andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[AUTOMATED] Auto-update charts on main-source (#990) 

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
pull/993/head
github-actions[bot] 2024-03-15 10:19:45 -06:00 committed by GitHub
parent a9afca1814
commit a5820e5da9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
678 changed files with 29819 additions and 6054 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/argo/argo-cd-6.2.3.tgz
View File

Binary file not shown.

BIN
assets/argo/argo-cd-6.7.2.tgz Normal file
View File

Binary file not shown.

BIN
assets/bitnami/airflow-17.2.4.tgz Normal file
View File

Binary file not shown.

BIN
assets/bitnami/cassandra-10.12.1.tgz Normal file
View File

Binary file not shown.

BIN
assets/bitnami/kafka-27.1.2.tgz Normal file
View File

Binary file not shown.

BIN
assets/bitnami/mariadb-16.5.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/bitnami/mysql-9.23.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/bitnami/postgresql-14.3.3.tgz Normal file
View File

Binary file not shown.

BIN
assets/bitnami/redis-18.19.2.tgz Normal file
View File

Binary file not shown.

BIN
assets/bitnami/spark-8.9.1.tgz Normal file
View File

Binary file not shown.

BIN
assets/bitnami/tomcat-10.17.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/bitnami/wordpress-20.1.2.tgz Normal file
View File

Binary file not shown.

BIN
assets/bitnami/zookeeper-12.12.1.tgz Normal file
View File

Binary file not shown.

BIN
assets/cert-manager/cert-manager-v1.14.4.tgz Normal file
View File

Binary file not shown.

BIN
assets/clastix/kamaji-0.15.1.tgz Normal file
View File

Binary file not shown.

BIN
assets/cloudcasa/cloudcasa-3.4.2.tgz Normal file
View File

Binary file not shown.

BIN
assets/cockroach-labs/cockroachdb-12.0.2.tgz Normal file
View File

Binary file not shown.

BIN
assets/crate/crate-operator-2.38.1.tgz Normal file
View File

Binary file not shown.

BIN
assets/crowdstrike/falcon-sensor-1.26.1.tgz Normal file
View File

Binary file not shown.

BIN
assets/datadog/datadog-3.57.3.tgz Normal file
View File

Binary file not shown.

BIN
assets/datadog/datadog-operator-1.5.1.tgz Normal file
View File

Binary file not shown.

BIN
assets/dell/csi-vxflexos-2.9.2.tgz Normal file
View File

Binary file not shown.

BIN
assets/haproxy/haproxy-1.38.2.tgz Normal file
View File

Binary file not shown.

BIN
assets/hashicorp/consul-1.4.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/hpe/hpe-csi-driver-2.4.1.tgz Normal file
View File

Binary file not shown.

BIN
assets/instana/instana-agent-1.2.71.tgz Normal file
View File

Binary file not shown.

BIN
assets/jenkins/jenkins-5.1.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/jfrog/artifactory-ha-107.77.7.tgz Normal file
View File

Binary file not shown.

BIN
assets/jfrog/artifactory-jcr-107.77.7.tgz Normal file
View File

Binary file not shown.

BIN
assets/kasten/k10-6.5.501.tgz Normal file
View File

Binary file not shown.

BIN
assets/kasten/k10-6.5.601.tgz Normal file
View File

Binary file not shown.

BIN
assets/kasten/k10-6.5.801.tgz Normal file
View File

Binary file not shown.

BIN
assets/kong/kong-2.38.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/kubecost/cost-analyzer-2.0.2.tgz
View File

Binary file not shown.

BIN
assets/kubecost/cost-analyzer-2.1.1.tgz Normal file
View File

Binary file not shown.

BIN
assets/kuma/kuma-2.6.2.tgz Normal file
View File

Binary file not shown.

BIN
assets/linkerd/linkerd-control-plane-1.16.11.tgz
View File

Binary file not shown.

BIN
assets/linkerd/linkerd-control-plane-2024.3.3.tgz Normal file
View File

Binary file not shown.

BIN
assets/linkerd/linkerd-crds-2024.3.3.tgz Normal file
View File

Binary file not shown.

BIN
assets/loft/loft-3.4.1.tgz Normal file
View File

Binary file not shown.

BIN
assets/minio/minio-operator-5.0.13.tgz Normal file
View File

Binary file not shown.

BIN
assets/nats/nats-1.1.10.tgz Normal file
View File

Binary file not shown.

BIN
assets/new-relic/nri-bundle-5.0.69.tgz Normal file
View File

Binary file not shown.

BIN
assets/ngrok/kubernetes-ingress-controller-0.12.2.tgz Normal file
View File

Binary file not shown.

BIN
assets/percona/psmdb-operator-1.15.3.tgz Normal file
View File

Binary file not shown.

BIN
assets/percona/pxc-db-1.14.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/percona/pxc-operator-1.14.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/redpanda/redpanda-5.7.34.tgz Normal file
View File

Binary file not shown.

BIN
assets/speedscale/speedscale-operator-2.1.8.tgz Normal file
View File

Binary file not shown.

BIN
assets/stackstate/stackstate-k8s-agent-1.0.76.tgz Normal file
View File

Binary file not shown.

BIN
assets/trilio/k8s-triliovault-operator-4.0.2.tgz Normal file
View File

Binary file not shown.

6
charts/argo/argo-cd/Chart.yaml
View File

@ -1,7 +1,7 @@
annotations: annotations:
artifacthub.io/changes: | artifacthub.io/changes: |
- kind: changed - kind: changed
description: Updated Redis image tag to 7.2.4 description: Bump argo-cd to v2.10.3
artifacthub.io/signKey: | artifacthub.io/signKey: |
fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
url: https://argoproj.github.io/argo-helm/pgp_keys.asc url: https://argoproj.github.io/argo-helm/pgp_keys.asc
@ -11,7 +11,7 @@ annotations:
catalog.cattle.io/kube-version: '>=1.23.0-0' catalog.cattle.io/kube-version: '>=1.23.0-0'
catalog.cattle.io/release-name: argo-cd catalog.cattle.io/release-name: argo-cd
apiVersion: v2 apiVersion: v2
appVersion: v2.10.1 appVersion: v2.10.3
dependencies: dependencies:
- condition: redis-ha.enabled - condition: redis-ha.enabled
name: redis-ha name: redis-ha
@ -33,4 +33,4 @@ name: argo-cd
sources: sources:
- https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
- https://github.com/argoproj/argo-cd - https://github.com/argoproj/argo-cd
version: 6.2.3 version: 6.7.2

22
charts/argo/argo-cd/README.md
View File

@ -278,6 +278,15 @@ For full list of changes please check ArtifactHub [changelog].
Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version. Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.
### 6.4.0
Added support for application controller dynamic cluster distribution.
Please refer to [the docs](https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution) for more information.
Added env variables to handle the non-standard names generated by the helm chart.
Here are the [docs](https://argo-cd.readthedocs.io/en/release-2.9/user-guide/environment-variables/)
and [code](https://github.com/argoproj/argo-cd/blob/99723143b96ceec9ef5b0a7feb7b4f4b0dce3497/common/common.go#L252)
### 6.1.0 ### 6.1.0
Added support for global domain used by all components. Added support for global domain used by all components.
@ -720,12 +729,15 @@ NAME: my-release
| controller.clusterRoleRules.rules | list | `[]` | List of custom rules for the application controller's ClusterRole resource | | controller.clusterRoleRules.rules | list | `[]` | List of custom rules for the application controller's ClusterRole resource |
| controller.containerPorts.metrics | int | `8082` | Metrics container port | | controller.containerPorts.metrics | int | `8082` | Metrics container port |
| controller.containerSecurityContext | object | See [values.yaml] | Application controller container-level security context | | controller.containerSecurityContext | object | See [values.yaml] | Application controller container-level security context |
| controller.deploymentAnnotations | object | `{}` | Annotations for the application controller Deployment |
| controller.dnsConfig | object | `{}` | [DNS configuration] | | controller.dnsConfig | object | `{}` | [DNS configuration] |
| controller.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for application controller pods | | controller.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for application controller pods |
| controller.dynamicClusterDistribution | bool | `false` | Enable dynamic cluster distribution (alpha) Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution |
| controller.env | list | `[]` | Environment variables to pass to application controller | | controller.env | list | `[]` | Environment variables to pass to application controller |
| controller.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to application controller | | controller.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to application controller |
| controller.extraArgs | list | `[]` | Additional command line arguments to pass to application controller | | controller.extraArgs | list | `[]` | Additional command line arguments to pass to application controller |
| controller.extraContainers | list | `[]` | Additional containers to be added to the application controller pod | | controller.extraContainers | list | `[]` | Additional containers to be added to the application controller pod |
| controller.heartbeatTime | int | `10` | Application controller heartbeat time Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution/#working-of-dynamic-distribution |
| controller.hostNetwork | bool | `false` | Host Network for application controller pods | | controller.hostNetwork | bool | `false` | Host Network for application controller pods |
| controller.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the application controller | | controller.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the application controller |
| controller.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the application controller | | controller.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the application controller |
@ -940,7 +952,7 @@ NAME: my-release
| server.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the Argo CD server | | server.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the Argo CD server |
| server.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | | server.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
| server.ingress.annotations | object | `{}` | Additional ingress annotations | | server.ingress.annotations | object | `{}` | Additional ingress annotations |
| server.ingress.aws.backendProtocolVersion | string | `"HTTP2"` | Backend protocol version for the AWS ALB gRPC service | | server.ingress.aws.backendProtocolVersion | string | `"GRPC"` | Backend protocol version for the AWS ALB gRPC service |
| server.ingress.aws.serviceType | string | `"NodePort"` | Service type for the AWS ALB gRPC service | | server.ingress.aws.serviceType | string | `"NodePort"` | Service type for the AWS ALB gRPC service |
| server.ingress.controller | string | `"generic"` | Specific implementation for ingress controller. One of `generic`, `aws` or `gke` | | server.ingress.controller | string | `"generic"` | Specific implementation for ingress controller. One of `generic`, `aws` or `gke` |
| server.ingress.enabled | bool | `false` | Enable an ingress resource for the Argo CD server | | server.ingress.enabled | bool | `false` | Enable an ingress resource for the Argo CD server |
@ -1077,6 +1089,9 @@ NAME: my-release
| dex.initImage.tag | string | `""` (defaults to global.image.tag) | Argo CD init image tag | | dex.initImage.tag | string | `""` (defaults to global.image.tag) | Argo CD init image tag |
| dex.livenessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for Dex >= 2.28.0 | | dex.livenessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for Dex >= 2.28.0 |
| dex.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | | dex.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
| dex.livenessProbe.httpPath | string | `"/healthz/live"` | Http path to use for the liveness probe |
| dex.livenessProbe.httpPort | string | `"metrics"` | Http port to use for the liveness probe |
| dex.livenessProbe.httpScheme | string | `"HTTP"` | Scheme to use for for the liveness probe (can be HTTP or HTTPS) |
| dex.livenessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated | | dex.livenessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated |
| dex.livenessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] | | dex.livenessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
| dex.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed | | dex.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
@ -1109,6 +1124,9 @@ NAME: my-release
| dex.priorityClassName | string | `""` (defaults to global.priorityClassName) | Priority class for the dex pods | | dex.priorityClassName | string | `""` (defaults to global.priorityClassName) | Priority class for the dex pods |
| dex.readinessProbe.enabled | bool | `false` | Enable Kubernetes readiness probe for Dex >= 2.28.0 | | dex.readinessProbe.enabled | bool | `false` | Enable Kubernetes readiness probe for Dex >= 2.28.0 |
| dex.readinessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | | dex.readinessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
| dex.readinessProbe.httpPath | string | `"/healthz/ready"` | Http path to use for the readiness probe |
| dex.readinessProbe.httpPort | string | `"metrics"` | Http port to use for the readiness probe |
| dex.readinessProbe.httpScheme | string | `"HTTP"` | Scheme to use for for the liveness probe (can be HTTP or HTTPS) |
| dex.readinessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated | | dex.readinessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated |
| dex.readinessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] | | dex.readinessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
| dex.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed | | dex.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
@ -1284,6 +1302,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| applicationSet.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules | | applicationSet.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules |
| applicationSet.allowAnyNamespace | bool | `false` | Enable ApplicationSet in any namespace feature |
| applicationSet.certificate.additionalHosts | list | `[]` | Certificate Subject Alternate Names (SANs) | | applicationSet.certificate.additionalHosts | list | `[]` | Certificate Subject Alternate Names (SANs) |
| applicationSet.certificate.annotations | object | `{}` | Annotations to be applied to the ApplicationSet Certificate | | applicationSet.certificate.annotations | object | `{}` | Annotations to be applied to the ApplicationSet Certificate |
| applicationSet.certificate.domain | string | `""` (defaults to global.domain) | Certificate primary domain (commonName) | | applicationSet.certificate.domain | string | `""` (defaults to global.domain) | Certificate primary domain (commonName) |
@ -1446,6 +1465,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| notifications.secret.create | bool | `true` | Whether helm chart creates notifications controller secret | | notifications.secret.create | bool | `true` | Whether helm chart creates notifications controller secret |
| notifications.secret.items | object | `{}` | Generic key:value pairs to be inserted into the secret | | notifications.secret.items | object | `{}` | Generic key:value pairs to be inserted into the secret |
| notifications.secret.labels | object | `{}` | key:value pairs of labels to be added to the secret | | notifications.secret.labels | object | `{}` | key:value pairs of labels to be added to the secret |
| notifications.secret.name | string | `"argocd-notifications-secret"` | notifications controller Secret name |
| notifications.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | | notifications.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| notifications.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account | | notifications.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| notifications.serviceAccount.create | bool | `true` | Create notifications controller service account | | notifications.serviceAccount.create | bool | `true` | Create notifications controller service account |

357
charts/argo/argo-cd/templates/argocd-application-controller/deployment.yaml Normal file
View File

