[AUTOMATED] Auto-update charts on main-source (#990)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>pull/993/head
parent
a9afca1814
commit
a5820e5da9
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,7 +1,7 @@
|
|||
annotations:
|
||||
artifacthub.io/changes: |
|
||||
- kind: changed
|
||||
description: Updated Redis image tag to 7.2.4
|
||||
description: Bump argo-cd to v2.10.3
|
||||
artifacthub.io/signKey: |
|
||||
fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
|
||||
url: https://argoproj.github.io/argo-helm/pgp_keys.asc
|
||||
|
@ -11,7 +11,7 @@ annotations:
|
|||
catalog.cattle.io/kube-version: '>=1.23.0-0'
|
||||
catalog.cattle.io/release-name: argo-cd
|
||||
apiVersion: v2
|
||||
appVersion: v2.10.1
|
||||
appVersion: v2.10.3
|
||||
dependencies:
|
||||
- condition: redis-ha.enabled
|
||||
name: redis-ha
|
||||
|
@ -33,4 +33,4 @@ name: argo-cd
|
|||
sources:
|
||||
- https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
|
||||
- https://github.com/argoproj/argo-cd
|
||||
version: 6.2.3
|
||||
version: 6.7.2
|
||||
|
|
|
@ -278,6 +278,15 @@ For full list of changes please check ArtifactHub [changelog].
|
|||
|
||||
Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.
|
||||
|
||||
### 6.4.0
|
||||
|
||||
Added support for application controller dynamic cluster distribution.
|
||||
Please refer to [the docs](https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution) for more information.
|
||||
|
||||
Added env variables to handle the non-standard names generated by the helm chart.
|
||||
Here are the [docs](https://argo-cd.readthedocs.io/en/release-2.9/user-guide/environment-variables/)
|
||||
and [code](https://github.com/argoproj/argo-cd/blob/99723143b96ceec9ef5b0a7feb7b4f4b0dce3497/common/common.go#L252)
|
||||
|
||||
### 6.1.0
|
||||
|
||||
Added support for global domain used by all components.
|
||||
|
@ -720,12 +729,15 @@ NAME: my-release
|
|||
| controller.clusterRoleRules.rules | list | `[]` | List of custom rules for the application controller's ClusterRole resource |
|
||||
| controller.containerPorts.metrics | int | `8082` | Metrics container port |
|
||||
| controller.containerSecurityContext | object | See [values.yaml] | Application controller container-level security context |
|
||||
| controller.deploymentAnnotations | object | `{}` | Annotations for the application controller Deployment |
|
||||
| controller.dnsConfig | object | `{}` | [DNS configuration] |
|
||||
| controller.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for application controller pods |
|
||||
| controller.dynamicClusterDistribution | bool | `false` | Enable dynamic cluster distribution (alpha) Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution |
|
||||
| controller.env | list | `[]` | Environment variables to pass to application controller |
|
||||
| controller.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to application controller |
|
||||
| controller.extraArgs | list | `[]` | Additional command line arguments to pass to application controller |
|
||||
| controller.extraContainers | list | `[]` | Additional containers to be added to the application controller pod |
|
||||
| controller.heartbeatTime | int | `10` | Application controller heartbeat time Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution/#working-of-dynamic-distribution |
|
||||
| controller.hostNetwork | bool | `false` | Host Network for application controller pods |
|
||||
| controller.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the application controller |
|
||||
| controller.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the application controller |
|
||||
|
@ -940,7 +952,7 @@ NAME: my-release
|
|||
| server.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the Argo CD server |
|
||||
| server.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
|
||||
| server.ingress.annotations | object | `{}` | Additional ingress annotations |
|
||||
| server.ingress.aws.backendProtocolVersion | string | `"HTTP2"` | Backend protocol version for the AWS ALB gRPC service |
|
||||
| server.ingress.aws.backendProtocolVersion | string | `"GRPC"` | Backend protocol version for the AWS ALB gRPC service |
|
||||
| server.ingress.aws.serviceType | string | `"NodePort"` | Service type for the AWS ALB gRPC service |
|
||||
| server.ingress.controller | string | `"generic"` | Specific implementation for ingress controller. One of `generic`, `aws` or `gke` |
|
||||
| server.ingress.enabled | bool | `false` | Enable an ingress resource for the Argo CD server |
|
||||
|
@ -1077,6 +1089,9 @@ NAME: my-release
|
|||
| dex.initImage.tag | string | `""` (defaults to global.image.tag) | Argo CD init image tag |
|
||||
| dex.livenessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for Dex >= 2.28.0 |
|
||||
| dex.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
|
||||
| dex.livenessProbe.httpPath | string | `"/healthz/live"` | Http path to use for the liveness probe |
|
||||
| dex.livenessProbe.httpPort | string | `"metrics"` | Http port to use for the liveness probe |
|
||||
| dex.livenessProbe.httpScheme | string | `"HTTP"` | Scheme to use for for the liveness probe (can be HTTP or HTTPS) |
|
||||
| dex.livenessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated |
|
||||
| dex.livenessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
|
||||
| dex.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
|
||||
|
@ -1109,6 +1124,9 @@ NAME: my-release
|
|||
| dex.priorityClassName | string | `""` (defaults to global.priorityClassName) | Priority class for the dex pods |
|
||||
| dex.readinessProbe.enabled | bool | `false` | Enable Kubernetes readiness probe for Dex >= 2.28.0 |
|
||||
| dex.readinessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
|
||||
| dex.readinessProbe.httpPath | string | `"/healthz/ready"` | Http path to use for the readiness probe |
|
||||
| dex.readinessProbe.httpPort | string | `"metrics"` | Http port to use for the readiness probe |
|
||||
| dex.readinessProbe.httpScheme | string | `"HTTP"` | Scheme to use for for the liveness probe (can be HTTP or HTTPS) |
|
||||
| dex.readinessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated |
|
||||
| dex.readinessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
|
||||
| dex.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
|
||||
|
@ -1284,6 +1302,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
|
|||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| applicationSet.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules |
|
||||
| applicationSet.allowAnyNamespace | bool | `false` | Enable ApplicationSet in any namespace feature |
|
||||
| applicationSet.certificate.additionalHosts | list | `[]` | Certificate Subject Alternate Names (SANs) |
|
||||
| applicationSet.certificate.annotations | object | `{}` | Annotations to be applied to the ApplicationSet Certificate |
|
||||
| applicationSet.certificate.domain | string | `""` (defaults to global.domain) | Certificate primary domain (commonName) |
|
||||
|
@ -1446,6 +1465,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
|
|||
| notifications.secret.create | bool | `true` | Whether helm chart creates notifications controller secret |
|
||||
| notifications.secret.items | object | `{}` | Generic key:value pairs to be inserted into the secret |
|
||||
| notifications.secret.labels | object | `{}` | key:value pairs of labels to be added to the secret |
|
||||
| notifications.secret.name | string | `"argocd-notifications-secret"` | notifications controller Secret name |
|
||||
| notifications.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
|
||||
| notifications.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
|
||||
| notifications.serviceAccount.create | bool | `true` | Create notifications controller service account |
|
||||
|
|
|
@ -0,0 +1,357 @@
|
|||
{{- if .Values.controller.dynamicClusterDistribution }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
{{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.controller.deploymentAnnotations) }}
|
||||
annotations:
|
||||
{{- range $key, $value := . }}
|
||||
{{ $key }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
name: {{ template "argo-cd.controller.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.controller.replicas }}
|
||||
revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit | default .Values.global.revisionHistoryLimit }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }}
|
||||
{{- if .Values.configs.cm.create }}
|
||||
checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.controller.podAnnotations) }}
|
||||
{{- range $key, $value := . }}
|
||||
{{ $key }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 8 }}
|
||||
{{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.controller.podLabels) }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- with .Values.controller.imagePullSecrets | default .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.hostAliases }}
|
||||
hostAliases:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.controller.priorityClassName | default .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.terminationGracePeriodSeconds }}
|
||||
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "argo-cd.controller.serviceAccountName" . }}
|
||||
containers:
|
||||
- args:
|
||||
- /usr/local/bin/argocd-application-controller
|
||||
- --metrics-port={{ .Values.controller.containerPorts.metrics }}
|
||||
{{- if .Values.controller.metrics.applicationLabels.enabled }}
|
||||
{{- range .Values.controller.metrics.applicationLabels.labels }}
|
||||
- --metrics-application-labels
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.controller.extraArgs }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
image: {{ default .Values.global.image.repository .Values.controller.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.controller.image.tag }}
|
||||
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.controller.image.imagePullPolicy }}
|
||||
name: {{ .Values.controller.name }}
|
||||
env:
|
||||
{{- with (concat .Values.global.env .Values.controller.env) }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
- name: ARGOCD_ENABLE_DYNAMIC_CLUSTER_DISTRIBUTION
|
||||
value: "true"
|
||||
- name: ARGOCD_CONTROLLER_HEARTBEAT_TIME
|
||||
value: {{ .Values.controller.heartbeatTime | quote }}
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_NAME
|
||||
value: {{ template "argo-cd.controller.fullname" . }}
|
||||
- name: ARGOCD_RECONCILIATION_TIMEOUT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cm
|
||||
key: timeout.reconciliation
|
||||
optional: true
|
||||
- name: ARGOCD_HARD_RECONCILIATION_TIMEOUT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cm
|
||||
key: timeout.hard.reconciliation
|
||||
optional: true
|
||||
- name: ARGOCD_RECONCILIATION_JITTER
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: timeout.reconciliation.jitter
|
||||
name: argocd-cm
|
||||
optional: true
|
||||
- name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.repo.error.grace.period.seconds
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: repo.server
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.repo.server.timeout.seconds
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.status.processors
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.operation.processors
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.log.format
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.log.level
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.metrics.cache.expiration
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.self.heal.timeout.seconds
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.repo.server.plaintext
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.repo.server.strict.tls
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.resource.health.persist
|
||||
optional: true
|
||||
- name: ARGOCD_APP_STATE_CACHE_EXPIRATION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.app.state.cache.expiration
|
||||
optional: true
|
||||
- name: REDIS_SERVER
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: redis.server
|
||||
optional: true
|
||||
- name: REDIS_COMPRESSION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: redis.compression
|
||||
optional: true
|
||||
- name: REDISDB
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: redis.db
|
||||
optional: true
|
||||
- name: REDIS_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
|
||||
key: redis-username
|
||||
optional: true
|
||||
- name: REDIS_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
|
||||
key: redis-password
|
||||
optional: true
|
||||
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.default.cache.expiration
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: otlp.address
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: otlp.insecure
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: otlp.headers
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_NAMESPACES
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: application.namespaces
|
||||
optional: true
|
||||
- name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.sharding.algorithm
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.kubectl.parallelism.limit
|
||||
optional: true
|
||||
- name: ARGOCD_K8SCLIENT_RETRY_MAX
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.k8sclient.retry.max
|
||||
optional: true
|
||||
- name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.k8sclient.retry.base.backoff
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: argocd-cmd-params-cm
|
||||
key: controller.diff.server.side
|
||||
optional: true
|
||||
{{- with .Values.controller.envFrom }}
|
||||
envFrom:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
|
||||
containerPort: {{ .Values.controller.containerPorts.metrics }}
|
||||
protocol: TCP
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: metrics
|
||||
initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
|
||||
resources:
|
||||
{{- toYaml .Values.controller.resources | nindent 10 }}
|
||||
{{- with .Values.controller.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
workingDir: /home/argocd
|
||||
volumeMounts:
|
||||
{{- with .Values.controller.volumeMounts }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
- mountPath: /app/config/controller/tls
|
||||
name: argocd-repo-server-tls
|
||||
- mountPath: /home/argocd
|
||||
name: argocd-home
|
||||
{{- with .Values.controller.extraContainers }}
|
||||
{{- tpl (toYaml .) $ | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- with .Values.controller.initContainers }}
|
||||
initContainers:
|
||||
{{- tpl (toYaml .) $ | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- with include "argo-cd.affinity" (dict "context" . "component" .Values.controller) }}
|
||||
affinity:
|
||||
{{- trim . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.controller.nodeSelector | default .Values.global.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.controller.tolerations | default .Values.global.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.controller.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- range $constraint := . }}
|
||||
- {{ toYaml $constraint | nindent 8 | trim }}
|
||||
{{- if not $constraint.labelSelector }}
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
{{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.controller.name) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- with .Values.controller.volumes }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
- name: argocd-home
|
||||
emptyDir: {}
|
||||
- name: argocd-repo-server-tls
|
||||
secret:
|
||||
secretName: argocd-repo-server-tls
|
||||
optional: true
|
||||
items:
|
||||
- key: tls.crt
|
||||
path: tls.crt
|
||||
- key: tls.key
|
||||
path: tls.key
|
||||
- key: ca.crt
|
||||
path: ca.crt
|
||||
{{- if .Values.controller.hostNetwork }}
|
||||
hostNetwork: {{ .Values.controller.hostNetwork }}
|
||||
{{- end }}
|
||||
{{- with .Values.controller.dnsConfig }}
|
||||
dnsConfig:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
dnsPolicy: {{ .Values.controller.dnsPolicy }}
|
||||
{{- end }}
|
|
@ -1,3 +1,4 @@
|
|||
{{- if not .Values.controller.dynamicClusterDistribution | default false }}
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
|
@ -77,6 +78,8 @@ spec:
|
|||
{{- end }}
|
||||
- name: ARGOCD_CONTROLLER_REPLICAS
|
||||
value: {{ .Values.controller.replicas | quote }}
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_NAME
|
||||
value: {{ template "argo-cd.controller.fullname" . }}
|
||||
- name: ARGOCD_RECONCILIATION_TIMEOUT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
|
@ -350,3 +353,4 @@ spec:
|
