicy | k8s service's externalTrafficPolicy. 
Options: Cluster, Local | | -| SVC.ingress.enabled | Enable ingress resource creation (works with SVC.type=ClusterIP) | `false` | -| SVC.ingress.ingressClassName | Set the ingressClassName to associate this Ingress with an IngressClass | | -| SVC.ingress.hostname | Ingress hostname | `""` | -| SVC.ingress.path | Ingress path. | `/` | -| SVC.ingress.pathType | Ingress pathType. One of `ImplementationSpecific`, `Exact` or `Prefix` | `ImplementationSpecific` | -| SVC.ingress.hosts | Slice of hosts configurations, including `hostname`, `path` and `pathType` keys | `[]` | -| SVC.ingress.tls | Name of secret resource or slice of `secretName` and `hosts` keys | | -| SVC.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` | -| SVC.ingress.labels | Ingress labels. Additional custom labels to add to the ingress. | `{}` | -| SVC.annotations | Service annotations | `{}` | -| SVC.labels | Service labels | `{}` | +| Parameter | Description | Default | +|-----------------------------------|-------------------------------------------------------------------------------------------|--------------------------| +| SVC.enabled | Create Service resource for SVC (admin, proxy, manager, etc.) | | +| SVC.http.enabled | Enables http on the service | | +| SVC.http.servicePort | Service port to use for http | | +| SVC.http.containerPort | Container port to use for http | | +| SVC.http.nodePort | Node port to use for http | | +| SVC.http.hostPort | Host port to use for http | | +| SVC.http.parameters | Array of additional listen parameters | `[]` | +| SVC.http.appProtocol | `appProtocol` to be set in a Service's port. If left empty, no `appProtocol` will be set. 
| | +| SVC.tls.enabled | Enables TLS on the service | | +| SVC.tls.containerPort | Container port to use for TLS | | +| SVC.tls.servicePort | Service port to use for TLS | | +| SVC.tls.nodePort | Node port to use for TLS | | +| SVC.tls.hostPort | Host port to use for TLS | | +| SVC.tls.overrideServiceTargetPort | Override service port to use for TLS without touching Kong containerPort | | +| SVC.tls.parameters | Array of additional listen parameters | `["http2"]` | +| SVC.tls.appProtocol | `appProtocol` to be set in a Service's port. If left empty, no `appProtocol` will be set. | | +| SVC.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | | +| SVC.clusterIP | k8s service clusterIP | | +| SVC.loadBalancerClass | loadBalancerClass to use for LoadBalancer provisionning | | +| SVC.loadBalancerSourceRanges | Limit service access to CIDRs if set and service type is `LoadBalancer` | `[]` | +| SVC.loadBalancerIP | Reuse an existing ingress static IP for the service | | +| SVC.externalIPs | IPs for which nodes in the cluster will also accept traffic for the servic | `[]` | +| SVC.externalTrafficPolicy | k8s service's externalTrafficPolicy. Options: Cluster, Local | | +| SVC.ingress.enabled | Enable ingress resource creation (works with SVC.type=ClusterIP) | `false` | +| SVC.ingress.ingressClassName | Set the ingressClassName to associate this Ingress with an IngressClass | | +| SVC.ingress.hostname | Ingress hostname | `""` | +| SVC.ingress.path | Ingress path. | `/` | +| SVC.ingress.pathType | Ingress pathType. One of `ImplementationSpecific`, `Exact` or `Prefix` | `ImplementationSpecific` | +| SVC.ingress.hosts | Slice of hosts configurations, including `hostname`, `path` and `pathType` keys | `[]` | +| SVC.ingress.tls | Name of secret resource or slice of `secretName` and `hosts` keys | | +| SVC.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` | +| SVC.ingress.labels | Ingress labels. 
Additional custom labels to add to the ingress. | `{}` | +| SVC.annotations | Service annotations | `{}` | +| SVC.labels | Service labels | `{}` | #### Admin Service mTLS diff --git a/charts/kong/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap b/charts/kong/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap index 13b56ef05..f7853bdc5 100644 --- a/charts/kong/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap +++ b/charts/kong/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap @@ -10,7 +10,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -34,7 +34,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 version: \"3.6\" spec: automountServiceAccountToken: false @@ -275,7 +275,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-custom-dbless-config namespace: default - object: @@ -287,7 +287,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-admin namespace: default spec: @@ -310,7 +310,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-manager namespace: default spec: @@ -338,7 +338,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" enable-metrics: \"true\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: 
@@ -365,7 +365,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/custom-labels-values.snap b/charts/kong/kong/ci/__snapshots__/custom-labels-values.snap index ae2387908..70b631e1d 100644 --- a/charts/kong/kong/ci/__snapshots__/custom-labels-values.snap +++ b/charts/kong/kong/ci/__snapshots__/custom-labels-values.snap @@ -10,7 +10,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validations namespace: default webhooks: @@ -85,7 +85,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -109,7 +109,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 version: \"3.6\" spec: automountServiceAccountToken: false @@ -409,7 +409,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong rules: - apiGroups: @@ -690,7 +690,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -710,7 +710,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default rules: @@ -775,7 +775,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default roleRef: @@ -799,7 +799,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -816,7 +816,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -830,7 +830,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-manager namespace: default spec: @@ -859,7 +859,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" enable-metrics: \"true\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -887,7 +887,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook namespace: default spec: 
@@ -903,7 +903,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 - object: apiVersion: v1 kind: ServiceAccount @@ -914,7 +914,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/default-values.snap b/charts/kong/kong/ci/__snapshots__/default-values.snap index a8bf224b9..0733fed1f 100644 --- a/charts/kong/kong/ci/__snapshots__/default-values.snap +++ b/charts/kong/kong/ci/__snapshots__/default-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validations namespace: default webhooks: @@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 version: \"3.6\" spec: automountServiceAccountToken: false @@ -411,7 +411,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong rules: - apiGroups: @@ -691,7 +691,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -710,7 +710,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default rules: @@ -774,7 +774,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default roleRef: @@ -797,7 +797,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -813,7 +813,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -826,7 +826,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-manager namespace: default spec: @@ -854,7 +854,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" enable-metrics: \"true\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -881,7 +881,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook namespace: default spec: 
@@ -896,7 +896,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 - object: apiVersion: v1 kind: ServiceAccount @@ -906,7 +906,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/kong-ingress-1-values.snap b/charts/kong/kong/ci/__snapshots__/kong-ingress-1-values.snap index fb5b88f05..3de415c6f 100644 --- a/charts/kong/kong/ci/__snapshots__/kong-ingress-1-values.snap +++ b/charts/kong/kong/ci/__snapshots__/kong-ingress-1-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validations namespace: default webhooks: @@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 version: \"3.6\" spec: automountServiceAccountToken: false @@ -405,7 +405,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -431,7 +431,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong rules: - apiGroups: 
@@ -711,7 +711,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -730,7 +730,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default rules: @@ -794,7 +794,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default roleRef: @@ -817,7 +817,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -833,7 +833,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -855,7 +855,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-manager namespace: default spec: @@ -883,7 +883,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" enable-metrics: \"true\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: 
@@ -910,7 +910,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -925,7 +925,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 - object: apiVersion: v1 kind: ServiceAccount @@ -935,7 +935,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/kong-ingress-2-values.snap b/charts/kong/kong/ci/__snapshots__/kong-ingress-2-values.snap index 57ddf459f..456a42147 100644 --- a/charts/kong/kong/ci/__snapshots__/kong-ingress-2-values.snap +++ b/charts/kong/kong/ci/__snapshots__/kong-ingress-2-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validations namespace: default webhooks: @@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 version: \"3.6\" spec: automountServiceAccountToken: false 
@@ -405,7 +405,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -433,7 +433,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong rules: - apiGroups: @@ -713,7 +713,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -732,7 +732,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default rules: @@ -796,7 +796,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default roleRef: @@ -819,7 +819,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -835,7 +835,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls 
@@ -857,7 +857,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-manager namespace: default spec: @@ -885,7 +885,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" enable-metrics: \"true\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -912,7 +912,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -927,7 +927,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 - object: apiVersion: v1 kind: ServiceAccount @@ -937,7 +937,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/kong-ingress-3-values.snap b/charts/kong/kong/ci/__snapshots__/kong-ingress-3-values.snap index 699eda3af..7c37f2363 100644 --- a/charts/kong/kong/ci/__snapshots__/kong-ingress-3-values.snap +++ b/charts/kong/kong/ci/__snapshots__/kong-ingress-3-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validations namespace: default webhooks: 
@@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 version: \"3.6\" spec: automountServiceAccountToken: false @@ -405,7 +405,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -429,7 +429,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong rules: - apiGroups: @@ -709,7 +709,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -728,7 +728,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default rules: @@ -792,7 +792,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default roleRef: @@ -815,7 +815,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls 
@@ -831,7 +831,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -844,7 +844,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-manager namespace: default spec: @@ -872,7 +872,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" enable-metrics: \"true\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -899,7 +899,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -914,7 +914,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 - object: apiVersion: v1 kind: ServiceAccount @@ -924,7 +924,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/kong-ingress-4-values.snap b/charts/kong/kong/ci/__snapshots__/kong-ingress-4-values.snap index 6dabcfe52..0a8f0fb27 100644 --- a/charts/kong/kong/ci/__snapshots__/kong-ingress-4-values.snap +++ b/charts/kong/kong/ci/__snapshots__/kong-ingress-4-values.snap 
@@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validations namespace: default webhooks: @@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 version: \"3.6\" spec: automountServiceAccountToken: false @@ -405,7 +405,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -464,7 +464,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong rules: - apiGroups: @@ -744,7 +744,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -763,7 +763,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default rules: @@ -827,7 +827,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default roleRef: 
@@ -850,7 +850,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -866,7 +866,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -897,7 +897,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-manager namespace: default spec: @@ -925,7 +925,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" enable-metrics: \"true\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -952,7 +952,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -967,7 +967,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 - object: apiVersion: v1 kind: ServiceAccount @@ -977,7 +977,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap b/charts/kong/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap index c36470149..4eb6e9861 100644 
--- a/charts/kong/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap +++ b/charts/kong/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validations namespace: default webhooks: @@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 version: \"3.6\" spec: automountServiceAccountToken: false @@ -411,7 +411,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong rules: - apiGroups: @@ -691,7 +691,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -710,7 +710,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default rules: @@ -774,7 +774,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default roleRef: 
@@ -797,7 +797,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -813,7 +813,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -826,7 +826,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-manager namespace: default spec: @@ -854,7 +854,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" enable-metrics: \"true\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -881,7 +881,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -896,7 +896,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 - object: apiVersion: v1 kind: ServiceAccount @@ -906,7 +906,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/proxy-appprotocol-values.snap b/charts/kong/kong/ci/__snapshots__/proxy-appprotocol-values.snap new file mode 100644 index 000000000..c53f0066f --- /dev/null 
+++ b/charts/kong/kong/ci/__snapshots__/proxy-appprotocol-values.snap 
@@ -0,0 +1,908 @@ +[proxy-appprotocol-values] +SnapShot = """ +- object: + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.6\" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong-validations + namespace: default + webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + name: validations.kong.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - \"\" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - v1alpha2 + - v1beta1 + - v1 + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + sideEffects: None +- object: + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.6\" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + template: + metadata: + annotations: + kuma.io/gateway: enabled + kuma.io/service-account-token-volume: chartsnap-kong-token + 
traffic.sidecar.istio.io/includeInboundPorts: \"\" + labels: + app: chartsnap-kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.6\" + helm.sh/chart: kong-2.38.0 + version: \"3.6\" + spec: + automountServiceAccountToken: false + containers: + - args: null + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: 0.0.0.0:8080 + - name: CONTROLLER_ELECTION_ID + value: kong-ingress-controller-leader-kong + - name: CONTROLLER_INGRESS_CLASS + value: kong + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: \"true\" + - name: CONTROLLER_KONG_ADMIN_URL + value: https://localhost:8444 + - name: CONTROLLER_PUBLISH_SERVICE + value: default/chartsnap-kong-proxy + image: kong/kubernetes-ingress-controller:3.1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: ingress-controller + ports: + - containerPort: 8080 + name: webhook + protocol: TCP + - containerPort: 10255 + name: cmetrics + protocol: TCP + - containerPort: 10254 + name: cstatus + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /admission-webhook + name: webhook-cert + readOnly: true + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + 
name: chartsnap-kong-token + readOnly: true + - env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.6 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + 
httpGet: + path: /status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + image: kong:3.6 + imagePullPolicy: IfNotPresent + name: clear-stale-pid + 
resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + securityContext: {} + serviceAccountName: chartsnap-kong + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.6\" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong + rules: + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - pods + verbs: + - get + - list + - watch + - 
apiGroups: + - \"\" + resources: + - secrets + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - services/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + 
verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - konglicenses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - konglicenses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongvaults + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongvaults/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.6\" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.6\" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong + namespace: default + rules: + - apiGroups: + - \"\" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - \"\" + resourceNames: + - kong-ingress-controller-leader-kong-kong + resources: + - configmaps + verbs: + - get + - update + - apiGroups: + - 
\"\" + resources: + - configmaps + verbs: + - create + - apiGroups: + - \"\" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.6\" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong + namespace: default + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.6\" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong-validation-webhook-ca-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.6\" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong-validation-webhook-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.6\" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong-manager + namespace: default + spec: + ports: + - name: kong-manager 
+ port: 8002 + protocol: TCP + targetPort: 8002 + - name: kong-manager-tls + port: 8445 + protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: NodePort +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.6\" + enable-metrics: \"true\" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong-proxy + namespace: default + spec: + ports: + - appProtocol: http + name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - appProtocol: https + name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: LoadBalancer +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.6\" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong-validation-webhook + namespace: default + spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.6\" + helm.sh/chart: kong-2.38.0 +- object: + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.6\" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong + namespace: default +""" diff --git a/charts/kong/kong/ci/__snapshots__/service-account.snap b/charts/kong/kong/ci/__snapshots__/service-account.snap index 9a5c829e5..acfde1ef4 100644 
--- a/charts/kong/kong/ci/__snapshots__/service-account.snap +++ b/charts/kong/kong/ci/__snapshots__/service-account.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validations namespace: default webhooks: @@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 version: \"3.6\" spec: automountServiceAccountToken: false @@ -405,7 +405,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong rules: - apiGroups: @@ -685,7 +685,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -704,7 +704,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default rules: @@ -768,7 +768,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default roleRef: 
@@ -791,7 +791,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -807,7 +807,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -820,7 +820,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-manager namespace: default spec: @@ -848,7 +848,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" enable-metrics: \"true\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -875,7 +875,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -890,7 +890,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 - object: apiVersion: v1 kind: ServiceAccount @@ -900,7 +900,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: my-kong-sa namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/single-image-default-values.snap b/charts/kong/kong/ci/__snapshots__/single-image-default-values.snap index 0c9627d19..2f242db10 100644 
--- a/charts/kong/kong/ci/__snapshots__/single-image-default-values.snap +++ b/charts/kong/kong/ci/__snapshots__/single-image-default-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validations namespace: default webhooks: @@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 version: \"3.6\" spec: automountServiceAccountToken: false @@ -411,7 +411,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong rules: - apiGroups: @@ -691,7 +691,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -710,7 +710,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default rules: @@ -774,7 +774,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default roleRef: 
@@ -797,7 +797,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -813,7 +813,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -826,7 +826,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-manager namespace: default spec: @@ -854,7 +854,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" enable-metrics: \"true\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -881,7 +881,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -896,7 +896,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 - object: apiVersion: v1 kind: ServiceAccount @@ -906,7 +906,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap b/charts/kong/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap index 1b3bfebe1..f16c309cb 100644 
--- a/charts/kong/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap +++ b/charts/kong/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap @@ -10,7 +10,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -33,7 +33,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 version: \"3.6\" spec: automountServiceAccountToken: false @@ -250,7 +250,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-manager namespace: default spec: @@ -278,7 +278,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" enable-metrics: \"true\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -305,7 +305,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/test1-values.snap b/charts/kong/kong/ci/__snapshots__/test1-values.snap index 12ff409bd..8f5070eb0 100644 --- a/charts/kong/kong/ci/__snapshots__/test1-values.snap +++ b/charts/kong/kong/ci/__snapshots__/test1-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validations namespace: default webhooks: 
@@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" environment: test - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 version: \"3.6\" spec: automountServiceAccountToken: false @@ -448,7 +448,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -474,7 +474,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -498,7 +498,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong rules: - apiGroups: @@ -778,7 +778,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -797,7 +797,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default rules: @@ -861,7 +861,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default roleRef: 
@@ -884,7 +884,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -900,7 +900,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -913,7 +913,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-manager namespace: default spec: @@ -941,7 +941,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" enable-metrics: \"true\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -968,7 +968,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -983,7 +983,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 - object: apiVersion: v1 kind: ServiceAccount @@ -993,7 +993,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/test2-values.snap b/charts/kong/kong/ci/__snapshots__/test2-values.snap index 023c66266..641245925 100644 --- a/charts/kong/kong/ci/__snapshots__/test2-values.snap 
+++ b/charts/kong/kong/ci/__snapshots__/test2-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validations namespace: default webhooks: @@ -84,7 +84,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -112,7 +112,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 version: \"3.6\" spec: automountServiceAccountToken: false @@ -725,7 +725,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-init-migrations namespace: default spec: @@ -741,7 +741,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: kong-init-migrations spec: automountServiceAccountToken: false @@ -978,7 +978,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-post-upgrade-migrations namespace: default spec: @@ -994,7 +994,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: kong-post-upgrade-migrations spec: automountServiceAccountToken: false 
@@ -1233,7 +1233,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-pre-upgrade-migrations namespace: default spec: @@ -1249,7 +1249,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: kong-pre-upgrade-migrations spec: automountServiceAccountToken: false @@ -1482,7 +1482,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -1506,7 +1506,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong rules: - apiGroups: @@ -1565,7 +1565,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -1584,7 +1584,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default rules: @@ -1648,7 +1648,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-default namespace: default rules: 
@@ -1882,7 +1882,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default roleRef: @@ -1902,7 +1902,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-default namespace: default roleRef: @@ -1928,7 +1928,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-bash-wait-for-postgres namespace: default - object: @@ -1950,7 +1950,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -1966,7 +1966,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -1994,7 +1994,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-manager namespace: default spec: @@ -2022,7 +2022,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" enable-metrics: \"true\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: 
@@ -2057,7 +2057,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -2072,7 +2072,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 - object: apiVersion: v1 kind: Service @@ -2132,7 +2132,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/test3-values.snap b/charts/kong/kong/ci/__snapshots__/test3-values.snap index 60b8d5fb1..07233ea33 100644 --- a/charts/kong/kong/ci/__snapshots__/test3-values.snap +++ b/charts/kong/kong/ci/__snapshots__/test3-values.snap @@ -10,7 +10,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -34,7 +34,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 version: \"3.6\" spec: automountServiceAccountToken: false @@ -296,7 +296,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-custom-dbless-config namespace: default - object: @@ -308,7 +308,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-manager namespace: default spec: 
@@ -336,7 +336,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" enable-metrics: \"true\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -363,7 +363,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/test4-values.snap b/charts/kong/kong/ci/__snapshots__/test4-values.snap index b8d0c5c07..31f738f57 100644 --- a/charts/kong/kong/ci/__snapshots__/test4-values.snap +++ b/charts/kong/kong/ci/__snapshots__/test4-values.snap @@ -10,7 +10,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -34,7 +34,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 version: \"3.6\" spec: automountServiceAccountToken: false @@ -272,7 +272,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -305,7 +305,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-custom-dbless-config namespace: default - object: @@ -317,7 +317,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-manager namespace: default spec: 
@@ -345,7 +345,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" enable-metrics: \"true\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -380,7 +380,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/test5-values.snap b/charts/kong/kong/ci/__snapshots__/test5-values.snap index 77de83643..2d3f4ba41 100644 --- a/charts/kong/kong/ci/__snapshots__/test5-values.snap +++ b/charts/kong/kong/ci/__snapshots__/test5-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validations namespace: default webhooks: @@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default spec: @@ -111,7 +111,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 version: \"3.6\" spec: automountServiceAccountToken: false @@ -695,7 +695,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-init-migrations namespace: default spec: @@ -711,7 +711,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: kong-init-migrations spec: automountServiceAccountToken: false 
@@ -933,7 +933,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-post-upgrade-migrations namespace: default spec: @@ -949,7 +949,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: kong-post-upgrade-migrations spec: automountServiceAccountToken: false @@ -1173,7 +1173,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-pre-upgrade-migrations namespace: default spec: @@ -1189,7 +1189,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: kong-pre-upgrade-migrations spec: automountServiceAccountToken: false @@ -1407,7 +1407,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: @@ -1431,7 +1431,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong rules: - apiGroups: @@ -1711,7 +1711,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -1730,7 +1730,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default rules: @@ -1794,7 +1794,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong namespace: default roleRef: @@ -1820,7 +1820,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-bash-wait-for-postgres namespace: default - object: @@ -1835,7 +1835,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -1851,7 +1851,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -1879,7 +1879,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-manager namespace: default spec: @@ -1907,7 +1907,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.6\" enable-metrics: \"true\" - helm.sh/chart: kong-2.37.1 + helm.sh/chart: kong-2.38.0 name: chartsnap-kong-proxy namespace: default spec: 
@@ -1934,7 +1934,7 @@ SnapShot = """
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: kong
 app.kubernetes.io/version: \"3.6\"
- helm.sh/chart: kong-2.37.1
+ helm.sh/chart: kong-2.38.0
 name: chartsnap-kong-validation-webhook
 namespace: default
 spec:
@@ -1949,7 +1949,7 @@ SnapShot = """
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: kong
 app.kubernetes.io/version: \"3.6\"
- helm.sh/chart: kong-2.37.1
+ helm.sh/chart: kong-2.38.0
 - object:
 apiVersion: v1
 kind: Service
@@ -2009,7 +2009,7 @@ SnapShot = """
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: kong
 app.kubernetes.io/version: \"3.6\"
- helm.sh/chart: kong-2.37.1
+ helm.sh/chart: kong-2.38.0
 name: chartsnap-kong
 namespace: default
 """
diff --git a/charts/kong/kong/ci/proxy-appprotocol-values.yaml b/charts/kong/kong/ci/proxy-appprotocol-values.yaml
new file mode 100644
index 000000000..ad042424c
--- /dev/null
+++ b/charts/kong/kong/ci/proxy-appprotocol-values.yaml
@@ -0,0 +1,7 @@
+# This values test that the `proxy.*.appProtocol` can be set to a custom value.
+
+proxy:
+ http:
+ appProtocol: "http"
+ tls:
+ appProtocol: "https"
diff --git a/charts/kong/kong/templates/_helpers.tpl b/charts/kong/kong/templates/_helpers.tpl
index 89d574586..2dab58695 100644
--- a/charts/kong/kong/templates/_helpers.tpl
+++ b/charts/kong/kong/templates/_helpers.tpl
@@ -213,6 +213,9 @@ spec:
 - name: kong-{{ .serviceName }}
 port: {{ .http.servicePort }}
 targetPort: {{ .http.containerPort }}
+ {{- if .http.appProtocol }}
+ appProtocol: {{ .http.appProtocol }}
+ {{- end }}
 {{- if (and (or (eq .type "LoadBalancer") (eq .type "NodePort")) (not (empty .http.nodePort))) }}
 nodePort: {{ .http.nodePort }}
 {{- end }}
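Review bot: The new `appProtocol: {{ .http.appProtocol }}` line in the `_helpers.tpl` hunk emits the operator-supplied value unquoted, so a value the YAML parser treats as a non-string scalar (for example `yes`, `on`, or a bare number) would be rendered as a boolean/number and rejected by the API server, since `Service.spec.ports[].appProtocol` is a string field. The surrounding `port:`/`targetPort:` lines are integers, so this is the first string field in the block that needs it; `appProtocol: {{ .http.appProtocol | quote }}` keeps it a string for any input. The TLS port block added in the following hunk has the same shape and would take the same `| quote`. This is a hardening/consistency point rather than an injection concern, because the value comes from the chart's own values file; the enclosing service template begins before this hunk.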
@@ -223,6 +226,9 @@ spec: - name: kong-{{ .serviceName }}-tls port: {{ .tls.servicePort }} targetPort: {{ .tls.overrideServiceTargetPort | default .tls.containerPort }} + {{- if .tls.appProtocol }} + appProtocol: {{ .tls.appProtocol }} + {{- end }} {{- if (and (or (eq .type "LoadBalancer") (eq .type "NodePort")) (not (empty .tls.nodePort))) }} nodePort: {{ .tls.nodePort }} {{- end }} diff --git a/charts/kong/kong/values.yaml b/charts/kong/kong/values.yaml index a8b699cd1..cb1bb6493 100644 --- a/charts/kong/kong/values.yaml +++ b/charts/kong/kong/values.yaml @@ -317,6 +317,10 @@ proxy: parameters: - http2 + # Specify the Service's TLS port's appProtocol. This can be useful when integrating with + # external load balancers that require the `appProtocol` field to be set (e.g. GCP). + appProtocol: "" + # Define stream (TCP) listen # To enable, remove "[]", uncomment the section below, and select your desired # ports and parameters. Listens are dynamically named after their containerPort, diff --git a/charts/kubecost/cost-analyzer/Chart.yaml b/charts/kubecost/cost-analyzer/Chart.yaml index f2908fc2f..b4dde801a 100644 --- a/charts/kubecost/cost-analyzer/Chart.yaml +++ b/charts/kubecost/cost-analyzer/Chart.yaml @@ -7,9 +7,9 @@ annotations: catalog.cattle.io/featured: "1" catalog.cattle.io/release-name: cost-analyzer apiVersion: v2 -appVersion: 2.0.2 +appVersion: 2.1.1 description: A Helm chart that sets up Kubecost, Prometheus, and Grafana to monitor cloud costs. icon: https://partner-charts.rancher.io/assets/logos/kubecost.png name: cost-analyzer -version: 2.0.2 +version: 2.1.1 diff --git a/charts/kubecost/cost-analyzer/grafana-templates/multi-cluster-container-stats.json b/charts/kubecost/cost-analyzer/grafana-templates/multi-cluster-container-stats.json index 7467e2ede..8a39e09ce 100644 --- a/charts/kubecost/cost-analyzer/grafana-templates/multi-cluster-container-stats.json +++ b/charts/kubecost/cost-analyzer/grafana-templates/multi-cluster-container-stats.json 
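Review bot: The new `values.yaml` comment describes the TLS port's `appProtocol` but does not say what the empty default does; since the template only emits the field inside `{{- if .tls.appProtocol }}`, an empty value means the field is left off the Service entirely, and that is worth stating so operators do not expect `""` to be sent to the API. The CI values file added in this change also sets `proxy.http.appProtocol`, so the comment should point readers at the matching HTTP-port knob if it is documented elsewhere in the file. Suggested wording: `# Specify the Service's TLS port's appProtocol (omitted from the Service when empty). Useful for` / `# external load balancers that require the field to be set (e.g. GCP); see the matching proxy.http setting.` The `proxy:` mapping this sits in starts well before the hunk.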
@@ -1,8 +1,8 @@ { "__inputs": [ { - "name": "DS_PROMETHEUS", - "label": "Prometheus", + "name": "DS_THANOS", + "label": "Thanos", "description": "", "type": "datasource", "pluginId": "prometheus", @@ -15,7 +15,7 @@ "type": "grafana", "id": "grafana", "name": "Grafana", - "version": "9.5.2" + "version": "10.3.1" }, { "type": "datasource", @@ -23,12 +23,6 @@ "name": "Prometheus", "version": "1.0.0" }, - { - "type": "panel", - "id": "table", - "name": "Table", - "version": "" - }, { "type": "panel", "id": "timeseries", @@ -58,7 +52,7 @@ } ] }, - "description": "Visualize your kubernetes costs at the pod level.", + "description": "", "editable": true, "fiscalYearStartMonth": 0, "gnetId": 9063, 
@@ -70,322 +64,16 @@ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "${DS_THANOS}" }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "custom": { - "align": "auto", - "cellOptions": { - "type": "auto" - }, - "inspect": false - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - } - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "container" - }, - "properties": [ - { - "id": "displayName", - "value": "Container" - }, - { - "id": "unit", - "value": "currencyUSD" - }, - { - "id": "decimals", - "value": 2 - }, - { - "id": "custom.align" - }, - { - "id": "thresholds", - "value": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(245, 54, 54, 0.9)", - "value": null - }, - { - "color": "rgba(50, 172, 45, 0.97)", - "value": 30 - }, - { - "color": "#c15c17", - "value": 80 - } - ] - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Value #memory_requests" - }, - "properties": [ - { - "id": "displayName", - "value": "Memory Request" - }, - { - "id": "unit", - "value": "bytes" - }, - { - "id": "decimals", - "value": 2 - }, - { - "id": "custom.align" - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Value #cpu_requests" - }, - "properties": [ - { - "id": "displayName", - "value": "CPU Request" - }, - { - "id": "unit", - "value": "none" - }, - { - "id": "decimals", - "value": 2 - }, - { - "id": "custom.align" - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Time" - }, - "properties": [ - { - "id": "unit", - "value": "short" - }, - { - "id": "decimals", - "value": 2 - }, - { - "id": "custom.align" - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Value #C" - }, - "properties": [ - { - "id": "displayName", - "value": "Memory ($/hour)" - }, - { - "id": "unit", - "value": "currencyUSD" - }, - { - "id": "decimals", - "value": 2 - 
}, - { - "id": "custom.align" - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Value #D" - }, - "properties": [ - { - "id": "displayName", - "value": "Spot/PE RAM" - }, - { - "id": "unit", - "value": "currencyUSD" - }, - { - "id": "decimals", - "value": 2 - }, - { - "id": "custom.align" - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Value #E" - }, - "properties": [ - { - "id": "displayName", - "value": "Total" - }, - { - "id": "unit", - "value": "currencyUSD" - }, - { - "id": "decimals", - "value": 2 - }, - { - "id": "custom.align" - }, - { - "id": "thresholds", - "value": { - "mode": "absolute", - "steps": [ - { - "color": "#bf1b00", - "value": null - }, - { - "color": "rgba(50, 172, 45, 0.97)" - } - ] - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "cluster_id" - }, - "properties": [ - { - "id": "custom.width", - "value": 226 - } - ] - } - ] - }, - "gridPos": { - "h": 8, - "w": 24, - "x": 0, - "y": 0 - }, - "hideTimeOverride": true, - "id": 98, - "links": [], - "options": { - "cellHeight": "sm", - "footer": { - "countRows": false, - "fields": "", - "reducer": [ - "sum" - ], - "show": false - }, - "showHeader": true, - "sortBy": [ - { - "desc": true, - "displayName": "Memory Request" - } - ] - }, - "pluginVersion": "9.5.2", - "repeatDirection": "v", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${datasource}" - }, - "expr": "sum(\n avg_over_time(kube_pod_container_resource_requests{resource=\"memory\",cluster_id=~\"$cluster\", namespace=~\"$namespace\", container=~\"$container\", container!=\"POD\"}[$__range])\n) by (cluster_id, namespace, container)", - "format": "table", - "instant": true, - "intervalFactor": 1, - "refId": "memory_requests" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${datasource}" - }, - "expr": "sum(\n avg_over_time(kube_pod_container_resource_requests{resource=\"cpu\",cluster_id=~\"$cluster\", namespace=~\"$namespace\", container=~\"$container\", 
container!=\"POD\"}[$__range])\n or up * 0 \n) by (cluster_id, namespace, container)", - "format": "table", - "hide": false, - "instant": true, - "interval": "", - "intervalFactor": 1, - "legendFormat": "", - "refId": "cpu_requests" - } - ], - "timeFrom": "1M", - "title": "Container allocation analysis", - "transformations": [ - { - "id": "merge", - "options": { - "reducers": [] - } - } - ], - "type": "table" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${datasource}" - }, - "description": "CPU usage vs requests", + "description": "Maximum CPU Core Usage vs avg Requested", "fieldConfig": { "defaults": { "color": { "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -399,14 +87,15 @@ "tooltip": false, "viz": false }, - "lineInterpolation": "stepAfter", + "insertNulls": false, + "lineInterpolation": "linear", "lineWidth": 2, "pointSize": 5, "scaleDistribution": { "type": "linear" }, - "showPoints": "never", - "spanNulls": true, + "showPoints": "auto", + "spanNulls": 3600000, "stacking": { "group": "A", "mode": "none" @@ -430,21 +119,24 @@ } ] }, - "unit": "none" + "unit": "none", + "unitScale": true }, "overrides": [] }, "gridPos": { "h": 7, - "w": 24, + "w": 12, "x": 0, - "y": 8 + "y": 0 }, "id": 94, "links": [], "options": { "legend": { - "calcs": [], + "calcs": [ + "max" + ], "displayMode": "list", "placement": "bottom", "showLegend": true 
@@ -454,137 +146,21 @@ "sort": "desc" } }, - "pluginVersion": "9.1.0-beta1", + "pluginVersion": "9.4.7", "targets": [ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "${DS_THANOS}" }, "editorMode": "code", - "expr": "avg(rate(container_cpu_usage_seconds_total{cluster_id=~\"$cluster\", namespace=~\"$namespace\", container=~\"$container\", container!=\"POD\",container!=\"\"}[10m])) by (cluster_id, namespace, container)", + "expr": "max(irate(container_cpu_usage_seconds_total\r\n {cluster_id=\"$cluster\",namespace=~\"$namespace\",pod=~\"$pod\", container=~\"$container\", container!=\"POD\",container!=\"\"}\r\n [$__rate_interval])) \r\n by (cluster_id, namespace, pod, container)", "format": "time_series", "hide": false, "instant": false, "interval": "", "intervalFactor": 1, - "legendFormat": "{{cluster_id}}/{{namespace}}/{{container}} (usage)", - "metric": "container_cpu", - "refId": "usage", - "step": 10 - }, - { - "datasource": { - "type": "prometheus", - "uid": "${datasource}" - }, - "editorMode": "code", - "exemplar": true, - "expr": "avg(kube_pod_container_resource_requests{resource=\"cpu\", unit=\"core\", cluster_id=~\"$cluster\", namespace=~\"$namespace\", container=~\"$container\", container!=\"POD\"}) by (cluster_id, namespace, container)", - "legendFormat": "{{cluster_id}}/{{namespace}}/{{ container }} (request)", - "range": true, - "refId": "requests" - } - ], - "timeFrom": "", - "title": "CPU Usage vs Requested", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${datasource}" - }, - "description": "Memory usage vs. 
requests", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineInterpolation": "stepAfter", - "lineWidth": 2, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": true, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "min": 0, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "bytes" - }, - "overrides": [] - }, - "gridPos": { - "h": 7, - "w": 24, - "x": 0, - "y": 15 - }, - "id": 96, - "links": [], - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "pluginVersion": "9.1.0-beta1", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${datasource}" - }, - "editorMode": "code", - "expr": "avg(avg_over_time(container_memory_working_set_bytes{cluster_id=~\"$cluster\", namespace=~\"$namespace\", container=~\"$container\", container!=\"POD\",container!=\"\"}[5m])) by (cluster_id, namespace, container)", - "format": "time_series", - "hide": false, - "instant": false, - "interval": "", - "intervalFactor": 1, - "legendFormat": "{{cluster_id}}/{{namespace}}/{{ container }} (usage)", + "legendFormat": "{{cluster_id}} {{namespace}}/{{pod}}/{{container}} (usage max)", "metric": "container_cpu", "refId": "A", "step": 10 
@@ -592,34 +168,33 @@ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "${DS_THANOS}" }, "editorMode": "code", - "expr": "avg(kube_pod_container_resource_requests{resource=\"memory\", unit=\"byte\", cluster_id=~\"$cluster\", namespace=~\"$namespace\", container=~\"$container\", container!=\"POD\"}) by (cluster_id, namespace, container)", - "format": "time_series", - "hide": false, - "instant": false, - "intervalFactor": 1, - "legendFormat": "{{cluster_id}}/{{namespace}}/{{ container }} (requested)", + "exemplar": true, + "expr": "avg(kube_pod_container_resource_requests\r\n {cluster_id=\"$cluster\",resource=\"cpu\",unit=\"core\",namespace=~\"$namespace\",pod=~\"$pod\",container=~\"$container\",container!=\"POD\"}\r\n ) \r\nby (cluster_id,namespace,pod,container)", + "legendFormat": "{{cluster_id}} {{namespace}}/{{pod}}/{{container}} (requested)", + "range": true, "refId": "B" } ], "timeFrom": "", - "title": "RAM Usage vs Requested", + "title": "CPU Core Usage vs Requested", "type": "timeseries" }, { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "${DS_THANOS}" }, - "description": "Percentage of time a pod is being throttled. Values range from 0-100", + "description": "Max memory used vs avg requested", "fieldConfig": { "defaults": { "color": { "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -633,14 +208,15 @@ "tooltip": false, "viz": false }, - "lineInterpolation": "stepAfter", + "insertNulls": false, + "lineInterpolation": "linear", "lineWidth": 2, "pointSize": 5, "scaleDistribution": { "type": "linear" }, - "showPoints": "never", - "spanNulls": true, + "showPoints": "auto", + "spanNulls": 3600000, "stacking": { "group": "A", "mode": "none" 
@@ -664,21 +240,146 @@ } ] }, - "unit": "none" + "unit": "bytes", + "unitScale": true }, "overrides": [] }, "gridPos": { - "h": 6, - "w": 24, - "x": 0, - "y": 22 + "h": 7, + "w": 12, + "x": 12, + "y": 0 }, - "id": 99, + "id": 96, "links": [], "options": { "legend": { - "calcs": [], + "calcs": [ + "max" + ], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "asc" + } + }, + "pluginVersion": "9.4.7", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_THANOS}" + }, + "editorMode": "code", + "expr": "max(max_over_time(container_memory_working_set_bytes\r\n {namespace=~\"$namespace\",pod=~\"$pod\",cluster_id=\"$cluster\",container=~\"$container\",container!=\"POD\",container!=\"\"}\r\n [$__rate_interval])) \r\nby (cluster_id,namespace,pod,container)", + "format": "time_series", + "hide": false, + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{cluster_id}} {{namespace}}/{{pod}}/{{container}} (usage max)", + "metric": "container_cpu", + "refId": "MEMORY_USAGE", + "step": 10 + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_THANOS}" + }, + "editorMode": "code", + "expr": "avg(kube_pod_container_resource_requests\n {resource=\"memory\",unit=\"byte\",cluster_id=\"$cluster\",namespace=~\"$namespace\",pod=~\"$pod\", container=~\"$container\",container!=\"POD\"}\n )\nby (cluster_id,namespace,pod,container)", + "format": "time_series", + "hide": false, + "instant": false, + "intervalFactor": 1, + "legendFormat": "{{cluster_id}} {{namespace}}/{{pod}}/{{container}} (requested)", + "refId": "MEMORY_REQUESTED" + } + ], + "timeFrom": "", + "title": "Memory Usage vs Requested", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_THANOS}" + }, + "description": "Network traffic by pod", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + 
"axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 2, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": 3600000, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "Bps", + "unitScale": true + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 7 + }, + "id": 95, + "links": [], + "options": { + "legend": { + "calcs": [ + "mean" + ], "displayMode": "list", "placement": "bottom", "showLegend": true 
@@ -688,20 +389,267 @@ "sort": "desc" } }, - "pluginVersion": "9.1.0-beta1", + "pluginVersion": "9.4.7", "targets": [ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "${DS_THANOS}" }, "editorMode": "code", - "expr": "100\n * sum by(cluster_id, namespace, container) (increase(container_cpu_cfs_throttled_periods_total{container!=\"\",cluster_id=~\"$cluster\", namespace=~\"$namespace\", container=~\"$container\", container!=\"POD\"}[5m]))\n / sum by(cluster_id, namespace, container) (increase(container_cpu_cfs_periods_total{container!=\"\",cluster_id=~\"$cluster\", namespace=~\"$namespace\", container=~\"$container\", container!=\"POD\"}[5m]))", + "expr": "sum(irate(container_network_receive_bytes_total\n {cluster_id=~\"$cluster\",namespace=~\"$namespace\",pod=~\"$pod\"}\n [$__rate_interval])) \nby (cluster_id, namespace, pod)", + "format": "time_series", + "hide": false, + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{cluster_id}} {{namespace}}/{{pod}}<- in", + "metric": "container_cpu", + "refId": "A", + "step": 10 + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_THANOS}" + }, + "editorMode": "code", + "expr": "- sum(irate(container_network_transmit_bytes_total\n {cluster_id=\"$cluster\",namespace=~\"$namespace\",pod=~\"$pod\"}\n [$__rate_interval])) \nby (cluster_id, namespace, pod)", + "format": "time_series", + "hide": false, + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{cluster_id}} {{namespace}}/{{pod}}-> out", + "refId": "B" + } + ], + "timeFrom": "", + "title": "Network IO", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_THANOS}" + }, + "description": "Disk read writes", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + 
"barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 2, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": 3600000, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "Bps", + "unitScale": true + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 7 + }, + "id": 97, + "links": [], + "options": { + "legend": { + "calcs": [ + "mean" + ], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "9.4.7", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_THANOS}" + }, + "editorMode": "code", + "expr": "sum(irate(container_fs_writes_bytes_total\r\n {cluster_id=\"$cluster\",namespace=~\"$namespace\",container!=\"POD\",pod!=\"\",pod=~\"$pod\",container=~\"$container\"}\r\n [$__rate_interval])) \r\nby (cluster_id,namespace,pod,container)", + "format": "time_series", + "hide": false, + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{cluster_id}} {{pod}}/{{container}}<- write", + "metric": "container_cpu", + "refId": "A", + "step": 10 + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_THANOS}" + }, + "editorMode": "code", + "expr": "- sum(irate(container_fs_reads_bytes_total\r\n {cluster_id=\"$cluster\",namespace=~\"$namespace\",container!=\"POD\",pod!=\"\",pod=~\"$pod\",container=~\"$container\"}\r\n [$__rate_interval])) \r\nby (cluster_id,namespace,pod,container)", + "format": "time_series", + "hide": false, + "instant": 
false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{cluster_id}} {{pod}}/{{container}}-> read", + "refId": "B" + } + ], + "timeFrom": "", + "title": "Disk IO", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_THANOS}" + }, + "description": "This graph shows the % of periods where a pod is being throttled. Values range from 0-100", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 2, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": 1800000, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percent", + "unitScale": true + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 99, + "links": [], + "options": { + "legend": { + "calcs": [ + "mean" + ], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "9.4.7", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_THANOS}" + }, + "editorMode": "code", + "expr": "100\n * sum by(cluster_id, namespace, pod, container) (increase(container_cpu_cfs_throttled_periods_total{container!=\"\",cluster_id=\"$cluster\", namespace=~\"$namespace\", pod=~\"$pod\", container=~\"$container\", 
container!=\"POD\"}[$__rate_interval]))\n / sum by(cluster_id,namespace,pod,container) (increase(container_cpu_cfs_periods_total{container!=\"\",cluster_id=\"$cluster\",namespace=~\"$namespace\",pod=~\"$pod\",container=~\"$container\",container!=\"POD\"}[$__rate_interval]))", "format": "time_series", "instant": false, "interval": "", "intervalFactor": 1, - "legendFormat": "{{cluster_id}}/{{namespace}}/{{ container }}", + "legendFormat": "", "refId": "B" } ], @@ -712,66 +660,31 @@ ], "refresh": "", "revision": 1, - "schemaVersion": 38, - "style": "dark", - "tags": [ - "utilization", - "metrics", - "kubecost" - ], + "schemaVersion": 39, + "tags": [], "templating": { "list": [ { - "current": { - "selected": false, - "text": "Prometheus", - "value": "Prometheus" - }, + "current": {}, + "definition": "label_values(cluster_id)", "hide": 0, "includeAll": false, "multi": false, - "name": "datasource", - "options": [], - "query": "prometheus", - "queryValue": "", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${datasource}" - }, - "definition": "label_values(kube_namespace_labels, cluster_id)", - "hide": 0, - "includeAll": true, - "label": "", - "multi": false, "name": "cluster", "options": [], "query": { - "query": "label_values(kube_namespace_labels, cluster_id)", + "query": "label_values(cluster_id)", "refId": "StandardVariableQuery" }, "refresh": 2, "regex": "", "skipUrlSync": false, "sort": 5, - "tagValuesQuery": "", - "tagsQuery": "", - "type": "query", - "useTags": false + "type": "query" }, { "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${datasource}" - }, - "definition": "label_values(kube_namespace_labels{cluster_id=~\"$cluster\"}, namespace) ", + "definition": "label_values(kube_namespace_labels{cluster_id=\"$cluster\"}, namespace) ", "hide": 0, "includeAll": true, "label": "", 
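Review bot: In the new "Network IO" panel the receive query selects `cluster_id=~\"$cluster\"` while its paired transmit query, and every other query in this hunk, selects `cluster_id=\"$cluster\"`. With the `cluster` variable now single-select (`multi: false`, `includeAll: false` in the templating hunk below), `=~` treats the chosen value as an unanchored regex, so a cluster id that is a prefix of another (e.g. `prod` vs `prod-2`) would fold both clusters into the inbound series while outbound shows only one. Changing the receive selector to `cluster_id=\"$cluster\"` makes the two halves of the panel, and the rest of the dashboard, agree. Separately, the throttling panel's `"legendFormat"` is now `""`, which drops the cluster/namespace/pod/container identification from the legend; restoring a format like `{{cluster_id}} {{namespace}}/{{pod}}/{{container}}` would keep series distinguishable.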
@@ -779,7 +692,7 @@ "name": "namespace", "options": [], "query": { - "query": "label_values(kube_namespace_labels{cluster_id=~\"$cluster\"}, namespace) ", + "query": "label_values(kube_namespace_labels{cluster_id=\"$cluster\"}, namespace) ", "refId": "StandardVariableQuery" }, "refresh": 2, @@ -793,18 +706,36 @@ }, { "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${datasource}" + "definition": "label_values(kube_pod_labels{cluster_id=\"$cluster\",namespace=~\"$namespace\"}, pod) ", + "hide": 0, + "includeAll": true, + "label": "pod", + "multi": false, + "name": "pod", + "options": [], + "query": { + "query": "label_values(kube_pod_labels{cluster_id=\"$cluster\",namespace=~\"$namespace\"}, pod) ", + "refId": "StandardVariableQuery" }, - "definition": "label_values(container_memory_working_set_bytes{cluster_id=~\"$cluster\",namespace=~\"$namespace\", container!=\"POD\"}, container) ", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 1, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "definition": "label_values(container_memory_working_set_bytes{cluster_id=\"$cluster\",namespace=~\"$namespace\",pod=~\"$pod\", container!=\"POD\"}, container) ", "hide": 0, "includeAll": true, "multi": false, "name": "container", "options": [], "query": { - "query": "label_values(container_memory_working_set_bytes{cluster_id=~\"$cluster\",namespace=~\"$namespace\", container!=\"POD\"}, container) ", + "query": "label_values(container_memory_working_set_bytes{cluster_id=\"$cluster\",namespace=~\"$namespace\",pod=~\"$pod\", container!=\"POD\"}, container) ", "refId": "StandardVariableQuery" }, "refresh": 2, @@ -816,7 +747,7 @@ ] }, "time": { - "from": "now-7d", + "from": "now-2d", "to": "now" }, "timepicker": { 
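Review bot: This hunk removes the `datasource` template variable and the `"datasource"` entries on the `cluster` and `namespace` variables, while the panels above now reference `"uid": "${DS_THANOS}"`, which is the `__inputs` placeholder declared at the top of the file. That placeholder is substituted only when the dashboard is imported through the Grafana import UI; if this file is instead loaded by the dashboards sidecar configured in `old-grafana-values.yaml` (as the chart appears to do), the panels would reference a literal `${DS_THANOS}` UID and the variables would silently fall back to the default datasource, which may not be the Thanos endpoint. If sidecar provisioning is the intended path, keeping a `type: datasource` variable and pointing the panels and variable queries at `${datasource}` avoids depending on import-time substitution. The templating list continues past this hunk.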
@@ -845,8 +776,8 @@ ] }, "timezone": "browser", - "title": "Kubecost - container CPU & Memory usage(multi-cluster)", - "uid": "kubecost-container-stats", + "title": "Pod utilization metrics (multi-cluster)", + "uid": "at-cost-analysis-pod2", "version": 1, "weekStart": "" } \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/old-grafana-values.yaml b/charts/kubecost/cost-analyzer/old-grafana-values.yaml index 7843bc9a3..1d5e1d026 100644 --- a/charts/kubecost/cost-analyzer/old-grafana-values.yaml +++ b/charts/kubecost/cost-analyzer/old-grafana-values.yaml @@ -172,7 +172,7 @@ smtp: sidecar: image: repository: kiwigrid/k8s-sidecar - tag: 1.25.3 + tag: 1.25.4 pullPolicy: IfNotPresent resources: {} dashboards: diff --git a/charts/kubecost/cost-analyzer/pod-utilization-multi-cluster.json b/charts/kubecost/cost-analyzer/pod-utilization-multi-cluster.json index 6839559e3..3eb5184bb 100644 --- a/charts/kubecost/cost-analyzer/pod-utilization-multi-cluster.json +++ b/charts/kubecost/cost-analyzer/pod-utilization-multi-cluster.json @@ -26,14 +26,14 @@ "fiscalYearStartMonth": 0, "gnetId": 9063, "graphTooltip": 0, - "id": 13, + "id": 4, "links": [], "liveNow": false, "panels": [ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "Thanos" }, "description": "Maximum CPU Core Usage vs avg Requested", "fieldConfig": { @@ -42,6 +42,7 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -55,6 +56,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 2, "pointSize": 5, @@ -86,7 +88,8 @@ } ] }, - "unit": "none" + "unit": "none", + "unitScale": true }, "overrides": [] }, 
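Review bot: Changing the dashboard `uid` from `kubecost-container-stats` to `at-cost-analysis-pod2` (along with the title) makes Grafana's file provisioning treat this as a brand-new dashboard rather than an update of the existing one, so saved links, the old entry in the dashboard browser and anything referencing the old uid break on upgrade. If the rename is deliberate it belongs in the chart's upgrade notes; otherwise keep `"uid": "kubecost-container-stats"` and change only the title. A uid ending in `pod2` also reads like a copy of another dashboard's identifier; a descriptive kebab-case uid such as `kubecost-pod-utilization-multi-cluster` would be clearer.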
@@ -117,7 +120,7 @@ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "Thanos" }, "editorMode": "code", "expr": "max(irate(container_cpu_usage_seconds_total\r\n {cluster_id=\"$cluster\",namespace=~\"$namespace\",pod=~\"$pod\", container=~\"$container\", container!=\"POD\",container!=\"\"}\r\n [$__rate_interval])) \r\n by (cluster_id, namespace, pod, container)", @@ -134,7 +137,7 @@ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "Thanos" }, "editorMode": "code", "exemplar": true, @@ -151,7 +154,7 @@ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "Thanos" }, "description": "Max memory used vs avg requested", "fieldConfig": { @@ -160,6 +163,7 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -173,6 +177,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 2, "pointSize": 5, @@ -204,7 +209,8 @@ } ] }, - "unit": "bytes" + "unit": "bytes", + "unitScale": true }, "overrides": [] }, @@ -234,7 +240,8 @@ "targets": [ { "datasource": { - "uid": "${datasource}" + "type": "prometheus", + "uid": "Thanos" }, "editorMode": "code", "expr": "max(max_over_time(container_memory_working_set_bytes\r\n {namespace=~\"$namespace\",pod=~\"$pod\",cluster_id=\"$cluster\",container=~\"$container\",container!=\"POD\",container!=\"\"}\r\n [$__rate_interval])) \r\nby (cluster_id,namespace,pod,container)", @@ -250,7 +257,8 @@ }, { "datasource": { - "uid": "${datasource}" + "type": "prometheus", + "uid": "Thanos" }, "editorMode": "code", "expr": "avg(kube_pod_container_resource_requests\n {resource=\"memory\",unit=\"byte\",cluster_id=\"$cluster\",namespace=~\"$namespace\",pod=~\"$pod\", container=~\"$container\",container!=\"POD\"}\n )\nby (cluster_id,namespace,pod,container)", 
@@ -269,7 +277,7 @@ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "Thanos" }, "description": "Network traffic by pod", "fieldConfig": { @@ -278,6 +286,7 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -291,6 +300,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 2, "pointSize": 5, @@ -321,7 +331,8 @@ } ] }, - "unit": "Bps" + "unit": "Bps", + "unitScale": true }, "overrides": [] }, @@ -351,7 +362,8 @@ "targets": [ { "datasource": { - "uid": "${datasource}" + "type": "prometheus", + "uid": "Thanos" }, "editorMode": "code", "expr": "sum(irate(container_network_receive_bytes_total\n {cluster_id=~\"$cluster\",namespace=~\"$namespace\",pod=~\"$pod\"}\n [$__rate_interval])) \nby (cluster_id, namespace, pod)", @@ -367,7 +379,8 @@ }, { "datasource": { - "uid": "${datasource}" + "type": "prometheus", + "uid": "Thanos" }, "editorMode": "code", "expr": "- sum(irate(container_network_transmit_bytes_total\n {cluster_id=\"$cluster\",namespace=~\"$namespace\",pod=~\"$pod\"}\n [$__rate_interval])) \nby (cluster_id, namespace, pod)", @@ -387,7 +400,7 @@ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "Thanos" }, "description": "Disk read writes", "fieldConfig": { @@ -396,6 +409,7 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -409,6 +423,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 2, "pointSize": 5, @@ -439,7 +454,8 @@ } ] }, - "unit": "Bps" + "unit": "Bps", + "unitScale": true }, "overrides": [] }, 
@@ -469,7 +485,8 @@ "targets": [ { "datasource": { - "uid": "${datasource}" + "type": "prometheus", + "uid": "Thanos" }, "editorMode": "code", "expr": "sum(irate(container_fs_writes_bytes_total\r\n {cluster_id=\"$cluster\",namespace=~\"$namespace\",container!=\"POD\",pod!=\"\",pod=~\"$pod\",container=~\"$container\"}\r\n [$__rate_interval])) \r\nby (cluster_id,namespace,pod,container)", @@ -485,7 +502,8 @@ }, { "datasource": { - "uid": "${datasource}" + "type": "prometheus", + "uid": "Thanos" }, "editorMode": "code", "expr": "- sum(irate(container_fs_reads_bytes_total\r\n {cluster_id=\"$cluster\",namespace=~\"$namespace\",container!=\"POD\",pod!=\"\",pod=~\"$pod\",container=~\"$container\"}\r\n [$__rate_interval])) \r\nby (cluster_id,namespace,pod,container)", @@ -505,7 +523,7 @@ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "Thanos" }, "description": "This graph shows the % of periods where a pod is being throttled. Values range from 0-100", "fieldConfig": { @@ -514,6 +532,7 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -527,6 +546,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 2, "pointSize": 5, @@ -558,7 +578,8 @@ } ] }, - "unit": "percent" + "unit": "percent", + "unitScale": true }, "overrides": [] }, 
@@ -588,7 +609,8 @@ "targets": [ { "datasource": { - "uid": "${datasource}" + "type": "prometheus", + "uid": "Thanos" }, "editorMode": "code", "expr": "100\n * sum by(cluster_id, namespace, pod, container) (increase(container_cpu_cfs_throttled_periods_total{container!=\"\",cluster_id=\"$cluster\", namespace=~\"$namespace\", pod=~\"$pod\", container=~\"$container\", container!=\"POD\"}[$__rate_interval]))\n / sum by(cluster_id,namespace,pod,container) (increase(container_cpu_cfs_periods_total{container!=\"\",cluster_id=\"$cluster\",namespace=~\"$namespace\",pod=~\"$pod\",container=~\"$container\",container!=\"POD\"}[$__rate_interval]))", @@ -607,20 +629,19 @@ ], "refresh": "", "revision": 1, - "schemaVersion": 38, - "style": "dark", + "schemaVersion": 39, "tags": [], "templating": { "list": [ { "current": { "selected": false, - "text": "All", - "value": "$__all" + "text": "CostManagement", + "value": "CostManagement" }, "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "Thanos" }, "definition": "label_values(cluster_id)", "hide": 0, @@ -640,10 +661,13 @@ }, { "current": { - "selected": false + "selected": false, + "text": "kubecost", + "value": "kubecost" }, "datasource": { - "uid": "${datasource}" + "type": "prometheus", + "uid": "Thanos" }, "definition": "label_values(kube_namespace_labels{cluster_id=\"$cluster\"}, namespace) ", "hide": 0, @@ -672,7 +696,8 @@ "value": "$__all" }, "datasource": { - "uid": "${datasource}" + "type": "prometheus", + "uid": "Thanos" }, "definition": "label_values(kube_pod_labels{cluster_id=\"$cluster\",namespace=~\"$namespace\"}, pod) ", "hide": 0, @@ -702,7 +727,7 @@ }, "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "Thanos" }, "definition": "label_values(container_memory_working_set_bytes{cluster_id=\"$cluster\",namespace=~\"$namespace\",pod=~\"$pod\", container!=\"POD\"}, container) ", "hide": 0, 
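Review bot: Every panel and template variable in this file now carries the literal datasource uid `"Thanos"` in place of `${datasource}`, and the `cluster`/`namespace` variables ship with `current` values `CostManagement` and `kubecost`, which reads as an export from one specific environment rather than a chart default. On any Grafana whose Prometheus-compatible datasource does not have exactly that uid the dashboard loads with "datasource not found" on every panel. Restore `"uid": "${datasource}"` backed by a `type: datasource` template variable (as the other dashboard in this commit used to have) and reset the `current` blocks to `{}` / `$__all` so the first user is not dropped into someone else's cluster selection.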
diff --git a/charts/kubecost/cost-analyzer/templates/NOTES.txt b/charts/kubecost/cost-analyzer/templates/NOTES.txt index 0288f012c..5e9aa2476 100644 --- a/charts/kubecost/cost-analyzer/templates/NOTES.txt +++ b/charts/kubecost/cost-analyzer/templates/NOTES.txt @@ -3,6 +3,10 @@ {{- include "cloudIntegrationSourceCheck" . -}} {{- include "eksCheck" . -}} {{- include "cloudIntegrationSecretCheck" . -}} +{{- include "gcpCloudIntegrationCheck" . -}} +{{- include "azureCloudIntegrationCheck" . -}} +{{- include "federatedStorageConfigSecretCheck" . -}} + {{- $servicePort := .Values.service.port | default 9090 }} Kubecost {{ .Chart.Version }} has been successfully installed. diff --git a/charts/kubecost/cost-analyzer/templates/_helpers.tpl b/charts/kubecost/cost-analyzer/templates/_helpers.tpl index 9ab1459b9..217e15ec2 100644 --- a/charts/kubecost/cost-analyzer/templates/_helpers.tpl +++ b/charts/kubecost/cost-analyzer/templates/_helpers.tpl 
@@ -51,12 +51,14 @@ Kubecost 2.0 preconditions {{/*https://github.com/helm/helm/issues/8026#issuecomment-881216078*/}} {{- if ((.Values.thanos).store).enabled -}} - {{- fail "\n\nYou are attempting to upgrade to Kubecost 2.0.\nKubecost no longer includes Thanos by default. \nPlease see https://docs.kubecost.com/install-and-configure/install/kubecostv2 for more information.\nIf you have any questions or concerns, please reach out to us at product@kubecost.com" -}} + {{- fail "\n\nYou are attempting to upgrade to Kubecost 2.x.\nKubecost no longer includes Thanos by default. \nPlease see https://docs.kubecost.com/install-and-configure/install/kubecostv2 for more information.\nIf you have any questions or concerns, please reach out to us at product@kubecost.com" -}} {{- end -}} {{- if or (((.Values.global).amp).enabled) (((.Values.global).gmp).enabled) (((.Values.global).thanos).queryService) (((.Values.global).mimirProxy).enabled) -}} - {{- if or (not (.Values.federatedETL).federatedCluster) (not (.Values.upgrade).toV2) -}} + {{- if (not (.Values.federatedETL).federatedCluster) -}} + {{- if (not (.Values.upgrade).toV2) -}} {{- fail "\n\nMulti-Cluster-Prometheus Error:\nYou are attempting to upgrade to Kubecost 2.x\nSupport for multi-cluster Prometheus (Thanos/AMP/GMP/mimir/etc) without using `Kubecost Federated ETL Object Storage` will be added in future release. \nIf this is a single cluster Kubecost environment, upgrading is supported using a flag to acknowledge this change.\nMore information can be found here: \nhttps://docs.kubecost.com/install-and-configure/install/kubecostv2\nIf you have any questions or concerns, please reach out to us at product@kubecost.com\n\nWhen ready to upgrade, add `--set upgrade.toV2=true`." -}} + {{- end -}} {{- end -}} {{- end -}} 
@@ -91,10 +93,19 @@ Kubecost 2.0 preconditions {{- fail "Kubecost no longer includes PodSecurityPolicy by default. Please take steps to preserve your existing PSPs before attempting the installation/upgrade again with the podSecurityPolicy values removed." }} {{- end }} + {{- if ((.Values.kubecostDeployment).leaderFollower).enabled -}} + {{- fail "\nIn Kubecost 2.0, kubecostDeployment does not support running as leaderFollower. Please reach out to support to discuss upgrade paths." -}} + {{- end -}} + + {{- if ((.Values.kubecostDeployment).statefulSet).enabled -}} + {{- fail "\nIn Kubecost 2.0, kubecostDeployment does not support running as a statefulSet. Please reach out to support to discuss upgrade paths." -}} + {{- end -}} + {{- end -}} {{- define "cloudIntegrationFromProductConfigs" }} { + {{- if ((.Values.kubecostProductConfigs).athenaBucketName) }} "aws": [ { "athenaBucketName": "{{ .Values.kubecostProductConfigs.athenaBucketName }}", @@ -102,12 +113,21 @@ Kubecost 2.0 preconditions "athenaDatabase": "{{ .Values.kubecostProductConfigs.athenaDatabase }}", "athenaTable": "{{ .Values.kubecostProductConfigs.athenaTable }}", "projectID": "{{ .Values.kubecostProductConfigs.athenaProjectID }}" + {{ if (.Values.kubecostProductConfigs).athenaWorkgroup }} + , "athenaWorkgroup": "{{ .Values.kubecostProductConfigs.athenaWorkgroup }}" + {{ else }} + , "athenaWorkgroup": "primary" + {{ end }} + {{ if (.Values.kubecostProductConfigs).masterPayerARN }} + , "masterPayerARN": "{{ .Values.kubecostProductConfigs.masterPayerARN }}" + {{ end }} {{- if and ((.Values.kubecostProductConfigs).awsServiceKeyName) ((.Values.kubecostProductConfigs).awsServiceKeyPassword) }}, "serviceKeyName": "{{ .Values.kubecostProductConfigs.awsServiceKeyName }}", "serviceKeySecret": "{{ .Values.kubecostProductConfigs.awsServiceKeyPassword }}" {{- end }} } ] + {{- end }} } {{- end }} 
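Review bot: The new `athenaWorkgroup` and `masterPayerARN` lines follow the existing pattern of splicing a raw value into a hand-written JSON string (`"{{ .Values.... }}"`), which yields invalid JSON — or lets a value inject extra keys — as soon as the value contains a `"` or `\`; the adjacent `serviceKeySecret` line carries a password, so this is not hypothetical. Sprig's `toJson` emits a correctly quoted and escaped string and also folds the five-line workgroup default into one: `, "athenaWorkgroup": {{ .Values.kubecostProductConfigs.athenaWorkgroup | default "primary" | toJson }}` and `, "masterPayerARN": {{ .Values.kubecostProductConfigs.masterPayerARN | toJson }}`. The opening of `cloudIntegrationFromProductConfigs` sits in the previous hunk and the bucket/region lines between the two hunks, so the whole define should get the same treatment in one pass.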
@@ -118,10 +138,13 @@ will result in failure. Users are asked to select one of the two presently-avail */}} {{- define "cloudIntegrationSourceCheck" -}} {{- if and (.Values.kubecostProductConfigs).cloudIntegrationSecret (.Values.kubecostProductConfigs).cloudIntegrationJSON -}} - {{- fail "\ncloudIntegrationSecret and cloudIntegrationJSON are mutually exclusive. Please specify only one." -}} + {{- fail "\nkubecostProductConfigs.cloudIntegrationSecret and kubecostProductConfigs.cloudIntegrationJSON are mutually exclusive. Please specify only one." -}} {{- end -}} -{{- if and (.Values.kubecostProductConfigs).cloudIntegrationSecret ((.Values.kubecostProductConfigs).athenaProjectID) }} - {{- fail "\nUsing a cloud-integration secret and kubecostProductConfigs.athena* values are mutually exclusive. Please specifiy only one." -}} + {{- if and (.Values.kubecostProductConfigs).cloudIntegrationSecret ((.Values.kubecostProductConfigs).athenaBucketName) }} + {{- fail "\nkubecostProductConfigs.cloudIntegrationSecret and kubecostProductConfigs.athena* values are mutually exclusive. Please specifiy only one." -}} + {{- end -}} +{{- if and (.Values.kubecostProductConfigs).cloudIntegrationJSON ((.Values.kubecostProductConfigs).athenaBucketName) }} + {{- fail "\nkubecostProductConfigs.cloudIntegrationJSON and kubecostProductConfigs.athena* values are mutually exclusive. Please specifiy only one." -}} {{- end -}} {{- end -}} 
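Review bot: Both new `fail` messages carry the typo `specifiy` (`Please specifiy only one.`), which is shown verbatim to every operator who trips the precondition; change it to `Please specify only one.`. The `cloudIntegrationSecret`/`athena*` check is also indented four spaces deeper than the two sibling checks inside the same define, which reads as if it were nested; aligning it with the other `{{- if` lines keeps the three mutually-exclusive checks visibly parallel.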
@@ -143,17 +166,39 @@ ERROR: MISSING EBS-CSI DRIVER WHICH IS REQUIRED ON EKS v1.23+ TO MANAGE PERSISTE {{/* Verify the cloud integration secret exists with the expected key when cloud integration is enabled. +Skip the check if CI/CD is enabled and skipSanityChecks is set. Argo CD, for example, does not +support templating a chart which uses the lookup function. */}} {{- define "cloudIntegrationSecretCheck" -}} {{- if (.Values.kubecostProductConfigs).cloudIntegrationSecret }} +{{- if not (and .Values.global.platforms.cicd.enabled .Values.global.platforms.cicd.skipSanityChecks) }} {{- if .Capabilities.APIVersions.Has "v1/Secret" }} {{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.kubecostProductConfigs.cloudIntegrationSecret }} {{- if or (not $secret) (not (index $secret.data "cloud-integration.json")) }} - {{- fail (printf "The cloud integration secret '%s' does not exist or does not contain the expected key 'cloud-integration.json'" .Values.kubecostProductConfigs.cloudIntegrationSecret) }} + {{- fail (printf "The cloud integration secret '%s' does not exist or does not contain the expected key 'cloud-integration.json'\nIf you are using `--dry-run`, please add `--dry-run=server`. This requires Helm 3.13+." .Values.kubecostProductConfigs.cloudIntegrationSecret) }} {{- end }} {{- end -}} {{- end -}} {{- end -}} +{{- end -}} + +{{/* +Verify the federated storage config secret exists with the expected key when cloud integration is enabled. +Skip the check if CI/CD is enabled and skipSanityChecks is set. Argo CD, for example, does not +support templating a chart which uses the lookup function. 
+*/}} +{{- define "federatedStorageConfigSecretCheck" -}} +{{- if (.Values.kubecostModel).federatedStorageConfigSecret }} +{{- if not (and .Values.global.platforms.cicd.enabled .Values.global.platforms.cicd.skipSanityChecks) }} +{{- if .Capabilities.APIVersions.Has "v1/Secret" }} + {{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.kubecostModel.federatedStorageConfigSecret }} + {{- if or (not $secret) (not (index $secret.data "federated-store.yaml")) }} + {{- fail (printf "The federated storage config secret '%s' does not exist or does not contain the expected key 'federated-store.yaml'" .Values.kubecostModel.federatedStorageConfigSecret) }} + {{- end }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} {{/* Expand the name of the chart. @@ -254,7 +299,16 @@ Create the fully qualified name for Prometheus alertmanager service. {{- end -}} {{- define "cost-analyzer.serviceName" -}} -{{- printf "%s-%s" .Release.Name "cost-analyzer" | trunc 63 | trimSuffix "-" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} {{- end -}} {{- define "diagnostics.serviceName" -}} @@ -874,6 +928,10 @@ Begin Kubecost 2.0 templates name: {{ .Values.prometheus.server.clusterIDConfigmap }} key: CLUSTER_ID {{- end }} + {{- if (gt (int .Values.kubecostAggregator.numDBCopyPartitions) 0) }} + - name: NUM_DB_COPY_CHUNKS + value: {{ .Values.kubecostAggregator.numDBCopyPartitions | quote }} + {{- end }} {{- if .Values.kubecostAggregator.jaeger.enabled }} - name: TRACING_URL value: "http://localhost:14268/api/traces" 
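Review bot: The doc comment above `federatedStorageConfigSecretCheck` says the secret is verified "when cloud integration is enabled", copied from the sibling, but the define keys on `kubecostModel.federatedStorageConfigSecret`; it should read `Verify the federated storage config secret exists with the expected key when federatedStorageConfigSecret is set.`. The sibling `cloudIntegrationSecretCheck` gained a hint in this same hunk that `lookup` returns nothing under a client-side `--dry-run`, yet the new define's `fail` omits it, so a dry run of a federated install produces a misleading "does not exist" error; append the same `\nIf you are using `--dry-run`, please add `--dry-run=server`. This requires Helm 3.13+.` suffix. Both defines also dereference `.Values.global.platforms.cicd.enabled` directly instead of the nil-safe `((.Values.global).platforms).cicd` form used elsewhere in this file, which is only safe if values.yaml always declares `global.platforms.cicd`.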
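Review bot: `cost-analyzer.serviceName` now returns `.Release.Name` alone whenever the release name contains `cost-analyzer` (and honours `fullnameOverride`/`nameOverride`), where it previously always rendered `<release>-cost-analyzer`; for an existing release named, say, `cost-analyzer` this renames the Service on upgrade, and anything addressing the old name — Ingress backends, NetworkPolicies, the nginx upstreams built from `$serviceName` in the frontend ConfigMap, external scrapers — breaks until updated. If the rename is intended, add a Kubecost 2.x precondition or at least a comment on the define, e.g. `{{/* NOTE: the service name now follows standard fullname rules; releases whose name contains the chart name lose the "-cost-analyzer" suffix on upgrade. */}}`, and cover it in the release notes. The Deployment and selector templates that must stay in sync with this helper are outside the hunk.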
@@ -1032,13 +1090,12 @@ Begin Kubecost 2.0 templates - name: federated-storage-config mountPath: /var/configs/etl/federated readOnly: true - {{- end }} - {{- if .Values.kubecostModel.etlBucketConfigSecret }} + {{- else if .Values.kubecostModel.etlBucketConfigSecret }} - name: etl-bucket-config mountPath: /var/configs/etl readOnly: true {{- end }} - {{- if or (.Values.kubecostProductConfigs).cloudIntegrationSecret (.Values.kubecostProductConfigs).cloudIntegrationJSON ((.Values.kubecostProductConfigs).athenaProjectID) }} + {{- if or (.Values.kubecostProductConfigs).cloudIntegrationSecret (.Values.kubecostProductConfigs).cloudIntegrationJSON ((.Values.kubecostProductConfigs).athenaBucketName) }} - name: cloud-integration mountPath: /var/configs/cloud-integration {{- end }} 
@@ -1102,10 +1159,76 @@ SSO enabled flag for nginx configmap {{- end -}} {{- end -}} +{{/* +Backups configured flag for nginx configmap +*/}} +{{- define "dataBackupConfigured" -}} + {{- if or (.Values.kubecostModel).etlBucketConfigSecret (.Values.kubecostModel).federatedStorageConfigSecret -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + {{- define "cost-analyzer.grafanaEnabled" -}} {{- if and (.Values.global.grafana.enabled) (not .Values.federatedETL.agentOnly) -}} {{- printf "true" -}} {{- else -}} {{- printf "false" -}} {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} + +{{- define "gcpCloudIntegrationJSON" }} +Kubecost 2.x requires a change to the method that cloud-provider billing integrations are configured. +Please use this output to create a cloud-integration.json config. See: + +for more information + + { + "gcp": + { + [ + { + "bigQueryBillingDataDataset": "{{ .Values.kubecostProductConfigs.bigQueryBillingDataDataset }}", + "bigQueryBillingDataProject": "{{ .Values.kubecostProductConfigs.bigQueryBillingDataProject }}", + "bigQueryBillingDataTable": "{{ .Values.kubecostProductConfigs.bigQueryBillingDataTable }}", + "projectID": "{{ .Values.kubecostProductConfigs.projectID }}" + } + ] + } + } +{{- end }} + +{{- define "gcpCloudIntegrationCheck" }} +{{- if ((.Values.kubecostProductConfigs).bigQueryBillingDataDataset) }} +{{- fail (include "gcpCloudIntegrationJSON" .) }} +{{- end }} +{{- end }} + + +{{- define "azureCloudIntegrationJSON" }} + +Kubecost 2.x requires a change to the method that cloud-provider billing integrations are configured. +Please use this output to create a cloud-integration.json config. 
See: + +for more information + { + "azure": + [ + { + "azureStorageContainer": "{{ .Values.kubecostProductConfigs.azureStorageContainer }}", + "azureSubscriptionID": "{{ .Values.kubecostProductConfigs.azureSubscriptionID }}", + "azureStorageAccount": "{{ .Values.kubecostProductConfigs.azureStorageAccount }}", + "azureStorageAccessKey": "{{ .Values.kubecostProductConfigs.azureStorageKey }}", + "azureContainerPath": "{{ .Values.kubecostProductConfigs.azureContainerPath }}", + "azureCloud": "{{ .Values.kubecostProductConfigs.azureCloud }}" + } + ] + } +{{- end }} + +{{- define "azureCloudIntegrationCheck" }} +{{- if ((.Values.kubecostProductConfigs).azureStorageContainer) }} +{{- fail (include "azureCloudIntegrationJSON" .) }} +{{- end }} +{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml b/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml index c0b44911d..9b6764967 100644 --- a/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml +++ b/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml @@ -3,7 +3,7 @@ {{/* A cloud integration secret is required for cloud cost to function as a dedicated pod. */}} -{{- if or (.Values.kubecostProductConfigs).cloudIntegrationSecret (.Values.kubecostProductConfigs).cloudIntegrationJSON ((.Values.kubecostProductConfigs).athenaProjectID) }} +{{- if or (.Values.kubecostProductConfigs).cloudIntegrationSecret (.Values.kubecostProductConfigs).cloudIntegrationJSON ((.Values.kubecostProductConfigs).athenaBucketName) }} apiVersion: apps/v1 kind: Deployment diff --git a/charts/kubecost/cost-analyzer/templates/cloud-integration-secret.yaml b/charts/kubecost/cost-analyzer/templates/cloud-integration-secret.yaml index d52f82d8a..e6023e59b 100644 --- a/charts/kubecost/cost-analyzer/templates/cloud-integration-secret.yaml +++ b/charts/kubecost/cost-analyzer/templates/cloud-integration-secret.yaml 
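Review bot: `azureCloudIntegrationJSON` interpolates `kubecostProductConfigs.azureStorageKey` into the message handed to `fail`, so the storage-account access key is printed to the terminal and to whatever captures Helm or Argo CD output on every failed render; replace that line with a placeholder, `"azureStorageAccessKey": "<value of kubecostProductConfigs.azureStorageKey>"`, and tell the user to fill it in locally. The GCP message is also not valid JSON — `"gcp": { [ ... ] }` wraps the array in a bare object — so the output cannot be pasted into `cloud-integration.json` as instructed; make it `"gcp": [ { ... } ]` like the Azure block. Both messages end with `See:`, a blank line and `for more information` with no URL in between; either add the documentation link or drop the sentence.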
@@ -1,4 +1,4 @@ -{{- if or ((.Values.kubecostProductConfigs).cloudIntegrationJSON) ((.Values.kubecostProductConfigs).athenaProjectID) }} +{{- if or ((.Values.kubecostProductConfigs).cloudIntegrationJSON) ((.Values.kubecostProductConfigs).athenaBucketName) }} apiVersion: v1 kind: Secret type: Opaque diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-deployment-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-deployment-template.yaml index d38cc6cef..457561db6 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-deployment-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-deployment-template.yaml @@ -158,7 +158,7 @@ spec: items: - key: cloud-integration.json path: cloud-integration.json - {{- else if or .Values.kubecostProductConfigs.cloudIntegrationJSON ((.Values.kubecostProductConfigs).athenaProjectID) }} + {{- else if or .Values.kubecostProductConfigs.cloudIntegrationJSON ((.Values.kubecostProductConfigs).athenaBucketName) }} - name: cloud-integration secret: secretName: cloud-integration @@ -684,7 +684,6 @@ spec: value: "AIzaSyDXQPG_MHUEy9neR7stolq6l0ujXmjJlvk" # The GCP Pricing API key.This GCP api key is expected to be here and is limited to accessing google's billing API. {{- if .Values.kubecostProductConfigs }} {{- if .Values.kubecostProductConfigs.gcpSecretName }} - - name: GOOGLE_APPLICATION_CREDENTIALS value: /var/configs/key.json {{- end }} 
@@ -1008,6 +1007,33 @@ spec: key: kubecost-token - name: WATERFOWL_ENABLED value: "true" + {{- /*A pre-requisite for running MultiClusterDiagnostics in the cost-model container is a configured federated-store secret and cluster_id*/}} + {{- if or (empty .Values.kubecostModel.federatedStorageConfigSecret) (eq .Values.prometheus.server.global.external_labels.cluster_id "cluster-one") }} + - name: DIAGNOSTICS_RUN_IN_COST_MODEL + value: "false" + {{- else if .Values.diagnostics.deployment.enabled }} + - name: DIAGNOSTICS_RUN_IN_COST_MODEL + value: "false" + {{- else }} + - name: DIAGNOSTICS_RUN_IN_COST_MODEL + value: "true" + - name: DIAGNOSTICS_KUBECOST_FQDN + value: "localhost" + - name: DIAGNOSTICS_KUBECOST_NAMESPACE + value: {{ .Release.Namespace }} + - name: DIAGNOSTICS_PRIMARY + value: {{ quote .Values.diagnostics.primary.enabled }} + - name: DIAGNOSTICS_RETENTION + value: {{ .Values.diagnostics.primary.retention }} + - name: DIAGNOSTICS_PRIMARY_READONLY + value: {{ quote .Values.diagnostics.primary.readonly }} + - name: DIAGNOSTICS_POLLING_INTERVAL + value: {{ .Values.diagnostics.pollingInterval }} + - name: DIAGNOSTICS_KEEP_HISTORY + value: {{ quote .Values.diagnostics.keepDiagnosticHistory }} + - name: DIAGNOSTICS_COLLECT_HELM_VALUES + value: {{ quote .Values.diagnostics.collectHelmValues }} + {{- end }} {{- if and .Values.kubecostFrontend.enabled (not .Values.federatedETL.agentOnly) }} {{- if .Values.kubecostFrontend }} {{- if .Values.kubecostFrontend.fullImageName }} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml index 1b9b03222..dc2cf8bd5 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml 
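Review bot: `DIAGNOSTICS_RETENTION`, `DIAGNOSTICS_POLLING_INTERVAL` and `DIAGNOSTICS_KUBECOST_NAMESPACE` are rendered unquoted while their neighbours go through `quote`; a container env `value` must be a string, so a numeric setting such as `pollingInterval: 300` or an all-digit namespace renders as a YAML integer and the manifest is rejected by the API server. Quote them like the others, e.g. `value: {{ quote .Values.diagnostics.pollingInterval }}`. The branch also keys on the literal cluster id `cluster-one` to decide the feature is unconfigured; a comment naming that as the chart's placeholder value, `{{- /* "cluster-one" is the values.yaml default cluster_id; a real id is required for multi-cluster diagnostics */}}`, would save the next reader a lookup. The container spec this env list belongs to starts outside the hunk.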
@@ -52,49 +52,51 @@ data: text/x-cross-domain-policy; upstream api { -{{- if.Values.kubecostFrontend.api }} -{{- if.Values.kubecostFrontend.api.fqdn }} +{{- if .Values.kubecostFrontend.useDefaultFqdn }} + server {{ $serviceName }}.{{ .Release.Namespace }}.svc.cluster.local:9001; +{{- else if (.Values.kubecostFrontend.api).fqdn }} server {{ .Values.kubecostFrontend.api.fqdn }}; -{{- else }} - server {{ $serviceName }}.{{ .Release.Namespace }}:9001; -{{- end }} {{- else }} server {{ $serviceName }}.{{ .Release.Namespace }}:9001; {{- end }} } upstream model { -{{- if.Values.kubecostFrontend.model }} -{{- if.Values.kubecostFrontend.model.fqdn }} +{{- if .Values.kubecostFrontend.useDefaultFqdn }} + server {{ $serviceName }}.{{ .Release.Namespace }}.svc.cluster.local:9003; +{{- else if (.Values.kubecostFrontend.model).fqdn }} server {{ .Values.kubecostFrontend.model.fqdn }}; -{{- else }} - server {{ $serviceName }}.{{ .Release.Namespace }}:9003; -{{- end }} {{- else }} server {{ $serviceName }}.{{ .Release.Namespace }}:9003; {{- end }} } -{{- if .Values.clusterController }} -{{- if .Values.clusterController.enabled }} +{{- if and .Values.clusterController .Values.clusterController.enabled }} upstream clustercontroller { -{{- if .Values.clusterController.fqdn }} - server {{ .Values.clusterController.fqdn }}; +{{- if .Values.kubecostFrontend.useDefaultFqdn }} + server {{ template "kubecost.clusterControllerName" . }}-service.{{ .Release.Namespace }}.svc.cluster.local:9731; +{{- else }} +{{- if (.Values.kubecostFrontend.clusterController).fqdn }} + server {{ .Values.kubecostFrontend.clusterController.fqdn }}; {{- else }} server {{ template "kubecost.clusterControllerName" . 
}}-service.{{ .Release.Namespace }}:9731; {{- end }} - } {{- end }} + } {{- end }} {{- if .Values.global.grafana.proxy }} upstream grafana { {{- if .Values.global.grafana.enabled }} +{{- if .Values.kubecostFrontend.useDefaultFqdn }} + server {{ .Release.Name }}-grafana.{{ .Release.Namespace }}.svc.cluster.local; +{{- else }} {{- if .Values.global.grafana.fqdn }} server {{ .Values.global.grafana.fqdn }}; {{- else }} server {{ .Release.Name }}-grafana.{{ .Release.Namespace }}; {{- end }} +{{- end }} {{- else }} server {{.Values.global.grafana.domainName}}; {{- end }} 
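Review bot: The cluster controller upstream now reads `.Values.kubecostFrontend.clusterController.fqdn` where it previously read `.Values.clusterController.fqdn`, so an existing `clusterController.fqdn` setting is silently ignored after upgrade and traffic falls back to the in-cluster service name. Either keep the old key as a fallback, `{{- if or (.Values.kubecostFrontend.clusterController).fqdn .Values.clusterController.fqdn }}`, or add a precondition in `_helpers.tpl` that fails on the old key, and document the rename. Note also that `useDefaultFqdn` is tested before any explicit `fqdn` for api, model, clustercontroller and grafana, so enabling it overrides a user-supplied FQDN; if that precedence is intended, a comment above the first `upstream` block stating it would avoid surprise. The `data:` block this nginx config lives in starts outside the hunk.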
@@ -103,22 +105,55 @@ data: {{- if .Values.forecasting.enabled }} upstream forecasting { + {{- if .Values.kubecostFrontend.useDefaultFqdn }} + server {{ .Release.Name }}-forecasting.{{ .Release.Namespace }}.svc.cluster.local:5000; + {{- else }} + {{- if (.Values.kubecostFrontend.forcasting).fqdn }} + server {{ .Values.kubecostFrontend.forcasting.fqdn }}; + {{- else }} server {{ .Release.Name }}-forecasting.{{ .Release.Namespace }}:5000; + {{- end }} + {{- end }} } {{- end }} {{- if and (not .Values.agent) (not .Values.cloudAgent) (not (eq (include "aggregator.deployMethod" .) "disabled")) }} upstream aggregator { + {{- if .Values.kubecostFrontend.useDefaultFqdn }} + server {{ .Release.Name }}-aggregator.{{ .Release.Namespace }}.svc.cluster.local:9004; + {{- else }} + {{- if (.Values.kubecostFrontend.aggregator).fqdn }} + server {{ .Values.kubecostFrontend.aggregator.fqdn }}; + {{- else }} server {{ .Release.Name }}-aggregator.{{ .Release.Namespace }}:9004; + {{- end }} + {{- end }} } upstream cloudCost { + {{- if .Values.kubecostFrontend.useDefaultFqdn }} + server {{ template "cloudCost.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local:9005; + {{- else }} + {{- if (.Values.kubecostFrontend.cloudCost).fqdn }} + server {{ .Values.kubecostFrontend.cloudCost.fqdn }}; + {{- else }} server {{ template "cloudCost.serviceName" . }}.{{ .Release.Namespace }}:9005; + {{- end }} + {{- end }} } {{- end }} - {{- if and .Values.diagnostics.enabled .Values.diagnostics.isDiagnosticsPrimary.enabled }} + + {{- if and .Values.diagnostics.enabled .Values.diagnostics.primary.enabled .Values.diagnostics.deployment.enabled }} {{- if (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) }} upstream multi-cluster-diagnostics { + {{- if .Values.kubecostFrontend.useDefaultFqdn }} + server {{ template "diagnostics.fullname" . 
}}.{{ .Release.Namespace }}.svc.cluster.local:9007; + {{- else}} + {{- if (.Values.kubecostFrontend.multiClusterDiagnostics).fqdn }} + server {{ .Values.kubecostFrontend.multiClusterDiagnostics.fqdn }}; + {{- else }} server {{ template "diagnostics.fullname" . }}.{{ .Release.Namespace }}:9007; + {{- end }} + {{- end }} } {{- end }} {{- end }} @@ -551,6 +586,16 @@ data: proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } + {{- if eq (default .Values.kubecostAggregator.env.MEMORY_INTENSIVE_CLUSTER_SIZING "disabled") "enabled" }} + location = /model/savings/clusterSizingETL { + proxy_read_timeout 600; + proxy_pass http://aggregator/savings/clusterSizingETL; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + {{- end }} location = /model/reports/allocation { proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/reports/allocation; 
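Review bot: The forecasting upstream reads `.Values.kubecostFrontend.forcasting.fqdn` (missing the `e`), so a user who sets `kubecostFrontend.forecasting.fqdn` by analogy with the `aggregator` and `cloudCost` keys gets the in-cluster default with no error. Unless values.yaml deliberately spells the key that way, change both lines to `{{- if (.Values.kubecostFrontend.forecasting).fqdn }}` and `server {{ .Values.kubecostFrontend.forecasting.fqdn }};`. A short comment on the `useDefaultFqdn` switch explaining why `.svc.cluster.local` is appended (presumably for clusters whose resolver search path does not cover short service names — worth confirming) would also help, since the same pattern is now repeated in seven upstreams.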
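Review bot: The new `/model/savings/clusterSizingETL` location hardcodes `proxy_read_timeout 600;` while every other aggregator location in this file uses `{{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}`, so operators who raise the global timeout are still capped here and the reason is undocumented. If the endpoint genuinely needs longer, say so, `# clusterSizingETL walks the full ETL window and needs more than timeoutSeconds`, or derive it from the setting: `proxy_read_timeout {{ max 600 (int (.Values.kubecostFrontend.timeoutSeconds | default 300)) }};`. The gate on `kubecostAggregator.env.MEMORY_INTENSIVE_CLUSTER_SIZING` is also an environment-variable name used as a values key; a comment pointing at the aggregator env block it mirrors would make the coupling explicit.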
@@ -778,6 +823,22 @@ data: proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } + location = /model/serviceAccounts { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/serviceAccounts; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/serviceAccount { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/serviceAccount; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } location = /model/debug/orchestrator { proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/debug/orchestrator; 
@@ -802,6 +863,86 @@ data: proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } + location = /model/diagnostic/tableWindowCount { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/diagnostic/tableWindowCount; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/diagnostic/containersPerDay { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/diagnostic/containersPerDay; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/diagnostic/nodesPerDay { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/diagnostic/nodesPerDay; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/diagnostic/containerLabelStats { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/diagnostic/containerLabelStats; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/diagnostic/containerAnnotationStats { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/diagnostic/containerAnnotationStats; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/diagnostic/cloudCostsPerDay { + 
proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/diagnostic/cloudCostsPerDay; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/diagnostic/containerWithoutMatchingNode { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/diagnostic/containerWithoutMatchingNode; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/diagnostic/containerDuplicateNoId { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/diagnostic/containerDuplicateNoId; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/diagnostic/containerDuplicateWithId { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/diagnostic/containerDuplicateWithId; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/diagnostic/nodeDuplicateNoId { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/diagnostic/nodeDuplicateNoId; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } #Cloud Cost Endpoints location = /model/cloudCost/status { 
@@ -884,17 +1025,24 @@ data: default_type 'application/json'; add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always; - {{- if and .Values.diagnostics.enabled .Values.diagnostics.isDiagnosticsPrimary.enabled }} + {{- if and .Values.diagnostics.enabled .Values.diagnostics.primary.enabled }} {{- if (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) }} - return 200 '{"multi-cluster-diagnostics-enabled": "true"}'; + return 200 '{"multiClusterDiagnosticsEnabled": true}'; {{- end }} {{- else }} - return 200 '{"multi-cluster-diagnostics-enabled": "false"}'; + return 200 '{"multiClusterDiagnosticsEnabled": false}'; {{- end }} } - {{- if and .Values.diagnostics.enabled .Values.diagnostics.isDiagnosticsPrimary.enabled }} + + {{- if and .Values.diagnostics.enabled .Values.diagnostics.primary.enabled .Values.diagnostics.deployment.enabled }} {{- if (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) }} - location /model/multi-cluster-diagnostics { + + # When the Multi-cluster Diagnostics Service is run within the + # cost-model container, its endpoint is available at the path + # `/model/diagnostics/multicluster`. No additional Nginx path forwarding + # needed. When the Multi-cluster Diagnostics Service is run as a K8s + # Deployment, we should forward that path to the K8s Service. + location /model/diagnostics/multicluster { default_type 'application/json'; add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always; @@ -906,7 +1054,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } # simple alias for support - location /model/mcd { + location /mcd { default_type 'application/json'; add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always; 
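Review bot: When `diagnostics.enabled` and `diagnostics.primary.enabled` are both true but `kubecostModel.federatedStorageConfigSecret` is empty, the rewritten block emits no `return` at all, so this location falls through to nginx's default handling instead of answering with the status JSON; the previous code had the same gap, but this hunk rewrites both branches and is the place to close it. Adding `{{- else }}` and `return 200 '{"multiClusterDiagnosticsEnabled": false}';` inside the inner `if` makes the response total. The location's opening line is above this hunk.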
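Review bot: Moving the support alias from `/model/mcd` to `/mcd` takes it outside the `/model/` prefix, so any ingress rule or policy that only routes or restricts `/model/` paths to this frontend no longer covers it; that is worth a line in the chart notes if it is intentional. As a prefix location, `location /mcd` also matches any URI beginning with `/mcd` (e.g. `/mcdfoo`); `location /mcd/` or an exact/regex form would scope it to the alias alone. The location's body continues past the end of the hunk.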
@@ -917,6 +1065,7 @@ data: proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } + {{- end }} {{- end }} @@ -948,7 +1097,10 @@ data: add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always; return 200 '\n - {"ssoConfigured": "{{ template "ssoEnabled" . }}"}\n + { + "ssoConfigured": "{{ template "ssoEnabled" . }}", + "dataBackupConfigured": "{{ template "dataBackupConfigured" . }}" + } '; } } diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-costs-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-costs-template.yaml index 2bfaf5bd0..0dad4bc8c 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-costs-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-costs-template.yaml @@ -68,6 +68,8 @@ spec: value: {{ (quote .Values.networkCosts.port) | default (quote 3001) }} - name: TRAFFIC_LOGGING_ENABLED value: {{ (quote .Values.networkCosts.trafficLogging) | default (quote true) }} + - name: LOG_LEVEL + value: info {{- if .Values.networkCosts.softMemoryLimit }} - name: GOMEMLIMIT value: {{ .Values.networkCosts.softMemoryLimit }} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-service-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-service-template.yaml index 541c2f8d8..dd2121eae 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-service-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-service-template.yaml @@ -5,7 +5,7 @@ metadata: name: {{ template "cost-analyzer.serviceName" . }} namespace: {{ .Release.Namespace }} labels: - {{ include "cost-analyzer.commonLabels" . | nindent 4 }} + {{- include "cost-analyzer.commonLabels" . | nindent 4 }} {{- if .Values.service.labels }} {{ toYaml .Values.service.labels | indent 4 }} {{- end }} 
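Review bot: `ssoConfigured` and the new `dataBackupConfigured` are emitted as quoted strings (`"true"`/`"false"`) while the `multiClusterDiagnosticsEnabled` field in the `@@ -884` hunk of this same file was just converted to a JSON boolean, so clients now have to handle both encodings for what are semantically the same kind of flag. If the string form is kept for compatibility with existing consumers of `ssoConfigured`, a comment such as `# string-valued for backwards compatibility with existing clients` before the `return 200` would stop the next reader from changing it. I cannot see the `dataBackupConfigured` helper here, so I am assuming it yields a `true`/`false` string like `ssoEnabled`; if it can yield an empty string the JSON would still be well-formed but misleading.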
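Review bot: `LOG_LEVEL` is the only env entry in this network-costs container that is hard-coded rather than derived from values; the adjacent `TRAFFIC_LOGGING_ENABLED` and `.Values.networkCosts.port` entries both read a value with a default. Something like `value: {{ .Values.networkCosts.logLevel | default "info" | quote }}`, with a matching `logLevel` key documented in values.yaml, keeps verbosity operator-tunable without a template edit — useful for a DaemonSet whose log volume scales with node count. The new `PAGE_ITEM_LIMIT` in the forecasting deployment (`@@ -71` below) has the same hard-coding and could take the same treatment.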
@@ -15,7 +15,7 @@ metadata: {{- end }} spec: selector: - {{ include "cost-analyzer.selectorLabels" . | nindent 4 }} + {{- include "cost-analyzer.selectorLabels" . | nindent 4 }} {{- if .Values.service -}} {{- if .Values.service.type }} type: "{{ .Values.service.type }}" diff --git a/charts/kubecost/cost-analyzer/templates/diagnostics-deployment.yaml b/charts/kubecost/cost-analyzer/templates/diagnostics-deployment.yaml index a40833340..f10362130 100644 --- a/charts/kubecost/cost-analyzer/templates/diagnostics-deployment.yaml +++ b/charts/kubecost/cost-analyzer/templates/diagnostics-deployment.yaml @@ -1,4 +1,4 @@ -{{- if .Values.diagnostics.enabled }} +{{- if and .Values.diagnostics.enabled .Values.diagnostics.deployment.enabled }} {{- if (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) -}} {{- if eq .Values.prometheus.server.global.external_labels.cluster_id "cluster-one" }} @@ -12,8 +12,8 @@ metadata: namespace: {{ .Release.Namespace }} labels: {{- include "diagnostics.selectorLabels" . | nindent 4 }} - {{- if and .Values.diagnostics .Values.diagnostics.labels }} - {{- toYaml .Values.diagnostics.labels | nindent 4 }} + {{- if .Values.diagnostics.deployment.labels }} + {{- toYaml .Values.diagnostics.deployment.labels | nindent 4 }} {{- end }} spec: replicas: 1 @@ -32,9 +32,9 @@ spec: {{- end }} spec: restartPolicy: Always - {{- if .Values.diagnostics.securityContext }} + {{- if .Values.diagnostics.deployment.securityContext }} securityContext: - {{- toYaml .Values.diagnostics.securityContext | nindent 8 }} + {{- toYaml .Values.diagnostics.deployment.securityContext | nindent 8 }} {{- else if .Values.global.securityContext }} securityContext: {{- toYaml .Values.global.securityContext | nindent 8 }} 
@@ -75,9 +75,9 @@ spec:
 imagePullSecrets:
 {{ toYaml .Values.imagePullSecrets | indent 2 }}
 {{- end }}
- {{- if .Values.diagnostics.containerSecurityContext }}
+ {{- if .Values.diagnostics.deployment.containerSecurityContext }}
 securityContext:
- {{- toYaml .Values.diagnostics.containerSecurityContext | nindent 12 }}
+ {{- toYaml .Values.diagnostics.deployment.containerSecurityContext | nindent 12 }}
 {{- else if .Values.global.containerSecurityContext }}
 securityContext:
 {{- toYaml .Values.global.containerSecurityContext | nindent 12 }}
@@ -103,30 +103,24 @@ spec:
 {{- end }}
 - name: FEDERATED_STORE_CONFIG
 value: /var/configs/etl/federated-store.yaml
+ - name: DIAGNOSTICS_RUN_IN_COST_MODEL
+ value: "false"
 - name: DIAGNOSTICS_KUBECOST_FQDN
 value: {{ template "cost-analyzer.serviceName" . }}
 - name: DIAGNOSTICS_KUBECOST_NAMESPACE
 value: {{ .Release.Namespace }}
- - name: DIAGNOSTICS_POLLING_INTERVAL
- value: {{ .Values.diagnostics.pollingInterval | default "300s" }}
 - name: DIAGNOSTICS_PRIMARY
- {{- if .Values.diagnostics.isDiagnosticsPrimary.enabled }}
- value: "true"
- {{- else }}
- value: "false"
- {{- end }}
- - name: DIAGNOSTICS_COLLECT_HELM_VALUES
- {{- if and .Values.reporting.valuesReporting .Values.diagnostics.collectHelmValues }}
- value: "true"
- {{- else }}
- value: "false"
- {{- end }}
+ value: {{ quote .Values.diagnostics.primary.enabled }}
+ - name: DIAGNOSTICS_RETENTION
+ value: {{ .Values.diagnostics.primary.retention }}
+ - name: DIAGNOSTICS_PRIMARY_READONLY
+ value: {{ quote .Values.diagnostics.primary.readonly }}
+ - name: DIAGNOSTICS_POLLING_INTERVAL
+ value: {{ .Values.diagnostics.pollingInterval }}
 - name: DIAGNOSTICS_KEEP_HISTORY
- {{- if .Values.diagnostics.keepDiagnosticHistory }}
- value: "true"
- {{- else }}
- value: "false"
- {{- end }}
+ value: {{ quote .Values.diagnostics.keepDiagnosticHistory }}
+ - name: DIAGNOSTICS_COLLECT_HELM_VALUES
+ value: {{ quote .Values.diagnostics.collectHelmValues }}
 {{- if .Values.systemProxy.enabled }}
 - name: HTTP_PROXY
 value: {{ .Values.systemProxy.httpProxyUrl }}
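Review bot: `DIAGNOSTICS_COLLECT_HELM_VALUES` no longer requires `.Values.reporting.valuesReporting`: the removed lines only set it to `"true"` when both flags were on, whereas the new `value: {{ quote .Values.diagnostics.collectHelmValues }}` ignores the reporting opt-out entirely. The values.yaml comment for `collectHelmValues` in this same commit says the pushed values "may contain sensitive information", so an operator who disabled `reporting.valuesReporting` would now still have Helm values pushed to the bucket once `collectHelmValues` is set; if dropping the gate was intended, the values.yaml comment should say so, otherwise `value: {{ if and .Values.reporting.valuesReporting .Values.diagnostics.collectHelmValues }}"true"{{ else }}"false"{{ end }}` restores the previous behaviour without the nil-handling pitfalls of `quote (and …)`. Two other new entries are unquoted and `DIAGNOSTICS_POLLING_INTERVAL` lost its `"300s"` fallback: `value: {{ quote .Values.diagnostics.primary.retention }}` and `value: {{ .Values.diagnostics.pollingInterval | default "300s" | quote }}` avoid a numeric-looking value such as `300` rendering as a YAML integer, which Kubernetes rejects for an env `value`.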
@@ -141,12 +135,12 @@ spec: - name: no_proxy value: {{ .Values.systemProxy.noProxy }} {{- end }} - {{- range $key, $value := .Values.diagnostics.env }} + {{- range $key, $value := .Values.diagnostics.deployment.env }} - name: {{ $key | quote }} value: {{ $value | quote }} {{- end }} {{- /* TODO: heatlhcheck that validates the diagnotics pod is healthy */}} - {{- if .Values.diagnostics.isDiagnosticsPrimary.enabled}} + {{- if .Values.diagnostics.primary.enabled}} readinessProbe: httpGet: path: /healthz @@ -157,18 +151,19 @@ spec: protocol: TCP {{- end }} resources: - {{- toYaml .Values.diagnostics.resources | nindent 12 }} - {{- with .Values.diagnostics.nodeSelector }} + {{- toYaml .Values.diagnostics.deployment.resources | nindent 12 }} + {{- with .Values.diagnostics.deployment.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.diagnostics.tolerations }} + {{- with .Values.diagnostics.deployment.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.diagnostics.affinity }} + {{- with .Values.diagnostics.deployment.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} + {{- end }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/diagnostics-service.yaml b/charts/kubecost/cost-analyzer/templates/diagnostics-service.yaml index 04a3e9ef3..5c0fdebe8 100644 --- a/charts/kubecost/cost-analyzer/templates/diagnostics-service.yaml +++ b/charts/kubecost/cost-analyzer/templates/diagnostics-service.yaml @@ -1,5 +1,4 @@ -{{- if .Values.diagnostics.isDiagnosticsPrimary.enabled }} -{{- if .Values.diagnostics.enabled }} +{{- if and .Values.diagnostics.enabled .Values.diagnostics.deployment.enabled .Values.diagnostics.primary.enabled }} {{- if (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) -}} apiVersion: v1 kind: Service @@ -19,4 +18,3 @@ spec: type: ClusterIP {{- end }} {{- end }} -{{- end }} \ No newline at end of file 
diff --git a/charts/kubecost/cost-analyzer/templates/forecasting-deployment.yaml b/charts/kubecost/cost-analyzer/templates/forecasting-deployment.yaml
index a277a03a3..3284a67a5 100644
--- a/charts/kubecost/cost-analyzer/templates/forecasting-deployment.yaml
+++ b/charts/kubecost/cost-analyzer/templates/forecasting-deployment.yaml
@@ -71,6 +71,8 @@ spec:
 value: http://{{ template "cost-analyzer.serviceName" . }}:9090/model
 - name: MODEL_STORAGE_PATH
 value: "/tmp/localrun/models"
+ - name: PAGE_ITEM_LIMIT
+ value: "1000"
 {{- range $key, $value := .Values.forecasting.env }}
 - name: {{ $key | quote }}
 value: {{ $value | quote }}
diff --git a/charts/kubecost/cost-analyzer/templates/kubecost-metrics-deployment-template.yaml b/charts/kubecost/cost-analyzer/templates/kubecost-metrics-deployment-template.yaml
index 4ea1444be..5b2990d49 100644
--- a/charts/kubecost/cost-analyzer/templates/kubecost-metrics-deployment-template.yaml
+++ b/charts/kubecost/cost-analyzer/templates/kubecost-metrics-deployment-template.yaml
@@ -106,7 +106,7 @@ spec:
 items:
 - key: cloud-integration.json
 path: cloud-integration.json
- {{- else if or .Values.kubecostProductConfigs.cloudIntegrationJSON ((.Values.kubecostProductConfigs).athenaProjectID) }}
+ {{- else if or .Values.kubecostProductConfigs.cloudIntegrationJSON ((.Values.kubecostProductConfigs).athenaBucketName) }}
 - name: cloud-integration
 secret:
 secretName: cloud-integration
@@ -197,7 +197,7 @@ spec:
 - name: azure-storage-config
 mountPath: /var/azure-storage-config
 {{- end }}
- {{- if or (.Values.kubecostProductConfigs.cloudIntegrationSecret) (.Values.kubecostProductConfigs.cloudIntegrationJSON) ((.Values.kubecostProductConfigs).athenaProjectID) }}
+ {{- if or (.Values.kubecostProductConfigs.cloudIntegrationSecret) (.Values.kubecostProductConfigs.cloudIntegrationJSON) ((.Values.kubecostProductConfigs).athenaBucketName) }}
 - name: cloud-integration
 mountPath: /var/configs/cloud-integration
 {{- end }}
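Review bot: The `athenaProjectID` → `athenaBucketName` switch had to be applied to two separate conditions (the volume at `@@ -106` and the mount at `@@ -197`), and the two are already not identical — the volume branch omits `cloudIntegrationSecret`, presumably because the preceding `if` outside the hunk handles it. A named helper, e.g. `{{- define "kubecostMetrics.cloudIntegrationEnabled" -}}` evaluated in both places, would keep the `cloud-integration` volume and its mount from diverging, since a mount that names a volume the pod does not declare is rejected by the API server. I am assuming from the neighbouring `mountPath` lines that both hunks belong to the same container spec; both enclosing blocks start outside the hunk.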
diff --git a/charts/kubecost/cost-analyzer/templates/tests/basic-health.yaml b/charts/kubecost/cost-analyzer/templates/tests/basic-health.yaml index b4278c76f..e092b54fd 100644 --- a/charts/kubecost/cost-analyzer/templates/tests/basic-health.yaml +++ b/charts/kubecost/cost-analyzer/templates/tests/basic-health.yaml @@ -6,6 +6,10 @@ metadata: namespace: {{ .Release.Namespace }} annotations: {{- include "kubecost.test.annotations" . | nindent 4 }} + labels: + app: basic-health + app.kubernetes.io/name: basic-health + app.kubernetes.io/instance: {{ .Release.Name }} spec: automountServiceAccountToken: false restartPolicy: Never diff --git a/charts/kubecost/cost-analyzer/values-agent.yaml b/charts/kubecost/cost-analyzer/values-agent.yaml index c74ea90b0..39320e0ed 100644 --- a/charts/kubecost/cost-analyzer/values-agent.yaml +++ b/charts/kubecost/cost-analyzer/values-agent.yaml @@ -81,7 +81,7 @@ prometheus: enableAdminApi: true sidecarContainers: - name: thanos-sidecar - image: thanosio/thanos:v0.32.5 + image: thanosio/thanos:v0.34.0 securityContext: runAsNonRoot: true runAsUser: 1001 diff --git a/charts/kubecost/cost-analyzer/values-eks-cost-monitoring.yaml b/charts/kubecost/cost-analyzer/values-eks-cost-monitoring.yaml index bd6f6b116..a4490afe8 100644 --- a/charts/kubecost/cost-analyzer/values-eks-cost-monitoring.yaml +++ b/charts/kubecost/cost-analyzer/values-eks-cost-monitoring.yaml @@ -67,7 +67,19 @@ kubecostModel: # memory: "256Mi" forecasting: - fullImageName: public.ecr.aws/kubecost/kubecost-modeling:e59c4d9 + fullImageName: public.ecr.aws/kubecost/kubecost-modeling:v0.1.2 + +networkCosts: + enabled: false + image: + repository: public.ecr.aws/kubecost/kubecost-network-costs + tag: v0.17.3 + +clusterController: + enabled: false + image: + repository: public.ecr.aws/kubecost/cluster-controller + tag: v0.15.2 serviceAccount: create: true # Set this to false if you're bringing your own service account. 
diff --git a/charts/kubecost/cost-analyzer/values.yaml b/charts/kubecost/cost-analyzer/values.yaml index 95a858753..98a92d926 100644 --- a/charts/kubecost/cost-analyzer/values.yaml +++ b/charts/kubecost/cost-analyzer/values.yaml @@ -12,7 +12,7 @@ global: domainName: cost-analyzer-grafana.default.svc # example grafana domain Ignored if enabled: true scheme: "http" # http or https, for the domain name above. proxy: true # If true, the kubecost frontend will route to your grafana through its service endpoint -# fqdn: cost-analyzer-grafana.default.svc + # fqdn: cost-analyzer-grafana.default.svc # Enable only when you are using GCP Marketplace ENT listing. Learn more at https://console.cloud.google.com/marketplace/product/kubecost-public/kubecost-ent gcpstore: @@ -244,6 +244,10 @@ global: runAsNonRoot: true seccompProfile: type: RuntimeDefault + # Set options for deploying with CI/CD tools like Argo CD. + cicd: + enabled: false # Set to true when using affected CI/CD tools for access to the below configuration options. + skipSanityChecks: false # If true, skip all sanity/existence checks for resources like Secrets. ## This flag is only required for users upgrading to a new version of Kubecost. ## The flag is used to ensure users are aware of important 
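Review bot: The comment on `skipSanityChecks` says it skips "all sanity/existence checks for resources like Secrets" but not what happens when a referenced Secret is absent, and the `cicd.enabled` comment implies the sub-option is only honoured when that flag is true, which cannot be verified from values.yaml alone. I would spell out both, e.g. `skipSanityChecks: false # If true (and cicd.enabled is true), templates render references to Secrets without checking they exist; a missing Secret then fails at pod start rather than at helm install.` The gating and the "fails at pod start" consequence are my reading of the option name rather than of the templates, which are not in this hunk, so confirm against them before wording the comment that way.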
@@ -401,10 +405,24 @@ kubecostFrontend: # large_client_header_buffers 4 64k; # hideDiagnostics: false # useful if the primary is not monitored. Supported in limited environments. # hideOrphanedResources: false # OrphanedResources works on the primary-cluster's cloud-provider only. + + # set to true to set all upstreams to use ..svc.cluster.local instead of just . + useDefaultFqdn: false # api: # fqdn: kubecost-api.kubecost.svc.cluster.local:9001 # model: # fqdn: kubecost-model.kubecost.svc.cluster.local:9003 +# forecasting: +# fqdn: kubecost-forcasting.kubecost.svc.cluster.local:5000 +# aggregator: +# fqdn: kubecost-aggregator.kubecost.svc.cluster.local:9004 +# cloudCost: +# fqdn: kubecost-cloud-cost.kubecost.svc.cluster.local:9005 +# multiClusterDiagnostics: +# fqdn: kubecost-multi-diag.kubecost.svc.cluster.local:9007 +# clusterController: +# fqdn: cluster-controller.kubecost.svc.cluster.local:9731 + # Kubecost Metrics deploys a separate pod which will emit kubernetes specific metrics required # by the cost-model. This pod is designed to remain active and decoupled from the cost-model itself. @@ -508,8 +526,9 @@ kubecostModel: # The name of the Secret containing a bucket config for ETL backup. # etlBucketConfigSecret: - # The name of the Secret containing a bucket config for Federated storage. - # federatedStorageConfigSecret: + # The name of the Secret containing a bucket config for Federated storage. The contents should be stored + # under a key named federated-store.yaml. + # federatedStorageConfigSecret: "" ## Feature to view your out-of-cluster costs and their k8s utilization ## Ref: https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/cloud-costs-explorer @@ -2094,7 +2113,7 @@ networkCosts: enabled: false image: repository: gcr.io/kubecost1/kubecost-network-costs - tag: v0.17.2 + tag: v0.17.3 imagePullPolicy: Always updateStrategy: type: RollingUpdate 
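Review bot: The new `useDefaultFqdn` comment reads "to use ..svc.cluster.local instead of just .", so the placeholders between the dots have been lost (possibly angle-bracketed names stripped somewhere along the way); as written it does not tell the reader what the two forms are. Suggested wording: `# set to true to have every upstream use <service>.<namespace>.svc.cluster.local instead of just <service>` — the `fqdn` examples below show the long form. In those examples `kubecost-forcasting.kubecost.svc.cluster.local:5000` misspells "forecasting"; anyone who uncomments and adapts the example as-is gets a name that will not resolve.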
@@ -2251,7 +2270,7 @@ forecasting: # image provided (registry, image, tag) will be used for the forecasting # container. # Example: fullImageName: gcr.io/kubecost1/forecasting:v0.0.1 - fullImageName: gcr.io/kubecost1/kubecost-modeling:v0.1.2 + fullImageName: gcr.io/kubecost1/kubecost-modeling:v0.1.3 # Resource specification block for the forecasting container. resources: @@ -2329,6 +2348,14 @@ kubecostAggregator: # 2400Mi. In most environments, the default should suffice. stagingEmptyDirSizeLimit: 2Gi + # this is the number of partitions the datastore is split into for copying + # the higher this number, the lower the ram usage but the longer it takes for + # new data to show in the kubecost UI + # set to 0 for max partitioning (minimum possible ram usage, but the slowest) + # the default of 25 is sufficient for 95%+ of users. This should only be modified + # after consulting with Kubecost's support team + numDBCopyPartitions: 25 + resources: {} # requests: # cpu: 1000m 
@@ -2418,32 +2445,53 @@ kubecostAggregator: ## A single view into the health of all agent clusters. Each agent cluster sends ## its diagnostic data to a storage bucket. Future versions may include ## repairing & alerting from the primary. -## Ref: https://docs.kubecost.com/install-and-configure/install/diagnostics +## Ref: https://docs.kubecost.com/install-and-configure/install/multi-cluster-diagnostics ## diagnostics: enabled: true + + ## The primary aggregates all diagnostic data and handles API requests. It's + ## also responsible for deleting diagnostic data (on disk & bucket) beyond + ## retention. When in readonly mode it does not push its own diagnostic data + ## to the bucket. + primary: + enabled: false + retention: "7d" + readonly: false + ## How frequently to run & push diagnostics. Defaults to 5 minutes. pollingInterval: "300s" + ## Creates a new Diagnostic file in the bucket for every run. keepDiagnosticHistory: false + ## Pushes the cluster's Kubecost Helm Values to the bucket once upon startup. ## This may contain sensitive information and is roughly 30kb per cluster. collectHelmValues: false - ## The primary aggregates all diagnostic data and serves HTTP queries. - isDiagnosticsPrimary: + + ## By default, the Multi-cluster Diagnostics service runs within the + ## cost-model container in the cost-analyzer pod. For higher availability, it + ## can be run as a separate deployment. 
+ deployment: enabled: false - resources: - requests: - cpu: "10m" - memory: "20Mi" - securityContext: {} + resources: + requests: + cpu: "10m" + memory: "20Mi" + env: {} + labels: {} + securityContext: {} + containerSecurityContext: {} + nodeSelector: {} + tolerations: {} + affinity: {} # Kubecost Cluster Controller for Right Sizing and Cluster Turndown clusterController: enabled: false image: repository: gcr.io/kubecost1/cluster-controller - tag: v0.14.0 + tag: v0.15.2 imagePullPolicy: Always ## PriorityClassName ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass @@ -2466,7 +2514,7 @@ clusterController: # turndown: ignore # params: # minNamespaceAge: 4h - # this configures the Kubecost Cluster Sizing action + # this configures the Kubecost Cluster Sizing action # for more details, see documentation at https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/savings/savings-actions#cluster-sizing clusterRightsize: # startTime: '2024-01-02T15:04:05Z' @@ -2485,14 +2533,16 @@ clusterController: containerRightsize: # workloads: # - clusterID: cluster-one - # namespace: kube-system + # namespace: my-namespace # controllerKind: deployment - # controllerName: kube-dns-autoscaler + # controllerName: my-controller # schedule: - # start: 2024-01-30T00:00 - # frequencyMinutes: 1440 - # cpuTarget: 0.8 - # ramTarget: 0.8 + # start: "2024-01-30T15:04:05Z" + # frequencyMinutes: 5 + # recommendationQueryWindow: "48h" + # lastModified: '' + # targetUtilizationCPU: 0.8 + # targetUtilizationMemory: 0.8 kubescaler: # If true, will cause all (supported) workloads to be have their requests @@ -2784,7 +2834,7 @@ grafana: sidecar: image: repository: kiwigrid/k8s-sidecar - tag: 1.25.3 + tag: 1.25.4 pullPolicy: IfNotPresent resources: {} dashboards: diff --git a/charts/kuma/kuma/Chart.yaml b/charts/kuma/kuma/Chart.yaml index b771c0c4d..dfe6fb54e 100644 --- a/charts/kuma/kuma/Chart.yaml +++ b/charts/kuma/kuma/Chart.yaml 
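Review bot: `tolerations: {}` under the new `diagnostics.deployment` block defaults a Kubernetes list field to a map; it only works because the template's `with` treats an empty map as false, and `tolerations: []` is the type-correct default. `retention: "7d"` does not say which duration formats are accepted or what is deleted — the prose above says the primary removes data "on disk & bucket", so a line such as `## Duration after which diagnostic data is deleted from disk and the bucket, e.g. "7d"` next to the key would make the format discoverable. The `readonly` comment explains that the primary stops pushing its own data; since the same paragraph also gives it the deletion role, it would help to state whether a readonly primary still deletes data beyond retention.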
@@ -4,7 +4,7 @@ annotations: catalog.cattle.io/namespace: kuma-system catalog.cattle.io/release-name: kuma apiVersion: v2 -appVersion: 2.6.1 +appVersion: 2.6.2 description: A Helm chart for the Kuma Control Plane home: https://github.com/kumahq/kuma icon: https://kuma.io/assets/images/brand/kuma-logo-new.svg @@ -20,4 +20,4 @@ maintainers: name: nickolaev name: kuma type: application -version: 2.6.1 +version: 2.6.2 diff --git a/charts/kuma/kuma/README.md b/charts/kuma/kuma/README.md index f1612d140..c0423333c 100644 --- a/charts/kuma/kuma/README.md +++ b/charts/kuma/kuma/README.md @@ -2,7 +2,7 @@ A Helm chart for the Kuma Control Plane -![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.6.1](https://img.shields.io/badge/Version-2.6.1-informational?style=flat-square) ![AppVersion: 2.6.1](https://img.shields.io/badge/AppVersion-2.6.1-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.6.2](https://img.shields.io/badge/Version-2.6.2-informational?style=flat-square) ![AppVersion: 2.6.2](https://img.shields.io/badge/AppVersion-2.6.2-informational?style=flat-square) **Homepage:** diff --git a/charts/linkerd/linkerd-control-plane/Chart.yaml b/charts/linkerd/linkerd-control-plane/Chart.yaml index 2c9f19944..854c8730a 100644 --- a/charts/linkerd/linkerd-control-plane/Chart.yaml +++ b/charts/linkerd/linkerd-control-plane/Chart.yaml @@ -1,11 +1,12 @@ annotations: + catalog.cattle.io/auto-install: linkerd-crds catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Linkerd Control Plane catalog.cattle.io/featured: "5" - catalog.cattle.io/kube-version: '>=1.21.0-0' + catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 -appVersion: stable-2.14.10 +appVersion: edge-24.3.3 dependencies: - name: partials repository: file://./charts/partials 
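Review bot: `appVersion` moves from `stable-2.14.10` to `edge-24.3.3`, yet the README hunk later in this commit still renders the AppVersion badge as `edge-XX.X.X`, so the catalog entry will show a placeholder where it used to show a release. For a chart annotated `catalog.cattle.io/certified: partner`, switching the packaged control plane from Linkerd's stable channel to an edge build is something consumers pinned to stable should see called out explicitly — a sentence in `description` or the chart's release notes would do. The `kubeVersion` and `catalog.cattle.io/kube-version` bump to `>=1.22.0-0` is consistent with the `Kubernetes: >=1.22.0-0` line in the README hunk.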
@@ -16,7 +17,7 @@ home: https://linkerd.io icon: https://linkerd.io/images/logo-only-200h.png keywords: - service-mesh -kubeVersion: '>=1.21.0-0' +kubeVersion: '>=1.22.0-0' maintainers: - email: cncf-linkerd-dev@lists.cncf.io name: Linkerd authors @@ -25,4 +26,4 @@ name: linkerd-control-plane sources: - https://github.com/linkerd/linkerd2/ type: application -version: 1.16.11 +version: 2024.3.3 diff --git a/charts/linkerd/linkerd-control-plane/README.md b/charts/linkerd/linkerd-control-plane/README.md index 2de375d52..64bebbbe0 100644 --- a/charts/linkerd/linkerd-control-plane/README.md +++ b/charts/linkerd/linkerd-control-plane/README.md @@ -3,7 +3,7 @@ Linkerd gives you observability, reliability, and security for your microservices — with no code change required. -![Version: 1.16.11](https://img.shields.io/badge/Version-1.16.11-informational?style=flat-square) +![Version: 2024.3.3](https://img.shields.io/badge/Version-2024.3.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) @@ -11,8 +11,8 @@ for your microservices — with no code change required. ## Quickstart and documentation -You can run Linkerd on any Kubernetes 1.21+ cluster in a matter of seconds. See -the [Linkerd Getting Started Guide][getting-started] for how. +You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the +[Linkerd Getting Started Guide][getting-started] for how. For more comprehensive documentation, start with the [Linkerd docs][linkerd-docs]. 
@@ -52,15 +52,10 @@ Included here for completeness-sake, but should have already been added when `linkerd-base` was installed. ```bash -# To add the repo for Linkerd stable releases: -helm repo add linkerd https://helm.linkerd.io/stable # To add the repo for Linkerd edge releases: -helm repo add linkerd-edge https://helm.linkerd.io/edge +helm repo add linkerd https://helm.linkerd.io/edge ``` -The following instructions use the `linkerd` repo. For installing an edge -release, just replace with `linkerd-edge`. - ## Installing the chart You must provide the certificates and keys described in the preceding section, @@ -135,7 +130,7 @@ extensions: ## Requirements -Kubernetes: `>=1.21.0-0` +Kubernetes: `>=1.22.0-0` | Repository | Name | Version | |------------|------|---------| @@ -151,6 +146,8 @@ Kubernetes: `>=1.21.0-0` | commonLabels | object | `{}` | Labels to apply to all resources | | controlPlaneTracing | bool | `false` | enables control plane tracing | | controlPlaneTracingNamespace | string | `"linkerd-jaeger"` | namespace to send control plane traces to | +| controller.podDisruptionBudget | object | `{"maxUnavailable":1}` | sets pod disruption budget parameter for all deployments | +| controller.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number of pods that can be unavailable during disruption | | controllerImage | string | `"cr.l5d.io/linkerd/controller"` | Docker image for the destination and identity components | | controllerImageVersion | string | `""` | Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage. | | controllerLogFormat | string | `"plain"` | Log format for the control plane components | 
@@ -158,8 +155,8 @@ Kubernetes: `>=1.21.0-0` | controllerReplicas | int | `1` | Number of replicas for each control plane pod | | controllerUID | int | `2103` | User ID for the control plane components | | debugContainer.image.name | string | `"cr.l5d.io/linkerd/debug"` | Docker image for the debug container | -| debugContainer.image.pullPolicy | string | imagePullPolicy | Pull policy for the debug container Docker image | -| debugContainer.image.version | string | linkerdVersion | Tag for the debug container Docker image | +| debugContainer.image.pullPolicy | string | imagePullPolicy | Pull policy for the debug container image | +| debugContainer.image.version | string | linkerdVersion | Tag for the debug container image | | deploymentStrategy | object | `{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"}}` | default kubernetes deployment strategy | | disableHeartBeat | bool | `false` | Set to true to not start the heartbeat cronjob | | enableEndpointSlices | bool | `true` | enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on | 
@@ -203,8 +200,8 @@ Kubernetes: `>=1.21.0-0` | podMonitor.scrapeTimeout | string | `"10s"` | Iimeout after which the scrape is ended | | podMonitor.serviceMirror.enabled | bool | `true` | Enables the creation of PodMonitor for the Service Mirror component | | policyController.image.name | string | `"cr.l5d.io/linkerd/policy-controller"` | Docker image for the policy controller | -| policyController.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy container Docker image | -| policyController.image.version | string | linkerdVersion | Tag for the proxy container Docker image | +| policyController.image.pullPolicy | string | imagePullPolicy | Pull policy for the policy controller container image | +| policyController.image.version | string | linkerdVersion | Tag for the policy controller container image | | policyController.logLevel | string | `"info"` | Log level for the policy controller | | policyController.probeNetworks | list | `["0.0.0.0/0"]` | The networks from which probes are performed. By default, all networks are allowed so that all probes are authorized. | | policyController.resources | object | destinationResources | policy controller resource requests & limits | 
@@ -231,18 +228,23 @@ Kubernetes: `>=1.21.0-0`
 | profileValidator.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook |
 | prometheusUrl | string | `""` | url of external prometheus instance (used for the heartbeat) |
 | proxy.await | bool | `true` | If set, the application container will not start until the proxy is ready |
+| proxy.control.streams.idleTimeout | string | `"5m"` | The timeout between consecutive updates from the control plane. |
+| proxy.control.streams.initialTimeout | string | `"3s"` | The timeout for the first update from the control plane. |
+| proxy.control.streams.lifetime | string | `"1h"` | The maximum duration for a response stream (i.e. before it will be reinitialized). |
 | proxy.cores | int | `0` | The `cpu.limit` and `cores` should be kept in sync. The value of `cores` must be an integer and should typically be set by rounding up from the limit. E.g. if cpu.limit is '1500m', cores should be 2. |
 | proxy.defaultInboundPolicy | string | "all-unauthenticated" | The default allow policy to use when no `Server` selects a pod.
One of: "all-authenticated", "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny" |
 | proxy.disableInboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the inbound side of the proxy by setting it to a very high value |
 | proxy.disableOutboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the outbound side of the proxy by setting it to a very high value |
 | proxy.enableExternalProfiles | bool | `false` | Enable service profiles for non-Kubernetes services |
 | proxy.image.name | string | `"cr.l5d.io/linkerd/proxy"` | Docker image for the proxy |
-| proxy.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy container Docker image |
-| proxy.image.version | string | linkerdVersion | Tag for the proxy container Docker image |
+| proxy.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy container image |
+| proxy.image.version | string | linkerdVersion | Tag for the proxy container image |
 | proxy.inboundConnectTimeout | string | `"100ms"` | Maximum time allowed for the proxy to establish an inbound TCP connection |
 | proxy.inboundDiscoveryCacheUnusedTimeout | string | `"90s"` | Maximum time allowed before an unused inbound discovery result is evicted from the cache |
+| proxy.livenessProbe | object | `{"initialDelaySeconds":10,"timeoutSeconds":1}` | LivenessProbe timeout and delay configuration |
 | proxy.logFormat | string | `"plain"` | Log format (`plain` or `json`) for the proxy |
 | proxy.logLevel | string | `"warn,linkerd=info,trust_dns=error"` | Log level for the proxy |
+| proxy.nativeSidecar | bool | `false` | Enable KEP-753 native sidecars This is an experimental feature. It requires Kubernetes >= 1.29. If enabled, .proxy.waitBeforeExitSeconds should not be used.
|
 | proxy.opaquePorts | string | `"25,587,3306,4444,5432,6379,9300,11211"` | Default set of opaque ports - SMTP (25,587) server-first - MYSQL (3306) server-first - Galera (4444) server-first - PostgreSQL (5432) server-first - Redis (6379) server-first - ElasticSearch (9300) server-first - Memcached (11211) clients do not issue any preamble, which breaks detection |
 | proxy.outboundConnectTimeout | string | `"1000ms"` | Maximum time allowed for the proxy to establish an outbound TCP connection |
 | proxy.outboundDiscoveryCacheUnusedTimeout | string | `"5s"` | Maximum time allowed before an unused outbound discovery result is evicted from the cache |
@@ -250,6 +252,7 @@ Kubernetes: `>=1.21.0-0`
 | proxy.ports.control | int | `4190` | Control port for the proxy container |
 | proxy.ports.inbound | int | `4143` | Inbound port for the proxy container |
 | proxy.ports.outbound | int | `4140` | Outbound port for the proxy container |
+| proxy.readinessProbe | object | `{"initialDelaySeconds":2,"timeoutSeconds":1}` | ReadinessProbe timeout and delay configuration |
 | proxy.requireIdentityOnInboundPorts | string | `""` | |
 | proxy.resources.cpu.limit | string | `""` | Maximum amount of CPU units that the proxy can use |
 | proxy.resources.cpu.request | string | `""` | Amount of CPU units that the proxy requests |
@@ -258,14 +261,17 @@ Kubernetes: `>=1.21.0-0`
 | proxy.resources.memory.limit | string | `""` | Maximum amount of memory that the proxy can use |
 | proxy.resources.memory.request | string | `""` | Maximum amount of memory that the proxy requests |
 | proxy.shutdownGracePeriod | string | `""` | Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections. |
+| proxy.startupProbe.failureThreshold | int | `120` | |
+| proxy.startupProbe.initialDelaySeconds | int | `0` | |
+| proxy.startupProbe.periodSeconds | int | `1` | |
 | proxy.uid | int | `2102` | User id under which the proxy runs |
 | proxy.waitBeforeExitSeconds | int | `0` | If set the injected proxy sidecars in the data plane will stay alive for at least the given period before receiving the SIGTERM signal from Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`. See [Lifecycle hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks) for more info on container lifecycle hooks.
|
 | proxyInit.closeWaitTimeoutSecs | int | `0` | |
 | proxyInit.ignoreInboundPorts | string | `"4567,4568"` | Default set of inbound ports to skip via iptables - Galera (4567,4568) |
 | proxyInit.ignoreOutboundPorts | string | `"4567,4568"` | Default set of outbound ports to skip via iptables - Galera (4567,4568) |
 | proxyInit.image.name | string | `"cr.l5d.io/linkerd/proxy-init"` | Docker image for the proxy-init container |
-| proxyInit.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy-init container Docker image |
-| proxyInit.image.version | string | `"v2.2.3"` | Tag for the proxy-init container Docker image |
+| proxyInit.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy-init container image |
+| proxyInit.image.version | string | `"v2.2.4"` | Tag for the proxy-init container image |
 | proxyInit.iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will control which utility binary will be called. The host must support whichever mode will be used |
 | proxyInit.kubeAPIServerPorts | string | `"443,6443"` | Default set of ports to skip via iptables for control plane components so they can communicate with the Kubernetes API Server |
 | proxyInit.logFormat | string | plain | Log format (`plain` or `json`) for the proxy-init |
@@ -290,8 +296,9 @@ Kubernetes: `>=1.21.0-0`
 | proxyInjector.keyPEM | string | `""` | Certificate key for the proxy injector. If not provided and not using an external secret then Helm will generate one. |
 | proxyInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]},{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system","cert-manager"]}]}` | Namespace selector used by admission webhook. |
 | proxyInjector.objectSelector | object | `{"matchExpressions":[{"key":"linkerd.io/control-plane-component","operator":"DoesNotExist"},{"key":"linkerd.io/cni-resource","operator":"DoesNotExist"}]}` | Object selector used by admission webhook. |
+| proxyInjector.timeoutSeconds | int | `10` | Timeout in seconds before the API Server cancels a request to the proxy injector. If timeout is exceeded, the webhookfailurePolicy is used. |
 | runtimeClassName | string | `""` | Runtime Class Name for all the pods |
 | webhookFailurePolicy | string | `"Ignore"` | Failure policy for the proxy injector |
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)
diff --git a/charts/linkerd/linkerd-control-plane/README.md.gotmpl b/charts/linkerd/linkerd-control-plane/README.md.gotmpl
index 2d96c3db2..19da2a82d 100644
--- a/charts/linkerd/linkerd-control-plane/README.md.gotmpl
+++ b/charts/linkerd/linkerd-control-plane/README.md.gotmpl
@@ -9,8 +9,8 @@ ## Quickstart and documentation
-You can run Linkerd on any Kubernetes 1.21+ cluster in a matter of seconds. See
-the [Linkerd Getting Started Guide][getting-started] for how.
+You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the
+[Linkerd Getting Started Guide][getting-started] for how.
 For more comprehensive documentation, start with the [Linkerd docs][linkerd-docs].
@@ -50,15 +50,10 @@ Included here for completeness-sake, but should have already been added when
 `linkerd-base` was installed.
 ```bash
-# To add the repo for Linkerd stable releases:
-helm repo add linkerd https://helm.linkerd.io/stable
 # To add the repo for Linkerd edge releases:
-helm repo add linkerd-edge https://helm.linkerd.io/edge
+helm repo add linkerd https://helm.linkerd.io/edge
 ```
-The following instructions use the `linkerd` repo. For installing an edge
-release, just replace with `linkerd-edge`.
-
 ## Installing the chart
 You must provide the certificates and keys described in the preceding section,
diff --git a/charts/linkerd/linkerd-control-plane/app-readme.md b/charts/linkerd/linkerd-control-plane/app-readme.md
index 0bf758574..351eac5f0 100644
--- a/charts/linkerd/linkerd-control-plane/app-readme.md
+++ b/charts/linkerd/linkerd-control-plane/app-readme.md
@@ -4,6 +4,11 @@ Linkerd is an ultra light, ultra simple, ultra powerful service mesh. Linkerd adds security, observability, and reliability to Kubernetes, without the complexity.
-This particular chart only installs the control plane core. To gain access to
-the observability features, please install the linkerd-viz chart. Other
-extensions are available (multicluster, jaeger) under the linkerd Helm repo.
+This particular Helm chart only installs the control plane core. You will also need to install the
+linkerd-crds chart. This chart should be automatically installed along with any other dependencies.
+If it is not installed as a dependency, install it first.
+
+To gain access to the observability features, please install the linkerd-viz chart.
+Other extensions are available (multicluster, jaeger) under the linkerd Helm repo.
+
+Full documentation available at: https://linkerd.io/2/overview/
diff --git a/charts/linkerd/linkerd-control-plane/charts/partials/README.md b/charts/linkerd/linkerd-control-plane/charts/partials/README.md
index e5fbd3938..10805c9b9 100644
--- a/charts/linkerd/linkerd-control-plane/charts/partials/README.md
+++ b/charts/linkerd/linkerd-control-plane/charts/partials/README.md
@@ -6,4 +6,4 @@ depended by the 'linkerd' and 'patch' charts.
 ![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square)
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)
diff --git a/charts/linkerd/linkerd-control-plane/charts/partials/templates/_debug.tpl b/charts/linkerd/linkerd-control-plane/charts/partials/templates/_debug.tpl
index cf0eb1417..4df8cc77b 100644
--- a/charts/linkerd/linkerd-control-plane/charts/partials/templates/_debug.tpl
+++ b/charts/linkerd/linkerd-control-plane/charts/partials/templates/_debug.tpl
@@ -3,4 +3,13 @@ image: {{.Values.debugContainer.image.name}}:{{.Values.debugContainer.image.vers
 imagePullPolicy: {{.Values.debugContainer.image.pullPolicy | default .Values.imagePullPolicy}}
 name: linkerd-debug
 terminationMessagePolicy: FallbackToLogsOnError
+# some environments require probes, so we provide some infallible ones
+livenessProbe:
+ exec:
+ command:
+ - "true"
+readinessProbe:
+ exec:
+ command:
+ - "true"
 {{- end -}}
diff --git a/charts/linkerd/linkerd-control-plane/charts/partials/templates/_proxy.tpl b/charts/linkerd/linkerd-control-plane/charts/partials/templates/_proxy.tpl
index f5dd4c2cd..1db5c8779 100644
--- a/charts/linkerd/linkerd-control-plane/charts/partials/templates/_proxy.tpl
+++ b/charts/linkerd/linkerd-control-plane/charts/partials/templates/_proxy.tpl
@@ -1,4 +1,7 @@
 {{ define "partials.proxy" -}}
+{{ if and .Values.proxy.nativeSidecar .Values.proxy.waitBeforeExitSeconds }}
+{{ fail "proxy.nativeSidecar and waitBeforeExitSeconds cannot be used simultaneously" }}
+{{- end }}
 {{- $trustDomain := (.Values.identityTrustDomain | default .Values.clusterDomain) -}}
 env:
 - name: _pod_name
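Review bot: The `fail` message in the new nativeSidecar guard names `waitBeforeExitSeconds` without its `proxy.` prefix while the other key is spelled out as `proxy.nativeSidecar`, so an operator searching their values for the reported name will not find the documented key. Suggest `{{ fail "proxy.nativeSidecar and proxy.waitBeforeExitSeconds cannot be used simultaneously" }}`. The values.yaml comment for nativeSidecar added later in this diff says the combination "should not be used", whereas this template hard-fails rendering, so the two should agree on "must not".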
@@ -36,11 +39,18 @@ env:
 - name: LINKERD2_PROXY_POLICY_SVC_ADDR
 value: {{ternary "localhost.:8090" (printf "linkerd-policy.%s.svc.%s.:8090" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}}
 - name: LINKERD2_PROXY_POLICY_WORKLOAD
- value: "$(_pod_ns):$(_pod_name)"
+ value: |
+ {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
 - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
 value: {{.Values.proxy.defaultInboundPolicy}}
 - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
 value: {{.Values.clusterNetworks | quote}}
+- name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
+ value: {{((.Values.proxy.control).streams).initialTimeout | default "" | quote}}
+- name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
+ value: {{((.Values.proxy.control).streams).idleTimeout | default "" | quote}}
+- name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
+ value: {{((.Values.proxy.control).streams).lifetime | default "" | quote}}
 {{ if .Values.proxy.inboundConnectTimeout -}}
 - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
 value: {{.Values.proxy.inboundConnectTimeout | quote}}
@@ -150,13 +160,20 @@ be used in other contexts.
 - name: LINKERD2_PROXY_SHUTDOWN_GRACE_PERIOD
 value: {{.Values.proxy.shutdownGracePeriod | quote}}
 {{ end -}}
+{{ if .Values.proxy.additionalEnv -}}
+{{ toYaml .Values.proxy.additionalEnv }}
+{{ end -}}
+{{ if .Values.proxy.experimentalEnv -}}
+{{ toYaml .Values.proxy.experimentalEnv }}
+{{ end -}}
 image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion}}
 imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}}
 livenessProbe:
 httpGet:
 path: /live
 port: {{.Values.proxy.ports.admin}}
- initialDelaySeconds: 10
+ initialDelaySeconds: {{.Values.proxy.livenessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{.Values.proxy.livenessProbe.timeoutSeconds }}
 name: linkerd-proxy
 ports:
 - containerPort: {{.Values.proxy.ports.inbound}}
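Review bot: `value: |` for LINKERD2_PROXY_POLICY_WORKLOAD is a literal block scalar with the default clip chomping, so the environment value carries a trailing newline after the JSON object; unless the proxy trims whitespace before parsing, that is a hard-to-diagnose failure, and `value: |-` yields exactly the single-line JSON the replaced `"$(_pod_ns):$(_pod_name)"` form implied. The three new LINKERD2_PROXY_CONTROL_STREAM_* variables use `default ""`, which sets the variable to an empty string rather than omitting it; the optional timeouts already in this file (e.g. LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT, visible in the same hunk) are instead wrapped in an `{{ if ... }}`, so either the proxy must be confirmed to treat empty as unset, or the existing conditional style should be used for consistency.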
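Review bot: `proxy.additionalEnv` and `proxy.experimentalEnv` are spliced verbatim into the proxy container's env list after every generated variable, so an entry reusing a generated name (for example LINKERD2_PROXY_INBOUND_DEFAULT_POLICY) appears twice and, as far as I know, the kubelet resolves duplicate names by keeping the last occurrence, which lets a values override silently replace a security-relevant proxy setting. Neither key is documented in the values.yaml or README hunks of this diff; values.yaml should at least carry `# -- Additional raw env entries appended to the proxy container; a duplicate name overrides the generated setting` with a matching line for experimentalEnv. The same undocumented pattern is added for destination, spValidator, policyController, heartbeat, identity and proxy-injector later in this diff.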
@@ -167,7 +184,17 @@ readinessProbe:
 httpGet:
 path: /ready
 port: {{.Values.proxy.ports.admin}}
- initialDelaySeconds: 2
+ initialDelaySeconds: {{.Values.proxy.readinessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{.Values.proxy.readinessProbe.timeoutSeconds }}
+{{- if and .Values.proxy.nativeSidecar .Values.proxy.await }}
+startupProbe:
+ httpGet:
+ path: /ready
+ port: {{.Values.proxy.ports.admin}}
+ initialDelaySeconds: {{.Values.proxy.startupProbe.initialDelaySeconds}}
+ periodSeconds: {{.Values.proxy.startupProbe.periodSeconds}}
+ failureThreshold: {{.Values.proxy.startupProbe.failureThreshold}}
+{{- end }}
 {{- if .Values.proxy.resources }}
 {{ include "partials.resources" .Values.proxy.resources }}
 {{- end }}
@@ -182,7 +209,7 @@ securityContext:
 seccompProfile:
 type: RuntimeDefault
 terminationMessagePolicy: FallbackToLogsOnError
-{{- if or (.Values.proxy.await) (.Values.proxy.waitBeforeExitSeconds) }}
+{{- if and (not .Values.proxy.nativeSidecar) (or .Values.proxy.await .Values.proxy.waitBeforeExitSeconds) }}
 lifecycle:
 {{- if .Values.proxy.await }}
 postStart:
@@ -212,4 +239,7 @@ volumeMounts:
 name: {{.Values.proxy.saMountPath.name}}
 readOnly: {{.Values.proxy.saMountPath.readOnly}}
 {{- end -}}
+{{- if .Values.proxy.nativeSidecar }}
+restartPolicy: Always
+{{- end -}}
 {{- end }}
diff --git a/charts/linkerd/linkerd-control-plane/questions.yaml b/charts/linkerd/linkerd-control-plane/questions.yaml
index a58084d05..4ae27870a 100644
--- a/charts/linkerd/linkerd-control-plane/questions.yaml
+++ b/charts/linkerd/linkerd-control-plane/questions.yaml
@@ -17,9 +17,3 @@ questions:
 required: true
 type: multiline
 group: Identity
-- variable: identity.issuer.crtExpiry
- label: "Expiration timestamp for the issuer certificate"
- description: "This must match the expiry date in crtPEM"
- required: true
- type: string
- group: Identity
diff --git a/charts/linkerd/linkerd-control-plane/templates/destination-rbac.yaml b/charts/linkerd/linkerd-control-plane/templates/destination-rbac.yaml
index 840be6272..d05ed0dd3 100644
--- a/charts/linkerd/linkerd-control-plane/templates/destination-rbac.yaml
+++ b/charts/linkerd/linkerd-control-plane/templates/destination-rbac.yaml
@@ -23,10 +23,16 @@ rules:
 - apiGroups: ["linkerd.io"]
 resources: ["serviceprofiles"]
 verbs: ["list", "get", "watch"]
+- apiGroups: ["workload.linkerd.io"]
+ resources: ["externalworkloads"]
+ verbs: ["list", "get", "watch"]
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["create", "get", "update", "patch"]
 {{- if .Values.enableEndpointSlices }}
 - apiGroups: ["discovery.k8s.io"]
 resources: ["endpointslices"]
- verbs: ["list", "get", "watch"]
+ verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
 {{- end }}
 ---
 kind: ClusterRoleBinding
@@ -179,6 +185,11 @@ webhooks:
 - meshtlsauthentications
 - serverauthorizations
 - servers
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["gateway.networking.k8s.io"]
+ apiVersions: ["*"]
+ resources:
+ - httproutes
 sideEffects: None
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -238,6 +249,14 @@ rules:
 - httproutes/status
 verbs:
 - patch
+ - apiGroups:
+ - workload.linkerd.io
+ resources:
+ - externalworkloads
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - coordination.k8s.io
 resources:
diff --git a/charts/linkerd/linkerd-control-plane/templates/destination.yaml b/charts/linkerd/linkerd-control-plane/templates/destination.yaml
index d9992747f..c0d2418cd 100644
--- a/charts/linkerd/linkerd-control-plane/templates/destination.yaml
+++ b/charts/linkerd/linkerd-control-plane/templates/destination.yaml
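Review bot: The destination ClusterRole now gains `create`, `update`, `patch` and `delete` on EndpointSlices in every namespace plus `create`/`update`/`patch` on Leases cluster-wide, with nothing in the template recording why write access is needed; since write access to EndpointSlices amounts to control over where traffic for any Service is delivered, the justification (presumably reconciling EndpointSlices for the `externalworkloads` resource added in the same hunk) belongs in a template comment such as `{{- /* write verbs are needed to manage EndpointSlices for ExternalWorkloads */}}`. The third hunk shows `coordination.k8s.io` already present under a separate, more deeply indented `rules:` block that looks like a namespaced Role; if the controller's lease lives in the control-plane namespace, the cluster-wide lease grant is broader than necessary and that Role is the better home for it. Whether `resourceNames` can further narrow the lease grant is worth confirming before this ships.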
@@ -115,7 +115,7 @@ metadata:
 annotations:
 {{ include "partials.annotations.created-by" . }}
 spec:
- maxUnavailable: 1
+ maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
 selector:
 matchLabels:
 linkerd.io/control-plane-component: destination
@@ -190,7 +190,9 @@ spec:
 */}}
 {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
 {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }}
+ {{- if not $tree.Values.proxy.nativeSidecar }}
 - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+ {{- end }}
 - args:
 - destination
 - -addr=:8086
@@ -203,6 +205,21 @@ spec:
 - -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}}
 - -default-opaque-ports={{.Values.proxy.opaquePorts}}
 - -enable-pprof={{.Values.enablePprof | default false}}
+ {{- range (.Values.destinationController).additionalArgs }}
+ - {{ . }}
+ {{- end }}
+ {{- range (.Values.destinationController).experimentalArgs }}
+ - {{ . }}
+ {{- end }}
+ {{- if or (.Values.destinationController).additionalEnv (.Values.destinationController).experimentalEnv }}
+ env:
+ {{- with (.Values.destinationController).additionalEnv }}
+ {{- toYaml . | nindent 8 -}}
+ {{- end }}
+ {{- with (.Values.destinationController).experimentalEnv }}
+ {{- toYaml . | nindent 8 -}}
+ {{- end }}
+ {{- end }}
 {{- include "partials.linkerd.trace" . | nindent 8 -}}
 image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}
 imagePullPolicy: {{.Values.imagePullPolicy}}
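Review bot: The new `- {{ . }}` items for destinationController.additionalArgs/experimentalArgs are emitted unquoted, so an argument containing YAML-significant characters (`: `, a leading `*`, `&` or `[`) or a non-string value corrupts the rendered manifest or changes its type; `- {{ . | quote }}` keeps every argument a literal string. The identical pattern is used for policyController.additionalArgs/experimentalArgs in the next file hunk. The generated `env:` key is inserted immediately before `{{- include "partials.linkerd.trace" . | nindent 8 -}}`; if that partial also emits an `env:` key the container ends up with a duplicate mapping key, which I cannot verify from this hunk. None of the `destinationController.*` keys appear in the values.yaml or README changes in this diff, so they should be documented there.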
@@ -240,6 +257,15 @@ spec:
 - -log-level={{.Values.controllerLogLevel}}
 - -log-format={{.Values.controllerLogFormat}}
 - -enable-pprof={{.Values.enablePprof | default false}}
+ {{- if or (.Values.spValidator).additionalEnv (.Values.spValidator).experimentalEnv }}
+ env:
+ {{- with (.Values.spValidator).additionalEnv }}
+ {{- toYaml . | nindent 8 -}}
+ {{- end }}
+ {{- with (.Values.spValidator).experimentalEnv }}
+ {{- toYaml . | nindent 8 -}}
+ {{- end }}
+ {{- end }}
 image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}
 imagePullPolicy: {{.Values.imagePullPolicy}}
 livenessProbe:
@@ -292,6 +318,12 @@ spec:
 {{- if .Values.policyController.probeNetworks }}
 - --probe-networks={{.Values.policyController.probeNetworks | join ","}}
 {{- end}}
+ {{- range .Values.policyController.additionalArgs }}
+ - {{ . }}
+ {{- end }}
+ {{- range .Values.policyController.experimentalArgs }}
+ - {{ . }}
+ {{- end }}
 image: {{.Values.policyController.image.name}}:{{.Values.policyController.image.version | default .Values.linkerdVersion}}
 imagePullPolicy: {{.Values.policyController.image.pullPolicy | default .Values.imagePullPolicy}}
 livenessProbe:
@@ -341,6 +373,12 @@ spec:
 {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}}
 - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
 {{ end -}}
+ {{- if $tree.Values.proxy.nativeSidecar }}
+ {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35 }}
+ {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }}
+ {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }}
+ - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+ {{ end -}}
 {{- if .Values.priorityClassName -}}
 priorityClassName: {{ .Values.priorityClassName }}
 {{ end -}}
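Review bot: The three `set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35` / `"startupProbePeriodSeconds" 5` / `"startupProbeFailureThreshold" 20` calls in the nativeSidecar branch write flat keys, but `partials.proxy` as changed in this diff reads `.Values.proxy.startupProbe.initialDelaySeconds`, `.periodSeconds` and `.failureThreshold` from the nested `startupProbe` map, so these control-plane-specific values are never consumed and the destination proxy renders with the values.yaml defaults (0/1/120) instead. Set the nested map, e.g. `{{- $_ := set $tree.Values.proxy "startupProbe" (dict "initialDelaySeconds" 35 "periodSeconds" 5 "failureThreshold" 20) }}`, or have the partial read the flat keys. The same three lines appear in the proxy-injector.yaml hunk `@@ -127,6 +138,12 @@` later in this diff.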
diff --git a/charts/linkerd/linkerd-control-plane/templates/heartbeat.yaml b/charts/linkerd/linkerd-control-plane/templates/heartbeat.yaml
index aa43874fb..d96318786 100644
--- a/charts/linkerd/linkerd-control-plane/templates/heartbeat.yaml
+++ b/charts/linkerd/linkerd-control-plane/templates/heartbeat.yaml
@@ -59,6 +59,12 @@ spec:
 env:
 - name: LINKERD_DISABLED
 value: "the heartbeat controller does not use the proxy"
+ {{- with (.Values.heartbeat).additionalEnv }}
+ {{- toYaml . | nindent 12 -}}
+ {{- end }}
+ {{- with (.Values.heartbeat).experimentalEnv }}
+ {{- toYaml . | nindent 12 -}}
+ {{- end }}
 args:
 - "heartbeat"
 - "-controller-namespace={{.Release.Namespace}}"
diff --git a/charts/linkerd/linkerd-control-plane/templates/identity.yaml b/charts/linkerd/linkerd-control-plane/templates/identity.yaml
index 3964efe74..f6e6deeca 100644
--- a/charts/linkerd/linkerd-control-plane/templates/identity.yaml
+++ b/charts/linkerd/linkerd-control-plane/templates/identity.yaml
@@ -90,7 +90,7 @@ metadata:
 annotations:
 {{ include "partials.annotations.created-by" . }}
 spec:
- maxUnavailable: 1
+ maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
 selector:
 matchLabels:
 linkerd.io/control-plane-component: identity
@@ -165,6 +165,12 @@ spec:
 env:
 - name: LINKERD_DISABLED
 value: "linkerd-await cannot block the identity controller"
+ {{- with (.Values.identity).additionalEnv }}
+ {{- toYaml . | nindent 8 -}}
+ {{- end }}
+ {{- with (.Values.identity).experimentalEnv }}
+ {{- toYaml . | nindent 8 -}}
+ {{- end }}
 image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}
 imagePullPolicy: {{.Values.imagePullPolicy}}
 livenessProbe:
@@ -208,6 +214,7 @@ spec:
 {{- $_ := set $tree.Values.proxy "await" false }}
 {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
 {{- $_ := set $tree.Values.proxy "podInboundPorts" "8080,9990" }}
+ {{- $_ := set $tree.Values.proxy "nativeSidecar" false }}
 {{- /* The identity controller cannot discover policies, so we configure it with defaults that enforce TLS on the identity service.
diff --git a/charts/linkerd/linkerd-control-plane/templates/proxy-injector-rbac.yaml b/charts/linkerd/linkerd-control-plane/templates/proxy-injector-rbac.yaml
index 5b165ded1..abf4edf5d 100644
--- a/charts/linkerd/linkerd-control-plane/templates/proxy-injector-rbac.yaml
+++ b/charts/linkerd/linkerd-control-plane/templates/proxy-injector-rbac.yaml
@@ -116,3 +116,4 @@ webhooks:
 apiVersions: ["v1"]
 resources: ["pods", "services"]
 sideEffects: None
+ timeoutSeconds: {{ .Values.proxyInjector.timeoutSeconds | default 10 }}
diff --git a/charts/linkerd/linkerd-control-plane/templates/proxy-injector.yaml b/charts/linkerd/linkerd-control-plane/templates/proxy-injector.yaml
index 89798c06a..27e2881e0 100644
--- a/charts/linkerd/linkerd-control-plane/templates/proxy-injector.yaml
+++ b/charts/linkerd/linkerd-control-plane/templates/proxy-injector.yaml
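Review bot: `{{ .Values.proxyInjector.timeoutSeconds | default 10 }}` silently turns an explicit `0` into 10, and the API server only accepts webhook `timeoutSeconds` between 1 and 30, so any other out-of-range value fails at install time with an error that does not mention the chart key. A comment at the values.yaml definition added later in this diff, `# Must be between 1 and 30 (Kubernetes webhook limit); 0 falls back to 10`, would save that round-trip. The timeout interacts with `webhookFailurePolicy`, whose README default in this diff is `Ignore`, meaning an injection request that times out results in the pod being admitted without a proxy; that consequence is worth stating in the same comment so operators tuning the value understand the trade-off.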
@@ -70,13 +70,24 @@ spec:
 {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }}
 {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }}
 {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }}
+ {{- if not $tree.Values.proxy.nativeSidecar }}
 - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+ {{- end }}
 - args:
 - proxy-injector
 - -log-level={{.Values.controllerLogLevel}}
 - -log-format={{.Values.controllerLogFormat}}
 - -linkerd-namespace={{.Release.Namespace}}
 - -enable-pprof={{.Values.enablePprof | default false}}
+ {{- if or (.Values.proxyInjector).additionalEnv (.Values.proxyInjector).experimentalEnv }}
+ env:
+ {{- with (.Values.proxyInjector).additionalEnv }}
+ {{- toYaml . | nindent 8 -}}
+ {{- end }}
+ {{- with (.Values.proxyInjector).experimentalEnv }}
+ {{- toYaml . | nindent 8 -}}
+ {{- end }}
+ {{- end }}
 image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}
 imagePullPolicy: {{.Values.imagePullPolicy}}
 livenessProbe:
@@ -127,6 +138,12 @@ spec:
 {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}}
 - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
 {{ end -}}
+ {{- if $tree.Values.proxy.nativeSidecar }}
+ {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35 }}
+ {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }}
+ {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }}
+ - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+ {{ end -}}
 {{- if .Values.priorityClassName -}}
 priorityClassName: {{ .Values.priorityClassName }}
 {{ end -}}
@@ -186,7 +203,7 @@ metadata:
 annotations:
 {{ include "partials.annotations.created-by" . }}
 spec:
- maxUnavailable: 1
+ maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
 selector:
 matchLabels:
 linkerd.io/control-plane-component: proxy-injector
diff --git a/charts/linkerd/linkerd-control-plane/values-ha.yaml b/charts/linkerd/linkerd-control-plane/values-ha.yaml
index 3c0ce102b..920b803e5 100644
--- a/charts/linkerd/linkerd-control-plane/values-ha.yaml
+++ b/charts/linkerd/linkerd-control-plane/values-ha.yaml
@@ -5,6 +5,12 @@
 # -- Create PodDisruptionBudget resources for each control plane workload
 enablePodDisruptionBudget: true
+controller:
+ # -- sets pod disruption budget parameter for all deployments
+ podDisruptionBudget:
+ # -- Maximum number of pods that can be unavailable during disruption
+ maxUnavailable: 1
+
 # -- Specify a deployment strategy for each control plane workload
 deploymentStrategy:
 rollingUpdate:
diff --git a/charts/linkerd/linkerd-control-plane/values.yaml b/charts/linkerd/linkerd-control-plane/values.yaml
index af855276c..fb129e611 100644
--- a/charts/linkerd/linkerd-control-plane/values.yaml
+++ b/charts/linkerd/linkerd-control-plane/values.yaml
@@ -22,7 +22,7 @@ controlPlaneTracing: false
 # -- namespace to send control plane traces to
 controlPlaneTracingNamespace: linkerd-jaeger
 # -- control plane version. See Proxy section for proxy version
-linkerdVersion: stable-2.14.10
+linkerdVersion: edge-24.3.3
 # -- default kubernetes deployment strategy
 deploymentStrategy:
 rollingUpdate:
@@ -39,6 +39,12 @@ enablePodAntiAffinity: false
 enablePprof: false
 # -- enables the creation of pod disruption budgets for control plane components
 enablePodDisruptionBudget: false
+
+controller:
+ # -- sets pod disruption budget parameter for all deployments
+ podDisruptionBudget:
+ # -- Maximum number of pods that can be unavailable during disruption
+ maxUnavailable: 1
 # -- enabling this omits the NET_ADMIN capability in the PSP
 # and the proxy-init container when injecting the proxy;
 # requires the linkerd-cni plugin to already be installed
@@ -71,10 +77,10 @@ policyController:
 image:
 # -- Docker image for the policy controller
 name: cr.l5d.io/linkerd/policy-controller
- # -- Pull policy for the proxy container Docker image
+ # -- Pull policy for the policy controller container image
 # @default -- imagePullPolicy
 pullPolicy: ""
- # -- Tag for the proxy container Docker image
+ # -- Tag for the policy controller container image
 # @default -- linkerdVersion
 version: ""
@@ -131,10 +137,10 @@ proxy:
 image:
 # -- Docker image for the proxy
 name: cr.l5d.io/linkerd/proxy
- # -- Pull policy for the proxy container Docker image
+ # -- Pull policy for the proxy container image
 # @default -- imagePullPolicy
 pullPolicy: ""
- # -- Tag for the proxy container Docker image
+ # -- Tag for the proxy container image
 # @default -- linkerdVersion
 version: ""
 # -- Log level for the proxy
@@ -198,6 +204,34 @@ proxy:
 # "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny"
 # @default -- "all-unauthenticated"
 defaultInboundPolicy: "all-unauthenticated"
+ # -- Enable KEP-753 native sidecars
+ # This is an experimental feature. It requires Kubernetes >= 1.29.
+ # If enabled, .proxy.waitBeforeExitSeconds should not be used.
+ nativeSidecar: false
+ # -- Native sidecar proxy startup probe parameters.
+ # -- LivenessProbe timeout and delay configuration
+ livenessProbe:
+ initialDelaySeconds: 10
+ timeoutSeconds: 1
+ # -- ReadinessProbe timeout and delay configuration
+ readinessProbe:
+ initialDelaySeconds: 2
+ timeoutSeconds: 1
+ startupProbe:
+ initialDelaySeconds: 0
+ periodSeconds: 1
+ failureThreshold: 120
+ # Configures general properties of the proxy's control plane clients.
+ control:
+ # Configures limits on API response streams.
+ streams:
+ # -- The timeout for the first update from the control plane.
+ initialTimeout: "3s"
+ # -- The timeout between consecutive updates from the control plane.
+ idleTimeout: "5m"
+ # -- The maximum duration for a response stream (i.e. before it will be
+ # reinitialized).
+ lifetime: "1h"
 # proxy-init configuration
 proxyInit:
@@ -226,11 +260,11 @@ proxyInit:
 image:
 # -- Docker image for the proxy-init container
 name: cr.l5d.io/linkerd/proxy-init
- # -- Pull policy for the proxy-init container Docker image
+ # -- Pull policy for the proxy-init container image
 # @default -- imagePullPolicy
 pullPolicy: ""
- # -- Tag for the proxy-init container Docker image
- version: v2.2.3
+ # -- Tag for the proxy-init container image
+ version: v2.2.4
 resources:
 cpu:
 # -- Maximum amount of CPU units that the proxy-init container can use
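Review bot: The doc comment `# -- Native sidecar proxy startup probe parameters.` sits above `# -- LivenessProbe timeout and delay configuration` / `livenessProbe:` instead of above `startupProbe:`, so helm-docs attaches nothing to the startupProbe keys; the README hunk for `proxy.startupProbe.*` in this diff shows empty description cells, which confirms the misplacement. Move that single line directly above `startupProbe:`. The `nativeSidecar` comment says `.proxy.waitBeforeExitSeconds should not be used`, but the `partials.proxy` change in this diff calls `fail` for that combination, so `must not be used (chart rendering fails)` is the accurate wording.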
@@ -312,8 +346,7 @@ controllerUID: 2103
 # see proxy.resources for details.
 # destinationResources -- CPU, Memory and Ephemeral Storage resources required by destination (see `proxy.resources` for sub-fields)
 #destinationResources:
-#destinationProxyResources -- CPU, Memory and Ephemeral Storage resources required by proxy
-# injected into destination pod (see `proxy.resources` for sub-fields)
+# destinationProxyResources -- CPU, Memory and Ephemeral Storage resources required by proxy injected into destination pod (see `proxy.resources` for sub-fields)
 #destinationProxyResources:
 # debug configuration
@@ -321,10 +354,10 @@ debugContainer:
 image:
 # -- Docker image for the debug container
 name: cr.l5d.io/linkerd/debug
- # -- Pull policy for the debug container Docker image
+ # -- Pull policy for the debug container image
 # @default -- imagePullPolicy
 pullPolicy: ""
- # -- Tag for the debug container Docker image
+ # -- Tag for the debug container image
 # @default -- linkerdVersion
 version: ""
@@ -368,6 +401,9 @@ disableHeartBeat: false
 # proxy injector configuration
 proxyInjector:
+ # -- Timeout in seconds before the API Server cancels a request to the proxy
+ # injector. If timeout is exceeded, the webhookfailurePolicy is used.
+ timeoutSeconds: 10
 # -- Do not create a secret resource for the proxyInjector webhook.
 # If this is set to `true`, the value `proxyInjector.caBundle` must be set
 # or the ca bundle must injected with cert-manager ca injector using
diff --git a/charts/linkerd/linkerd-crds/.helmignore b/charts/linkerd/linkerd-crds/.helmignore
new file mode 100644
index 000000000..79c90a806
--- /dev/null
+++ b/charts/linkerd/linkerd-crds/.helmignore
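Review bot: The new proxyInjector.timeoutSeconds comment refers to `webhookfailurePolicy`, but the chart value is spelled `webhookFailurePolicy` (see the README table earlier in this diff), and helm-docs copies this text verbatim into the README, where the typo already appears. Change the second line to `# injector. If the timeout is exceeded, webhookFailurePolicy is used.` so the generated docs point at the real key.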
@@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +OWNERS +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/linkerd/linkerd-crds/Chart.lock b/charts/linkerd/linkerd-crds/Chart.lock new file mode 100644 index 000000000..a62a03063 --- /dev/null +++ b/charts/linkerd/linkerd-crds/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: partials + repository: file://../partials + version: 0.1.0 +digest: sha256:8e42f9c9d4a2dc883f17f94d6044c97518ced19ad0922f47b8760e47135369ba +generated: "2021-08-17T10:42:52.610449255-05:00" diff --git a/charts/linkerd/linkerd-crds/Chart.yaml b/charts/linkerd/linkerd-crds/Chart.yaml new file mode 100644 index 000000000..fe7af45db --- /dev/null +++ b/charts/linkerd/linkerd-crds/Chart.yaml @@ -0,0 +1,26 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd CRDs + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-crds +apiVersion: v2 +dependencies: +- name: partials + repository: file://./charts/partials + version: 0.1.0 +description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' +home: https://linkerd.io +icon: https://linkerd.io/images/logo-only-200h.png +keywords: +- service-mesh +kubeVersion: '>=1.22.0-0' +maintainers: +- email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ +name: linkerd-crds +sources: +- https://github.com/linkerd/linkerd2/ +type: application +version: 2024.3.3 diff --git a/charts/linkerd/linkerd-crds/README.md b/charts/linkerd/linkerd-crds/README.md new file mode 100644 index 000000000..a21c459dd --- /dev/null 
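Review bot: The `partials` dependency is declared with `repository: file://./charts/partials` in Chart.yaml, but the Chart.lock added earlier on this line records `repository: file://../partials`, and the README table in the next hunk shows `file://../partials` as well. Helm computes the lock digest from the dependency list, so `helm dependency build` is likely to report Chart.lock as out of sync with Chart.yaml; either regenerate the lock against the vendored `./charts/partials` path or keep the two declarations identical. The `.helmignore` hunk on this line is trivial.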
+++ b/charts/linkerd/linkerd-crds/README.md 
@@ -0,0 +1,71 @@ +# linkerd-crds + +Linkerd gives you observability, reliability, and security +for your microservices — with no code change required. + +![Version: 2024.3.3](https://img.shields.io/badge/Version-2024.3.3-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) + +**Homepage:** + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the +[Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Adding Linkerd's Helm repository + +```bash +# To add the repo for Linkerd edge releases: +helm repo add linkerd https://helm.linkerd.io/edge +``` + +## Installing the linkerd-crds chart + +This installs the `linkerd-crds` chart, which only persists the CRDs that +Linkerd requires. + +After installing this chart, you need then to install the +`linkerd-control-plane` chart in the same namespace, which provides all the +linkerd core control components. + +```bash +helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds +``` + +## Get involved + +* Check out Linkerd's source code at [GitHub][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. 
+ +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +## Requirements + +Kubernetes: `>=1.22.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| file://../partials | partials | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| enableHttpRoutes | bool | `true` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/linkerd/linkerd-crds/README.md.gotmpl b/charts/linkerd/linkerd-crds/README.md.gotmpl new file mode 100644 index 000000000..88be73954 --- /dev/null +++ b/charts/linkerd/linkerd-crds/README.md.gotmpl 
@@ -0,0 +1,59 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the +[Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Adding Linkerd's Helm repository + +```bash +# To add the repo for Linkerd edge releases: +helm repo add linkerd https://helm.linkerd.io/edge +``` + +## Installing the linkerd-crds chart + +This installs the `linkerd-crds` chart, which only persists the CRDs that +Linkerd requires. + +After installing this chart, you need then to install the +`linkerd-control-plane` chart in the same namespace, which provides all the +linkerd core control components. + +```bash +helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds +``` + +## Get involved + +* Check out Linkerd's source code at [GitHub][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. + +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} 
diff --git a/charts/linkerd/linkerd-crds/app-readme.md b/charts/linkerd/linkerd-crds/app-readme.md new file mode 100644 index 000000000..59010a6b2 --- /dev/null +++ b/charts/linkerd/linkerd-crds/app-readme.md @@ -0,0 +1,9 @@ +# Linkerd 2 CRDs Chart + +Linkerd is an ultra light, ultra simple, ultra powerful service mesh. Linkerd +adds security, observability, and reliability to Kubernetes, without the +complexity. + +This particular Helm chart only installs Linkerd CRDs. + +Full documentation available at: https://linkerd.io/2/overview/ diff --git a/charts/linkerd/linkerd-crds/charts/partials/.helmignore b/charts/linkerd/linkerd-crds/charts/partials/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/linkerd/linkerd-crds/charts/partials/Chart.yaml b/charts/linkerd/linkerd-crds/charts/partials/Chart.yaml new file mode 100644 index 000000000..23cfc167e --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +description: 'A Helm chart containing Linkerd partial templates, depended by the ''linkerd'' + and ''patch'' charts. ' +name: partials +version: 0.1.0 diff --git a/charts/linkerd/linkerd-crds/charts/partials/README.md b/charts/linkerd/linkerd-crds/charts/partials/README.md new file mode 100644 index 000000000..10805c9b9 --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/README.md 
@@ -0,0 +1,9 @@ +# partials + +A Helm chart containing Linkerd partial templates, +depended by the 'linkerd' and 'patch' charts. + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/linkerd/linkerd-crds/charts/partials/README.md.gotmpl b/charts/linkerd/linkerd-crds/charts/partials/README.md.gotmpl new file mode 100644 index 000000000..37f510106 --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/README.md.gotmpl @@ -0,0 +1,14 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/NOTES.txt b/charts/linkerd/linkerd-crds/charts/partials/templates/NOTES.txt new file mode 100644 index 000000000..e69de29bb diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_affinity.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_affinity.tpl new file mode 100644 index 000000000..5dde1da47 --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_affinity.tpl 
@@ -0,0 +1,38 @@ +{{ define "linkerd.pod-affinity" -}} +podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ default "linkerd.io/control-plane-component" .label }} + operator: In + values: + - {{ .component }} + topologyKey: topology.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: {{ default "linkerd.io/control-plane-component" .label }} + operator: In + values: + - {{ .component }} + topologyKey: kubernetes.io/hostname +{{- end }} + +{{ define "linkerd.node-affinity" -}} +nodeAffinity: +{{- toYaml .Values.nodeAffinity | trim | nindent 2 }} +{{- end }} + +{{ define "linkerd.affinity" -}} +{{- if or .Values.enablePodAntiAffinity .Values.nodeAffinity -}} +affinity: +{{- end }} +{{- if .Values.enablePodAntiAffinity -}} +{{- include "linkerd.pod-affinity" . | nindent 2 }} +{{- end }} +{{- if .Values.nodeAffinity -}} +{{- include "linkerd.node-affinity" . | nindent 2 }} +{{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_capabilities.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_capabilities.tpl new file mode 100644 index 000000000..a595d74c1 --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_capabilities.tpl @@ -0,0 +1,16 @@ +{{- define "partials.proxy.capabilities" -}} +capabilities: + {{- if .Values.proxy.capabilities.add }} + add: + {{- toYaml .Values.proxy.capabilities.add | trim | nindent 4 }} + {{- end }} + {{- if .Values.proxy.capabilities.drop }} + drop: + {{- toYaml .Values.proxy.capabilities.drop | trim | nindent 4 }} + {{- end }} +{{- end -}} + +{{- define "partials.proxy-init.capabilities.drop" -}} +drop: +{{ toYaml .Values.proxyInit.capabilities.drop | trim }} +{{- end -}} 
diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_debug.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_debug.tpl new file mode 100644 index 000000000..4df8cc77b --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_debug.tpl @@ -0,0 +1,15 @@ +{{- define "partials.debug" -}} +image: {{.Values.debugContainer.image.name}}:{{.Values.debugContainer.image.version | default .Values.linkerdVersion}} +imagePullPolicy: {{.Values.debugContainer.image.pullPolicy | default .Values.imagePullPolicy}} +name: linkerd-debug +terminationMessagePolicy: FallbackToLogsOnError +# some environments require probes, so we provide some infallible ones +livenessProbe: + exec: + command: + - "true" +readinessProbe: + exec: + command: + - "true" +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_helpers.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_helpers.tpl new file mode 100644 index 000000000..b6cdc34d0 --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_helpers.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Splits a coma separated list into a list of string values. +For example "11,22,55,44" will become "11","22","55","44" +*/}} +{{- define "partials.splitStringList" -}} +{{- if gt (len (toString .)) 0 -}} +{{- $ports := toString . | splitList "," -}} +{{- $last := sub (len $ports) 1 -}} +{{- range $i,$port := $ports -}} +"{{$port}}"{{ternary "," "" (ne $i $last)}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_metadata.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_metadata.tpl new file mode 100644 index 000000000..04d2f1bea --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_metadata.tpl 
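Review bot: `partials.debug` is the only container partial in this commit that sets no `securityContext`: `partials.network-validator` and `partials.proxy` drop all capabilities, set `readOnlyRootFilesystem: true`, `runAsNonRoot: true` and a `RuntimeDefault` seccomp profile, while the debug container runs with whatever the pod defaults are. If the debug tooling genuinely needs elevated privileges, a one-line comment saying so would stop the next reader from tightening it by mistake; otherwise `allowPrivilegeEscalation: false` and `seccompProfile: type: RuntimeDefault` would at least keep the container admissible where the restricted Pod Security Standard is enforced. The `_helpers.tpl` hunk on this line has a typo in its comment: `coma separated` should read `comma separated`.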
@@ -0,0 +1,17 @@ +{{- define "partials.annotations.created-by" -}} +linkerd.io/created-by: {{ .Values.cliVersion | default (printf "linkerd/helm %s" ( (.Values.image).version | default .Values.linkerdVersion)) }} +{{- end -}} + +{{- define "partials.proxy.annotations" -}} +linkerd.io/proxy-version: {{.Values.proxy.image.version | default .Values.linkerdVersion}} +cluster-autoscaler.kubernetes.io/safe-to-evict: "true" +linkerd.io/trust-root-sha256: {{ .Values.identityTrustAnchorsPEM | sha256sum }} +{{- end -}} + +{{/* +To add labels to the control-plane components, instead update at individual component manifests as +adding here would also update `spec.selector.matchLabels` which are immutable and would fail upgrades. +*/}} +{{- define "partials.proxy.labels" -}} +linkerd.io/proxy-{{.workloadKind}}: {{.component}} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_network-validator.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_network-validator.tpl new file mode 100644 index 000000000..58f36e62f --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_network-validator.tpl 
@@ -0,0 +1,32 @@ +{{- define "partials.network-validator" -}} +name: linkerd-network-validator +image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion }} +imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} +{{ include "partials.resources" .Values.proxyInit.resources }} +{{- if or .Values.networkValidator.enableSecurityContext }} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault +{{- end }} +command: + - /usr/lib/linkerd/linkerd2-network-validator +args: + - --log-format + - {{ .Values.networkValidator.logFormat }} + - --log-level + - {{ .Values.networkValidator.logLevel }} + - --connect-addr + - {{ .Values.networkValidator.connectAddr }} + - --listen-addr + - {{ .Values.networkValidator.listenAddr }} + - --timeout + - {{ .Values.networkValidator.timeout }} + +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_nodeselector.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_nodeselector.tpl new file mode 100644 index 000000000..4cde0ab16 --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_nodeselector.tpl @@ -0,0 +1,4 @@ +{{- define "linkerd.node-selector" -}} +nodeSelector: +{{- toYaml .Values.nodeSelector | trim | nindent 2 }} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy-config-ann.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy-config-ann.tpl new file mode 100644 index 000000000..9651b3bd1 --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy-config-ann.tpl 
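Review bot: `{{- if or .Values.networkValidator.enableSecurityContext }}` applies `or` to a single operand, which evaluates to just that operand; write it as `{{- if .Values.networkValidator.enableSecurityContext }}` so a reader does not go looking for a missing second condition. Since the guarded block is the hardened `securityContext` (all capabilities dropped, non-root, read-only root filesystem, `RuntimeDefault` seccomp), a comment such as `{{- /* disabling enableSecurityContext leaves this container with no securityContext at all */ -}}` would make the effect of turning the flag off explicit. The `_nodeselector.tpl` hunk on this line is trivial.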
@@ -0,0 +1,18 @@ +{{- define "partials.proxy.config.annotations" -}} +{{- with .cpu }} +{{- with .request -}} +config.linkerd.io/proxy-cpu-request: {{. | quote}} +{{end}} +{{- with .limit -}} +config.linkerd.io/proxy-cpu-limit: {{. | quote}} +{{- end}} +{{- end}} +{{- with .memory }} +{{- with .request }} +config.linkerd.io/proxy-memory-request: {{. | quote}} +{{end}} +{{- with .limit -}} +config.linkerd.io/proxy-memory-limit: {{. | quote}} +{{- end}} +{{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy-init.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy-init.tpl new file mode 100644 index 000000000..91cc96e0a --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy-init.tpl 
@@ -0,0 +1,89 @@ +{{- define "partials.proxy-init" -}} +args: +{{- if (.Values.proxyInit.iptablesMode | default "legacy" | eq "nft") }} +- --firewall-bin-path +- "iptables-nft" +- --firewall-save-bin-path +- "iptables-nft-save" +{{- else if not (eq .Values.proxyInit.iptablesMode "legacy") }} +{{ fail (printf "Unsupported value \"%s\" for proxyInit.iptablesMode\nValid values: [\"nft\", \"legacy\"]" .Values.proxyInit.iptablesMode) }} +{{- end }} +- --incoming-proxy-port +- {{.Values.proxy.ports.inbound | quote}} +- --outgoing-proxy-port +- {{.Values.proxy.ports.outbound | quote}} +- --proxy-uid +- {{.Values.proxy.uid | quote}} +- --inbound-ports-to-ignore +- "{{.Values.proxy.ports.control}},{{.Values.proxy.ports.admin}}{{ternary (printf ",%s" (.Values.proxyInit.ignoreInboundPorts | toString)) "" (not (empty .Values.proxyInit.ignoreInboundPorts)) }}" +{{- if .Values.proxyInit.ignoreOutboundPorts }} +- --outbound-ports-to-ignore +- {{.Values.proxyInit.ignoreOutboundPorts | quote}} +{{- end }} +{{- if .Values.proxyInit.closeWaitTimeoutSecs }} +- --timeout-close-wait-secs +- {{ .Values.proxyInit.closeWaitTimeoutSecs | quote}} +{{- end }} +{{- if .Values.proxyInit.logFormat }} +- --log-format +- {{ .Values.proxyInit.logFormat }} +{{- end }} +{{- if .Values.proxyInit.logLevel }} +- --log-level +- {{ .Values.proxyInit.logLevel }} +{{- end }} +{{- if .Values.proxyInit.skipSubnets }} +- --subnets-to-ignore +- {{ .Values.proxyInit.skipSubnets | quote }} +{{- end }} +image: {{.Values.proxyInit.image.name}}:{{.Values.proxyInit.image.version}} +imagePullPolicy: {{.Values.proxyInit.image.pullPolicy | default .Values.imagePullPolicy}} +name: linkerd-init +{{ include "partials.resources" .Values.proxyInit.resources }} +securityContext: + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }} + allowPrivilegeEscalation: true + {{- else }} + allowPrivilegeEscalation: false + {{- end }} + capabilities: + add: + - NET_ADMIN + - NET_RAW + {{- if 
.Values.proxyInit.capabilities -}} + {{- if .Values.proxyInit.capabilities.add }} + {{- toYaml .Values.proxyInit.capabilities.add | trim | nindent 4 }} + {{- end }} + {{- if .Values.proxyInit.capabilities.drop -}} + {{- include "partials.proxy-init.capabilities.drop" . | nindent 4 -}} + {{- end }} + {{- end }} + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }} + privileged: true + {{- else }} + privileged: false + {{- end }} + {{- if .Values.proxyInit.runAsRoot }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + runAsNonRoot: true + runAsUser: {{ .Values.proxyInit.runAsUser | int | eq 0 | ternary 65534 .Values.proxyInit.runAsUser }} + {{- end }} + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault +terminationMessagePolicy: FallbackToLogsOnError +{{- if or (not .Values.cniEnabled) .Values.proxyInit.saMountPath }} +volumeMounts: +{{- end -}} +{{- if not .Values.cniEnabled }} +- mountPath: {{.Values.proxyInit.xtMountPath.mountPath}} + name: {{.Values.proxyInit.xtMountPath.name}} +{{- end -}} +{{- if .Values.proxyInit.saMountPath }} +- mountPath: {{.Values.proxyInit.saMountPath.mountPath}} + name: {{.Values.proxyInit.saMountPath.name}} + readOnly: {{.Values.proxyInit.saMountPath.readOnly}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy.tpl new file mode 100644 index 000000000..1db5c8779 --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy.tpl 
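Review bot: Setting `proxyInit.closeWaitTimeoutSecs` silently makes the init container privileged — both `allowPrivilegeEscalation` and `privileged` render `true` whenever `or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged` holds — and nothing in the template explains the coupling. A comment above the first of those two `if`s, e.g. `{{- /* closeWaitTimeoutSecs implies a privileged init container (presumably applying it needs more than NET_ADMIN/NET_RAW — confirm); it is treated exactly like proxyInit.privileged */ -}}`, would make that trade-off visible to whoever enables the timeout. The same condition is repeated for `privileged:` a few lines below, so a named variable at the top of the template would keep the two from drifting apart.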
@@ -0,0 +1,245 @@ +{{ define "partials.proxy" -}} +{{ if and .Values.proxy.nativeSidecar .Values.proxy.waitBeforeExitSeconds }} +{{ fail "proxy.nativeSidecar and waitBeforeExitSeconds cannot be used simultaneously" }} +{{- end }} +{{- $trustDomain := (.Values.identityTrustDomain | default .Values.clusterDomain) -}} +env: +- name: _pod_name + valueFrom: + fieldRef: + fieldPath: metadata.name +- name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace +- name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName +{{- if .Values.proxy.cores }} +- name: LINKERD2_PROXY_CORES + value: {{.Values.proxy.cores | quote}} +{{- end }} +{{ if .Values.proxy.requireIdentityOnInboundPorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_IDENTITY + value: {{.Values.proxy.requireIdentityOnInboundPorts | quote}} +{{ end -}} +{{ if .Values.proxy.requireTLSOnInboundPorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS + value: {{.Values.proxy.requireTLSOnInboundPorts | quote}} +{{ end -}} +- name: LINKERD2_PROXY_LOG + value: {{.Values.proxy.logLevel | quote}} +- name: LINKERD2_PROXY_LOG_FORMAT + value: {{.Values.proxy.logFormat | quote}} +- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: {{ternary "localhost.:8086" (printf "linkerd-dst-headless.%s.svc.%s.:8086" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}} +- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: {{.Values.clusterNetworks | quote}} +- name: LINKERD2_PROXY_POLICY_SVC_ADDR + value: {{ternary "localhost.:8090" (printf "linkerd-policy.%s.svc.%s.:8090" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}} +- name: LINKERD2_PROXY_POLICY_WORKLOAD + value: | + {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"} +- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY + value: {{.Values.proxy.defaultInboundPolicy}} +- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS + value: {{.Values.clusterNetworks | 
quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT + value: {{((.Values.proxy.control).streams).initialTimeout | default "" | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT + value: {{((.Values.proxy.control).streams).idleTimeout | default "" | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME + value: {{((.Values.proxy.control).streams).lifetime | default "" | quote}} +{{ if .Values.proxy.inboundConnectTimeout -}} +- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: {{.Values.proxy.inboundConnectTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.outboundConnectTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: {{.Values.proxy.outboundConnectTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.outboundDiscoveryCacheUnusedTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT + value: {{.Values.proxy.outboundDiscoveryCacheUnusedTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.inboundDiscoveryCacheUnusedTimeout -}} +- name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT + value: {{.Values.proxy.inboundDiscoveryCacheUnusedTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.disableOutboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} +{{ if .Values.proxy.disableInboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_INBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} +- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:{{.Values.proxy.ports.control}} +- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:{{.Values.proxy.ports.admin}} +- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:{{.Values.proxy.ports.outbound}} +- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:{{.Values.proxy.ports.inbound}} +- name: LINKERD2_PROXY_INBOUND_IPS + valueFrom: + fieldRef: + fieldPath: status.podIPs +- name: LINKERD2_PROXY_INBOUND_PORTS + value: {{ .Values.proxy.podInboundPorts | quote }} +{{ if .Values.proxy.isGateway -}} +- name: 
LINKERD2_PROXY_INBOUND_GATEWAY_SUFFIXES + value: {{printf "svc.%s." .Values.clusterDomain}} +{{ end -}} +{{ if .Values.proxy.isIngress -}} +- name: LINKERD2_PROXY_INGRESS_MODE + value: "true" +{{ end -}} +- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + {{- $internalDomain := printf "svc.%s." .Values.clusterDomain }} + value: {{ternary "." $internalDomain .Values.proxy.enableExternalProfiles}} +- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms +{{ if .Values.proxy.opaquePorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION + value: {{.Values.proxy.opaquePorts | quote}} +{{ end -}} +- name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"} +- name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +- name: _l5d_ns + value: {{.Release.Namespace}} +- name: _l5d_trustdomain + value: {{$trustDomain}} +- name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity +- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS +{{- /* +Pods in the `linkerd` namespace are not injected by the proxy injector and instead obtain +the trust anchor bundle from the `linkerd-identity-trust-roots` configmap. This should not +be used in other contexts. 
+*/}} +{{- if .Values.proxy.loadTrustBundleFromConfigMap }} + valueFrom: + configMapKeyRef: + name: linkerd-identity-trust-roots + key: ca-bundle.crt +{{ else }} + value: | + {{- required "Please provide the identity trust anchors" .Values.identityTrustAnchorsPEM | trim | nindent 4 }} +{{ end -}} +- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE +{{- if .Values.identity.serviceAccountTokenProjection }} + value: /var/run/secrets/tokens/linkerd-identity-token +{{ else }} + value: /var/run/secrets/kubernetes.io/serviceaccount/token +{{ end -}} +- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: {{ternary "localhost.:8080" (printf "linkerd-identity-headless.%s.svc.%s.:8080" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-identity")}} +- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_POLICY_SVC_NAME + value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +{{ if .Values.proxy.accessLog -}} +- name: LINKERD2_PROXY_ACCESS_LOG + value: {{.Values.proxy.accessLog | quote}} +{{ end -}} +{{ if .Values.proxy.shutdownGracePeriod -}} +- name: LINKERD2_PROXY_SHUTDOWN_GRACE_PERIOD + value: {{.Values.proxy.shutdownGracePeriod | quote}} +{{ end -}} +{{ if .Values.proxy.additionalEnv -}} +{{ toYaml .Values.proxy.additionalEnv }} +{{ end -}} +{{ if .Values.proxy.experimentalEnv -}} +{{ toYaml .Values.proxy.experimentalEnv }} +{{ end -}} +image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion}} +imagePullPolicy: 
{{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} +livenessProbe: + httpGet: + path: /live + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{.Values.proxy.livenessProbe.timeoutSeconds }} +name: linkerd-proxy +ports: +- containerPort: {{.Values.proxy.ports.inbound}} + name: linkerd-proxy +- containerPort: {{.Values.proxy.ports.admin}} + name: linkerd-admin +readinessProbe: + httpGet: + path: /ready + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{.Values.proxy.readinessProbe.timeoutSeconds }} +{{- if and .Values.proxy.nativeSidecar .Values.proxy.await }} +startupProbe: + httpGet: + path: /ready + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.startupProbe.initialDelaySeconds}} + periodSeconds: {{.Values.proxy.startupProbe.periodSeconds}} + failureThreshold: {{.Values.proxy.startupProbe.failureThreshold}} +{{- end }} +{{- if .Values.proxy.resources }} +{{ include "partials.resources" .Values.proxy.resources }} +{{- end }} +securityContext: + allowPrivilegeEscalation: false + {{- if .Values.proxy.capabilities -}} + {{- include "partials.proxy.capabilities" . 
| nindent 2 -}} + {{- end }} + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.proxy.uid}} + seccompProfile: + type: RuntimeDefault +terminationMessagePolicy: FallbackToLogsOnError +{{- if and (not .Values.proxy.nativeSidecar) (or .Values.proxy.await .Values.proxy.waitBeforeExitSeconds) }} +lifecycle: +{{- if .Values.proxy.await }} + postStart: + exec: + command: + - /usr/lib/linkerd/linkerd-await + - --timeout=2m + - --port={{.Values.proxy.ports.admin}} +{{- end }} +{{- if .Values.proxy.waitBeforeExitSeconds }} + preStop: + exec: + command: + - /bin/sleep + - {{.Values.proxy.waitBeforeExitSeconds | quote}} +{{- end }} +{{- end }} +volumeMounts: +- mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity +{{- if .Values.identity.serviceAccountTokenProjection }} +- mountPath: /var/run/secrets/tokens + name: linkerd-identity-token +{{- end }} +{{- if .Values.proxy.saMountPath }} +- mountPath: {{.Values.proxy.saMountPath.mountPath}} + name: {{.Values.proxy.saMountPath.name}} + readOnly: {{.Values.proxy.saMountPath.readOnly}} +{{- end -}} +{{- if .Values.proxy.nativeSidecar }} +restartPolicy: Always +{{- end -}} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_pull-secrets.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_pull-secrets.tpl new file mode 100644 index 000000000..0c9aa4f01 --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_pull-secrets.tpl @@ -0,0 +1,6 @@ +{{- define "partials.image-pull-secrets"}} +{{- if . }} +imagePullSecrets: +{{ toYaml . | indent 2 }} +{{- end }} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_resources.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_resources.tpl new file mode 100644 index 000000000..1fd6789fd --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_resources.tpl 
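Review bot: `LINKERD2_PROXY_INBOUND_DEFAULT_POLICY` is rendered without `| quote` (`value: {{.Values.proxy.defaultInboundPolicy}}`) while its neighbours such as `LINKERD2_PROXY_LOG` and `LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS` are quoted; `value: {{.Values.proxy.defaultInboundPolicy | quote}}` keeps this security-relevant value a YAML string whatever an operator puts in values. Separately, `proxy.additionalEnv` and `proxy.experimentalEnv` are appended after the chart's fixed entries, so an operator-supplied duplicate of a name like `LINKERD2_PROXY_IDENTITY_SVC_ADDR` follows the chart's own; a short comment stating which entry is expected to win, or a `fail` on duplicate names, would make that explicit. The `_pull-secrets.tpl` hunk on this line is trivial.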
@@ -0,0 +1,28 @@ +{{- define "partials.resources" -}} +{{- $ephemeralStorage := index . "ephemeral-storage" -}} +resources: + {{- if or (.cpu).limit (.memory).limit ($ephemeralStorage).limit }} + limits: + {{- with (.cpu).limit }} + cpu: {{. | quote}} + {{- end }} + {{- with (.memory).limit }} + memory: {{. | quote}} + {{- end }} + {{- with ($ephemeralStorage).limit }} + ephemeral-storage: {{. | quote}} + {{- end }} + {{- end }} + {{- if or (.cpu).request (.memory).request ($ephemeralStorage).request }} + requests: + {{- with (.cpu).request }} + cpu: {{. | quote}} + {{- end }} + {{- with (.memory).request }} + memory: {{. | quote}} + {{- end }} + {{- with ($ephemeralStorage).request }} + ephemeral-storage: {{. | quote}} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_tolerations.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_tolerations.tpl new file mode 100644 index 000000000..c2292b146 --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_tolerations.tpl @@ -0,0 +1,4 @@ +{{- define "linkerd.tolerations" -}} +tolerations: +{{ toYaml .Values.tolerations | trim | indent 2 }} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_trace.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_trace.tpl new file mode 100644 index 000000000..dee059541 --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_trace.tpl @@ -0,0 +1,5 @@ +{{ define "partials.linkerd.trace" -}} +{{ if .Values.controlPlaneTracing -}} +- -trace-collector=collector.{{.Values.controlPlaneTracingNamespace}}.svc.{{.Values.clusterDomain}}:55678 +{{ end -}} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_validate.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_validate.tpl new file mode 100644 index 000000000..ba772c2fe --- /dev/null +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_validate.tpl 
@@ -0,0 +1,19 @@
+{{- define "linkerd.webhook.validation" -}}
+
+{{- if and (.injectCaFrom) (.injectCaFromSecret) -}}
+{{- fail "injectCaFrom and injectCaFromSecret cannot both be set" -}}
+{{- end -}}
+
+{{- if and (or (.injectCaFrom) (.injectCaFromSecret)) (.caBundle) -}}
+{{- fail "injectCaFrom or injectCaFromSecret cannot be set if providing a caBundle" -}}
+{{- end -}}
+
+{{- if and (.externalSecret) (empty .caBundle) (empty .injectCaFrom) (empty .injectCaFromSecret) -}}
+{{- fail "if externalSecret is set, then caBundle, injectCaFrom, or injectCaFromSecret must be set" -}}
+{{- end }}
+
+{{- if and (or .injectCaFrom .injectCaFromSecret .caBundle) (not .externalSecret) -}}
+{{- fail "if caBundle, injectCaFrom, or injectCaFromSecret is set, then externalSecret must be set" -}}
+{{- end -}}
+
+{{- end -}}
diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_volumes.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_volumes.tpl
new file mode 100644
index 000000000..9684cf240
--- /dev/null
+++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_volumes.tpl
@@ -0,0 +1,20 @@
+{{ define "partials.proxy.volumes.identity" -}}
+emptyDir:
+ medium: Memory
+name: linkerd-identity-end-entity
+{{- end -}}
+
+{{ define "partials.proxyInit.volumes.xtables" -}}
+emptyDir: {}
+name: {{ .Values.proxyInit.xtMountPath.name }}
+{{- end -}}
+
+{{- define "partials.proxy.volumes.service-account-token" -}}
+name: linkerd-identity-token
+projected:
+ sources:
+ - serviceAccountToken:
+ path: linkerd-identity-token
+ expirationSeconds: 86400 {{- /* # 24 hours */}}
+ audience: identity.l5d.io
+{{- end -}}
diff --git a/charts/linkerd/linkerd-crds/charts/partials/values.yaml b/charts/linkerd/linkerd-crds/charts/partials/values.yaml
new file mode 100644
index 000000000..e69de29bb
diff --git a/charts/linkerd/linkerd-crds/templates/NOTES.txt b/charts/linkerd/linkerd-crds/templates/NOTES.txt
new file mode 100644
index 000000000..4ff5c1818
--- /dev/null
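Review bot: The four guards in `linkerd.webhook.validation` test the same fields three different ways: the third uses `(empty .caBundle)`, the last uses `(not .externalSecret)`, and the first two wrap single fields in redundant parentheses such as `(.injectCaFrom)`. Writing them uniformly, e.g. `{{- if and .externalSecret (not .caBundle) (not .injectCaFrom) (not .injectCaFromSecret) -}}`, makes it visible that the last two guards are each other's contrapositive and that the first two enforce "at most one CA source". A one-line comment above the define stating the intended rule — `externalSecret` must be set together with exactly one of `caBundle`, `injectCaFrom` or `injectCaFromSecret`, otherwise none of them — would document the contract in one place instead of spreading it across four error strings.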
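Review bot: The projected token in `partials.proxy.volumes.service-account-token` hardcodes `expirationSeconds: 86400`, so an operator who wants a shorter-lived token for the `identity.l5d.io` audience (presumably what the proxy presents to the identity service) has no knob short of forking the partial. Reading it from values with the current behaviour as the default keeps compatibility: `expirationSeconds: {{ .Values.identity.serviceAccountTokenExpirationSeconds | default 86400 }}`. The inline `{{- /* # 24 hours */}}` is trimmed out of the rendered manifest, so the explanation of the lifetime is better placed as a comment on the define itself. Separately, `partials.proxy.volumes.identity` keeps the end-entity material on a `medium: Memory` emptyDir while `partials.proxyInit.volumes.xtables` uses a disk-backed `emptyDir: {}`; a short comment noting that the tmpfs choice is deliberate for key material would stop a future edit from "aligning" the two.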
+++ b/charts/linkerd/linkerd-crds/templates/NOTES.txt
@@ -0,0 +1,6 @@
+The linkerd-crds chart was successfully installed 🎉
+
+To complete the linkerd core installation, please now proceed to install the
+linkerd-control-plane chart in the {{ .Release.Namespace }} namespace.
+
+Looking for more? Visit https://linkerd.io/2/getting-started/
diff --git a/charts/linkerd/linkerd-crds/templates/gateway.networking.k8s.io_httproutes.yaml b/charts/linkerd/linkerd-crds/templates/gateway.networking.k8s.io_httproutes.yaml
new file mode 100644
index 000000000..2a88ae2fa
--- /dev/null
+++ b/charts/linkerd/linkerd-crds/templates/gateway.networking.k8s.io_httproutes.yaml
@@ -0,0 +1,4012 @@ +{{- if .Values.enableHttpRoutes }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1923 + gateway.networking.k8s.io/bundle-version: v0.7.1-dev + gateway.networking.k8s.io/channel: experimental + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} + creationTimestamp: null + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and + will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute used to process + the request. Implementations MUST ignore any port value specified + in the HTTP Host header while performing a match and (absent of + any applicable header modification configuration) MUST forward this + header unmodified to the backend. \n Valid values for Hostnames + are determined by RFC 1123 definition of a hostname with 2 notable + exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed + with a wildcard label (`*.`). The wildcard label must appear by + itself as the first label. \n If a hostname is specified by both + the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at + least one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. 
\n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n In the event that multiple HTTPRoutes specify + intersecting hostnames (e.g. overlapping wildcard matching and exact + matching hostnames), precedence must be given to rules from the + HTTPRoute with the largest number of: \n * Characters in a matching + non-wildcard hostname. * Characters in a matching hostname. \n If + ties exist across multiple Routes, the matching precedence rules + for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." 
+ maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. 
\n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the core + API group (such as for a \"Service\" kind referent), Group + must be explicitly set to \"\" (empty string). \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified, this refers to the local namespace of the Route. + \n Note that there are specific rules for ParentRefs which + cross namespace boundaries. Cross-namespace references are + only valid if they are explicitly allowed by something in + the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It + can be interpreted differently based on the type of parent + resource. \n When the parent resource is a Gateway, this targets + all listeners listening on the specified port that also support + this kind of Route(and select this Route). 
It's not recommended + to set `Port` unless the networking behaviors specified in + a Route must apply to a specific port as opposed to a listener(s) + whose port(s) may be changed. When both Port and SectionName + are specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY choose + to support other parent resources. Implementations supporting + other types of parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose of status, an attachment + is considered successful as long as the parent resource accepts + it partially. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. 
If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches), processing it (filters), + and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. 
+ \n Support: Core for Kubernetes Service \n Support: Extended + for Kubernetes ServiceImport \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for + a filter that mirrors requests. Requests are sent + to the specified destination, but responses from + that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource + where mirrored requests are sent. \n If the + referent cannot be found, this BackendRef + is invalid and must be dropped from the Gateway. 
+ The controller must ensure the \"ResolvedRefs\" + condition on the Route status is set to `status: + False` and not configure this backend in the + underlying implementation. \n If there is + a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: + False`, with the \"RefNotPermitted\" reason + and not configure this backend in the underlying + implementation. \n In either error case, the + Message of the `ResolvedRefs` Condition should + be used to provide more detail about the problem. + \n Support: Extended for Kubernetes Service + \n Support: Implementation-specific for any + other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to + CNAME DNS records that may live outside + of the cluster and as such are difficult + to reason about in terms of conformance. + They also may not be safe to forward to + (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with + a type other than ExternalName) \n Support: + Implementation-specific (Services with + type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace + of the backend. 
When unspecified, the + local namespace is inferred. \n Note that + when a namespace different than the local + namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept + the reference. See the ReferenceGrant + documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. 
+ maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. 
\n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. 
\n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". 
Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a + filter that modifies a request during forwarding. + \n Support: Extended" + properties: + hostname: + description: "Hostname is the value to be used + to replace the Host header value during forwarding. + \n Support: Extended" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n + Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. 
+ maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. 
+ maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource kind of + the referent. For example \"Service\". \n Defaults to + \"Service\" when not specified. \n ExternalName services + can refer to CNAME DNS records that may live outside + of the cluster and as such are difficult to reason about + in terms of conformance. They also may not be safe to + forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName Services. + \n Support: Core (Services with a type other than ExternalName) + \n Support: Implementation-specific (Services with type + ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace different than the local + namespace is specified, a ReferenceGrant object is required + in the referent namespace to allow that namespace's + owner to accept the reference. See the ReferenceGrant + documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. 
This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or implementation-specific + conformance. \n All filters are expected to be compatible + with each other except for the URLRewrite and RequestRedirect + filters, which may not be combined. If an implementation can + not support other combinations of filters, they must clearly + document that limitation. In all cases where incompatible + or unsupported filters are specified, implementations MUST + add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. 
+ HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For + example, "gateway.networking.k8s.io". When unspecified + or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. 
Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. 
Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter + that mirrors requests. Requests are sent to the specified + destination, but responses from that destination are + ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where + mirrored requests are sent. \n If the referent cannot + be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure + the \"ResolvedRefs\" condition on the Route status + is set to `status: False` and not configure this + backend in the underlying implementation. \n If + there is a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: False`, + with the \"RefNotPermitted\" reason and not configure + this backend in the underlying implementation. \n + In either error case, the Message of the `ResolvedRefs` + Condition should be used to provide more detail + about the problem. \n Support: Extended for Kubernetes + Service \n Support: Implementation-specific for + any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". When + unspecified or empty string, core API group + is inferred. 
+ maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to CNAME + DNS records that may live outside of the cluster + and as such are difficult to reason about in + terms of conformance. They also may not be safe + to forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with a + type other than ExternalName) \n Support: Implementation-specific + (Services with type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the + backend. When unspecified, the local namespace + is inferred. \n Note that when a namespace different + than the local namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept the + reference. See the ReferenceGrant documentation + for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port + number to use for this resource. Port is required + when the referent is a Kubernetes Service. In + this case, the port number is the service port + number, not the target port. For other resources, + destination port might be derived from the referent + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname in the `Host` header of + the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify + the path of the incoming request. The modified path + is then used to construct the `Location` header. + When empty, the request path is used as-is. \n Support: + Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the value + with which to replace the full path of a request + during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the + value with which to replace the prefix match + of a request during a rewrite or redirect. For + example, a request to \"/foo/bar\" with a prefix + match of \"/foo\" and a ReplacePrefixMatch of + \"/xyz\" would be modified to \"/xyz/bar\". + \n Note that this matches the behavior of the + PathPrefix match type. This matches full path + elements. A path element refers to the list + of labels in the path split by the `/` separator. + When specified, a trailing `/` is ignored. For + example, the paths `/abc`, `/abc/`, and `/abc/def` + would all match the prefix `/abc`, but the path + `/abcd` would not. 
\n Request Path | Prefix + Match | Replace Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | /xyz/ + \ | /xyz/bar /foo/bar | /foo/ | + /xyz | /xyz/bar /foo/bar | /foo/ + \ | /xyz/ | /xyz/bar /foo | + /foo | /xyz | /xyz /foo/ | + /foo | /xyz | /xyz/ /foo/bar + \ | /foo | | /bar + /foo/ | /foo | + | / /foo | /foo | + | / /foo/ | /foo | / | + / /foo | /foo | / | + /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. + Additional types may be added in a future release + of the API. \n Note that values may be added + to this enum, implementations must ensure that + unknown values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the Route + to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. \n If + no port is specified, the redirect port MUST be + derived using the following rules: \n * If redirect + scheme is not-empty, the redirect port MUST be the + well-known port associated with the redirect scheme. + Specifically \"http\" to port 80 and \"https\" to + port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway + SHOULD be used. * If redirect scheme is empty, the + redirect port MUST be the Gateway Listener port. + \n Implementations SHOULD NOT add the port number + in the 'Location' header in the following cases: + \n * A Location header that will use HTTP (whether + that is determined via the Listener protocol or + the Scheme field) _and_ use port 80. * A Location + header that will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) _and_ + use port 443. 
\n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Scheme redirects can affect the port of the redirect, + for more information, refer to the documentation + for the port field of this filter. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause a + crash. \n Unknown values here must result in the + implementation setting the Accepted Condition for + the Route to `status: False`, with a Reason of `UnsupportedValue`. + \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. \n Unknown + values here must result in the implementation setting + the Accepted Condition for the Route to `status: + False`, with a Reason of `UnsupportedValue`. \n + Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n Support: + Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. 
(See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. 
Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations must support core filters. \n - + Extended: Filter types and their corresponding configuration + defined by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged to support + extended filters. \n - Implementation-specific: Filters + that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior + across multiple implementations will be considered for + inclusion in extended or core conformance levels. Filter-specific + configuration for such filters is specified using the + ExtensionRef field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged to + define custom implementation types to extend the core + API with implementation-specific behavior. \n If a reference + to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have + been processed by that filter MUST receive a HTTP error + response. \n Note that values may be added to this enum, + implementations must ensure that unknown values will + not cause a crash. 
\n Unknown values here must result + in the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter + that modifies a request during forwarding. \n Support: + Extended" + properties: + hostname: + description: "Hostname is the value to be used to + replace the Host header value during forwarding. + \n Support: Extended" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: + Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the value + with which to replace the full path of a request + during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the + value with which to replace the prefix match + of a request during a rewrite or redirect. For + example, a request to \"/foo/bar\" with a prefix + match of \"/foo\" and a ReplacePrefixMatch of + \"/xyz\" would be modified to \"/xyz/bar\". + \n Note that this matches the behavior of the + PathPrefix match type. This matches full path + elements. A path element refers to the list + of labels in the path split by the `/` separator. + When specified, a trailing `/` is ignored. For + example, the paths `/abc`, `/abc/`, and `/abc/def` + would all match the prefix `/abc`, but the path + `/abcd` would not. 
\n Request Path | Prefix + Match | Replace Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | /xyz/ + \ | /xyz/bar /foo/bar | /foo/ | + /xyz | /xyz/bar /foo/bar | /foo/ + \ | /xyz/ | /xyz/bar /foo | + /foo | /xyz | /xyz /foo/ | + /foo | /xyz | /xyz/ /foo/bar + \ | /foo | | /bar + /foo/ | /foo | + | / /foo | /foo | + | / /foo/ | /foo | / | + / /foo | /foo | / | + /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. + Additional types may be added in a future release + of the API. \n Note that values may be added + to this enum, implementations must ensure that + unknown values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the Route + to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" + value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request + to match against this rule, a request must satisfy EITHER + of the two conditions: \n - path prefixed with `/foo` AND + contains the header `version: v2` - path prefix of `/v2/foo` + \n See the documentation for HTTPRouteMatch on how to specify + multiple match conditions that should be ANDed together. \n + If no matches are specified, the default is a prefix path + match on \"/\", which has the effect of matching every HTTP + request. 
\n Proxy or Load Balancer routing configuration generated + from HTTPRoutes MUST prioritize matches based on the following + criteria, continuing on ties. Across all rules specified on + applicable Routes, precedence must be given to the match having: + \n * \"Exact\" path match. * \"Prefix\" path match with largest + number of characters. * Method match. * Largest number of + header matches. * Largest number of query param matches. \n + Note: The precedence of RegularExpression path matches are + implementation-specific. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within an HTTPRoute, matching precedence MUST + be granted to the FIRST matching rule (in list order) with + a match meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: \n path: value: \"/foo\" headers: - name: \"version\" + value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. 
+ properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType has + implementation-specific conformance, implementations + can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's + documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. 
\n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. \n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is *recommended* that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. 
+ \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, + PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. 
An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. 
This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. 
The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the + core API group (such as for a \"Service\" kind referent), + Group must be explicitly set to \"\" (empty string). \n + Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. 
\n Support: + Core (Gateway) \n Support: Implementation-specific (Other + Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified, this refers to the local namespace of + the Route. \n Note that there are specific rules for ParentRefs + which cross namespace boundaries. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. 
If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
+ \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute used to process + the request. 
Implementations MUST ignore any port value specified + in the HTTP Host header while performing a match and (absent of + any applicable header modification configuration) MUST forward this + header unmodified to the backend. \n Valid values for Hostnames + are determined by RFC 1123 definition of a hostname with 2 notable + exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed + with a wildcard label (`*.`). The wildcard label must appear by + itself as the first label. \n If a hostname is specified by both + the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at + least one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. 
The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n In the event that multiple HTTPRoutes specify + intersecting hostnames (e.g. overlapping wildcard matching and exact + matching hostnames), precedence must be given to rules from the + HTTPRoute with the largest number of: \n * Characters in a matching + non-wildcard hostname. * Characters in a matching hostname. \n If + ties exist across multiple Routes, the matching precedence rules + for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. 
This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the core + API group (such as for a \"Service\" kind referent), Group + must be explicitly set to \"\" (empty string). \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. 
\n Support: Core + (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified, this refers to the local namespace of the Route. + \n Note that there are specific rules for ParentRefs which + cross namespace boundaries. Cross-namespace references are + only valid if they are explicitly allowed by something in + the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It + can be interpreted differently based on the type of parent + resource. \n When the parent resource is a Gateway, this targets + all listeners listening on the specified port that also support + this kind of Route(and select this Route). It's not recommended + to set `Port` unless the networking behaviors specified in + a Route must apply to a specific port as opposed to a listener(s) + whose port(s) may be changed. When both Port and SectionName + are specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY choose + to support other parent resources. Implementations supporting + other types of parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose of status, an attachment + is considered successful as long as the parent resource accepts + it partially. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. 
If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches), processing it (filters), + and forwarding the request to an API object (backendRefs). 
+ properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Extended + for Kubernetes ServiceImport \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. 
API + guarantee/conformance is defined based on the type + of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. 
Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for + a filter that mirrors requests. Requests are sent + to the specified destination, but responses from + that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource + where mirrored requests are sent. \n If the + referent cannot be found, this BackendRef + is invalid and must be dropped from the Gateway. + The controller must ensure the \"ResolvedRefs\" + condition on the Route status is set to `status: + False` and not configure this backend in the + underlying implementation. \n If there is + a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: + False`, with the \"RefNotPermitted\" reason + and not configure this backend in the underlying + implementation. \n In either error case, the + Message of the `ResolvedRefs` Condition should + be used to provide more detail about the problem. + \n Support: Extended for Kubernetes Service + \n Support: Implementation-specific for any + other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". 
+ \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to + CNAME DNS records that may live outside + of the cluster and as such are difficult + to reason about in terms of conformance. + They also may not be safe to forward to + (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with + a type other than ExternalName) \n Support: + Implementation-specific (Services with + type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace + of the backend. When unspecified, the + local namespace is inferred. \n Note that + when a namespace different than the local + namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept + the reference. See the ReferenceGrant + documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. 
When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. 
\n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. 
+ \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. 
As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a + filter that modifies a request during forwarding. + \n Support: Extended" + properties: + hostname: + description: "Hostname is the value to be used + to replace the Host header value during forwarding. 
+ \n Support: Extended" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n + Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. 
\n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource kind of + the referent. For example \"Service\". \n Defaults to + \"Service\" when not specified. \n ExternalName services + can refer to CNAME DNS records that may live outside + of the cluster and as such are difficult to reason about + in terms of conformance. They also may not be safe to + forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName Services. + \n Support: Core (Services with a type other than ExternalName) + \n Support: Implementation-specific (Services with type + ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace different than the local + namespace is specified, a ReferenceGrant object is required + in the referent namespace to allow that namespace's + owner to accept the reference. See the ReferenceGrant + documentation for details. 
\n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. 
\n Specifying + a core filter multiple times has unspecified or implementation-specific + conformance. \n All filters are expected to be compatible + with each other except for the URLRewrite and RequestRedirect + filters, which may not be combined. If an implementation can + not support other combinations of filters, they must clearly + document that limitation. In all cases where incompatible + or unsupported filters are specified, implementations MUST + add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For + example, "gateway.networking.k8s.io". When unspecified + or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter + that mirrors requests. Requests are sent to the specified + destination, but responses from that destination are + ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where + mirrored requests are sent. \n If the referent cannot + be found, this BackendRef is invalid and must be + dropped from the Gateway. 
The controller must ensure + the \"ResolvedRefs\" condition on the Route status + is set to `status: False` and not configure this + backend in the underlying implementation. \n If + there is a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: False`, + with the \"RefNotPermitted\" reason and not configure + this backend in the underlying implementation. \n + In either error case, the Message of the `ResolvedRefs` + Condition should be used to provide more detail + about the problem. \n Support: Extended for Kubernetes + Service \n Support: Implementation-specific for + any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". When + unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to CNAME + DNS records that may live outside of the cluster + and as such are difficult to reason about in + terms of conformance. They also may not be safe + to forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with a + type other than ExternalName) \n Support: Implementation-specific + (Services with type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the + backend. When unspecified, the local namespace + is inferred. 
\n Note that when a namespace different + than the local namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept the + reference. See the ReferenceGrant documentation + for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port + number to use for this resource. Port is required + when the referent is a Kubernetes Service. In + this case, the port number is the service port + number, not the target port. For other resources, + destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname in the `Host` header of + the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify + the path of the incoming request. The modified path + is then used to construct the `Location` header. + When empty, the request path is used as-is. \n Support: + Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the value + with which to replace the full path of a request + during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the + value with which to replace the prefix match + of a request during a rewrite or redirect. 
For + example, a request to \"/foo/bar\" with a prefix + match of \"/foo\" and a ReplacePrefixMatch of + \"/xyz\" would be modified to \"/xyz/bar\". + \n Note that this matches the behavior of the + PathPrefix match type. This matches full path + elements. A path element refers to the list + of labels in the path split by the `/` separator. + When specified, a trailing `/` is ignored. For + example, the paths `/abc`, `/abc/`, and `/abc/def` + would all match the prefix `/abc`, but the path + `/abcd` would not. \n Request Path | Prefix + Match | Replace Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | /xyz/ + \ | /xyz/bar /foo/bar | /foo/ | + /xyz | /xyz/bar /foo/bar | /foo/ + \ | /xyz/ | /xyz/bar /foo | + /foo | /xyz | /xyz /foo/ | + /foo | /xyz | /xyz/ /foo/bar + \ | /foo | | /bar + /foo/ | /foo | + | / /foo | /foo | + | / /foo/ | /foo | / | + / /foo | /foo | / | + /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. + Additional types may be added in a future release + of the API. \n Note that values may be added + to this enum, implementations must ensure that + unknown values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the Route + to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. \n If + no port is specified, the redirect port MUST be + derived using the following rules: \n * If redirect + scheme is not-empty, the redirect port MUST be the + well-known port associated with the redirect scheme. + Specifically \"http\" to port 80 and \"https\" to + port 443. 
If the redirect scheme does not have a + well-known port, the listener port of the Gateway + SHOULD be used. * If redirect scheme is empty, the + redirect port MUST be the Gateway Listener port. + \n Implementations SHOULD NOT add the port number + in the 'Location' header in the following cases: + \n * A Location header that will use HTTP (whether + that is determined via the Listener protocol or + the Scheme field) _and_ use port 80. * A Location + header that will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) _and_ + use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Scheme redirects can affect the port of the redirect, + for more information, refer to the documentation + for the port field of this filter. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause a + crash. \n Unknown values here must result in the + implementation setting the Accepted Condition for + the Route to `status: False`, with a Reason of `UnsupportedValue`. + \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. \n Unknown + values here must result in the implementation setting + the Accepted Condition for the Route to `status: + False`, with a Reason of `UnsupportedValue`. \n + Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. 
\n Support: + Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. 
\n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations must support core filters. \n - + Extended: Filter types and their corresponding configuration + defined by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged to support + extended filters. \n - Implementation-specific: Filters + that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior + across multiple implementations will be considered for + inclusion in extended or core conformance levels. 
Filter-specific + configuration for such filters is specified using the + ExtensionRef field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged to + define custom implementation types to extend the core + API with implementation-specific behavior. \n If a reference + to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have + been processed by that filter MUST receive a HTTP error + response. \n Note that values may be added to this enum, + implementations must ensure that unknown values will + not cause a crash. \n Unknown values here must result + in the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter + that modifies a request during forwarding. \n Support: + Extended" + properties: + hostname: + description: "Hostname is the value to be used to + replace the Host header value during forwarding. + \n Support: Extended" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: + Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the value + with which to replace the full path of a request + during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the + value with which to replace the prefix match + of a request during a rewrite or redirect. For + example, a request to \"/foo/bar\" with a prefix + match of \"/foo\" and a ReplacePrefixMatch of + \"/xyz\" would be modified to \"/xyz/bar\". 
+ \n Note that this matches the behavior of the + PathPrefix match type. This matches full path + elements. A path element refers to the list + of labels in the path split by the `/` separator. + When specified, a trailing `/` is ignored. For + example, the paths `/abc`, `/abc/`, and `/abc/def` + would all match the prefix `/abc`, but the path + `/abcd` would not. \n Request Path | Prefix + Match | Replace Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | /xyz/ + \ | /xyz/bar /foo/bar | /foo/ | + /xyz | /xyz/bar /foo/bar | /foo/ + \ | /xyz/ | /xyz/bar /foo | + /foo | /xyz | /xyz /foo/ | + /foo | /xyz | /xyz/ /foo/bar + \ | /foo | | /bar + /foo/ | /foo | + | / /foo | /foo | + | / /foo/ | /foo | / | + / /foo | /foo | / | + /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. + Additional types may be added in a future release + of the API. \n Note that values may be added + to this enum, implementations must ensure that + unknown values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the Route + to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. 
\n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" + value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request + to match against this rule, a request must satisfy EITHER + of the two conditions: \n - path prefixed with `/foo` AND + contains the header `version: v2` - path prefix of `/v2/foo` + \n See the documentation for HTTPRouteMatch on how to specify + multiple match conditions that should be ANDed together. \n + If no matches are specified, the default is a prefix path + match on \"/\", which has the effect of matching every HTTP + request. \n Proxy or Load Balancer routing configuration generated + from HTTPRoutes MUST prioritize matches based on the following + criteria, continuing on ties. Across all rules specified on + applicable Routes, precedence must be given to the match having: + \n * \"Exact\" path match. * \"Prefix\" path match with largest + number of characters. * Method match. * Largest number of + header matches. * Largest number of query param matches. \n + Note: The precedence of RegularExpression path matches are + implementation-specific. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within an HTTPRoute, matching precedence MUST + be granted to the FIRST matching rule (in list order) with + a match meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. 
\n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: \n path: value: \"/foo\" headers: - name: \"version\" + value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType has + implementation-specific conformance, implementations + can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's + documentation to determine the supported dialect." 
+ enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. 
\n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is *recommended* that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. + \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, + PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. 
When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. 
For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the + core API group (such as for a \"Service\" kind referent), + Group must be explicitly set to \"\" (empty string). 
\n + Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) \n Support: Implementation-specific (Other + Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified, this refers to the local namespace of + the Route. \n Note that there are specific rules for ParentRefs + which cross namespace boundaries. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. 
\n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
+ \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +{{- end }} diff --git a/charts/linkerd/linkerd-crds/templates/policy/authorization-policy.yaml b/charts/linkerd/linkerd-crds/templates/policy/authorization-policy.yaml new file mode 100644 index 000000000..7d86520e2 --- /dev/null +++ b/charts/linkerd/linkerd-crds/templates/policy/authorization-policy.yaml 
@@ -0,0 +1,99 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: authorizationpolicies.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: AuthorizationPolicy + plural: authorizationpolicies + singular: authorizationpolicy + shortNames: [authzpolicy] + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + Authorizes clients to communicate with Linkerd-proxied server + resources. + type: object + required: [targetRef, requiredAuthenticationRefs] + properties: + targetRef: + description: >- + TargetRef references a resource to which the authorization + policy applies. + type: object + required: [kind, name] + # Modified from the gateway API. + # Copyright 2020 The Kubernetes Authors + properties: + group: + description: >- + Group is the group of the referent. When empty, the + Kubernetes core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + requiredAuthenticationRefs: + description: >- + RequiredAuthenticationRefs enumerates a set of required + authentications. ALL authentications must be satisfied for + the authorization to apply. If any of the referred objects + cannot be found, the authorization will be ignored. 
+ type: array + items: + type: object + required: [kind, name] + properties: + group: + description: >- + Group is the group of the referent. When empty, the + Kubernetes core API group is inferred." + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: >- + Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Name is the name of the referent. When unspecified, + this authentication refers to the local namespace. + maxLength: 253 + type: string diff --git a/charts/linkerd/linkerd-crds/templates/policy/httproute.yaml b/charts/linkerd/linkerd-crds/templates/policy/httproute.yaml new file mode 100644 index 000000000..9aaaefc4f --- /dev/null +++ b/charts/linkerd/linkerd-crds/templates/policy/httproute.yaml 
@@ -0,0 +1,5216 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: httproutes.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + names: + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. 
This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. 
This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." 
+ items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "port" + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. 
For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + type: array + items: + type: object + properties: + name: + type: string + port: + type: integer + namespace: + type: string + default: "default" + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. 
+ properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. 
+ \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. 
\n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. 
+ \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. 
As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. 
+ \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. 
Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. 
Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. 
+ When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. 
+ As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations must support core filters. \n\n " + enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". 
\n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. 
+ items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. 
\n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. 
+ \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. 
\n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
+ \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. 
A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). 
The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. 
This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "port" + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. 
If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + type: array + items: + type: object + properties: + name: + type: string + port: + type: integer + namespace: + type: string + default: "default" + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. 
It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. 
\n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. 
\n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." 
+ enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. 
\n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. 
+ Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. 
\n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. 
\n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. 
Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. 
+ \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\"." 
+ enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. 
\n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. 
\n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. 
(See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. 
+ properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. 
+ format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. 
The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. 
\n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
+ \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. 
A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). 
The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. 
This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. 
If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. 
+ \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". Defaults to "Service" when + not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace is specified, a ReferenceGrant + object is required in the referent namespace to allow + that namespace's owner to accept the reference. See + the ReferenceGrant documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. 
\n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. 
+ properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. 
For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. 
If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. 
\n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. 
\n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. 
Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. 
In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. 
+ \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\"." 
+ enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. 
\n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. 
\n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. 
(See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. 
+ properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. 
+ format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. 
The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. 
\n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
+ \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta3 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. 
A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). 
The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. 
This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. 
If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. 
+ \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". Defaults to "Service" when + not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace is specified, a ReferenceGrant + object is required in the referent namespace to allow + that namespace's owner to accept the reference. See + the ReferenceGrant documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. 
\n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. 
+ properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. 
For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. 
If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. 
\n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. 
\n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. 
Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. 
In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. 
+ \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\"." 
+ enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. 
\n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. 
\n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. 
(See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + timeouts: + description: "Timeouts defines the timeouts that can be configured + for an HTTP request. \n Support: Core \n " + properties: + backendRequest: + description: "BackendRequest specifies a timeout for an + individual request from the gateway to a backend service. + Typically used in conjunction with automatic retries, + if supported by an implementation. Default is the value + of Request timeout. \n Support: Extended" + format: duration + type: string + request: + description: "Request specifies a timeout for responding + to client HTTP requests, disabled by default. \n For example, + the following rule will timeout if a client request is + taking longer than 10 seconds to complete: \n ``` rules: + - timeouts: request: 10s backendRefs: ... ``` \n Support: + Core" + format: duration + type: string + type: object + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. 
+ properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." 
+ items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. 
+ properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
+ \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/linkerd/linkerd-crds/templates/policy/meshtls-authentication.yaml b/charts/linkerd/linkerd-crds/templates/policy/meshtls-authentication.yaml new file mode 100644 index 000000000..58ee815f5 --- /dev/null +++ b/charts/linkerd/linkerd-crds/templates/policy/meshtls-authentication.yaml 
@@ -0,0 +1,87 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: meshtlsauthentications.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: MeshTLSAuthentication + plural: meshtlsauthentications + singular: meshtlsauthentication + shortNames: [meshtlsauthn] + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + MeshTLSAuthentication defines a list of authenticated client IDs + to be referenced by an `AuthorizationPolicy`. If a client + connection has the mutually-authenticated identity that matches + ANY of the of the provided identities, the connection is + considered authenticated. + type: object + oneOf: + - required: [identities] + - required: [identityRefs] + properties: + identities: + description: >- + Authorizes clients with the provided proxy identity strings + (as provided via MTLS) + + The `*` prefix can be used to match all identities in + a domain. An identity string of `*` indicates that + all authentication clients are authorized. + type: array + minItems: 1 + items: + type: string + identityRefs: + type: array + minItems: 1 + items: + type: object + required: + - kind + properties: + group: + description: >- + Group is the group of the referent. When empty, the + Kubernetes core API group is inferred." + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: >- + Name is the name of the referent. 
When unspecified, + this refers to all resources of the specified Group + and Kind in the specified namespace. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Name is the name of the referent. When unspecified, + this authentication refers to the local namespace. + maxLength: 253 + type: string diff --git a/charts/linkerd/linkerd-crds/templates/policy/network-authentication.yaml b/charts/linkerd/linkerd-crds/templates/policy/network-authentication.yaml new file mode 100644 index 000000000..cef15d3c4 --- /dev/null +++ b/charts/linkerd/linkerd-crds/templates/policy/network-authentication.yaml @@ -0,0 +1,53 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkauthentications.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: NetworkAuthentication + plural: networkauthentications + singular: networkauthentication + shortNames: [netauthn, networkauthn] + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + NetworkAuthentication defines a list of authenticated client + networks to be referenced by an `AuthorizationPolicy`. If a + client connection originates from ANY of the of the provided + networks, the connection is considered authenticated. + type: object + required: [networks] + properties: + networks: + type: array + items: + type: object + required: [cidr] + properties: + cidr: + description: >- + The CIDR of the network to be authorized. + type: string + except: + description: >- + A list of IP networks/addresses not to be included in + the above `cidr`. + type: array + items: + type: string 
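Review bot: The `identityRefs.namespace` description is a copy of the `name` field's text (`Name is the name of the referent. When unspecified, this authentication refers to the local namespace.`) and should read `Namespace is the namespace of the referent. When unspecified, this authentication refers to the local namespace.`; the `group` description also carries a stray closing quote after `inferred.`, and the spec description repeats `of the of the`. Separately, the `identities` items are an unconstrained `type: string`, whereas the `identities` list in the ServerAuthorization CRD added in the same commit pins the identity syntax with `pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'`; applying the same pattern here would reject malformed identity strings at admission instead of leaving them to silently never match. If this chart is mirrored verbatim from upstream linkerd, these are better raised there and re-vendored.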
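Review bot: `networks` is `required` but has no `minItems`, so `networks: []` passes admission and yields an authentication that never matches; `minItems: 1`, as the sibling MeshTLSAuthentication CRD in this commit uses for `identities`, would surface that as a validation error rather than a silent no-op, assuming at least one network is the intent. `cidr` and the `except` items are bare `type: string` with no `pattern` or `format`, so a malformed CIDR is only discovered by the controller at reconcile time rather than by the API server. The spec description also repeats `of the of the`. As with the sibling CRD, if this file is vendored from upstream the fix belongs there.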
diff --git a/charts/linkerd/linkerd-crds/templates/policy/server-authorization.yaml b/charts/linkerd/linkerd-crds/templates/policy/server-authorization.yaml new file mode 100644 index 000000000..33fb65900 --- /dev/null +++ b/charts/linkerd/linkerd-crds/templates/policy/server-authorization.yaml 
@@ -0,0 +1,266 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: serverauthorizations.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: ServerAuthorization + plural: serverauthorizations + singular: serverauthorization + shortNames: [saz, serverauthz, srvauthz] + versions: + - name: v1alpha1 + served: true + storage: false + deprecated: true + deprecationWarning: "policy.linkerd.io/v1alpha1 ServerAuthorization is deprecated; use policy.linkerd.io/v1beta1 ServerAuthorization" + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + Authorizes clients to communicate with Linkerd-proxied servers. + type: object + required: [server, client] + properties: + server: + description: >- + Identifies servers in the same namespace for which this + authorization applies. + + Only one of `name` or `selector` may be specified. + type: object + oneOf: + - required: [name] + - required: [selector] + properties: + name: + description: References a `Server` instance by name + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + selector: + description: >- + A label query over servers on which this authorization applies. + type: object + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + client: + description: Describes clients authorized to access a server. 
+ type: object + properties: + networks: + description: >- + Limits the client IP addresses to which this + authorization applies. If unset, the server chooses a + default (typically, all IPs or the cluster's pod + network). + type: array + items: + type: object + required: [cidr] + properties: + cidr: + type: string + except: + type: array + items: + type: string + unauthenticated: + description: >- + Authorizes unauthenticated clients to access a server. + type: boolean + meshTLS: + type: object + properties: + unauthenticatedTLS: + type: boolean + description: >- + Indicates that no client identity is required for + communication. + + This is mostly important for the identity + controller, which must terminate TLS connections + from clients that do not yet have a certificate. + identities: + description: >- + Authorizes clients with the provided proxy identity + strings (as provided via MTLS) + + The `*` prefix can be used to match all identities in + a domain. An identity string of `*` indicates that + all authentication clients are authorized. + type: array + items: + type: string + pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$' + serviceAccounts: + description: >- + Authorizes clients with the provided proxy identity + service accounts (as provided via MTLS) + type: array + items: + type: object + required: [name] + properties: + name: + description: The ServiceAccount's name. + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + namespace: + description: >- + The ServiceAccount's namespace. If unset, the + authorization's namespace is used. + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + Authorizes clients to communicate with Linkerd-proxied servers. 
+ type: object + required: [server, client] + properties: + server: + description: >- + Identifies servers in the same namespace for which this + authorization applies. + + Only one of `name` or `selector` may be specified. + type: object + oneOf: + - required: [name] + - required: [selector] + properties: + name: + description: References a `Server` instance by name + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + selector: + description: >- + A label query over servers on which this authorization applies. + type: object + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + client: + description: Describes clients authorized to access a server. + type: object + properties: + networks: + description: >- + Limits the client IP addresses to which this + authorization applies. If unset, the server chooses a + default (typically, all IPs or the cluster's pod + network). + type: array + items: + type: object + required: [cidr] + properties: + cidr: + type: string + except: + type: array + items: + type: string + unauthenticated: + description: >- + Authorizes unauthenticated clients to access a server. + type: boolean + meshTLS: + type: object + properties: + unauthenticatedTLS: + type: boolean + description: >- + Indicates that no client identity is required for + communication. + + This is mostly important for the identity + controller, which must terminate TLS connections + from clients that do not yet have a certificate. + identities: + description: >- + Authorizes clients with the provided proxy identity + strings (as provided via MTLS) + + The `*` prefix can be used to match all identities in + a domain. 
An identity string of `*` indicates that + all authentication clients are authorized. + type: array + items: + type: string + pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$' + serviceAccounts: + description: >- + Authorizes clients with the provided proxy identity + service accounts (as provided via MTLS) + type: array + items: + type: object + required: [name] + properties: + name: + description: The ServiceAccount's name. + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + namespace: + description: >- + The ServiceAccount's namespace. If unset, the + authorization's namespace is used. + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + additionalPrinterColumns: + - name: Server + type: string + description: The server that this grants access to + jsonPath: .spec.server.name diff --git a/charts/linkerd/linkerd-crds/templates/policy/server.yaml b/charts/linkerd/linkerd-crds/templates/policy/server.yaml new file mode 100644 index 000000000..ac3215c02 --- /dev/null +++ b/charts/linkerd/linkerd-crds/templates/policy/server.yaml 
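Review bot: The `client` object in both the v1alpha1 and v1beta1 schemas has no `minProperties` or `anyOf`, so `client: {}` passes admission even though `client` is listed in `required: [server, client]`; whether that then means "no client is authorized" or falls back to some default is decided by the controller, and a policy author cannot tell from the CRD. Adding `minProperties: 1` under `client:` (or an `anyOf` over `networks`, `unauthenticated` and `meshTLS`) would reject the ambiguous object at admission, and one sentence in the `client` description stating what an empty block means would cover the rest. `meshTLS` has the same gap: `meshTLS: {}` is accepted with none of `unauthenticatedTLS`, `identities` or `serviceAccounts` set.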
@@ -0,0 +1,222 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: servers.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + names: + kind: Server + plural: servers + singular: server + shortNames: [srv] + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: false + deprecated: true + deprecationWarning: "policy.linkerd.io/v1alpha1 Server is deprecated; use policy.linkerd.io/v1beta1 Server" + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - podSelector + - port + properties: + podSelector: + type: object + description: >- + Selects pods in the same namespace. + oneOf: + - required: [matchExpressions] + - required: [matchLabels] + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. 
+ type: string + default: unknown + - name: v1beta1 + served: true + storage: false + deprecated: true + deprecationWarning: "policy.linkerd.io/v1alpha1 Server is deprecated; use policy.linkerd.io/v1beta2 Server" + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - podSelector + - port + properties: + podSelector: + type: object + description: >- + Selects pods in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. + type: string + default: unknown + additionalPrinterColumns: + - name: Port + type: string + description: The port the server is listening on + jsonPath: .spec.port + - name: Protocol + type: string + description: The protocol of the server + jsonPath: .spec.proxyProtocol + - name: v1beta2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - port + oneOf: + - required: [podSelector] + - required: [externalWorkloadSelector] + properties: + podSelector: + type: object + description: >- + Selects pods in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. 
+ properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + externalWorkloadSelector: + type: object + description: >- + Selects ExternalWorkloads in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. + type: string + default: unknown + additionalPrinterColumns: + - name: Port + type: string + description: The port the server is listening on + jsonPath: .spec.port + - name: Protocol + type: string + description: The protocol of the server + jsonPath: .spec.proxyProtocol diff --git a/charts/linkerd/linkerd-crds/templates/serviceprofile.yaml b/charts/linkerd/linkerd-crds/templates/serviceprofile.yaml new file mode 100644 index 000000000..ad12c96a3 --- /dev/null +++ b/charts/linkerd/linkerd-crds/templates/serviceprofile.yaml 
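Review bot: The `deprecationWarning` on the `v1beta1` version of `Server` names the wrong version: it reads `policy.linkerd.io/v1alpha1 Server is deprecated; use policy.linkerd.io/v1beta2 Server`, so a client applying a v1beta1 object is warned that v1alpha1 is deprecated. It should read `deprecationWarning: "policy.linkerd.io/v1beta1 Server is deprecated; use policy.linkerd.io/v1beta2 Server"`. If this template is synced from upstream linkerd2, the correction belongs there as well or it will be overwritten on the next sync.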
@@ -0,0 +1,274 @@ +--- +### +### Service Profile CRD +### +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: serviceprofiles.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: linkerd.io + versions: + - name: v1alpha1 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + description: Spec is the custom resource spec + required: + - routes + properties: + dstOverrides: + type: array + required: + - authority + - weight + items: + type: object + description: WeightedDst is a weighted alternate destination. + properties: + authority: + type: string + weight: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + opaquePorts: + type: array + items: + type: string + retryBudget: + type: object + required: + - minRetriesPerSecond + - retryRatio + - ttl + description: RetryBudget describes the maximum number of retries that should be issued to this service. + properties: + minRetriesPerSecond: + format: int32 + type: integer + retryRatio: + type: number + format: float + ttl: + type: string + routes: + type: array + items: + type: object + description: RouteSpec specifies a Route resource. + required: + - condition + - name + properties: + condition: + type: object + description: RequestMatch describes the conditions under which to match a Route. 
+ properties: + pathRegex: + type: string + method: + type: string + all: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + any: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + not: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + isRetryable: + type: boolean + name: + type: string + timeout: + type: string + responseClasses: + type: array + items: + type: object + required: + - condition + description: ResponseClass describes how to classify a response (e.g. success or failures). + properties: + condition: + type: object + description: ResponseMatch describes the conditions under + which to classify a response. + properties: + all: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + any: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + not: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + description: Range describes a range of integers (e.g. status codes). + properties: + max: + format: int32 + type: integer + min: + format: int32 + type: integer + isFailure: + type: boolean + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + description: Spec is the custom resource spec + properties: + dstOverrides: + type: array + required: + - authority + - weight + items: + type: object + description: WeightedDst is a weighted alternate destination. 
+ properties: + authority: + type: string + weight: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + opaquePorts: + type: array + items: + type: string + retryBudget: + type: object + required: + - minRetriesPerSecond + - retryRatio + - ttl + description: RetryBudget describes the maximum number of retries that should be issued to this service. + properties: + minRetriesPerSecond: + format: int32 + type: integer + retryRatio: + type: number + format: float + ttl: + type: string + routes: + type: array + items: + type: object + description: RouteSpec specifies a Route resource. + required: + - condition + - name + properties: + condition: + type: object + description: RequestMatch describes the conditions under which to match a Route. + properties: + pathRegex: + type: string + method: + type: string + all: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + any: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + not: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + isRetryable: + type: boolean + name: + type: string + timeout: + type: string + responseClasses: + type: array + items: + type: object + required: + - condition + description: ResponseClass describes how to classify a response (e.g. success or failures). + properties: + condition: + type: object + description: ResponseMatch describes the conditions under + which to classify a response. + properties: + all: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + any: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + not: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + description: Range describes a range of integers (e.g. status codes). 
+ properties: + max: + format: int32 + type: integer + min: + format: int32 + type: integer + isFailure: + type: boolean + scope: Namespaced + preserveUnknownFields: false + names: + plural: serviceprofiles + singular: serviceprofile + kind: ServiceProfile + shortNames: + - sp diff --git a/charts/linkerd/linkerd-crds/templates/workload/external-workload.yaml b/charts/linkerd/linkerd-crds/templates/workload/external-workload.yaml new file mode 100644 index 000000000..56cb3bddb --- /dev/null +++ b/charts/linkerd/linkerd-crds/templates/workload/external-workload.yaml 
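Review bot: `required: [authority, weight]` under `dstOverrides` sits on the array schema rather than on its `items` object, in both the v1alpha1 and v1alpha2 versions, so it never constrains a `WeightedDst` entry and an override with no `authority` or `weight` is accepted. Moving the two list entries under `items:` beside `type: object` (the placement this hunk already uses for `routes` and `responseClasses`) makes the intent enforceable. I would also check whether the apiserver's structural-schema validation tolerates `required` on a non-object; if it does not, the CRD itself is being rejected and the misplacement is masking that.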
@@ -0,0 +1,302 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalworkloads.workload.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: workload.linkerd.io + names: + categories: + - external + kind: ExternalWorkload + listKind: ExternalWorkloadList + plural: externalworkloads + singular: externalworkload + shortNames: [] + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: false + schema: + openAPIV3Schema: + description: >- + An ExternalWorkload describes a single workload (i.e. a deployable unit) external + to the cluster that should be enrolled in the mesh. + type: object + required: [spec] + properties: + apiVerson: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + meshTls: + description: meshTls describes TLS settings associated with an + external workload. + properties: + identity: + type: string + description: identity of the workload. Corresponds to the + identity used in the workload's certificate. It is used + by peers to perform verification in the mTLS handshake. + minLength: 1 + maxLength: 253 + serverName: + type: string + description: serverName is the name of the workload in DNS + format. It is used by the workload to terminate TLS using + SNI. + minLength: 1 + maxLength: 253 + type: object + required: + - identity + - serverName + ports: + type: array + description: ports describes a list of ports exposed by the + workload + items: + properties: + name: + type: string + description: name must be an IANA_SVC_NAME and unique + within the ports set. Each named port can be referred + to by services. + port: + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: protocol exposed by the port. Must be UDP or + TCP. 
Defaults to TCP. + type: string + default: "TCP" + type: object + required: + - port + workloadIPs: + type: array + description: workloadIPs contains a list of IP addresses that + can be used to send traffic to the workload. + items: + type: object + properties: + ip: + type: string + # TODO: relax this in the future when ipv6 is supported + # an external workload (like a pod) should only + # support 2 interfaces + maxItems: 1 + type: object + required: + - meshTls + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + lastProbeTime: + description: lastProbeTime is the last time the + healthcheck endpoint was probed. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime is the last time the + condition transitioned from one status to another. + format: date-time + type: string + status: + description: status of the condition (one of True, False, Unknown) + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of the condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last + transition. Producers of specific condition types may + define expected values and meanings for this field, and + whether the values are considered a guaranteed API. The + value should be a CamelCase string. This field may not + be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + message: + description: message is a human readable message + indicating details about the transition. This may be an + empty string. 
+ maxLength: 32768 + type: string + required: + - status + - type + additionalPrinterColumns: + - jsonPath: .spec.meshTls.identity + name: Identity + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + description: >- + An ExternalWorkload describes a single workload (i.e. a deployable unit) external + to the cluster that should be enrolled in the mesh. + type: object + required: [spec] + properties: + apiVerson: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + meshTLS: + description: meshTLS describes TLS settings associated with an + external workload. + properties: + identity: + type: string + description: identity of the workload. Corresponds to the + identity used in the workload's certificate. It is used + by peers to perform verification in the mTLS handshake. + minLength: 1 + maxLength: 253 + serverName: + type: string + description: serverName is the name of the workload in DNS + format. It is used by the workload to terminate TLS using + SNI. + minLength: 1 + maxLength: 253 + type: object + required: + - identity + - serverName + ports: + type: array + description: ports describes a list of ports exposed by the + workload + items: + properties: + name: + type: string + description: name must be an IANA_SVC_NAME and unique + within the ports set. Each named port can be referred + to by services. + port: + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: protocol exposed by the port. Must be UDP or + TCP. Defaults to TCP. + type: string + default: "TCP" + type: object + required: + - port + workloadIPs: + type: array + description: workloadIPs contains a list of IP addresses that + can be used to send traffic to the workload. 
+ items: + type: object + properties: + ip: + type: string + # TODO: relax this in the future when ipv6 is supported + # an external workload (like a pod) should only + # support 2 interfaces + maxItems: 1 + type: object + required: + - meshTLS + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + lastProbeTime: + description: lastProbeTime is the last time the + healthcheck endpoint was probed. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime is the last time the + condition transitioned from one status to another. + format: date-time + type: string + status: + description: status of the condition (one of True, False, Unknown) + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of the condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last + transition. Producers of specific condition types may + define expected values and meanings for this field, and + whether the values are considered a guaranteed API. The + value should be a CamelCase string. This field may not + be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + message: + description: message is a human readable message + indicating details about the transition. This may be an + empty string. + maxLength: 32768 + type: string + required: + - status + - type + additionalPrinterColumns: + - jsonPath: .spec.meshTLS.identity + name: Identity + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date 
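Review bot: The property key `apiVerson` under `openAPIV3Schema.properties` in both the v1alpha1 and v1beta1 versions is a misspelling of `apiVersion`; the real field is handled by the apiserver before schema validation, so the entry is inert, but it documents a field that does not exist and should become `apiVersion:`. Separately, `ports[].name` is described as "must be an IANA_SVC_NAME and unique within the ports set" and `meshTLS.serverName` as DNS-format, yet neither carries a `pattern`, so the description is not enforced; the IANA_SVC_NAME rule Kubernetes applies to container port names (at most 15 characters, lowercase alphanumerics and `-`, at least one letter) and a DNS-name pattern on `serverName` would close that gap. `workloadIPs[].ip` is likewise a bare string even though it directs mesh traffic; a `format: ipv4` (or a pattern covering both families, given the `maxItems: 1` comment anticipates IPv6) would reject garbage at admission.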
diff --git a/charts/linkerd/linkerd-crds/values.yaml b/charts/linkerd/linkerd-crds/values.yaml
new file mode 100644
index 000000000..362145168
--- /dev/null
+++ b/charts/linkerd/linkerd-crds/values.yaml
@@ -0,0 +1 @@
+enableHttpRoutes: true
diff --git a/charts/loft/loft/Chart.yaml b/charts/loft/loft/Chart.yaml
index d781bde87..ad48b787e 100644
--- a/charts/loft/loft/Chart.yaml
+++ b/charts/loft/loft/Chart.yaml
@@ -28,4 +28,4 @@ name: loft
 sources:
 - https://github.com/loft-sh/loft
 type: application
-version: 3.3.4
+version: 3.4.1
diff --git a/charts/loft/loft/templates/deployment.yaml b/charts/loft/loft/templates/deployment.yaml
index 0a7fd0e44..0e125f1de 100644
--- a/charts/loft/loft/templates/deployment.yaml
+++ b/charts/loft/loft/templates/deployment.yaml
@@ -27,6 +27,10 @@ spec:
 release: {{ .Release.Name }}
 replicas: {{ .Values.replicaCount }}
 strategy:
+ {{- if .Values.agentOnly }}
+ type: Recreate
+ {{- else }}
+ type: RollingUpdate
 rollingUpdate:
 maxSurge: 1
 {{- if (eq (int .Values.replicaCount) 1) }}
@@ -34,7 +38,7 @@ spec:
 {{- else }}
 maxUnavailable: 1
 {{- end }}
- type: RollingUpdate
+ {{- end }}
 template:
 metadata:
 labels:
@@ -62,6 +66,11 @@ spec:
 - name: loft-data
 emptyDir: {}
 {{- end }}
+ {{- if .Values.additionalCA }}
+ - name: loft-additional-ca
+ secret:
+ secretName: loft-additional-ca
+ {{- end }}
 containers:
 - name: manager
 {{- if .Values.agentOnly }}
@@ -69,12 +78,10 @@ spec:
 {{- end }}
 image: {{ default (include "loft.image" .) .Values.image }}
 ports:
- {{- if not .Values.agentOnly }}
 - name: http
 containerPort: 8080
 - name: https
 containerPort: 10443
- {{- end }}
 - name: https-webhook
 containerPort: 9443
 - name: http-wakeup
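Review bot: Removing the `{{- if not .Values.agentOnly }}` guard around the `http`/`https` container ports in the last deployment.yaml hunk, together with the matching guard removed from service.yaml (the two hunks on L1157), means an `agentOnly` install now also renders the main loft Service over 8080/10443. Whether the agent container listens on those ports in that mode is not visible from the chart: if it does not, the Service selects pods with no backend; if it does, that surface is now reachable at whatever `service.type` exposes it as, and the type line lies outside the hunk. A line in values.yaml or the chart notes stating that agent-only deployments now render the same Service as a full install would tell operators what to expect from the upgrade.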
@@ -137,6 +144,14 @@ spec:
 - name: LOFT_LOG_LEVEL
 value: {{ default "info" .Values.logging.level }}
 {{- end }}
+ {{- if .Values.additionalCA }}
+ - name: SSL_CERT_FILE
+ value: /etc/loft/additional-ca/ca.crt
+ {{- end }}
+ {{- if .Values.insecureSkipVerify }}
+ - name: TS_DEBUG_TLS_DIAL_INSECURE_SKIP_VERIFY
+ value: "true"
+ {{- end }}
 {{- range $key, $value := .Values.env }}
 - name: {{ $key | quote }}
 value: {{ $value | quote }}
@@ -147,6 +162,10 @@ spec:
 {{- end }}
 - mountPath: /var/lib/loft
 name: loft-data
+ {{- if .Values.additionalCA }}
+ - mountPath: /etc/loft/additional-ca
+ name: loft-additional-ca
+ {{- end }}
 resources:
 {{ toYaml .Values.resources | indent 10 }}
 {{- if .Values.securityContext }}
diff --git a/charts/loft/loft/templates/ingress-wakeup-service.yaml b/charts/loft/loft/templates/ingress-wakeup-service.yaml
index 07ffa35c0..0431ea9bc 100644
--- a/charts/loft/loft/templates/ingress-wakeup-service.yaml
+++ b/charts/loft/loft/templates/ingress-wakeup-service.yaml
@@ -10,11 +10,7 @@ metadata:
 release: "{{ .Release.Name }}"
 heritage: "{{ .Release.Service }}"
 spec:
- {{- if .Values.agentOnly }}
- type: {{ .Values.service.type }}
- {{- else }}
 type: ClusterIP
- {{- end }}
 ports:
 - name: http-wakeup
 port: 9090
diff --git a/charts/loft/loft/templates/ingress.yaml b/charts/loft/loft/templates/ingress.yaml
index fdea219ce..e8946c8b6 100644
--- a/charts/loft/loft/templates/ingress.yaml
+++ b/charts/loft/loft/templates/ingress.yaml
@@ -27,7 +27,9 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
+ {{- if .Values.ingress.ingressClass }}
 ingressClassName: {{ .Values.ingress.ingressClass }}
+ {{- end }}
 rules:
 - host: {{ .Values.ingress.host }}
 http:
@@ -49,6 +51,8 @@ spec:
 tls:
 - hosts:
 - {{ .Values.ingress.host }}
+ {{- if .Values.ingress.tls.secret }}
 secretName: {{ .Values.ingress.tls.secret }}
+ {{- end }}
 {{- end }}
-{{- end }}
+{{- end }}
\ No newline at end of file
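Review bot: `TS_DEBUG_TLS_DIAL_INSECURE_SKIP_VERIFY=true`, emitted in the env hunk when `insecureSkipVerify` is set, switches off certificate verification for the dials that honour it, so the connection to the configured coordinator `url` is no longer authenticated and anyone on the path can stand in for it; the values.yaml comment ("omit tls verification within loft and all its managed components") should say that plainly and point to `additionalCA` as the supported way to trust a private CA. The variable name reads like a debug knob of the embedded Tailscale client rather than a supported setting, so it is worth confirming the shipped loft version honours it. For `SSL_CERT_FILE`, Go's crypto/x509 reads that file in place of its default certificate files while still scanning the default certificate directories, so whether public roots are still found when `ca.crt` holds only the private CA depends on the base image's layout; one check against a public endpoint, or a note that the file may need to be a full bundle, would settle it. The enclosing `env` block starts and ends outside the hunk.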
diff --git a/charts/loft/loft/templates/secret.yaml b/charts/loft/loft/templates/secret.yaml
index b0b93696e..227f273c8 100644
--- a/charts/loft/loft/templates/secret.yaml
+++ b/charts/loft/loft/templates/secret.yaml
@@ -46,4 +46,55 @@ metadata:
 {{- end }}
 data:
 values: {{ toYaml .Values.agentValues | b64enc }}
-{{- end }}
\ No newline at end of file
+{{- end }}
+
+{{- if .Values.agentOnly -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: loft-agent-connection
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "loft.fullname" . }}
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+ annotations:
+ {{- if or .Values.commonAnnotations .Values.agentSecretAnnotations }}
+ {{- with .Values.agentSecretAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.commonAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+data:
+ token: {{ toYaml .Values.token | b64enc }}
+ url: {{ toYaml .Values.url | b64enc }}
+{{- end }}
+
+{{- if .Values.additionalCA }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: loft-additional-ca
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "loft.fullname" . }}
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+ annotations:
+ {{- if or .Values.commonAnnotations .Values.agentSecretAnnotations }}
+ {{- with .Values.agentSecretAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.commonAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+data:
+ ca.crt: {{ .Values.additionalCA | quote }}
+{{- end }}
diff --git a/charts/loft/loft/templates/service.yaml b/charts/loft/loft/templates/service.yaml
index 52b139081..7394c6079 100644
--- a/charts/loft/loft/templates/service.yaml
+++ b/charts/loft/loft/templates/service.yaml
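Review bot: `{{- if .Values.agentOnly -}}` trims the newline before `---`, and the `{{- end }}` and `{{- if` above it trim everything back to the preceding `values: ...` line, so whenever the agent-values Secret (its opening `if` is above the hunk) renders in the same release as the agent-connection Secret, `---` is glued onto the end of the base64 value and the manifest is malformed; the `additionalCA` block below uses `{{- if .Values.additionalCA }}` without the right-hand trim and renders correctly, so the first should match it: `{{- if .Values.agentOnly }}`. Second, `token: {{ toYaml .Values.token | b64enc }}` and the `url` line pass the string through `toYaml` before encoding; for a value that YAML must quote (a leading `{`, a `: ` or ` #` inside), `toYaml` emits it wrapped in quotes and the quotes are then base64-encoded into the Secret, so `{{ .Values.token | b64enc }}` and `{{ .Values.url | b64enc }}` are the safer form. The CA Secret reuses `agentSecretAnnotations`, which reads as copy-paste; if a separate hook is not wanted, a one-line comment saying the two Secrets intentionally share it would stop the next reader from "fixing" it.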
@@ -1,4 +1,3 @@ -{{- if not .Values.agentOnly }} apiVersion: v1 kind: Service metadata: @@ -38,4 +37,3 @@ spec: selector: app: {{ template "loft.fullname" . }} release: {{ .Release.Name }} -{{- end }} diff --git a/charts/loft/loft/values.yaml b/charts/loft/loft/values.yaml index 9490d0637..825d435d8 100644 --- a/charts/loft/loft/values.yaml +++ b/charts/loft/loft/values.yaml @@ -22,7 +22,6 @@ ingress: tls: enabled: true secret: loft-tls - clusterIssuer: lets-encrypt-http-issuer # TLS configuration with a custom cert and key # Make sure the secret exists prior to deploying loft, # otherwise the loft pod will not be able to start @@ -163,3 +162,13 @@ logging: encoding: console # Can be either json or console level: info # Can be either: debug, info, error product: loft +# Token is used to connect to the network peer coordinator server of a Loft instance +token: "" +# URL is used to connect as the endpoint of the network peer coordinator server +url: "" +# AdditionalCA is used to add an additional CA certificate to the application's +# x509 root ca verification flow. Needs to be base64 encoded. +additionalCA: "" +# insecureSkipVerify is used to omit tls verification within loft and all its +# managed components +insecureSkipVerify: false diff --git a/charts/minio/minio-operator/Chart.yaml b/charts/minio/minio-operator/Chart.yaml index 3c5cfc2a1..1b3e2c2aa 100644 --- a/charts/minio/minio-operator/Chart.yaml +++ b/charts/minio/minio-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.19-0' catalog.cattle.io/release-name: minio-operator apiVersion: v2 -appVersion: v5.0.12 +appVersion: v5.0.13 description: A Helm chart for MinIO Operator home: https://min.io icon: https://min.io/resources/img/logo/MINIO_wordmark.png @@ -19,4 +19,4 @@ name: minio-operator sources: - https://github.com/minio/operator type: application -version: 5.0.12 +version: 5.0.13 
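Review bot: The new `insecureSkipVerify` comment in `values.yaml` says what the switch does but not what it costs; since it turns off certificate verification for loft and every component it manages, the comment should say so, e.g. `# insecureSkipVerify disables TLS certificate verification for loft and all managed components; any certificate is accepted, so prefer additionalCA for private CAs and keep this false outside diagnostics.` The `additionalCA` entry states the value must be base64 encoded but not that it is the PEM certificate mounted as `ca.crt` into the loft pod, which is what someone producing the value needs to know. Dropping `clusterIssuer` from the defaults changes behaviour for users who relied on it and deserves a line in the chart's release notes.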
diff --git a/charts/minio/minio-operator/Chart.yaml-e b/charts/minio/minio-operator/Chart.yaml-e index 34504bb4e..be0963e35 100644 --- a/charts/minio/minio-operator/Chart.yaml-e +++ b/charts/minio/minio-operator/Chart.yaml-e @@ -1,8 +1,8 @@ apiVersion: v2 description: A Helm chart for MinIO Operator name: operator -version: 5.0.12 -appVersion: v5.0.12 +version: 5.0.13 +appVersion: v5.0.13 keywords: - storage - object-storage diff --git a/charts/minio/minio-operator/templates/job.min.io_jobs.yaml b/charts/minio/minio-operator/templates/job.min.io_jobs.yaml index 412d453bb..37df0e4cd 100644 --- a/charts/minio/minio-operator/templates/job.min.io_jobs.yaml +++ b/charts/minio/minio-operator/templates/job.min.io_jobs.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: miniojobs.job.min.io spec: group: job.min.io diff --git a/charts/minio/minio-operator/templates/operator-clusterrole.yaml b/charts/minio/minio-operator/templates/operator-clusterrole.yaml index 3e58817c1..318760e83 100644 --- a/charts/minio/minio-operator/templates/operator-clusterrole.yaml +++ b/charts/minio/minio-operator/templates/operator-clusterrole.yaml @@ -3,6 +3,16 @@ kind: ClusterRole metadata: name: minio-operator-role rules: + - apiGroups: + - "job.min.io" + resources: + - miniojobs + verbs: + - list + - get + - update + - delete + - watch - apiGroups: - "apiextensions.k8s.io" resources: diff --git a/charts/minio/minio-operator/values.yaml b/charts/minio/minio-operator/values.yaml index fc3ac0bce..fd13287bb 100644 --- a/charts/minio/minio-operator/values.yaml +++ b/charts/minio/minio-operator/values.yaml 
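Review bot: The new `job.min.io` rule in `operator-clusterrole.yaml` grants cluster-wide `update` and `delete` on `miniojobs` but no `miniojobs/status` subresource; if the operator writes job status, as a reconciling controller usually does, that call will be denied, while `delete` should be kept only if the operator itself removes job objects rather than leaving that to their owners. Trim the verbs to what the controller exercises and add the subresource where needed, e.g. `resources: [miniojobs, miniojobs/status]`. The `rules:` list continues outside the hunk.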
@@ -32,14 +32,14 @@ operator: ### # Specify the Operator container image to use for the deployment. # ``image.tag`` - # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.12 tag. + # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.13 tag. # The container pulls the image if not already present: # # .. code-block:: yaml # # image: # repository: quay.io/minio/operator - # tag: v5.0.12 + # tag: v5.0.13 # pullPolicy: IfNotPresent # # The chart also supports specifying an image based on digest value: @@ -53,7 +53,7 @@ operator: # image: repository: quay.io/minio/operator - tag: v5.0.12 + tag: v5.0.13 pullPolicy: IfNotPresent ### # @@ -171,14 +171,14 @@ console: ### # Specify the Operator Console container image to use for the deployment. # ``image.tag`` - # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.12 tag. + # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.13 tag. # The container pulls the image if not already present: # # .. code-block:: yaml # # image: # repository: quay.io/minio/operator - # tag: v5.0.12 + # tag: v5.0.13 # pullPolicy: IfNotPresent # # The chart also supports specifying an image based on digest value: @@ -193,7 +193,7 @@ console: # The specified values should match that of ``operator.image`` to ensure predictable operations. image: repository: quay.io/minio/operator - tag: v5.0.12 + tag: v5.0.13 pullPolicy: IfNotPresent ### # An array of environment variables to pass to the Operator Console deployment. diff --git a/charts/minio/minio-operator/values.yaml-e b/charts/minio/minio-operator/values.yaml-e index fc3ac0bce..fd13287bb 100644 --- a/charts/minio/minio-operator/values.yaml-e +++ b/charts/minio/minio-operator/values.yaml-e 
@@ -32,14 +32,14 @@ operator: ### # Specify the Operator container image to use for the deployment. # ``image.tag`` - # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.12 tag. + # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.13 tag. # The container pulls the image if not already present: # # .. code-block:: yaml # # image: # repository: quay.io/minio/operator - # tag: v5.0.12 + # tag: v5.0.13 # pullPolicy: IfNotPresent # # The chart also supports specifying an image based on digest value: @@ -53,7 +53,7 @@ operator: # image: repository: quay.io/minio/operator - tag: v5.0.12 + tag: v5.0.13 pullPolicy: IfNotPresent ### # @@ -171,14 +171,14 @@ console: ### # Specify the Operator Console container image to use for the deployment. # ``image.tag`` - # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.12 tag. + # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.13 tag. # The container pulls the image if not already present: # # .. code-block:: yaml # # image: # repository: quay.io/minio/operator - # tag: v5.0.12 + # tag: v5.0.13 # pullPolicy: IfNotPresent # # The chart also supports specifying an image based on digest value: @@ -193,7 +193,7 @@ console: # The specified values should match that of ``operator.image`` to ensure predictable operations. image: repository: quay.io/minio/operator - tag: v5.0.12 + tag: v5.0.13 pullPolicy: IfNotPresent ### # An array of environment variables to pass to the Operator Console deployment. diff --git a/charts/nats/nats/Chart.yaml b/charts/nats/nats/Chart.yaml index 07ae788d1..6fb764204 100644 --- a/charts/nats/nats/Chart.yaml +++ b/charts/nats/nats/Chart.yaml 
@@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.16-0' catalog.cattle.io/release-name: nats apiVersion: v2 -appVersion: 2.10.11 +appVersion: 2.10.12 description: A Helm chart for the NATS.io High Speed Cloud Native Distributed Communications Technology. home: http://github.com/nats-io/k8s @@ -18,4 +18,4 @@ maintainers: name: The NATS Authors url: https://github.com/nats-io name: nats -version: 1.1.9 +version: 1.1.10 diff --git a/charts/nats/nats/files/nats-box/contexts-secret/context.yaml b/charts/nats/nats/files/nats-box/contexts-secret/context.yaml index 97e4671b5..54480eac9 100644 --- a/charts/nats/nats/files/nats-box/contexts-secret/context.yaml +++ b/charts/nats/nats/files/nats-box/contexts-secret/context.yaml @@ -39,11 +39,13 @@ key: {{ printf "%s/%s" $dir (.key | default "tls.key") | quote }} {{- end }} # tlsCA +{{- if $.Values.config.nats.tls.enabled }} {{- with $.Values.tlsCA }} {{- if and .enabled (or .configMapName .secretName) }} {{- $dir := trimSuffix "/" .dir }} ca: {{ printf "%s/%s" $dir (.key | default "ca.crt") | quote }} {{- end }} {{- end }} +{{- end }} {{- end }} diff --git a/charts/nats/nats/values.yaml b/charts/nats/nats/values.yaml index 54275266e..79ef3389e 100644 --- a/charts/nats/nats/values.yaml +++ b/charts/nats/nats/values.yaml @@ -312,7 +312,7 @@ config: container: image: repository: nats - tag: 2.10.11-alpine + tag: 2.10.12-alpine pullPolicy: registry: diff --git a/charts/new-relic/nri-bundle/Chart.lock b/charts/new-relic/nri-bundle/Chart.lock index bd93e357d..d46228dea 100644 --- a/charts/new-relic/nri-bundle/Chart.lock +++ b/charts/new-relic/nri-bundle/Chart.lock 
@@ -1,36 +1,36 @@ dependencies: - name: newrelic-infrastructure repository: https://newrelic.github.io/nri-kubernetes - version: 3.30.2 + version: 3.32.0 - name: nri-prometheus repository: https://newrelic.github.io/nri-prometheus version: 2.1.17 - name: newrelic-prometheus-agent repository: https://newrelic.github.io/newrelic-prometheus-configurator - version: 1.10.0 + version: 1.11.0 - name: nri-metadata-injection repository: https://newrelic.github.io/k8s-metadata-injection - version: 4.17.1 + version: 4.18.2 - name: newrelic-k8s-metrics-adapter repository: https://newrelic.github.io/newrelic-k8s-metrics-adapter - version: 1.9.0 + version: 1.10.1 - name: kube-state-metrics repository: https://prometheus-community.github.io/helm-charts version: 5.12.1 - name: nri-kube-events repository: https://newrelic.github.io/nri-kube-events - version: 3.8.2 + version: 3.9.2 - name: newrelic-logging repository: https://newrelic.github.io/helm-charts - version: 1.20.2 + version: 1.21.2 - name: newrelic-pixie repository: https://newrelic.github.io/helm-charts - version: 2.1.2 + version: 2.1.3 - name: pixie-operator-chart repository: https://pixie-operator-charts.storage.googleapis.com version: 0.1.4 - name: newrelic-infra-operator repository: https://newrelic.github.io/newrelic-infra-operator - version: 2.9.0 -digest: sha256:66f2aae4e837b4f3a019c3c02555f0420d7ff23360239b18e5a4a728e2f89343 -generated: "2024-02-19T16:22:45.54705047Z" + version: 2.10.0 +digest: sha256:cfa9040fb965fb13487710c241e8c8dca25727054c6ed51088692d7769eece11 +generated: "2024-03-11T21:57:30.13774149Z" diff --git a/charts/new-relic/nri-bundle/Chart.yaml b/charts/new-relic/nri-bundle/Chart.yaml index 45f23b128..8d4a77412 100644 --- a/charts/new-relic/nri-bundle/Chart.yaml +++ b/charts/new-relic/nri-bundle/Chart.yaml 
@@ -7,7 +7,7 @@ dependencies: - condition: infrastructure.enabled,newrelic-infrastructure.enabled name: newrelic-infrastructure repository: file://./charts/newrelic-infrastructure - version: 3.30.2 + version: 3.32.0 - condition: prometheus.enabled,nri-prometheus.enabled name: nri-prometheus repository: file://./charts/nri-prometheus @@ -15,15 +15,15 @@ dependencies: - condition: newrelic-prometheus-agent.enabled name: newrelic-prometheus-agent repository: file://./charts/newrelic-prometheus-agent - version: 1.10.0 + version: 1.11.0 - condition: webhook.enabled,nri-metadata-injection.enabled name: nri-metadata-injection repository: file://./charts/nri-metadata-injection - version: 4.17.1 + version: 4.18.2 - condition: metrics-adapter.enabled,newrelic-k8s-metrics-adapter.enabled name: newrelic-k8s-metrics-adapter repository: file://./charts/newrelic-k8s-metrics-adapter - version: 1.9.0 + version: 1.10.1 - condition: ksm.enabled,kube-state-metrics.enabled name: kube-state-metrics repository: file://./charts/kube-state-metrics @@ -31,15 +31,15 @@ dependencies: - condition: kubeEvents.enabled,nri-kube-events.enabled name: nri-kube-events repository: file://./charts/nri-kube-events - version: 3.8.2 + version: 3.9.2 - condition: logging.enabled,newrelic-logging.enabled name: newrelic-logging repository: file://./charts/newrelic-logging - version: 1.20.2 + version: 1.21.2 - condition: newrelic-pixie.enabled name: newrelic-pixie repository: file://./charts/newrelic-pixie - version: 2.1.2 + version: 2.1.3 - alias: pixie-chart condition: pixie-chart.enabled name: pixie-operator-chart @@ -48,7 +48,7 @@ dependencies: - condition: newrelic-infra-operator.enabled name: newrelic-infra-operator repository: file://./charts/newrelic-infra-operator - version: 2.9.0 + version: 2.10.0 description: Groups together the individual charts for the New Relic Kubernetes solution for a more comfortable deployment. home: https://github.com/newrelic/helm-charts 
@@ -75,4 +75,4 @@ sources: - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-logging - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-pixie - https://github.com/newrelic/newrelic-infra-operator/tree/master/charts/newrelic-infra-operator -version: 5.0.66 +version: 5.0.69 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml index d61b13236..011fede4d 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.17.0 +appVersion: 0.18.0 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -32,4 +32,4 @@ name: newrelic-infra-operator sources: - https://github.com/newrelic/newrelic-infra-operator - https://github.com/newrelic/newrelic-infra-operator/tree/main/charts/newrelic-infra-operator -version: 2.9.0 +version: 2.10.0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/templates/admission-webhooks/job-patch/job-createSecret.yaml index 045665511..022e6254e 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/templates/admission-webhooks/job-patch/job-createSecret.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/templates/admission-webhooks/job-patch/job-createSecret.yaml @@ -47,10 +47,9 @@ spec: runAsGroup: 2000 runAsNonRoot: true runAsUser: 2000 - {{- with include "newrelic.common.nodeSelector" . }} nodeSelector: - {{- . | nindent 8 -}} - {{- end }} + kubernetes.io/os: linux + {{ include "newrelic.common.nodeSelector" . | nindent 8 }} {{- with include "newrelic.common.tolerations" . }} tolerations: {{- . | nindent 8 -}} 
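Review bot: `kubernetes.io/os: linux` is now emitted unconditionally and the output of `newrelic.common.nodeSelector` is appended underneath it, so a chart user who sets `kubernetes.io/os` themselves produces a duplicate mapping key; the parser either keeps the last value or rejects the manifest, and either way the default cannot be overridden cleanly. Merging instead of appending keeps a single key, for example `{{- toYaml (merge (fromYaml (include "newrelic.common.nodeSelector" .)) (dict "kubernetes.io/os" "linux")) | nindent 8 }}` (the `newrelic-infrastructure` templates already treat the include output as YAML via `fromYaml`, so this should hold here too — confirm for an empty include). The unguarded `{{ include ... | nindent 8 }}` also leaves a whitespace-only line in the rendered manifest, which `{{-` on that action avoids. The same pattern is repeated in the next file's `job-patchWebhook.yaml` and `deployment.yaml` hunks, in the `newrelic-infrastructure` controlplane, ksm and kubelet hunks, and in the three `newrelic-k8s-metrics-adapter` templates below, so a shared helper would fix them all at once.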
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/templates/admission-webhooks/job-patch/job-patchWebhook.yaml index e6acc6b90..61e363678 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/templates/admission-webhooks/job-patch/job-patchWebhook.yaml @@ -47,10 +47,9 @@ spec: runAsGroup: 2000 runAsNonRoot: true runAsUser: 2000 - {{- with include "newrelic.common.nodeSelector" . }} nodeSelector: - {{- . | nindent 8 -}} - {{- end }} + kubernetes.io/os: linux + {{ include "newrelic.common.nodeSelector" . | nindent 8 }} {{- with include "newrelic.common.tolerations" . }} tolerations: {{- . | nindent 8 -}} diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/templates/deployment.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/templates/deployment.yaml index 51a7a8b7a..40f389887 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/templates/deployment.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/templates/deployment.yaml @@ -71,10 +71,9 @@ spec: {{- with include "newrelic.common.priorityClassName" . }} priorityClassName: {{ . }} {{- end }} - {{- with include "newrelic.common.nodeSelector" . }} nodeSelector: - {{- . | nindent 8 -}} - {{- end }} + kubernetes.io/os: linux + {{ include "newrelic.common.nodeSelector" . | nindent 8 }} {{- with include "newrelic.common.tolerations" . }} tolerations: {{- . | nindent 8 -}} diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/tests/deployment_test.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/tests/deployment_test.yaml new file mode 100644 index 000000000..a1ffa88d0 --- /dev/null 
+++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/tests/deployment_test.yaml @@ -0,0 +1,32 @@ +suite: test cluster environment variable setup +templates: + - templates/deployment.yaml + - templates/configmap.yaml + - templates/secret.yaml +release: + name: my-release + namespace: my-namespac +tests: + - it: has a linux node selector by default + set: + cluster: my-cluster + licenseKey: use-whatever + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux + template: templates/deployment.yaml + - it: has a linux node selector and additional selectors + set: + cluster: my-cluster + licenseKey: use-whatever + nodeSelector: + aCoolTestLabel: aCoolTestValue + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux + aCoolTestLabel: aCoolTestValue + template: templates/deployment.yaml diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/tests/job_serviceaccount_test.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/tests/job_serviceaccount_test.yaml index 2ab9f137b..c6acda2db 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/tests/job_serviceaccount_test.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/tests/job_serviceaccount_test.yaml @@ -39,3 +39,26 @@ tests: - equal: path: spec.template.spec.serviceAccountName value: default + + - it: has a linux node selector by default + set: + cluster: my-cluster + licenseKey: use-whatever + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux + + - it: has a linux node selector and additional selectors + set: + cluster: my-cluster + licenseKey: use-whatever + nodeSelector: + aCoolTestLabel: aCoolTestValue + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux + aCoolTestLabel: aCoolTestValue 
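Review bot: `namespace: my-namespac` in the new `deployment_test.yaml` release block looks like a typo for `namespace: my-namespace`; the assertions do not depend on it, but a misspelt fixture tends to be copied into later tests. The suite also lists `templates/configmap.yaml` and `templates/secret.yaml` while every assertion targets `templates/deployment.yaml`; if they are there only so rendering succeeds, a one-line comment saying so would keep the next reader from hunting for missing assertions.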
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/values.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/values.yaml index f419e8b68..d8ab6019e 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/values.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/values.yaml @@ -140,7 +140,7 @@ config: # @default -- See `values.yaml` image: repository: newrelic/infrastructure-k8s - tag: 2.13.11-unprivileged + tag: 2.13.12-unprivileged pullPolicy: IfNotPresent # -- configSelectors is the way to configure resource requirements and extra envVars of the injected sidecar container. diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml index 89849ee3f..58131c39b 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 3.25.2 +appVersion: 3.27.0 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -23,4 +23,4 @@ sources: - https://github.com/newrelic/nri-kubernetes/ - https://github.com/newrelic/nri-kubernetes/tree/main/charts/newrelic-infrastructure - https://github.com/newrelic/infrastructure-agent/ -version: 3.30.2 +version: 3.32.0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/templates/controlplane/daemonset.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/templates/controlplane/daemonset.yaml index f7c2464ab..938fc48d4 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/templates/controlplane/daemonset.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/templates/controlplane/daemonset.yaml 
@@ -197,8 +197,9 @@ spec: tolerations: {{- . | nindent 8 }} {{- end }} - {{- with .Values.controlPlane.nodeSelector | default (fromYaml (include "newrelic.common.nodeSelector" .)) }} nodeSelector: + kubernetes.io/os: linux + {{- with .Values.controlPlane.nodeSelector | default (fromYaml (include "newrelic.common.nodeSelector" .)) }} {{- toYaml . | nindent 8 }} - {{- end -}} + {{- end -}} {{- end }} diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/templates/ksm/deployment.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/templates/ksm/deployment.yaml index c036ba653..507199d5a 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/templates/ksm/deployment.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/templates/ksm/deployment.yaml @@ -184,8 +184,9 @@ spec: tolerations: {{- . | nindent 8 }} {{- end }} - {{- with .Values.ksm.nodeSelector | default (fromYaml (include "newrelic.common.nodeSelector" .)) }} nodeSelector: + kubernetes.io/os: linux + {{- with .Values.ksm.nodeSelector | default (fromYaml (include "newrelic.common.nodeSelector" .)) }} {{- toYaml . | nindent 8 }} - {{- end -}} + {{- end -}} {{- end }} diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/templates/kubelet/daemonset.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/templates/kubelet/daemonset.yaml index 31b781fb8..a80be0b5b 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/templates/kubelet/daemonset.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/templates/kubelet/daemonset.yaml 
@@ -256,8 +256,9 @@ spec: tolerations: {{- . | nindent 8 }} {{- end }} - {{- with .Values.kubelet.nodeSelector | default (fromYaml (include "newrelic.common.nodeSelector" .)) }} nodeSelector: + kubernetes.io/os: linux + {{- with .Values.kubelet.nodeSelector | default (fromYaml (include "newrelic.common.nodeSelector" .)) }} {{- toYaml . | nindent 8 }} - {{- end -}} + {{- end -}} {{- end }} diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/values.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/values.yaml index 96c871eba..743cf05b2 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/values.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/values.yaml @@ -23,14 +23,14 @@ images: forwarder: registry: "" repository: newrelic/k8s-events-forwarder - tag: 1.49.0 + tag: 1.50.0 pullPolicy: IfNotPresent # -- Image for the New Relic Infrastructure Agent plus integrations. # @default -- See `values.yaml` agent: registry: "" repository: newrelic/infrastructure-bundle - tag: 3.2.29 + tag: 3.2.33 pullPolicy: IfNotPresent # -- Image for the New Relic Kubernetes integration. # @default -- See `values.yaml` diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml index 2cb4cd1b9..c1039dc13 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.11.0 +appVersion: 0.12.1 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -22,4 +22,4 @@ name: newrelic-k8s-metrics-adapter sources: - https://github.com/newrelic/newrelic-k8s-metrics-adapter - https://github.com/newrelic/newrelic-k8s-metrics-adapter/tree/main/charts/newrelic-k8s-metrics-adapter -version: 1.9.0 +version: 1.10.1 
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/templates/apiservice/job-patch/job-createSecret.yaml b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/templates/apiservice/job-patch/job-createSecret.yaml index 51b30809d..6cf89b79e 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/templates/apiservice/job-patch/job-createSecret.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/templates/apiservice/job-patch/job-createSecret.yaml @@ -45,10 +45,9 @@ spec: runAsGroup: 2000 runAsNonRoot: true runAsUser: 2000 - {{- with include "newrelic.common.nodeSelector" . }} nodeSelector: - {{- . | nindent 8 -}} - {{- end }} + kubernetes.io/os: linux + {{ include "newrelic.common.nodeSelector" . | nindent 8 }} {{- with include "newrelic.common.tolerations" . }} tolerations: {{- . | nindent 8 }} diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/templates/apiservice/job-patch/job-patchAPIService.yaml b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/templates/apiservice/job-patch/job-patchAPIService.yaml index ed44a70ae..9d651c210 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/templates/apiservice/job-patch/job-patchAPIService.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/templates/apiservice/job-patch/job-patchAPIService.yaml @@ -43,10 +43,9 @@ spec: runAsGroup: 2000 runAsNonRoot: true runAsUser: 2000 - {{- with include "newrelic.common.nodeSelector" . }} nodeSelector: - {{- . | nindent 8 -}} - {{- end }} + kubernetes.io/os: linux + {{ include "newrelic.common.nodeSelector" . | nindent 8 }} {{- with include "newrelic.common.tolerations" . }} tolerations: {{- . | nindent 8 }} 
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/templates/deployment.yaml b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/templates/deployment.yaml index cbe625dbf..1b96459a5 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/templates/deployment.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/templates/deployment.yaml @@ -95,10 +95,9 @@ spec: {{- with include "newrelic.common.priorityClassName" . }} priorityClassName: {{ . }} {{- end }} - {{- with include "newrelic.common.nodeSelector" . }} nodeSelector: - {{- . | nindent 8 }} - {{- end }} + kubernetes.io/os: linux + {{ include "newrelic.common.nodeSelector" . | nindent 8 }} {{- with include "newrelic.common.tolerations" . }} tolerations: {{- . | nindent 8 }} diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/tests/deployment_test.yaml b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/tests/deployment_test.yaml index e983a7519..7a1898790 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/tests/deployment_test.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/tests/deployment_test.yaml 
@@ -66,3 +66,34 @@ tests: path: spec.template.spec.containers[0].env[2].value value: localhost:1234 template: templates/deployment.yaml + + - it: has a linux node selector by default + set: + personalAPIKey: 21321 + cluster: test-cluster + config: + accountID: 111 + region: A-REGION + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux + template: templates/deployment.yaml + + - it: has a linux node selector and additional selectors + set: + personalAPIKey: 21321 + cluster: test-cluster + config: + accountID: 111 + region: A-REGION + nodeSelector: + aCoolTestLabel: aCoolTestValue + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux + aCoolTestLabel: aCoolTestValue + template: templates/deployment.yaml diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/tests/job_serviceaccount_test.yaml b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/tests/job_serviceaccount_test.yaml index 6c72439a5..9b6207c35 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/tests/job_serviceaccount_test.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/tests/job_serviceaccount_test.yaml @@ -48,3 +48,32 @@ tests: - equal: path: spec.template.spec.serviceAccountName value: default + + - it: has a linux node selector by default + set: + personalAPIKey: 21321 + cluster: test-cluster + config: + accountID: 111 + region: A-REGION + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux + + - it: has a linux node selector and additional selectors + set: + personalAPIKey: 21321 + cluster: test-cluster + config: + accountID: 111 + region: A-REGION + nodeSelector: + aCoolTestLabel: aCoolTestValue + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux + aCoolTestLabel: aCoolTestValue \ No newline at end of file 
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/Chart.yaml index 19f7f2f1d..6bbc47de4 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.19.0 +appVersion: 1.19.2 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -17,4 +17,4 @@ maintainers: - name: danybmx - name: sdaubin name: newrelic-logging -version: 1.20.2 +version: 1.21.2 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/README.md b/charts/new-relic/nri-bundle/charts/newrelic-logging/README.md index 5ccdca8bd..deb45426b 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/README.md +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/README.md 
@@ -107,7 +107,7 @@ helm upgrade --install newrelic-bundle newrelic/nri-bundle \ See [values.yaml](values.yaml) for the default values | Parameter | Description | Default | -| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------- | +|--------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------| | `global.cluster` - `cluster` | The cluster name for the Kubernetes cluster. | | | `global.licenseKey` - `licenseKey` | The [license key](https://docs.newrelic.com/docs/accounts/install-new-relic/account-setup/license-key) for your New Relic Account. This will be the preferred configuration option if both `licenseKey` and `customSecret*` values are specified. | | | `global.customSecretName` - `customSecretName` | Name of the Secret object where the license key is stored | | 
@@ -165,6 +165,7 @@ See [values.yaml](values.yaml) for the default values | `fluentBit.config.extraOutputs` | Contains extra fluent-bit.conf Outputs config | | | `fluentBit.config.parsers` | Contains parsers.conf Parsers config | | | `fluentBit.retryLimit` | Amount of times to retry sending a given batch of logs to New Relic. This prevents data loss if there is a temporary network disruption, if a request to the Logs API is lost or when receiving a recoverable HTTP response. Set it to "False" for unlimited retries. | 5 | +| `fluentBit.sendMetrics` | Enable the collection of Fluent Bit internal metrics in Prometheus format as well as newrelic-fluent-bit-output internal plugin metrics. | `false` | | `dnsConfig` | [DNS configuration](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config) that will be added to the pods. Can be configured also with `global.dnsConfig`. | `{}` | | `fluentBit.criEnabled` | We assume that `kubelet`directly communicates with the container engine using the [CRI](https://kubernetes.io/docs/concepts/overview/components/#container-runtime) specification. Set this to `false` if your K8s installation uses [dockershim](https://kubernetes.io/docs/tasks/administer-cluster/migrating-from-dockershim/) instead, in order to get the logs properly parsed. | `true` | diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/_helpers.tpl b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/_helpers.tpl index d4f750582..439d25cae 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/_helpers.tpl +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/_helpers.tpl 
@@ -163,6 +163,34 @@ Returns lowDataMode {{- end -}} {{- end -}} +{{/* +Returns logsEndpoint +*/}} +{{- define "newrelic-logging.logsEndpoint" -}} +{{- if (include "newrelic.nrStaging" .) -}} +https://staging-log-api.newrelic.com/log/v1 +{{- else if .Values.endpoint -}} +{{ .Values.endpoint -}} +{{- else if eq (substr 0 2 (include "newrelic-logging.licenseKey" .)) "eu" -}} +https://log-api.eu.newrelic.com/log/v1 +{{- else -}} +https://log-api.newrelic.com/log/v1 +{{- end -}} +{{- end -}} + +{{/* +Returns metricsHost +*/}} +{{- define "newrelic-logging.metricsHost" -}} +{{- if (include "newrelic.nrStaging" .) -}} +staging-metric-api.newrelic.com +{{- else if eq (substr 0 2 (include "newrelic-logging.licenseKey" .)) "eu" -}} +metric-api.eu.newrelic.com +{{- else -}} +metric-api.newrelic.com +{{- end -}} +{{- end -}} + {{/* Returns if the template should render, it checks if the required values are set. */}} diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/configmap.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/configmap.yaml index a92c16fa5..4b1d89014 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/configmap.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/configmap.yaml @@ -29,6 +29,9 @@ data: {{- if .Values.fluentBit.config.extraOutputs }} {{- .Values.fluentBit.config.extraOutputs | nindent 4}} {{- end }} + {{- if and (.Values.fluentBit.sendMetrics) (.Values.fluentBit.config.metricInstrumentation) }} + {{- .Values.fluentBit.config.metricInstrumentation | nindent 4}} + {{- end }} parsers.conf: | {{- if .Values.fluentBit.config.parsers }} {{- .Values.fluentBit.config.parsers | nindent 4}} diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset-windows.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset-windows.yaml index d9938feb3..754c1f79d 100644 
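Review bot: `newrelic-logging.metricsHost` offers no user override, whereas the sibling `newrelic-logging.logsEndpoint` honours `.Values.endpoint`; a deployment that points logs at a custom endpoint (private egress, proxy, non-public region) will still have the new metrics output dial the public metric API host chosen from the license-key prefix. A parallel branch, `{{- else if .Values.metricsHost -}}` / `{{ .Values.metricsHost -}}`, placed before the `eu` check would keep the two helpers symmetric, and the README row for `endpoint` should then say whether it also governs metrics. Note that both helpers fall through to the US host whenever `newrelic-logging.licenseKey` yields an empty string (e.g. when the key comes from a Secret rather than values), which is pre-existing behaviour but now affects two destinations; a one-line comment above the `substr` branch saying so would spare the next reader a surprise.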
--- a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset-windows.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset-windows.yaml @@ -60,15 +60,7 @@ spec: securityContext: {} env: - name: ENDPOINT - {{- if (include "newrelic.nrStaging" $) }} - value: "https://staging-log-api.newrelic.com/log/v1" - {{- else if $.Values.endpoint }} - value: {{ $.Values.endpoint }} - {{- else if eq (substr 0 2 (include "newrelic-logging.licenseKey" $)) "eu" }} - value: "https://log-api.eu.newrelic.com/log/v1" - {{- else }} - value: "https://log-api.newrelic.com/log/v1" - {{- end }} + value: {{ include "newrelic-logging.logsEndpoint" $ | quote }} - name: SOURCE value: {{ if (include "newrelic-logging.lowDataMode" $) }} "k8s" {{- else }} "kubernetes" {{- end }} - name: LICENSE_KEY @@ -108,6 +100,18 @@ spec: value: {{ include "newrelic-logging.lowDataMode" $ | default "false" | quote }} - name: RETRY_LIMIT value: {{ $.Values.fluentBit.retryLimit | quote }} + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SEND_OUTPUT_PLUGIN_METRICS + value: {{ $.Values.fluentBit.sendMetrics | default "false" | quote }} + - name: METRICS_HOST + value: {{ include "newrelic-logging.metricsHost" $ | quote }} {{- include "newrelic-logging.extraEnv" $ | nindent 12 }} command: - C:\fluent-bit\bin\fluent-bit.exe diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset.yaml index 64bd7b448..4bc7c73dd 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset.yaml 
@@ -70,15 +70,7 @@ spec:
 imagePullPolicy: "{{ .Values.image.pullPolicy }}"
 env:
 - name: ENDPOINT
- {{- if (include "newrelic.nrStaging" .) }}
- value: "https://staging-log-api.newrelic.com/log/v1"
- {{- else if .Values.endpoint }}
- value: {{ .Values.endpoint }}
- {{- else if eq (substr 0 2 (include "newrelic-logging.licenseKey" .)) "eu" }}
- value: "https://log-api.eu.newrelic.com/log/v1"
- {{- else }}
- value: "https://log-api.newrelic.com/log/v1"
- {{- end }}
+ value: {{ include "newrelic-logging.logsEndpoint" . | quote }}
 - name: SOURCE
 value: {{ if (include "newrelic-logging.lowDataMode" .) }} "k8s" {{- else }} "kubernetes" {{- end }}
 - name: LICENSE_KEY
@@ -105,10 +97,6 @@ spec:
 - name: FB_DB
 value: {{ .Values.fluentBit.db | quote }}
 {{- else if eq .Values.fluentBit.persistence.mode "persistentVolume" }}
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
 - name: FB_DB
 value: "/db/$(NODE_NAME)-fb.db"
 {{- else }}
@@ -125,10 +113,18 @@ spec:
 value: {{ include "newrelic-logging.lowDataMode" . | default "false" | quote }}
 - name: RETRY_LIMIT
 value: {{ .Values.fluentBit.retryLimit | quote }}
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
 - name: HOSTNAME
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
+ - name: SEND_OUTPUT_PLUGIN_METRICS
+ value: {{ $.Values.fluentBit.sendMetrics | default "false" | quote }}
+ - name: METRICS_HOST
+ value: {{ include "newrelic-logging.metricsHost" . | quote }}
 {{- include "newrelic-logging.extraEnv" . | nindent 12 }}
 command:
 - /fluent-bit/bin/fluent-bit
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/endpoint_region_selection_test.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/endpoint_region_selection_test.yaml
new file mode 100644
index 000000000..82e700d93
--- /dev/null
+++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/endpoint_region_selection_test.yaml
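Review bot: Moving NODE_NAME below FB_DB breaks the persistentVolume branch: the second hunk deletes NODE_NAME from immediately before `value: "/db/$(NODE_NAME)-fb.db"` and the third hunk re-adds it after RETRY_LIMIT, but Kubernetes expands `$(VAR)` only against variables that appear earlier in the same `env` list, so FB_DB now renders with the literal text `$(NODE_NAME)` in the path and, on a volume shared across nodes, every pod would open the same DB file. Keep the single always-on definition but place it ahead of the FB_DB block (for example directly after the ENDPOINT entry), or restore the four removed lines in the persistentVolume branch. The Windows DaemonSet receives the same late NODE_NAME in this commit; its FB_DB block is not in this diff, so the ordering there is worth checking too. Minor: `$.Values.fluentBit.sendMetrics` uses `$` where the surrounding lines use `.`; both resolve at this scope, but `.Values` matches the file.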
@@ -0,0 +1,128 @@ +suite: test endpoint selection based on region settings +templates: + - templates/configmap.yaml + - templates/daemonset.yaml + - templates/daemonset-windows.yaml +release: + name: endpoint-selection-release + namespace: endpoint-selection-namespace +tests: + + - it: selects staging endpoints if nrStaging is enabled + set: + licenseKey: nr_license_key + nrStaging: true + enableWindows: true + asserts: + # Linux + - contains: + path: spec.template.spec.containers[0].env + content: + name: ENDPOINT + value: "https://staging-log-api.newrelic.com/log/v1" + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: METRICS_HOST + value: "staging-metric-api.newrelic.com" + template: templates/daemonset.yaml + # Windows + - contains: + path: spec.template.spec.containers[0].env + content: + name: ENDPOINT + value: "https://staging-log-api.newrelic.com/log/v1" + template: templates/daemonset-windows.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: METRICS_HOST + value: "staging-metric-api.newrelic.com" + template: templates/daemonset-windows.yaml + + - it: selects US endpoints for a US license key + set: + licenseKey: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaFFFFNRAL + enableWindows: true + asserts: + # Linux + - contains: + path: spec.template.spec.containers[0].env + content: + name: ENDPOINT + value: "https://log-api.newrelic.com/log/v1" + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: METRICS_HOST + value: "metric-api.newrelic.com" + template: templates/daemonset.yaml + # Windows + - contains: + path: spec.template.spec.containers[0].env + content: + name: ENDPOINT + value: "https://log-api.newrelic.com/log/v1" + template: templates/daemonset-windows.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: METRICS_HOST + value: "metric-api.newrelic.com" + template: 
templates/daemonset-windows.yaml + + - it: selects EU endpoints for a EU license key + set: + licenseKey: euaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaFFFFNRAL + enableWindows: true + asserts: + # Linux + - contains: + path: spec.template.spec.containers[0].env + content: + name: ENDPOINT + value: "https://log-api.eu.newrelic.com/log/v1" + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: METRICS_HOST + value: "metric-api.eu.newrelic.com" + template: templates/daemonset.yaml + # Windows + - contains: + path: spec.template.spec.containers[0].env + content: + name: ENDPOINT + value: "https://log-api.eu.newrelic.com/log/v1" + template: templates/daemonset-windows.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: METRICS_HOST + value: "metric-api.eu.newrelic.com" + template: templates/daemonset-windows.yaml + + + - it: selects custom logs endpoint if provided + set: + licenseKey: euaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaFFFFNRAL + endpoint: custom + enableWindows: true + asserts: + # Linux + - contains: + path: spec.template.spec.containers[0].env + content: + name: ENDPOINT + value: "custom" + template: templates/daemonset.yaml + # Windows + - contains: + path: spec.template.spec.containers[0].env + content: + name: ENDPOINT + value: "custom" + template: templates/daemonset-windows.yaml \ No newline at end of file diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/fluentbit_sendmetrics_test.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/fluentbit_sendmetrics_test.yaml new file mode 100644 index 000000000..f320172cb --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/fluentbit_sendmetrics_test.yaml 
@@ -0,0 +1,74 @@ +suite: test fluentbit send metrics +templates: + - templates/configmap.yaml + - templates/daemonset.yaml + - templates/daemonset-windows.yaml +release: + name: sendmetrics-release + namespace: sendmetrics-namespace +tests: + + - it: sets requirement environment variables to send metrics + set: + licenseKey: nr_license_key + enableWindows: true + fluentBit.sendMetrics: true + asserts: + # Linux + - contains: + path: spec.template.spec.containers[0].env + content: + name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: SEND_OUTPUT_PLUGIN_METRICS + value: "true" + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: METRICS_HOST + value: "metric-api.newrelic.com" + template: templates/daemonset.yaml + # Windows + - contains: + path: spec.template.spec.containers[0].env + content: + name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + template: templates/daemonset-windows.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + template: templates/daemonset-windows.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: SEND_OUTPUT_PLUGIN_METRICS + value: "true" + template: templates/daemonset-windows.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: METRICS_HOST + value: "metric-api.newrelic.com" + template: templates/daemonset-windows.yaml 
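Review bot: The suite lists `templates/configmap.yaml` but none of its assertions reference that template, so the `and .Values.fluentBit.sendMetrics .Values.fluentBit.config.metricInstrumentation` gate added to configmap.yaml is exercised in neither direction. Add a `matchRegex` assertion on the configmap's fluent-bit config key with `pattern: prometheus_remote_write` for this `sendMetrics: true` case, and a second case with `fluentBit.sendMetrics: false` asserting the block is absent and that `SEND_OUTPUT_PLUGIN_METRICS` renders as `"false"`. The latter is the default path every existing user takes on upgrade, so it deserves a pinned expectation.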
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/images_test.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/images_test.yaml index 55da1a73c..14fcb28d7 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/images_test.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/images_test.yaml @@ -17,16 +17,16 @@ tests: asserts: - equal: path: spec.template.spec.containers[0].image - value: newrelic/newrelic-fluentbit-output:1.19.0 + value: newrelic/newrelic-fluentbit-output:1.19.2 template: templates/daemonset.yaml - equal: path: spec.template.spec.containers[0].image - value: newrelic/newrelic-fluentbit-output:1.19.0-windows-ltsc-2019 + value: newrelic/newrelic-fluentbit-output:1.19.2-windows-ltsc-2019 template: templates/daemonset-windows.yaml documentIndex: 0 - equal: path: spec.template.spec.containers[0].image - value: newrelic/newrelic-fluentbit-output:1.19.0-windows-ltsc-2022 + value: newrelic/newrelic-fluentbit-output:1.19.2-windows-ltsc-2022 template: templates/daemonset-windows.yaml documentIndex: 1 - it: global registry is used if set diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/values.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/values.yaml index b941f77c0..c8f19bdf7 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/values.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/values.yaml @@ -35,6 +35,7 @@ fluentBit: k8sBufferSize: "32k" k8sLoggingExclude: "Off" retryLimit: 5 + sendMetrics: false extraEnv: [] # extraEnv: # - name: HTTPS_PROXY @@ -81,6 +82,7 @@ fluentBit: # and parsers.conf (parsers). The configuration below is not configured for lowDataMode and will # send all attributes. If custom configuration is required, update these variables. config: + # Note that Prometheus metric collection needs the HTTP server to be online at port 2020 (see fluentBit.config.metricInstrumentation) service: | [SERVICE] Flush 1 
@@ -94,6 +96,7 @@ fluentBit: inputs: | [INPUT] Name tail + Alias pod-logs-tailer Tag kube.* Path ${PATH} multiline.parser ${LOG_PARSER} @@ -110,6 +113,7 @@ fluentBit: filters: | [FILTER] Name kubernetes + Alias kubernetes-enricher Match kube.* # We need the full DNS suffix as Windows only supports resolving names with this suffix # See: https://kubernetes.io/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#dns-limitations @@ -119,6 +123,7 @@ fluentBit: [FILTER] Name record_modifier + Alias node-attributes-enricher Match * Record cluster_name ${CLUSTER_NAME} @@ -132,6 +137,7 @@ fluentBit: [FILTER] Name kubernetes Match kube.* + Alias kubernetes-enricher # We need the full DNS suffix as Windows only supports resolving names with this suffix # See: https://kubernetes.io/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#dns-limitations Kube_URL https://kubernetes.default.svc.cluster.local:443 @@ -143,12 +149,14 @@ fluentBit: [FILTER] Name nest Match * + Alias kubernetes-attribute-lifter Operation lift Nested_under kubernetes [FILTER] Name record_modifier Match * + Alias node-attributes-enricher-filter Record cluster_name ${CLUSTER_NAME} Allowlist_key container_name Allowlist_key namespace_name @@ -161,9 +169,11 @@ fluentBit: [OUTPUT] Name newrelic Match * + Alias newrelic-logs-forwarder licenseKey ${LICENSE_KEY} endpoint ${ENDPOINT} lowDataMode ${LOW_DATA_MODE} + sendMetrics ${SEND_OUTPUT_PLUGIN_METRICS} Retry_Limit ${RETRY_LIMIT} # extraOutputs: | 
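Review bot: The two record_modifier filters get different aliases, `node-attributes-enricher` in the `@@ -119` hunk and `node-attributes-enricher-filter` in the `@@ -143` hunk, and `Alias` is inserted before `Match` in some blocks but after it in others. If these aliases become the per-plugin label on the Fluent Bit metrics this commit starts shipping (which is how Fluent Bit normally names plugin instances), the same pipeline stage would report under two different series depending on which config block a pod uses. Pick one alias for equivalent stages and one key order within each block so the metric names are predictable.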
@@ -178,6 +188,33 @@ fluentBit: # Time_Key time # Time_Format %Y-%m-%dT%H:%M:%S.%L # Time_Keep On + metricInstrumentation: | + [INPUT] + name prometheus_scrape + Alias fb-metrics-collector + host 127.0.0.1 + port 2020 + tag fb_metrics + metrics_path /api/v2/metrics/prometheus + scrape_interval 10s + + [OUTPUT] + Name prometheus_remote_write + Match fb_metrics + Alias fb-metrics-forwarder + Host ${METRICS_HOST} + Port 443 + Uri /prometheus/v1/write?prometheus_server=${CLUSTER_NAME} + Header Authorization Bearer ${LICENSE_KEY} + Tls On + # Windows pods using prometheus_remote_write currently have issues if TLS verify is On + Tls.verify Off + # User-defined labels + add_label app fluent-bit + add_label cluster_name ${CLUSTER_NAME} + add_label hostname ${HOSTNAME} + add_label node_name ${NODE_NAME} + add_label source kubernetes image: repository: newrelic/newrelic-fluentbit-output diff --git a/charts/new-relic/nri-bundle/charts/newrelic-pixie/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-pixie/Chart.yaml index 79a72b7a7..ee3b5d215 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-pixie/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-pixie/Chart.yaml @@ -20,4 +20,4 @@ maintainers: name: newrelic-pixie sources: - https://github.com/newrelic/ -version: 2.1.2 +version: 2.1.3 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-pixie/templates/job.yaml b/charts/new-relic/nri-bundle/charts/newrelic-pixie/templates/job.yaml index e37f65f2a..d70dc9ce1 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-pixie/templates/job.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-pixie/templates/job.yaml @@ -8,6 +8,7 @@ metadata: {{- include "newrelic-pixie.labels" . | nindent 4 }} spec: backoffLimit: 4 + ttlSecondsAfterFinished: 600 template: metadata: labels: 
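Review bot: `Tls.verify Off` in the prometheus_remote_write output is applied to every pod, although the comment above it justifies the setting only for Windows; with verification disabled the output accepts any certificate presented for `${METRICS_HOST}`, and each request carries the account license key in `Header Authorization Bearer ${LICENSE_KEY}` together with the cluster's metrics, so the Linux DaemonSet now sends a credential over a connection whose peer is not authenticated. Drive the setting from an environment variable, `Tls.verify ${METRICS_TLS_VERIFY}`, set to `"On"` in daemonset.yaml and `"Off"` only in daemonset-windows.yaml, and state the Windows exception in the README row for `fluentBit.sendMetrics`. Separately, `${CLUSTER_NAME}` is substituted unescaped into the `Uri` query string, so a cluster name containing `&`, `#` or spaces changes the request; either document that constraint next to `cluster` or URL-encode the value before it reaches the config.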
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/CHANGELOG.md b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/CHANGELOG.md index 6a8c3688e..826f22cec 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/CHANGELOG.md +++ b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/CHANGELOG.md @@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## Unreleased +### enhancement +- Add linux node selector @dbudziwojskiNR [#362](https://github.com/newrelic/newrelic-prometheus-configurator/pull/362) ## v1.3.0 - 2023-09-15 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml index f02e7ead1..8738fe593 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml @@ -1,5 +1,5 @@ annotations: - configuratorVersion: 1.13.0 + configuratorVersion: 1.14.0 apiVersion: v2 appVersion: v2.37.8 dependencies: @@ -19,4 +19,4 @@ maintainers: url: https://github.com/dbudziwojskiNR name: newrelic-prometheus-agent type: application -version: 1.10.0 +version: 1.11.0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/templates/statefulset.yaml b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/templates/statefulset.yaml index c43252253..01886d845 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/templates/statefulset.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/templates/statefulset.yaml 
@@ -140,10 +140,9 @@ spec:
 {{- with .Values.extraVolumes }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- with include "newrelic.common.nodeSelector" . }}
 nodeSelector:
- {{- . | nindent 8 }}
- {{- end }}
+ kubernetes.io/os: linux
+ {{ include "newrelic.common.nodeSelector" . | nindent 8 }}
 {{- with include "newrelic.common.affinity" . }}
 affinity:
 {{- . | nindent 8 }}
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/tests/configurator_image_test.yaml b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/tests/configurator_image_test.yaml
index f1460c2ab..0f5da69bf 100644
--- a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/tests/configurator_image_test.yaml
+++ b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/tests/configurator_image_test.yaml
@@ -30,3 +30,28 @@ tests:
 path: spec.template.spec.containers[0].imagePullPolicy
 value: "IfNotPresent"
 template: templates/statefulset.yaml
+
+ - it: has a linux node selector by default
+ set:
+ licenseKey: license-key-test
+ cluster: my-cluster
+ asserts:
+ - equal:
+ path: spec.template.spec.nodeSelector
+ value:
+ kubernetes.io/os: linux
+ template: templates/statefulset.yaml
+
+ - it: has a linux node selector and additional selectors
+ set:
+ licenseKey: license-key-test
+ cluster: my-cluster
+ nodeSelector:
+ aCoolTestLabel: aCoolTestValue
+ asserts:
+ - equal:
+ path: spec.template.spec.nodeSelector
+ value:
+ kubernetes.io/os: linux
+ aCoolTestLabel: aCoolTestValue
+ template: templates/statefulset.yaml
diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml b/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml
index 7c6f72a3c..0a0b12f86 100644
--- a/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml
+++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 2.8.2
+appVersion: 2.9.2
 dependencies:
 - name: common-library
 repository: https://helm-charts.newrelic.com
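Review bot: Emitting a fixed `kubernetes.io/os: linux` and then appending the user's selector means a values-supplied `nodeSelector` that also sets `kubernetes.io/os` renders a duplicate mapping key, which the API server's YAML decoder may reject, and the new `{{ include ... | nindent 8 }}` has no left trim, so the rendered manifest gains a whitespace-only line where the old `{{- . | nindent 8 }}` produced none. If the common helper returns a YAML map, as its use with `nindent` suggests, merging the two sides — `{{- toYaml (merge (include "newrelic.common.nodeSelector" . | fromYaml) (dict "kubernetes.io/os" "linux")) | nindent 8 }}` — removes both issues and lets the caller's key win where that is the intent. The same pattern appears in nri-kube-events/templates/deployment.yaml and in nri-metadata-injection's job-createSecret.yaml, job-patchWebhook.yaml and deployment.yaml; the new unit tests only cover a selector that does not collide, so adding one that sets `kubernetes.io/os` would pin whichever precedence you choose.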
@@ -23,4 +23,4 @@ sources: - https://github.com/newrelic/nri-kube-events/ - https://github.com/newrelic/nri-kube-events/tree/main/charts/nri-kube-events - https://github.com/newrelic/infrastructure-agent/ -version: 3.8.2 +version: 3.9.2 diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md b/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md index cd2695e7a..656deb7e9 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md @@ -1,6 +1,6 @@ # nri-kube-events -![Version: 3.8.2](https://img.shields.io/badge/Version-3.8.2-informational?style=flat-square) ![AppVersion: 2.8.2](https://img.shields.io/badge/AppVersion-2.8.2-informational?style=flat-square) +![Version: 3.9.2](https://img.shields.io/badge/Version-3.9.2-informational?style=flat-square) ![AppVersion: 2.9.2](https://img.shields.io/badge/AppVersion-2.9.2-informational?style=flat-square) A Helm chart to deploy the New Relic Kube Events router diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/templates/deployment.yaml b/charts/new-relic/nri-bundle/charts/nri-kube-events/templates/deployment.yaml index 3d05ac0a6..7ba9eaea9 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/templates/deployment.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/templates/deployment.yaml @@ -106,10 +106,9 @@ spec: {{- with include "newrelic.common.priorityClassName" . }} priorityClassName: {{ . }} {{- end }} - {{- with include "newrelic.common.nodeSelector" . }} nodeSelector: - {{- . | nindent 8 }} - {{- end }} + kubernetes.io/os: linux + {{ include "newrelic.common.nodeSelector" . | nindent 8 }} {{- with include "newrelic.common.tolerations" . }} tolerations: {{- . | nindent 8 }} diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/tests/deployment_test.yaml b/charts/new-relic/nri-bundle/charts/nri-kube-events/tests/deployment_test.yaml index d053cae8d..702917bce 100644 
--- a/charts/new-relic/nri-bundle/charts/nri-kube-events/tests/deployment_test.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/tests/deployment_test.yaml @@ -79,3 +79,26 @@ tests: items: - key: newrelic-infra.yml path: newrelic-infra.yml + + - it: has a linux node selector by default + set: + cluster: my-cluster + licenseKey: us-whatever + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux + + - it: has a linux node selector and additional selectors + set: + cluster: my-cluster + licenseKey: us-whatever + nodeSelector: + aCoolTestLabel: aCoolTestValue + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux + aCoolTestLabel: aCoolTestValue diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/values.yaml b/charts/new-relic/nri-bundle/charts/nri-kube-events/values.yaml index 8356434c6..da88deeb3 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/values.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/values.yaml @@ -27,7 +27,7 @@ images: agent: registry: repository: newrelic/k8s-events-forwarder - tag: 1.49.0 + tag: 1.50.0 pullPolicy: IfNotPresent # -- The secrets that are needed to pull images from a custom registry. pullSecrets: [] diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml index b66744313..a46408dcc 100644 --- a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.25.1 +appVersion: 1.26.2 dependencies: - name: common-library repository: https://helm-charts.newrelic.com 
@@ -22,4 +22,4 @@ name: nri-metadata-injection sources: - https://github.com/newrelic/k8s-metadata-injection - https://github.com/newrelic/k8s-metadata-injection/tree/master/charts/nri-metadata-injection -version: 4.17.1 +version: 4.18.2 diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/templates/admission-webhooks/job-patch/job-createSecret.yaml index 3db03d664..a04f27935 100644 --- a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/templates/admission-webhooks/job-patch/job-createSecret.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/templates/admission-webhooks/job-patch/job-createSecret.yaml @@ -51,10 +51,9 @@ spec: runAsGroup: 2000 runAsNonRoot: true runAsUser: 2000 - {{- with include "newrelic.common.nodeSelector" . }} nodeSelector: - {{- . | nindent 8 -}} - {{- end }} + kubernetes.io/os: linux + {{ include "newrelic.common.nodeSelector" . | nindent 8 }} {{- if .Values.tolerations }} tolerations: {{- toYaml .Values.tolerations | nindent 8 }} diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/templates/admission-webhooks/job-patch/job-patchWebhook.yaml index 0dfe4f721..99374ef35 100644 --- a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/templates/admission-webhooks/job-patch/job-patchWebhook.yaml 
@@ -51,10 +51,9 @@ spec: runAsGroup: 2000 runAsNonRoot: true runAsUser: 2000 - {{- with include "newrelic.common.nodeSelector" . }} nodeSelector: - {{- . | nindent 8 -}} - {{- end }} + kubernetes.io/os: linux + {{ include "newrelic.common.nodeSelector" . | nindent 8 }} {{- if .Values.tolerations }} tolerations: {{- toYaml .Values.tolerations | nindent 8 }} diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/templates/deployment.yaml b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/templates/deployment.yaml index 85f5aa225..4974dbbc1 100644 --- a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/templates/deployment.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/templates/deployment.yaml @@ -72,10 +72,9 @@ spec: - name: tls-key-cert-pair secret: secretName: {{ include "nri-metadata-injection.fullname.admission" . }} - {{- with include "newrelic.common.nodeSelector" . }} nodeSelector: - {{- . | nindent 8 -}} - {{- end }} + kubernetes.io/os: linux + {{ include "newrelic.common.nodeSelector" . | nindent 8 }} {{- with include "newrelic.common.tolerations" . }} tolerations: {{- . | nindent 8 -}} diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/tests/cluster_test.yaml b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/tests/cluster_test.yaml index 7675095ac..a28487a06 100644 --- a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/tests/cluster_test.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/tests/cluster_test.yaml 
@@ -18,3 +18,22 @@ tests: asserts: - failedTemplate: errorMessage: There is not cluster name definition set neither in `.global.cluster' nor `.cluster' in your values.yaml. Cluster name is required. + - it: has a linux node selector by default + set: + cluster: my-cluster + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux + - it: has a linux node selector and additional selectors + set: + cluster: my-cluster + nodeSelector: + aCoolTestLabel: aCoolTestValue + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux + aCoolTestLabel: aCoolTestValue diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/tests/job_serviceaccount_test.yaml b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/tests/job_serviceaccount_test.yaml index 42bf2d360..63b6f0534 100644 --- a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/tests/job_serviceaccount_test.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/tests/job_serviceaccount_test.yaml @@ -36,3 +36,24 @@ tests: - equal: path: spec.template.spec.serviceAccountName value: default + + - it: has a linux node selector by default + set: + cluster: my-cluster + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux + + - it: has a linux node selector and additional selectors + set: + cluster: my-cluster + nodeSelector: + aCoolTestLabel: aCoolTestValue + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux + aCoolTestLabel: aCoolTestValue diff --git a/charts/ngrok/kubernetes-ingress-controller/Chart.lock b/charts/ngrok/kubernetes-ingress-controller/Chart.lock index e7dc0f4a0..3d386e334 100644 --- a/charts/ngrok/kubernetes-ingress-controller/Chart.lock +++ b/charts/ngrok/kubernetes-ingress-controller/Chart.lock 
@@ -1,6 +1,6 @@ dependencies: - name: common repository: https://charts.bitnami.com/bitnami - version: 2.13.3 -digest: sha256:37595168f1970c2ca27e2d2c08ffdaa4963b9f33a9ee68a13c2017b6487185ed -generated: "2023-10-17T13:27:53.460097-04:00" + version: 2.16.1 +digest: sha256:3c125c13875dbcbcfb32c9452f42151d76831466fcc92bb8ff22ba1ed587b536 +generated: "2024-02-27T12:05:25.026947838-05:00" diff --git a/charts/ngrok/kubernetes-ingress-controller/Chart.yaml b/charts/ngrok/kubernetes-ingress-controller/Chart.yaml index 327920243..2231d5285 100644 --- a/charts/ngrok/kubernetes-ingress-controller/Chart.yaml +++ b/charts/ngrok/kubernetes-ingress-controller/Chart.yaml @@ -3,7 +3,7 @@ annotations: catalog.cattle.io/display-name: ngrok Ingress Controller catalog.cattle.io/release-name: kubernetes-ingress-controller apiVersion: v2 -appVersion: 0.10.1 +appVersion: 0.10.2 dependencies: - name: common repository: file://./charts/common @@ -22,4 +22,4 @@ keywords: name: kubernetes-ingress-controller sources: - https://github.com/ngrok/kubernetes-ingress-controller -version: 0.12.1 +version: 0.12.2 diff --git a/charts/ngrok/kubernetes-ingress-controller/charts/common/.helmignore b/charts/ngrok/kubernetes-ingress-controller/charts/common/.helmignore index 50af03172..7c7c21d65 100644 --- a/charts/ngrok/kubernetes-ingress-controller/charts/common/.helmignore +++ b/charts/ngrok/kubernetes-ingress-controller/charts/common/.helmignore @@ -20,3 +20,5 @@ .idea/ *.tmproj .vscode/ +# img folder +img/ diff --git a/charts/ngrok/kubernetes-ingress-controller/charts/common/Chart.yaml b/charts/ngrok/kubernetes-ingress-controller/charts/common/Chart.yaml index 40cd22d77..33799499e 100644 --- a/charts/ngrok/kubernetes-ingress-controller/charts/common/Chart.yaml +++ b/charts/ngrok/kubernetes-ingress-controller/charts/common/Chart.yaml 
@@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.16.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.13.3 +version: 2.16.1 diff --git a/charts/ngrok/kubernetes-ingress-controller/charts/common/README.md b/charts/ngrok/kubernetes-ingress-controller/charts/common/README.md index 80da4cc2f..0d01a1e06 100644 --- a/charts/ngrok/kubernetes-ingress-controller/charts/common/README.md +++ b/charts/ngrok/kubernetes-ingress-controller/charts/common/README.md @@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ @@ -220,7 +220,7 @@ helm install test mychart --set path.to.value00="",path.to.value01="" ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
diff --git a/charts/ngrok/kubernetes-ingress-controller/charts/common/templates/_resources.tpl b/charts/ngrok/kubernetes-ingress-controller/charts/common/templates/_resources.tpl
new file mode 100644
index 000000000..d90f8752d
--- /dev/null
+++ b/charts/ngrok/kubernetes-ingress-controller/charts/common/templates/_resources.tpl
@@ -0,0 +1,50 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a resource request/limit object based on a given preset. +These presets are for basic testing and not meant to be used in production +{{ include "common.resources.preset" (dict "type" "nano") -}} +*/}} +{{- define "common.resources.preset" -}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}} +{{- $presets := dict + "nano" (dict + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi") + ) + "micro" (dict + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi") + ) + "small" (dict + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi") + ) + "medium" (dict + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi") + ) + "large" (dict + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi") + ) + "xlarge" (dict + "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi") + ) + "2xlarge" (dict + "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi") + ) + }} +{{- if hasKey $presets .type -}} +{{- index $presets .type | toYaml -}} +{{- else -}} +{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} +{{- end -}} +{{- end -}} \ No newline at end of file 
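Review bot: The fallback `{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}` builds its allowed-value list from `keys $presets`, and Sprig's `keys` returns map keys in unspecified order, so the error text differs from run to run and is awkward to match in tests or docs. Piping through `sortAlpha`, i.e. `(join "," (keys $presets | sortAlpha))`, makes the message stable. The header comment already says these presets are for basic testing and not production; since the limits are derived mechanically (requests +50%, ephemeral-storage fixed at 1024Mi), it would help to state in that comment that callers are expected to override `resources` explicitly for real workloads rather than tune the preset table.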
diff --git a/charts/ngrok/kubernetes-ingress-controller/charts/common/templates/_secrets.tpl b/charts/ngrok/kubernetes-ingress-controller/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/ngrok/kubernetes-ingress-controller/charts/common/templates/_secrets.tpl +++ b/charts/ngrok/kubernetes-ingress-controller/charts/common/templates/_secrets.tpl @@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) @@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} 
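Review bot: The new parameter description `- skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted.` has a stray "no" and calls base64 "encryption"; base64 is a reversible encoding with no confidentiality value, and a reader could take this line to mean the flag disables a protection. Suggest `- skipB64enc - Boolean - Optional - Default to false. If set to true, the returned value is not base64 encoded (for use with stringData).` The removal of `{{- $failOnNew := default true .failOnNew }}` in the second hunk is paired with the inline `not (eq .failOnNew false)` test in the following hunk; the doc line for `failOnNew` still reads "Default to true", which remains accurate only for callers that pass a real boolean, so consider noting that a string "false" from values is not treated as opt-out.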
@@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} @@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/charts/ngrok/kubernetes-ingress-controller/charts/common/templates/_warnings.tpl b/charts/ngrok/kubernetes-ingress-controller/charts/common/templates/_warnings.tpl index 66dffc1fe..0f763cd82 100644 --- a/charts/ngrok/kubernetes-ingress-controller/charts/common/templates/_warnings.tpl 
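Review bot: In the existing-secret branch `{{- $password = index $secretData .key | b64dec }}` now decodes the value looked up from the live Secret, and the plaintext then travels through the rest of the template until the new `{{- if not .skipB64enc }}` block re-encodes it; with `skipB64enc` true the plaintext is emitted as-is, so `helm template` and `--debug` output, rendered manifest dumps and any caller that places the result in `data` rather than `stringData` will expose it. A one-line comment above the `skipB64enc` block, e.g. `{{/* skipB64enc=true returns the raw password: only use it for stringData fields */}}`, would make that contract explicit at the point where it matters. Separately, `{{- else if not (eq .failOnNew false) }}` only recognises a boolean false; a value passed as the string "false" still hits `fail`, which differs from the removed `default true .failOnNew` only in that nil is still treated as true, so document or normalise the type. The same re-encoding path applies to the second hunk (`@@ -120,12 +123,19 @@`) where the generated-password branches drop their own `b64enc | quote`.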
+++ b/charts/ngrok/kubernetes-ingress-controller/charts/common/templates/_warnings.tpl 
@@ -13,7 +13,70 @@ Usage: {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ ++info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers {{- end }} - +{{- end -}} + +{{/* +Warning about not setting the resource object in all deployments. +Usage: +{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} +Example: +{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} +The list in the example assumes that the following values exist: + - csiProvider.provider.resources + - server.resources + - volumePermissions.resources + - resources +*/}} +{{- define "common.warnings.resources" -}} +{{- $values := .context.Values -}} +{{- $printMessage := false -}} +{{ $affectedSections := list -}} +{{- range .sections -}} + {{- if eq . "" -}} + {{/* Case where the resources section is at the root (one main deployment in the chart) */}} + {{- if not (index $values "resources") -}} + {{- $affectedSections = append $affectedSections "resources" -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} + {{- $keys := split "." . -}} + {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} + {{- $section := $values -}} + {{- range $keys -}} + {{- $section = index $section . 
-}} + {{- end -}} + {{- if not (index $section "resources") -}} + {{/* If the section has enabled=false or replicaCount=0, do not include it */}} + {{- if and (hasKey $section "enabled") -}} + {{- if index $section "enabled" -}} + {{/* enabled=true */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else if and (hasKey $section "replicaCount") -}} + {{/* We need a casting to int because number 0 is not treated as an int by default */}} + {{- if (gt (index $section "replicaCount" | int) 0) -}} + {{/* replicaCount > 0 */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Default case, add it to the affected sections */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: +{{- range $affectedSections }} + - {{ . }} +{{- end }} ++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +{{- end -}} {{- end -}} diff --git a/charts/ngrok/kubernetes-ingress-controller/templates/NOTES.txt b/charts/ngrok/kubernetes-ingress-controller/templates/NOTES.txt index e514b33da..3b5bf2823 100644 --- a/charts/ngrok/kubernetes-ingress-controller/templates/NOTES.txt +++ b/charts/ngrok/kubernetes-ingress-controller/templates/NOTES.txt 
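Review bot: `{{- if and (hasKey $section "enabled") -}}` and `{{- else if and (hasKey $section "replicaCount") -}}` wrap a single operand in `and`, which is a no-op and reads as if a second condition were lost in editing; `{{- if hasKey $section "enabled" -}}` says the same thing. The key walk `{{- range $keys -}} {{- $section = index $section . -}} {{- end -}}` has no guard for a section path that is absent from the values; once an intermediate lookup yields nil, the next `index` call will most likely abort rendering with a template error rather than produce the warning, so either guard with `{{- if $section -}}` or state in the usage comment that every listed path must exist in values.yaml. Finally, `{{ $affectedSections := list -}}` is the only action in the block without the leading `-` trim marker, which is harmless here because the preceding action trims its trailing whitespace, but it is inconsistent with the rest of the file.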
@@ -13,7 +13,7 @@ be automatically configured on the internet using ngrok. {{- if eq $portMap.port 80 443 }} {{- if ne $service.metadata.name "kubernetes" }} {{- $found = true -}} - {{- $randomStr := randAlphaNum 8 }} + {{- $randomStr := randAlphaNum 8 | lower }} One example, taken from your cluster, is the Service: {{ $service.metadata.name | quote }} diff --git a/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_httpsedges.yaml b/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_httpsedges.yaml index 06b8f21de..7de6c37c3 100644 --- a/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_httpsedges.yaml +++ b/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_httpsedges.yaml @@ -908,6 +908,62 @@ spec: type: string type: array type: object + policy: + properties: + enabled: + description: Determines if the rule will be applied to traffic + type: boolean + inbound: + description: Inbound traffic rule + items: + properties: + actions: + description: Actions + items: + properties: + config: + type: object + x-kubernetes-preserve-unknown-fields: true + type: + type: string + type: object + type: array + expressions: + description: Expressions + items: + type: string + type: array + name: + description: Name + type: string + type: object + type: array + outbound: + description: Outbound traffic rule + items: + properties: + actions: + description: Actions + items: + properties: + config: + type: object + x-kubernetes-preserve-unknown-fields: true + type: + type: string + type: object + type: array + expressions: + description: Expressions + items: + type: string + type: array + name: + description: Name + type: string + type: object + type: array + type: object saml: description: SAML is the SAML configuration to apply to this route 
diff --git a/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_ngrokmodulesets.yaml b/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_ngrokmodulesets.yaml index 2e0c0327e..800fa04fc 100644 --- a/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_ngrokmodulesets.yaml +++ b/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_ngrokmodulesets.yaml @@ -793,6 +793,63 @@ spec: type: string type: array type: object + policy: + description: Policy configuration for this module set + properties: + enabled: + description: Determines if the rule will be applied to traffic + type: boolean + inbound: + description: Inbound traffic rule + items: + properties: + actions: + description: Actions + items: + properties: + config: + type: object + x-kubernetes-preserve-unknown-fields: true + type: + type: string + type: object + type: array + expressions: + description: Expressions + items: + type: string + type: array + name: + description: Name + type: string + type: object + type: array + outbound: + description: Outbound traffic rule + items: + properties: + actions: + description: Actions + items: + properties: + config: + type: object + x-kubernetes-preserve-unknown-fields: true + type: + type: string + type: object + type: array + expressions: + description: Expressions + items: + type: string + type: array + name: + description: Name + type: string + type: object + type: array + type: object saml: description: SAML configuration for this module set properties: diff --git a/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_tcpedges.yaml b/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_tcpedges.yaml index 3ae1b6798..191605903 100644 --- a/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_tcpedges.yaml 
+++ b/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_tcpedges.yaml @@ -90,6 +90,62 @@ spec: description: Metadata is a string of arbitrary data associated with the object in the ngrok API/Dashboard type: string + policy: + properties: + enabled: + description: Determines if the rule will be applied to traffic + type: boolean + inbound: + description: Inbound traffic rule + items: + properties: + actions: + description: Actions + items: + properties: + config: + type: object + x-kubernetes-preserve-unknown-fields: true + type: + type: string + type: object + type: array + expressions: + description: Expressions + items: + type: string + type: array + name: + description: Name + type: string + type: object + type: array + outbound: + description: Outbound traffic rule + items: + properties: + actions: + description: Actions + items: + properties: + config: + type: object + x-kubernetes-preserve-unknown-fields: true + type: + type: string + type: object + type: array + expressions: + description: Expressions + items: + type: string + type: array + name: + description: Name + type: string + type: object + type: array + type: object type: object status: description: TCPEdgeStatus defines the observed state of TCPEdge diff --git a/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_tlsedges.yaml b/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_tlsedges.yaml index 7f804456a..670936e4c 100644 --- a/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_tlsedges.yaml +++ b/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_tlsedges.yaml 
@@ -104,6 +104,62 @@ spec: type: string type: array type: object + policy: + properties: + enabled: + description: Determines if the rule will be applied to traffic + type: boolean + inbound: + description: Inbound traffic rule + items: + properties: + actions: + description: Actions + items: + properties: + config: + type: object + x-kubernetes-preserve-unknown-fields: true + type: + type: string + type: object + type: array + expressions: + description: Expressions + items: + type: string + type: array + name: + description: Name + type: string + type: object + type: array + outbound: + description: Outbound traffic rule + items: + properties: + actions: + description: Actions + items: + properties: + config: + type: object + x-kubernetes-preserve-unknown-fields: true + type: + type: string + type: object + type: array + expressions: + description: Expressions + items: + type: string + type: array + name: + description: Name + type: string + type: object + type: array + type: object tlsTermination: properties: minVersion: diff --git a/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_tunnels.yaml b/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_tunnels.yaml index f67724a32..7b9f20e21 100644 --- a/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_tunnels.yaml +++ b/charts/ngrok/kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_tunnels.yaml @@ -44,6 +44,10 @@ spec: spec: description: TunnelSpec defines the desired state of Tunnel properties: + appProtocol: + description: The appProtocol for the backend. Currently only supports + `http2` + type: string backend: description: The configuration for backend connections to services properties: diff --git a/charts/ngrok/kubernetes-ingress-controller/templates/rbac/role.yaml b/charts/ngrok/kubernetes-ingress-controller/templates/rbac/role.yaml index 3a624ca6e..0590bcab9 100644 
--- a/charts/ngrok/kubernetes-ingress-controller/templates/rbac/role.yaml
+++ b/charts/ngrok/kubernetes-ingress-controller/templates/rbac/role.yaml
@@ -203,6 +203,34 @@ rules:
- get
- patch
- update
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - gatewayclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - gatewayclasses/status
+ verbs:
+ - get
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - gateways
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - gateways/status
+ verbs:
+ - get
- apiGroups:
- networking.k8s.io
resources:
diff --git a/charts/percona/psmdb-operator/Chart.yaml b/charts/percona/psmdb-operator/Chart.yaml
index b9a284e27..1853d521b 100644
--- a/charts/percona/psmdb-operator/Chart.yaml
+++ b/charts/percona/psmdb-operator/Chart.yaml
@@ -16,4 +16,4 @@ maintainers:
- email: sergey.pronin@percona.com
name: spron-in
name: psmdb-operator
-version: 1.15.2
+version: 1.15.3
diff --git a/charts/percona/psmdb-operator/README.md b/charts/percona/psmdb-operator/README.md
index 3237153e9..04a7ec42f 100644
--- a/charts/percona/psmdb-operator/README.md
+++ b/charts/percona/psmdb-operator/README.md
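Review bot: The four new rules grant `get`/`list`/`watch` on `gatewayclasses`, `gateways` and their `/status` subresources under `apiGroups: - networking.k8s.io`, but the Gateway API kinds GatewayClass and Gateway are served from the `gateway.networking.k8s.io` group; as written these entries match no resource in `networking.k8s.io`, so the grant is inert and a controller reconciling Gateway objects would still be denied. If Gateway API support is the intent, each of the four `apiGroups` entries should read `- gateway.networking.k8s.io`. Keeping the verbs read-only and splitting the `/status` subresource out with only `get` is good least-privilege practice and should be preserved when the group is corrected. I cannot see from this hunk whether a separate ClusterRole already covers these kinds, so confirm against the controller's RBAC markers before changing it.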
@@ -38,7 +38,8 @@ The chart can be customized using the following configurable parameters: | `nodeSelector` | Labels for Pod assignment | `{}` | | `podAnnotations` | Annotations for pod | `{}` | | `podSecurityContext` | Pod Security Context | `{}` | -| `watchNamespace` | Set when a different from default namespace is needed to watch | `""` | +| `watchNamespace` | Set when a different from default namespace is needed to watch (comma separated if multiple needed) | `""` | +| `createNamespace` | Set if you want to create watched namespaces with helm | `false` | | `rbac.create` | If false RBAC will not be created. RBAC resources will need to be created manually | `true` | | `securityContext` | Container Security Context | `{}` | | `serviceAccount.create` | If false the ServiceAccounts will not be created. The ServiceAccounts must be created manually | `true` | diff --git a/charts/percona/psmdb-operator/templates/namespace.yaml b/charts/percona/psmdb-operator/templates/namespace.yaml index 6eac7de06..cfc96d4d9 100644 --- a/charts/percona/psmdb-operator/templates/namespace.yaml +++ b/charts/percona/psmdb-operator/templates/namespace.yaml @@ -1,8 +1,11 @@ -{{ if .Values.watchNamespace }} +{{ if and .Values.watchNamespace .Values.createNamespace }} +{{ range ( split "," .Values.watchNamespace ) }} apiVersion: v1 kind: Namespace metadata: - name: {{ .Values.watchNamespace }} + name: {{ trim . }} annotations: helm.sh/resource-policy: keep +--- +{{ end }} {{ end }} diff --git a/charts/percona/psmdb-operator/templates/role-binding.yaml b/charts/percona/psmdb-operator/templates/role-binding.yaml index fb2bdbe3a..a815869d4 100644 --- a/charts/percona/psmdb-operator/templates/role-binding.yaml +++ b/charts/percona/psmdb-operator/templates/role-binding.yaml 
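Review bot: `{{ range ( split "," .Values.watchNamespace ) }}` emits one Namespace per comma-separated entry, but an empty entry (a trailing comma, or `a,,b`) still renders a document with `name:` empty after `trim`, and the whole install then fails at apply time with an unhelpful validation error; wrapping the body in `{{- if trim . }}` … `{{- end }}`, or calling `fail` with a message naming the offending value, catches that in templating. Each generated namespace also carries `helm.sh/resource-policy: keep`, so namespaces created through the new `createNamespace` switch survive `helm uninstall`; that is reasonable for a namespace holding database workloads, but it is worth a sentence next to the `createNamespace` value so operators do not expect release-managed namespaces to be removed.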
@@ -19,11 +19,9 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: service-account-{{ include "psmdb-operator.fullname" . }} - {{- if .Values.watchNamespace }} - namespace: {{ .Values.watchNamespace }} - {{- else if not .Values.watchAllNamespaces }} +{{- if not (or .Values.watchNamespace .Values.watchAllNamespaces) }} namespace: {{ .Release.Namespace }} - {{- end }} +{{- end }} labels: {{ include "psmdb-operator.labels" . | indent 4 }} subjects: diff --git a/charts/percona/psmdb-operator/templates/role.yaml b/charts/percona/psmdb-operator/templates/role.yaml index 6fee74312..3a0466fa9 100644 --- a/charts/percona/psmdb-operator/templates/role.yaml +++ b/charts/percona/psmdb-operator/templates/role.yaml @@ -7,7 +7,9 @@ kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "psmdb-operator.fullname" . }} +{{- if not (or .Values.watchNamespace .Values.watchAllNamespaces) }} namespace: {{ .Release.Namespace }} +{{- end }} labels: {{ include "psmdb-operator.labels" . | indent 4 }} rules: diff --git a/charts/percona/psmdb-operator/values.yaml b/charts/percona/psmdb-operator/values.yaml index 37f58e237..3e3a047ca 100644 --- a/charts/percona/psmdb-operator/values.yaml +++ b/charts/percona/psmdb-operator/values.yaml @@ -17,7 +17,10 @@ disableTelemetry: false # set if you want to specify a namespace to watch # defaults to `.Release.namespace` if left blank +# multiple namespaces can be specified and separated by comma # watchNamespace: +# set if you want that watched namespaces are created by helm +# createNamespace: false # set if operator should be deployed in cluster wide mode. defaults to false watchAllNamespaces: false diff --git a/charts/percona/pxc-db/Chart.yaml b/charts/percona/pxc-db/Chart.yaml index 11ed317d2..2eb6ab1b3 100644 --- a/charts/percona/pxc-db/Chart.yaml +++ b/charts/percona/pxc-db/Chart.yaml 
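Review bot: With `{{- if not (or .Values.watchNamespace .Values.watchAllNamespaces) }}` the RoleBinding, and likewise the Role in the role.yaml hunk of this commit, now gets no `namespace` whenever `watchNamespace` is set, whereas before it was placed in the single watched namespace. A namespaced RoleBinding with no `namespace` field lands in the release namespace, so this only works if the kind selection above the hunk, outside my view, switches to ClusterRole/ClusterRoleBinding for the `watchNamespace` case; if it does, a watch list of two or three namespaces now produces cluster-wide grants rather than per-namespace scoping, which widens the operator's permissions well beyond what the `watchNamespace` setting suggests. If that is the intended design, state it in values.yaml next to `watchNamespace` (for example `# note: setting watchNamespace switches RBAC to cluster-scoped roles`); if not, a `range` over the split list emitting one Role/RoleBinding per namespace keeps the previous least-privilege scope. The enclosing template and its kind selection start outside the hunk.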
@@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21-0' catalog.cattle.io/release-name: pxc-db apiVersion: v2 -appVersion: 1.13.0 +appVersion: 1.14.0 description: A Helm chart for installing Percona XtraDB Cluster Databases using the PXC Operator. home: https://www.percona.com/doc/kubernetes-operator-for-pxc/kubernetes.html @@ -17,4 +17,4 @@ maintainers: - email: natalia.marukovich@percona.com name: nmarukovich name: pxc-db -version: 1.13.7 +version: 1.14.0 diff --git a/charts/percona/pxc-db/README.md b/charts/percona/pxc-db/README.md index 2ce0724f8..70337d499 100644 --- a/charts/percona/pxc-db/README.md +++ b/charts/percona/pxc-db/README.md @@ -8,7 +8,7 @@ Useful links ## Pre-requisites * [Percona Operator for MySQL](https://hub.helm.sh/charts/percona/pxc-operator) running in your Kubernetes cluster. See installation details [here](https://github.com/percona/percona-helm-charts/tree/main/charts/pxc-operator) or in the [Operator Documentation](https://www.percona.com/doc/kubernetes-operator-for-pxc/helm.html). -* Kubernetes 1.23+ +* Kubernetes 1.24+ * Helm v3 
@@ -20,20 +20,22 @@ To install the chart with the `pxc` release name using a dedicated namespace (re ```sh helm repo add percona https://percona.github.io/percona-helm-charts/ -helm install my-db percona/pxc-db --version 1.13.0 --namespace my-namespace +helm install my-db percona/pxc-db --version 1.14.0 --namespace my-namespace ``` The chart can be customized using the following configurable parameters: | Parameter | Description | Default | | ------------------------------- | ------------------------------------------------------------------------------|--------------------------------------------------------------------------| -| `crVersion` | Version of the Operator the Custom Resource belongs to | `1.13.0` | +| `crVersion` | Version of the Operator the Custom Resource belongs to | `1.14.0` | | `ignoreAnnotations` | Operator will not remove following annotations | `[]` | | `ignoreLabels` | Operator will not remove following labels | `[]` | | `pause` | Stop PXC Database safely | `false` | | `allowUnsafeConfigurations` | Allows forbidden configurations like even number of PXC cluster pods | `false` | | `enableCRValidationWebhook` | Enables or disables schema validation before applying custom resource | `false` | -| `initImage` | An alternative image for the initial Operator installation | `""` | +| `initContainer.image` | An alternative image for the initial Operator installation | `""` | +| `initContainer.resources.requests` | Init container resource requests | `{}` | +| `initContainer.resources.limits` | Init container resource limits | `{}` | | `updateStrategy` | Regulates the way how PXC Cluster Pods will be updated after setting a new image | `SmartUpdate` | | `upgradeOptions.versionServiceEndpoint` | Endpoint for actual PXC Versions provider | `https://check.percona.com/versions` | | `upgradeOptions.apply` | PXC image to apply from version service - `recommended`, `latest`, actual version like `8.0.19-10.1` | `disabled` | 
@@ -55,8 +57,12 @@ The chart can be customized using the following configurable parameters: | `pxc.autoRecovery` | Enable full cluster crash auto recovery | `true` | | `pxc.expose.enabled` | Enable or disable exposing `Percona XtraDB Cluster` nodes with dedicated IP addresses | `true` | | `pxc.expose.type` | The Kubernetes Service Type used for exposure | `LoadBalancer` | -| `pxc.expose.loadBalancerSourceRanges` | The range of client IP addresses from which the load balancer should be reachable (if not set, there is no limitations) | `10.0.0.0/8` | -| `pxc.expose.annotations` | The Kubernetes annotations | `true` | +| `pxc.expose.externalTrafficPolicy` | Specifies whether Service for Percona XtraDB Cluster should [route external traffic to cluster-wide or to node-local endpoints](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) (it can influence the load balancing effectiveness) | `"" | +| `pxc.expose.internalTrafficPolicy` | Specifies whether Service for Percona XtraDB Cluster should [route internal traffic to cluster-wide or to node-local endpoints](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/) (it can influence the load balancing effectiveness) | `""` | +| `pxc.expose.loadBalancerSourceRanges` | The range of client IP addresses from which the load balancer should be reachable (if not set, there is no limitations) | `[]` | +| `pxc.expose.loadBalancerIP` | The static IP-address for the load balancer | `""` | +| `pxc.expose.annotations` | The Kubernetes annotations for exposed service | `{}` | +| `pxc.expose.labels` | The Kubernetes labels for exposed service | `{}` | | `pxc.replicationChannels.name` | Name of the replication channel for cross-site replication | `pxc1_to_pxc2` | | `pxc.replicationChannels.isSource` | Should the cluster act as Source (true) or Replica (false) in cross-site replication | `false` | | `pxc.replicationChannels.sourcesList.host` 
| For the cross-site replication Replica cluster, this key should contain the hostname or IP address of the Source cluster | `10.95.251.101` | @@ -80,10 +86,13 @@ The chart can be customized using the following configurable parameters: | `pxc.sidecarResources.requests` | PXC sidecar resource requests | `{}` | | `pxc.sidecarResources.limits` | PXC sidecar resource limits | `{}` | | `pxc.nodeSelector` | PXC Pods key-value pairs setting for K8S node assingment | `{}` | +| `pxc.topologySpreadConstraints` | The Label selector for the [Kubernetes Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/) | `[]` | | `pxc.affinity.antiAffinityTopologyKey` | PXC Pods simple scheduling restriction on/off for host, zone, region | `"kubernetes.io/hostname"` | | `pxc.affinity.advanced` | PXC Pods advanced scheduling restriction with match expression engine | `{}` | | `pxc.tolerations` | List of node taints to tolerate for PXC Pods | `[]` | | `pxc.gracePeriod` | Allowed time for graceful shutdown | `600` | +| `pxc.lifecycle.preStop.exec.command` | Command for the [preStop lifecycle hook](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/) for Percona XtraDB Cluster Pods | `""` | +| `pxc.lifecycle.postStart.exec.command` | Command for the [postStart lifecycle hook](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/) for Percona XtraDB Cluster Pods | `600` | | `pxc.podDisruptionBudget.maxUnavailable` | Instruct Kubernetes about the failed pods allowed quantity | `1` | | `pxc.persistence.enabled` | Requests a persistent storage (`hostPath` or `storageClass`) from K8S for PXC Pods datadir | `true` | | `pxc.persistence.hostPath` | Sets datadir path on K8S node for all PXC Pods. Available only when `pxc.persistence.enabled: true` | | 
@@ -107,25 +116,28 @@ The chart can be customized using the following configurable parameters: | | | `haproxy.enabled` | Use HAProxy as TCP proxy for PXC cluster | `true` | | `haproxy.size` | HAProxy target pod quantity. Can't even if `allowUnsafeConfigurations` is `true` | `3` | -| `haproxy.image` | HAProxy Container image repository | `percona/percona-xtradb-cluster-operator:1.13.0-haproxy` | +| `haproxy.image` | HAProxy Container image repository | `percona/percona-xtradb-cluster-operator:1.14.0-haproxy` | | `haproxy.imagePullPolicy` | The policy used to update images | `` | | `haproxy.imagePullSecrets` | HAProxy Container pull secret | `[]` | | `haproxy.configuration` | User defined HAProxy options according to HAProxy configuration file syntax | `` | | `haproxy.priorityClassName` | HAProxy Pod priority Class defined by user | | | `haproxy.runtimeClassName` | Name of the Kubernetes Runtime Class for HAProxy Pods | | -| `haproxy.externalTrafficPolicy` | Desire service to route external traffic for HAProxy to node-local or cluster-wide endpoints | | -| `haproxy.loadBalancerSourceRanges` | Limit which client IP's can access the Network Load Balancer | `[]` | -| `haproxy.loadBalancerIP` | The static IP-address for the load balancer | `` | -| `haproxy.serviceType` | Specify what kind of Service you want for HAProxy | `ClusterIP` | -| `haproxy.replicasServiceEnabled` | Allow disabling k8s service for haproxy-replicas | `true` | -| `haproxy.replicasLoadBalancerSourceRanges` | Limit which client IP's can access the Network Load Balancer for HAProxy Replicas | `[]` | -| `haproxy.replicasLoadBalancerIP` | The static IP-address for the load balancer for HAProxy Replicas | `` | -| `haproxy.replicasServiceType` | Specify what kind of Service you want for HAProxy Replicas | `ClusterIP` | -| `haproxy.replicasExternalTrafficPolicy` | Desire service to route external traffic for HAProxy replicas to node-local or cluster-wide endpoints | | -| `haproxy.replicasServiceAnnotations` 
| The Kubernetes annotations metadata for the haproxy-replicas Service | {} | -| `haproxy.replicasServiceLabels` | The Kubernetes labels for the haproxy-replicas Service | {} | -| `haproxy.serviceAnnotations` | Specify service annotations | `{}` | -| `haproxy.serviceLabels` | Specify service labels | `{}` | +| `haproxy.exposePrimary.enabled` | Enable or disable exposing `HAProxy` nodes with dedicated IP addresses | `true` | +| `haproxy.exposePrimary.type` | The Kubernetes Service Type used for exposure | `LoadBalancer` | +| `haproxy.exposePrimary.externalTrafficPolicy` | Specifies whether Service for HAProxy primary should [route external traffic to cluster-wide or to node-local endpoints](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) (it can influence the load balancing effectiveness) | `"" | +| `haproxy.exposePrimary.internalTrafficPolicy` | Specifies whether Service for HAProxy primary should [route internal traffic to cluster-wide or to node-local endpoints](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/) (it can influence the load balancing effectiveness) | `""` | +| `haproxy.exposePrimary.loadBalancerSourceRanges` | The range of client IP addresses from which the load balancer should be reachable (if not set, there is no limitations) | `[]` | +| `haproxy.exposePrimary.loadBalancerIP` | The static IP-address for the load balancer | `""` | +| `haproxy.exposePrimary.annotations` | The Kubernetes annotations for exposed service | `{}` | +| `haproxy.exposePrimary.labels` | The Kubernetes labels for exposed service | `{}` | +| `haproxy.exposeReplicas.enabled` | Enable or disable exposing `HAProxy` primary service with dedicated IP addresses | `true` | +| `haproxy.exposeReplicas.type` | The Kubernetes Service Type used for exposure | `LoadBalancer` | +| `haproxy.exposeReplicas.externalTrafficPolicy` | Specifies whether Service for HAProxy replicas should 
[route external traffic to cluster-wide or to node-local endpoints](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) (it can influence the load balancing effectiveness) | `"" | +| `haproxy.exposeReplicas.internalTrafficPolicy` | Specifies whether Service for HAProxy replicas should [route internal traffic to cluster-wide or to node-local endpoints](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/) (it can influence the load balancing effectiveness) | `""` | +| `haproxy.exposeReplicas.loadBalancerSourceRanges` | The range of client IP addresses from which the load balancer should be reachable (if not set, there is no limitations) | `[]` | +| `haproxy.exposeReplicas.loadBalancerIP` | The static IP-address for the load balancer | `""` | +| `haproxy.exposeReplicas.annotations` | The Kubernetes annotations for exposed service | `{}` | +| `haproxy.exposeReplicas.labels` | The Kubernetes labels for exposed service | `{}` | | `haproxy.annotations` | HAProxy Pod user-defined annotations | `{}` | | `haproxy.labels` | HAProxy Pod user-defined labels | `{}` | | `haproxy.schedulerName` | The Kubernetes Scheduler | | 
@@ -140,10 +152,13 @@ The chart can be customized using the following configurable parameters: | `haproxy.sidecarResources.requests` | HAProxy sidecar resource requests | `{}` | | `haproxy.sidecarResources.limits` | HAProxy sidecar resource limits | `{}` | | `haproxy.nodeSelector` | HAProxy Pods key-value pairs setting for K8S node assingment | `{}` | +| `haproxy.topologySpreadConstraints` | The Label selector for the [Kubernetes Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/) | `[]` | | `haproxy.affinity.antiAffinityTopologyKey` | HAProxy Pods simple scheduling restriction on/off for host, zone, region | `"kubernetes.io/hostname"` | | `haproxy.affinity.advanced` | HAProxy Pods advanced scheduling restriction with match expression engine | `{}` | | `haproxy.tolerations` | List of node taints to tolerate for HAProxy Pods | `[]` | | `haproxy.gracePeriod` | Allowed time for graceful shutdown | `600` | +| `haproxy.lifecycle.preStop.exec.command` | Command for the [preStop lifecycle hook](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/) for HAProxy Pods | `""` | +| `haproxy.lifecycle.postStart.exec.command` | Command for the [postStart lifecycle hook](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/) for HAProxy Pods | `600` | | `haproxy.podDisruptionBudget.maxUnavailable` | Instruct Kubernetes about the failed pods allowed quantity | `1` | | `haproxy.readinessProbes.failureThreshold` | When a probe fails, Kubernetes will try failureThreshold times before giving up | `5` | | `haproxy.readinessProbes.initialDelaySeconds` | Number of seconds after the container has started before liveness or readiness probes are initiated | `15` | 
@@ -160,18 +175,20 @@ The chart can be customized using the following configurable parameters: | | | `proxysql.enabled` | Use ProxySQL as TCP proxy for PXC cluster | `false` | | `proxysql.size` | ProxySQL target pod quantity. Can't even if `allowUnsafeConfigurations` is `true` | `3` | -| `proxysql.image` | ProxySQL Container image | `percona/percona-xtradb-cluster-operator:1.13.0-proxysql` | +| `proxysql.image` | ProxySQL Container image | `percona/percona-xtradb-cluster-operator:1.14.0-proxysql` | | `proxysql.imagePullPolicy` | The policy used to update images | `` | | `proxysql.imagePullSecrets` | ProxySQL Container pull secret | `[]` | | `proxysql.configuration` | User defined ProxySQL options according to ProxySQL configuration file syntax | `` | | `proxysql.priorityClassName` | ProxySQL Pod priority Class defined by user | | | `proxysql.runtimeClassName` | Name of the Kubernetes Runtime Class for ProxySQL Pods | | -| `proxysql.externalTrafficPolicy` | Desire service to route external traffic to node-local or cluster-wide endpoints | | -| `proxysql.loadBalancerSourceRanges` | Limit which client IP's can access the Network Load Balancer | `[]` | -| `proxysql.loadBalancerIP` | The static IP-address for the load balancer | `` | -| `proxysql.serviceType` | Specify what kind of Service you want | `ClusterIP` | -| `proxysql.serviceAnnotations` | Specify service annotations | `{}` | -| `proxysql.serviceLabels` | Specify service labels | `{}` | +| `proxysql.expose.enabled` | Enable or disable exposing `ProxySQL` nodes with dedicated IP addresses | `true` | +| `proxysql.expose.type` | The Kubernetes Service Type used for exposure | `LoadBalancer` | +| `proxysql.expose.externalTrafficPolicy` | Specifies whether Service for ProxySQL nodes should [route external traffic to cluster-wide or to node-local endpoints](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) (it can influence the load balancing 
effectiveness) | `"" | +| `proxysql.expose.internalTrafficPolicy` | Specifies whether Service for ProxySQL nodes should [route internal traffic to cluster-wide or to node-local endpoints](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/) (it can influence the load balancing effectiveness) | `""` | +| `proxysql.expose.loadBalancerSourceRanges` | The range of client IP addresses from which the load balancer should be reachable (if not set, there is no limitations) | `[]` | +| `proxysql.expose.loadBalancerIP` | The static IP-address for the load balancer | `""` | +| `proxysql.expose.annotations` | The Kubernetes annotations for exposed service | `{}` | +| `proxysql.expose.labels` | The Kubernetes labels for exposed service | `{}` | | `proxysql.annotations` | ProxySQL Pod user-defined annotations | `{}` | | `proxysql.labels` | ProxySQL Pod user-defined labels | `{}` | | `proxysql.schedulerName` | The Kubernetes Scheduler | | 
@@ -185,11 +202,14 @@ The chart can be customized using the following configurable parameters: | `proxysql.sidecarPVCs` | ProxySQL Pods sidecar PVCs | `[]` | | `proxysql.sidecarResources.requests` | ProxySQL sidecar resource requests | `{}` | | `proxysql.sidecarResources.limits` | ProxySQL sidecar resource limits | `{}` | -| `proxysql.nodeSelector` | ProxySQL Pods key-value pairs setting for K8S node assingment | `{}` | +| `proxysql.nodeSelector` | ProxySQL Pods key-value pairs setting for K8S node assingment | `{}` | +| `proxysql.topologySpreadConstraints` | The Label selector for the [Kubernetes Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/) | `[]` | | `proxysql.affinity.antiAffinityTopologyKey` | ProxySQL Pods simple scheduling restriction on/off for host, zone, region | `"kubernetes.io/hostname"` | | `proxysql.affinity.advanced` | ProxySQL Pods advanced scheduling restriction with match expression engine | `{}` | | `proxysql.tolerations` | List of node taints to tolerate for ProxySQL Pods | `[]` | | `proxysql.gracePeriod` | Allowed time for graceful shutdown | `600` | +| `proxysql.lifecycle.preStop.exec.command` | Command for the [preStop lifecycle hook](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/) for ProxySQL Pods | `""` | +| `proxysql.lifecycle.postStart.exec.command` | Command for the [postStart lifecycle hook](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/) for ProxySQL Pods | `600` | | `proxysql.podDisruptionBudget.maxUnavailable` | Instruct Kubernetes about the failed pods allowed quantity | `1` | | `proxysql.persistence.enabled` | Requests a persistent storage (`hostPath` or `storageClass`) from K8S for ProxySQL Pods | `true` | | `proxysql.persistence.hostPath` | Sets datadir path on K8S node for all ProxySQL Pods. Available only when `proxysql.persistence.enabled: true` | | 
@@ -200,7 +220,7 @@ The chart can be customized using the following configurable parameters: | `proxysql.podSecurityContext` | A custom Kubernetes Security Context for a Pod to be used instead of the default one | `{}` | | | | `logcollector.enabled` | Enable log collector container | `true` | -| `logcollector.image` | Log collector image repository | `percona/percona-xtradb-cluster-operator:1.13.0-logcollector` | +| `logcollector.image` | Log collector image repository | `percona/percona-xtradb-cluster-operator:1.14.0-logcollector` | | `logcollector.imagePullSecrets` | Log collector pull secret | `[]` | | `logcollector.imagePullPolicy` | The policy used to update images | `` | | `logcollector.configuration` | User defined configuration for logcollector | `` | @@ -209,7 +229,7 @@ The chart can be customized using the following configurable parameters: | | | `pmm.enabled` | Enable integration with [Percona Monitoring and Management software](https://www.percona.com/doc/kubernetes-operator-for-pxc/monitoring.html) | `false` | | `pmm.image.repository` | PMM Container image repository | `percona/pmm-client` | -| `pmm.image.tag` | PMM Container image tag | `2.41.0` | +| `pmm.image.tag` | PMM Container image tag | `2.41.1` | | `pmm.imagePullSecrets` | PMM Container pull secret | `[]` | | `pmm.imagePullPolicy` | The policy used to update images | `` | | `pmm.serverHost` | PMM server related K8S service hostname | `monitoring-service` | 
@@ -218,16 +238,18 @@ The chart can be customized using the following configurable parameters: | `pmm.resources.limits` | PMM Container resource limits | `{}` | | `pmm.pxcParams` | Additional parameters which will be passed to the [pmm-admin add mysql](https://docs.percona.com/percona-monitoring-and-management/setting-up/client/mysql.html#add-service) command for `pxc` Pods | `""` | | `pmm.proxysqlParams` | Additional parameters which will be passed to the [pmm-admin add proxysql](https://docs.percona.com/percona-monitoring-and-management/setting-up/client/proxysql.html) command for `proxysql` Pods | `""` | +| `pmm.containerSecurityContext` | A custom Kubernetes Security Context for a Container to be used instead of the default one | `{}` | | | | `backup.enabled` | Enables backups for PXC cluster | `true` | | `backup.allowParallel` | Allow taking multiple backups in parallel | `true` | -| `backup.image` | Backup Container image | `percona/percona-xtradb-cluster-operator:1.13.0-pxc8.0-backup-pxb8.0.32` | +| `backup.image` | Backup Container image | `percona/percona-xtradb-cluster-operator:1.14.0-pxc8.0-backup-pxb8.0.35` | | `backup.backoffLimit` | The number of retries to make a backup | `10` | | `backup.imagePullSecrets` | Backup Container pull secret | `[]` | | `backup.imagePullPolicy` | The policy used to update images | `` | | `backup.pitr.enabled` | Enable point in time recovery | `false` | | `backup.pitr.storageName` | Storage name for PITR | `s3-us-west-binlogs` | | `backup.pitr.timeBetweenUploads` | Time between uploads for PITR | `60` | +| `backup.pitr.timeoutSeconds` | Timeout in seconds for the binlog to be uploaded; the binlog uploader container will be restarted after exceeding this timeout | `60` | | `backup.pitr.resources.requests` | PITR Container resource requests | `{}` | | `backup.pitr.resources.limits` | PITR Container resource limits | `{}` | | `backup.storages.fs-pvc` | Backups storage configuration, where `storages:` is a high-level key for 
the underlying structure. `fs-pvc` is a user-defined storage name. | | @@ -236,6 +258,11 @@ The chart can be customized using the following configurable parameters: | `backup.storages.fs-pvc.volume.persistentVolumeClaim.accessModes` | Backup PVC access policy | `["ReadWriteOnce"]` | | `backup.storages.fs-pvc.volume.persistentVolumeClaim.resources` | Backup Pod resources specification | `{}` | | `backup.storages.fs-pvc.volume.persistentVolumeClaim.resources.requests.storage` | Backup Pod datadir backups size | `6Gi` | +| `backup.storages.fs-pvc.topologySpreadConstraints` | The Label selector for the [Kubernetes Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/) | `[]` | +| `backup.storages.fs-pvc.containerOptions.env` | Environment variables to add to the backup container | `[]` | +| `backup.storages.fs-pvc.containerOptions.args.xtrabackup` | Additional arguments for xtrabackup | `[]` | +| `backup.storages.fs-pvc.containerOptions.args.xbstream` | Additional arguments for xbstream | `[]` | +| `backup.storages.fs-pvc.containerOptions.args.xbcloud` | Additional arguments for xbcloud | `[]` | | `backup.schedule` | Backup execution timetable | `[]` | | `backup.schedule.0.name` | Backup execution timetable name | `daily-backup` | | `backup.schedule.0.schedule` | Backup execution timetable cron timing | `0 0 * * *` | diff --git a/charts/percona/pxc-db/templates/cluster.yaml b/charts/percona/pxc-db/templates/cluster.yaml index 2d3f137a9..7e94c3697 100644 --- a/charts/percona/pxc-db/templates/cluster.yaml +++ b/charts/percona/pxc-db/templates/cluster.yaml 
@@ -48,10 +48,24 @@ spec: {{- else }} logCollectorSecretName: {{ include "pxc-database.fullname" . }}-log-collector {{- end }} - {{- if .Values.initImage }} - initImage: {{ .Values.initImage }} - {{- else }} - initImage: {{ include "pxc-db.operator-image" . }} + {{- if .Values.initContainer }} + initContainer: + {{- if hasKey .Values.initContainer "image" }} + image: {{ .Values.initContainer.image }} + {{- else }} + image: {{ include "pxc-db.operator-image" . }} + {{- end }} + {{- if .Values.initContainer.resources }} + resources: + {{- if hasKey .Values.initContainer.resources "requests" }} + requests: +{{ tpl (.Values.initContainer.resources.requests | toYaml) $ | indent 8 }} + {{- end }} + {{- if hasKey .Values.initContainer.resources "limits" }} + limits: +{{ tpl (.Values.initContainer.resources.limits | toYaml) $ | indent 8 }} + {{- end }} + {{- end }} {{- end }} {{- if or .Values.allowUnsafeConfigurations .Values.pxc.disableTLS }} allowUnsafeConfigurations: true @@ -139,6 +153,10 @@ spec: {{ tpl ($pxc.sidecarResources.limits | toYaml) $ | indent 8 }} nodeSelector: {{ $pxc.nodeSelector | toYaml | indent 6 }} + {{- if $pxc.topologySpreadConstraints }} + topologySpreadConstraints: +{{ $pxc.topologySpreadConstraints | toYaml | indent 6 }} + {{- end }} affinity: {{ $pxc.affinity | toYaml | indent 6 }} tolerations: @@ -169,6 +187,17 @@ spec: {{- end }} {{- end }} gracePeriod: {{ $pxc.gracePeriod }} + {{- if hasKey $pxc "lifecycle" }} + lifecycle: + {{- if hasKey $pxc.lifecycle "preStop" }} + preStop: + {{- $pxc.lifecycle.preStop | toYaml | nindent 8 }} + {{- end }} + {{- if hasKey $pxc.lifecycle "postStart" }} + postStart: + {{- $pxc.lifecycle.postStart | toYaml | nindent 8 }} + {{- end }} + {{- end }} readinessProbes: {{ tpl ($pxc.readinessProbes | toYaml) $ | indent 6 }} livenessProbes: 
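Review bot: `{{- if hasKey .Values.initContainer "image" }}` tests for the key rather than a value, so the commented example in values.yaml (`image: ""`), once uncommented, renders `image: ""` into the CR instead of falling back to `pxc-db.operator-image`; use `{{- if .Values.initContainer.image }}` so an empty string takes the fallback branch. Unlike the removed `initImage` lines, which always emitted an init image, the new branch emits nothing when `initContainer` is unset, so the image that bootstraps the database pods is now whatever the operator defaults to — worth a sentence in the README or upgrade notes, since anyone pinning the init image for supply-chain reasons has to opt in again. The enclosing `spec:` block starts and ends outside this hunk.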
@@ -210,52 +239,13 @@ spec: {{- if $haproxy.priorityClassName }} priorityClassName: {{ $haproxy.priorityClassName }} {{- end }} - {{- if $haproxy.externalTrafficPolicy }} - externalTrafficPolicy: {{ $haproxy.externalTrafficPolicy }} + {{- if $haproxy.exposePrimary }} + exposePrimary: +{{ tpl ($haproxy.exposePrimary | toYaml) $ | indent 6 }} {{- end }} - {{- if $haproxy.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ $haproxy.loadBalancerSourceRanges | toYaml | indent 6 }} - {{- end }} - {{- if $haproxy.loadBalancerIP }} - loadBalancerIP: {{ $haproxy.loadBalancerIP }} - {{- end }} - {{- if $haproxy.serviceType }} - serviceType: {{ $haproxy.serviceType }} - {{- end }} - replicasServiceEnabled: {{ $haproxy.replicasServiceEnabled }} - {{- if $haproxy.replicasLoadBalancerSourceRanges }} - replicasLoadBalancerSourceRanges: -{{ $haproxy.replicasLoadBalancerSourceRanges | toYaml | indent 6 }} - {{- end }} - {{- if $haproxy.replicasLoadBalancerIP }} - replicasLoadBalancerIP: {{ $haproxy.replicasLoadBalancerIP }} - {{- end }} - {{- if $haproxy.replicasServiceType }} - replicasServiceType: {{ $haproxy.replicasServiceType }} - {{- end }} - {{- if $haproxy.replicasExternalTrafficPolicy }} - replicasExternalTrafficPolicy: {{ $haproxy.replicasExternalTrafficPolicy }} - {{- end }} - {{- if $haproxy.replicasServiceAnnotations }} - replicasServiceAnnotations: -{{ $haproxy.replicasServiceAnnotations | toYaml | indent 6 }} - {{- end }} - {{- if $haproxy.replicasServiceLabels }} - replicasServiceLabels: -{{ $haproxy.replicasServiceLabels | toYaml | indent 6 }} - {{- end }} - {{- if $haproxy.serviceLabels }} - serviceLabels: -{{ $haproxy.serviceLabels | toYaml | indent 6 }} - {{- end }} - {{- if $haproxy.serviceAnnotations }} - serviceAnnotations: -{{ $haproxy.serviceAnnotations | toYaml | indent 6 }} - {{- end }} - {{- if $haproxy.serviceLabels }} - serviceLabels: -{{ $haproxy.serviceLabels | toYaml | indent 6 }} + {{- if $haproxy.exposeReplicas }} + exposeReplicas: +{{ tpl 
($haproxy.exposeReplicas | toYaml) $ | indent 6 }} {{- end }} annotations: {{ $haproxy.annotations | toYaml | indent 6 }} @@ -288,6 +278,10 @@ spec: {{- end }} nodeSelector: {{ $haproxy.nodeSelector | toYaml | indent 6 }} + {{- if $haproxy.topologySpreadConstraints }} + topologySpreadConstraints: +{{ $haproxy.topologySpreadConstraints | toYaml | indent 6 }} + {{- end }} affinity: {{ $haproxy.affinity | toYaml | indent 6 }} tolerations: @@ -297,6 +291,17 @@ spec: volumeSpec: emptyDir: {} gracePeriod: {{ $haproxy.gracePeriod }} + {{- if hasKey $haproxy "lifecycle" }} + lifecycle: + {{- if hasKey $haproxy.lifecycle "preStop" }} + preStop: + {{- $haproxy.lifecycle.preStop | toYaml | nindent 8 }} + {{- end }} + {{- if hasKey $haproxy.lifecycle "postStart" }} + postStart: + {{- $haproxy.lifecycle.postStart | toYaml | nindent 8 }} + {{- end }} + {{- end }} {{- if $haproxy.readinessDelaySec }} readinessDelaySec: {{ $haproxy.readinessDelaySec }} {{- end }} @@ -342,26 +347,9 @@ spec: {{- if $proxysql.priorityClassName }} priorityClassName: {{ $proxysql.priorityClassName }} {{- end }} - {{- if $proxysql.externalTrafficPolicy }} - externalTrafficPolicy: {{ $proxysql.externalTrafficPolicy }} - {{- end }} - {{- if $proxysql.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ $proxysql.loadBalancerSourceRanges | toYaml | indent 6 }} - {{- end }} - {{- if $proxysql.loadBalancerIP }} - loadBalancerIP: {{ $proxysql.loadBalancerIP }} - {{- end }} - {{- if $proxysql.serviceType }} - serviceType: {{ $proxysql.serviceType }} - {{- end }} - {{- if $proxysql.serviceAnnotations }} - serviceAnnotations: -{{ $proxysql.serviceAnnotations | toYaml | indent 6 }} - {{- end }} - {{- if $proxysql.serviceLabels }} - serviceLabels: -{{ $proxysql.serviceLabels | toYaml | indent 6 }} + {{- if $proxysql.expose }} + expose: +{{ tpl ($proxysql.expose | toYaml) $ | indent 6 }} {{- end }} annotations: {{ $proxysql.annotations | toYaml | indent 6 }} 
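Review bot: The removed `haproxy.serviceType`, `haproxy.loadBalancerSourceRanges`, `haproxy.replicasLoadBalancerSourceRanges` and friends are no longer read anywhere in the template, and Helm does not reject unknown values, so an existing values file that restricted the HAProxy LoadBalancer to a CIDR upgrades cleanly and silently loses that restriction (the new `exposePrimary`/`exposeReplicas` maps are only rendered when set). Consider failing fast on the dead keys, e.g. `{{- if or (hasKey $haproxy "serviceType") (hasKey $haproxy "loadBalancerSourceRanges") (hasKey $haproxy "replicasLoadBalancerSourceRanges") }}{{ fail "haproxy.serviceType/loadBalancerSourceRanges/replicas* moved to haproxy.exposePrimary and haproxy.exposeReplicas" }}{{- end }}`, and the same guard for `proxysql.serviceType`/`proxysql.loadBalancerSourceRanges` in the `proxysql.expose` hunk further along this line. The `haproxy:` and `proxysql:` sections of the CR start and end outside these hunks.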
@@ -394,6 +382,10 @@ spec: {{- end }} nodeSelector: {{ $proxysql.nodeSelector | toYaml | indent 6 }} + {{- if $proxysql.topologySpreadConstraints }} + topologySpreadConstraints: +{{ $proxysql.topologySpreadConstraints | toYaml | indent 6 }} + {{- end }} affinity: {{ $proxysql.affinity | toYaml | indent 6 }} tolerations: @@ -424,6 +416,17 @@ spec: {{- end }} {{- end }} gracePeriod: {{ $proxysql.gracePeriod }} + {{- if hasKey $proxysql "lifecycle" }} + lifecycle: + {{- if hasKey $proxysql.lifecycle "preStop" }} + preStop: + {{- $proxysql.lifecycle.preStop | toYaml | nindent 8 }} + {{- end }} + {{- if hasKey $proxysql.lifecycle "postStart" }} + postStart: + {{- $proxysql.lifecycle.postStart | toYaml | nindent 8 }} + {{- end }} + {{- end }} {{- if $proxysql.containerSecurityContext }} containerSecurityContext: {{ tpl ($proxysql.containerSecurityContext | toYaml) $ | indent 6 }} @@ -516,6 +519,7 @@ spec: enabled: true storageName: {{ $backup.pitr.storageName }} timeBetweenUploads: {{ $backup.pitr.timeBetweenUploads }} + timeoutSeconds: {{ $backup.pitr.timeoutSeconds }} resources: requests: {{ tpl ($backup.pitr.resources.requests | toYaml) $ | indent 10 }} diff --git a/charts/percona/pxc-db/values.yaml b/charts/percona/pxc-db/values.yaml index 3d4d90a96..55b65c80f 100644 --- a/charts/percona/pxc-db/values.yaml +++ b/charts/percona/pxc-db/values.yaml @@ -19,13 +19,21 @@ annotations: {} operatorImageRepository: percona/percona-xtradb-cluster-operator -crVersion: 1.13.0 +crVersion: 1.14.0 ignoreAnnotations: [] # - iam.amazonaws.com/role ignoreLabels: [] # - rack pause: false -initImage: "" +# initContainer: +# image: "" +# resources: +# requests: +# memory: 100M +# cpu: 100m +# limits: +# memory: 200M +# cpu: 200m allowUnsafeConfigurations: false updateStrategy: SmartUpdate upgradeOptions: 
@@ -53,11 +61,15 @@ pxc: # expose: # enabled: true # type: LoadBalancer - # trafficPolicy: Local + # externalTrafficPolicy: Local + # internalTrafficPolicy: Local # loadBalancerSourceRanges: # - 10.0.0.0/8 + # loadBalancerIP: 127.0.0.1 # annotations: # networking.gke.io/load-balancer-type: "Internal" + # labels: + # rack: rack-22 # replicationChannels: # - name: pxc1_to_pxc2 # isSource: true @@ -105,6 +117,13 @@ pxc: limits: {} nodeSelector: {} # disktype: ssd + # topologySpreadConstraints: + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: percona-xtradb-cluster-operator + # maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule affinity: antiAffinityTopologyKey: "kubernetes.io/hostname" # advanced: @@ -123,6 +142,13 @@ pxc: # effect: "NoExecute" # tolerationSeconds: 6000 gracePeriod: 600 + # lifecycle: + # preStop: + # exec: + # command: [ "/bin/true" ] + # postStart: + # exec: + # command: [ "/bin/true" ] podDisruptionBudget: # only one of maxUnavailable or minAvaliable can be set maxUnavailable: 1 @@ -198,6 +224,9 @@ haproxy: # timeout connect 100500 # timeout server 28800s # +# resolvers kubernetes +# parse-resolv-conf +# # frontend galera-in # bind *:3309 accept-proxy # bind *:3306 
@@ -232,26 +261,7 @@ haproxy: # iam.amazonaws.com/role: role-arn labels: {} # rack: rack-22 - # serviceType: ClusterIP - # externalTrafficPolicy: Cluster # runtimeClassName: image-rc - # loadBalancerSourceRanges: - # - 10.0.0.0/8 - # loadBalancerIP: 127.0.0.1 - # serviceAnnotations: - # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - # serviceLabels: - # rack: rack-23 - replicasServiceEnabled: true - # replicasLoadBalancerSourceRanges: - # - 10.0.0.0/8 - # replicasLoadBalancerIP: 127.0.0.1 - # replicasServiceType: ClusterIP - # replicasExternalTrafficPolicy: Cluster - # replicasServiceAnnotations: - # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - # replicasServiceLabels: - # rack: rack-23 # priorityClassName: high-priority # schedulerName: mycustom-scheduler readinessDelaySec: 15 @@ -273,6 +283,13 @@ haproxy: nodeSelector: {} # disktype: ssd # serviceAccountName: percona-xtradb-cluster-operator-workload + # topologySpreadConstraints: + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: percona-xtradb-cluster-operator + # maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule affinity: antiAffinityTopologyKey: "kubernetes.io/hostname" # advanced: @@ -291,6 +308,13 @@ haproxy: # effect: "NoExecute" # tolerationSeconds: 6000 gracePeriod: 30 + # lifecycle: + # preStop: + # exec: + # command: [ "/bin/true" ] + # postStart: + # exec: + # command: [ "/bin/true" ] # only one of `maxUnavailable` or `minAvailable` can be set. podDisruptionBudget: maxUnavailable: 1 
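Review bot: `replicasServiceEnabled: true` was an active (uncommented) default, whereas its replacement `exposeReplicas` block is added later in this file commented out, so after the upgrade the haproxy-replicas Service is created only if the operator does so by default — that is a behaviour change the values file should state rather than leave to the reader. Since Helm silently accepts the removed keys in a user's values file, a pointer here such as `# NOTE: serviceType/loadBalancerSourceRanges/replicas* were replaced by exposePrimary/exposeReplicas below; old keys are ignored` would help anyone migrating a CIDR restriction notice it has stopped applying. The `haproxy:` section continues outside this hunk.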
@@ -307,6 +331,30 @@ haproxy: periodSeconds: 30 successThreshold: 1 failureThreshold: 4 + # exposePrimary: + # enabled: false + # type: ClusterIP + # annotations: + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + # externalTrafficPolicy: Cluster + # internalTrafficPolicy: Cluster + # labels: + # rack: rack-22 + # loadBalancerSourceRanges: + # - 10.0.0.0/8 + # loadBalancerIP: 127.0.0.1 + # exposeReplicas: + # enabled: false + # type: ClusterIP + # annotations: + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + # externalTrafficPolicy: Cluster + # internalTrafficPolicy: Cluster + # labels: + # rack: rack-22 + # loadBalancerSourceRanges: + # - 10.0.0.0/8 + # loadBalancerIP: 127.0.0.1 # A custom Kubernetes Security Context for a Container to be used instead of the default one # containerSecurityContext: # privileged: false @@ -378,16 +426,19 @@ proxysql: # iam.amazonaws.com/role: role-arn labels: {} # rack: rack-22 - # serviceType: ClusterIP - # externalTrafficPolicy: Cluster # runtimeClassName: image-rc - # loadBalancerSourceRanges: - # - 10.0.0.0/8 - # loadBalancerIP: 127.0.0.1 - # serviceAnnotations: - # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - # serviceLabels: - # rack: rack-23 + # expose: + # enabled: false + # type: ClusterIP + # annotations: + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + # externalTrafficPolicy: Cluster + # internalTrafficPolicy: Cluster + # labels: + # rack: rack-22 + # loadBalancerSourceRanges: + # - 10.0.0.0/8 + # loadBalancerIP: 127.0.0.1 # priorityClassName: high-priority # schedulerName: mycustom-scheduler readinessDelaySec: 15 
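Review bot: The commented examples show `exposePrimary.enabled: false` / `type: ClusterIP`, while the pxc-db README in this same change documents the defaults as `true` / `LoadBalancer`; because the template emits the map only when it is set, the effective default is the operator's, and a reader cannot tell from the chart whether HAProxy lands on a cloud LoadBalancer with an empty `loadBalancerSourceRanges` (which the README says means no restriction). State the effective default in both places, e.g. `# exposePrimary:  # omitted -> operator default; set type and loadBalancerSourceRanges explicitly before exposing outside the cluster`. The `loadBalancerIP: 127.0.0.1` example is a loopback address and cannot be a usable LB address; a placeholder like `10.0.0.100` is less likely to be copied as-is. The same applies to the `proxysql.expose` example in the second hunk on this line.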
@@ -408,6 +459,13 @@ proxysql: limits: {} nodeSelector: {} # disktype: ssd + # topologySpreadConstraints: + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: percona-xtradb-cluster-operator + # maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule # serviceAccountName: percona-xtradb-cluster-operator-workload affinity: antiAffinityTopologyKey: "kubernetes.io/hostname" @@ -427,6 +485,13 @@ proxysql: # effect: "NoExecute" # tolerationSeconds: 6000 gracePeriod: 30 + # lifecycle: + # preStop: + # exec: + # command: [ "/bin/true" ] + # postStart: + # exec: + # command: [ "/bin/true" ] # only one of `maxUnavailable` or `minAvailable` can be set. podDisruptionBudget: maxUnavailable: 1 @@ -482,6 +547,8 @@ pmm: serverUser: admin # pxcParams: "--disable-tablestats-limit=2000" # proxysqlParams: "--custom-labels=CUSTOM-LABELS" + # containerSecurityContext: + # privileged: false resources: requests: memory: 150M @@ -493,7 +560,7 @@ backup: # allowParallel: true image: repository: percona/percona-xtradb-cluster-operator - tag: 1.13.0-pxc8.0-backup-pxb8.0.32 + tag: 1.14.0-pxc8.0-backup-pxb8.0.35 # backoffLimit: 6 # serviceAccountName: percona-xtradb-cluster-operator # imagePullPolicy: Always @@ -503,6 +570,7 @@ backup: enabled: false storageName: s3-us-west-binlogs timeBetweenUploads: 60 + timeoutSeconds: 60 resources: requests: {} limits: {} @@ -526,6 +594,13 @@ backup: # requests: # memory: 1G # cpu: 600m + # topologySpreadConstraints: + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: percona-xtradb-cluster-operator + # maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule # affinity: # nodeAffinity: # requiredDuringSchedulingIgnoredDuringExecution: 
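Review bot: `pmm.containerSecurityContext` is introduced here and in the README, but none of the cluster.yaml hunks in this change render it under the `pmm:` section (the visible template hunks touch pxc, haproxy, proxysql and backup only), so unless it is wired up outside the shown hunks the value is silently dropped and the PMM client keeps the operator's default security context — the opposite of what someone setting it expects. If it is indeed unwired, add the `containerSecurityContext:` passthrough to the `pmm:` section of cluster.yaml in the same style as `{{ tpl ($proxysql.containerSecurityContext | toYaml) $ | indent 6 }}`. The example `# privileged: false` is also a weak illustration since it is already the default; `# allowPrivilegeEscalation: false` or `# readOnlyRootFilesystem: true` would show a real hardening use.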
@@ -551,6 +626,17 @@ backup: # podSecurityContext: # fsGroup: 1001 # supplementalGroups: [1001, 1002, 1003] + # containerOptions: + # env: + # - name: VERIFY_TLS + # value: "false" + # args: + # xtrabackup: + # - "--someflag=abc" + # xbcloud: + # - "--someflag=abc" + # xbstream: + # - "--someflag=abc" # s3: # bucket: S3-BACKUP-BUCKET-NAME-HERE # # Use credentialsSecret OR credentialsAccessKey/credentialsSecretKey diff --git a/charts/percona/pxc-operator/Chart.yaml b/charts/percona/pxc-operator/Chart.yaml index 937c9f737..5f1f33aa6 100644 --- a/charts/percona/pxc-operator/Chart.yaml +++ b/charts/percona/pxc-operator/Chart.yaml @@ -5,7 +5,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21-0' catalog.cattle.io/release-name: pxc-operator apiVersion: v2 -appVersion: 1.13.0 +appVersion: 1.14.0 description: A Helm chart for deploying the Percona Operator for MySQL (based on Percona XtraDB Cluster) home: https://docs.percona.com/percona-operator-for-mysql/pxc/ @@ -18,4 +18,4 @@ maintainers: - email: sergey.pronin@percona.com name: spron-in name: pxc-operator -version: 1.13.5 +version: 1.14.0 diff --git a/charts/percona/pxc-operator/README.md b/charts/percona/pxc-operator/README.md index 1c465b742..cf24d5940 100644 --- a/charts/percona/pxc-operator/README.md +++ b/charts/percona/pxc-operator/README.md @@ -7,7 +7,7 @@ Useful links * [Operator Documentation](https://www.percona.com/doc/kubernetes-operator-for-pxc/index.html) ## Pre-requisites -* Kubernetes 1.23+ +* Kubernetes 1.24+ * Helm v3 # Installation 
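Review bot: The `containerOptions.env` example `- name: VERIFY_TLS` / `value: "false"` teaches users to switch off TLS certificate verification (presumably for xbcloud uploads), and examples in values.yaml get copied verbatim; that removes the only in-transit protection for the backup data and the storage credentials. Use a neutral example variable, or keep the name with an explicit warning: `# - name: VERIFY_TLS  # only for self-signed test endpoints - disables certificate checks on uploads` and `#   value: "false"`. The `args.xtrabackup`/`xbstream`/`xbcloud` lists are passed to the backup tools unvalidated, which is acceptable for admin-controlled values but deserves a one-line comment saying they are appended as-is. The `backup.storages` example block starts outside this hunk.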
@@ -19,14 +19,14 @@ To install the chart with the `pxc` release name using a dedicated namespace (re
 ```sh
 helm repo add percona https://percona.github.io/percona-helm-charts/
-helm install my-operator percona/pxc-operator --version 1.13.0 --namespace my-namespace
+helm install my-operator percona/pxc-operator --version 1.14.0 --namespace my-namespace
 ```
 The chart can be customized using the following configurable parameters:
 | Parameter | Description | Default |
 | ------------------------------- | -----------------------------------------------------------------------------------------------| -------------------------------------------------|
-| `image` | PXC Operator Container image full path | `percona/percona-xtradb-cluster-operator:1.13.0` |
+| `image` | PXC Operator Container image full path | `percona/percona-xtradb-cluster-operator:1.14.0` |
 | `imagePullPolicy` | PXC Operator Container pull policy | `Always` |
 | `containerSecurityContext` | PXC Operator Container securityContext | `{}` |
 | `imagePullSecrets` | PXC Operator Pod pull secret | `[]` |
diff --git a/charts/percona/pxc-operator/crds/crd.yaml b/charts/percona/pxc-operator/crds/crd.yaml
index 2b6563843..8cb8b233c 100644
--- a/charts/percona/pxc-operator/crds/crd.yaml
+++ b/charts/percona/pxc-operator/crds/crd.yaml
@@ -57,6 +57,84 @@ spec: type: string spec: properties: + containerOptions: + properties: + args: + properties: + xbcloud: + items: + type: string + type: array + xbstream: + items: + type: string + type: array + xtrabackup: + items: + type: string + type: array + type: object + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + type: object pxcCluster: type: string storageName: @@ -121,6 +199,9 @@ spec: lastscheduled: format: date-time type: string + latestRestorableTime: + format: date-time + type: string s3: properties: bucket: @@ -267,6 +348,9 @@ spec: lastscheduled: format: date-time type: string + latestRestorableTime: + format: date-time + type: string s3: properties: bucket: 
@@ -293,6 +377,84 @@ spec: verifyTLS: type: boolean type: object + containerOptions: + properties: + args: + properties: + xbcloud: + items: + type: string + type: array + xbstream: + items: + type: string + type: array + xtrabackup: + items: + type: string + type: array + type: object + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + type: object pitr: properties: backupSource: @@ -354,6 +516,9 @@ spec: lastscheduled: format: date-time type: string + latestRestorableTime: + format: date-time + type: string s3: properties: bucket: @@ -852,6 +1017,8 @@ spec: type: string timeBetweenUploads: type: number + timeoutSeconds: + type: number type: object schedule: items: @@ -864,6 +1031,10 @@ spec: type: string storageName: type: string + required: + - name + - schedule + - storageName type: object type: array serviceAccountName: 
@@ -994,6 +1165,16 @@ spec: type: string type: object type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -1060,6 +1241,16 @@ spec: type: string type: object type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -1124,6 +1315,16 @@ spec: type: string type: object type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -1190,6 +1391,16 @@ spec: type: string type: object type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: 
@@ -1240,6 +1451,84 @@ spec: storageClass: type: string type: object + containerOptions: + properties: + args: + properties: + xbcloud: + items: + type: string + type: array + xbstream: + items: + type: string + type: array + xtrabackup: + items: + type: string + type: array + type: object + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + type: object containerSecurityContext: properties: allowPrivilegeEscalation: 
@@ -1437,6 +1726,57 @@ spec: type: string type: object type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: type: string verifyTLS: @@ -1497,18 +1837,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -1551,6 +1879,8 @@ spec: type: object storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: @@ -1691,6 +2021,16 @@ spec: type: string type: object type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -1757,6 +2097,16 @@ spec: type: string type: object type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: 
@@ -1821,6 +2171,16 @@ spec: type: string type: object type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -1887,6 +2247,16 @@ spec: type: string type: object type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -1996,6 +2366,60 @@ spec: type: boolean envVarsSecret: type: string + exposePrimary: + properties: + annotations: + additionalProperties: + type: string + type: object + enabled: + type: boolean + externalTrafficPolicy: + type: string + internalTrafficPolicy: + type: string + labels: + additionalProperties: + type: string + type: object + loadBalancerIP: + type: string + loadBalancerSourceRanges: + items: + type: string + type: array + trafficPolicy: + type: string + type: + type: string + type: object + exposeReplicas: + properties: + annotations: + additionalProperties: + type: string + type: object + enabled: + type: boolean + externalTrafficPolicy: + type: string + internalTrafficPolicy: + type: string + labels: + additionalProperties: + type: string + type: object + loadBalancerIP: + type: string + loadBalancerSourceRanges: + items: + type: string + type: array + trafficPolicy: + type: string + type: + type: string + type: object externalTrafficPolicy: type: string forceUnsafeBootstrap: 
@@ -2020,6 +2444,125 @@ spec: additionalProperties: type: string type: object + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object livenessDelaySec: format: int32 type: integer @@ -2381,18 +2924,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -2435,6 +2966,8 @@ spec: type: object storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: @@ -2446,6 +2979,11 @@ spec: items: type: string type: array + allocatedResourceStatuses: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular allocatedResources: additionalProperties: anyOf: @@ -2484,9 +3022,18 @@ spec: - type type: object type: array - phase: + currentVolumeAttributesClassName: type: string - resizeStatus: + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object + phase: type: string type: object type: object @@ -2745,18 +3292,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2799,6 +3334,8 @@ spec: type: object storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: @@ -2985,6 +3522,42 @@ spec: sources: items: properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object configMap: properties: items: @@ -3351,6 +3924,14 @@ spec: required: - port type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object tcpSocket: properties: host: 
@@ -3401,6 +3982,14 @@ spec: required: - port type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object tcpSocket: properties: host: @@ -3641,6 +4230,8 @@ spec: x-kubernetes-int-or-string: true type: object type: object + restartPolicy: + type: string securityContext: properties: allowPrivilegeEscalation: @@ -3851,6 +4442,57 @@ spec: type: string type: object type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array vaultSecretName: type: string volumeSpec: @@ -3909,18 +4551,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -3963,6 +4593,8 @@ spec: type: object storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: 
@@ -3978,6 +4610,42 @@ spec: items: type: string type: array + initContainer: + properties: + image: + type: string + resources: + properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + type: object initImage: type: string logCollectorSecretName: @@ -4331,6 +4999,16 @@ spec: type: string type: object type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -4397,6 +5075,16 @@ spec: type: string type: object type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -4461,6 +5149,16 @@ spec: type: string type: object type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: 
@@ -4527,6 +5225,16 @@ spec: type: string type: object type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -4636,6 +5344,33 @@ spec: type: boolean envVarsSecret: type: string + expose: + properties: + annotations: + additionalProperties: + type: string + type: object + enabled: + type: boolean + externalTrafficPolicy: + type: string + internalTrafficPolicy: + type: string + labels: + additionalProperties: + type: string + type: object + loadBalancerIP: + type: string + loadBalancerSourceRanges: + items: + type: string + type: array + trafficPolicy: + type: string + type: + type: string + type: object externalTrafficPolicy: type: string forceUnsafeBootstrap: 
@@ -4660,6 +5395,125 @@ spec: additionalProperties: type: string type: object + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object livenessDelaySec: format: int32 type: integer @@ -5013,18 +5867,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -5067,6 +5909,8 @@ spec: type: object storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: @@ -5078,6 +5922,11 @@ spec: items: type: string type: array + allocatedResourceStatuses: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular allocatedResources: additionalProperties: anyOf: @@ -5116,9 +5965,18 @@ spec: - type type: object type: array - phase: + currentVolumeAttributesClassName: type: string - resizeStatus: + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object + phase: type: string type: object type: object @@ -5377,18 +6235,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -5431,6 +6277,8 @@ spec: type: object storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: @@ -5617,6 +6465,42 @@ spec: sources: items: properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object configMap: properties: items: @@ -5983,6 +6867,14 @@ spec: required: - port type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object tcpSocket: properties: host: 
@@ -6033,6 +6925,14 @@ spec: required: - port type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object tcpSocket: properties: host: @@ -6273,6 +7173,8 @@ spec: x-kubernetes-int-or-string: true type: object type: object + restartPolicy: + type: string securityContext: properties: allowPrivilegeEscalation: @@ -6483,6 +7385,57 @@ spec: type: string type: object type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array vaultSecretName: type: string volumeSpec: @@ -6541,18 +7494,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -6595,6 +7536,8 @@ spec: type: object storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: @@ -6729,6 +7672,16 @@ spec: type: string type: object type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: 
@@ -6795,6 +7748,16 @@ spec: type: string type: object type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -6859,6 +7822,16 @@ spec: type: string type: object type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -6925,6 +7898,16 @@ spec: type: string type: object type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -7044,6 +8027,16 @@ spec: type: object enabled: type: boolean + externalTrafficPolicy: + type: string + internalTrafficPolicy: + type: string + labels: + additionalProperties: + type: string + type: object + loadBalancerIP: + type: string loadBalancerSourceRanges: items: type: string 
@@ -7077,6 +8070,125 @@ spec: additionalProperties: type: string type: object + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object livenessDelaySec: format: int32 type: integer @@ -7463,18 +8575,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -7517,6 +8617,8 @@ spec: type: object storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: @@ -7528,6 +8630,11 @@ spec: items: type: string type: array + allocatedResourceStatuses: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular allocatedResources: additionalProperties: anyOf: @@ -7566,9 +8673,18 @@ spec: - type type: object type: array - phase: + currentVolumeAttributesClassName: type: string - resizeStatus: + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object + phase: type: string type: object type: object @@ -7827,18 +8943,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -7881,6 +8985,8 @@ spec: type: object storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: @@ -8067,6 +9173,42 @@ spec: sources: items: properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object configMap: properties: items: @@ -8433,6 +9575,14 @@ spec: required: - port type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object tcpSocket: properties: host: 
@@ -8483,6 +9633,14 @@ spec: required: - port type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object tcpSocket: properties: host: @@ -8723,6 +9881,8 @@ spec: x-kubernetes-int-or-string: true type: object type: object + restartPolicy: + type: string securityContext: properties: allowPrivilegeEscalation: @@ -8933,6 +10093,57 @@ spec: type: string type: object type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array vaultSecretName: type: string volumeSpec: @@ -8991,18 +10202,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -9045,6 +10244,8 @@ spec: type: object storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: diff --git a/charts/redpanda/redpanda/.helmignore b/charts/redpanda/redpanda/.helmignore index 04ecd888b..d7883b5fc 100644 --- a/charts/redpanda/redpanda/.helmignore +++ b/charts/redpanda/redpanda/.helmignore @@ -22,3 +22,5 @@ README.md.gotmpl .idea/ *.tmproj .vscode/ + +*.go 
diff --git a/charts/redpanda/redpanda/Chart.lock b/charts/redpanda/redpanda/Chart.lock
index 563d23d03..edf6b52b7 100644
--- a/charts/redpanda/redpanda/Chart.lock
+++ b/charts/redpanda/redpanda/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: console
 repository: https://charts.redpanda.com
- version: 0.7.20
+ version: 0.7.24
 - name: connectors
 repository: https://charts.redpanda.com
- version: 0.1.9
-digest: sha256:86c88cb3979c06e3a1f7d7fe7c10a97404406b462ba8bbd44459e946fc42b228
-generated: "2024-02-20T17:00:13.264298798Z"
+ version: 0.1.10
+digest: sha256:9705ddcac0c386a44d8fa28cff078e52e0277f81e70db1c5c772303dcfb2ce69
+generated: "2024-03-13T15:41:09.286245943Z"
diff --git a/charts/redpanda/redpanda/Chart.yaml b/charts/redpanda/redpanda/Chart.yaml
index b7e24e4b5..0972c364e 100644
--- a/charts/redpanda/redpanda/Chart.yaml
+++ b/charts/redpanda/redpanda/Chart.yaml
@@ -1,7 +1,7 @@
 annotations:
 artifacthub.io/images: |
 - name: redpanda
- image: docker.redpanda.com/redpandadata/redpanda:v23.3.5
+ image: docker.redpanda.com/redpandadata/redpanda:v23.3.7
 - name: busybox
 image: busybox:latest
 - name: mintel/docker-alpine-bash-curl-jq
@@ -17,7 +17,7 @@ annotations:
 catalog.cattle.io/kube-version: '>=1.21-0'
 catalog.cattle.io/release-name: redpanda
 apiVersion: v2
-appVersion: v23.3.5
+appVersion: v23.3.7
 dependencies:
 - condition: console.enabled
 name: console
@@ -37,4 +37,4 @@ name: redpanda
 sources:
 - https://github.com/redpanda-data/helm-charts
 type: application
-version: 5.7.25
+version: 5.7.34
diff --git a/charts/redpanda/redpanda/README.md b/charts/redpanda/redpanda/README.md
index 5f609b6cb..3ab32dfa1 100644
--- a/charts/redpanda/redpanda/README.md
+++ b/charts/redpanda/redpanda/README.md
@@ -3,7 +3,7 @@ description: Find the default values and descriptions of settings in the Redpanda Helm chart. --- -![Version: 5.7.22](https://img.shields.io/badge/Version-5.7.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v23.3.4](https://img.shields.io/badge/AppVersion-v23.3.4-informational?style=flat-square) +![Version: 5.7.33](https://img.shields.io/badge/Version-5.7.33-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v23.3.6](https://img.shields.io/badge/AppVersion-v23.3.6-informational?style=flat-square) This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/values.yaml). Each of the settings is listed and described on this page, along with any default values. @@ -1121,6 +1121,10 @@ To disable dynamic provisioning, set to "-". If undefined or empty (default), th **Default:** `""` +### [tests.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tests.enabled) + +**Default:** `true` + ### [tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls) TLS settings. For details, see the [TLS documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/kubernetes-tls/). diff --git a/charts/redpanda/redpanda/charts/connectors/Chart.yaml b/charts/redpanda/redpanda/charts/connectors/Chart.yaml index b5714c7c5..a989cc5ef 100644 --- a/charts/redpanda/redpanda/charts/connectors/Chart.yaml +++ b/charts/redpanda/redpanda/charts/connectors/Chart.yaml @@ -22,4 +22,4 @@ name: connectors sources: - https://github.com/redpanda-data/helm-charts type: application -version: 0.1.9 +version: 0.1.10 
diff --git a/charts/redpanda/redpanda/charts/connectors/README.md b/charts/redpanda/redpanda/charts/connectors/README.md index d8d47dab7..f8f8193a9 100644 --- a/charts/redpanda/redpanda/charts/connectors/README.md +++ b/charts/redpanda/redpanda/charts/connectors/README.md @@ -3,14 +3,14 @@ description: Find the default values and descriptions of settings in the Redpanda Connectors Helm chart. --- -![Version: 0.1.9](https://img.shields.io/badge/Version-0.1.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.6](https://img.shields.io/badge/AppVersion-v1.0.6-informational?style=flat-square) +![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.6](https://img.shields.io/badge/AppVersion-v1.0.6-informational?style=flat-square) This page describes the official Redpanda Connectors Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/connectors/values.yaml). Each of the settings is listed and described on this page, along with any default values. For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/current/deploy/deployment-option/self-hosted/kubernetes/k-deploy-connectors/). ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) +Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3) ## Source Code 
diff --git a/charts/redpanda/redpanda/charts/connectors/ci/02-broker-tls-values.yaml b/charts/redpanda/redpanda/charts/connectors/ci/02-broker-tls-values.yaml new file mode 100644 index 000000000..42f0ebc17 --- /dev/null +++ b/charts/redpanda/redpanda/charts/connectors/ci/02-broker-tls-values.yaml @@ -0,0 +1,28 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +connectors: + bootstrapServers: "redpanda-0.redpanda.redpanda.svc.cluster.local.:9093,redpanda-1.redpanda.redpanda.svc.cluster.local.:9093,redpanda-2.redpanda.redpanda.svc.cluster.local.:9093" + brokerTLS: + enabled: true + ca: + secretRef: redpanda-default-cert + cert: + secretRef: redpanda-default-cert + key: + secretRef: redpanda-default-cert + +logging: + level: trace diff --git a/charts/redpanda/redpanda/charts/connectors/templates/deployment.yaml b/charts/redpanda/redpanda/charts/connectors/templates/deployment.yaml index ecf79b01c..5efcfaac6 100644 --- a/charts/redpanda/redpanda/charts/connectors/templates/deployment.yaml +++ b/charts/redpanda/redpanda/charts/connectors/templates/deployment.yaml 
@@ -242,13 +242,13 @@ spec: secretName: {{ .Values.connectors.brokerTLS.ca.secretRef }} {{- end }} {{- if .Values.connectors.brokerTLS.cert.secretRef }} - - name: truststore + - name: cert secret: defaultMode: 0o444 secretName: {{ .Values.connectors.brokerTLS.cert.secretRef }} {{- end }} {{- if .Values.connectors.brokerTLS.key.secretRef }} - - name: truststore + - name: key secret: defaultMode: 0o444 secretName: {{ .Values.connectors.brokerTLS.key.secretRef }} diff --git a/charts/redpanda/redpanda/charts/connectors/templates/tests/01-mm2-values.yaml b/charts/redpanda/redpanda/charts/connectors/templates/tests/01-mm2-values.yaml index 8aae0e858..44dd20520 100644 --- a/charts/redpanda/redpanda/charts/connectors/templates/tests/01-mm2-values.yaml +++ b/charts/redpanda/redpanda/charts/connectors/templates/tests/01-mm2-values.yaml @@ -143,6 +143,12 @@ spec: curl {{ template "curl-options" . }} -H 'Content-Type: application/json' http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors -d @/tmp/mm2-conf.json + # The rpk topic consume could fail for the first few times as kafka connect needs + # to spawn the task and copy one message from the source topic. To solve this race condition + # the retry should be implemented in bash for rpk topic consume or other mechanism that + # can confirm source connectors started its execution. As a fast fix fixed 30 second fix is added. + sleep 30 + rpk topic consume source.test-topic -n 1 | grep "Test message!" curl {{ template "curl-options" . }} -X DELETE http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME diff --git a/charts/redpanda/redpanda/charts/console/Chart.yaml b/charts/redpanda/redpanda/charts/console/Chart.yaml index cdc37444f..67f9a2508 100644 --- a/charts/redpanda/redpanda/charts/console/Chart.yaml +++ b/charts/redpanda/redpanda/charts/console/Chart.yaml 
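Review bot: The `key` volume that replaces the second `truststore` entry still carries `defaultMode: 0o444`, which leaves the broker client's private key readable by every uid in the pod, including any sidecar or extra container sharing the mount. The rename itself is needed — two volumes named `truststore` would have been rejected by the API server — but a private key only has to be readable by the connectors process, so `defaultMode: 0o440` (or `0o400` when the container's runAsUser owns the file) is the safer setting for this one volume; the pod's securityContext/fsGroup is outside the hunk, so confirm the process would still be able to read it before tightening. The `ca` and `cert` volumes hold public material and can stay at 0o444.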
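Review bot: The fixed `sleep 30` inserted before `rpk topic consume` swaps one race for a slower, still-flaky test: a connector that takes longer than 30 s fails exactly as before, and a fast one wastes the full wait. A bounded poll gives the guarantee the comment asks for without guessing the delay, for example `timeout 60 sh -c 'until rpk topic consume source.test-topic -n 1 | grep -q "Test message!"; do sleep 2; done'` in place of the `sleep 30` and the `rpk topic consume ... | grep` line that follows it; `timeout` comes from coreutils/busybox, so confirm the test image ships it. The enclosing test script starts before the hunk.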
@@ -1,7 +1,7 @@ annotations: artifacthub.io/images: | - name: redpanda - image: docker.redpanda.com/redpandadata/console:v2.4.3 + image: docker.redpanda.com/redpandadata/console:v2.4.5 artifacthub.io/license: Apache-2.0 artifacthub.io/links: | - name: Documentation @@ -9,7 +9,7 @@ annotations: - name: "Helm (>= 3.6.0)" url: https://helm.sh/docs/intro/install/ apiVersion: v2 -appVersion: v2.4.3 +appVersion: v2.4.5 description: Helm chart to deploy Redpanda Console. icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg maintainers: @@ -19,4 +19,4 @@ name: console sources: - https://github.com/redpanda-data/helm-charts type: application -version: 0.7.20 +version: 0.7.24 diff --git a/charts/redpanda/redpanda/charts/console/README.md b/charts/redpanda/redpanda/charts/console/README.md index 2d00c5371..4a5ebb073 100644 --- a/charts/redpanda/redpanda/charts/console/README.md +++ b/charts/redpanda/redpanda/charts/console/README.md 
@@ -3,7 +3,7 @@ description: Find the default values and descriptions of settings in the Redpanda Console Helm chart. --- -![Version: 0.7.15](https://img.shields.io/badge/Version-0.7.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.3.8](https://img.shields.io/badge/AppVersion-v2.3.8-informational?style=flat-square) +![Version: 0.7.21](https://img.shields.io/badge/Version-0.7.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.4.3](https://img.shields.io/badge/AppVersion-v2.4.3-informational?style=flat-square) This page describes the official Redpanda Console Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/console/values.yaml). Each of the settings is listed and described on this page, along with any default values. @@ -13,7 +13,7 @@ For instructions on how to install and use the chart, refer to the [deployment d For instructions on how to override and customize the chart’s values, see [Configure Redpanda Console](https://docs.redpanda.com/docs/manage/kubernetes/configure-helm-chart/#configure-redpanda-console). ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3) +Autogenerated from chart metadata using [helm-docs v1.11.2](https://github.com/norwoodj/helm-docs/releases/v1.11.2) ## Source Code 
@@ -21,51 +21,51 @@ Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/n ## Settings -### [affinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=affinity) +### [affinity](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=affinity) **Default:** `{}` -### [annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=annotations) +### [annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=annotations) Annotations to add to the deployment. **Default:** `{}` -### [autoscaling.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=autoscaling.enabled) +### [autoscaling.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.enabled) **Default:** `false` -### [autoscaling.maxReplicas](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=autoscaling.maxReplicas) +### [autoscaling.maxReplicas](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.maxReplicas) **Default:** `100` -### [autoscaling.minReplicas](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=autoscaling.minReplicas) +### [autoscaling.minReplicas](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.minReplicas) **Default:** `1` -### [autoscaling.targetCPUUtilizationPercentage](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=autoscaling.targetCPUUtilizationPercentage) +### [autoscaling.targetCPUUtilizationPercentage](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.targetCPUUtilizationPercentage) **Default:** `80` -### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=commonLabels) +### 
[commonLabels](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=commonLabels) **Default:** `{}` -### [configmap.create](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=configmap.create) +### [configmap.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=configmap.create) **Default:** `true` -### [console.config](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=console.config) +### [console.config](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=console.config) Settings for the `Config.yaml` (required). For a reference of configuration settings, see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). **Default:** `{}` -### [deployment.create](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=deployment.create) +### [deployment.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=deployment.create) **Default:** `true` -### [enterprise](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise) +### [enterprise](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=enterprise) Settings for license key, as an alternative to secret.enterprise when a license secret is available 
@@ -75,43 +75,43 @@ Settings for license key, as an alternative to secret.enterprise when a license {"licenseSecretRef":{"key":"","name":""}} ``` -### [extraContainers](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=extraContainers) +### [extraContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraContainers) Add additional containers, such as for oauth2-proxy. **Default:** `[]` -### [extraEnv](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=extraEnv) +### [extraEnv](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraEnv) Additional environment variables for the Redpanda Console Deployment. **Default:** `[]` -### [extraEnvFrom](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=extraEnvFrom) +### [extraEnvFrom](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraEnvFrom) Additional environment variables for Redpanda Console mapped from Secret or ConfigMap. **Default:** `[]` -### [extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=extraVolumeMounts) +### [extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraVolumeMounts) Add additional volume mounts, such as for TLS keys. **Default:** `[]` -### [extraVolumes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=extraVolumes) +### [extraVolumes](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraVolumes) Add additional volumes, such as for TLS keys. **Default:** `[]` -### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=fullnameOverride) +### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=fullnameOverride) Override `console.fullname` template. 
**Default:** `""` -### [image](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image) +### [image](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image) Redpanda Console Docker image settings. 
@@ -121,71 +121,71 @@ Redpanda Console Docker image settings. {"pullPolicy":"IfNotPresent","registry":"docker.redpanda.com","repository":"redpandadata/console","tag":""} ``` -### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.pullPolicy) +### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.pullPolicy) The imagePullPolicy. **Default:** `"IfNotPresent"` -### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.repository) +### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.repository) Docker repository from which to pull the Redpanda Docker image. **Default:** `"redpandadata/console"` -### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.tag) +### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.tag) The Redpanda Console version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/console/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/console-unstable/tags). 
**Default:** `Chart.appVersion` -### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=imagePullSecrets) +### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=imagePullSecrets) Pull secrets may be used to provide credentials to image repositories See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ **Default:** `[]` -### [ingress.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=ingress.annotations) +### [ingress.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.annotations) **Default:** `{}` -### [ingress.className](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=ingress.className) +### [ingress.className](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.className) **Default:** `""` -### [ingress.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=ingress.enabled) +### [ingress.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.enabled) **Default:** `false` -### [ingress.hosts[0].host](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=ingress.hosts[0].host) +### [ingress.hosts[0].host](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].host) **Default:** `"chart-example.local"` -### [ingress.hosts[0].paths[0].path](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=ingress.hosts[0].paths[0].path) +### [ingress.hosts[0].paths[0].path](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].paths[0].path) **Default:** `"/"` -### 
[ingress.hosts[0].paths[0].pathType](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=ingress.hosts[0].paths[0].pathType) +### [ingress.hosts[0].paths[0].pathType](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].paths[0].pathType) **Default:** `"ImplementationSpecific"` -### [ingress.tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=ingress.tls) +### [ingress.tls](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.tls) **Default:** `[]` -### [initContainers](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=initContainers) +### [initContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=initContainers) Any initContainers defined should be written here **Default:** `{"extraInitContainers":""}` -### [initContainers.extraInitContainers](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=initContainers.extraInitContainers) +### [initContainers.extraInitContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=initContainers.extraInitContainers) Additional set of init containers **Default:** `""` -### [livenessProbe](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=livenessProbe) +### [livenessProbe](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=livenessProbe) Settings for liveness and readiness probes. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes). 
@@ -195,69 +195,69 @@ Settings for liveness and readiness probes. For details, see the [Kubernetes doc {"failureThreshold":3,"initialDelaySeconds":0,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1} ``` -### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=nameOverride) +### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=nameOverride) Override `console.name` template. **Default:** `""` -### [nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=nodeSelector) +### [nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=nodeSelector) **Default:** `{}` -### [podAnnotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=podAnnotations) +### [podAnnotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podAnnotations) **Default:** `{}` -### [podLabels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=podLabels) +### [podLabels](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podLabels) **Default:** `{}` -### [podSecurityContext.fsGroup](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=podSecurityContext.fsGroup) +### [podSecurityContext.fsGroup](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podSecurityContext.fsGroup) **Default:** `99` -### [podSecurityContext.runAsUser](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=podSecurityContext.runAsUser) +### [podSecurityContext.runAsUser](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podSecurityContext.runAsUser) **Default:** `99` -### [priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=priorityClassName) +### 
[priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=priorityClassName) PriorityClassName given to Pods. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). **Default:** `""` -### [readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=readinessProbe.failureThreshold) +### [readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.failureThreshold) **Default:** `3` -### [readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=readinessProbe.initialDelaySeconds) +### [readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.initialDelaySeconds) Grant time to test connectivity to upstream services such as Kafka and Schema Registry. 
**Default:** `10` -### [readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=readinessProbe.periodSeconds) +### [readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.periodSeconds) **Default:** `10` -### [readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=readinessProbe.successThreshold) +### [readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.successThreshold) **Default:** `1` -### [readinessProbe.timeoutSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=readinessProbe.timeoutSeconds) +### [readinessProbe.timeoutSeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.timeoutSeconds) **Default:** `1` -### [replicaCount](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=replicaCount) +### [replicaCount](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=replicaCount) **Default:** `1` -### [resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources) +### [resources](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=resources) **Default:** `{}` -### [secret](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=secret) +### [secret](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secret) Create a new Kubernetes Secret for all sensitive configuration inputs. Each provided Secret is mounted automatically and made available to the Pod. If you want to use one or more existing Secrets, you can use the `extraEnvFrom` list to mount environment variables from string and secretMounts to mount files such as Certificates from Secrets. 
@@ -267,67 +267,71 @@ Create a new Kubernetes Secret for all sensitive configuration inputs. Each prov {"create":true,"enterprise":{},"kafka":{},"login":{"github":{},"google":{},"jwtSecret":"","oidc":{},"okta":{}},"redpanda":{"adminApi":{}}} ``` -### [secret.kafka](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=secret.kafka) +### [secret.kafka](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secret.kafka) Kafka Secrets. **Default:** `{}` -### [secretMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=secretMounts) +### [secretMounts](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secretMounts) SecretMounts is an abstraction to make a Secret available in the container's filesystem. Under the hood it creates a volume and a volume mount for the Redpanda Console container. **Default:** `[]` -### [securityContext.runAsNonRoot](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=securityContext.runAsNonRoot) +### [securityContext.runAsNonRoot](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=securityContext.runAsNonRoot) **Default:** `true` -### [service.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=service.annotations) +### [service.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.annotations) **Default:** `{}` -### [service.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=service.port) +### [service.port](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.port) **Default:** `8080` -### [service.targetPort](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=service.targetPort) +### [service.targetPort](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.targetPort) Override 
the value in `console.config.server.listenPort` if not `nil` **Default:** `nil` -### [service.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=service.type) +### [service.type](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.type) **Default:** `"ClusterIP"` -### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.annotations) +### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.annotations) Annotations to add to the service account. **Default:** `{}` -### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.create) +### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.create) Specifies whether a service account should be created. **Default:** `true` -### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.name) +### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.name) The name of the service account to use. 
If not set and `serviceAccount.create` is `true`, a name is generated using the `console.fullname` template **Default:** `""` -### [strategy](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=strategy) +### [strategy](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=strategy) **Default:** `{}` -### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tolerations) +### [tests.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=tests.enabled) + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=tolerations) **Default:** `[]` -### [topologySpreadConstraints](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=topologySpreadConstraints) +### [topologySpreadConstraints](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=topologySpreadConstraints) **Default:** `{}` diff --git a/charts/redpanda/redpanda/charts/console/templates/_helpers.tpl b/charts/redpanda/redpanda/charts/console/templates/_helpers.tpl index 94756f199..945780675 100644 --- a/charts/redpanda/redpanda/charts/console/templates/_helpers.tpl +++ b/charts/redpanda/redpanda/charts/console/templates/_helpers.tpl 
@@ -77,15 +77,19 @@ Create the name of the service account to use {{/* Console's HTTP server Port. -The port is defined from the service targetPort bu can be overridden -in the provided config and if that is missing defaults to 8080. +The port is defined from the provided config but can be overridden +by setting service.targetPort and if that is missing defaults to 8080. */}} {{- define "console.containerPort" -}} {{- $listenPort := 8080 -}} -{{- if .Values.console.config.server -}} -{{- $listenPort = .Values.console.config.server.listenPort -}} +{{- if .Values.service.targetPort -}} +{{- $listenPort = .Values.service.targetPort -}} +{{- end -}} +{{- if and .Values.console .Values.console.config .Values.console.config.server -}} + {{- .Values.console.config.server.listenPort | default $listenPort -}} +{{- else -}} + {{- $listenPort -}} {{- end -}} -{{- .Values.service.targetPort | default $listenPort -}} {{- end -}} {{/* diff --git a/charts/redpanda/redpanda/charts/console/templates/service.yaml b/charts/redpanda/redpanda/charts/console/templates/service.yaml index f853c4a95..522b07429 100644 --- a/charts/redpanda/redpanda/charts/console/templates/service.yaml +++ b/charts/redpanda/redpanda/charts/console/templates/service.yaml @@ -27,7 +27,7 @@ spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.port }} - targetPort: {{ include "console.containerPort" . }} + targetPort: {{ .Values.service.targetPort }} protocol: TCP name: http {{- if and (contains "NodePort" .Values.service.type) .Values.service.nodePort }} diff --git a/charts/redpanda/redpanda/charts/console/templates/tests/test-connection.yaml b/charts/redpanda/redpanda/charts/console/templates/tests/test-connection.yaml index 36b266778..10615fddb 100644 --- a/charts/redpanda/redpanda/charts/console/templates/tests/test-connection.yaml +++ b/charts/redpanda/redpanda/charts/console/templates/tests/test-connection.yaml 
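Review bot: The rewritten `console.containerPort` gives `console.config.server.listenPort` precedence over `service.targetPort` — `.Values.console.config.server.listenPort | default $listenPort` only falls back to the targetPort-derived value when listenPort is unset — which is the reverse of what the new comment ("can be overridden by setting service.targetPort") and the README entry for `service.targetPort` ("Override the value in console.config.server.listenPort if not nil") promise. Either the comment or the code has to change; if the documented behaviour is the intended one, derive the port from the config first and apply the override last: `{{- $listenPort := 8080 -}}` then `{{- if and .Values.console .Values.console.config .Values.console.config.server -}}{{- $listenPort = .Values.console.config.server.listenPort | default $listenPort -}}{{- end -}}` and finally `{{- .Values.service.targetPort | default $listenPort -}}`.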
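Review bot: `targetPort: {{ .Values.service.targetPort }}` renders an empty value whenever `service.targetPort` is left at its documented default of `nil`, and Kubernetes then defaults targetPort to `port` (8080). A user who set `console.config.server.listenPort` to anything other than 8080 without also setting `service.targetPort` now gets a Service that forwards to a port the container does not listen on, a case the removed `include "console.containerPort" .` handled. Keep `targetPort: {{ include "console.containerPort" . }}` here so the Service and the container port are computed by the same helper and cannot drift apart.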
@@ -1,3 +1,4 @@ +{{- if .Values.tests.enabled }} apiVersion: v1 kind: Pod metadata: @@ -17,3 +18,4 @@ spec: args: ['{{ include "console.fullname" . }}:{{ .Values.service.port }}'] restartPolicy: Never priorityClassName: {{ .Values.priorityClassName }} +{{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/charts/console/values.schema.json b/charts/redpanda/redpanda/charts/console/values.schema.json index c558bfbc3..e2359da45 100644 --- a/charts/redpanda/redpanda/charts/console/values.schema.json +++ b/charts/redpanda/redpanda/charts/console/values.schema.json @@ -304,6 +304,14 @@ }, "strategy": { "type": "object" + }, + "tests": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } } } } diff --git a/charts/redpanda/redpanda/charts/console/values.yaml b/charts/redpanda/redpanda/charts/console/values.yaml index a77f593c8..9459d84b4 100644 --- a/charts/redpanda/redpanda/charts/console/values.yaml +++ b/charts/redpanda/redpanda/charts/console/values.yaml @@ -269,3 +269,6 @@ deployment: create: true strategy: {} + +tests: + enabled: true diff --git a/charts/redpanda/redpanda/templates/_configmap.tpl b/charts/redpanda/redpanda/templates/_configmap.tpl index 28e1b7b89..988a133f3 100644 --- a/charts/redpanda/redpanda/templates/_configmap.tpl +++ b/charts/redpanda/redpanda/templates/_configmap.tpl 
@@ -131,22 +131,6 @@ bootstrap.yaml: | audit_enabled: false {{- end }} {{- end }} -{{- if and (include "is-licensed" . | fromJson).bool (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} - {{- $tieredStorageConfig := (include "storage-tiered-config" .|fromJson) }} - {{- $tieredStorageConfig = unset $tieredStorageConfig "cloud_storage_cache_directory" }} - {{- if not (include "redpanda-atleast-22-3-0" . | fromJson).bool }} - {{- $tieredStorageConfig = unset $tieredStorageConfig "cloud_storage_credentials_source"}} - {{- end }} - {{- range $key, $element := $tieredStorageConfig}} - {{- if or (eq (typeOf $element) "bool") $element }} - {{- if eq $key "cloud_storage_cache_size" }} - {{- dict $key (include "SI-to-bytes" $element) | toYaml | nindent 2 -}} - {{- else }} - {{- dict $key $element | toYaml | nindent 2 -}} - {{- end }} - {{- end }} - {{- end }} -{{- end }} redpanda.yaml: | config_file: /etc/redpanda/redpanda.yaml diff --git a/charts/redpanda/redpanda/templates/_helpers.tpl b/charts/redpanda/redpanda/templates/_helpers.tpl index 3e1378d24..453d18911 100644 --- a/charts/redpanda/redpanda/templates/_helpers.tpl +++ b/charts/redpanda/redpanda/templates/_helpers.tpl 
@@ -869,25 +869,79 @@ REDPANDA_SASL_USERNAME REDPANDA_SASL_PASSWORD REDPANDA_SASL_MECHANISM {{- end -}} {{- end -}} -{{- define "storage-tiered-credentials-secret-key" -}} -{{- $oldCondtion := (and .Values.storage.tiered.credentialsSecretRef.name .Values.storage.tiered.credentialsSecretRef.key) -}} -{{- $newCondtion := (and .Values.storage.tiered.credentialsSecretRef.secretKey.name .Values.storage.tiered.credentialsSecretRef.secretKey.key) -}} -{{- $configurationKey := (dig "configurationKey" "" .Values.storage.tiered.credentialsSecretRef) -}} -{{- if empty $configurationKey -}} - {{- $configurationKey = .Values.storage.tiered.credentialsSecretRef.secretKey.configurationKey -}} +{{/* secret-ref-or-value + in: {Value: string?, SecretKey: string?, SecretName: string?} + out: corev1.Envvar | nil + secret-ref-or-value converts a set of values into a structure suitable for + use as an environment variable or nil. +*/}} +{{- define "secret-ref-or-value" -}} + {{- if and (empty .Value) (or (empty .SecretName) (empty .SecretKey)) -}} + {{- mustToJson nil -}} + {{- else -}} + {{- $out := (dict + "name" .Name + "value" .Value + "valueFrom" (dict + "secretKeyRef" (dict + "name" .SecretName + "key" .SecretKey + ) + ) + ) -}} + {{- if empty .Value -}} + {{- $_ := unset $out "value" -}} + {{- else -}} + {{- $_ := unset $out "valueFrom" -}} + {{- end -}} + {{- mustToJson $out -}} + {{- end -}} {{- end -}} -{{- $key := (dig "key" "" .Values.storage.tiered.credentialsSecretRef) -}} -{{- if empty $key -}} - {{- $key = .Values.storage.tiered.credentialsSecretRef.secretKey.key -}} -{{- end -}} -{{- $name := (dig "name" "" .Values.storage.tiered.credentialsSecretRef) -}} -{{- if empty $name -}} - {{- $name = .Values.storage.tiered.credentialsSecretRef.secretKey.name -}} -{{- end -}} -{{- toJson (dict - "bool" (or $oldCondtion $newCondtion) - "configurationKey" $configurationKey - "key" $key - "name" $name -) -}} + +{{- define "tiered-storage-env-vars" -}} + {{- $config := (include 
"storage-tiered-config" . | fromJson) -}} + [ + {{- if and (include "is-licensed" . | fromJson).bool (dig "cloud_storage_enabled" false $config) -}} + {{include "secret-ref-or-value" (dict + "Name" "RPK_CLOUD_STORAGE_SECRET_KEY" + "Value" (dig "cloud_storage_secret_key" nil $config) + "SecretName" (dig "tiered" "credentialsSecretRef" "secretKey" "name" nil .Values.storage) + "SecretKey" (dig "tiered" "credentialsSecretRef" "secretKey" "key" nil .Values.storage) + )}} + , + {{include "secret-ref-or-value" (dict + "Name" "RPK_CLOUD_STORAGE_ACCESS_KEY" + "Value" (dig "cloud_storage_access_key" nil $config) + "SecretName" (dig "tiered" "credentialsSecretRef" "accessKey" "name" nil .Values.storage) + "SecretKey" (dig "tiered" "credentialsSecretRef" "accessKey" "key" nil .Values.storage) + )}} + + {{/* Because these keys can be set via secrets, they're special + cased above. Remove them so they don't get duplicated. */}} + {{- $_ := unset $config "cloud_storage_access_key" -}} + {{- $_ := unset $config "cloud_storage_secret_key" -}} + + {{/* iterate over the sorted keys of $config for deterministic output */}} + {{- range $i, $key := ($config | keys | sortAlpha) -}} + {{- $value := (get $config $key) -}} + + {{/* Special case for cache size */}} + {{- if eq $key "cloud_storage_cache_size" -}} + {{- $value = (include "SI-to-bytes" $value | int64) -}} + {{- end -}} + + , + + {{/* Only include values that are truthy OR that are booleans */}} + {{- if or (eq (typeOf $value) "bool") $value -}} + {{include "secret-ref-or-value" (dict + "Name" (printf "RPK_%s" ($key | upper)) + "Value" ($value | toJson) + )}} + {{- else -}} + null + {{- end -}} + {{- end -}} + {{- end -}} + ] {{- end -}} diff --git a/charts/redpanda/redpanda/templates/console/configmap-and-deployment.yaml b/charts/redpanda/redpanda/templates/console/configmap-and-deployment.yaml index cee5a1386..d5e21be13 100644 --- a/charts/redpanda/redpanda/templates/console/configmap-and-deployment.yaml 
+++ b/charts/redpanda/redpanda/templates/console/configmap-and-deployment.yaml @@ -286,6 +286,26 @@ limitations under the License. "secret" $secretConfig "enterprise" $enterprise "image" $values.console.image + "autoscaling" .Values.console.autoscaling + "replicaCount" .Values.console.replicaCount + "strategy" .Values.console.strategy + "podAnnotations" .Values.console.podAnnotations + "podLabels" .Values.console.podLabels + "imagePullSecrets" .Values.console.imagePullSecrets + "podSecurityContext" .Values.console.podSecurityContext + "secretMounts" .Values.console.secretMounts + "initContainers" .Values.console.initContainers + "extraArgs" .Values.console.extraArgs + "securityContext" .Values.console.securityContext + "livenessProbe" .Values.console.livenessProbe + "readinessProbe" .Values.console.readinessProbe + "resources" .Values.console.resources + "extraContainers" .Values.console.extraContainers + "nodeSelector" .Values.console.nodeSelector + "affinity" .Values.console.affinity + "topologySpreadConstraints" .Values.console.topologySpreadConstraints + "priorityClassName" .Values.console.priorityClassName + "tolerations" .Values.console.tolerations )}} {{ if not (empty $command) }} diff --git a/charts/redpanda/redpanda/templates/post-install-upgrade-job.yaml b/charts/redpanda/redpanda/templates/post-install-upgrade-job.yaml index b1317e7a1..25071ebfb 100644 --- a/charts/redpanda/redpanda/templates/post-install-upgrade-job.yaml +++ b/charts/redpanda/redpanda/templates/post-install-upgrade-job.yaml @@ -35,7 +35,7 @@ metadata: # job is considered part of the release. "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation - "helm.sh/hook-weight": "-10" + "helm.sh/hook-weight": "-5" {{- with .Values.post_install_job.annotations }} {{- toYaml . | nindent 4 }} {{- end }} 
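Review bot: The new dict entries read `.Values.console.*` while the existing `"image" $values.console.image` line in the same dict reads through `$values`; inside a `range`/`with` scope the two can differ, and the enclosing block begins outside this hunk so I cannot tell which is in effect. Writing the new entries as `$values.console.autoscaling` and so on, matching the existing line, keeps the block uniform and removes the question.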
@@ -68,25 +68,69 @@ spec: containers: - name: {{ template "redpanda.name" . }}-post-install image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} - {{- if not ( empty (include "enterprise-secret" . ) ) }} - env: - - name: REDPANDA_LICENSE - valueFrom: - secretKeyRef: - name: {{ include "enterprise-secret-name" . }} - key: {{ include "enterprise-secret-key" . }} - {{- end }} + {{ (dict "env" (prepend + (include "tiered-storage-env-vars" . | fromJsonArray) + (include "secret-ref-or-value" (dict + "Name" "REDPANDA_LICENSE" + "Value" (include "enterprise-license" .) + "SecretName" (include "enterprise-secret-name" .) + "SecretKey" (include "enterprise-secret-key" .) + ) | fromJson) + | compact)) | toYaml | nindent 8 }} command: ["bash","-c"] args: - | set -e {{- if (include "redpanda-atleast-22-2-0" . | fromJson).bool }} - {{- if not (empty (include "enterprise-secret" . )) }} - rpk cluster license set "$REDPANDA_LICENSE" - {{- else if not (empty (include "enterprise-license" . )) }} - rpk cluster license set {{ include "enterprise-license" . | quote }} - {{- end }} + if [[ -n "$REDPANDA_LICENSE" ]] then + rpk cluster license set "$REDPANDA_LICENSE" + fi {{- end }} + + {{/* ### Here be dragons ### + This block of bash configures cluster configuration settings by + pulling them from environment variables. + + This allows us to support configurations from secrets or their raw + values. + + WARNING: There is a small race condition here. `rpk cluster config + import` will reset any values that are not specified. To work + around this, we first export the the configuration. If there's a + change to the configuration while we're updating the exported + config on disk, said change will be reverted. + + TODO(chrisseto): Consolidate all cluster configuration setting to + this job. + */}} + + {{/* First: dump the existing cluster configuration. + + We need to use config import to handle conditional configurations + (e.g. cloud_storage_enabled). 
Maintaining a DAG of configurations + is not an option for the helm chart. */}} + rpk cluster config export -f /tmp/cfg.yml + + {{/* Second: For each environment variable with the prefix RPK + ("${!RPK_@}"), use `rpk redpanda config set` to update the exported + config. + + Lots of Bash Jargon here: + "${KEY#*RPK_}" => Strip the RPK_ prefix from KEY. + "${config,,}" => config.toLower() + "${!KEY}" => Dynamic variable resolution. ie: What is the value of the variable with a name equal to the value of $KEY? + */}} + for KEY in "${!RPK_@}"; do + config="${KEY#*RPK_}" + rpk redpanda config set --config /tmp/cfg.yml "${config,,}" "${!KEY}" + done + + {{/* + The updated file is then loaded via `rpk cluster config import` which + ensures that conditional configurations (cloud_storage_enabled) + "see" all their dependent keys. + */}} + rpk cluster config import -f /tmp/cfg.yml {{- with .Values.post_install_job.resources }} resources: {{- toYaml . | nindent 10 }} diff --git a/charts/redpanda/redpanda/templates/post-upgrade.yaml b/charts/redpanda/redpanda/templates/post-upgrade.yaml index 0ec2f0499..548048abe 100644 --- a/charts/redpanda/redpanda/templates/post-upgrade.yaml +++ b/charts/redpanda/redpanda/templates/post-upgrade.yaml @@ -32,7 +32,8 @@ metadata: {{- end }} annotations: "helm.sh/hook": post-upgrade - "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation + "helm.sh/hook-weight": "-10" {{- with .Values.post_upgrade_job.annotations }} {{- toYaml . | nindent 4 }} {{- end }} @@ -73,7 +74,6 @@ spec: args: - | set -e - rpk cluster config import -f /etc/redpanda/bootstrap.yaml {{- range $key, $value := .Values.config.cluster }} {{- if eq $key "default_topic_replications" }} {{/* "sub (add $i (mod $i 2)) 1" calculates the closest odd number less than or equal to $i: 1=1, 2=1, 3=3, ... */}} diff --git a/charts/redpanda/redpanda/templates/secrets.yaml b/charts/redpanda/redpanda/templates/secrets.yaml index 7e472d130..2989dd6c8 100644 
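Review bot: `if [[ -n "$REDPANDA_LICENSE" ]] then` is a bash syntax error, since a `;` or newline is required between `]]` and `then`, so on any release where `redpanda-atleast-22-2-0` is true the post-install script fails to parse; it should read `if [[ -n "$REDPANDA_LICENSE" ]]; then`. The `for KEY in "${!RPK_@}"` loop also turns every environment variable carrying the `RPK_` prefix into an `rpk redpanda config set` call, not only the ones `tiered-storage-env-vars` emits, so any other RPK_-prefixed variable present in the container (from the image, or from user-supplied env if the chart allows it; not visible here) would be written into the cluster configuration. A comment such as `# Every RPK_* variable in this environment is treated as a cluster property; keep this container's env limited to the helper output.` would document that coupling. The `containers:` entry starts above the hunk and the job's resources section continues below it.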
--- a/charts/redpanda/redpanda/templates/secrets.yaml +++ b/charts/redpanda/redpanda/templates/secrets.yaml @@ -351,18 +351,6 @@ stringData: rpk --config "$CONFIG" redpanda config set redpanda.rack "${RACK}" {{- end }} {{- end }} - {{- if (include "storage-tiered-credentials-secret-key" . | fromJson).bool }} - set +x - echo Setting {{ (include "storage-tiered-credentials-secret-key" . | fromJson).configurationKey }} configuration - rpk cluster config --config "$CONFIG" set {{ (include "storage-tiered-credentials-secret-key" . | fromJson).configurationKey }} $CLOUD_STORAGE_SECRET_KEY - set -x - {{- end }} - {{- if and .Values.storage.tiered.credentialsSecretRef.accessKey.name .Values.storage.tiered.credentialsSecretRef.accessKey.key }} - set +x - echo Setting {{ .Values.storage.tiered.credentialsSecretRef.accessKey.configurationKey }} configuration - rpk cluster config --config "$CONFIG" set {{ .Values.storage.tiered.credentialsSecretRef.accessKey.configurationKey }} $CLOUD_STORAGE_ACCESS_KEY - set -x - {{- end }} {{- if .Values.statefulset.initContainers.fsValidator.enabled}} --- apiVersion: v1 diff --git a/charts/redpanda/redpanda/templates/statefulset.yaml b/charts/redpanda/redpanda/templates/statefulset.yaml index d8f8aa821..3493d61d8 100644 --- a/charts/redpanda/redpanda/templates/statefulset.yaml +++ b/charts/redpanda/redpanda/templates/statefulset.yaml 
@@ -163,20 +163,6 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.hostIP - {{- if (include "storage-tiered-credentials-secret-key" . | fromJson).bool }} - - name: CLOUD_STORAGE_SECRET_KEY - valueFrom: - secretKeyRef: - key: {{ (include "storage-tiered-credentials-secret-key" . | fromJson).key }} - name: {{ (include "storage-tiered-credentials-secret-key" . | fromJson).name }} - {{- end }} - {{- if and .Values.storage.tiered.credentialsSecretRef.accessKey.name .Values.storage.tiered.credentialsSecretRef.accessKey.key }} - - name: CLOUD_STORAGE_ACCESS_KEY - valueFrom: - secretKeyRef: - key: {{ .Values.storage.tiered.credentialsSecretRef.accessKey.key }} - name: {{ .Values.storage.tiered.credentialsSecretRef.accessKey.name }} - {{- end }} securityContext: {{ include "container-security-context" . | nindent 12 }} volumeMounts: {{ include "common-mounts" . | nindent 12 }} {{- if dig "initContainers" "configurator" "extraVolumeMounts" false .Values.statefulset -}} @@ -237,7 +223,7 @@ spec: - -c - | set -e - RESULT=$(curl --silent --fail -k {{ include "admin-tls-curl-flags" . }} "{{ include "admin-http-protocol" . }}://{{ include "admin-api-urls" . }}/v1/status/ready") + RESULT=$(curl --silent --fail -k -m 5 {{ include "admin-tls-curl-flags" . }} "{{ include "admin-http-protocol" . }}://{{ include "admin-api-urls" . }}/v1/status/ready") echo $RESULT echo $RESULT | grep ready initialDelaySeconds: {{ .Values.statefulset.startupProbe.initialDelaySeconds }} 
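Review bot: The rewritten startup-probe line (and the liveness-probe line in the next hunk) adds `-m 5` but still passes `-k`, so whatever `admin-tls-curl-flags` contributes, the admin certificate is never verified by these probes; if that is deliberate because the probe hits the local admin API, a one-line comment such as `# -k: probe targets the local admin API; certificate verification intentionally skipped` above the command would record the reason. The 5 s curl limit should also be kept at or below the probe's `timeoutSeconds` (configured outside this hunk) so the kubelet does not kill the probe before curl gives up and the exit status is lost.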
@@ -249,7 +235,7 @@ spec: command: - /bin/sh - -c - - curl --silent --fail -k {{ include "admin-tls-curl-flags" . }} "{{ include "admin-http-protocol" . }}://{{ include "admin-api-urls" . }}/v1/status/ready" + - curl --silent --fail -k -m 5 {{ include "admin-tls-curl-flags" . }} "{{ include "admin-http-protocol" . }}://{{ include "admin-api-urls" . }}/v1/status/ready" initialDelaySeconds: {{ .Values.statefulset.livenessProbe.initialDelaySeconds }} failureThreshold: {{ .Values.statefulset.livenessProbe.failureThreshold }} periodSeconds: {{ .Values.statefulset.livenessProbe.periodSeconds }} @@ -266,8 +252,9 @@ spec: - -c - | set -x - rpk cluster health - rpk cluster health | grep 'Healthy:.*true' + RESULT=$(rpk cluster health) + echo $RESULT + echo $RESULT | grep 'Healthy:.*true' initialDelaySeconds: {{ .Values.statefulset.readinessProbe.initialDelaySeconds }} failureThreshold: {{ .Values.statefulset.readinessProbe.failureThreshold }} periodSeconds: {{ .Values.statefulset.readinessProbe.periodSeconds }} @@ -283,7 +270,7 @@ spec: - name: {{ lower $name }} containerPort: {{ $listener.port }} {{- range $externalName, $external := $listener.external }} - {{- if $external.port }} + {{- if and $external.port (or $external.enabled (and $values.external.enabled (dig "enabled" true $external))) }} - name: {{ lower $name | trunc 6 }}-{{ lower $externalName | trunc 8 }} containerPort: {{ $external.port }} {{- end }} diff --git a/charts/redpanda/redpanda/templates/tests/test-api-status.yaml b/charts/redpanda/redpanda/templates/tests/test-api-status.yaml index 5acf4e4a4..330a2c4a4 100644 --- a/charts/redpanda/redpanda/templates/tests/test-api-status.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-api-status.yaml 
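Review bot: In `{{- if and $external.port (or $external.enabled (and $values.external.enabled (dig "enabled" true $external))) }}` the `or` short-circuits on `$external.enabled`, so a listener with `enabled: true` gets a containerPort even when `$values.external.enabled` is false; the `dig "enabled" true $external` branch only governs listeners that omit the key. If the global switch is meant to gate all external ports, the condition should be `{{- if and $external.port $values.external.enabled (dig "enabled" true $external) }}`; if a per-listener `enabled: true` is meant to override the global switch, a template comment saying so would stop the next reader from "fixing" it. The `range` that binds `$external` starts above the hunk.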
@@ -14,7 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} -{{- if not (or (include "tls-enabled" . | fromJson).bool (include "sasl-enabled" . | fromJson).bool) -}} +{{- if and .Values.tests.enabled (not (or (include "tls-enabled" . | fromJson).bool (include "sasl-enabled" . | fromJson).bool)) -}} apiVersion: v1 kind: Pod metadata: diff --git a/charts/redpanda/redpanda/templates/tests/test-auditLogging.yaml b/charts/redpanda/redpanda/templates/tests/test-auditLogging.yaml index 4f407fa18..743b6bf3f 100644 --- a/charts/redpanda/redpanda/templates/tests/test-auditLogging.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-auditLogging.yaml @@ -18,7 +18,7 @@ This feature is gated by having a license, and it must have sasl enabled, we assume these conditions are met as part of setting auditLogging being enabled. */}} -{{- if and .Values.auditLogging.enabled (include "redpanda-atleast-23-3-0" . | fromJson).bool }} +{{- if and .Values.tests.enabled .Values.auditLogging.enabled (include "redpanda-atleast-23-3-0" . | fromJson).bool }} {{- $rpk := deepCopy . }} {{- $sasl := .Values.auth.sasl }} {{- $_ := set $rpk "rpk" "rpk" }} diff --git a/charts/redpanda/redpanda/templates/tests/test-connector-via-console.yaml b/charts/redpanda/redpanda/templates/tests/test-connector-via-console.yaml index 9f8556036..14c803b75 100644 --- a/charts/redpanda/redpanda/templates/tests/test-connector-via-console.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-connector-via-console.yaml 
@@ -14,7 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and .Values.connectors.enabled .Values.console.enabled }} +{{- if and .Values.tests.enabled .Values.connectors.enabled .Values.console.enabled }} {{- $sasl := .Values.auth.sasl }} {{- $root := deepCopy . }} {{- $values := .Values }} diff --git a/charts/redpanda/redpanda/templates/tests/test-console.yaml b/charts/redpanda/redpanda/templates/tests/test-console.yaml index 656e74ebc..dd458339b 100644 --- a/charts/redpanda/redpanda/templates/tests/test-console.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-console.yaml @@ -14,7 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} -{{- if .Values.console.enabled -}} +{{- if and .Values.tests.enabled .Values.console.enabled -}} apiVersion: v1 kind: Pod metadata: diff --git a/charts/redpanda/redpanda/templates/tests/test-internal-external-tls-secrets.yaml b/charts/redpanda/redpanda/templates/tests/test-internal-external-tls-secrets.yaml index 4d0f671b4..aabc38e37 100644 --- a/charts/redpanda/redpanda/templates/tests/test-internal-external-tls-secrets.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-internal-external-tls-secrets.yaml @@ -14,7 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and (include "tls-enabled" . | fromJson).bool ( eq .Values.external.type "NodePort" ) }} +{{- if and .Values.tests.enabled (include "tls-enabled" . | fromJson).bool ( eq .Values.external.type "NodePort" ) }} {{- $values := .Values }} {{- $root := deepCopy . }} apiVersion: v1 
diff --git a/charts/redpanda/redpanda/templates/tests/test-kafka-internal-tls-status.yaml b/charts/redpanda/redpanda/templates/tests/test-kafka-internal-tls-status.yaml index 1b6d0ba9f..007abfdf2 100644 --- a/charts/redpanda/redpanda/templates/tests/test-kafka-internal-tls-status.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-kafka-internal-tls-status.yaml @@ -14,7 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and (include "kafka-internal-tls-enabled" . | fromJson).bool (not (include "sasl-enabled" . | fromJson).bool) -}} +{{- if and .Values.tests.enabled (include "kafka-internal-tls-enabled" . | fromJson).bool (not (include "sasl-enabled" . | fromJson).bool) -}} {{- $service := .Values.listeners.kafka -}} {{- $cert := get .Values.tls.certs $service.tls.cert -}} {{- $root := deepCopy . }} diff --git a/charts/redpanda/redpanda/templates/tests/test-kafka-nodelete.yaml b/charts/redpanda/redpanda/templates/tests/test-kafka-nodelete.yaml index 928ffc8fd..bf0a21d1c 100644 --- a/charts/redpanda/redpanda/templates/tests/test-kafka-nodelete.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-kafka-nodelete.yaml @@ -14,7 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} -{{- if dig "kafka_nodelete_topics" "[]" $.Values.config.cluster }} +{{- if and .Values.tests.enabled (dig "kafka_nodelete_topics" "[]" $.Values.config.cluster) }} {{- $noDeleteTopics := .Values.config.cluster.kafka_nodelete_topics }} {{- $sasl := .Values.auth.sasl }} {{- $root := deepCopy . }} diff --git a/charts/redpanda/redpanda/templates/tests/test-kafka-produce-consume.yaml b/charts/redpanda/redpanda/templates/tests/test-kafka-produce-consume.yaml index 0dd387800..7eabb94c1 100644 
--- a/charts/redpanda/redpanda/templates/tests/test-kafka-produce-consume.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-kafka-produce-consume.yaml @@ -14,6 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} +{{- if .Values.tests.enabled }} {{- $sasl := .Values.auth.sasl }} {{- $root := deepCopy . }} {{- $rpk := deepCopy . }} @@ -85,3 +86,4 @@ spec: resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} securityContext: {{ include "container-security-context" . | nindent 8 }} volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/templates/tests/test-kafka-sasl-status.yaml b/charts/redpanda/redpanda/templates/tests/test-kafka-sasl-status.yaml index e10f694ee..0c6015758 100644 --- a/charts/redpanda/redpanda/templates/tests/test-kafka-sasl-status.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-kafka-sasl-status.yaml @@ -14,7 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} -{{- if (include "sasl-enabled" . | fromJson).bool }} +{{- if and .Values.tests.enabled (include "sasl-enabled" . | fromJson).bool }} {{- $rpk := deepCopy . }} {{- $sasl := .Values.auth.sasl }} {{- $_ := set $rpk "rpk" "rpk" }} diff --git a/charts/redpanda/redpanda/templates/tests/test-license-with-console.yaml b/charts/redpanda/redpanda/templates/tests/test-license-with-console.yaml index 20fc8f483..60253fb9c 100644 --- a/charts/redpanda/redpanda/templates/tests/test-license-with-console.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-license-with-console.yaml 
@@ -14,7 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and (include "is-licensed" . | fromJson).bool .Values.console.enabled }} +{{- if and .Values.tests.enabled (include "is-licensed" . | fromJson).bool .Values.console.enabled }} apiVersion: v1 kind: Pod metadata: diff --git a/charts/redpanda/redpanda/templates/tests/test-lifecycle-scripts.yaml b/charts/redpanda/redpanda/templates/tests/test-lifecycle-scripts.yaml index ef521d09d..5c72e1d9f 100644 --- a/charts/redpanda/redpanda/templates/tests/test-lifecycle-scripts.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-lifecycle-scripts.yaml @@ -14,6 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} +{{- if .Values.tests.enabled }} apiVersion: v1 kind: Pod metadata: @@ -62,3 +63,4 @@ spec: secret: secretName: {{ (include "redpanda.fullname" . | trunc 50 ) }}-sts-lifecycle defaultMode: 0o775 + {{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/templates/tests/test-loadbalancer-tls.yaml b/charts/redpanda/redpanda/templates/tests/test-loadbalancer-tls.yaml index d1cde8df0..ccb7c368d 100644 --- a/charts/redpanda/redpanda/templates/tests/test-loadbalancer-tls.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-loadbalancer-tls.yaml @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and .Values.tls.enabled ( eq .Values.external.type "LoadBalancer" ) -}} +{{- if and .Values.tests.enabled .Values.tls.enabled ( eq .Values.external.type "LoadBalancer" ) -}} {{- $values := .Values }} {{- $root := deepCopy . }} apiVersion: v1 
diff --git a/charts/redpanda/redpanda/templates/tests/test-nodeport-tls.yaml b/charts/redpanda/redpanda/templates/tests/test-nodeport-tls.yaml index 21ce0bb97..5b53186ed 100644 --- a/charts/redpanda/redpanda/templates/tests/test-nodeport-tls.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-nodeport-tls.yaml @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and .Values.tls.enabled ( eq .Values.external.type "NodePort" ) -}} +{{- if and .Values.tests.enabled .Values.tls.enabled ( eq .Values.external.type "NodePort" ) -}} {{- $values := .Values }} {{- $root := deepCopy . }} apiVersion: v1 diff --git a/charts/redpanda/redpanda/templates/tests/test-pandaproxy-internal-tls-status.yaml b/charts/redpanda/redpanda/templates/tests/test-pandaproxy-internal-tls-status.yaml index fa6a695f4..a12ff4804 100644 --- a/charts/redpanda/redpanda/templates/tests/test-pandaproxy-internal-tls-status.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-pandaproxy-internal-tls-status.yaml @@ -14,7 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and (include "http-internal-tls-enabled" . | fromJson).bool .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} +{{- if and .Values.tests.enabled (include "http-internal-tls-enabled" . | fromJson).bool .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} {{- $service := .Values.listeners.http -}} {{- $cert := get .Values.tls.certs $service.tls.cert -}} {{- $root := deepCopy . }} diff --git a/charts/redpanda/redpanda/templates/tests/test-pandaproxy-status.yaml b/charts/redpanda/redpanda/templates/tests/test-pandaproxy-status.yaml index b57284b27..4f5ee6bb7 100644 --- a/charts/redpanda/redpanda/templates/tests/test-pandaproxy-status.yaml 
+++ b/charts/redpanda/redpanda/templates/tests/test-pandaproxy-status.yaml @@ -14,7 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and (not (include "http-internal-tls-enabled" . | fromJson).bool) .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} +{{- if and .Values.tests.enabled (not (include "http-internal-tls-enabled" . | fromJson).bool) .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} {{- $sasl := .Values.auth.sasl }} apiVersion: v1 kind: Pod diff --git a/charts/redpanda/redpanda/templates/tests/test-prometheus-targets.yaml b/charts/redpanda/redpanda/templates/tests/test-prometheus-targets.yaml index 8b23e2860..81f83a34e 100644 --- a/charts/redpanda/redpanda/templates/tests/test-prometheus-targets.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-prometheus-targets.yaml @@ -15,7 +15,7 @@ limitations under the License. */}} -{{- if .Values.monitoring.enabled }} +{{- if and .Values.tests.enabled .Values.monitoring.enabled }} apiVersion: v1 kind: Pod metadata: diff --git a/charts/redpanda/redpanda/templates/tests/test-rack-awareness.yaml b/charts/redpanda/redpanda/templates/tests/test-rack-awareness.yaml index f54d24520..82a31937f 100644 --- a/charts/redpanda/redpanda/templates/tests/test-rack-awareness.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-rack-awareness.yaml @@ -14,6 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} +{{- if .Values.tests.enabled }} apiVersion: v1 kind: Pod metadata: 
@@ -57,3 +58,4 @@ spec: volumeMounts: {{ include "default-mounts" . | nindent 8 }} securityContext: {{ include "container-security-context" . | nindent 8 }} volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/templates/tests/test-rpk-debug-bundle.yaml b/charts/redpanda/redpanda/templates/tests/test-rpk-debug-bundle.yaml index a04ee7814..3230f0881 100644 --- a/charts/redpanda/redpanda/templates/tests/test-rpk-debug-bundle.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-rpk-debug-bundle.yaml @@ -21,7 +21,7 @@ This test currently fails because of a bug where when multiple containers exist The api returns an error. We should be requesting logs from each container. -{{- if and .Values.rbac.enabled (include "redpanda-atleast-23-1-1" .|fromJson).bool -}} +{{- if and .Values.tests.enabled .Values.rbac.enabled (include "redpanda-atleast-23-1-1" .|fromJson).bool -}} {{- $sasl := .Values.auth.sasl }} {{- $useSaslSecret := and $sasl.enabled (not (empty $sasl.secretRef )) }} diff --git a/charts/redpanda/redpanda/templates/tests/test-sasl-updated.yaml b/charts/redpanda/redpanda/templates/tests/test-sasl-updated.yaml index 840c7724f..242a0639d 100644 --- a/charts/redpanda/redpanda/templates/tests/test-sasl-updated.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-sasl-updated.yaml @@ -15,7 +15,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and (include "sasl-enabled" . | fromJson).bool (eq .Values.auth.sasl.secretRef "some-users") -}} +{{- if and .Values.tests.enabled (include "sasl-enabled" . | fromJson).bool (eq .Values.auth.sasl.secretRef "some-users") -}} {{- $rpk := deepCopy . }} {{- $sasl := .Values.auth.sasl }} {{- $_ := set $rpk "rpk" "rpk" }} 
diff --git a/charts/redpanda/redpanda/templates/tests/test-schemaregistry-internal-tls-status.yaml b/charts/redpanda/redpanda/templates/tests/test-schemaregistry-internal-tls-status.yaml index a5983f64b..fe580f50e 100644 --- a/charts/redpanda/redpanda/templates/tests/test-schemaregistry-internal-tls-status.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-schemaregistry-internal-tls-status.yaml @@ -14,7 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool .Values.listeners.schemaRegistry.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} +{{- if and .Values.tests.enabled (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool .Values.listeners.schemaRegistry.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} {{- $service := .Values.listeners.schemaRegistry -}} {{- $cert := get .Values.tls.certs $service.tls.cert -}} {{- $root := deepCopy . }} diff --git a/charts/redpanda/redpanda/templates/tests/test-schemaregistry-status.yaml b/charts/redpanda/redpanda/templates/tests/test-schemaregistry-status.yaml index 01847ba4f..8cdc9d5a0 100644 --- a/charts/redpanda/redpanda/templates/tests/test-schemaregistry-status.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-schemaregistry-status.yaml 
@@ -14,7 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and (not (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool) .Values.listeners.schemaRegistry.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool }} +{{- if and .Values.tests.enabled (not (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool) .Values.listeners.schemaRegistry.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool }} {{- $sasl := .Values.auth.sasl }} {{- $randNumber := randNumeric 3 }} apiVersion: v1 diff --git a/charts/redpanda/redpanda/values.schema.json b/charts/redpanda/redpanda/values.schema.json index a0de8380c..28ff1041b 100644 --- a/charts/redpanda/redpanda/values.schema.json +++ b/charts/redpanda/redpanda/values.schema.json @@ -711,7 +711,7 @@ "type": "object", "properties": { "cpu": { - "type": "integer" + "type": ["integer", "string"] }, "memory": { "type": "string", @@ -723,7 +723,7 @@ "type": "object", "properties": { "cpu": { - "type": "integer" + "type": ["integer", "string"] }, "memory": { "type": "string", @@ -748,7 +748,7 @@ "type": "object", "properties": { "cpu": { - "type": "integer" + "type": ["integer", "string"] }, "memory": { "type": "string", @@ -760,7 +760,7 @@ "type": "object", "properties": { "cpu": { - "type": "integer" + "type": ["integer", "string"] }, "memory": { "type": "string", @@ -1523,7 +1523,12 @@ "type": "object" }, "tunable": { - "type": "object" + "type": "object", + "additionalProperties": true, + "properties": { + "log_retention_ms": {"type": "integer"}, + "group_initial_rebalance_delay": {"type": "integer"} + } }, "node": { "type": "object" @@ -1637,6 +1642,14 @@ "type": ["integer", "null"] } } + }, + "tests": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } } } } 
diff --git a/charts/redpanda/redpanda/values.yaml b/charts/redpanda/redpanda/values.yaml index ece008e26..7c1cdeb87 100644 --- a/charts/redpanda/redpanda/values.yaml +++ b/charts/redpanda/redpanda/values.yaml @@ -1028,11 +1028,11 @@ config: # create_topic_timeout_ms: 2000ms # Timeout (ms) to wait for new topic creation # default_num_windows: 10 # Default number of quota tracking windows # default_window_sec: 1000ms # Default quota tracking window size in milliseconds - # log_retention_ms: 10080min # delete segments older than this (default 1 week) + # log_retention_ms: 6.048e+8 # delete segments older than this (default 1 week) # disable_batch_cache: false # Disable batch cache in log manager # fetch_reads_debounce_timeout: 1ms # Time to wait for next read in fetch request when requested min bytes wasn't reached # fetch_session_eviction_timeout_ms: 60s # Minimum time before which unused session will get evicted from sessions; Maximum time after which inactive session will be deleted is two time given configuration valuecache - # group_initial_rebalance_delay: 300ms # Extra delay (ms) added to rebalance phase to wait for new members + # group_initial_rebalance_delay: 300 # Extra delay (ms) added to rebalance phase to wait for new members # group_new_member_join_timeout: 30000ms # Timeout for new member joins # group_topic_partitions: 1 # Number of partitions in the internal group membership topic # id_allocator_batch_size: 1000 # ID allocator allocates messages in batches (each batch is a one log record) and then serves requests from memory without touching the log until the batch is exhausted @@ -1202,3 +1202,6 @@ config: # rpc_server: "127.0.0.1:33145" # IP address and port for RPC server # rpc_server_tls: validate # TLS configuration for RPC server # superusers: None # List of superuser usernames + +tests: + enabled: true 
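Review bot: The `log_retention_ms` example in the `@@ -1028,11 +1028,11 @@` hunk is now written as `6.048e+8`, which YAML parses as a float, while the `values.schema.json` hunk in the same commit declares `config.tunable.log_retention_ms` as an integer. A user who uncomments the example therefore passes a float through values and may see it re-rendered in exponent notation before it reaches Redpanda; I have not verified how Redpanda parses that form, so treat this as a caution rather than a confirmed failure. Writing the plain integer, `# log_retention_ms: 604800000 # delete segments older than this (default 1 week)`, matches the new schema entry and avoids the round trip. The `group_initial_rebalance_delay: 300` change on the next line already follows that convention.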
diff --git a/charts/speedscale/speedscale-operator/Chart.yaml b/charts/speedscale/speedscale-operator/Chart.yaml index 0706381f9..bd444f34f 100644 --- a/charts/speedscale/speedscale-operator/Chart.yaml +++ b/charts/speedscale/speedscale-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/release-name: speedscale-operator apiVersion: v1 -appVersion: 2.1.36 +appVersion: 2.1.92 description: Stress test your APIs with real world scenarios. Collect and replay traffic without scripting. home: https://speedscale.com @@ -24,4 +24,4 @@ maintainers: - email: support@speedscale.com name: Speedscale Support name: speedscale-operator -version: 2.1.3 +version: 2.1.8 diff --git a/charts/speedscale/speedscale-operator/README.md b/charts/speedscale/speedscale-operator/README.md index 7a596e919..fc52c2303 100644 --- a/charts/speedscale/speedscale-operator/README.md +++ b/charts/speedscale/speedscale-operator/README.md @@ -101,10 +101,10 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. -### Upgrade to 2.1.3 +### Upgrade to 2.1.8 ```bash -kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.1.3/templates/crds/trafficreplays.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.1.8/templates/crds/trafficreplays.yaml ``` ### Upgrade to 1.1.0 diff --git a/charts/speedscale/speedscale-operator/app-readme.md b/charts/speedscale/speedscale-operator/app-readme.md index 7a596e919..fc52c2303 100644 --- a/charts/speedscale/speedscale-operator/app-readme.md +++ b/charts/speedscale/speedscale-operator/app-readme.md 
@@ -101,10 +101,10 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. -### Upgrade to 2.1.3 +### Upgrade to 2.1.8 ```bash -kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.1.3/templates/crds/trafficreplays.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.1.8/templates/crds/trafficreplays.yaml ``` ### Upgrade to 1.1.0 diff --git a/charts/speedscale/speedscale-operator/templates/configmap.yaml b/charts/speedscale/speedscale-operator/templates/configmap.yaml index 6fecf2923..af735e288 100644 --- a/charts/speedscale/speedscale-operator/templates/configmap.yaml +++ b/charts/speedscale/speedscale-operator/templates/configmap.yaml @@ -38,3 +38,4 @@ data: PRIVILEGED_SIDECARS: {{ .Values.privilegedSidecars | quote }} DISABLE_SMARTDNS: {{ .Values.disableSidecarSmartReverseDNS | quote }} SIDECAR_CONFIG: {{ .Values.sidecar | toJson | quote }} + FORWARDER_CONFIG: {{ .Values.forwarder | toJson | quote }} diff --git a/charts/speedscale/speedscale-operator/templates/crds/trafficreplays.yaml b/charts/speedscale/speedscale-operator/templates/crds/trafficreplays.yaml index d4b47d2c9..213747b1b 100644 --- a/charts/speedscale/speedscale-operator/templates/crds/trafficreplays.yaml +++ b/charts/speedscale/speedscale-operator/templates/crds/trafficreplays.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.15.0 creationTimestamp: null name: trafficreplays.speedscale.com spec: 
@@ -62,8 +62,8 @@ spec: - none type: string collectLogs: - description: CollectLogs enables or disables log collection from target - workload. Defaults to true. + description: 'CollectLogs enables or disables log collection from + target workload. Defaults to true. DEPRECATED: use TestReport.ActualConfig.Cluster.CollectLogs' type: boolean configChecksum: description: ConfigChecksum, managed my the operator, is the SHA1 @@ -84,6 +84,9 @@ spec: - responder-only - generator-only type: string + needsReport: + description: Indicates whether a responder-only replay needs a report. + type: boolean proxyMode: description: ProxyMode defines proxy operational mode used with injected sidecar. DEPRECATED @@ -259,6 +262,13 @@ spec: - kind - name type: object + routing: + description: Routing configures how workloads route egress traffic + to responders + enum: + - hostalias + - nat + type: string sidecar: description: 'TODO: this is not implemented, come back and replace deprecated Sidecar with workload specific settings Sidecar @@ -435,5 +445,5 @@ status: acceptedNames: kind: "" plural: "" - conditions: null - storedVersions: null + conditions: [] + storedVersions: [] diff --git a/charts/speedscale/speedscale-operator/values.yaml b/charts/speedscale/speedscale-operator/values.yaml index c3ff09974..23b5a46e4 100644 --- a/charts/speedscale/speedscale-operator/values.yaml +++ b/charts/speedscale/speedscale-operator/values.yaml @@ -20,7 +20,7 @@ clusterName: "my-cluster" # Speedscale components image settings. image: registry: gcr.io/speedscale - tag: v2.1.36 + tag: v2.1.92 pullPolicy: Always # Log level for Speedscale components. @@ -120,3 +120,14 @@ operator: # tls_out: false # reinitialize_iptables: false sidecar: {} + +# Forwarder settings +# forwarder: +# resources: +# limits: +# cpu: 500m +# memory: 500M +# requests: +# cpu: 300m +# memory: 250M +forwarder: {} 
diff --git a/charts/stackstate/stackstate-k8s-agent/Chart.yaml b/charts/stackstate/stackstate-k8s-agent/Chart.yaml index 65ed8ea2a..a7b7f8be6 100644 --- a/charts/stackstate/stackstate-k8s-agent/Chart.yaml +++ b/charts/stackstate/stackstate-k8s-agent/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.19.0-0' catalog.cattle.io/release-name: stackstate-k8s-agent apiVersion: v2 -appVersion: 2.19.1 +appVersion: 3.0.0 dependencies: - alias: httpHeaderInjectorWebhook name: http-header-injector @@ -21,4 +21,4 @@ maintainers: - email: ops@stackstate.com name: Stackstate name: stackstate-k8s-agent -version: 1.0.70 +version: 1.0.76 diff --git a/charts/stackstate/stackstate-k8s-agent/README.md b/charts/stackstate/stackstate-k8s-agent/README.md index 0d2d27e9d..27dbffafd 100644 --- a/charts/stackstate/stackstate-k8s-agent/README.md +++ b/charts/stackstate/stackstate-k8s-agent/README.md @@ -2,7 +2,7 @@ Helm chart for the StackState Agent. -Current chart version is `1.0.70` +Current chart version is `1.0.76` **Homepage:** @@ -61,7 +61,7 @@ stackstate/stackstate-k8s-agent | checksAgent.enabled | bool | `true` | Enable / disable runnning cluster checks in a separately deployed pod | | checksAgent.image.pullPolicy | string | `"IfNotPresent"` | Default container image pull policy. | | checksAgent.image.repository | string | `"stackstate/stackstate-k8s-agent"` | Base container image repository. | -| checksAgent.image.tag | string | `"6f4db72d"` | Default container image tag. | +| checksAgent.image.tag | string | `"3bc9e882"` | Default container image tag. | | checksAgent.livenessProbe.enabled | bool | `true` | Enable use of livenessProbe check. | | checksAgent.livenessProbe.failureThreshold | int | `3` | `failureThreshold` for the liveness probe. | | checksAgent.livenessProbe.initialDelaySeconds | int | `15` | `initialDelaySeconds` for the liveness probe. | 
@@ -101,15 +101,20 @@ stackstate/stackstate-k8s-agent | clusterAgent.collection.kubernetesResources.daemonsets | bool | `true` | Enable / disable collection of DaemonSets. | | clusterAgent.collection.kubernetesResources.deployments | bool | `true` | Enable / disable collection of Deployments. | | clusterAgent.collection.kubernetesResources.endpoints | bool | `true` | Enable / disable collection of Endpoints. If endpoints are disabled then StackState won't be able to connect a Service to Pods that serving it | +| clusterAgent.collection.kubernetesResources.horizontalpodautoscalers | bool | `true` | Enable / disable collection of HorizontalPodAutoscalers. | | clusterAgent.collection.kubernetesResources.ingresses | bool | `true` | Enable / disable collection of Ingresses. | | clusterAgent.collection.kubernetesResources.jobs | bool | `true` | Enable / disable collection of Jobs. | +| clusterAgent.collection.kubernetesResources.limitranges | bool | `true` | Enable / disable collection of LimitRanges. | | clusterAgent.collection.kubernetesResources.namespaces | bool | `true` | Enable / disable collection of Namespaces. | | clusterAgent.collection.kubernetesResources.persistentvolumeclaims | bool | `true` | Enable / disable collection of PersistentVolumeClaims. Disabling these will not let StackState connect PersistentVolumes to pods they are attached to | | clusterAgent.collection.kubernetesResources.persistentvolumes | bool | `true` | Enable / disable collection of PersistentVolumes. | +| clusterAgent.collection.kubernetesResources.poddisruptionbudgets | bool | `true` | Enable / disable collection of PodDisruptionBudgets. | | clusterAgent.collection.kubernetesResources.replicasets | bool | `true` | Enable / disable collection of ReplicaSets. | +| clusterAgent.collection.kubernetesResources.replicationcontrollers | bool | `true` | Enable / disable collection of ReplicationControllers. 
| | clusterAgent.collection.kubernetesResources.resourcequotas | bool | `true` | Enable / disable collection of ResourceQuotas. | | clusterAgent.collection.kubernetesResources.secrets | bool | `true` | Enable / disable collection of Secrets. | | clusterAgent.collection.kubernetesResources.statefulsets | bool | `true` | Enable / disable collection of StatefulSets. | +| clusterAgent.collection.kubernetesResources.storageclasses | bool | `true` | Enable / disable collection of StorageClasses. | | clusterAgent.collection.kubernetesResources.volumeattachments | bool | `true` | Enable / disable collection of Volume Attachments. Used to bind Nodes to Persistent Volumes. | | clusterAgent.collection.kubernetesTimeout | int | `10` | Default timeout (in seconds) when obtaining information from the Kubernetes API. | | clusterAgent.collection.kubernetesTopology | bool | `true` | Enable / disable the cluster agent topology collection. | @@ -121,7 +126,7 @@ stackstate/stackstate-k8s-agent | clusterAgent.enabled | bool | `true` | Enable / disable the cluster agent. | | clusterAgent.image.pullPolicy | string | `"IfNotPresent"` | Default container image pull policy. | | clusterAgent.image.repository | string | `"stackstate/stackstate-k8s-cluster-agent"` | Base container image repository. | -| clusterAgent.image.tag | string | `"6f4db72d"` | Default container image tag. | +| clusterAgent.image.tag | string | `"3bc9e882"` | Default container image tag. | | clusterAgent.livenessProbe.enabled | bool | `true` | Enable use of livenessProbe check. | | clusterAgent.livenessProbe.failureThreshold | int | `3` | `failureThreshold` for the liveness probe. | | clusterAgent.livenessProbe.initialDelaySeconds | int | `15` | `initialDelaySeconds` for the liveness probe. | 
@@ -145,6 +150,7 @@ stackstate/stackstate-k8s-agent | clusterAgent.service.port | int | `5005` | Change the Cluster Agent service port | | clusterAgent.service.targetPort | int | `5005` | Change the Cluster Agent service targetPort | | clusterAgent.serviceaccount.annotations | object | `{}` | Annotations for the service account for the cluster agent pods | +| clusterAgent.skipSslValidation | bool | `false` | If true, ignores the server certificate being signed by an unknown authority. | | clusterAgent.strategy | object | `{"type":"RollingUpdate"}` | The strategy for the Deployment object. | | clusterAgent.tolerations | list | `[]` | Toleration labels for pod assignment. | | fullnameOverride | string | `""` | Override the fullname of the chart. | @@ -152,6 +158,8 @@ stackstate/stackstate-k8s-agent | global.extraEnv.secret | object | `{}` | Extra secret environment variables to inject into pods via a `Secret` object. | | global.imagePullCredentials | object | `{}` | Globally define credentials for pulling images. | | global.imagePullSecrets | list | `[]` | Secrets / credentials needed for container image registry. | +| global.proxy.url | string | `""` | Proxy for all traffic to stackstate | +| global.skipSslValidation | bool | `false` | Enable tls validation from client | | httpHeaderInjectorWebhook.enabled | bool | `false` | Enable the webhook for injection http header injection sidecar proxy | | logsAgent.affinity | object | `{}` | Affinity settings for pod assignment. | | logsAgent.enabled | bool | `true` | Enable / disable k8s pod log collection | 
@@ -165,6 +173,7 @@ stackstate/stackstate-k8s-agent | logsAgent.resources.requests.cpu | string | `"20m"` | Memory resource requests. | | logsAgent.resources.requests.memory | string | `"100Mi"` | | | logsAgent.serviceaccount.annotations | object | `{}` | Annotations for the service account for the daemonset pods | +| logsAgent.skipSslValidation | bool | `false` | If true, ignores the server certificate being signed by an unknown authority. | | logsAgent.tolerations | list | `[]` | Toleration labels for pod assignment. | | logsAgent.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":100},"type":"RollingUpdate"}` | The update strategy for the DaemonSet object. | | nameOverride | string | `""` | Override the name of the chart. | @@ -179,7 +188,7 @@ stackstate/stackstate-k8s-agent | nodeAgent.containers.agent.env | object | `{}` | Additional environment variables for the agent container | | nodeAgent.containers.agent.image.pullPolicy | string | `"IfNotPresent"` | Default container image pull policy. | | nodeAgent.containers.agent.image.repository | string | `"stackstate/stackstate-k8s-agent"` | Base container image repository. | -| nodeAgent.containers.agent.image.tag | string | `"6f4db72d"` | Default container image tag. | +| nodeAgent.containers.agent.image.tag | string | `"3bc9e882"` | Default container image tag. | | nodeAgent.containers.agent.livenessProbe.enabled | bool | `true` | Enable use of livenessProbe check. | | nodeAgent.containers.agent.livenessProbe.failureThreshold | int | `3` | `failureThreshold` for the liveness probe. | | nodeAgent.containers.agent.livenessProbe.initialDelaySeconds | int | `15` | `initialDelaySeconds` for the liveness probe. | 
@@ -203,7 +212,7 @@ stackstate/stackstate-k8s-agent | nodeAgent.containers.processAgent.image.pullPolicy | string | `"IfNotPresent"` | Process-agent container image pull policy. | | nodeAgent.containers.processAgent.image.registry | string | `nil` | | | nodeAgent.containers.processAgent.image.repository | string | `"stackstate/stackstate-k8s-process-agent"` | Process-agent container image repository. | -| nodeAgent.containers.processAgent.image.tag | string | `"432a2730"` | Default process-agent container image tag. | +| nodeAgent.containers.processAgent.image.tag | string | `"2df5d4d6"` | Default process-agent container image tag. | | nodeAgent.containers.processAgent.logLevel | string | `nil` | Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off # If not set, fall back to the value of agent.logLevel. | | nodeAgent.containers.processAgent.procVolumeReadOnly | bool | `true` | Configure whether /host/proc is read only for the process agent container | | nodeAgent.containers.processAgent.resources.limits.cpu | string | `"125m"` | Memory resource limits. | diff --git a/charts/stackstate/stackstate-k8s-agent/templates/_container-agent.yaml b/charts/stackstate/stackstate-k8s-agent/templates/_container-agent.yaml index 033ca11ec..ab3967c74 100644 --- a/charts/stackstate/stackstate-k8s-agent/templates/_container-agent.yaml +++ b/charts/stackstate/stackstate-k8s-agent/templates/_container-agent.yaml @@ -79,8 +79,9 @@ value: {{ .Values.processAgent.checkIntervals.process | quote }} - name: STS_PROCESS_AGENT_URL value: {{ include "stackstate-k8s-agent.stackstate.url" . }} + - name: STS_SKIP_SSL_VALIDATION - value: {{ .Values.nodeAgent.skipSslValidation | quote }} + value: {{ or .Values.global.skipSslValidation .Values.nodeAgent.skipSslValidation | quote }} - name: STS_SKIP_KUBELET_TLS_VERIFY value: {{ .Values.nodeAgent.skipKubeletTLSVerify | quote }} - name: STS_STS_URL 
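Review bot: The new `or .Values.global.skipSslValidation .Values.nodeAgent.skipSslValidation` expression in the `@@ -79,8 +79,9 @@` hunk means a component can only widen the exemption: once `global.skipSslValidation` is `true`, setting `nodeAgent.skipSslValidation: false` no longer restores certificate verification, and this commit repeats the same pattern for the process, checks, cluster and logs agents. Since `STS_SKIP_SSL_VALIDATION` turns off verification of the StackState endpoint the agents authenticate to (the logs-agent config in this commit shows the API key being sent on that connection), the precedence deserves to be stated where the value is set. A comment such as `# global.skipSslValidation -- If true, disables TLS certificate verification for every agent's connection to StackState; a per-agent skipSslValidation: false cannot re-enable it` next to the global key would make the trade-off explicit. The container definition this env list belongs to starts before the hunk.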
@@ -89,9 +90,11 @@ - name: STS_CRI_SOCKET_PATH value: {{ .Values.nodeAgent.containerRuntime.customSocketPath }} {{- end }} - {{- range $key, $value := .Values.nodeAgent.containers.agent.env }} - - name: {{ $key }} - value: {{ $value | quote }} + {{- if .Values.global.proxy.url }} + - name: STS_PROXY_HTTPS + value: {{ .Values.global.proxy.url | quote }} + - name: STS_PROXY_HTTP + value: {{ .Values.global.proxy.url | quote }} {{- end }} {{- range $key, $value := .Values.global.extraEnv.open }} - name: {{ $key }} @@ -104,6 +107,10 @@ name: {{ include "stackstate-k8s-agent.fullname" . }} key: {{ $key }} {{- end }} + {{- range $key, $value := .Values.nodeAgent.containers.agent.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} {{- if .Values.nodeAgent.containers.agent.livenessProbe.enabled }} livenessProbe: httpGet: diff --git a/charts/stackstate/stackstate-k8s-agent/templates/_container-process-agent.yaml b/charts/stackstate/stackstate-k8s-agent/templates/_container-process-agent.yaml index fa6ceb592..367274d45 100644 --- a/charts/stackstate/stackstate-k8s-agent/templates/_container-process-agent.yaml +++ b/charts/stackstate/stackstate-k8s-agent/templates/_container-process-agent.yaml @@ -76,7 +76,7 @@ - name: STS_PROCESS_AGENT_URL value: {{ include "stackstate-k8s-agent.stackstate.url" . }} - name: STS_SKIP_SSL_VALIDATION - value: {{ .Values.nodeAgent.skipSslValidation | quote }} + value: {{ or .Values.global.skipSslValidation .Values.nodeAgent.skipSslValidation | quote }} - name: STS_SKIP_KUBELET_TLS_VERIFY value: {{ .Values.nodeAgent.skipKubeletTLSVerify | quote }} - name: STS_STS_URL 
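Review bot: Moving the `nodeAgent.containers.agent.env` loop from the `@@ -89,9 +90,11 @@` hunk down to the `@@ -104,6 +107,10 @@` hunk, below `global.extraEnv` and the new `STS_PROXY_HTTP`/`STS_PROXY_HTTPS` entries, changes which value wins when a user sets the same name in both places. If the intent is that per-container `env` overrides the global and proxy defaults, that relies on last-entry-wins for duplicate `env` names in the pod spec, which Kubernetes tolerates but, as far as I know, flags with a warning; the same reordering is made in `_container-process-agent.yaml` in this commit. A template comment at the new position, `{{- /* container env last so it overrides global extraEnv and the proxy defaults */ -}}`, would record the intended precedence. The container definition starts before the hunk, so I cannot see whether any earlier entry already collides with these names.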
@@ -87,9 +87,11 @@ - name: STS_CRI_SOCKET_PATH value: {{ .Values.nodeAgent.containerRuntime.customSocketPath }} {{- end }} - {{- range $key, $value := .Values.nodeAgent.containers.processAgent.env }} - - name: {{ $key }} - value: {{ $value | quote }} + {{- if .Values.global.proxy.url }} + - name: STS_PROXY_HTTPS + value: {{ .Values.global.proxy.url | quote }} + - name: STS_PROXY_HTTP + value: {{ .Values.global.proxy.url | quote }} {{- end }} {{- range $key, $value := .Values.global.extraEnv.open }} - name: {{ $key }} @@ -102,6 +104,10 @@ name: {{ include "stackstate-k8s-agent.fullname" . }} key: {{ $key }} {{- end }} + {{- range $key, $value := .Values.nodeAgent.containers.processAgent.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} {{- with .Values.nodeAgent.containers.processAgent.resources }} resources: {{- toYaml . | nindent 12 }} diff --git a/charts/stackstate/stackstate-k8s-agent/templates/checks-agent-deployment.yaml b/charts/stackstate/stackstate-k8s-agent/templates/checks-agent-deployment.yaml index 4530fc616..16cf08292 100644 --- a/charts/stackstate/stackstate-k8s-agent/templates/checks-agent-deployment.yaml +++ b/charts/stackstate/stackstate-k8s-agent/templates/checks-agent-deployment.yaml @@ -90,9 +90,15 @@ spec: - name: STS_PROCESS_AGENT_ENABLED value: "false" - name: STS_SKIP_SSL_VALIDATION - value: {{ .Values.checksAgent.skipSslValidation | quote }} + value: {{ or .Values.global.skipSslValidation .Values.checksAgent.skipSslValidation | quote }} - name: STS_STS_URL value: {{ include "stackstate-k8s-agent.stackstate.url" . }} + {{- if .Values.global.proxy.url }} + - name: STS_PROXY_HTTPS + value: {{ .Values.global.proxy.url | quote }} + - name: STS_PROXY_HTTP + value: {{ .Values.global.proxy.url | quote }} + {{- end }} {{- range $key, $value := .Values.global.extraEnv.open }} - name: {{ $key }} value: {{ $value | quote }} 
diff --git a/charts/stackstate/stackstate-k8s-agent/templates/cluster-agent-clusterrole.yaml b/charts/stackstate/stackstate-k8s-agent/templates/cluster-agent-clusterrole.yaml index 6a7b27d18..c329c77b2 100644 --- a/charts/stackstate/stackstate-k8s-agent/templates/cluster-agent-clusterrole.yaml +++ b/charts/stackstate/stackstate-k8s-agent/templates/cluster-agent-clusterrole.yaml @@ -100,6 +100,49 @@ rules: {{- if $kubeRes.volumeattachments }} - volumeattachments {{- end }} + {{- if $kubeRes.storageclasses }} + - storageclasses + {{- end }} + verbs: + - get + - list + - watch +- apiGroups: + - "policy" + resources: + {{- if $kubeRes.poddisruptionbudgets }} + - poddisruptionbudgets + {{- end }} + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + {{- if $kubeRes.replicationcontrollers }} + - replicationcontrollers + {{- end }} + verbs: + - get + - list + - watch +- apiGroups: + - "autoscaling" + resources: + {{- if $kubeRes.horizontalpodautoscalers }} + - horizontalpodautoscalers + {{- end }} + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + {{- if $kubeRes.limitranges }} + - limitranges + {{- end }} verbs: - get - list diff --git a/charts/stackstate/stackstate-k8s-agent/templates/cluster-agent-deployment.yaml b/charts/stackstate/stackstate-k8s-agent/templates/cluster-agent-deployment.yaml index 60c50803a..57b688831 100644 --- a/charts/stackstate/stackstate-k8s-agent/templates/cluster-agent-deployment.yaml +++ b/charts/stackstate/stackstate-k8s-agent/templates/cluster-agent-deployment.yaml @@ -75,6 +75,8 @@ spec: value: {{.Values.stackstate.cluster.name | quote }} - name: STS_SKIP_VALIDATE_CLUSTERNAME value: "true" + - name: STS_SKIP_SSL_VALIDATION + value: {{ or .Values.global.skipSslValidation .Values.clusterAgent.skipSslValidation | quote }} - name: STS_COLLECT_KUBERNETES_METRICS value: {{ .Values.clusterAgent.collection.kubernetesMetrics | quote }} - name: STS_COLLECT_KUBERNETES_TIMEOUT 
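Review bot: Each of the four new rules in the `@@ -100,6 +100,49 @@` hunk of `cluster-agent-clusterrole.yaml` has a single, conditionally rendered resource, so setting e.g. `clusterAgent.collection.kubernetesResources.poddisruptionbudgets: false` renders a rule whose `resources:` list is empty, and RBAC validation rejects a rule with no resources — a collection toggle becomes a failed install. Wrap the whole rule in the condition rather than only its resource entry, e.g. `{{- if $kubeRes.poddisruptionbudgets }}` before `- apiGroups:` and `{{- end }}` after the verbs, and likewise for `replicationcontrollers`, `horizontalpodautoscalers` and `limitranges`. The two new `""`-group rules could also be merged into one to keep the role readable. The `storageclasses` entry is appended to a list that starts before the hunk, so I cannot tell whether that list can be emptied the same way.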
@@ -93,6 +95,12 @@ spec: - name: STS_CONFIGMAP_MAX_DATASIZE value: {{ .Values.clusterAgent.config.configMap.maxDataSize | quote }} {{- end}} + {{- if .Values.global.proxy.url }} + - name: STS_PROXY_HTTPS + value: {{ .Values.global.proxy.url | quote }} + - name: STS_PROXY_HTTP + value: {{ .Values.global.proxy.url | quote }} + {{- end }} {{- range $key, $value := .Values.global.extraEnv.open }} - name: {{ $key }} value: {{ $value | quote }} diff --git a/charts/stackstate/stackstate-k8s-agent/templates/logs-agent-configmap.yaml b/charts/stackstate/stackstate-k8s-agent/templates/logs-agent-configmap.yaml index c934777ef..1f1170aaa 100644 --- a/charts/stackstate/stackstate-k8s-agent/templates/logs-agent-configmap.yaml +++ b/charts/stackstate/stackstate-k8s-agent/templates/logs-agent-configmap.yaml @@ -16,6 +16,12 @@ data: - url: {{ tpl .Values.stackstate.url . }}/logs/k8s?api_key=${STS_API_KEY} external_labels: sts_cluster_name: {{ .Values.stackstate.cluster.name | quote }} + {{- if .Values.global.proxy.url }} + proxy_url: {{ .Values.global.proxy.url | quote }} + {{- end }} + tls_config: + insecure_skip_verify: {{ or .Values.global.skipSslValidation .Values.logsAgent.skipSslValidation }} + positions: filename: /tmp/positions.yaml diff --git a/charts/stackstate/stackstate-k8s-agent/values.yaml b/charts/stackstate/stackstate-k8s-agent/values.yaml index d90671fc0..a5e1ce39d 100644 --- a/charts/stackstate/stackstate-k8s-agent/values.yaml +++ b/charts/stackstate/stackstate-k8s-agent/values.yaml @@ -12,6 +12,11 @@ global: imagePullSecrets: [] # global.imagePullCredentials -- Globally define credentials for pulling images. imagePullCredentials: {} + proxy: + # global.proxy.url -- Proxy for all traffic to stackstate + url: "" + # global.skipSslValidation -- Enable tls validation from client + skipSslValidation: false # nameOverride -- Override the name of the chart. nameOverride: "" 
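Review bot: `insecure_skip_verify` in the `@@ -16,6 +16,12 @@` hunk of `logs-agent-configmap.yaml` sits directly under a client URL that carries `api_key=${STS_API_KEY}` as a query parameter, so enabling the new `logsAgent.skipSslValidation` or `global.skipSslValidation` flag lets anyone who can interpose on the path to StackState read the key, while the values comment only mentions an unknown certificate authority. Add a line above the block: `# insecure_skip_verify disables server certificate checks; the API key travels in the URL, so only enable this with a trusted private CA during setup`. The stray blank line inserted after the `tls_config` block before `positions:` looks unintended.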
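Review bot: The comment on the new `global.skipSslValidation` key in the `@@ -12,6 +12,11 @@ global:` hunk of `values.yaml` says `Enable tls validation from client`, which is the opposite of what the flag does: the templates in this commit feed it to `STS_SKIP_SSL_VALIDATION` and `insecure_skip_verify`, so `true` disables validation. The README table in this commit repeats that text verbatim, so the mistake propagates to users. Replace it with `# global.skipSslValidation -- If true, skip TLS certificate verification for all agents' connections to StackState (overrides the per-agent skipSslValidation flags)`. The `global.proxy.url` comment could likewise note that the same URL is used for both `STS_PROXY_HTTP` and `STS_PROXY_HTTPS`.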
@@ -99,7 +104,7 @@ nodeAgent: # nodeAgent.containers.agent.image.repository -- Base container image repository. repository: stackstate/stackstate-k8s-agent # nodeAgent.containers.agent.image.tag -- Default container image tag. - tag: "6f4db72d" + tag: "3bc9e882" # nodeAgent.containers.agent.image.pullPolicy -- Default container image pull policy. pullPolicy: IfNotPresent processAgent: @@ -158,7 +163,7 @@ nodeAgent: # nodeAgent.containers.processAgent.image.repository -- Process-agent container image repository. repository: stackstate/stackstate-k8s-process-agent # nodeAgent.containers.processAgent.image.tag -- Default process-agent container image tag. - tag: "432a2730" + tag: "2df5d4d6" # nodeAgent.containers.processAgent.image.pullPolicy -- Process-agent container image pull policy. pullPolicy: IfNotPresent # nodeAgent.containers.processAgent.env -- Additional environment variables for the process-agent container 
@@ -276,6 +281,16 @@ clusterAgent: ## for example tags.stackstate/version becomes tags_stackstate_version. annotationsAsTags: {} kubernetesResources: + # clusterAgent.collection.kubernetesResources.limitranges -- Enable / disable collection of LimitRanges. + limitranges: true + # clusterAgent.collection.kubernetesResources.horizontalpodautoscalers -- Enable / disable collection of HorizontalPodAutoscalers. + horizontalpodautoscalers: true + # clusterAgent.collection.kubernetesResources.replicationcontrollers -- Enable / disable collection of ReplicationControllers. + replicationcontrollers: true + # clusterAgent.collection.kubernetesResources.poddisruptionbudgets -- Enable / disable collection of PodDisruptionBudgets. + poddisruptionbudgets: true + # clusterAgent.collection.kubernetesResources.storageclasses -- Enable / disable collection of StorageClasses. + storageclasses: true # clusterAgent.collection.kubernetesResources.volumeattachments -- Enable / disable collection of Volume Attachments. Used to bind Nodes to Persistent Volumes. volumeattachments: true # clusterAgent.collection.kubernetesResources.namespaces -- Enable / disable collection of Namespaces. @@ -330,11 +345,14 @@ clusterAgent: # clusterAgent.enabled -- Enable / disable the cluster agent. enabled: true + # clusterAgent.skipSslValidation -- If true, ignores the server certificate being signed by an unknown authority. + skipSslValidation: false + image: # clusterAgent.image.repository -- Base container image repository. repository: stackstate/stackstate-k8s-cluster-agent # clusterAgent.image.tag -- Default container image tag. - tag: "6f4db72d" + tag: "3bc9e882" # clusterAgent.image.pullPolicy -- Default container image pull policy. pullPolicy: IfNotPresent 
@@ -414,6 +432,9 @@ logsAgent: # logsAgent.enabled -- Enable / disable k8s pod log collection enabled: true + # logsAgent.skipSslValidation -- If true, ignores the server certificate being signed by an unknown authority. + skipSslValidation: false + # logsAgent.priorityClassName -- Priority class for logsAgent pods. priorityClassName: "" @@ -486,7 +507,7 @@ checksAgent: # checksAgent.image.repository -- Base container image repository. repository: stackstate/stackstate-k8s-agent # checksAgent.image.tag -- Default container image tag. - tag: "6f4db72d" + tag: "3bc9e882" # checksAgent.image.pullPolicy -- Default container image pull policy. pullPolicy: IfNotPresent diff --git a/charts/trilio/k8s-triliovault-operator/Chart.yaml b/charts/trilio/k8s-triliovault-operator/Chart.yaml index d1283aa41..84aa55723 100644 --- a/charts/trilio/k8s-triliovault-operator/Chart.yaml +++ b/charts/trilio/k8s-triliovault-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.19.0-0' catalog.cattle.io/release-name: k8s-triliovault-operator apiVersion: v2 -appVersion: 4.0.1 +appVersion: 4.0.2 dependencies: - condition: observability.enabled name: observability @@ -21,4 +21,4 @@ maintainers: name: k8s-triliovault-operator sources: - https://github.com/trilioData/k8s-triliovault-operator -version: 4.0.1 +version: 4.0.2 diff --git a/charts/trilio/k8s-triliovault-operator/templates/clusterrole.yaml b/charts/trilio/k8s-triliovault-operator/templates/clusterrole.yaml index b7e6d433a..443e499d4 100644 --- a/charts/trilio/k8s-triliovault-operator/templates/clusterrole.yaml +++ b/charts/trilio/k8s-triliovault-operator/templates/clusterrole.yaml @@ -19,6 +19,7 @@ rules: - apiextensions.k8s.io resources: - customresourcedefinitions + - customresourcedefinitions/finalizers verbs: - create - update 
@@ -29,12 +30,18 @@ rules: resources: - serviceaccounts - services - - services/finalizers - secrets - events - pods - endpoints - configmaps + - secrets/finalizers + - events/finalizers + - pods/finalizers + - endpoints/finalizers + - configmaps/finalizers + - services/finalizers + - serviceaccounts/finalizers verbs: - create - update @@ -45,6 +52,8 @@ rules: resources: - validatingwebhookconfigurations - mutatingwebhookconfigurations + - validatingwebhookconfigurations/finalizers + - mutatingwebhookconfigurations/finalizers verbs: - create - update @@ -54,6 +63,7 @@ rules: - apps resources: - deployments + - deployments/finalizers verbs: - create - update @@ -66,6 +76,10 @@ rules: - clusterrolebindings - roles - rolebindings + - clusterroles/finalizers + - clusterrolebindings/finalizers + - roles/finalizers + - rolebindings/finalizers verbs: - create - update @@ -83,12 +97,14 @@ rules: - "" resources: - namespaces + - namespaces/finalizers verbs: - update - apiGroups: - batch resources: - cronjobs + - cronjobs/finalizers verbs: - create - delete @@ -98,6 +114,7 @@ rules: - batch resources: - jobs + - jobs/finalizers verbs: - create - delete @@ -105,6 +122,7 @@ rules: - policy resources: - poddisruptionbudgets + - poddisruptionbudgets/finalizers verbs: - create - update @@ -115,6 +133,8 @@ rules: resources: - ingresses - ingressclasses + - ingresses/finalizers + - ingressclasses/finalizers verbs: - create - patch @@ -126,9 +146,3 @@ rules: - ingresses/status verbs: - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - delete diff --git a/charts/trilio/k8s-triliovault-operator/values.yaml b/charts/trilio/k8s-triliovault-operator/values.yaml index 7fd49ceab..c37db86aa 100644 --- a/charts/trilio/k8s-triliovault-operator/values.yaml +++ b/charts/trilio/k8s-triliovault-operator/values.yaml 
@@ -4,7 +4,7 @@ operator-webhook-init: repository: operator-webhook-init k8s-triliovault-operator: repository: k8s-triliovault-operator -tag: "4.0.1" +tag: "4.0.2" # create image pull secrets and specify the name here. imagePullSecret: "" priorityClassName: "" @@ -183,8 +183,8 @@ podLabels: linkerd.io/inject: disabled relatedImages: tags: - tvk: "4.0.1" - event: "4.0.1" + tvk: "4.0.2" + event: "4.0.2" control-plane: image: "control-plane" metamover: diff --git a/index.yaml b/index.yaml index dcc8dd5d9..71f86aed6 100644 --- a/index.yaml +++ b/index.yaml 
@@ -80,6 +80,63 @@ entries: - assets/datawiza/access-broker-0.1.1.tgz version: 0.1.1 airflow: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Airflow + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: airflow + category: WorkFlow + images: | + - name: airflow + image: docker.io/bitnami/airflow:2.8.3-debian-12-r0 + - name: airflow-exporter + image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-12-r27 + - name: airflow-scheduler + image: docker.io/bitnami/airflow-scheduler:2.8.3-debian-12-r0 + - name: airflow-worker + image: docker.io/bitnami/airflow-worker:2.8.3-debian-12-r0 + - name: git + image: docker.io/bitnami/git:2.44.0-debian-12-r0 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r16 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 2.8.3 + created: "2024-03-15T00:32:08.981339764Z" + dependencies: + - condition: redis.enabled + name: redis + repository: file://./charts/redis + version: 18.x.x + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 14.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Airflow is a tool to express and execute workflows as directed + acyclic graphs (DAGs). It includes utilities to schedule tasks, monitor task + progress and handle task dependencies. + digest: e33a212163f10af3920e5e79e55f67970cfc0f0494ef9be71b7d456f53ae6fc0 + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/airflow-1.svg + keywords: + - apache + - airflow + - workflow + - dag + maintainers: + - name: VMware, Inc. 
+ url: https://github.com/bitnami/charts + name: airflow + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/airflow + urls: + - assets/bitnami/airflow-17.2.4.tgz + version: 17.2.4 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Airflow @@ -2755,7 +2812,7 @@ entries: - annotations: artifacthub.io/changes: | - kind: changed - description: Updated Redis image tag to 7.2.4 + description: Bump argo-cd to v2.10.3 artifacthub.io/signKey: | fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc @@ -2765,8 +2822,8 @@ entries: catalog.cattle.io/kube-version: '>=1.23.0-0' catalog.cattle.io/release-name: argo-cd apiVersion: v2 - appVersion: v2.10.1 - created: "2024-02-21T10:02:21.70978822Z" + appVersion: v2.10.3 + created: "2024-03-15T00:32:07.838872385Z" dependencies: - condition: redis-ha.enabled name: redis-ha 
@@ -2774,7 +2831,46 @@ entries: version: 4.26.1 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. - digest: 284d1eb097969b7e54b77d6f8998f74308c1be84d701eda6e9f8eca70018d513 + digest: f1c2eadccbf1096791a686f96eff45fd5017a4f6945a381c45cba077eaa019e5 + home: https://github.com/argoproj/argo-helm + icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png + keywords: + - argoproj + - argocd + - gitops + kubeVersion: '>=1.23.0-0' + maintainers: + - name: argoproj + url: https://argoproj.github.io/ + name: argo-cd + sources: + - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd + - https://github.com/argoproj/argo-cd + urls: + - assets/argo/argo-cd-6.7.2.tgz + version: 6.7.2 + - annotations: + artifacthub.io/changes: | + - kind: changed + description: Updated Redis image tag to 7.2.4 + artifacthub.io/signKey: | + fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 + url: https://argoproj.github.io/argo-helm/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Argo CD + catalog.cattle.io/kube-version: '>=1.23.0-0' + catalog.cattle.io/release-name: argo-cd + apiVersion: v2 + appVersion: v2.10.1 + created: "2024-03-15T00:31:38.700864091Z" + dependencies: + - condition: redis-ha.enabled + name: redis-ha + repository: file://./charts/redis-ha + version: 4.26.1 + description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery + tool for Kubernetes. + digest: 34ec082a8dbdb682146e29aa9095fc94548d6ce4b728d8cae0de0e1b384d3b66 home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png keywords: 
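Review bot: The re-inserted `argo-cd` entry for `appVersion: v2.10.1` carries `digest: 34ec082a8dbdb682146e29aa9095fc94548d6ce4b728d8cae0de0e1b384d3b66` with a new `created` timestamp, while the entry it replaces had `digest: 284d1eb097969b7e54b77d6f8998f74308c1be84d701eda6e9f8eca70018d513` for the same appVersion and the same changelog annotation; its `version` and `urls` lines are outside the hunk, but if this is the already-published chart version, a released package has been rebuilt in place and its digest changed. Consumers that verify charts against the index digest, or mirrors that treat index entries as immutable, will see that as a verification failure rather than a routine update. The `cost-analyzer` hunk later in this index shows the same pattern for `appVersion: 2.0.2` (`ed363aae…` replaced by `ef2e6392…`). Either republish under a new chart version or record in the commit message why an existing version was regenerated.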
@@ -6395,6 +6491,39 @@ entries: - assets/argo/argo-cd-5.8.0.tgz version: 5.8.0 artifactory-ha: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Artifactory HA + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: artifactory-ha + apiVersion: v2 + appVersion: 7.77.7 + created: "2024-03-15T00:32:13.553031538Z" + dependencies: + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 10.3.18 + description: Universal Repository Manager supporting all major packaging formats, + build tools and CI servers. + digest: 1f4b8aa46964e6596f7dea12e2823cb80b4b87dcd514803647c19f2d1f6de59f + home: https://www.jfrog.com/artifactory/ + icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-ha/logo/artifactory-logo.png + keywords: + - artifactory + - jfrog + - devops + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: installers@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-ha + sources: + - https://github.com/jfrog/charts + type: application + urls: + - assets/jfrog/artifactory-ha-107.77.7.tgz + version: 107.77.7 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Artifactory HA 
@@ -7907,6 +8036,40 @@ entries: - assets/jfrog/artifactory-ha-3.0.1400.tgz version: 3.0.1400 artifactory-jcr: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Container Registry + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: artifactory-jcr + apiVersion: v2 + appVersion: 7.77.7 + created: "2024-03-15T00:32:13.901944538Z" + dependencies: + - name: artifactory + repository: file://./charts/artifactory + version: 107.77.7 + description: JFrog Container Registry + digest: 3979f8c384f3e36d6b90587a2f8a248e37f241f8cb323671b1e94207ae959577 + home: https://jfrog.com/container-registry/ + icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png + keywords: + - artifactory + - jfrog + - container + - registry + - devops + - jfrog-container-registry + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: helm@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-jcr + sources: + - https://github.com/jfrog/charts + type: application + urls: + - assets/jfrog/artifactory-jcr-107.77.7.tgz + version: 107.77.7 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Container Registry 
@@ -12010,6 +12173,48 @@ entries: - assets/asserts/asserts-1.6.0.tgz version: 1.6.0 cassandra: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Cassandra + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: cassandra + category: Database + images: | + - name: cassandra + image: docker.io/bitnami/cassandra:4.1.4-debian-12-r4 + - name: cassandra-exporter + image: docker.io/bitnami/cassandra-exporter:2.3.8-debian-12-r17 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r16 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 4.1.4 + created: "2024-03-15T00:32:09.000527825Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Cassandra is an open source distributed database management + system designed to handle large amounts of data across many servers, providing + high availability with no single point of failure. + digest: 3424bcb53a5196818eddce3d112c186f1e68057d286bdbf9851cd9ef55c693cd + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/cassandra-4.svg + keywords: + - cassandra + - database + - nosql + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: cassandra + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/cassandra + urls: + - assets/bitnami/cassandra-10.12.1.tgz + version: 10.12.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Cassandra 
@@ -13468,6 +13673,40 @@ entries: - assets/bitnami/cassandra-9.7.3.tgz version: 9.7.3 cert-manager: + - annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E + url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: cert-manager + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/namespace: cert-manager + catalog.cattle.io/release-name: cert-manager + apiVersion: v1 + appVersion: v1.14.4 + created: "2024-03-15T00:32:11.471194291Z" + description: A Helm chart for cert-manager + digest: f5652e1ed861b9d6f753c6164cdd24f6f954a5ae3e5baaecbb61b14db54429a4 + home: https://github.com/cert-manager/cert-manager + icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png + keywords: + - cert-manager + - kube-lego + - letsencrypt + - tls + kubeVersion: '>= 1.22.0-0' + maintainers: + - email: cert-manager-maintainers@googlegroups.com + name: cert-manager-maintainers + url: https://cert-manager.io + name: cert-manager + sources: + - https://github.com/cert-manager/cert-manager + urls: + - assets/cert-manager/cert-manager-v1.14.4.tgz + version: v1.14.4 - annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/prerelease: "false" 
@@ -14916,6 +15155,34 @@ entries: - assets/citrix/citrix-ingress-controller-1.19.600.tgz version: 1.19.600 cloudcasa: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: CloudCasa + catalog.cattle.io/kube-version: '>=1.20.0-0' + catalog.cattle.io/release-name: cloudcasa + apiVersion: v2 + appVersion: 3.1.0 + created: "2024-03-15T00:32:11.544723566Z" + description: CloudCasa backup service for Kubernetes and cloud-native applications. + Offering CloudCasa Pro and CloudCasa Velero management services. + digest: 219b3b18015c8538664466b2aaf102ea23613859960f1aec716d8e3ebb280619 + home: https://cloudcasa.io + icon: https://partner-charts.rancher.io/assets/logos/cloudcasa.png + keywords: + - backup + - restore + - migration + - catalogic + - cloudcasa + - velero + kubeVersion: '>=1.20.0-0' + maintainers: + - email: support@cloudcasa.io + name: CloudCasa Support + name: cloudcasa + urls: + - assets/cloudcasa/cloudcasa-3.4.2.tgz + version: 3.4.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: CloudCasa 
@@ -15147,6 +15414,27 @@ entries: - assets/cloudcasa/cloudcasa-0.1.000.tgz version: 0.1.000 cockroachdb: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: CockroachDB + catalog.cattle.io/kube-version: '>=1.8-0' + catalog.cattle.io/release-name: cockroachdb + apiVersion: v1 + appVersion: 23.2.2 + created: "2024-03-15T00:32:11.593395432Z" + description: CockroachDB is a scalable, survivable, strongly-consistent SQL database. + digest: c14645ce54d317f23d07b0d8cca42fdccd3488d98b7a35809ecf13f43a7927d8 + home: https://www.cockroachlabs.com + icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png + maintainers: + - email: helm-charts@cockroachlabs.com + name: cockroachlabs + name: cockroachdb + sources: + - https://github.com/cockroachdb/cockroach + urls: + - assets/cockroach-labs/cockroachdb-12.0.2.tgz + version: 12.0.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: CockroachDB 
@@ -16449,6 +16737,47 @@ entries: - assets/confluent/confluent-for-kubernetes-0.174.2101.tgz version: 0.174.2101 consul: + - annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.18.0 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.4.0 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.4.0 + - name: envoy + image: envoyproxy/envoy:v1.25.11 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul + apiVersion: v2 + appVersion: 1.18.0 + created: "2024-03-15T00:32:12.974982975Z" + description: Official HashiCorp Consul Chart + digest: fc09e68dfc9ae7aa6c388db8f1e336e65976174584b33383ec97e276f37f7b01 + home: https://www.consul.io + icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png + kubeVersion: '>=1.22.0-0' + name: consul + sources: + - https://github.com/hashicorp/consul + - https://github.com/hashicorp/consul-k8s + urls: + - assets/hashicorp/consul-1.4.0.tgz + version: 1.4.0 - annotations: artifacthub.io/images: | - name: consul 
@@ -17243,11 +17572,29 @@ entries: catalog.cattle.io/featured: "1" catalog.cattle.io/release-name: cost-analyzer apiVersion: v2 - appVersion: 2.0.2 - created: "2024-02-09T14:31:36.181461841Z" + appVersion: 2.1.1 + created: "2024-03-15T00:32:28.020881641Z" description: A Helm chart that sets up Kubecost, Prometheus, and Grafana to monitor cloud costs. - digest: ed363aae17afbde55bace477a1828d21c971127c99d0cd567ed65673f8ea0edc + digest: 2e35cc466afbbd833875a1cafd9961df41b618f7629537578c030f8bccf979f9 + icon: https://partner-charts.rancher.io/assets/logos/kubecost.png + name: cost-analyzer + urls: + - assets/kubecost/cost-analyzer-2.1.1.tgz + version: 2.1.1 + - annotations: + artifacthub.io/links: | + - name: Homepage + url: https://www.kubecost.com + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kubecost + catalog.cattle.io/release-name: cost-analyzer + apiVersion: v2 + appVersion: 2.0.2 + created: "2024-03-15T00:32:15.033534144Z" + description: A Helm chart that sets up Kubecost, Prometheus, and Grafana to monitor + cloud costs. + digest: ef2e6392e4a02784020e9b7ec15bc76bf53e432059bf373c5ce38db76199aaf6 icon: https://partner-charts.rancher.io/assets/logos/kubecost.png name: cost-analyzer urls: 
@@ -18248,6 +18595,28 @@ entries: - assets/kubecost/cost-analyzer-1.70.000.tgz version: 1.70.000 crate-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: CrateDB Operator + catalog.cattle.io/release-name: crate-operator + apiVersion: v2 + appVersion: 2.38.1 + created: "2024-03-15T00:32:11.740483973Z" + dependencies: + - condition: crate-operator-crds.enabled + name: crate-operator-crds + repository: file://./charts/crate-operator-crds + version: 2.38.1 + description: Crate Operator - Helm chart for installing and upgrading Crate Operator. + digest: 7418fa6429eb85609cbe3fec76cf2a4859162407fabbcf355e7bbb7299091d0d + icon: https://raw.githubusercontent.com/crate/crate/master/docs/_static/crate-logo.svg + maintainers: + - name: Crate.io + name: crate-operator + type: application + urls: + - assets/crate/crate-operator-2.38.1.tgz + version: 2.38.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: CrateDB Operator 
@@ -19336,6 +19705,32 @@ entries: - assets/dell/csi-unity-2.4.0.tgz version: 2.4.0 csi-vxflexos: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dell CSI PowerFlex + catalog.cattle.io/kube-version: '>= 1.21.0 < 1.29.0' + catalog.cattle.io/namespace: vxflexos + catalog.cattle.io/release-name: vxflexos + apiVersion: v2 + appVersion: 2.9.2 + created: "2024-03-15T00:32:12.39460703Z" + description: 'VxFlex OS CSI (Container Storage Interface) driver Kubernetes integration. + This chart includes everything required to provision via CSI as well as a VxFlex + OS StorageClass. ' + digest: 1f3e28e73faed3ed978277bc81f495e6dd575b4210b4194f073cab0a0ecd2f84 + icon: https://partner-charts.rancher.io/assets/logos/dell.png + keywords: + - csi + - storage + kubeVersion: '>= 1.21.0 < 1.29.0' + maintainers: + - name: DellEMC + name: csi-vxflexos + sources: + - https://github.com/dell/csi-vxflexos + urls: + - assets/dell/csi-vxflexos-2.9.2.tgz + version: 2.9.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerFlex 
@@ -20010,6 +20405,43 @@ entries: - assets/weka/csi-wekafsplugin-0.6.400.tgz version: 0.6.400 datadog: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Datadog + catalog.cattle.io/kube-version: '>=1.10-0' + catalog.cattle.io/release-name: datadog + apiVersion: v1 + appVersion: "7" + created: "2024-03-15T00:32:12.275415838Z" + dependencies: + - condition: clusterAgent.metricsProvider.useDatadogMetrics + name: datadog-crds + repository: https://helm.datadoghq.com + tags: + - install-crds + version: 1.0.1 + - condition: datadog.kubeStateMetricsEnabled + name: kube-state-metrics + repository: https://prometheus-community.github.io/helm-charts + version: 2.13.2 + description: Datadog Agent + digest: 5d04cbd5233f1f41c0211915bb9c1736b1a69fd9ea4109df849563550b2d301a + home: https://www.datadoghq.com + icon: https://datadog-live.imgix.net/img/dd_logo_70x75.png + keywords: + - monitoring + - alerting + - metric + maintainers: + - email: support@datadoghq.com + name: Datadog + name: datadog + sources: + - https://app.datadoghq.com/account/settings#agent/kubernetes + - https://github.com/DataDog/datadog-agent + urls: + - assets/datadog/datadog-3.57.3.tgz + version: 3.57.3 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Datadog 
@@ -23102,6 +23534,39 @@ entries: - assets/datadog/datadog-2.4.200.tgz version: 2.4.200 datadog-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Datadog Operator + catalog.cattle.io/release-name: datadog-operator + apiVersion: v2 + appVersion: 1.4.0 + created: "2024-03-15T00:32:12.368245852Z" + dependencies: + - alias: datadogCRDs + condition: installCRDs + name: datadog-crds + repository: file://./charts/datadog-crds + tags: + - install-crds + version: =1.4.0 + description: Datadog Operator + digest: 56dd826fa89c31c98dd0c5d4273d8d60a358beace5c801bb04d8654f43e0c6e4 + home: https://www.datadoghq.com + icon: https://datadog-live.imgix.net/img/dd_logo_70x75.png + keywords: + - monitoring + - alerting + - metric + maintainers: + - email: support@datadoghq.com + name: Datadog + name: datadog-operator + sources: + - https://app.datadoghq.com/account/settings#agent/kubernetes + - https://github.com/DataDog/datadog-agent + urls: + - assets/datadog/datadog-operator-1.5.1.tgz + version: 1.5.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Datadog Operator 
@@ -25505,6 +25970,38 @@ entries: - assets/f5/f5-bigip-ctlr-0.0.1901.tgz version: 0.0.1901 falcon-sensor: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: CrowdStrike Falcon Platform + catalog.cattle.io/kube-version: '>1.22.0-0' + catalog.cattle.io/release-name: falcon-sensor + apiVersion: v2 + appVersion: 1.26.1 + created: "2024-03-15T00:32:11.762140582Z" + description: A Helm chart to deploy CrowdStrike Falcon sensors into Kubernetes + clusters. + digest: 75e8ebf0eb7a0064b560be3586d2e779a9f2a31c0f0e9e6e78ebaaea3170f0bd + home: https://crowdstrike.com + icon: https://raw.githubusercontent.com/CrowdStrike/falcon-helm/main/images/crowdstrike-logo.svg + keywords: + - CrowdStrike + - Falcon + - EDR + - kubernetes + - security + - monitoring + - alerting + kubeVersion: '>1.22.0-0' + maintainers: + - email: integrations@crowdstrike.com + name: CrowdStrike Solutions Architecture + name: falcon-sensor + sources: + - https://github.com/CrowdStrike/falcon-helm + type: application + urls: + - assets/crowdstrike/falcon-sensor-1.26.1.tgz + version: 1.26.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: CrowdStrike Falcon Platform 
@@ -28505,6 +29002,34 @@ entries: - assets/gopaddle/gopaddle-4.2.5.tgz version: 4.2.5 haproxy: + - annotations: + artifacthub.io/changes: | + - Use Ingress Controller 1.11.0 version for base image + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy + apiVersion: v2 + appVersion: 1.11.0 + created: "2024-03-15T00:32:12.814337049Z" + description: A Helm chart for HAProxy Kubernetes Ingress Controller + digest: 83f9a2d22af81f5413ff5c8f7c3b7b88f7de3aa2700d21b9f2e74f27bdc7a8d3 + home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png + keywords: + - ingress + - haproxy + kubeVersion: '>=1.22.0-0' + maintainers: + - email: dkorunic@haproxy.com + name: Dinko Korunic + name: haproxy + sources: + - https://github.com/haproxytech/kubernetes-ingress + type: application + urls: + - assets/haproxy/haproxy-1.38.2.tgz + version: 1.38.2 - annotations: artifacthub.io/changes: | - Allow setting hostIP for daemonset (#220) 
@@ -29999,6 +30524,49 @@ entries: - assets/hpe/hpe-array-exporter-1.0.1.tgz version: 1.0.1 hpe-csi-driver: + - annotations: + artifacthub.io/category: storage + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Release Highlights + url: https://scod.hpedev.io/csi_driver/index.html#latest_release + - name: Release Notes + url: https://github.com/hpe-storage/csi-driver/tree/master/release-notes + - name: Documentation + url: https://scod.hpedev.io/csi_driver + - name: Chart Source + url: https://github.com/hpe-storage/co-deployments + artifacthub.io/prerelease: "false" + artifacthub.io/recommendations: | + - url: https://artifacthub.io/packages/olm/community-operators/hpe-csi-operator + - url: https://artifacthub.io/packages/helm/hpe-storage/hpe-csi-info-metrics + - url: https://artifacthub.io/packages/helm/hpe-storage/hpe-array-exporter + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HPE CSI Driver for Kubernetes + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/namespace: hpe-storage + catalog.cattle.io/release-name: hpe-csi-driver + apiVersion: v1 + appVersion: 2.4.1 + created: "2024-03-15T00:32:12.99945583Z" + description: A Helm chart for installing the HPE CSI Driver for Kubernetes + digest: 67108baaa7c56cc96f8f0842c305a603c976fbd313547e28f0d8cb937a400870 + home: https://hpe.com/storage/containers + icon: https://raw.githubusercontent.com/hpe-storage/co-deployments/master/docs/assets/hpedev.png + keywords: + - HPE + - Storage + - CSI + maintainers: + - email: dev-hi-containers@hpe.com + name: datamattsson + name: hpe-csi-driver + sources: + - https://github.com/hpe-storage/csi-driver + urls: + - assets/hpe/hpe-csi-driver-2.4.1.tgz + version: 2.4.1 - annotations: artifacthub.io/category: storage artifacthub.io/containsSecurityUpdates: "true" 
@@ -30326,6 +30894,36 @@ entries: - assets/hpe/hpe-csi-info-metrics-1.0.1.tgz version: 1.0.1 instana-agent: + - annotations: + artifacthub.io/links: | + - name: Instana website + url: https://www.instana.com + - name: Instana Helm charts + url: https://github.com/instana/helm-charts + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Instana Agent + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: instana-agent + apiVersion: v2 + appVersion: 1.268.0 + created: "2024-03-15T00:32:13.051189573Z" + description: Instana Agent for Kubernetes + digest: a13ba5375492f47ae0e7f57e00fe576f9aef26462835155db3a2e0faaba13fd3 + home: https://www.instana.com/ + icon: https://agents.instana.io/helm/stan-logo-2020.png + maintainers: + - email: felix.marx@ibm.com + name: FelixMarxIBM + - email: henning.treu@ibm.com + name: htreu + - email: torsten.kohn@ibm.com + name: tkohn + name: instana-agent + sources: + - https://github.com/instana/instana-agent-docker + urls: + - assets/instana/instana-agent-1.2.71.tgz + version: 1.2.71 - annotations: artifacthub.io/links: | - name: Instana website 
@@ -31658,6 +32256,63 @@ entries: - assets/jaeger/jaeger-operator-2.36.0.tgz version: 2.36.0 jenkins: + - annotations: + artifacthub.io/category: integration-delivery + artifacthub.io/changes: | + - Add `agent.restrictedPssSecurityContext` to automatically inject in the jnlp container a securityContext that is suitable for the use of the restricted Pod Security Standard + artifacthub.io/images: | + - name: jenkins + image: docker.io/jenkins/jenkins:2.440.1-jdk17 + - name: k8s-sidecar + image: docker.io/kiwigrid/k8s-sidecar:1.26.1 + - name: inbound-agent + image: jenkins/inbound-agent:3206.vb_15dcf73f6a_9-3 + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/jenkinsci/helm-charts/tree/main/charts/jenkins + - name: Jenkins + url: https://www.jenkins.io/ + - name: support + url: https://github.com/jenkinsci/helm-charts/issues + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Jenkins + catalog.cattle.io/kube-version: '>=1.14-0' + catalog.cattle.io/release-name: jenkins + apiVersion: v2 + appVersion: 2.440.1 + created: "2024-03-15T00:32:13.230549232Z" + description: 'Jenkins - Build great things at any scale! As the leading open source + automation server, Jenkins provides over 1800 plugins to support building, deploying + and automating any project. 
' + digest: 03421a97251101e25f33929579e4927d3187222dffe6ed3a2697a188e4042334 + home: https://www.jenkins.io/ + icon: https://get.jenkins.io/art/jenkins-logo/logo.svg + keywords: + - jenkins + - ci + - devops + maintainers: + - email: maor.friedman@redhat.com + name: maorfr + - email: mail@torstenwalter.de + name: torstenwalter + - email: garridomota@gmail.com + name: mogaal + - email: wmcdona89@gmail.com + name: wmcdona89 + - email: timjacomb1@gmail.com + name: timja + name: jenkins + sources: + - https://github.com/jenkinsci/jenkins + - https://github.com/jenkinsci/docker-inbound-agent + - https://github.com/maorfr/kube-tasks + - https://github.com/jenkinsci/configuration-as-code-plugin + type: application + urls: + - assets/jenkins/jenkins-5.1.0.tgz + version: 5.1.0 - annotations: artifacthub.io/category: integration-delivery artifacthub.io/changes: | 
@@ -34045,6 +34700,34 @@ entries: - assets/jenkins/jenkins-4.2.9.tgz version: 4.2.9 k8s-triliovault-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator + catalog.cattle.io/kube-version: '>=1.19.0-0' + catalog.cattle.io/release-name: k8s-triliovault-operator + apiVersion: v2 + appVersion: 4.0.2 + created: "2024-03-15T00:32:48.967808945Z" + dependencies: + - condition: observability.enabled + name: observability + repository: file://./charts/observability + version: ^0.1.0 + description: K8s-TrilioVault-Operator is an operator designed to manage the K8s-TrilioVault + Application Lifecycle. + digest: 99d23ae3e989cc5422fbe8d90983ee7ec03822eb37aa0cb39b89a76aada3c187 + home: https://github.com/trilioData/k8s-triliovault-operator + icon: https://www.trilio.io/wp-content/uploads/2021/01/Trilio-2020-logo-RGB-gray-green.png + kubeVersion: '>=1.19.0-0' + maintainers: + - email: prafull.ladha@trilio.io + name: prafull11 + name: k8s-triliovault-operator + sources: + - https://github.com/trilioData/k8s-triliovault-operator + urls: + - assets/trilio/k8s-triliovault-operator-4.0.2.tgz + version: 4.0.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator 
@@ -34969,6 +35652,90 @@ entries: - assets/trilio/k8s-triliovault-operator-v2.0.200.tgz version: v2.0.200 k10: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: K10 + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: k10 + apiVersion: v2 + appVersion: 6.5.8 + created: "2024-03-15T00:32:14.424545991Z" + dependencies: + - condition: grafana.enabled + name: grafana + repository: file://./charts/grafana + version: 7.3.2 + - condition: prometheus.server.enabled + name: prometheus + repository: file://./charts/prometheus + version: 25.12.0 + description: Kasten’s K10 Data Management Platform + digest: 7fafff9ce2eeeb342be45d8bb55aae277e90540d4e35d0c7be3c99bff67bc921 + home: https://kasten.io/ + icon: https://docs.kasten.io/_static/logo-kasten-k10-blue-white.png + maintainers: + - email: contact@kasten.io + name: kastenIO + name: k10 + urls: + - assets/kasten/k10-6.5.801.tgz + version: 6.5.801 + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: K10 + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: k10 + apiVersion: v2 + appVersion: 6.5.6 + created: "2024-03-15T00:32:14.413468937Z" + dependencies: + - condition: grafana.enabled + name: grafana + repository: file://./charts/grafana + version: 7.3.2 + - condition: prometheus.server.enabled + name: prometheus + repository: file://./charts/prometheus + version: 25.12.0 + description: Kasten’s K10 Data Management Platform + digest: fd98ac136a84b610b01c76d9597b3c7036aaafb60cbe4d9e9fdd04aca61a27f9 + home: https://kasten.io/ + icon: https://docs.kasten.io/_static/logo-kasten-k10-blue-white.png + maintainers: + - email: contact@kasten.io + name: kastenIO + name: k10 + urls: + - assets/kasten/k10-6.5.601.tgz + version: 6.5.601 + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: K10 + catalog.cattle.io/kube-version: '>= 1.17.0-0' + 
catalog.cattle.io/release-name: k10 + apiVersion: v2 + appVersion: 6.5.5 + created: "2024-03-15T00:32:14.401983619Z" + dependencies: + - condition: grafana.enabled + name: grafana + repository: file://./charts/grafana + version: 7.3.2 + - condition: prometheus.server.enabled + name: prometheus + repository: file://./charts/prometheus + version: 25.12.0 + description: Kasten’s K10 Data Management Platform + digest: ef454cba8999faacb9a7e7dcfa3d38a37a121b18364d18a34ca07ee4ca6ac2d2 + home: https://kasten.io/ + icon: https://docs.kasten.io/_static/logo-kasten-k10-blue-white.png + maintainers: + - email: contact@kasten.io + name: kastenIO + name: k10 + urls: + - assets/kasten/k10-6.5.501.tgz + version: 6.5.501 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: K10 
@@ -36022,6 +36789,58 @@ entries: - assets/kasten/k10-4.5.900.tgz version: 4.5.900 kafka: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Kafka + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: kafka + category: Infrastructure + images: | + - name: jmx-exporter + image: docker.io/bitnami/jmx-exporter:0.20.0-debian-12-r11 + - name: kafka + image: docker.io/bitnami/kafka:3.7.0-debian-12-r0 + - name: kafka-exporter + image: docker.io/bitnami/kafka-exporter:1.7.0-debian-12-r19 + - name: kubectl + image: docker.io/bitnami/kubectl:1.29.2-debian-12-r2 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r16 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 3.7.0 + created: "2024-03-15T00:32:09.538421585Z" + dependencies: + - condition: zookeeper.enabled + name: zookeeper + repository: file://./charts/zookeeper + version: 12.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Kafka is a distributed streaming platform designed to build + real-time pipelines and can be used as a message broker or as a replacement + for a log aggregation solution for big data applications. + digest: bad7663ea804de828c60133a83540019f6df86bda199080a37ce28448c9a3596 + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/kafka.svg + keywords: + - kafka + - zookeeper + - streaming + - producer + - consumer + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: kafka + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/kafka + urls: + - assets/bitnami/kafka-27.1.2.tgz + version: 27.1.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Kafka 
@@ -39211,6 +40030,33 @@ entries: - assets/bitnami/kafka-19.0.1.tgz version: 19.0.1 kamaji: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kamaji + catalog.cattle.io/kube-version: '>=1.21.0-0' + catalog.cattle.io/release-name: kamaji + apiVersion: v2 + appVersion: v0.4.2 + created: "2024-03-15T00:32:11.538455113Z" + description: Kamaji is a Kubernetes Control Plane Manager. + digest: 883794a30937788f3c2e525a4f1c117a5b495c8b303d1d76695dacbbf3a8cd63 + home: https://github.com/clastix/kamaji + icon: https://github.com/clastix/kamaji/raw/master/assets/logo-colored.png + kubeVersion: '>=1.21.0-0' + maintainers: + - email: dario@tranchitella.eu + name: Dario Tranchitella + - email: me@maxgio.it + name: Massimiliano Giovagnoli + - email: me@bsctl.io + name: Adriano Pezzuto + name: kamaji + sources: + - https://github.com/clastix/kamaji + type: application + urls: + - assets/clastix/kamaji-0.15.1.tgz + version: 0.15.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Kamaji 
@@ -39862,6 +40708,31 @@ entries: - assets/elastic/kibana-7.17.3.tgz version: 7.17.3 kong: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kong Gateway + catalog.cattle.io/release-name: kong + apiVersion: v2 + appVersion: "3.6" + created: "2024-03-15T00:32:14.684610233Z" + dependencies: + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 11.9.13 + description: The Cloud-Native Ingress and API-management + digest: ac890a22d4318cfaf7be7bdb18138a61a189d0efcf40e0c8f2ec2838568453fa + home: https://konghq.com/ + icon: https://s3.amazonaws.com/downloads.kong/universe/assets/icon-kong-inc-large.png + maintainers: + - email: team-k8s@konghq.com + name: team-k8s-bot + name: kong + sources: + - https://github.com/Kong/charts/tree/main/charts/kong + urls: + - assets/kong/kong-2.38.0.tgz + version: 2.38.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Kong Gateway 
@@ -41116,6 +41987,35 @@ entries: - assets/kubemq/kubemq-crds-2.3.7.tgz version: 2.3.7 kubernetes-ingress-controller: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: ngrok Ingress Controller + catalog.cattle.io/release-name: kubernetes-ingress-controller + apiVersion: v2 + appVersion: 0.10.2 + created: "2024-03-15T00:32:47.568820151Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: A Kubernetes ingress controller built using ngrok. + digest: a7425901381b56d4a3ab6fe7b24659174385c69eb654c3f1c3353f8ce7779b28 + home: https://ngrok.com + icon: https://assets-global.website-files.com/63ed4bc7a4b189da942a6b8c/6411ffa0b395a44345ed2b1a_Frame%201.svg + keywords: + - ngrok + - networking + - ingress + - edge + - api gateway + name: kubernetes-ingress-controller + sources: + - https://github.com/ngrok/kubernetes-ingress-controller + urls: + - assets/ngrok/kubernetes-ingress-controller-0.12.2.tgz + version: 0.12.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: ngrok Ingress Controller 
@@ -41896,6 +42796,33 @@ entries: - assets/avesha/kubeslice-worker-0.4.5.tgz version: 0.4.5 kuma: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kuma + catalog.cattle.io/namespace: kuma-system + catalog.cattle.io/release-name: kuma + apiVersion: v2 + appVersion: 2.6.2 + created: "2024-03-15T00:32:28.082835088Z" + description: A Helm chart for the Kuma Control Plane + digest: 5532b6cb1694c23cf850dca451e0682d4302206cef5889ebe77ab33a8a84e8d4 + home: https://github.com/kumahq/kuma + icon: https://kuma.io/assets/images/brand/kuma-logo-new.svg + keywords: + - service mesh + - control plane + maintainers: + - email: austin.cawley@gmail.com + name: austince + - email: jakub.dyszkiewicz@konghq.com + name: jakubdyszkiewicz + - email: nikolay.nikolaev@konghq.com + name: nickolaev + name: kuma + type: application + urls: + - assets/kuma/kuma-2.6.2.tgz + version: 2.6.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Kuma 
@@ -42493,21 +43420,53 @@ entries: version: 0.8.101 linkerd-control-plane: - annotations: + catalog.cattle.io/auto-install: linkerd-crds catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Linkerd Control Plane catalog.cattle.io/featured: "5" - catalog.cattle.io/kube-version: '>=1.21.0-0' + catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 - appVersion: stable-2.14.10 - created: "2024-02-21T10:03:03.425971454Z" + appVersion: edge-24.3.3 + created: "2024-03-15T00:32:46.910361969Z" dependencies: - name: partials repository: file://./charts/partials version: 0.1.0 description: 'Linkerd gives you observability, reliability, and security for your microservices — with no code change required. ' - digest: 2334c627f6e50c4c915d0dd17d47b8cbffe554f6ad26a8432794048c2de62251 + digest: ec36bcf3bbf5c190652ed9117608256832c17703b726a4eb274171d9ee68ffa0 + home: https://linkerd.io + icon: https://linkerd.io/images/logo-only-200h.png + keywords: + - service-mesh + kubeVersion: '>=1.22.0-0' + maintainers: + - email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ + name: linkerd-control-plane + sources: + - https://github.com/linkerd/linkerd2/ + type: application + urls: + - assets/linkerd/linkerd-control-plane-2024.3.3.tgz + version: 2024.3.3 + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd Control Plane + catalog.cattle.io/kube-version: '>=1.21.0-0' + catalog.cattle.io/release-name: linkerd-control-plane + apiVersion: v2 + appVersion: stable-2.14.10 + created: "2024-03-15T00:32:28.094608761Z" + dependencies: + - name: partials + repository: file://./charts/partials + version: 0.1.0 + description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. 
' + digest: 479aaeb25ee3d62440d0e400fbb02d1f404ca52a53a9d09af93f3406fd4d4247 home: https://linkerd.io icon: https://linkerd.io/images/logo-only-200h.png keywords: 
@@ -42834,7 +43793,73 @@ entries: urls: - assets/linkerd/linkerd-control-plane-1.12.5.tgz version: 1.12.5 + linkerd-crds: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd CRDs + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-crds + apiVersion: v2 + created: "2024-03-15T00:32:46.91313212Z" + dependencies: + - name: partials + repository: file://./charts/partials + version: 0.1.0 + description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' + digest: e059e0dc2a412529d08c04be010dedd7718674cc170d0fe11b437e9e521cc48a + home: https://linkerd.io + icon: https://linkerd.io/images/logo-only-200h.png + keywords: + - service-mesh + kubeVersion: '>=1.22.0-0' + maintainers: + - email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ + name: linkerd-crds + sources: + - https://github.com/linkerd/linkerd2/ + type: application + urls: + - assets/linkerd/linkerd-crds-2024.3.3.tgz + version: 2024.3.3 loft: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Loft + catalog.cattle.io/kube-version: '>=1.22-0' + catalog.cattle.io/release-name: loft + apiVersion: v2 + created: "2024-03-15T00:32:46.936997892Z" + description: Secure Cluster Sharing, Self-Service Namespace Provisioning and Virtual + Clusters + digest: 3f316c676fd0b9bed820bd227b38655e44a08fd002f49751fba74871c2f29e54 + home: https://loft.sh + icon: https://static.loft.sh/loft/logo/loft-logo.svg + keywords: + - developer + - development + - sharing + - share + - multi-tenancy + - tenancy + - cluster + - space + - namespace + - vcluster + - vclusters + maintainers: + - email: info@loft.sh + name: Loft Labs, Inc. 
+ url: https://twitter.com/loft_sh + name: loft + sources: + - https://github.com/loft-sh/loft + type: application + urls: + - assets/loft/loft-3.4.1.tgz + version: 3.4.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Loft @@ -43474,6 +44499,50 @@ entries: - assets/elastic/logstash-7.17.3.tgz version: 7.17.3 mariadb: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: MariaDB + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: mariadb + category: Database + images: | + - name: mariadb + image: docker.io/bitnami/mariadb:11.2.3-debian-12-r4 + - name: mysqld-exporter + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-12-r8 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r16 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 11.2.3 + created: "2024-03-15T00:32:09.679873802Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: MariaDB is an open source, community-developed SQL database server + that is widely in use around the world due to its enterprise features, flexibility, + and collaboration with leading tech firms. + digest: 8d242783784e0c2f817477af44c07e6c5bd76b5de9abdd62bf77aacb9e2fb17d + home: https://bitnami.com + icon: https://mariadb.com/wp-content/uploads/2019/11/mariadb-logo-vert_black-transparent.png + keywords: + - mariadb + - mysql + - database + - sql + - prometheus + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: mariadb + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/mariadb + urls: + - assets/bitnami/mariadb-16.5.0.tgz + version: 16.5.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: MariaDB 
@@ -45585,6 +46654,32 @@ entries: - assets/metallb/metallb-0.13.7.tgz version: 0.13.7 minio-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Minio Operator + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: minio-operator + apiVersion: v2 + appVersion: v5.0.13 + created: "2024-03-15T00:32:46.960958082Z" + description: A Helm chart for MinIO Operator + digest: d53870383a7c46c2842395fccbc1fde244d98ecba28adcb5aca0180d92ce7000 + home: https://min.io + icon: https://min.io/resources/img/logo/MINIO_wordmark.png + keywords: + - storage + - object-storage + - S3 + maintainers: + - email: dev@minio.io + name: MinIO, Inc + name: minio-operator + sources: + - https://github.com/minio/operator + type: application + urls: + - assets/minio/minio-operator-5.0.13.tgz + version: 5.0.13 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Minio Operator 
@@ -46054,6 +47149,50 @@ entries: - assets/minio/minio-operator-4.4.1700.tgz version: 4.4.1700 mysql: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: MySQL + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: mysql + category: Database + images: | + - name: mysql + image: docker.io/bitnami/mysql:8.0.36-debian-12-r8 + - name: mysqld-exporter + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-12-r8 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r16 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 8.0.36 + created: "2024-03-15T00:32:09.750483332Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: MySQL is a fast, reliable, scalable, and easy to use open source + relational database system. Designed to handle mission-critical, heavy-load + production applications. + digest: c4bdcb8c67ce2260f77fc5b2fcc77b7f7e8f4c1cce3079827afaf4446b9f04eb + home: https://bitnami.com + icon: https://www.mysql.com/common/logos/logo-mysql-170x115.png + keywords: + - mysql + - database + - sql + - cluster + - high availability + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: mysql + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/mysql + urls: + - assets/bitnami/mysql-9.23.0.tgz + version: 9.23.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: MySQL 
@@ -47650,6 +48789,31 @@ entries: - assets/bitnami/mysql-9.4.1.tgz version: 9.4.1 nats: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NATS Server + catalog.cattle.io/kube-version: '>=1.16-0' + catalog.cattle.io/release-name: nats + apiVersion: v2 + appVersion: 2.10.12 + created: "2024-03-15T00:32:47.01203397Z" + description: A Helm chart for the NATS.io High Speed Cloud Native Distributed + Communications Technology. + digest: b83981300993931a3c2343ca521c07e2199a48c0765cde5dff7f5210fa4395da + home: http://github.com/nats-io/k8s + icon: https://nats.io/img/nats-icon-color.png + keywords: + - nats + - messaging + - cncf + maintainers: + - email: info@nats.io + name: The NATS Authors + url: https://github.com/nats-io + name: nats + urls: + - assets/nats/nats-1.1.10.tgz + version: 1.1.10 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: NATS Server 
@@ -49188,6 +50352,88 @@ entries: - assets/f5/nginx-service-mesh-0.2.100.tgz version: 0.2.100 nri-bundle: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: New Relic + catalog.cattle.io/release-name: nri-bundle + apiVersion: v2 + created: "2024-03-15T00:32:47.521210013Z" + dependencies: + - condition: infrastructure.enabled,newrelic-infrastructure.enabled + name: newrelic-infrastructure + repository: file://./charts/newrelic-infrastructure + version: 3.32.0 + - condition: prometheus.enabled,nri-prometheus.enabled + name: nri-prometheus + repository: file://./charts/nri-prometheus + version: 2.1.17 + - condition: newrelic-prometheus-agent.enabled + name: newrelic-prometheus-agent + repository: file://./charts/newrelic-prometheus-agent + version: 1.11.0 + - condition: webhook.enabled,nri-metadata-injection.enabled + name: nri-metadata-injection + repository: file://./charts/nri-metadata-injection + version: 4.18.2 + - condition: metrics-adapter.enabled,newrelic-k8s-metrics-adapter.enabled + name: newrelic-k8s-metrics-adapter + repository: file://./charts/newrelic-k8s-metrics-adapter + version: 1.10.1 + - condition: ksm.enabled,kube-state-metrics.enabled + name: kube-state-metrics + repository: file://./charts/kube-state-metrics + version: 5.12.1 + - condition: kubeEvents.enabled,nri-kube-events.enabled + name: nri-kube-events + repository: file://./charts/nri-kube-events + version: 3.9.2 + - condition: logging.enabled,newrelic-logging.enabled + name: newrelic-logging + repository: file://./charts/newrelic-logging + version: 1.21.2 + - condition: newrelic-pixie.enabled + name: newrelic-pixie + repository: file://./charts/newrelic-pixie + version: 2.1.3 + - alias: pixie-chart + condition: pixie-chart.enabled + name: pixie-operator-chart + repository: file://./charts/pixie-operator-chart + version: 0.1.4 + - condition: newrelic-infra-operator.enabled + name: newrelic-infra-operator + repository: 
file://./charts/newrelic-infra-operator + version: 2.10.0 + description: Groups together the individual charts for the New Relic Kubernetes + solution for a more comfortable deployment. + digest: f78e64efa9c8084342f67515af562b68ef861888a44e13fa1065e96a467d6df7 + home: https://github.com/newrelic/helm-charts + icon: https://newrelic.com/themes/custom/erno/assets/mediakit/new_relic_logo_vertical.svg + keywords: + - infrastructure + - newrelic + - monitoring + maintainers: + - name: juanjjaramillo + url: https://github.com/juanjjaramillo + - name: csongnr + url: https://github.com/csongnr + name: nri-bundle + sources: + - https://github.com/newrelic/nri-bundle/ + - https://github.com/newrelic/nri-bundle/tree/master/charts/nri-bundle + - https://github.com/newrelic/nri-kubernetes/tree/master/charts/newrelic-infrastructure + - https://github.com/newrelic/nri-prometheus/tree/master/charts/nri-prometheus + - https://github.com/newrelic/newrelic-prometheus-configurator/tree/master/charts/newrelic-prometheus-agent + - https://github.com/newrelic/k8s-metadata-injection/tree/master/charts/nri-metadata-injection + - https://github.com/newrelic/newrelic-k8s-metrics-adapter/tree/master/charts/newrelic-k8s-metrics-adapter + - https://github.com/newrelic/nri-kube-events/tree/master/charts/nri-kube-events + - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-logging + - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-pixie + - https://github.com/newrelic/newrelic-infra-operator/tree/master/charts/newrelic-infra-operator + urls: + - assets/new-relic/nri-bundle-5.0.69.tgz + version: 5.0.69 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: New Relic 
@@ -54210,6 +55456,51 @@ entries: - assets/portshift-operator/portshift-operator-0.1.000.tgz version: 0.1.000 postgresql: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: PostgreSQL + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: postgresql + category: Database + images: | + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r16 + - name: postgres-exporter + image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14 + - name: postgresql + image: docker.io/bitnami/postgresql:16.2.0-debian-12-r8 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 16.2.0 + created: "2024-03-15T00:32:10.052319647Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: PostgreSQL (Postgres) is an open source object-relational database + known for reliability and data integrity. ACID-compliant, it supports foreign + keys, joins, views, triggers and stored procedures. + digest: fcfbd77f97ea7cb9adf317f5828dcd23d0081417e7ed0b5ccd050f860bf40e5e + home: https://bitnami.com + icon: https://wiki.postgresql.org/images/a/a4/PostgreSQL_logo.3colors.svg + keywords: + - postgresql + - postgres + - database + - sql + - replication + - cluster + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: postgresql + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/postgresql + urls: + - assets/bitnami/postgresql-14.3.3.tgz + version: 14.3.3 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: PostgreSQL 
@@ -57410,6 +58701,29 @@ entries: - assets/percona/psmdb-db-1.13.0.tgz version: 1.13.0 psmdb-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Percona Operator for MongoDB + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: psmdb-operator + apiVersion: v2 + appVersion: 1.15.0 + created: "2024-03-15T00:32:47.867009119Z" + description: A Helm chart for deploying the Percona Operator for MongoDB + digest: d5318817020580e091f6bb0be01834e9a8a75b3b553ab525acf8050acae0e13d + home: https://docs.percona.com/percona-operator-for-mongodb/ + icon: https://raw.githubusercontent.com/percona/percona-server-mongodb-operator/main/operator.png + maintainers: + - email: tomislav.plavcic@percona.com + name: tplavcic + - email: natalia.marukovich@percona.com + name: nmarukovich + - email: sergey.pronin@percona.com + name: spron-in + name: psmdb-operator + urls: + - assets/percona/psmdb-operator-1.15.3.tgz + version: 1.15.3 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Percona Operator for MongoDB 
@@ -57617,6 +58931,30 @@ entries: - assets/percona/psmdb-operator-1.13.1.tgz version: 1.13.1 pxc-db: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Percona XtraDB Cluster + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: pxc-db + apiVersion: v2 + appVersion: 1.14.0 + created: "2024-03-15T00:32:47.879900366Z" + description: A Helm chart for installing Percona XtraDB Cluster Databases using + the PXC Operator. + digest: cc1a2a27fccd0b8469460f2e9ad305a3a9c71c762f5517113cb0378825d7bd5b + home: https://www.percona.com/doc/kubernetes-operator-for-pxc/kubernetes.html + icon: https://raw.githubusercontent.com/percona/percona-xtradb-cluster-operator/main/operator.png + maintainers: + - email: tomislav.plavcic@percona.com + name: tplavcic + - email: sergey.pronin@percona.com + name: spron-in + - email: natalia.marukovich@percona.com + name: nmarukovich + name: pxc-db + urls: + - assets/percona/pxc-db-1.14.0.tgz + version: 1.14.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Percona XtraDB Cluster 
@@ -57864,6 +59202,31 @@ entries: - assets/percona/pxc-db-1.12.0.tgz version: 1.12.0 pxc-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Percona Operator For MySQL based on Percona + XtraDB Cluster + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: pxc-operator + apiVersion: v2 + appVersion: 1.14.0 + created: "2024-03-15T00:32:47.888282551Z" + description: A Helm chart for deploying the Percona Operator for MySQL (based + on Percona XtraDB Cluster) + digest: 62ffeda860a09ff4b18e362953a9feadecd3c52590562d957451ed1d8bc7d32f + home: https://docs.percona.com/percona-operator-for-mysql/pxc/ + icon: https://raw.githubusercontent.com/percona/percona-xtradb-cluster-operator/main/operator.png + maintainers: + - email: tomislav.plavcic@percona.com + name: tplavcic + - email: natalia.marukovich@percona.com + name: nmarukovich + - email: sergey.pronin@percona.com + name: spron-in + name: pxc-operator + urls: + - assets/percona/pxc-operator-1.14.0.tgz + version: 1.14.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Percona Operator For MySQL based on Percona 
@@ -58183,6 +59546,52 @@ entries: - assets/quobyte/quobyte-cluster-0.1.5.tgz version: 0.1.5 redis: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redis + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: redis + category: Database + images: | + - name: kubectl + image: docker.io/bitnami/kubectl:1.29.2-debian-12-r3 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r16 + - name: redis + image: docker.io/bitnami/redis:7.2.4-debian-12-r9 + - name: redis-exporter + image: docker.io/bitnami/redis-exporter:1.58.0-debian-12-r4 + - name: redis-sentinel + image: docker.io/bitnami/redis-sentinel:7.2.4-debian-12-r7 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 7.2.4 + created: "2024-03-15T00:32:10.311489671Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Redis(R) is an open source, advanced key-value store. It is often + referred to as a data structure server since keys can contain strings, hashes, + lists, sets and sorted sets. + digest: fff602a9e65d934f5a1343e46604e07e7438cb3f96dc22ca14283d2f410e45c1 + home: https://bitnami.com + icon: https://redis.com/wp-content/uploads/2021/08/redis-logo.png + keywords: + - redis + - keyvalue + - database + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: redis + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/redis + urls: + - assets/bitnami/redis-18.19.2.tgz + version: 18.19.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Redis 
@@ -60767,6 +62176,50 @@ entries: - assets/bitnami/redis-17.3.7.tgz version: 17.3.7 redpanda: + - annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v23.3.7 + - name: busybox + image: busybox:latest + - name: mintel/docker-alpine-bash-curl-jq + image: mintel/docker-alpine-bash-curl-jq:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.8.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda + apiVersion: v2 + appVersion: v23.3.7 + created: "2024-03-15T00:32:48.277734484Z" + dependencies: + - condition: console.enabled + name: console + repository: file://./charts/console + version: '>=0.5 <1.0' + - condition: connectors.enabled + name: connectors + repository: file://./charts/connectors + version: '>=0.1.2 <1.0' + description: Redpanda is the real-time engine for modern apps. + digest: 4c7cfc15d8dbee6345d58331f56c9f746bf791c6daa7378c40b9c04934342701 + icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg + kubeVersion: '>=1.21-0' + maintainers: + - name: redpanda-data + url: https://github.com/orgs/redpanda-data/people + name: redpanda + sources: + - https://github.com/redpanda-data/helm-charts + type: application + urls: + - assets/redpanda/redpanda-5.7.34.tgz + version: 5.7.34 - annotations: artifacthub.io/images: | - name: redpanda 
@@ -65240,6 +66693,43 @@ entries: - assets/shipa/shipa-1.4.0.tgz version: 1.4.0 spark: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Spark + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: spark + category: Infrastructure + images: | + - name: spark + image: docker.io/bitnami/spark:3.5.1-debian-12-r0 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 3.5.1 + created: "2024-03-15T00:32:10.454089969Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Spark is a high-performance engine for large-scale computing + tasks, such as data processing, machine learning and real-time data streaming. + It includes APIs for Java, Python, Scala and R. + digest: ab47c15f1b9e7d0aaaba7d290c457bd5c822fa44ceec67c349a7299e207ddb09 + home: https://bitnami.com + icon: https://www.apache.org/logos/res/spark/default.png + keywords: + - apache + - spark + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: spark + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/spark + urls: + - assets/bitnami/spark-8.9.1.tgz + version: 8.9.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Spark 
@@ -66764,6 +68254,37 @@ entries: - assets/bitnami/spark-6.3.8.tgz version: 6.3.8 speedscale-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Speedscale Operator + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: speedscale-operator + apiVersion: v1 + appVersion: 2.1.92 + created: "2024-03-15T00:32:48.366958064Z" + description: Stress test your APIs with real world scenarios. Collect and replay + traffic without scripting. + digest: 1e5fc94577f0003a9e87e804e580fd61f0f572836b53f5df5f82b2f965297f3f + home: https://speedscale.com + icon: https://raw.githubusercontent.com/speedscale/assets/main/logo/gold_logo_only.png + keywords: + - speedscale + - test + - testing + - regression + - reliability + - load + - replay + - network + - traffic + kubeVersion: '>= 1.17.0-0' + maintainers: + - email: support@speedscale.com + name: Speedscale Support + name: speedscale-operator + urls: + - assets/speedscale/speedscale-operator-2.1.8.tgz + version: 2.1.8 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Speedscale Operator 
@@ -69087,6 +70608,34 @@ entries:
 - assets/speedscale/speedscale-operator-0.9.12600.tgz
 version: 0.9.12600
 stackstate-k8s-agent:
+ - annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: StackState Agent
+ catalog.cattle.io/kube-version: '>=1.19.0-0'
+ catalog.cattle.io/release-name: stackstate-k8s-agent
+ apiVersion: v2
+ appVersion: 3.0.0
+ created: "2024-03-15T00:32:48.388040861Z"
+ dependencies:
+ - alias: httpHeaderInjectorWebhook
+ name: http-header-injector
+ repository: file://./charts/http-header-injector
+ version: 0.0.8
+ description: Helm chart for the StackState Agent.
+ digest: 6059ba3e2940a55e24adbed583699e3fcfb38e4743429ac9558307ebdab0d38b
+ home: https://github.com/StackVista/stackstate-agent
+ icon: https://raw.githubusercontent.com/StackVista/helm-charts/master/stable/stackstate-k8s-agent/logo.svg
+ keywords:
+ - monitoring
+ - observability
+ - stackstate
+ maintainers:
+ - email: ops@stackstate.com
+ name: Stackstate
+ name: stackstate-k8s-agent
+ urls:
+ - assets/stackstate/stackstate-k8s-agent-1.0.76.tgz
+ version: 1.0.76
 - annotations:
 catalog.cattle.io/certified: partner
 catalog.cattle.io/display-name: StackState Agent
@@ -71264,6 +72813,51 @@ entries:
 - assets/intel/tcs-issuer-0.1.0.tgz
 version: 0.1.0
 tomcat:
+ - annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Apache Tomcat
+ catalog.cattle.io/kube-version: '>=1.19-0'
+ catalog.cattle.io/release-name: tomcat
+ category: ApplicationServer
+ images: |
+ - name: jmx-exporter
+ image: docker.io/bitnami/jmx-exporter:0.20.0-debian-12-r11
+ - name: os-shell
+ image: docker.io/bitnami/os-shell:12-debian-12-r16
+ - name: tomcat
+ image: docker.io/bitnami/tomcat:10.1.19-debian-12-r0
+ licenses: Apache-2.0
+ apiVersion: v2
+ appVersion: 10.1.19
+ created: "2024-03-15T00:32:10.486733313Z"
+ dependencies:
+ - name: common
+ repository: file://./charts/common
+ tags:
+ - bitnami-common
+ version: 2.x.x
+ description: Apache Tomcat is an open-source web server designed to host and run
+ Java-based web applications. It is a lightweight server with a good performance
+ for applications running in production environments.
+ digest: 529055ffaf8753e53a723671291932c3005c014a48902b543b06488eee928265
+ home: https://bitnami.com
+ icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/tomcat.svg
+ keywords:
+ - tomcat
+ - java
+ - http
+ - web
+ - application server
+ - jsp
+ maintainers:
+ - name: VMware, Inc.
+ url: https://github.com/bitnami/charts
+ name: tomcat
+ sources:
+ - https://github.com/bitnami/charts/tree/main/bitnami/tomcat
+ urls:
+ - assets/bitnami/tomcat-10.17.0.tgz
+ version: 10.17.0
 - annotations:
 catalog.cattle.io/certified: partner
 catalog.cattle.io/display-name: Apache Tomcat
@@ -75040,6 +76634,60 @@ entries:
 - assets/hashicorp/vault-0.22.0.tgz
 version: 0.22.0
 wordpress:
+ - annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: WordPress
+ catalog.cattle.io/kube-version: '>=1.19-0'
+ catalog.cattle.io/release-name: wordpress
+ category: CMS
+ images: |
+ - name: apache-exporter
+ image: docker.io/bitnami/apache-exporter:1.0.6-debian-12-r8
+ - name: os-shell
+ image: docker.io/bitnami/os-shell:12-debian-12-r16
+ - name: wordpress
+ image: docker.io/bitnami/wordpress:6.4.3-debian-12-r20
+ licenses: Apache-2.0
+ apiVersion: v2
+ appVersion: 6.4.3
+ created: "2024-03-15T00:32:11.323507922Z"
+ dependencies:
+ - condition: memcached.enabled
+ name: memcached
+ repository: file://./charts/memcached
+ version: 6.x.x
+ - condition: mariadb.enabled
+ name: mariadb
+ repository: file://./charts/mariadb
+ version: 16.x.x
+ - name: common
+ repository: file://./charts/common
+ tags:
+ - bitnami-common
+ version: 2.x.x
+ description: WordPress is the world's most popular blogging and content management
+ platform. Powerful yet simple, everyone from students to global corporations
+ use it to build beautiful, functional websites.
+ digest: 018b0dba3cf4ba3a1f0c62b091bf5109e2300d53cc9d50b87aeda4bb24bacfe0
+ home: https://bitnami.com
+ icon: https://s.w.org/style/images/about/WordPress-logotype-simplified.png
+ keywords:
+ - application
+ - blog
+ - cms
+ - http
+ - php
+ - web
+ - wordpress
+ maintainers:
+ - name: VMware, Inc.
+ url: https://github.com/bitnami/charts
+ name: wordpress
+ sources:
+ - https://github.com/bitnami/charts/tree/main/bitnami/wordpress
+ urls:
+ - assets/bitnami/wordpress-20.1.2.tgz
+ version: 20.1.2
 - annotations:
 catalog.cattle.io/certified: partner
 catalog.cattle.io/display-name: WordPress
@@ -81585,6 +83233,43 @@ entries:
 - assets/netfoundry/ziti-host-1.5.1.tgz
 version: 1.5.1
 zookeeper:
+ - annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Apache Zookeeper
+ catalog.cattle.io/kube-version: '>=1.19-0'
+ catalog.cattle.io/release-name: zookeeper
+ category: Infrastructure
+ images: |
+ - name: os-shell
+ image: docker.io/bitnami/os-shell:12-debian-12-r16
+ - name: zookeeper
+ image: docker.io/bitnami/zookeeper:3.9.2-debian-12-r0
+ licenses: Apache-2.0
+ apiVersion: v2
+ appVersion: 3.9.2
+ created: "2024-03-15T00:32:11.394379636Z"
+ dependencies:
+ - name: common
+ repository: file://./charts/common
+ tags:
+ - bitnami-common
+ version: 2.x.x
+ description: Apache ZooKeeper provides a reliable, centralized register of configuration
+ data and services for distributed applications.
+ digest: b4890b59415173661865047d48eac1b7a956051394937dc11c95aad6a0e20c6f
+ home: https://bitnami.com
+ icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/zookeeper.svg
+ keywords:
+ - zookeeper
+ maintainers:
+ - name: VMware, Inc.
+ url: https://github.com/bitnami/charts
+ name: zookeeper
+ sources:
+ - https://github.com/bitnami/charts/tree/main/bitnami/zookeeper
+ urls:
+ - assets/bitnami/zookeeper-12.12.1.tgz
+ version: 12.12.1
 - annotations:
 catalog.cattle.io/certified: partner
 catalog.cattle.io/display-name: Apache Zookeeper