@ -0,0 +1,357 @@
{{- if .Values.controller.dynamicClusterDistribution }}
apiVersion: apps/v1
kind: Deployment
metadata:
{{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.controller.deploymentAnnotations) }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
name: {{ template "argo-cd.controller.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
spec:
replicas: {{ .Values.controller.replicas }}
revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit | default .Values.global.revisionHistoryLimit }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
template:
metadata:
annotations:
checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }}
{{- if .Values.configs.cm.create }}
checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }}
{{- end }}
{{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.controller.podAnnotations) }}
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 8 }}
{{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.controller.podLabels) }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.controller.imagePullSecrets | default .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.priorityClassName | default .Values.global.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- if .Values.controller.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- end }}
serviceAccountName: {{ include "argo-cd.controller.serviceAccountName" . }}
containers:
- args:
- /usr/local/bin/argocd-application-controller
- --metrics-port={{ .Values.controller.containerPorts.metrics }}
{{- if .Values.controller.metrics.applicationLabels.enabled }}
{{- range .Values.controller.metrics.applicationLabels.labels }}
- --metrics-application-labels
- {{ . }}
{{- end }}
{{- end }}
{{- with .Values.controller.extraArgs }}
{{- toYaml . | nindent 8 }}
{{- end }}
image: {{ default .Values.global.image.repository .Values.controller.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.controller.image.tag }}
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.controller.image.imagePullPolicy }}
name: {{ .Values.controller.name }}
env:
{{- with (concat .Values.global.env .Values.controller.env) }}
{{- toYaml . | nindent 10 }}
{{- end }}
- name: ARGOCD_ENABLE_DYNAMIC_CLUSTER_DISTRIBUTION
value: "true"
- name: ARGOCD_CONTROLLER_HEARTBEAT_TIME
value: {{ .Values.controller.heartbeatTime | quote }}
- name: ARGOCD_APPLICATION_CONTROLLER_NAME
value: {{ template "argo-cd.controller.fullname" . }}
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cm
key: timeout.reconciliation
optional: true
- name: ARGOCD_HARD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cm
key: timeout.hard.reconciliation
optional: true
- name: ARGOCD_RECONCILIATION_JITTER
valueFrom:
configMapKeyRef:
key: timeout.reconciliation.jitter
name: argocd-cm
optional: true
- name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.error.grace.period.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: repo.server
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.server.timeout.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.status.processors
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.operation.processors
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.log.format
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.log.level
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.metrics.cache.expiration
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.self.heal.timeout.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.server.plaintext
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.server.strict.tls
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.resource.health.persist
optional: true
- name: ARGOCD_APP_STATE_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.app.state.cache.expiration
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.server
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.compression
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.db
optional: true
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
key: redis-username
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
key: redis-password
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.default.cache.expiration
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.address
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.insecure
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.headers
optional: true
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: application.namespaces
optional: true
- name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.sharding.algorithm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.kubectl.parallelism.limit
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_MAX
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.k8sclient.retry.max
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.k8sclient.retry.base.backoff
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.diff.server.side
optional: true
{{- with .Values.controller.envFrom }}
envFrom:
{{- toYaml . | nindent 10 }}
{{- end }}
ports:
- name: metrics
containerPort: {{ .Values.controller.containerPorts.metrics }}
protocol: TCP
readinessProbe:
httpGet:
path: /healthz
port: metrics
initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
resources:
{{- toYaml .Values.controller.resources | nindent 10 }}
{{- with .Values.controller.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
workingDir: /home/argocd
volumeMounts:
{{- with .Values.controller.volumeMounts }}
{{- toYaml . | nindent 8 }}
{{- end }}
- mountPath: /app/config/controller/tls
name: argocd-repo-server-tls
- mountPath: /home/argocd
name: argocd-home
{{- with .Values.controller.extraContainers }}
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
{{- with .Values.controller.initContainers }}
initContainers:
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
{{- with include "argo-cd.affinity" (dict "context" . "component" .Values.controller) }}
affinity:
{{- trim . | nindent 8 }}
{{- end }}
{{- with .Values.controller.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations | default .Values.global.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
topologySpreadConstraints:
{{- range $constraint := . }}
- {{ toYaml $constraint | nindent 8 | trim }}
{{- if not $constraint.labelSelector }}
labelSelector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.controller.name) | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
volumes:
{{- with .Values.controller.volumes }}
{{- toYaml . | nindent 6 }}
{{- end }}
- name: argocd-home
emptyDir: {}
- name: argocd-repo-server-tls
secret:
secretName: argocd-repo-server-tls
optional: true
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }}
{{- end }}
{{- with .Values.controller.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- end }}

4
charts/argo/argo-cd/templates/argocd-application-controller/statefulset.yaml
View File

@ -1,3 +1,4 @@
{{- if not .Values.controller.dynamicClusterDistribution | default false }}
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
metadata: metadata:
@ -77,6 +78,8 @@ spec:
{{- end }} {{- end }}
- name: ARGOCD_CONTROLLER_REPLICAS - name: ARGOCD_CONTROLLER_REPLICAS
value: {{ .Values.controller.replicas | quote }} value: {{ .Values.controller.replicas | quote }}
- name: ARGOCD_APPLICATION_CONTROLLER_NAME
value: {{ template "argo-cd.controller.fullname" . }}
- name: ARGOCD_RECONCILIATION_TIMEOUT - name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
@ -350,3 +353,4 @@ spec:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
dnsPolicy: {{ .Values.controller.dnsPolicy }} dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- end }}

89
charts/argo/argo-cd/templates/argocd-applicationset/clusterrole.yaml Normal file
View File

@ -0,0 +1,89 @@
{{- if .Values.applicationSet.allowAnyNamespace }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "argo-cd.applicationSet.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- applicationsets
- applicationsets/finalizers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- argoproj.io
resources:
- applicationsets/status
verbs:
- get
- patch
- update
- apiGroups:
- argoproj.io
resources:
- appprojects
verbs:
- get
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- update
- delete
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- apps
- extensions
resources:
- deployments
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
{{- end }}

17
charts/argo/argo-cd/templates/argocd-applicationset/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if .Values.applicationSet.allowAnyNamespace }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "argo-cd.applicationSet.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "argo-cd.applicationSet.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "argo-cd.applicationSet.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}

4
charts/argo/argo-cd/templates/argocd-applicationset/ingress.yaml
View File

@ -24,7 +24,7 @@ spec:
http: http:
paths: paths:
{{- with .Values.applicationSet.ingress.extraPaths }} {{- with .Values.applicationSet.ingress.extraPaths }}
{{- toYaml . | nindent 10 }} {{- tpl (toYaml .) $ | nindent 10 }}
{{- end }} {{- end }}
- path: {{ .Values.applicationSet.ingress.path }} - path: {{ .Values.applicationSet.ingress.path }}
pathType: {{ .Values.applicationSet.ingress.pathType }} pathType: {{ .Values.applicationSet.ingress.pathType }}
@ -46,7 +46,7 @@ spec:
number: {{ $.Values.applicationSet.service.port }} number: {{ $.Values.applicationSet.service.port }}
{{- end }} {{- end }}
{{- with .Values.applicationSet.ingress.extraRules }} {{- with .Values.applicationSet.ingress.extraRules }}
{{- toYaml . | nindent 4 }} {{- tpl (toYaml .) $ | nindent 4 }}
{{- end }} {{- end }}
{{- if or .Values.applicationSet.ingress.tls .Values.applicationSet.ingress.extraTls }} {{- if or .Values.applicationSet.ingress.tls .Values.applicationSet.ingress.extraTls }}
tls: tls:

2
charts/argo/argo-cd/templates/argocd-configs/argocd-notifications-secret.yaml
View File

@ -2,7 +2,7 @@
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: argocd-notifications-secret name: {{ .Values.notifications.secret.name }}
namespace: {{ .Release.Namespace | quote }} namespace: {{ .Release.Namespace | quote }}
labels: labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }} {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}

4
charts/argo/argo-cd/templates/argocd-notifications/clusterrole.yaml
View File

@ -38,14 +38,12 @@ rules:
verbs: verbs:
- get - get
{{- end }} {{- end }}
{{- if .Values.notifications.secret.create }}
- apiGroups: - apiGroups:
- "" - ""
resourceNames: resourceNames:
- argocd-notifications-secret - {{ .Values.notifications.secret.name }}
resources: resources:
- secrets - secrets
verbs: verbs:
- get - get
{{- end }}
{{- end }} {{- end }}

1
charts/argo/argo-cd/templates/argocd-notifications/deployment.yaml
View File

@ -66,6 +66,7 @@ spec:
- --logformat={{ default .Values.global.logging.format .Values.notifications.logFormat }} - --logformat={{ default .Values.global.logging.format .Values.notifications.logFormat }}
- --namespace={{ .Release.Namespace }} - --namespace={{ .Release.Namespace }}
- --argocd-repo-server={{ template "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }} - --argocd-repo-server={{ template "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }}
- --secret-name={{ .Values.notifications.secret.name }}
{{- range .Values.notifications.extraArgs }} {{- range .Values.notifications.extraArgs }}
- {{ . | squote }} - {{ . | squote }}
{{- end }} {{- end }}

2
charts/argo/argo-cd/templates/argocd-notifications/role.yaml
View File

@ -37,7 +37,7 @@ rules:
- apiGroups: - apiGroups:
- "" - ""
resourceNames: resourceNames:
- argocd-notifications-secret - {{ .Values.notifications.secret.name }}
resources: resources:
- secrets - secrets
verbs: verbs:

2
charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml
View File

@ -85,6 +85,8 @@ spec:
- name: USER_NAME - name: USER_NAME
value: argocd value: argocd
{{- end }} {{- end }}
- name: ARGOCD_REPO_SERVER_NAME
value: {{ template "argo-cd.repoServer.fullname" . }}
- name: ARGOCD_RECONCILIATION_TIMEOUT - name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:

4
charts/argo/argo-cd/templates/argocd-server/aws/ingress.yaml
View File

@ -26,7 +26,7 @@ spec:
http: http:
paths: paths:
{{- with .Values.server.ingress.extraPaths }} {{- with .Values.server.ingress.extraPaths }}
{{- toYaml . | nindent 10 }} {{- tpl (toYaml .) $ | nindent 10 }}
{{- end }} {{- end }}
- path: {{ .Values.server.ingress.path }} - path: {{ .Values.server.ingress.path }}
pathType: {{ $.Values.server.ingressGrpc.pathType }} pathType: {{ $.Values.server.ingressGrpc.pathType }}
@ -55,7 +55,7 @@ spec:
number: {{ $servicePort }} number: {{ $servicePort }}
{{- end }} {{- end }}
{{- with .Values.server.ingress.extraRules }} {{- with .Values.server.ingress.extraRules }}
{{- toYaml . | nindent 4 }} {{- tpl (toYaml .) $ | nindent 4 }}
{{- end }} {{- end }}
{{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }} {{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }}
tls: tls:

2
charts/argo/argo-cd/templates/argocd-server/deployment.yaml
View File

@ -75,6 +75,8 @@ spec:
{{- with (concat .Values.global.env .Values.server.env) }} {{- with (concat .Values.global.env .Values.server.env) }}
{{- toYaml . | nindent 10 }} {{- toYaml . | nindent 10 }}
{{- end }} {{- end }}
- name: ARGOCD_SERVER_NAME
value: {{ template "argo-cd.server.fullname" . }}
- name: ARGOCD_SERVER_INSECURE - name: ARGOCD_SERVER_INSECURE
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:

4
charts/argo/argo-cd/templates/argocd-server/gke/ingress.yaml
View File

@ -31,7 +31,7 @@ spec:
http: http:
paths: paths:
{{- with .Values.server.ingress.extraPaths }} {{- with .Values.server.ingress.extraPaths }}
{{- toYaml . | nindent 10 }} {{- tpl (toYaml .) $ | nindent 10 }}
{{- end }} {{- end }}
- path: {{ .Values.server.ingress.path }} - path: {{ .Values.server.ingress.path }}
pathType: {{ .Values.server.ingress.pathType }} pathType: {{ .Values.server.ingress.pathType }}
@ -53,7 +53,7 @@ spec:
number: {{ $servicePort }} number: {{ $servicePort }}
{{- end }} {{- end }}
{{- with .Values.server.ingress.extraRules }} {{- with .Values.server.ingress.extraRules }}
{{- toYaml . | nindent 4 }} {{- tpl (toYaml .) $ | nindent 4 }}
{{- end }} {{- end }}
{{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }} {{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }}
tls: tls:

8
charts/argo/argo-cd/templates/argocd-server/ingress-grpc.yaml
View File

@ -1,4 +1,4 @@
{{- if and .Values.server.ingressGrpc.enabled (eq .Values.server.ingress.controller "generic") -}} {{- if .Values.server.ingressGrpc.enabled -}}
{{- $hostname := printf "grpc.%s" (.Values.server.ingress.hostname | default .Values.global.domain) -}} {{- $hostname := printf "grpc.%s" (.Values.server.ingress.hostname | default .Values.global.domain) -}}
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
@ -25,7 +25,7 @@ spec:
http: http:
paths: paths:
{{- with .Values.server.ingressGrpc.extraPaths }} {{- with .Values.server.ingressGrpc.extraPaths }}
{{- toYaml . | nindent 10 }} {{- tpl (toYaml .) $ | nindent 10 }}
{{- end }} {{- end }}
- path: {{ .Values.server.ingressGrpc.path }} - path: {{ .Values.server.ingressGrpc.path }}
pathType: {{ .Values.server.ingressGrpc.pathType }} pathType: {{ .Values.server.ingressGrpc.pathType }}
@ -47,13 +47,13 @@ spec:
number: {{ $.Values.server.service.servicePortHttps }} number: {{ $.Values.server.service.servicePortHttps }}
{{- end }} {{- end }}
{{- with .Values.server.ingressGrpc.extraRules }} {{- with .Values.server.ingressGrpc.extraRules }}
{{- toYaml . | nindent 4 }} {{- tpl (toYaml .) $ | nindent 4 }}
{{- end }} {{- end }}
{{- if or .Values.server.ingressGrpc.tls .Values.server.ingressGrpc.extraTls }} {{- if or .Values.server.ingressGrpc.tls .Values.server.ingressGrpc.extraTls }}
tls: tls:
{{- if .Values.server.ingressGrpc.tls }} {{- if .Values.server.ingressGrpc.tls }}
- hosts: - hosts:
- {{ $hostname }} - {{ .Values.server.ingressGrpc.hostname | default $hostname }}
secretName: argocd-server-grpc-tls secretName: argocd-server-grpc-tls
{{- end }} {{- end }}
{{- with .Values.server.ingressGrpc.extraTls }} {{- with .Values.server.ingressGrpc.extraTls }}

4
charts/argo/argo-cd/templates/argocd-server/ingress.yaml
View File

@ -26,7 +26,7 @@ spec:
http: http:
paths: paths:
{{- with .Values.server.ingress.extraPaths }} {{- with .Values.server.ingress.extraPaths }}
{{- toYaml . | nindent 10 }} {{- tpl (toYaml .) $ | nindent 10 }}
{{- end }} {{- end }}
- path: {{ .Values.server.ingress.path }} - path: {{ .Values.server.ingress.path }}
pathType: {{ $.Values.server.ingress.pathType }} pathType: {{ $.Values.server.ingress.pathType }}
@ -48,7 +48,7 @@ spec:
number: {{ $servicePort }} number: {{ $servicePort }}
{{- end }} {{- end }}
{{- with .Values.server.ingress.extraRules }} {{- with .Values.server.ingress.extraRules }}
{{- toYaml . | nindent 4 }} {{- tpl (toYaml .) $ | nindent 4 }}
{{- end }} {{- end }}
{{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }} {{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }}
tls: tls:

10
charts/argo/argo-cd/templates/dex/deployment.yaml
View File

@ -99,8 +99,9 @@ spec:
{{- if .Values.dex.livenessProbe.enabled }} {{- if .Values.dex.livenessProbe.enabled }}
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz/live path: {{ .Values.dex.livenessProbe.httpPath }}
port: metrics port: {{ .Values.dex.livenessProbe.httpPort }}
scheme: {{ .Values.dex.livenessProbe.httpScheme }}
initialDelaySeconds: {{ .Values.dex.livenessProbe.initialDelaySeconds }} initialDelaySeconds: {{ .Values.dex.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.dex.livenessProbe.periodSeconds }} periodSeconds: {{ .Values.dex.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.dex.livenessProbe.timeoutSeconds }} timeoutSeconds: {{ .Values.dex.livenessProbe.timeoutSeconds }}
@ -110,8 +111,9 @@ spec:
{{- if .Values.dex.readinessProbe.enabled }} {{- if .Values.dex.readinessProbe.enabled }}
readinessProbe: readinessProbe:
httpGet: httpGet:
path: /healthz/ready path: {{ .Values.dex.readinessProbe.httpPath }}
port: metrics port: {{ .Values.dex.readinessProbe.httpPort }}
scheme: {{ .Values.dex.readinessProbe.httpScheme }}
initialDelaySeconds: {{ .Values.dex.readinessProbe.initialDelaySeconds }} initialDelaySeconds: {{ .Values.dex.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.dex.readinessProbe.periodSeconds }} periodSeconds: {{ .Values.dex.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.dex.readinessProbe.timeoutSeconds }} timeoutSeconds: {{ .Values.dex.readinessProbe.timeoutSeconds }}

2
charts/argo/argo-cd/templates/redis/deployment.yaml
View File

@ -193,7 +193,7 @@ spec:
- name: health - name: health
configMap: configMap:
name: {{ include "argo-cd.redis.fullname" . }}-health-configmap name: {{ include "argo-cd.redis.fullname" . }}-health-configmap
defaultMode: 0755 defaultMode: 493
{{- with .Values.redis.volumes }} {{- with .Values.redis.volumes }}
{{- toYaml . | nindent 8}} {{- toYaml . | nindent 8}}
{{- end }} {{- end }}

79
charts/argo/argo-cd/values.yaml
View File

@ -577,8 +577,22 @@ controller:
# -- The number of application controller pods to run. # -- The number of application controller pods to run.
# Additional replicas will cause sharding of managed clusters across number of replicas. # Additional replicas will cause sharding of managed clusters across number of replicas.
## With dynamic cluster distribution turned on, sharding of the clusters will gracefully
## rebalance if the number of replica's changes or one becomes unhealthy. (alpha)
replicas: 1 replicas: 1
# -- Enable dynamic cluster distribution (alpha)
# Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution
## This is done using a deployment instead of a statefulSet
## When replicas are added or removed, the sharding algorithm is re-run to ensure that the
## clusters are distributed according to the algorithm. If the algorithm is well-balanced,
## like round-robin, then the shards will be well-balanced.
dynamicClusterDistribution: false
# -- Application controller heartbeat time
# Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution/#working-of-dynamic-distribution
heartbeatTime: 10
# -- Maximum number of controller revisions that will be maintained in StatefulSet history # -- Maximum number of controller revisions that will be maintained in StatefulSet history
revisionHistoryLimit: 5 revisionHistoryLimit: 5
@ -662,6 +676,9 @@ controller:
# -- Annotations for the application controller StatefulSet # -- Annotations for the application controller StatefulSet
statefulsetAnnotations: {} statefulsetAnnotations: {}
# -- Annotations for the application controller Deployment
deploymentAnnotations: {}
# -- Annotations to be added to application controller pods # -- Annotations to be added to application controller pods
podAnnotations: {} podAnnotations: {}
@ -1039,6 +1056,12 @@ dex:
livenessProbe: livenessProbe:
# -- Enable Kubernetes liveness probe for Dex >= 2.28.0 # -- Enable Kubernetes liveness probe for Dex >= 2.28.0
enabled: false enabled: false
# -- Http path to use for the liveness probe
httpPath: /healthz/live
# -- Http port to use for the liveness probe
httpPort: metrics
# -- Scheme to use for for the liveness probe (can be HTTP or HTTPS)
httpScheme: HTTP
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
failureThreshold: 3 failureThreshold: 3
# -- Number of seconds after the container has started before [probe] is initiated # -- Number of seconds after the container has started before [probe] is initiated
@ -1053,6 +1076,12 @@ dex:
readinessProbe: readinessProbe:
# -- Enable Kubernetes readiness probe for Dex >= 2.28.0 # -- Enable Kubernetes readiness probe for Dex >= 2.28.0
enabled: false enabled: false
# -- Http path to use for the readiness probe
httpPath: /healthz/ready
# -- Http port to use for the readiness probe
httpPort: metrics
# -- Scheme to use for for the liveness probe (can be HTTP or HTTPS)
httpScheme: HTTP
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
failureThreshold: 3 failureThreshold: 3
# -- Number of seconds after the container has started before [probe] is initiated # -- Number of seconds after the container has started before [probe] is initiated
@ -2009,6 +2038,7 @@ server:
# -- Additional ingress paths # -- Additional ingress paths
# @default -- `[]` (See [values.yaml]) # @default -- `[]` (See [values.yaml])
## Note: Supports use of custom Helm templates
extraPaths: [] extraPaths: []
# - path: /* # - path: /*
# pathType: Prefix # pathType: Prefix
@ -2020,15 +2050,17 @@ server:
# -- Additional ingress rules # -- Additional ingress rules
# @default -- `[]` (See [values.yaml]) # @default -- `[]` (See [values.yaml])
## Note: Supports use of custom Helm templates
extraRules: [] extraRules: []
# - host: example.example.com # - http:
# http: # paths:
# path: / # - path: /
# pathType: Prefix
# backend: # backend:
# service: # service:
# name: example-svc # name: '{{ include "argo-cd.server.fullname" . }}'
# port: # port:
# name: http # name: '{{ .Values.server.service.servicePortHttpsName }}'
# -- Additional TLS configuration # -- Additional TLS configuration
# @default -- `[]` (See [values.yaml]) # @default -- `[]` (See [values.yaml])
@ -2042,8 +2074,9 @@ server:
## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#aws-application-load-balancers-albs-and-classic-elb-http-mode ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#aws-application-load-balancers-albs-and-classic-elb-http-mode
aws: aws:
# -- Backend protocol version for the AWS ALB gRPC service # -- Backend protocol version for the AWS ALB gRPC service
## This tells AWS to send traffic from the ALB using HTTP2. Can use gRPC as well if you want to leverage gRPC specific features ## This tells AWS to send traffic from the ALB using gRPC.
backendProtocolVersion: HTTP2 ## For more information: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html#health-check-settings
backendProtocolVersion: GRPC
# -- Service type for the AWS ALB gRPC service # -- Service type for the AWS ALB gRPC service
## Can be of type NodePort or ClusterIP depending on which mode you are running. ## Can be of type NodePort or ClusterIP depending on which mode you are running.
## Instance mode needs type NodePort, IP mode needs type ClusterIP ## Instance mode needs type NodePort, IP mode needs type ClusterIP
@ -2114,6 +2147,7 @@ server:
# -- Additional ingress paths for dedicated [gRPC-ingress] # -- Additional ingress paths for dedicated [gRPC-ingress]
# @default -- `[]` (See [values.yaml]) # @default -- `[]` (See [values.yaml])
## Note: Supports use of custom Helm templates
extraPaths: [] extraPaths: []
# - path: /* # - path: /*
# pathType: Prefix # pathType: Prefix
@ -2125,15 +2159,17 @@ server:
# -- Additional ingress rules # -- Additional ingress rules
# @default -- `[]` (See [values.yaml]) # @default -- `[]` (See [values.yaml])
## Note: Supports use of custom Helm templates
extraRules: [] extraRules: []
# - host: example.example.com # - http:
# http: # paths:
# path: / # - path: /
# pathType: Prefix
# backend: # backend:
# service: # service:
# name: example-svc # name: '{{ include "argo-cd.server.fullname" . }}'
# port: # port:
# name: http # name: '{{ .Values.server.service.servicePortHttpName }}'
# -- Additional TLS configuration for dedicated [gRPC-ingress] # -- Additional TLS configuration for dedicated [gRPC-ingress]
# @default -- `[]` (See [values.yaml]) # @default -- `[]` (See [values.yaml])
@ -2874,15 +2910,17 @@ applicationSet:
# -- Additional ingress rules # -- Additional ingress rules
# @default -- `[]` (See [values.yaml]) # @default -- `[]` (See [values.yaml])
## Note: Supports use of custom Helm templates
extraRules: [] extraRules: []
# - host: example.example.com # - http:
# http: # paths:
# path: / # - path: /api/webhook
# pathType: Prefix
# backend: # backend:
# service: # service:
# name: example-svc # name: '{{ include "argo-cd.applicationSet.fullname" . }}'
# port: # port:
# name: http # name: '{{ .Values.applicationSet.service.portName }}'
# -- Additional ingress TLS configuration # -- Additional ingress TLS configuration
# @default -- `[]` (See [values.yaml]) # @default -- `[]` (See [values.yaml])
@ -2890,7 +2928,8 @@ applicationSet:
# - secretName: argocd-applicationset-tls # - secretName: argocd-applicationset-tls
# hosts: # hosts:
# - argocd-applicationset.example.com # - argocd-applicationset.example.com
# -- Enable ApplicationSet in any namespace feature
allowAnyNamespace: false
## Notifications controller ## Notifications controller
notifications: notifications:
# -- Enable notifications controller # -- Enable notifications controller
@ -2978,8 +3017,12 @@ notifications:
secret: secret:
# -- Whether helm chart creates notifications controller secret # -- Whether helm chart creates notifications controller secret
## If true, will create a secret with the name below. Otherwise, will assume existence of a secret with that name.
create: true create: true
# -- notifications controller Secret name
name: "argocd-notifications-secret"
# -- key:value pairs of annotations to be added to the secret # -- key:value pairs of annotations to be added to the secret
annotations: {} annotations: {}

10
charts/bitnami/airflow/Chart.lock
View File

@ -1,12 +1,12 @@
dependencies: dependencies:
- name: redis - name: redis
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
version: 18.13.0 version: 18.19.2
- name: postgresql - name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
version: 13.4.4 version: 14.3.3
- name: common - name: common
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
version: 2.15.3 version: 2.19.0
digest: sha256:dd4296369ab03a8c9f1940b4fc34ba57020a63afa6f761220f4f1249ab9e9e08 digest: sha256:ef8c5318de55f20f28fd5f98a2201bf883baab63e2faf37ef4b4d05ec14a0635
generated: "2024-02-14T12:34:36.945245545+01:00" generated: "2024-03-13T11:46:34.191714+01:00"

24
charts/bitnami/airflow/Chart.yaml
View File

@ -5,21 +5,21 @@ annotations:
catalog.cattle.io/release-name: airflow catalog.cattle.io/release-name: airflow
category: WorkFlow category: WorkFlow
images: | images: |
- name: airflow-exporter
image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-11-r448
- name: airflow-scheduler
image: docker.io/bitnami/airflow-scheduler:2.8.1-debian-11-r4
- name: airflow-worker
image: docker.io/bitnami/airflow-worker:2.8.1-debian-11-r4
- name: airflow - name: airflow
image: docker.io/bitnami/airflow:2.8.1-debian-11-r4 image: docker.io/bitnami/airflow:2.8.3-debian-12-r0
- name: airflow-exporter
image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-12-r27
- name: airflow-scheduler
image: docker.io/bitnami/airflow-scheduler:2.8.3-debian-12-r0
- name: airflow-worker
image: docker.io/bitnami/airflow-worker:2.8.3-debian-12-r0
- name: git - name: git
image: docker.io/bitnami/git:2.43.0-debian-11-r9 image: docker.io/bitnami/git:2.44.0-debian-12-r0
- name: os-shell - name: os-shell
image: docker.io/bitnami/os-shell:11-debian-11-r96 image: docker.io/bitnami/os-shell:12-debian-12-r16
licenses: Apache-2.0 licenses: Apache-2.0
apiVersion: v2 apiVersion: v2
appVersion: 2.8.1 appVersion: 2.8.3
dependencies: dependencies:
- condition: redis.enabled - condition: redis.enabled
name: redis name: redis
@ -28,7 +28,7 @@ dependencies:
- condition: postgresql.enabled - condition: postgresql.enabled
name: postgresql name: postgresql
repository: file://./charts/postgresql repository: file://./charts/postgresql
version: 13.x.x version: 14.x.x
- name: common - name: common
repository: file://./charts/common repository: file://./charts/common
tags: tags:
@ -50,4 +50,4 @@ maintainers:
name: airflow name: airflow
sources: sources:
- https://github.com/bitnami/charts/tree/main/bitnami/airflow - https://github.com/bitnami/charts/tree/main/bitnami/airflow
version: 16.7.0 version: 17.2.4