|||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
dnsPolicy: {{ .Values.controller.dnsPolicy }}
|
||||
{{- end }}
|
||||
|
|
|
@ -0,0 +1,89 @@
|
|||
{{- if .Values.applicationSet.allowAnyNamespace }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ include "argo-cd.applicationSet.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- argoproj.io
|
||||
resources:
|
||||
- applications
|
||||
- applicationsets
|
||||
- applicationsets/finalizers
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- argoproj.io
|
||||
resources:
|
||||
- applicationsets/status
|
||||
verbs:
|
||||
- get
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- argoproj.io
|
||||
resources:
|
||||
- appprojects
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- apps
|
||||
- extensions
|
||||
resources:
|
||||
- deployments
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- coordination.k8s.io
|
||||
resources:
|
||||
- leases
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
{{- end }}
|
|
@ -0,0 +1,17 @@
|
|||
{{- if .Values.applicationSet.allowAnyNamespace }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "argo-cd.applicationSet.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "argo-cd.applicationSet.fullname" . }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "argo-cd.applicationSet.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
|
@ -24,7 +24,7 @@ spec:
|
|||
http:
|
||||
paths:
|
||||
{{- with .Values.applicationSet.ingress.extraPaths }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- tpl (toYaml .) $ | nindent 10 }}
|
||||
{{- end }}
|
||||
- path: {{ .Values.applicationSet.ingress.path }}
|
||||
pathType: {{ .Values.applicationSet.ingress.pathType }}
|
||||
|
@ -46,7 +46,7 @@ spec:
|
|||
number: {{ $.Values.applicationSet.service.port }}
|
||||
{{- end }}
|
||||
{{- with .Values.applicationSet.ingress.extraRules }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- tpl (toYaml .) $ | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.applicationSet.ingress.tls .Values.applicationSet.ingress.extraTls }}
|
||||
tls:
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: argocd-notifications-secret
|
||||
name: {{ .Values.notifications.secret.name }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
|
||||
|
|
|
@ -38,14 +38,12 @@ rules:
|
|||
verbs:
|
||||
- get
|
||||
{{- end }}
|
||||
{{- if .Values.notifications.secret.create }}
|
||||
- apiGroups:
|
||||
- ""
|
||||
resourceNames:
|
||||
- argocd-notifications-secret
|
||||
- {{ .Values.notifications.secret.name }}
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -66,6 +66,7 @@ spec:
|
|||
- --logformat={{ default .Values.global.logging.format .Values.notifications.logFormat }}
|
||||
- --namespace={{ .Release.Namespace }}
|
||||
- --argocd-repo-server={{ template "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }}
|
||||
- --secret-name={{ .Values.notifications.secret.name }}
|
||||
{{- range .Values.notifications.extraArgs }}
|
||||
- {{ . | squote }}
|
||||
{{- end }}
|
||||
|
|
|
@ -37,7 +37,7 @@ rules:
|
|||
- apiGroups:
|
||||
- ""
|
||||
resourceNames:
|
||||
- argocd-notifications-secret
|
||||
- {{ .Values.notifications.secret.name }}
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
|
|
|
@ -85,6 +85,8 @@ spec:
|
|||
- name: USER_NAME
|
||||
value: argocd
|
||||
{{- end }}
|
||||
- name: ARGOCD_REPO_SERVER_NAME
|
||||
value: {{ template "argo-cd.repoServer.fullname" . }}
|
||||
- name: ARGOCD_RECONCILIATION_TIMEOUT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
|
|
|
@ -26,7 +26,7 @@ spec:
|
|||
http:
|
||||
paths:
|
||||
{{- with .Values.server.ingress.extraPaths }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- tpl (toYaml .) $ | nindent 10 }}
|
||||
{{- end }}
|
||||
- path: {{ .Values.server.ingress.path }}
|
||||
pathType: {{ $.Values.server.ingressGrpc.pathType }}
|
||||
|
@ -55,7 +55,7 @@ spec:
|
|||
number: {{ $servicePort }}
|
||||
{{- end }}
|
||||
{{- with .Values.server.ingress.extraRules }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- tpl (toYaml .) $ | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }}
|
||||
tls:
|
||||
|
|
|
@ -75,6 +75,8 @@ spec:
|
|||
{{- with (concat .Values.global.env .Values.server.env) }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
- name: ARGOCD_SERVER_NAME
|
||||
value: {{ template "argo-cd.server.fullname" . }}
|
||||
- name: ARGOCD_SERVER_INSECURE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
|
|
|
@ -31,7 +31,7 @@ spec:
|
|||
http:
|
||||
paths:
|
||||
{{- with .Values.server.ingress.extraPaths }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- tpl (toYaml .) $ | nindent 10 }}
|
||||
{{- end }}
|
||||
- path: {{ .Values.server.ingress.path }}
|
||||
pathType: {{ .Values.server.ingress.pathType }}
|
||||
|
@ -53,7 +53,7 @@ spec:
|
|||
number: {{ $servicePort }}
|
||||
{{- end }}
|
||||
{{- with .Values.server.ingress.extraRules }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- tpl (toYaml .) $ | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }}
|
||||
tls:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{{- if and .Values.server.ingressGrpc.enabled (eq .Values.server.ingress.controller "generic") -}}
|
||||
{{- if .Values.server.ingressGrpc.enabled -}}
|
||||
{{- $hostname := printf "grpc.%s" (.Values.server.ingress.hostname | default .Values.global.domain) -}}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
|
@ -25,7 +25,7 @@ spec:
|
|||
http:
|
||||
paths:
|
||||
{{- with .Values.server.ingressGrpc.extraPaths }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- tpl (toYaml .) $ | nindent 10 }}
|
||||
{{- end }}
|
||||
- path: {{ .Values.server.ingressGrpc.path }}
|
||||
pathType: {{ .Values.server.ingressGrpc.pathType }}
|
||||
|
@ -47,13 +47,13 @@ spec:
|
|||
number: {{ $.Values.server.service.servicePortHttps }}
|
||||
{{- end }}
|
||||
{{- with .Values.server.ingressGrpc.extraRules }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- tpl (toYaml .) $ | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.server.ingressGrpc.tls .Values.server.ingressGrpc.extraTls }}
|
||||
tls:
|
||||
{{- if .Values.server.ingressGrpc.tls }}
|
||||
- hosts:
|
||||
- {{ $hostname }}
|
||||
- {{ .Values.server.ingressGrpc.hostname | default $hostname }}
|
||||
secretName: argocd-server-grpc-tls
|
||||
{{- end }}
|
||||
{{- with .Values.server.ingressGrpc.extraTls }}
|
||||
|
|
|
@ -26,7 +26,7 @@ spec:
|
|||
http:
|
||||
paths:
|
||||
{{- with .Values.server.ingress.extraPaths }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- tpl (toYaml .) $ | nindent 10 }}
|
||||
{{- end }}
|
||||
- path: {{ .Values.server.ingress.path }}
|
||||
pathType: {{ $.Values.server.ingress.pathType }}
|
||||
|
@ -48,7 +48,7 @@ spec:
|
|||
number: {{ $servicePort }}
|
||||
{{- end }}
|
||||
{{- with .Values.server.ingress.extraRules }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- tpl (toYaml .) $ | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }}
|
||||
tls:
|
||||
|
|
|
@ -99,8 +99,9 @@ spec:
|
|||
{{- if .Values.dex.livenessProbe.enabled }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /healthz/live
|
||||
port: metrics
|
||||
path: {{ .Values.dex.livenessProbe.httpPath }}
|
||||
port: {{ .Values.dex.livenessProbe.httpPort }}
|
||||
scheme: {{ .Values.dex.livenessProbe.httpScheme }}
|
||||
initialDelaySeconds: {{ .Values.dex.livenessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.dex.livenessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.dex.livenessProbe.timeoutSeconds }}
|
||||
|
@ -110,8 +111,9 @@ spec:
|
|||
{{- if .Values.dex.readinessProbe.enabled }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz/ready
|
||||
port: metrics
|
||||
path: {{ .Values.dex.readinessProbe.httpPath }}
|
||||
port: {{ .Values.dex.readinessProbe.httpPort }}
|
||||
scheme: {{ .Values.dex.readinessProbe.httpScheme }}
|
||||
initialDelaySeconds: {{ .Values.dex.readinessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.dex.readinessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.dex.readinessProbe.timeoutSeconds }}
|
||||
|
|
|
@ -193,7 +193,7 @@ spec:
|
|||
- name: health
|
||||
configMap:
|
||||
name: {{ include "argo-cd.redis.fullname" . }}-health-configmap
|
||||
defaultMode: 0755
|
||||
defaultMode: 493
|
||||
{{- with .Values.redis.volumes }}
|
||||
{{- toYaml . | nindent 8}}
|
||||
{{- end }}
|
||||
|
|
|
@ -577,8 +577,22 @@ controller:
|
|||
|
||||
# -- The number of application controller pods to run.
|
||||
# Additional replicas will cause sharding of managed clusters across number of replicas.
|
||||
## With dynamic cluster distribution turned on, sharding of the clusters will gracefully
|
||||
## rebalance if the number of replica's changes or one becomes unhealthy. (alpha)
|
||||
replicas: 1
|
||||
|
||||
# -- Enable dynamic cluster distribution (alpha)
|
||||
# Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution
|
||||
## This is done using a deployment instead of a statefulSet
|
||||
## When replicas are added or removed, the sharding algorithm is re-run to ensure that the
|
||||
## clusters are distributed according to the algorithm. If the algorithm is well-balanced,
|
||||
## like round-robin, then the shards will be well-balanced.
|
||||
dynamicClusterDistribution: false
|
||||
|
||||
# -- Application controller heartbeat time
|
||||
# Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution/#working-of-dynamic-distribution
|
||||
heartbeatTime: 10
|
||||
|
||||
# -- Maximum number of controller revisions that will be maintained in StatefulSet history
|
||||
revisionHistoryLimit: 5
|
||||
|
||||
|
@ -662,6 +676,9 @@ controller:
|
|||
# -- Annotations for the application controller StatefulSet
|
||||
statefulsetAnnotations: {}
|
||||
|
||||
# -- Annotations for the application controller Deployment
|
||||
deploymentAnnotations: {}
|
||||
|
||||
# -- Annotations to be added to application controller pods
|
||||
podAnnotations: {}
|
||||
|
||||
|
@ -1039,6 +1056,12 @@ dex:
|
|||
livenessProbe:
|
||||
# -- Enable Kubernetes liveness probe for Dex >= 2.28.0
|
||||
enabled: false
|
||||
# -- Http path to use for the liveness probe
|
||||
httpPath: /healthz/live
|
||||
# -- Http port to use for the liveness probe
|
||||
httpPort: metrics
|
||||
# -- Scheme to use for for the liveness probe (can be HTTP or HTTPS)
|
||||
httpScheme: HTTP
|
||||
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
|
||||
failureThreshold: 3
|
||||
# -- Number of seconds after the container has started before [probe] is initiated
|
||||
|
@ -1053,6 +1076,12 @@ dex:
|
|||
readinessProbe:
|
||||
# -- Enable Kubernetes readiness probe for Dex >= 2.28.0
|
||||
enabled: false
|
||||
# -- Http path to use for the readiness probe
|
||||
httpPath: /healthz/ready
|
||||
# -- Http port to use for the readiness probe
|
||||
httpPort: metrics
|
||||
# -- Scheme to use for for the liveness probe (can be HTTP or HTTPS)
|
||||
httpScheme: HTTP
|
||||
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
|
||||
failureThreshold: 3
|
||||
# -- Number of seconds after the container has started before [probe] is initiated
|
||||
|
@ -2009,6 +2038,7 @@ server:
|
|||
|
||||
# -- Additional ingress paths
|
||||
# @default -- `[]` (See [values.yaml])
|
||||
## Note: Supports use of custom Helm templates
|
||||
extraPaths: []
|
||||
# - path: /*
|
||||
# pathType: Prefix
|
||||
|
@ -2020,15 +2050,17 @@ server:
|
|||
|
||||
# -- Additional ingress rules
|
||||
# @default -- `[]` (See [values.yaml])
|
||||
## Note: Supports use of custom Helm templates
|
||||
extraRules: []
|
||||
# - host: example.example.com
|
||||
# http:
|
||||
# path: /
|
||||
# - http:
|
||||
# paths:
|
||||
# - path: /
|
||||
# pathType: Prefix
|
||||
# backend:
|
||||
# service:
|
||||
# name: example-svc
|
||||
# name: '{{ include "argo-cd.server.fullname" . }}'
|
||||
# port:
|
||||
# name: http
|
||||
# name: '{{ .Values.server.service.servicePortHttpsName }}'
|
||||
|
||||
# -- Additional TLS configuration
|
||||
# @default -- `[]` (See [values.yaml])
|
||||
|
@ -2042,8 +2074,9 @@ server:
|
|||
## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#aws-application-load-balancers-albs-and-classic-elb-http-mode
|
||||
aws:
|
||||
# -- Backend protocol version for the AWS ALB gRPC service
|
||||
## This tells AWS to send traffic from the ALB using HTTP2. Can use gRPC as well if you want to leverage gRPC specific features
|
||||
backendProtocolVersion: HTTP2
|
||||
## This tells AWS to send traffic from the ALB using gRPC.
|
||||
## For more information: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html#health-check-settings
|
||||
backendProtocolVersion: GRPC
|
||||
# -- Service type for the AWS ALB gRPC service
|
||||
## Can be of type NodePort or ClusterIP depending on which mode you are running.
|
||||
## Instance mode needs type NodePort, IP mode needs type ClusterIP
|
||||
|
@ -2114,6 +2147,7 @@ server:
|
|||
|
||||
# -- Additional ingress paths for dedicated [gRPC-ingress]
|
||||
# @default -- `[]` (See [values.yaml])
|
||||
## Note: Supports use of custom Helm templates
|
||||
extraPaths: []
|
||||
# - path: /*
|
||||
# pathType: Prefix
|
||||
|
@ -2125,15 +2159,17 @@ server:
|
|||
|
||||
# -- Additional ingress rules
|
||||
# @default -- `[]` (See [values.yaml])
|
||||
## Note: Supports use of custom Helm templates
|
||||
extraRules: []
|
||||
# - host: example.example.com
|
||||
# http:
|
||||
# path: /
|
||||
# - http:
|
||||
# paths:
|
||||
# - path: /
|
||||
# pathType: Prefix
|
||||
# backend:
|
||||
# service:
|
||||
# name: example-svc
|
||||
# name: '{{ include "argo-cd.server.fullname" . }}'
|
||||
# port:
|
||||
# name: http
|
||||
# name: '{{ .Values.server.service.servicePortHttpName }}'
|
||||
|
||||
# -- Additional TLS configuration for dedicated [gRPC-ingress]
|
||||
# @default -- `[]` (See [values.yaml])
|
||||
|
@ -2874,15 +2910,17 @@ applicationSet:
|
|||
|
||||
# -- Additional ingress rules
|
||||
# @default -- `[]` (See [values.yaml])
|
||||
## Note: Supports use of custom Helm templates
|
||||
extraRules: []
|
||||
# - host: example.example.com
|
||||
# http:
|
||||
# path: /
|
||||
# - http:
|
||||
# paths:
|
||||
# - path: /api/webhook
|
||||
# pathType: Prefix
|
||||
# backend:
|
||||
# service:
|
||||
# name: example-svc
|
||||
# name: '{{ include "argo-cd.applicationSet.fullname" . }}'
|
||||
# port:
|
||||
# name: http
|
||||
# name: '{{ .Values.applicationSet.service.portName }}'
|
||||
|
||||
# -- Additional ingress TLS configuration
|
||||
# @default -- `[]` (See [values.yaml])
|
||||
|
@ -2890,7 +2928,8 @@ applicationSet:
|
|||
# - secretName: argocd-applicationset-tls
|
||||
# hosts:
|
||||
# - argocd-applicationset.example.com
|
||||
|
||||
# -- Enable ApplicationSet in any namespace feature
|
||||
allowAnyNamespace: false
|
||||
## Notifications controller
|
||||
notifications:
|
||||
# -- Enable notifications controller
|
||||
|
@ -2978,8 +3017,12 @@ notifications:
|
|||
|
||||
secret:
|
||||
# -- Whether helm chart creates notifications controller secret
|
||||
## If true, will create a secret with the name below. Otherwise, will assume existence of a secret with that name.
|
||||
create: true
|
||||
|
||||
# -- notifications controller Secret name
|
||||
name: "argocd-notifications-secret"
|
||||
|
||||
# -- key:value pairs of annotations to be added to the secret
|
||||
annotations: {}
|
||||
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
dependencies:
|
||||
- name: redis
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 18.13.0
|
||||
version: 18.19.2
|
||||
- name: postgresql
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 13.4.4
|
||||
version: 14.3.3
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 2.15.3
|
||||
digest: sha256:dd4296369ab03a8c9f1940b4fc34ba57020a63afa6f761220f4f1249ab9e9e08
|
||||
generated: "2024-02-14T12:34:36.945245545+01:00"
|
||||
version: 2.19.0
|
||||
digest: sha256:ef8c5318de55f20f28fd5f98a2201bf883baab63e2faf37ef4b4d05ec14a0635
|
||||
generated: "2024-03-13T11:46:34.191714+01:00"
|
||||
|
|
|
@ -5,21 +5,21 @@ annotations:
|
|||
catalog.cattle.io/release-name: airflow
|
||||
category: WorkFlow
|
||||
images: |
|
||||
- name: airflow-exporter
|
||||
image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-11-r448
|
||||
- name: airflow-scheduler
|
||||
image: docker.io/bitnami/airflow-scheduler:2.8.1-debian-11-r4
|
||||
- name: airflow-worker
|
||||
image: docker.io/bitnami/airflow-worker:2.8.1-debian-11-r4
|
||||
- name: airflow
|
||||
image: docker.io/bitnami/airflow:2.8.1-debian-11-r4
|
||||
image: docker.io/bitnami/airflow:2.8.3-debian-12-r0
|
||||
- name: airflow-exporter
|
||||
image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-12-r27
|
||||
- name: airflow-scheduler
|
||||
image: docker.io/bitnami/airflow-scheduler:2.8.3-debian-12-r0
|
||||
- name: airflow-worker
|
||||
image: docker.io/bitnami/airflow-worker:2.8.3-debian-12-r0
|
||||
- name: git
|
||||
image: docker.io/bitnami/git:2.43.0-debian-11-r9
|
||||
image: docker.io/bitnami/git:2.44.0-debian-12-r0
|
||||
- name: os-shell
|
||||
image: docker.io/bitnami/os-shell:11-debian-11-r96
|
||||
image: docker.io/bitnami/os-shell:12-debian-12-r16
|
||||
licenses: Apache-2.0
|
||||
apiVersion: v2
|
||||
appVersion: 2.8.1
|
||||
appVersion: 2.8.3
|
||||
dependencies:
|
||||
- condition: redis.enabled
|
||||
name: redis
|
||||
|
@ -28,7 +28,7 @@ dependencies:
|
|||
- condition: postgresql.enabled
|
||||
name: postgresql
|
||||
repository: file://./charts/postgresql
|
||||
version: 13.x.x
|
||||
version: 14.x.x
|
||||
- name: common
|
||||
repository: file://./charts/common
|
||||
tags:
|
||||
|
@ -50,4 +50,4 @@ maintainers:
|
|||
name: airflow
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/airflow
|
||||
version: 16.7.0
|
||||
version: 17.2.4
|
||||
|
|
|
@ -56,10 +56,11 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
### Global parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ------------------------- | ----------------------------------------------- | ----- |
|
||||
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
|
||||
| `global.imageRegistry` | Global Docker image registry | `""` |
|
||||
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
|
||||
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
|
||||
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
|
||||
|
||||
### Common parameters
|
||||
|
||||
|
@ -155,9 +156,11 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `web.containerSecurityContext.enabled` | Enabled Airflow web containers' Security Context | `true` |
|
||||
| `web.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `web.containerSecurityContext.runAsUser` | Set Airflow web containers' Security Context runAsUser | `1001` |
|
||||
| `web.containerSecurityContext.runAsGroup` | Set Airflow web containers' Security Context runAsGroup | `0` |
|
||||
| `web.containerSecurityContext.runAsNonRoot` | Set Airflow web containers' Security Context runAsNonRoot | `true` |
|
||||
| `web.containerSecurityContext.privileged` | Set web container's Security Context privileged | `false` |
|
||||