15
charts/bitnami/airflow/README.md
View File

@ -56,10 +56,11 @@ The command removes all the Kubernetes components associated with the chart and
### Global parameters ### Global parameters
| Name | Description | Value | | Name | Description | Value |
| ------------------------- | ----------------------------------------------- | ----- | | ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `global.imageRegistry` | Global Docker image registry | `""` | | `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | | `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | | `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
### Common parameters ### Common parameters
@ -155,9 +156,11 @@ The command removes all the Kubernetes components associated with the chart and
| `web.containerSecurityContext.enabled` | Enabled Airflow web containers' Security Context | `true` | | `web.containerSecurityContext.enabled` | Enabled Airflow web containers' Security Context | `true` |
| `web.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `web.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `web.containerSecurityContext.runAsUser` | Set Airflow web containers' Security Context runAsUser | `1001` | | `web.containerSecurityContext.runAsUser` | Set Airflow web containers' Security Context runAsUser | `1001` |
| `web.containerSecurityContext.runAsGroup` | Set Airflow web containers' Security Context runAsGroup | `0` |
| `web.containerSecurityContext.runAsNonRoot` | Set Airflow web containers' Security Context runAsNonRoot | `true` | | `web.containerSecurityContext.runAsNonRoot` | Set Airflow web containers' Security Context runAsNonRoot | `true` |
| `web.containerSecurityContext.privileged` | Set web container's Security Context privileged | `false` | | `web.containerSecurityContext.privileged` | Set web container's Security Context privileged | `false` |
| `web.containerSecurityContext.allowPrivilegeEscalation` | Set web container's Security Context allowPrivilegeEscalation | `false` | | `web.containerSecurityContext.allowPrivilegeEscalation` | Set web container's Security Context allowPrivilegeEscalation | `false` |
| `web.containerSecurityContext.readOnlyRootFilesystem` | Set web container's Security Context readOnlyRootFilesystem | `false` |
| `web.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `web.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `web.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `web.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `web.lifecycleHooks` | for the Airflow web container(s) to automate configuration before or after startup | `{}` | | `web.lifecycleHooks` | for the Airflow web container(s) to automate configuration before or after startup | `{}` |
@ -236,9 +239,11 @@ The command removes all the Kubernetes components associated with the chart and
| `scheduler.containerSecurityContext.enabled` | Enabled Airflow scheduler containers' Security Context | `true` | | `scheduler.containerSecurityContext.enabled` | Enabled Airflow scheduler containers' Security Context | `true` |
| `scheduler.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `scheduler.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `scheduler.containerSecurityContext.runAsUser` | Set Airflow scheduler containers' Security Context runAsUser | `1001` | | `scheduler.containerSecurityContext.runAsUser` | Set Airflow scheduler containers' Security Context runAsUser | `1001` |
| `scheduler.containerSecurityContext.runAsGroup` | Set Airflow scheduler containers' Security Context runAsGroup | `0` |
| `scheduler.containerSecurityContext.runAsNonRoot` | Set Airflow scheduler containers' Security Context runAsNonRoot | `true` | | `scheduler.containerSecurityContext.runAsNonRoot` | Set Airflow scheduler containers' Security Context runAsNonRoot | `true` |
| `scheduler.containerSecurityContext.privileged` | Set scheduler container's Security Context privileged | `false` | | `scheduler.containerSecurityContext.privileged` | Set scheduler container's Security Context privileged | `false` |
| `scheduler.containerSecurityContext.allowPrivilegeEscalation` | Set scheduler container's Security Context allowPrivilegeEscalation | `false` | | `scheduler.containerSecurityContext.allowPrivilegeEscalation` | Set scheduler container's Security Context allowPrivilegeEscalation | `false` |
| `scheduler.containerSecurityContext.readOnlyRootFilesystem` | Set scheduler container's Security Context readOnlyRootFilesystem | `false` |
| `scheduler.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `scheduler.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `scheduler.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `scheduler.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `scheduler.lifecycleHooks` | for the Airflow scheduler container(s) to automate configuration before or after startup | `{}` | | `scheduler.lifecycleHooks` | for the Airflow scheduler container(s) to automate configuration before or after startup | `{}` |
@ -324,9 +329,11 @@ The command removes all the Kubernetes components associated with the chart and
| `worker.containerSecurityContext.enabled` | Enabled Airflow worker containers' Security Context | `true` | | `worker.containerSecurityContext.enabled` | Enabled Airflow worker containers' Security Context | `true` |
| `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `worker.containerSecurityContext.runAsUser` | Set Airflow worker containers' Security Context runAsUser | `1001` | | `worker.containerSecurityContext.runAsUser` | Set Airflow worker containers' Security Context runAsUser | `1001` |
| `worker.containerSecurityContext.runAsGroup` | Set Airflow worker containers' Security Context runAsGroup | `0` |
| `worker.containerSecurityContext.runAsNonRoot` | Set Airflow worker containers' Security Context runAsNonRoot | `true` | | `worker.containerSecurityContext.runAsNonRoot` | Set Airflow worker containers' Security Context runAsNonRoot | `true` |
| `worker.containerSecurityContext.privileged` | Set worker container's Security Context privileged | `false` | | `worker.containerSecurityContext.privileged` | Set worker container's Security Context privileged | `false` |
| `worker.containerSecurityContext.allowPrivilegeEscalation` | Set worker container's Security Context allowPrivilegeEscalation | `false` | | `worker.containerSecurityContext.allowPrivilegeEscalation` | Set worker container's Security Context allowPrivilegeEscalation | `false` |
| `worker.containerSecurityContext.readOnlyRootFilesystem` | Set worker container's Security Context readOnlyRootFilesystem | `false` |
| `worker.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `worker.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `worker.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `worker.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `worker.lifecycleHooks` | for the Airflow worker container(s) to automate configuration before or after startup | `{}` | | `worker.lifecycleHooks` | for the Airflow worker container(s) to automate configuration before or after startup | `{}` |
@ -486,9 +493,11 @@ The command removes all the Kubernetes components associated with the chart and
| `metrics.containerSecurityContext.enabled` | Enable Airflow exporter containers' Security Context | `true` | | `metrics.containerSecurityContext.enabled` | Enable Airflow exporter containers' Security Context | `true` |
| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `metrics.containerSecurityContext.runAsUser` | Set Airflow exporter containers' Security Context runAsUser | `1001` | | `metrics.containerSecurityContext.runAsUser` | Set Airflow exporter containers' Security Context runAsUser | `1001` |
| `metrics.containerSecurityContext.runAsGroup` | Set Airflow exporter containers' Security Context runAsGroup | `0` |
| `metrics.containerSecurityContext.runAsNonRoot` | Set Airflow exporter containers' Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.runAsNonRoot` | Set Airflow exporter containers' Security Context runAsNonRoot | `true` |
| `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` | | `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` |
| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set metrics container's Security Context allowPrivilegeEscalation | `false` | | `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set metrics container's Security Context allowPrivilegeEscalation | `false` |
| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set metrics container's Security Context readOnlyRootFilesystem | `false` |
| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `metrics.lifecycleHooks` | for the Airflow exporter container(s) to automate configuration before or after startup | `{}` | | `metrics.lifecycleHooks` | for the Airflow exporter container(s) to automate configuration before or after startup | `{}` |
@ -765,6 +774,10 @@ Find more information about how to deal with common errors related to Bitnami's
## Upgrading ## Upgrading
### To 17.0.0
This major release bumps the PostgreSQL chart version to [14.x.x](https://github.com/bitnami/charts/pull/22750); no major issues are expected during the upgrade.
### To 16.0.0 ### To 16.0.0
This major updates the PostgreSQL subchart to its newest major, 13.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1300) you can find more information about the changes introduced in that version. This major updates the PostgreSQL subchart to its newest major, 13.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1300) you can find more information about the changes introduced in that version.

4
charts/bitnami/airflow/charts/common/Chart.yaml
View File

@ -2,7 +2,7 @@ annotations:
category: Infrastructure category: Infrastructure
licenses: Apache-2.0 licenses: Apache-2.0
apiVersion: v2 apiVersion: v2
appVersion: 2.14.1 appVersion: 2.19.0
description: A Library Helm Chart for grouping common logic between bitnami charts. description: A Library Helm Chart for grouping common logic between bitnami charts.
This chart is not deployable by itself. This chart is not deployable by itself.
home: https://bitnami.com home: https://bitnami.com
@ -20,4 +20,4 @@ name: common
sources: sources:
- https://github.com/bitnami/charts - https://github.com/bitnami/charts
type: library type: library
version: 2.15.3 version: 2.19.0

39
charts/bitnami/airflow/charts/common/templates/_compatibility.tpl Normal file
View File

@ -0,0 +1,39 @@
{{/*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Return true if the detected platform is Openshift
Usage:
{{- include "common.compatibility.isOpenshift" . -}}
*/}}
{{- define "common.compatibility.isOpenshift" -}}
{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
Usage:
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
*/}}
{{- define "common.compatibility.renderSecurityContext" -}}
{{- $adaptedContext := .secContext -}}
{{- if .context.Values.global.compatibility -}}
{{- if .context.Values.global.compatibility.openshift -}}
{{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
{{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
{{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
{{- if not .secContext.seLinuxOptions -}}
{{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
{{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- omit $adaptedContext "enabled" | toYaml -}}
{{- end -}}

30
charts/bitnami/airflow/charts/common/templates/_resources.tpl
View File

@ -11,35 +11,35 @@ These presets are for basic testing and not meant to be used in production
{{ include "common.resources.preset" (dict "type" "nano") -}} {{ include "common.resources.preset" (dict "type" "nano") -}}
*/}} */}}
{{- define "common.resources.preset" -}} {{- define "common.resources.preset" -}}
{{/* The limits are the requests increased by 50% */}} {{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
{{- $presets := dict {{- $presets := dict
"nano" (dict "nano" (dict
"requests" (dict "cpu" "100m" "memory" "128Mi") "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "150m" "memory" "192Mi") "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
) )
"micro" (dict "micro" (dict
"requests" (dict "cpu" "250m" "memory" "256Mi") "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "375m" "memory" "384Mi") "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
) )
"small" (dict "small" (dict
"requests" (dict "cpu" "500m" "memory" "512Mi") "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "750m" "memory" "768Mi") "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
) )
"medium" (dict "medium" (dict
"requests" (dict "cpu" "500m" "memory" "1024Mi") "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "750m" "memory" "1536Mi") "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
) )
"large" (dict "large" (dict
"requests" (dict "cpu" "1.0" "memory" "2048Mi") "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "1.5" "memory" "3072Mi") "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
) )
"xlarge" (dict "xlarge" (dict
"requests" (dict "cpu" "2.0" "memory" "4096Mi") "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "3.0" "memory" "6144Mi") "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
) )
"2xlarge" (dict "2xlarge" (dict
"requests" (dict "cpu" "4.0" "memory" "8192Mi") "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "6.0" "memory" "12288Mi") "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
) )
}} }}
{{- if hasKey $presets .type -}} {{- if hasKey $presets .type -}}

6
charts/bitnami/airflow/charts/postgresql/Chart.lock
View File

@ -1,6 +1,6 @@
dependencies: dependencies:
- name: common - name: common
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
version: 2.14.1 version: 2.19.0
digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3 digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
generated: "2023-12-20T20:39:13.141839286Z" generated: "2024-03-11T20:27:44.112846437Z"

10
charts/bitnami/airflow/charts/postgresql/Chart.yaml
View File

@ -2,14 +2,14 @@ annotations:
category: Database category: Database
images: | images: |
- name: os-shell - name: os-shell
image: docker.io/bitnami/os-shell:11-debian-11-r95 image: docker.io/bitnami/os-shell:12-debian-12-r16
- name: postgres-exporter - name: postgres-exporter
image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r7 image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
- name: postgresql - name: postgresql
image: docker.io/bitnami/postgresql:16.1.0-debian-11-r25 image: docker.io/bitnami/postgresql:16.2.0-debian-12-r8
licenses: Apache-2.0 licenses: Apache-2.0
apiVersion: v2 apiVersion: v2
appVersion: 16.1.0 appVersion: 16.2.0
dependencies: dependencies:
- name: common - name: common
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
@ -34,4 +34,4 @@ maintainers:
name: postgresql name: postgresql
sources: sources:
- https://github.com/bitnami/charts/tree/main/bitnami/postgresql - https://github.com/bitnami/charts/tree/main/bitnami/postgresql
version: 13.4.4 version: 14.3.3

82
charts/bitnami/airflow/charts/postgresql/README.md
View File

@ -67,7 +67,7 @@ kubectl delete pvc -l release=my-release
### Global parameters ### Global parameters
| Name | Description | Value | | Name | Description | Value |
| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | | ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `global.imageRegistry` | Global Docker image registry | `""` | | `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | | `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | | `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
@ -80,6 +80,7 @@ kubectl delete pvc -l release=my-release
| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | | `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | | `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` | | `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
### Common parameters ### Common parameters
@ -160,7 +161,7 @@ kubectl delete pvc -l release=my-release
### PostgreSQL Primary parameters ### PostgreSQL Primary parameters
| Name | Description | Value | | Name | Description | Value |
| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- | | ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` | | `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` |
| `primary.configuration` | PostgreSQL Primary main configuration to be injected as ConfigMap | `""` | | `primary.configuration` | PostgreSQL Primary main configuration to be injected as ConfigMap | `""` |
| `primary.pgHbaConfiguration` | PostgreSQL Primary client authentication configuration | `""` | | `primary.pgHbaConfiguration` | PostgreSQL Primary client authentication configuration | `""` |
@ -204,9 +205,8 @@ kubectl delete pvc -l release=my-release
| `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | | `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` | | `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` |
| `primary.resources.limits` | The resources limits for the PostgreSQL Primary containers | `{}` | | `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `none` |
| `primary.resources.requests.memory` | The requested memory for the PostgreSQL Primary containers | `256Mi` | | `primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `primary.resources.requests.cpu` | The requested cpu for the PostgreSQL Primary containers | `250m` |
| `primary.podSecurityContext.enabled` | Enable security context | `true` | | `primary.podSecurityContext.enabled` | Enable security context | `true` |
| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | | `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | | `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
@ -215,6 +215,7 @@ kubectl delete pvc -l release=my-release
| `primary.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | | `primary.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `primary.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `primary.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `primary.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `primary.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `primary.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `primary.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | | `primary.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | | `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@ -248,6 +249,13 @@ kubectl delete pvc -l release=my-release
| `primary.sidecars` | Add additional sidecar containers to the PostgreSQL Primary pod(s) | `[]` | | `primary.sidecars` | Add additional sidecar containers to the PostgreSQL Primary pod(s) | `[]` |
| `primary.initContainers` | Add additional init containers to the PostgreSQL Primary pod(s) | `[]` | | `primary.initContainers` | Add additional init containers to the PostgreSQL Primary pod(s) | `[]` |
| `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` | | `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` |
| `primary.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `primary.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `primary.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `primary.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
| `primary.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `primary.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `primary.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| `primary.service.type` | Kubernetes Service type | `ClusterIP` | | `primary.service.type` | Kubernetes Service type | `ClusterIP` |
| `primary.service.ports.postgresql` | PostgreSQL service port | `5432` | | `primary.service.ports.postgresql` | PostgreSQL service port | `5432` |
| `primary.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | | `primary.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` |
@ -278,7 +286,7 @@ kubectl delete pvc -l release=my-release
### PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`) ### PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`)
| Name | Description | Value | | Name | Description | Value |
| ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- | | ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------- |
| `readReplicas.name` | Name of the read replicas database (eg secondary, slave, ...) | `read` | | `readReplicas.name` | Name of the read replicas database (eg secondary, slave, ...) | `read` |
| `readReplicas.replicaCount` | Number of PostgreSQL read only replicas | `1` | | `readReplicas.replicaCount` | Number of PostgreSQL read only replicas | `1` |
| `readReplicas.extendedConfiguration` | Extended PostgreSQL read only replicas configuration (appended to main or default configuration) | `""` | | `readReplicas.extendedConfiguration` | Extended PostgreSQL read only replicas configuration (appended to main or default configuration) | `""` |
@ -309,9 +317,8 @@ kubectl delete pvc -l release=my-release
| `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | | `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` | | `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` |
| `readReplicas.resources.limits` | The resources limits for the PostgreSQL read only containers | `{}` | | `readReplicas.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production). | `none` |
| `readReplicas.resources.requests.memory` | The requested memory for the PostgreSQL read only containers | `256Mi` | | `readReplicas.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `readReplicas.resources.requests.cpu` | The requested cpu for the PostgreSQL read only containers | `250m` |
| `readReplicas.podSecurityContext.enabled` | Enable security context | `true` | | `readReplicas.podSecurityContext.enabled` | Enable security context | `true` |
| `readReplicas.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | | `readReplicas.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `readReplicas.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | | `readReplicas.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
@ -320,6 +327,7 @@ kubectl delete pvc -l release=my-release
| `readReplicas.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | | `readReplicas.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `readReplicas.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `readReplicas.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `readReplicas.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `readReplicas.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `readReplicas.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `readReplicas.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | | `readReplicas.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `readReplicas.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | | `readReplicas.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@ -353,6 +361,13 @@ kubectl delete pvc -l release=my-release
| `readReplicas.sidecars` | Add additional sidecar containers to the PostgreSQL read only pod(s) | `[]` | | `readReplicas.sidecars` | Add additional sidecar containers to the PostgreSQL read only pod(s) | `[]` |
| `readReplicas.initContainers` | Add additional init containers to the PostgreSQL read only pod(s) | `[]` | | `readReplicas.initContainers` | Add additional init containers to the PostgreSQL read only pod(s) | `[]` |
| `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` | | `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` |
| `readReplicas.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `readReplicas.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `readReplicas.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `readReplicas.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
| `readReplicas.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `readReplicas.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `readReplicas.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| `readReplicas.service.type` | Kubernetes Service type | `ClusterIP` | | `readReplicas.service.type` | Kubernetes Service type | `ClusterIP` |
| `readReplicas.service.ports.postgresql` | PostgreSQL service port | `5432` | | `readReplicas.service.ports.postgresql` | PostgreSQL service port | `5432` |
| `readReplicas.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | | `readReplicas.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` |
@ -383,7 +398,7 @@ kubectl delete pvc -l release=my-release
### Backup parameters ### Backup parameters
| Name | Description | Value | | Name | Description | Value |
| ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | ------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` | | `backup.enabled` | Enable the logical dump of the database "regularly" | `false` |
| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` | | `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` |
| `backup.cronjob.timeZone` | Set the cronjob parameter timeZone | `""` | | `backup.cronjob.timeZone` | Set the cronjob parameter timeZone | `""` |
@ -401,6 +416,7 @@ kubectl delete pvc -l release=my-release
| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | | `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | | `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | | `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@ -411,6 +427,8 @@ kubectl delete pvc -l release=my-release
| `backup.cronjob.labels` | Set the cronjob labels | `{}` | | `backup.cronjob.labels` | Set the cronjob labels | `{}` |
| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` | | `backup.cronjob.annotations` | Set the cronjob annotations | `{}` |
| `backup.cronjob.nodeSelector` | Node labels for PostgreSQL backup CronJob pod assignment | `{}` | | `backup.cronjob.nodeSelector` | Node labels for PostgreSQL backup CronJob pod assignment | `{}` |
| `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). | `none` |
| `backup.cronjob.resources` | Set container requests and limits for different resources like CPU or memory | `{}` |
| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | | `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` |
| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` | | `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` |
| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` | | `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` |
@ -421,37 +439,18 @@ kubectl delete pvc -l release=my-release
| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` | | `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` |
| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` | | `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` |
### NetworkPolicy parameters
| Name | Description | Value |
| ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `networkPolicy.enabled` | Enable network policies | `false` |
| `networkPolicy.metrics.enabled` | Enable network policies for metrics (prometheus) | `false` |
| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` |
| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` |
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. | `false` |
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). | `{}` |
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). | `{}` |
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL primary node. | `[]` |
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. | `false` |
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). | `{}` |
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). | `{}` |
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL read-only nodes. | `[]` |
| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` |
| `networkPolicy.egressRules.customRules` | Custom network policy rule | `[]` |
### Volume Permissions parameters ### Volume Permissions parameters
| Name | Description | Value | | Name | Description | Value |
| ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | | ---------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | | `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | | `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` |
| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | | `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` |
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` |
| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | | `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | | `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | | `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` |
| `volumePermissions.containerSecurityContext.runAsGroup` | Group ID for the init container | `0` | | `volumePermissions.containerSecurityContext.runAsGroup` | Group ID for the init container | `0` |
@ -474,7 +473,7 @@ kubectl delete pvc -l release=my-release
### Metrics Parameters ### Metrics Parameters
| Name | Description | Value | | Name | Description | Value |
| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ----------------------------------- | | ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- |
| `metrics.enabled` | Start a prometheus exporter | `false` | | `metrics.enabled` | Start a prometheus exporter | `false` |
| `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `REGISTRY_NAME` | | `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `REGISTRY_NAME` |
| `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `REPOSITORY_NAME/postgres-exporter` | | `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `REPOSITORY_NAME/postgres-exporter` |
@ -487,6 +486,7 @@ kubectl delete pvc -l release=my-release
| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | | `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | | `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | | `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@ -515,8 +515,8 @@ kubectl delete pvc -l release=my-release
| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | | `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` | | `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` |
| `metrics.resources.limits` | The resources limits for the PostgreSQL Prometheus exporter container | `{}` | | `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
| `metrics.resources.requests` | The requested resources for the PostgreSQL Prometheus exporter container | `{}` | | `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` | | `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` |
| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` | | `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` |
| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | | `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
@ -562,6 +562,12 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/postg
## Configuration and installation details ## Configuration and installation details
### Resource requests and limits
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) ### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
@ -787,6 +793,12 @@ Find more information about how to deal with common errors related to Bitnami's
## Upgrading ## Upgrading
### To 14.0.0
This major version adapts the NetworkPolicy objects to the most recent Bitnami standards. Now there is a separate object for `primary` and for `readReplicas`, being located in their corresponding sections. It is also enabled by default in other to comply with the best security standards.
Check the parameter section for the new value structure.
### To 13.0.0 ### To 13.0.0
This major version changes the default PostgreSQL image from 15.x to 16.x. Follow the [official instructions](https://www.postgresql.org/docs/16/upgrading.html) to upgrade to 16.x. This major version changes the default PostgreSQL image from 15.x to 16.x. Follow the [official instructions](https://www.postgresql.org/docs/16/upgrading.html) to upgrade to 16.x.