| `web.containerSecurityContext.allowPrivilegeEscalation` | Set web container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `web.containerSecurityContext.readOnlyRootFilesystem` | Set web container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `web.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `web.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| `web.lifecycleHooks` | for the Airflow web container(s) to automate configuration before or after startup | `{}` |
|
||||
|
@ -236,9 +239,11 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `scheduler.containerSecurityContext.enabled` | Enabled Airflow scheduler containers' Security Context | `true` |
|
||||
| `scheduler.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `scheduler.containerSecurityContext.runAsUser` | Set Airflow scheduler containers' Security Context runAsUser | `1001` |
|
||||
| `scheduler.containerSecurityContext.runAsGroup` | Set Airflow scheduler containers' Security Context runAsGroup | `0` |
|
||||
| `scheduler.containerSecurityContext.runAsNonRoot` | Set Airflow scheduler containers' Security Context runAsNonRoot | `true` |
|
||||
| `scheduler.containerSecurityContext.privileged` | Set scheduler container's Security Context privileged | `false` |
|
||||
| `scheduler.containerSecurityContext.allowPrivilegeEscalation` | Set scheduler container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `scheduler.containerSecurityContext.readOnlyRootFilesystem` | Set scheduler container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `scheduler.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `scheduler.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| `scheduler.lifecycleHooks` | for the Airflow scheduler container(s) to automate configuration before or after startup | `{}` |
|
||||
|
@ -324,9 +329,11 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `worker.containerSecurityContext.enabled` | Enabled Airflow worker containers' Security Context | `true` |
|
||||
| `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `worker.containerSecurityContext.runAsUser` | Set Airflow worker containers' Security Context runAsUser | `1001` |
|
||||
| `worker.containerSecurityContext.runAsGroup` | Set Airflow worker containers' Security Context runAsGroup | `0` |
|
||||
| `worker.containerSecurityContext.runAsNonRoot` | Set Airflow worker containers' Security Context runAsNonRoot | `true` |
|
||||
| `worker.containerSecurityContext.privileged` | Set worker container's Security Context privileged | `false` |
|
||||
| `worker.containerSecurityContext.allowPrivilegeEscalation` | Set worker container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `worker.containerSecurityContext.readOnlyRootFilesystem` | Set worker container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `worker.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `worker.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| `worker.lifecycleHooks` | for the Airflow worker container(s) to automate configuration before or after startup | `{}` |
|
||||
|
@ -486,9 +493,11 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `metrics.containerSecurityContext.enabled` | Enable Airflow exporter containers' Security Context | `true` |
|
||||
| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `metrics.containerSecurityContext.runAsUser` | Set Airflow exporter containers' Security Context runAsUser | `1001` |
|
||||
| `metrics.containerSecurityContext.runAsGroup` | Set Airflow exporter containers' Security Context runAsGroup | `0` |
|
||||
| `metrics.containerSecurityContext.runAsNonRoot` | Set Airflow exporter containers' Security Context runAsNonRoot | `true` |
|
||||
| `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` |
|
||||
| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set metrics container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set metrics container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| `metrics.lifecycleHooks` | for the Airflow exporter container(s) to automate configuration before or after startup | `{}` |
|
||||
|
@ -765,6 +774,10 @@ Find more information about how to deal with common errors related to Bitnami's
|
|||
|
||||
## Upgrading
|
||||
|
||||
### To 17.0.0
|
||||
|
||||
This major release bumps the PostgreSQL chart version to [14.x.x](https://github.com/bitnami/charts/pull/22750); no major issues are expected during the upgrade.
|
||||
|
||||
### To 16.0.0
|
||||
|
||||
This major updates the PostgreSQL subchart to its newest major, 13.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1300) you can find more information about the changes introduced in that version.
|
||||
|
|
|
@ -2,7 +2,7 @@ annotations:
|
|||
category: Infrastructure
|
||||
licenses: Apache-2.0
|
||||
apiVersion: v2
|
||||
appVersion: 2.14.1
|
||||
appVersion: 2.19.0
|
||||
description: A Library Helm Chart for grouping common logic between bitnami charts.
|
||||
This chart is not deployable by itself.
|
||||
home: https://bitnami.com
|
||||
|
@ -20,4 +20,4 @@ name: common
|
|||
sources:
|
||||
- https://github.com/bitnami/charts
|
||||
type: library
|
||||
version: 2.15.3
|
||||
version: 2.19.0
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
|
||||
{{/*
|
||||
Return true if the detected platform is Openshift
|
||||
Usage:
|
||||
{{- include "common.compatibility.isOpenshift" . -}}
|
||||
*/}}
|
||||
{{- define "common.compatibility.isOpenshift" -}}
|
||||
{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
|
||||
Usage:
|
||||
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
|
||||
*/}}
|
||||
{{- define "common.compatibility.renderSecurityContext" -}}
|
||||
{{- $adaptedContext := .secContext -}}
|
||||
{{- if .context.Values.global.compatibility -}}
|
||||
{{- if .context.Values.global.compatibility.openshift -}}
|
||||
{{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
|
||||
{{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
|
||||
{{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
|
||||
{{- if not .secContext.seLinuxOptions -}}
|
||||
{{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
|
||||
{{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- omit $adaptedContext "enabled" | toYaml -}}
|
||||
{{- end -}}
|
|
@ -11,35 +11,35 @@ These presets are for basic testing and not meant to be used in production
|
|||
{{ include "common.resources.preset" (dict "type" "nano") -}}
|
||||
*/}}
|
||||
{{- define "common.resources.preset" -}}
|
||||
{{/* The limits are the requests increased by 50% */}}
|
||||
{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
|
||||
{{- $presets := dict
|
||||
"nano" (dict
|
||||
"requests" (dict "cpu" "100m" "memory" "128Mi")
|
||||
"limits" (dict "cpu" "150m" "memory" "192Mi")
|
||||
"requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"micro" (dict
|
||||
"requests" (dict "cpu" "250m" "memory" "256Mi")
|
||||
"limits" (dict "cpu" "375m" "memory" "384Mi")
|
||||
"requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"small" (dict
|
||||
"requests" (dict "cpu" "500m" "memory" "512Mi")
|
||||
"limits" (dict "cpu" "750m" "memory" "768Mi")
|
||||
"requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"medium" (dict
|
||||
"requests" (dict "cpu" "500m" "memory" "1024Mi")
|
||||
"limits" (dict "cpu" "750m" "memory" "1536Mi")
|
||||
"requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"large" (dict
|
||||
"requests" (dict "cpu" "1.0" "memory" "2048Mi")
|
||||
"limits" (dict "cpu" "1.5" "memory" "3072Mi")
|
||||
"requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"xlarge" (dict
|
||||
"requests" (dict "cpu" "2.0" "memory" "4096Mi")
|
||||
"limits" (dict "cpu" "3.0" "memory" "6144Mi")
|
||||
"requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"2xlarge" (dict
|
||||
"requests" (dict "cpu" "4.0" "memory" "8192Mi")
|
||||
"limits" (dict "cpu" "6.0" "memory" "12288Mi")
|
||||
"requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
}}
|
||||
{{- if hasKey $presets .type -}}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
dependencies:
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 2.14.1
|
||||
digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3
|
||||
generated: "2023-12-20T20:39:13.141839286Z"
|
||||
version: 2.19.0
|
||||
digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
|
||||
generated: "2024-03-11T20:27:44.112846437Z"
|
||||
|
|
|
@ -2,14 +2,14 @@ annotations:
|
|||
category: Database
|
||||
images: |
|
||||
- name: os-shell
|
||||
image: docker.io/bitnami/os-shell:11-debian-11-r95
|
||||
image: docker.io/bitnami/os-shell:12-debian-12-r16
|
||||
- name: postgres-exporter
|
||||
image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r7
|
||||
image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
|
||||
- name: postgresql
|
||||
image: docker.io/bitnami/postgresql:16.1.0-debian-11-r25
|
||||
image: docker.io/bitnami/postgresql:16.2.0-debian-12-r8
|
||||
licenses: Apache-2.0
|
||||
apiVersion: v2
|
||||
appVersion: 16.1.0
|
||||
appVersion: 16.2.0
|
||||
dependencies:
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
|
@ -34,4 +34,4 @@ maintainers:
|
|||
name: postgresql
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/postgresql
|
||||
version: 13.4.4
|
||||
version: 14.3.3
|
||||
|
|
|
@ -67,7 +67,7 @@ kubectl delete pvc -l release=my-release
|
|||
### Global parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- |
|
||||
| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
|
||||
| `global.imageRegistry` | Global Docker image registry | `""` |
|
||||
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
|
||||
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
|
||||
|
@ -80,6 +80,7 @@ kubectl delete pvc -l release=my-release
|
|||
| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
|
||||
| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
|
||||
| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` |
|
||||
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
|
||||
|
||||
### Common parameters
|
||||
|
||||
|
@ -160,7 +161,7 @@ kubectl delete pvc -l release=my-release
|
|||
### PostgreSQL Primary parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- |
|
||||
| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
|
||||
| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` |
|
||||
| `primary.configuration` | PostgreSQL Primary main configuration to be injected as ConfigMap | `""` |
|
||||
| `primary.pgHbaConfiguration` | PostgreSQL Primary client authentication configuration | `""` |
|
||||
|
@ -204,9 +205,8 @@ kubectl delete pvc -l release=my-release
|
|||
| `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` |
|
||||
| `primary.resources.limits` | The resources limits for the PostgreSQL Primary containers | `{}` |
|
||||