2
charts/bitnami/airflow/charts/postgresql/charts/common/.helmignore
View File

@ -20,3 +20,5 @@
.idea/ .idea/
*.tmproj *.tmproj
.vscode/ .vscode/
# img folder
img/

4
charts/bitnami/airflow/charts/postgresql/charts/common/Chart.yaml
View File

@ -2,7 +2,7 @@ annotations:
category: Infrastructure category: Infrastructure
licenses: Apache-2.0 licenses: Apache-2.0
apiVersion: v2 apiVersion: v2
appVersion: 2.14.1 appVersion: 2.19.0
description: A Library Helm Chart for grouping common logic between bitnami charts. description: A Library Helm Chart for grouping common logic between bitnami charts.
This chart is not deployable by itself. This chart is not deployable by itself.
home: https://bitnami.com home: https://bitnami.com
@ -20,4 +20,4 @@ name: common
sources: sources:
- https://github.com/bitnami/charts - https://github.com/bitnami/charts
type: library type: library
version: 2.14.1 version: 2.19.0

2
charts/bitnami/airflow/charts/postgresql/charts/common/README.md
View File

@ -220,7 +220,7 @@ helm install test mychart --set path.to.value00="",path.to.value01=""
## License ## License
Copyright &copy; 2023 VMware, Inc. Copyright &copy; 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.

39
charts/bitnami/airflow/charts/postgresql/charts/common/templates/_compatibility.tpl Normal file
View File

@ -0,0 +1,39 @@
{{/*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Return true if the detected platform is Openshift
Usage:
{{- include "common.compatibility.isOpenshift" . -}}
*/}}
{{- define "common.compatibility.isOpenshift" -}}
{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
Usage:
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
*/}}
{{- define "common.compatibility.renderSecurityContext" -}}
{{- $adaptedContext := .secContext -}}
{{- if .context.Values.global.compatibility -}}
{{- if .context.Values.global.compatibility.openshift -}}
{{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
{{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
{{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
{{- if not .secContext.seLinuxOptions -}}
{{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
{{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- omit $adaptedContext "enabled" | toYaml -}}
{{- end -}}

50
charts/bitnami/airflow/charts/postgresql/charts/common/templates/_resources.tpl Normal file
View File

@ -0,0 +1,50 @@
{{/*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Return a resource request/limit object based on a given preset.
These presets are for basic testing and not meant to be used in production
{{ include "common.resources.preset" (dict "type" "nano") -}}
*/}}
{{- define "common.resources.preset" -}}
{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
{{- $presets := dict
"nano" (dict
"requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
)
"micro" (dict
"requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
)
"small" (dict
"requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
)
"medium" (dict
"requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
)
"large" (dict
"requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
)
"xlarge" (dict
"requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
)
"2xlarge" (dict
"requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
)
}}
{{- if hasKey $presets .type -}}
{{- index $presets .type | toYaml -}}
{{- else -}}
{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
{{- end -}}
{{- end -}}

67
charts/bitnami/airflow/charts/postgresql/charts/common/templates/_warnings.tpl
View File

@ -13,7 +13,70 @@ Usage:
{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers
{{- end }} {{- end }}
{{- end -}}
{{/*
Warning about not setting the resource object in all deployments.
Usage:
{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }}
Example:
{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }}
The list in the example assumes that the following values exist:
- csiProvider.provider.resources
- server.resources
- volumePermissions.resources
- resources
*/}}
{{- define "common.warnings.resources" -}}
{{- $values := .context.Values -}}
{{- $printMessage := false -}}
{{ $affectedSections := list -}}
{{- range .sections -}}
{{- if eq . "" -}}
{{/* Case where the resources section is at the root (one main deployment in the chart) */}}
{{- if not (index $values "resources") -}}
{{- $affectedSections = append $affectedSections "resources" -}}
{{- $printMessage = true -}}
{{- end -}}
{{- else -}}
{{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}}
{{- $keys := split "." . -}}
{{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}}
{{- $section := $values -}}
{{- range $keys -}}
{{- $section = index $section . -}}
{{- end -}}
{{- if not (index $section "resources") -}}
{{/* If the section has enabled=false or replicaCount=0, do not include it */}}
{{- if and (hasKey $section "enabled") -}}
{{- if index $section "enabled" -}}
{{/* enabled=true */}}
{{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
{{- $printMessage = true -}}
{{- end -}}
{{- else if and (hasKey $section "replicaCount") -}}
{{/* We need a casting to int because number 0 is not treated as an int by default */}}
{{- if (gt (index $section "replicaCount" | int) 0) -}}
{{/* replicaCount > 0 */}}
{{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
{{- $printMessage = true -}}
{{- end -}}
{{- else -}}
{{/* Default case, add it to the affected sections */}}
{{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
{{- $printMessage = true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if $printMessage }}
WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs:
{{- range $affectedSections }}
- {{ . }}
{{- end }}
+info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
{{- end -}}
{{- end -}} {{- end -}}

1
charts/bitnami/airflow/charts/postgresql/templates/NOTES.txt
View File

@ -113,3 +113,4 @@ WARNING: The configured password will be ignored on new installation in case whe
{{- include "postgresql.v1.validateValues" . -}} {{- include "postgresql.v1.validateValues" . -}}
{{- include "common.warnings.rollingTag" .Values.image -}} {{- include "common.warnings.rollingTag" .Values.image -}}
{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} {{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
{{- include "common.warnings.resources" (dict "sections" (list "metrics" "primary" "readReplicas" "volumePermissions") "context" $) }}

14
charts/bitnami/airflow/charts/postgresql/templates/backup/cronjob.yaml
View File

@ -77,7 +77,7 @@ spec:
{{- if .Values.tls.autoGenerated }} {{- if .Values.tls.autoGenerated }}
value: /tmp/certs/ca.crt value: /tmp/certs/ca.crt
{{- else }} {{- else }}
value: {{- printf "/tmp/certs/%s" .Values.tls.certCAFilename -}} value: {{ printf "/tmp/certs/%s" .Values.tls.certCAFilename }}
{{- end }} {{- end }}
{{- end }} {{- end }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }} command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }}
@ -89,8 +89,16 @@ spec:
- name: datadir - name: datadir
mountPath: {{ .Values.backup.cronjob.storage.mountPath }} mountPath: {{ .Values.backup.cronjob.storage.mountPath }}
subPath: {{ .Values.backup.cronjob.storage.subPath }} subPath: {{ .Values.backup.cronjob.storage.subPath }}
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.backup.cronjob.containerSecurityContext.enabled }} {{- if .Values.backup.cronjob.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.backup.cronjob.containerSecurityContext "enabled" | toYaml | nindent 14 }} securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.backup.cronjob.containerSecurityContext "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.backup.cronjob.resources }}
resources: {{- toYaml .Values.backup.cronjob.resources | nindent 14 }}
{{- else if ne .Values.backup.cronjob.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.backup.cronjob.resourcesPreset) | nindent 14 }}
{{- end }} {{- end }}
restartPolicy: {{ .Values.backup.cronjob.restartPolicy }} restartPolicy: {{ .Values.backup.cronjob.restartPolicy }}
{{- if .Values.backup.cronjob.podSecurityContext.enabled }} {{- if .Values.backup.cronjob.podSecurityContext.enabled }}
@ -111,4 +119,6 @@ spec:
persistentVolumeClaim: persistentVolumeClaim:
claimName: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall claimName: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
{{- end }} {{- end }}
- name: empty-dir
emptyDir: {}
{{- end }} {{- end }}

34
charts/bitnami/airflow/charts/postgresql/templates/networkpolicy-egress.yaml
View File

@ -1,34 +0,0 @@
{{- /*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }}
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
kind: NetworkPolicy
metadata:
name: {{ printf "%s-egress" (include "common.names.fullname" .) }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
policyTypes:
- Egress
egress:
{{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }}
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
- to:
- namespaceSelector: {}
{{- end }}
{{- if .Values.networkPolicy.egressRules.customRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }}
{{- end }}
{{- end }}

87
charts/bitnami/airflow/charts/postgresql/templates/primary/networkpolicy.yaml
View File

@ -3,59 +3,76 @@ Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0 SPDX-License-Identifier: APACHE-2.0
*/}} */}}
{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled) }} {{- if .Values.primary.networkPolicy.enabled }}
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
kind: NetworkPolicy kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata: metadata:
name: {{ printf "%s-ingress" (include "postgresql.v1.primary.fullname" .) }} name: {{ include "postgresql.v1.primary.fullname" . }}
namespace: {{ .Release.Namespace | quote }} namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: primary app.kubernetes.io/component: primary
{{- if .Values.commonAnnotations }} {{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }} {{- end }}
spec: spec:
{{- $primaryPodLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }} {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
podSelector: podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $primaryPodLabels "context" $ ) | nindent 6 }} matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: primary app.kubernetes.io/component: primary
ingress: policyTypes:
{{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} - Ingress
- from: - Egress
{{- if .Values.networkPolicy.metrics.namespaceSelector }} {{- if .Values.primary.networkPolicy.allowExternalEgress }}
- namespaceSelector: egress:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} - {}
{{- end }} {{- else }}
{{- if .Values.networkPolicy.metrics.podSelector }} egress:
# Allow dns resolution
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
# Allow outbound connections to read-replicas
- ports:
- port: {{ .Values.containerPorts.postgresql }}
to:
- podSelector: - podSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
app.kubernetes.io/component: read
{{- if .Values.primary.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }} {{- end }}
ports: {{- end }}
ingress:
- ports:
- port: {{ .Values.containerPorts.postgresql }}
{{- if .Values.metrics.enabled }}
- port: {{ .Values.metrics.containerPorts.metrics }} - port: {{ .Values.metrics.containerPorts.metrics }}
{{- end }} {{- end }}
{{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector) }} {{- if not .Values.primary.networkPolicy.allowExternal }}
- from: from:
{{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector }} - podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
- podSelector:
matchLabels:
{{ template "postgresql.v1.primary.fullname" . }}-client: "true"
{{- if .Values.primary.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector: - namespaceSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} matchLabels:
{{- range $key, $value := .Values.primary.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }} {{- end }}
{{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector }} {{- if .Values.primary.networkPolicy.ingressNSPodMatchLabels }}
- podSelector: podSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }} matchLabels:
{{- range $key, $value := .Values.primary.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }} {{- end }}
ports:
- port: {{ .Values.containerPorts.postgresql }}
{{- end }} {{- end }}
{{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (eq .Values.architecture "replication") }}
- from:
{{- $readPodLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $readPodLabels "context" $ ) | nindent 14 }}
app.kubernetes.io/component: read
ports:
- port: {{ .Values.containerPorts.postgresql }}
{{- end }} {{- end }}
{{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules }} {{- end }}
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules "context" $) | nindent 4 }} {{- if .Values.primary.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }} {{- end }}
{{- end }} {{- end }}

41
charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml
View File

@ -80,7 +80,7 @@ spec:
terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }}
{{- end }} {{- end }}
{{- if .Values.primary.podSecurityContext.enabled }} {{- if .Values.primary.podSecurityContext.enabled }}
securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }} securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.podSecurityContext "context" $) | nindent 8 }}
{{- end }} {{- end }}
hostNetwork: {{ .Values.primary.hostNetwork }} hostNetwork: {{ .Values.primary.hostNetwork }}
hostIPC: {{ .Values.primary.hostIPC }} hostIPC: {{ .Values.primary.hostIPC }}
@ -92,10 +92,12 @@ spec:
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
{{- if .Values.primary.resources }} {{- if .Values.primary.resources }}
resources: {{- toYaml .Values.primary.resources | nindent 12 }} resources: {{- toYaml .Values.primary.resources | nindent 12 }}
{{- else if ne .Values.primary.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }}
{{- end }} {{- end }}
# We don't require a privileged container in this case # We don't require a privileged container in this case
{{- if .Values.primary.containerSecurityContext.enabled }} {{- if .Values.primary.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }}
{{- end }} {{- end }}
command: command:
- /bin/sh - /bin/sh
@ -104,6 +106,9 @@ spec:
cp /tmp/certs/* /opt/bitnami/postgresql/certs/ cp /tmp/certs/* /opt/bitnami/postgresql/certs/
chmod 600 {{ include "postgresql.v1.tlsCertKey" . }} chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
volumeMounts: volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: raw-certificates - name: raw-certificates
mountPath: /tmp/certs mountPath: /tmp/certs
- name: postgresql-certificates - name: postgresql-certificates
@ -114,6 +119,8 @@ spec:
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
{{- if .Values.volumePermissions.resources }} {{- if .Values.volumePermissions.resources }}
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
{{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
{{- end }} {{- end }}
command: command:
- /bin/sh - /bin/sh
@ -152,13 +159,14 @@ spec:
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
{{- if .Values.primary.persistence.enabled }} - name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: data - name: data
mountPath: {{ .Values.primary.persistence.mountPath }} mountPath: {{ .Values.primary.persistence.mountPath }}
{{- if .Values.primary.persistence.subPath }} {{- if .Values.primary.persistence.subPath }}
subPath: {{ .Values.primary.persistence.subPath }} subPath: {{ .Values.primary.persistence.subPath }}
{{- end }} {{- end }}
{{- end }}
{{- if .Values.shmVolume.enabled }} {{- if .Values.shmVolume.enabled }}
- name: dshm - name: dshm
mountPath: /dev/shm mountPath: /dev/shm
@ -179,7 +187,7 @@ spec:
image: {{ include "postgresql.v1.image" . }} image: {{ include "postgresql.v1.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.primary.containerSecurityContext.enabled }} {{- if .Values.primary.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.diagnosticMode.enabled }} {{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@ -442,11 +450,25 @@ spec:
{{- end }} {{- end }}
{{- if .Values.primary.resources }} {{- if .Values.primary.resources }}
resources: {{- toYaml .Values.primary.resources | nindent 12 }} resources: {{- toYaml .Values.primary.resources | nindent 12 }}
{{- else if ne .Values.primary.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.primary.lifecycleHooks }} {{- if .Values.primary.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }} lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/logs
subPath: app-logs-dir
{{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }} {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }}
- name: custom-init-scripts - name: custom-init-scripts
mountPath: /docker-entrypoint-initdb.d/ mountPath: /docker-entrypoint-initdb.d/
@ -491,7 +513,7 @@ spec:
image: {{ include "postgresql.v1.metrics.image" . }} image: {{ include "postgresql.v1.metrics.image" . }}
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
{{- if .Values.metrics.containerSecurityContext.enabled }} {{- if .Values.metrics.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.diagnosticMode.enabled }} {{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@ -555,6 +577,9 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.auth.usePasswordFiles }} {{- if .Values.auth.usePasswordFiles }}
- name: postgresql-password - name: postgresql-password
mountPath: /opt/bitnami/postgresql/secrets/ mountPath: /opt/bitnami/postgresql/secrets/
@ -566,12 +591,16 @@ spec:
{{- end }} {{- end }}
{{- if .Values.metrics.resources }} {{- if .Values.metrics.resources }}
resources: {{- toYaml .Values.metrics.resources | nindent 12 }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- else if ne .Values.metrics.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.primary.sidecars }} {{- if .Values.primary.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }} {{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }}
{{- end }} {{- end }}
volumes: volumes:
- name: empty-dir
emptyDir: {}
{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
- name: postgresql-config - name: postgresql-config
configMap: configMap:

77
charts/bitnami/airflow/charts/postgresql/templates/read/networkpolicy.yaml
View File

@ -3,12 +3,13 @@ Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0 SPDX-License-Identifier: APACHE-2.0
*/}} */}}
{{- if and .Values.networkPolicy.enabled (eq .Values.architecture "replication") .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled }} {{- if eq .Values.architecture "replication" }}
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} {{- if .Values.readReplicas.networkPolicy.enabled }}
kind: NetworkPolicy kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata: metadata:
name: {{ printf "%s-ingress" (include "postgresql.v1.readReplica.fullname" .) }} name: {{ include "postgresql.v1.readReplica.fullname" . }}
namespace: {{ .Release.Namespace | quote }} namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: read app.kubernetes.io/component: read
{{- if .Values.commonAnnotations }} {{- if .Values.commonAnnotations }}
@ -19,21 +20,61 @@ spec:
podSelector: podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: read app.kubernetes.io/component: read
ingress: policyTypes:
{{- if and .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector) }} - Ingress
- from: - Egress
{{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector }} {{- if .Values.readReplicas.networkPolicy.allowExternalEgress }}
- namespaceSelector: egress:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {}
{{- end }} {{- else }}
{{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector }} egress:
- podSelector: # Allow dns resolution
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector "context" $) | nindent 14 }} - ports:
{{- end }} - port: 53
ports: protocol: UDP
- port: 53
protocol: TCP
# Allow outbound connections to primary
- ports:
- port: {{ .Values.containerPorts.postgresql }} - port: {{ .Values.containerPorts.postgresql }}
to:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
app.kubernetes.io/component: primary
{{- if .Values.readReplicas.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }} {{- end }}
{{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules }} {{- end }}
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules "context" $) | nindent 4 }} ingress:
- ports:
- port: {{ .Values.containerPorts.postgresql }}
{{- if .Values.metrics.enabled }}
- port: {{ .Values.metrics.containerPorts.metrics }}
{{- end }}
{{- if not .Values.readReplicas.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
- podSelector:
matchLabels:
{{ template "postgresql.v1.readReplica.fullname" . }}-client: "true"
{{- if .Values.readReplicas.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- if .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.readReplicas.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}

45
charts/bitnami/airflow/charts/postgresql/templates/read/statefulset.yaml
View File

@ -78,7 +78,7 @@ spec:
terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }}
{{- end }} {{- end }}
{{- if .Values.readReplicas.podSecurityContext.enabled }} {{- if .Values.readReplicas.podSecurityContext.enabled }}
securityContext: {{- omit .Values.readReplicas.podSecurityContext "enabled" | toYaml | nindent 8 }} securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.podSecurityContext "context" $) | nindent 8 }}
{{- end }} {{- end }}
hostNetwork: {{ .Values.readReplicas.hostNetwork }} hostNetwork: {{ .Values.readReplicas.hostNetwork }}
hostIPC: {{ .Values.readReplicas.hostIPC }} hostIPC: {{ .Values.readReplicas.hostIPC }}
@ -90,10 +90,12 @@ spec:
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
{{- if .Values.readReplicas.resources }} {{- if .Values.readReplicas.resources }}
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
{{- else if ne .Values.readReplicas.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }}
{{- end }} {{- end }}
# We don't require a privileged container in this case # We don't require a privileged container in this case
{{- if .Values.readReplicas.containerSecurityContext.enabled }} {{- if .Values.readReplicas.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }} securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }}
{{- end }} {{- end }}
command: command:
- /bin/sh - /bin/sh
@ -102,6 +104,9 @@ spec:
cp /tmp/certs/* /opt/bitnami/postgresql/certs/ cp /tmp/certs/* /opt/bitnami/postgresql/certs/
chmod 600 {{ include "postgresql.v1.tlsCertKey" . }} chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
volumeMounts: volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: raw-certificates - name: raw-certificates
mountPath: /tmp/certs mountPath: /tmp/certs
- name: postgresql-certificates - name: postgresql-certificates
@ -112,6 +117,8 @@ spec:
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
{{- if .Values.readReplicas.resources }} {{- if .Values.readReplicas.resources }}
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
{{- else if ne .Values.readReplicas.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }}
{{- end }} {{- end }}
command: command:
- /bin/sh - /bin/sh
@ -150,13 +157,14 @@ spec:
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
{{ if .Values.readReplicas.persistence.enabled }} - name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: data - name: data
mountPath: {{ .Values.readReplicas.persistence.mountPath }} mountPath: {{ .Values.readReplicas.persistence.mountPath }}
{{- if .Values.readReplicas.persistence.subPath }} {{- if .Values.readReplicas.persistence.subPath }}
subPath: {{ .Values.readReplicas.persistence.subPath }} subPath: {{ .Values.readReplicas.persistence.subPath }}
{{- end }} {{- end }}
{{- end }}
{{- if .Values.shmVolume.enabled }} {{- if .Values.shmVolume.enabled }}
- name: dshm - name: dshm
mountPath: /dev/shm mountPath: /dev/shm
@ -177,7 +185,7 @@ spec:
image: {{ include "postgresql.v1.image" . }} image: {{ include "postgresql.v1.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.readReplicas.containerSecurityContext.enabled }} {{- if .Values.readReplicas.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }} securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.diagnosticMode.enabled }} {{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@ -369,11 +377,25 @@ spec:
{{- end }} {{- end }}
{{- if .Values.readReplicas.resources }} {{- if .Values.readReplicas.resources }}
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
{{- else if ne .Values.readReplicas.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.readReplicas.lifecycleHooks }} {{- if .Values.readReplicas.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }} lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/logs
subPath: app-logs-dir
{{- if .Values.auth.usePasswordFiles }} {{- if .Values.auth.usePasswordFiles }}
- name: postgresql-password - name: postgresql-password
mountPath: /opt/bitnami/postgresql/secrets/ mountPath: /opt/bitnami/postgresql/secrets/
@ -406,7 +428,7 @@ spec:
image: {{ include "postgresql.v1.metrics.image" . }} image: {{ include "postgresql.v1.metrics.image" . }}
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
{{- if .Values.metrics.containerSecurityContext.enabled }} {{- if .Values.metrics.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.diagnosticMode.enabled }} {{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@ -462,6 +484,9 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.auth.usePasswordFiles }} {{- if .Values.auth.usePasswordFiles }}
- name: postgresql-password - name: postgresql-password
mountPath: /opt/bitnami/postgresql/secrets/ mountPath: /opt/bitnami/postgresql/secrets/
@ -473,6 +498,8 @@ spec:
{{- end }} {{- end }}
{{- if .Values.metrics.resources }} {{- if .Values.metrics.resources }}
resources: {{- toYaml .Values.metrics.resources | nindent 12 }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- else if ne .Values.metrics.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.readReplicas.sidecars }} {{- if .Values.readReplicas.sidecars }}
@ -509,6 +536,8 @@ spec:
sizeLimit: {{ .Values.shmVolume.sizeLimit }} sizeLimit: {{ .Values.shmVolume.sizeLimit }}
{{- end }} {{- end }}
{{- end }} {{- end }}
- name: empty-dir
emptyDir: {}
{{- if .Values.readReplicas.extraVolumes }} {{- if .Values.readReplicas.extraVolumes }}
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }} {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }}
{{- end }} {{- end }}
@ -526,7 +555,9 @@ spec:
whenScaled: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled }} whenScaled: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled }}
{{- end }} {{- end }}
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data name: data
{{- if .Values.readReplicas.persistence.annotations }} {{- if .Values.readReplicas.persistence.annotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.annotations "context" $) | nindent 10 }} annotations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.annotations "context" $) | nindent 10 }}