| `primary.resources.requests.memory` | The requested memory for the PostgreSQL Primary containers | `256Mi` |
|
||||
| `primary.resources.requests.cpu` | The requested cpu for the PostgreSQL Primary containers | `250m` |
|
||||
| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `none` |
|
||||
| `primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `primary.podSecurityContext.enabled` | Enable security context | `true` |
|
||||
| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
|
||||
|
@ -215,6 +215,7 @@ kubectl delete pvc -l release=my-release
|
|||
| `primary.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `primary.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `primary.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `primary.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `primary.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
|
@ -248,6 +249,13 @@ kubectl delete pvc -l release=my-release
|
|||
| `primary.sidecars` | Add additional sidecar containers to the PostgreSQL Primary pod(s) | `[]` |
|
||||
| `primary.initContainers` | Add additional init containers to the PostgreSQL Primary pod(s) | `[]` |
|
||||
| `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` |
|
||||
| `primary.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
|
||||
| `primary.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
|
||||
| `primary.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
|
||||
| `primary.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
|
||||
| `primary.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
|
||||
| `primary.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
|
||||
| `primary.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
|
||||
| `primary.service.type` | Kubernetes Service type | `ClusterIP` |
|
||||
| `primary.service.ports.postgresql` | PostgreSQL service port | `5432` |
|
||||
| `primary.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` |
|
||||
|
@ -278,7 +286,7 @@ kubectl delete pvc -l release=my-release
|
|||
### PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`)
|
||||
|
||||
| Name | Description | Value |
|
||||
| ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- |
|
||||
| ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------- |
|
||||
| `readReplicas.name` | Name of the read replicas database (eg secondary, slave, ...) | `read` |
|
||||
| `readReplicas.replicaCount` | Number of PostgreSQL read only replicas | `1` |
|
||||
| `readReplicas.extendedConfiguration` | Extended PostgreSQL read only replicas configuration (appended to main or default configuration) | `""` |
|
||||
|
@ -309,9 +317,8 @@ kubectl delete pvc -l release=my-release
|
|||
| `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` |
|
||||
| `readReplicas.resources.limits` | The resources limits for the PostgreSQL read only containers | `{}` |
|
||||
| `readReplicas.resources.requests.memory` | The requested memory for the PostgreSQL read only containers | `256Mi` |
|
||||
| `readReplicas.resources.requests.cpu` | The requested cpu for the PostgreSQL read only containers | `250m` |
|
||||
| `readReplicas.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production). | `none` |
|
||||
| `readReplicas.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `readReplicas.podSecurityContext.enabled` | Enable security context | `true` |
|
||||
| `readReplicas.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
| `readReplicas.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
|
||||
|
@ -320,6 +327,7 @@ kubectl delete pvc -l release=my-release
|
|||
| `readReplicas.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `readReplicas.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `readReplicas.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `readReplicas.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `readReplicas.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `readReplicas.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
|
@ -353,6 +361,13 @@ kubectl delete pvc -l release=my-release
|
|||
| `readReplicas.sidecars` | Add additional sidecar containers to the PostgreSQL read only pod(s) | `[]` |
|
||||
| `readReplicas.initContainers` | Add additional init containers to the PostgreSQL read only pod(s) | `[]` |
|
||||
| `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` |
|
||||
| `readReplicas.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
|
||||
| `readReplicas.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
|
||||
| `readReplicas.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
|
||||
| `readReplicas.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
|
||||
| `readReplicas.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
|
||||
| `readReplicas.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
|
||||
| `readReplicas.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
|
||||
| `readReplicas.service.type` | Kubernetes Service type | `ClusterIP` |
|
||||
| `readReplicas.service.ports.postgresql` | PostgreSQL service port | `5432` |
|
||||
| `readReplicas.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` |
|
||||
|
@ -383,7 +398,7 @@ kubectl delete pvc -l release=my-release
|
|||
### Backup parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
||||
| ------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
||||
| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` |
|
||||
| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` |
|
||||
| `backup.cronjob.timeZone` | Set the cronjob parameter timeZone | `""` |
|
||||
|
@ -401,6 +416,7 @@ kubectl delete pvc -l release=my-release
|
|||
| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
|
@ -411,6 +427,8 @@ kubectl delete pvc -l release=my-release
|
|||
| `backup.cronjob.labels` | Set the cronjob labels | `{}` |
|
||||
| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` |
|
||||
| `backup.cronjob.nodeSelector` | Node labels for PostgreSQL backup CronJob pod assignment | `{}` |
|
||||
| `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). | `none` |
|
||||
| `backup.cronjob.resources` | Set container requests and limits for different resources like CPU or memory | `{}` |
|
||||
| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` |
|
||||
| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` |
|
||||
| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` |
|
||||
|
@ -421,37 +439,18 @@ kubectl delete pvc -l release=my-release
|
|||
| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` |
|
||||
| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` |
|
||||
|
||||
### NetworkPolicy parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
|
||||
| `networkPolicy.enabled` | Enable network policies | `false` |
|
||||
| `networkPolicy.metrics.enabled` | Enable network policies for metrics (prometheus) | `false` |
|
||||
| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` |
|
||||
| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` |
|
||||
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. | `false` |
|
||||
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). | `{}` |
|
||||
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). | `{}` |
|
||||
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL primary node. | `[]` |
|
||||
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. | `false` |
|
||||
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). | `{}` |
|
||||
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). | `{}` |
|
||||
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL read-only nodes. | `[]` |
|
||||
| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` |
|
||||
| `networkPolicy.egressRules.customRules` | Custom network policy rule | `[]` |
|
||||
|
||||
### Volume Permissions parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
|
||||
| ---------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
|
||||
| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` |
|
||||
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` |
|
||||
| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` |
|
||||
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
|
||||
| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` |
|
||||
| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` |
|
||||
| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` |
|
||||
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
|
||||
| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` |
|
||||
| `volumePermissions.containerSecurityContext.runAsGroup` | Group ID for the init container | `0` |
|
||||
|
@ -474,7 +473,7 @@ kubectl delete pvc -l release=my-release
|
|||
### Metrics Parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ----------------------------------- |
|
||||
| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- |
|
||||
| `metrics.enabled` | Start a prometheus exporter | `false` |
|
||||
| `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `REGISTRY_NAME` |
|
||||
| `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `REPOSITORY_NAME/postgres-exporter` |
|
||||
|
@ -487,6 +486,7 @@ kubectl delete pvc -l release=my-release
|
|||
| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
|
@ -515,8 +515,8 @@ kubectl delete pvc -l release=my-release
|
|||
| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` |
|
||||
| `metrics.resources.limits` | The resources limits for the PostgreSQL Prometheus exporter container | `{}` |
|
||||
| `metrics.resources.requests` | The requested resources for the PostgreSQL Prometheus exporter container | `{}` |
|
||||
| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
|
||||
| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` |
|
||||
| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` |
|
||||
| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
|
||||
|
@ -562,6 +562,12 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/postg
|
|||
|
||||
## Configuration and installation details
|
||||
|
||||
### Resource requests and limits
|
||||
|
||||
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
|
||||
|
||||
To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
|
||||
|
||||
### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers)
|
||||
|
||||
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
|
||||
|
@ -787,6 +793,12 @@ Find more information about how to deal with common errors related to Bitnami's
|
|||
|
||||
## Upgrading
|
||||
|
||||
### To 14.0.0
|
||||
|
||||
This major version adapts the NetworkPolicy objects to the most recent Bitnami standards. Now there is a separate object for `primary` and for `readReplicas`, being located in their corresponding sections. It is also enabled by default in other to comply with the best security standards.