338
charts/bitnami/airflow/charts/postgresql/values.yaml
View File

@ -42,7 +42,15 @@ global:
service: service:
ports: ports:
postgresql: "" postgresql: ""
## Compatibility adaptations for Kubernetes platforms
##
compatibility:
## Compatibility adaptations for Openshift
##
openshift:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
adaptSecurityContext: disabled
## @section Common parameters ## @section Common parameters
## ##
@ -81,7 +89,6 @@ diagnosticMode:
## ##
args: args:
- infinity - infinity
## @section PostgreSQL common parameters ## @section PostgreSQL common parameters
## ##
@ -98,7 +105,7 @@ diagnosticMode:
image: image:
registry: docker.io registry: docker.io
repository: bitnami/postgresql repository: bitnami/postgresql
tag: 16.1.0-debian-11-r25 tag: 16.2.0-debian-12-r8
digest: "" digest: ""
## Specify a imagePullPolicy ## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
@ -286,7 +293,6 @@ tls:
## @param tls.crlFilename File containing a Certificate Revocation List ## @param tls.crlFilename File containing a Certificate Revocation List
## ##
crlFilename: "" crlFilename: ""
## @section PostgreSQL Primary parameters ## @section PostgreSQL Primary parameters
## ##
primary: primary:
@ -439,15 +445,21 @@ primary:
lifecycleHooks: {} lifecycleHooks: {}
## PostgreSQL Primary resource requests and limits ## PostgreSQL Primary resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param primary.resources.limits The resources limits for the PostgreSQL Primary containers ## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
## @param primary.resources.requests.memory The requested memory for the PostgreSQL Primary containers ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
## @param primary.resources.requests.cpu The requested cpu for the PostgreSQL Primary containers
## ##
resources: resourcesPreset: "none"
limits: {} ## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
requests: ## Example:
memory: 256Mi ## resources:
cpu: 250m ## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## Pod Security Context ## Pod Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
## @param primary.podSecurityContext.enabled Enable security context ## @param primary.podSecurityContext.enabled Enable security context
@ -467,6 +479,7 @@ primary:
## @param primary.containerSecurityContext.enabled Enabled containers' Security Context ## @param primary.containerSecurityContext.enabled Enabled containers' Security Context
## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param primary.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param primary.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param primary.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param primary.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param primary.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param primary.containerSecurityContext.privileged Set container's Security Context privileged ## @param primary.containerSecurityContext.privileged Set container's Security Context privileged
## @param primary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem ## @param primary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@ -478,6 +491,7 @@ primary:
enabled: true enabled: true
seLinuxOptions: null seLinuxOptions: null
runAsUser: 1001 runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true runAsNonRoot: true
privileged: false privileged: false
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
@ -602,6 +616,61 @@ primary:
## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) ## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s)
## ##
extraPodSpec: {} extraPodSpec: {}
## Network Policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
## @param primary.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
##
enabled: true
## @param primary.networkPolicy.allowExternal Don't require server label for connections
## The Policy model to apply. When set to false, only pods with the correct
## server label will have network access to the ports server is listening
## on. When true, server will accept connections from any source
## (with the correct destination port).
##
allowExternal: true
## @param primary.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param primary.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
## e.g:
## extraIngress:
## - ports:
## - port: 1234
## from:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
extraIngress: []
## @param primary.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraEgress:
## - ports:
## - port: 1234
## to:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
##
extraEgress: []
## @param primary.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param primary.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
## PostgreSQL Primary service configuration ## PostgreSQL Primary service configuration
## ##
service: service:
@ -723,7 +792,6 @@ primary:
## @param primary.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted ## @param primary.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
## ##
whenDeleted: Retain whenDeleted: Retain
## @section PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`) ## @section PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`)
## ##
readReplicas: readReplicas:
@ -814,15 +882,21 @@ readReplicas:
lifecycleHooks: {} lifecycleHooks: {}
## PostgreSQL read only resource requests and limits ## PostgreSQL read only resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param readReplicas.resources.limits The resources limits for the PostgreSQL read only containers ## @param readReplicas.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production).
## @param readReplicas.resources.requests.memory The requested memory for the PostgreSQL read only containers ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
## @param readReplicas.resources.requests.cpu The requested cpu for the PostgreSQL read only containers
## ##
resources: resourcesPreset: "none"
limits: {} ## @param readReplicas.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
requests: ## Example:
memory: 256Mi ## resources:
cpu: 250m ## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## Pod Security Context ## Pod Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
## @param readReplicas.podSecurityContext.enabled Enable security context ## @param readReplicas.podSecurityContext.enabled Enable security context
@ -842,6 +916,7 @@ readReplicas:
## @param readReplicas.containerSecurityContext.enabled Enabled containers' Security Context ## @param readReplicas.containerSecurityContext.enabled Enabled containers' Security Context
## @param readReplicas.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param readReplicas.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param readReplicas.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param readReplicas.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param readReplicas.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param readReplicas.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param readReplicas.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param readReplicas.containerSecurityContext.privileged Set container's Security Context privileged ## @param readReplicas.containerSecurityContext.privileged Set container's Security Context privileged
## @param readReplicas.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem ## @param readReplicas.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@ -853,6 +928,7 @@ readReplicas:
enabled: true enabled: true
seLinuxOptions: null seLinuxOptions: null
runAsUser: 1001 runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true runAsNonRoot: true
privileged: false privileged: false
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
@ -977,6 +1053,61 @@ readReplicas:
## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s) ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s)
## ##
extraPodSpec: {} extraPodSpec: {}
## Network Policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
## @param readReplicas.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
##
enabled: true
## @param readReplicas.networkPolicy.allowExternal Don't require server label for connections
## The Policy model to apply. When set to false, only pods with the correct
## server label will have network access to the ports server is listening
## on. When true, server will accept connections from any source
## (with the correct destination port).
##
allowExternal: true
## @param readReplicas.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param readReplicas.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
## e.g:
## extraIngress:
## - ports:
## - port: 1234
## from:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
extraIngress: []
## @param readReplicas.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraEgress:
## - ports:
## - port: 1234
## to:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
##
extraEgress: []
## @param readReplicas.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param readReplicas.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
## PostgreSQL read only service configuration ## PostgreSQL read only service configuration
## ##
service: service:
@ -1098,8 +1229,6 @@ readReplicas:
## @param readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted ## @param readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
## ##
whenDeleted: Retain whenDeleted: Retain
## @section Backup parameters ## @section Backup parameters
## This section implements a trivial logical dump cronjob of the database. ## This section implements a trivial logical dump cronjob of the database.
## This only comes with the consistency guarantees of the dump program. ## This only comes with the consistency guarantees of the dump program.
@ -1141,6 +1270,7 @@ backup:
## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context
## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param backup.cronjob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged ## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged
## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem ## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@ -1151,6 +1281,7 @@ backup:
enabled: true enabled: true
seLinuxOptions: null seLinuxOptions: null
runAsUser: 1001 runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true runAsNonRoot: true
privileged: false privileged: false
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
@ -1164,7 +1295,6 @@ backup:
- /bin/sh - /bin/sh
- -c - -c
- "pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump" - "pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"
## @param backup.cronjob.labels Set the cronjob labels ## @param backup.cronjob.labels Set the cronjob labels
labels: {} labels: {}
## @param backup.cronjob.annotations Set the cronjob annotations ## @param backup.cronjob.annotations Set the cronjob annotations
@ -1173,6 +1303,22 @@ backup:
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
## ##
nodeSelector: {} nodeSelector: {}
## backup cronjob container resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param backup.cronjob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
## @param backup.cronjob.resources Set container requests and limits for different resources like CPU or memory
## Example:
resources: {}
## resources:
## requests:
## cpu: 1
## memory: 512Mi
## limits:
## cpu: 2
## memory: 1024Mi
storage: storage:
## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`)
## If defined, PVC must be created manually before volume will be bound ## If defined, PVC must be created manually before volume will be bound
@ -1213,103 +1359,6 @@ backup:
## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details
## ##
selector: {} selector: {}
## @section NetworkPolicy parameters
##
## Add networkpolicies
##
networkPolicy:
## @param networkPolicy.enabled Enable network policies
##
enabled: false
## @param networkPolicy.metrics.enabled Enable network policies for metrics (prometheus)
## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace.
## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods.
##
metrics:
enabled: false
## e.g:
## namespaceSelector:
## label: monitoring
##
namespaceSelector: {}
## e.g:
## podSelector:
## label: monitoring
##
podSelector: {}
## Ingress Rules
##
ingressRules:
## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin.
## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s).
## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s).
## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules Custom network policy for the PostgreSQL primary node.
##
primaryAccessOnlyFrom:
enabled: false
## e.g:
## namespaceSelector:
## label: ingress
##
namespaceSelector: {}
## e.g:
## podSelector:
## label: access
##
podSelector: {}
## custom ingress rules
## e.g:
## customRules:
## - from:
## - namespaceSelector:
## matchLabels:
## label: example
##
customRules: []
## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin.
## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s).
## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s).
## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules Custom network policy for the PostgreSQL read-only nodes.
##
readReplicasAccessOnlyFrom:
enabled: false
## e.g:
## namespaceSelector:
## label: ingress
##
namespaceSelector: {}
## e.g:
## podSelector:
## label: access
##
podSelector: {}
## custom ingress rules
## e.g:
## CustomRules:
## - from:
## - namespaceSelector:
## matchLabels:
## label: example
##
customRules: []
## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53).
## @param networkPolicy.egressRules.customRules Custom network policy rule
##
egressRules:
# Deny connections to external. This is not compatible with an external database.
denyConnectionsToExternal: false
## Additional custom egress rules
## e.g:
## customRules:
## - to:
## - namespaceSelector:
## matchLabels:
## label: example
##
customRules: []
## @section Volume Permissions parameters ## @section Volume Permissions parameters
## ##
@ -1330,7 +1379,7 @@ volumePermissions:
image: image:
registry: docker.io registry: docker.io
repository: bitnami/os-shell repository: bitnami/os-shell
tag: 11-debian-11-r95 tag: 12-debian-12-r16
digest: "" digest: ""
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets. ## Optionally specify an array of imagePullSecrets.
@ -1343,12 +1392,21 @@ volumePermissions:
pullSecrets: [] pullSecrets: []
## Init container resource requests and limits ## Init container resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param volumePermissions.resources.limits Init container volume-permissions resource limits ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
## @param volumePermissions.resources.requests Init container volume-permissions resource requests ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
## ##
resources: resourcesPreset: "none"
limits: {} ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
requests: {} ## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## Init container' Security Context ## Init container' Security Context
## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
## and not the below volumePermissions.containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser
@ -1373,7 +1431,6 @@ volumePermissions:
## ##
serviceBindings: serviceBindings:
enabled: false enabled: false
## Service account for PostgreSQL to use. ## Service account for PostgreSQL to use.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
## ##
@ -1415,10 +1472,8 @@ rbac:
## ##
psp: psp:
create: false create: false
## @section Metrics Parameters ## @section Metrics Parameters
## ##
metrics: metrics:
## @param metrics.enabled Start a prometheus exporter ## @param metrics.enabled Start a prometheus exporter
## ##
@ -1433,7 +1488,7 @@ metrics:
image: image:
registry: docker.io registry: docker.io
repository: bitnami/postgres-exporter repository: bitnami/postgres-exporter
tag: 0.15.0-debian-11-r7 tag: 0.15.0-debian-12-r14
digest: "" digest: ""
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets. ## Optionally specify an array of imagePullSecrets.
@ -1477,6 +1532,7 @@ metrics:
## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context
## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param metrics.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged
## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@ -1488,6 +1544,7 @@ metrics:
enabled: true enabled: true
seLinuxOptions: null seLinuxOptions: null
runAsUser: 1001 runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true runAsNonRoot: true
privileged: false privileged: false
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
@ -1555,12 +1612,21 @@ metrics:
metrics: 9187 metrics: 9187
## PostgreSQL Prometheus exporter resource requests and limits ## PostgreSQL Prometheus exporter resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param metrics.resources.limits The resources limits for the PostgreSQL Prometheus exporter container ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
## @param metrics.resources.requests The requested resources for the PostgreSQL Prometheus exporter container ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
## ##
resources: resourcesPreset: "none"
limits: {} ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
requests: {} ## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## Service configuration ## Service configuration
## ##
service: service:

6
charts/bitnami/airflow/charts/redis/Chart.lock
View File

@ -1,6 +1,6 @@
dependencies: dependencies:
- name: common - name: common
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
version: 2.14.1 version: 2.19.0
digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3 digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
generated: "2023-12-19T19:11:00.40217662Z" generated: "2024-03-08T15:56:40.04210215Z"

16
charts/bitnami/airflow/charts/redis/Chart.yaml
View File

@ -1,14 +1,16 @@
annotations: annotations:
category: Database category: Database
images: | images: |
- name: kubectl
image: docker.io/bitnami/kubectl:1.29.2-debian-12-r3
- name: os-shell - name: os-shell
image: docker.io/bitnami/os-shell:11-debian-11-r96 image: docker.io/bitnami/os-shell:12-debian-12-r16
- name: redis-exporter
image: docker.io/bitnami/redis-exporter:1.57.0-debian-11-r2
- name: redis-sentinel
image: docker.io/bitnami/redis-sentinel:7.2.4-debian-11-r6
- name: redis - name: redis
image: docker.io/bitnami/redis:7.2.4-debian-11-r5 image: docker.io/bitnami/redis:7.2.4-debian-12-r9
- name: redis-exporter
image: docker.io/bitnami/redis-exporter:1.58.0-debian-12-r4
- name: redis-sentinel
image: docker.io/bitnami/redis-sentinel:7.2.4-debian-12-r7
licenses: Apache-2.0 licenses: Apache-2.0
apiVersion: v2 apiVersion: v2
appVersion: 7.2.4 appVersion: 7.2.4
@ -33,4 +35,4 @@ maintainers:
name: redis name: redis
sources: sources:
- https://github.com/bitnami/charts/tree/main/bitnami/redis - https://github.com/bitnami/charts/tree/main/bitnami/redis
version: 18.13.0 version: 18.19.2