|
||||
|
||||
Check the parameter section for the new value structure.
|
||||
|
||||
### To 13.0.0
|
||||
|
||||
This major version changes the default PostgreSQL image from 15.x to 16.x. Follow the [official instructions](https://www.postgresql.org/docs/16/upgrading.html) to upgrade to 16.x.
|
||||
|
|
|
@ -20,3 +20,5 @@
|
|||
.idea/
|
||||
*.tmproj
|
||||
.vscode/
|
||||
# img folder
|
||||
img/
|
||||
|
|
|
@ -2,7 +2,7 @@ annotations:
|
|||
category: Infrastructure
|
||||
licenses: Apache-2.0
|
||||
apiVersion: v2
|
||||
appVersion: 2.14.1
|
||||
appVersion: 2.19.0
|
||||
description: A Library Helm Chart for grouping common logic between bitnami charts.
|
||||
This chart is not deployable by itself.
|
||||
home: https://bitnami.com
|
||||
|
@ -20,4 +20,4 @@ name: common
|
|||
sources:
|
||||
- https://github.com/bitnami/charts
|
||||
type: library
|
||||
version: 2.14.1
|
||||
version: 2.19.0
|
||||
|
|
|
@ -220,7 +220,7 @@ helm install test mychart --set path.to.value00="",path.to.value01=""
|
|||
|
||||
## License
|
||||
|
||||
Copyright © 2023 VMware, Inc.
|
||||
Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
|
||||
{{/*
|
||||
Return true if the detected platform is Openshift
|
||||
Usage:
|
||||
{{- include "common.compatibility.isOpenshift" . -}}
|
||||
*/}}
|
||||
{{- define "common.compatibility.isOpenshift" -}}
|
||||
{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
|
||||
Usage:
|
||||
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
|
||||
*/}}
|
||||
{{- define "common.compatibility.renderSecurityContext" -}}
|
||||
{{- $adaptedContext := .secContext -}}
|
||||
{{- if .context.Values.global.compatibility -}}
|
||||
{{- if .context.Values.global.compatibility.openshift -}}
|
||||
{{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
|
||||
{{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
|
||||
{{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
|
||||
{{- if not .secContext.seLinuxOptions -}}
|
||||
{{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
|
||||
{{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- omit $adaptedContext "enabled" | toYaml -}}
|
||||
{{- end -}}
|
|
@ -0,0 +1,50 @@
|
|||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
|
||||
{{/*
|
||||
Return a resource request/limit object based on a given preset.
|
||||
These presets are for basic testing and not meant to be used in production
|
||||
{{ include "common.resources.preset" (dict "type" "nano") -}}
|
||||
*/}}
|
||||
{{- define "common.resources.preset" -}}
|
||||
{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
|
||||
{{- $presets := dict
|
||||
"nano" (dict
|
||||
"requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"micro" (dict
|
||||
"requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"small" (dict
|
||||
"requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"medium" (dict
|
||||
"requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"large" (dict
|
||||
"requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"xlarge" (dict
|
||||
"requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"2xlarge" (dict
|
||||
"requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
}}
|
||||
{{- if hasKey $presets .type -}}
|
||||
{{- index $presets .type | toYaml -}}
|
||||
{{- else -}}
|
||||
{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
|
@ -13,7 +13,70 @@ Usage:
|
|||
|
||||
{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
|
||||
WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
|
||||
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
|
||||
+info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers
|
||||
{{- end }}
|
||||
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Warning about not setting the resource object in all deployments.
|
||||
Usage:
|
||||
{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }}
|
||||
Example:
|
||||
{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }}
|
||||
The list in the example assumes that the following values exist:
|
||||
- csiProvider.provider.resources
|
||||
- server.resources
|
||||
- volumePermissions.resources
|
||||
- resources
|
||||
*/}}
|
||||
{{- define "common.warnings.resources" -}}
|
||||
{{- $values := .context.Values -}}
|
||||
{{- $printMessage := false -}}
|
||||
{{ $affectedSections := list -}}
|
||||
{{- range .sections -}}
|
||||
{{- if eq . "" -}}
|
||||
{{/* Case where the resources section is at the root (one main deployment in the chart) */}}
|
||||
{{- if not (index $values "resources") -}}
|
||||
{{- $affectedSections = append $affectedSections "resources" -}}
|
||||
{{- $printMessage = true -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}}
|
||||
{{- $keys := split "." . -}}
|
||||
{{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}}
|
||||
{{- $section := $values -}}
|
||||
{{- range $keys -}}
|
||||
{{- $section = index $section . -}}
|
||||
{{- end -}}
|
||||
{{- if not (index $section "resources") -}}
|
||||
{{/* If the section has enabled=false or replicaCount=0, do not include it */}}
|
||||
{{- if and (hasKey $section "enabled") -}}
|
||||
{{- if index $section "enabled" -}}
|
||||
{{/* enabled=true */}}
|
||||
{{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
|
||||
{{- $printMessage = true -}}
|
||||
{{- end -}}
|
||||
{{- else if and (hasKey $section "replicaCount") -}}
|
||||
{{/* We need a casting to int because number 0 is not treated as an int by default */}}
|
||||
{{- if (gt (index $section "replicaCount" | int) 0) -}}
|
||||
{{/* replicaCount > 0 */}}
|
||||
{{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
|
||||
{{- $printMessage = true -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{/* Default case, add it to the affected sections */}}
|
||||
{{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
|
||||
{{- $printMessage = true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- if $printMessage }}
|
||||
|
||||
WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs:
|
||||
{{- range $affectedSections }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
+info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
|
|
@ -113,3 +113,4 @@ WARNING: The configured password will be ignored on new installation in case whe
|
|||
{{- include "postgresql.v1.validateValues" . -}}
|
||||
{{- include "common.warnings.rollingTag" .Values.image -}}
|
||||
{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
|
||||
{{- include "common.warnings.resources" (dict "sections" (list "metrics" "primary" "readReplicas" "volumePermissions") "context" $) }}
|
||||
|
|
|
@ -77,7 +77,7 @@ spec:
|
|||
{{- if .Values.tls.autoGenerated }}
|
||||
value: /tmp/certs/ca.crt
|
||||
{{- else }}
|
||||
value: {{- printf "/tmp/certs/%s" .Values.tls.certCAFilename -}}
|
||||
value: {{ printf "/tmp/certs/%s" .Values.tls.certCAFilename }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }}
|
||||
|
@ -89,8 +89,16 @@ spec:
|
|||
- name: datadir
|
||||
mountPath: {{ .Values.backup.cronjob.storage.mountPath }}
|
||||
subPath: {{ .Values.backup.cronjob.storage.subPath }}
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
{{- if .Values.backup.cronjob.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.backup.cronjob.containerSecurityContext "enabled" | toYaml | nindent 14 }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.backup.cronjob.containerSecurityContext "context" $) | nindent 14 }}
|
||||
{{- end }}
|
||||
{{- if .Values.backup.cronjob.resources }}
|
||||
resources: {{- toYaml .Values.backup.cronjob.resources | nindent 14 }}
|
||||
{{- else if ne .Values.backup.cronjob.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.backup.cronjob.resourcesPreset) | nindent 14 }}
|
||||
{{- end }}
|
||||
restartPolicy: {{ .Values.backup.cronjob.restartPolicy }}
|
||||
{{- if .Values.backup.cronjob.podSecurityContext.enabled }}
|
||||
|
@ -111,4 +119,6 @@ spec:
|
|||
persistentVolumeClaim:
|
||||
claimName: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
|
||||
{{- end }}
|
||||
- name: empty-dir
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
|
|
|
@ -1,34 +0,0 @@
|
|||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }}
|
||||
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ printf "%s-egress" (include "common.names.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
|
||||
policyTypes:
|
||||
- Egress
|
||||
egress:
|
||||
{{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }}
|
||||
- ports:
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
- port: 53
|
||||
protocol: TCP
|
||||
- to:
|
||||
- namespaceSelector: {}
|
||||
{{- end }}
|
||||
{{- if .Values.networkPolicy.egressRules.customRules }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -3,59 +3,76 @@ Copyright VMware, Inc.