57
charts/bitnami/airflow/charts/redis/README.md
View File

@ -72,11 +72,12 @@ The command removes all the Kubernetes components associated with the chart and
### Global parameters ### Global parameters
| Name | Description | Value | | Name | Description | Value |
| ------------------------- | ------------------------------------------------------ | ----- | | ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `global.imageRegistry` | Global Docker image registry | `""` | | `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | | `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | | `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.redis.password` | Global Redis&reg; password (overrides `auth.password`) | `""` | | `global.redis.password` | Global Redis&reg; password (overrides `auth.password`) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
### Common parameters ### Common parameters
@ -120,13 +121,14 @@ The command removes all the Kubernetes components associated with the chart and
| `auth.existingSecret` | The name of an existing secret with Redis&reg; credentials | `""` | | `auth.existingSecret` | The name of an existing secret with Redis&reg; credentials | `""` |
| `auth.existingSecretPasswordKey` | Password key to be retrieved from existing secret | `""` | | `auth.existingSecretPasswordKey` | Password key to be retrieved from existing secret | `""` |
| `auth.usePasswordFiles` | Mount credentials as files instead of using an environment variable | `false` | | `auth.usePasswordFiles` | Mount credentials as files instead of using an environment variable | `false` |
| `auth.usePasswordFileFromSecret` | Mount password file from secret | `true` |
| `commonConfiguration` | Common configuration to be added into the ConfigMap | `""` | | `commonConfiguration` | Common configuration to be added into the ConfigMap | `""` |
| `existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Redis&reg; nodes | `""` | | `existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Redis&reg; nodes | `""` |
### Redis&reg; master configuration parameters ### Redis&reg; master configuration parameters
| Name | Description | Value | | Name | Description | Value |
| ---------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------ | | ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------ |
| `master.count` | Number of Redis&reg; master instances to deploy (experimental, requires additional configuration) | `1` | | `master.count` | Number of Redis&reg; master instances to deploy (experimental, requires additional configuration) | `1` |
| `master.configuration` | Configuration for Redis&reg; master nodes | `""` | | `master.configuration` | Configuration for Redis&reg; master nodes | `""` |
| `master.disableCommands` | Array with Redis&reg; commands to disable on master nodes | `["FLUSHDB","FLUSHALL"]` | | `master.disableCommands` | Array with Redis&reg; commands to disable on master nodes | `["FLUSHDB","FLUSHALL"]` |
@ -160,8 +162,8 @@ The command removes all the Kubernetes components associated with the chart and
| `master.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | | `master.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `master.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | | `master.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `master.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `master.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `master.resources.limits` | The resources limits for the Redis&reg; master containers | `{}` | | `master.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). | `none` |
| `master.resources.requests` | The requested resources for the Redis&reg; master containers | `{}` | | `master.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `master.podSecurityContext.enabled` | Enabled Redis&reg; master pods' Security Context | `true` | | `master.podSecurityContext.enabled` | Enabled Redis&reg; master pods' Security Context | `true` |
| `master.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | | `master.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `master.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | | `master.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
@ -173,6 +175,7 @@ The command removes all the Kubernetes components associated with the chart and
| `master.containerSecurityContext.runAsGroup` | Set Redis&reg; master containers' Security Context runAsGroup | `0` | | `master.containerSecurityContext.runAsGroup` | Set Redis&reg; master containers' Security Context runAsGroup | `0` |
| `master.containerSecurityContext.runAsNonRoot` | Set Redis&reg; master containers' Security Context runAsNonRoot | `true` | | `master.containerSecurityContext.runAsNonRoot` | Set Redis&reg; master containers' Security Context runAsNonRoot | `true` |
| `master.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate Redis&reg; pod(s) privileges | `false` | | `master.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate Redis&reg; pod(s) privileges | `false` |
| `master.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
| `master.containerSecurityContext.seccompProfile.type` | Set Redis&reg; master containers' Security Context seccompProfile | `RuntimeDefault` | | `master.containerSecurityContext.seccompProfile.type` | Set Redis&reg; master containers' Security Context seccompProfile | `RuntimeDefault` |
| `master.containerSecurityContext.capabilities.drop` | Set Redis&reg; master containers' Security Context capabilities to drop | `["ALL"]` | | `master.containerSecurityContext.capabilities.drop` | Set Redis&reg; master containers' Security Context capabilities to drop | `["ALL"]` |
| `master.kind` | Use either Deployment, StatefulSet (default) or DaemonSet | `StatefulSet` | | `master.kind` | Use either Deployment, StatefulSet (default) or DaemonSet | `StatefulSet` |
@ -241,7 +244,7 @@ The command removes all the Kubernetes components associated with the chart and
### Redis&reg; replicas configuration parameters ### Redis&reg; replicas configuration parameters
| Name | Description | Value | | Name | Description | Value |
| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ------------------------ | | ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
| `replica.kind` | Use either DaemonSet or StatefulSet (default) | `StatefulSet` | | `replica.kind` | Use either DaemonSet or StatefulSet (default) | `StatefulSet` |
| `replica.replicaCount` | Number of Redis&reg; replicas to deploy | `3` | | `replica.replicaCount` | Number of Redis&reg; replicas to deploy | `3` |
| `replica.configuration` | Configuration for Redis&reg; replicas nodes | `""` | | `replica.configuration` | Configuration for Redis&reg; replicas nodes | `""` |
@ -279,8 +282,8 @@ The command removes all the Kubernetes components associated with the chart and
| `replica.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | | `replica.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `replica.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | | `replica.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `replica.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `replica.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `replica.resources.limits` | The resources limits for the Redis&reg; replicas containers | `{}` | | `replica.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if replica.resources is set (replica.resources is recommended for production). | `none` |
| `replica.resources.requests` | The requested resources for the Redis&reg; replicas containers | `{}` | | `replica.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `replica.podSecurityContext.enabled` | Enabled Redis&reg; replicas pods' Security Context | `true` | | `replica.podSecurityContext.enabled` | Enabled Redis&reg; replicas pods' Security Context | `true` |
| `replica.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | | `replica.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `replica.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | | `replica.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
@ -292,6 +295,7 @@ The command removes all the Kubernetes components associated with the chart and
| `replica.containerSecurityContext.runAsGroup` | Set Redis&reg; replicas containers' Security Context runAsGroup | `0` | | `replica.containerSecurityContext.runAsGroup` | Set Redis&reg; replicas containers' Security Context runAsGroup | `0` |
| `replica.containerSecurityContext.runAsNonRoot` | Set Redis&reg; replicas containers' Security Context runAsNonRoot | `true` | | `replica.containerSecurityContext.runAsNonRoot` | Set Redis&reg; replicas containers' Security Context runAsNonRoot | `true` |
| `replica.containerSecurityContext.allowPrivilegeEscalation` | Set Redis&reg; replicas pod's Security Context allowPrivilegeEscalation | `false` | | `replica.containerSecurityContext.allowPrivilegeEscalation` | Set Redis&reg; replicas pod's Security Context allowPrivilegeEscalation | `false` |
| `replica.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
| `replica.containerSecurityContext.seccompProfile.type` | Set Redis&reg; replicas containers' Security Context seccompProfile | `RuntimeDefault` | | `replica.containerSecurityContext.seccompProfile.type` | Set Redis&reg; replicas containers' Security Context seccompProfile | `RuntimeDefault` |
| `replica.containerSecurityContext.capabilities.drop` | Set Redis&reg; replicas containers' Security Context capabilities to drop | `["ALL"]` | | `replica.containerSecurityContext.capabilities.drop` | Set Redis&reg; replicas containers' Security Context capabilities to drop | `["ALL"]` |
| `replica.schedulerName` | Alternate scheduler for Redis&reg; replicas pods | `""` | | `replica.schedulerName` | Alternate scheduler for Redis&reg; replicas pods | `""` |
@ -364,7 +368,7 @@ The command removes all the Kubernetes components associated with the chart and
### Redis&reg; Sentinel configuration parameters ### Redis&reg; Sentinel configuration parameters
| Name | Description | Value | | Name | Description | Value |
| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | | ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
| `sentinel.enabled` | Use Redis&reg; Sentinel on Redis&reg; pods. | `false` | | `sentinel.enabled` | Use Redis&reg; Sentinel on Redis&reg; pods. | `false` |
| `sentinel.image.registry` | Redis&reg; Sentinel image registry | `REGISTRY_NAME` | | `sentinel.image.registry` | Redis&reg; Sentinel image registry | `REGISTRY_NAME` |
| `sentinel.image.repository` | Redis&reg; Sentinel image repository | `REPOSITORY_NAME/redis-sentinel` | | `sentinel.image.repository` | Redis&reg; Sentinel image repository | `REPOSITORY_NAME/redis-sentinel` |
@ -427,13 +431,14 @@ The command removes all the Kubernetes components associated with the chart and
| `sentinel.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` | | `sentinel.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` |
| `sentinel.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | | `sentinel.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
| `sentinel.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | | `sentinel.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
| `sentinel.resources.limits` | The resources limits for the Redis&reg; Sentinel containers | `{}` | | `sentinel.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sentinel.resources is set (sentinel.resources is recommended for production). | `none` |
| `sentinel.resources.requests` | The requested resources for the Redis&reg; Sentinel containers | `{}` | | `sentinel.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `sentinel.containerSecurityContext.enabled` | Enabled Redis&reg; Sentinel containers' Security Context | `true` | | `sentinel.containerSecurityContext.enabled` | Enabled Redis&reg; Sentinel containers' Security Context | `true` |
| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `sentinel.containerSecurityContext.runAsUser` | Set Redis&reg; Sentinel containers' Security Context runAsUser | `1001` | | `sentinel.containerSecurityContext.runAsUser` | Set Redis&reg; Sentinel containers' Security Context runAsUser | `1001` |
| `sentinel.containerSecurityContext.runAsGroup` | Set Redis&reg; Sentinel containers' Security Context runAsGroup | `0` | | `sentinel.containerSecurityContext.runAsGroup` | Set Redis&reg; Sentinel containers' Security Context runAsGroup | `0` |
| `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis&reg; Sentinel containers' Security Context runAsNonRoot | `true` | | `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis&reg; Sentinel containers' Security Context runAsNonRoot | `true` |
| `sentinel.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
| `sentinel.containerSecurityContext.allowPrivilegeEscalation` | Set Redis&reg; Sentinel containers' Security Context allowPrivilegeEscalation | `false` | | `sentinel.containerSecurityContext.allowPrivilegeEscalation` | Set Redis&reg; Sentinel containers' Security Context allowPrivilegeEscalation | `false` |
| `sentinel.containerSecurityContext.seccompProfile.type` | Set Redis&reg; Sentinel containers' Security Context seccompProfile | `RuntimeDefault` | | `sentinel.containerSecurityContext.seccompProfile.type` | Set Redis&reg; Sentinel containers' Security Context seccompProfile | `RuntimeDefault` |
| `sentinel.containerSecurityContext.capabilities.drop` | Set Redis&reg; Sentinel containers' Security Context capabilities to drop | `["ALL"]` | | `sentinel.containerSecurityContext.capabilities.drop` | Set Redis&reg; Sentinel containers' Security Context capabilities to drop | `["ALL"]` |
@ -448,6 +453,7 @@ The command removes all the Kubernetes components associated with the chart and
| `sentinel.service.externalTrafficPolicy` | Redis&reg; Sentinel service external traffic policy | `Cluster` | | `sentinel.service.externalTrafficPolicy` | Redis&reg; Sentinel service external traffic policy | `Cluster` |
| `sentinel.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | | `sentinel.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
| `sentinel.service.clusterIP` | Redis&reg; Sentinel service Cluster IP | `""` | | `sentinel.service.clusterIP` | Redis&reg; Sentinel service Cluster IP | `""` |
| `sentinel.service.createMaster` | Enable master service pointing to the current master (experimental) | `false` |
| `sentinel.service.loadBalancerIP` | Redis&reg; Sentinel service Load Balancer IP | `""` | | `sentinel.service.loadBalancerIP` | Redis&reg; Sentinel service Load Balancer IP | `""` |
| `sentinel.service.loadBalancerClass` | sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | | `sentinel.service.loadBalancerClass` | sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
| `sentinel.service.loadBalancerSourceRanges` | Redis&reg; Sentinel service Load Balancer sources | `[]` | | `sentinel.service.loadBalancerSourceRanges` | Redis&reg; Sentinel service Load Balancer sources | `[]` |
@ -496,7 +502,7 @@ The command removes all the Kubernetes components associated with the chart and
### Metrics Parameters ### Metrics Parameters
| Name | Description | Value | | Name | Description | Value |
| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | | ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis&reg; metrics | `false` | | `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis&reg; metrics | `false` |
| `metrics.image.registry` | Redis&reg; Exporter image registry | `REGISTRY_NAME` | | `metrics.image.registry` | Redis&reg; Exporter image registry | `REGISTRY_NAME` |
| `metrics.image.repository` | Redis&reg; Exporter image repository | `REPOSITORY_NAME/redis-exporter` | | `metrics.image.repository` | Redis&reg; Exporter image repository | `REPOSITORY_NAME/redis-exporter` |
@ -535,12 +541,13 @@ The command removes all the Kubernetes components associated with the chart and
| `metrics.containerSecurityContext.runAsGroup` | Set Redis&reg; exporter containers' Security Context runAsGroup | `0` | | `metrics.containerSecurityContext.runAsGroup` | Set Redis&reg; exporter containers' Security Context runAsGroup | `0` |
| `metrics.containerSecurityContext.runAsNonRoot` | Set Redis&reg; exporter containers' Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.runAsNonRoot` | Set Redis&reg; exporter containers' Security Context runAsNonRoot | `true` |
| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Redis&reg; exporter containers' Security Context allowPrivilegeEscalation | `false` | | `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Redis&reg; exporter containers' Security Context allowPrivilegeEscalation | `false` |
| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
| `metrics.containerSecurityContext.seccompProfile.type` | Set Redis&reg; exporter containers' Security Context seccompProfile | `RuntimeDefault` | | `metrics.containerSecurityContext.seccompProfile.type` | Set Redis&reg; exporter containers' Security Context seccompProfile | `RuntimeDefault` |
| `metrics.containerSecurityContext.capabilities.drop` | Set Redis&reg; exporter containers' Security Context capabilities to drop | `["ALL"]` | | `metrics.containerSecurityContext.capabilities.drop` | Set Redis&reg; exporter containers' Security Context capabilities to drop | `["ALL"]` |
| `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis&reg; metrics sidecar | `[]` | | `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis&reg; metrics sidecar | `[]` |
| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis&reg; metrics sidecar | `[]` | | `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis&reg; metrics sidecar | `[]` |
| `metrics.resources.limits` | The resources limits for the Redis&reg; exporter container | `{}` | | `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
| `metrics.resources.requests` | The requested resources for the Redis&reg; exporter container | `{}` | | `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `metrics.podLabels` | Extra labels for Redis&reg; exporter pods | `{}` | | `metrics.podLabels` | Extra labels for Redis&reg; exporter pods | `{}` |
| `metrics.podAnnotations` | Annotations for Redis&reg; exporter pods | `{}` | | `metrics.podAnnotations` | Annotations for Redis&reg; exporter pods | `{}` |
| `metrics.service.enabled` | Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor | `true` | | `metrics.service.enabled` | Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor | `true` |
@ -587,17 +594,25 @@ The command removes all the Kubernetes components associated with the chart and
### Init Container Parameters ### Init Container Parameters
| Name | Description | Value | | Name | Description | Value |
| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | -------------------------- | | ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- |
| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | | `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` |
| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | | `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | | `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | | `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | | `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | | `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | | `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | | `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
| `kubectl.image.registry` | Kubectl image registry | `REGISTRY_NAME` |
| `kubectl.image.repository` | Kubectl image repository | `REPOSITORY_NAME/kubectl` |
| `kubectl.image.digest` | Kubectl image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `kubectl.image.pullPolicy` | Kubectl image pull policy | `IfNotPresent` |
| `kubectl.image.pullSecrets` | Kubectl pull secrets | `[]` |
| `kubectl.command` | kubectl command to execute | `["/opt/bitnami/scripts/kubectl-scripts/update-master-label.sh"]` |
| `kubectl.resources.limits` | The resources limits for the kubectl containers | `{}` |
| `kubectl.resources.requests` | The requested resources for the kubectl containers | `{}` |
| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` | | `sysctl.enabled` | Enable init container to modify Kernel settings | `false` |
| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | | `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | | `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
@ -606,8 +621,8 @@ The command removes all the Kubernetes components associated with the chart and
| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | | `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` | | `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` |
| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` | | `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` |
| `sysctl.resources.limits` | The resources limits for the init container | `{}` | | `sysctl.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production). | `none` |
| `sysctl.resources.requests` | The requested resources for the init container | `{}` | | `sysctl.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
### useExternalDNS Parameters ### useExternalDNS Parameters
@ -643,6 +658,12 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/redis
## Configuration and installation details ## Configuration and installation details
### Resource requests and limits
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) ### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.

2
charts/bitnami/airflow/charts/redis/charts/common/.helmignore
View File

@ -20,3 +20,5 @@
.idea/ .idea/
*.tmproj *.tmproj
.vscode/ .vscode/
# img folder
img/

4
charts/bitnami/airflow/charts/redis/charts/common/Chart.yaml
View File

@ -2,7 +2,7 @@ annotations:
category: Infrastructure category: Infrastructure
licenses: Apache-2.0 licenses: Apache-2.0
apiVersion: v2 apiVersion: v2
appVersion: 2.14.1 appVersion: 2.19.0
description: A Library Helm Chart for grouping common logic between bitnami charts. description: A Library Helm Chart for grouping common logic between bitnami charts.
This chart is not deployable by itself. This chart is not deployable by itself.
home: https://bitnami.com home: https://bitnami.com
@ -20,4 +20,4 @@ name: common
sources: sources:
- https://github.com/bitnami/charts - https://github.com/bitnami/charts
type: library type: library
version: 2.14.1 version: 2.19.0

2
charts/bitnami/airflow/charts/redis/charts/common/README.md
View File

@ -220,7 +220,7 @@ helm install test mychart --set path.to.value00="",path.to.value01=""
## License ## License
Copyright &copy; 2023 VMware, Inc. Copyright &copy; 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.

Some files were not shown because too many files have changed in this diff Show More