|
|||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled) }}
|
||||
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||
{{- if .Values.primary.networkPolicy.enabled }}
|
||||
kind: NetworkPolicy
|
||||
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||
metadata:
|
||||
name: {{ printf "%s-ingress" (include "postgresql.v1.primary.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- $primaryPodLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $primaryPodLabels "context" $ ) | nindent 6 }}
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: primary
|
||||
ingress:
|
||||
{{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }}
|
||||
- from:
|
||||
{{- if .Values.networkPolicy.metrics.namespaceSelector }}
|
||||
- namespaceSelector:
|
||||
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }}
|
||||
{{- end }}
|
||||
{{- if .Values.networkPolicy.metrics.podSelector }}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
{{- if .Values.primary.networkPolicy.allowExternalEgress }}
|
||||
egress:
|
||||
- {}
|
||||
{{- else }}
|
||||
egress:
|
||||
# Allow dns resolution
|
||||
- ports:
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
- port: 53
|
||||
protocol: TCP
|
||||
# Allow outbound connections to read-replicas
|
||||
- ports:
|
||||
- port: {{ .Values.containerPorts.postgresql }}
|
||||
to:
|
||||
- podSelector:
|
||||
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }}
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- if .Values.primary.networkPolicy.extraEgress }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
{{- end }}
|
||||
ingress:
|
||||
- ports:
|
||||
- port: {{ .Values.containerPorts.postgresql }}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
- port: {{ .Values.metrics.containerPorts.metrics }}
|
||||
{{- end }}
|
||||
{{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector) }}
|
||||
- from:
|
||||
{{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector }}
|
||||
{{- if not .Values.primary.networkPolicy.allowExternal }}
|
||||
from:
|
||||
- podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
{{ template "postgresql.v1.primary.fullname" . }}-client: "true"
|
||||
{{- if .Values.primary.networkPolicy.ingressNSMatchLabels }}
|
||||
- namespaceSelector:
|
||||
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }}
|
||||
matchLabels:
|
||||
{{- range $key, $value := .Values.primary.networkPolicy.ingressNSMatchLabels }}
|
||||
{{ $key | quote }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector }}
|
||||
- podSelector:
|
||||
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }}
|
||||
{{- if .Values.primary.networkPolicy.ingressNSPodMatchLabels }}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{- range $key, $value := .Values.primary.networkPolicy.ingressNSPodMatchLabels }}
|
||||
{{ $key | quote }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- port: {{ .Values.containerPorts.postgresql }}
|
||||
{{- end }}
|
||||
{{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (eq .Values.architecture "replication") }}
|
||||
- from:
|
||||
{{- $readPodLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
- podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $readPodLabels "context" $ ) | nindent 14 }}
|
||||
app.kubernetes.io/component: read
|
||||
ports:
|
||||
- port: {{ .Values.containerPorts.postgresql }}
|
||||
{{- end }}
|
||||
{{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.networkPolicy.extraIngress }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -80,7 +80,7 @@ spec:
|
|||
terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.podSecurityContext "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
hostNetwork: {{ .Values.primary.hostNetwork }}
|
||||
hostIPC: {{ .Values.primary.hostIPC }}
|
||||
|
@ -92,10 +92,12 @@ spec:
|
|||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||
{{- if .Values.primary.resources }}
|
||||
resources: {{- toYaml .Values.primary.resources | nindent 12 }}
|
||||
{{- else if ne .Values.primary.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
# We don't require a privileged container in this case
|
||||
{{- if .Values.primary.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
|
@ -104,6 +106,9 @@ spec:
|
|||
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
|
||||
chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: raw-certificates
|
||||
mountPath: /tmp/certs
|
||||
- name: postgresql-certificates
|
||||
|
@ -114,6 +119,8 @@ spec:
|
|||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||
{{- if .Values.volumePermissions.resources }}
|
||||
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
|
||||
{{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
|
@ -152,13 +159,14 @@ spec:
|
|||
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
{{- if .Values.primary.persistence.enabled }}
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: data
|
||||
mountPath: {{ .Values.primary.persistence.mountPath }}
|
||||
{{- if .Values.primary.persistence.subPath }}
|
||||
subPath: {{ .Values.primary.persistence.subPath }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
- name: dshm
|
||||
mountPath: /dev/shm
|
||||
|
@ -179,7 +187,7 @@ spec:
|
|||
image: {{ include "postgresql.v1.image" . }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||||
{{- if .Values.primary.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
|
@ -442,11 +450,25 @@ spec:
|
|||
{{- end }}
|
||||
{{- if .Values.primary.resources }}
|
||||
resources: {{- toYaml .Values.primary.resources | nindent 12 }}
|
||||
{{- else if ne .Values.primary.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.lifecycleHooks }}
|
||||
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/postgresql/conf
|
||||
subPath: app-conf-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/postgresql/tmp
|
||||
subPath: app-tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/postgresql/logs
|
||||
subPath: app-logs-dir
|
||||
{{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }}
|
||||
- name: custom-init-scripts
|
||||
mountPath: /docker-entrypoint-initdb.d/
|
||||
|
@ -491,7 +513,7 @@ spec:
|
|||
image: {{ include "postgresql.v1.metrics.image" . }}
|
||||
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
|
||||
{{- if .Values.metrics.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
|
@ -555,6 +577,9 @@ spec:
|
|||
{{- end }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: postgresql-password
|
||||
mountPath: /opt/bitnami/postgresql/secrets/
|
||||
|
@ -566,12 +591,16 @@ spec:
|
|||
{{- end }}
|
||||
{{- if .Values.metrics.resources }}
|
||||
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
|
||||
{{- else if ne .Values.metrics.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.sidecars }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: empty-dir
|
||||
emptyDir: {}
|
||||
{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
|
||||
- name: postgresql-config
|
||||
configMap:
|
||||
|
|
|
@ -3,12 +3,13 @@ Copyright VMware, Inc.
|
|||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.networkPolicy.enabled (eq .Values.architecture "replication") .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled }}
|
||||
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||
{{- if eq .Values.architecture "replication" }}
|
||||
{{- if .Values.readReplicas.networkPolicy.enabled }}
|
||||
kind: NetworkPolicy
|
||||
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||
metadata:
|
||||
name: {{ printf "%s-ingress" (include "postgresql.v1.readReplica.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- if .Values.commonAnnotations }}
|
||||
|
@ -19,21 +20,61 @@ spec:
|
|||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: read
|
||||
ingress:
|
||||
{{- if and .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector) }}
|
||||
- from:
|
||||
{{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector }}
|
||||
- namespaceSelector:
|
||||
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }}
|
||||
{{- end }}
|
||||
{{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector }}
|
||||
- podSelector:
|
||||
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector "context" $) | nindent 14 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
{{- if .Values.readReplicas.networkPolicy.allowExternalEgress }}
|
||||
egress:
|
||||
- {}
|
||||
{{- else }}
|
||||
egress:
|
||||
# Allow dns resolution
|
||||
- ports:
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
- port: 53
|
||||
protocol: TCP
|
||||
# Allow outbound connections to primary
|
||||
- ports:
|
||||
- port: {{ .Values.containerPorts.postgresql }}
|
||||
to:
|
||||
- podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if .Values.readReplicas.networkPolicy.extraEgress }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
ingress:
|
||||
- ports:
|
||||
- port: {{ .Values.containerPorts.postgresql }}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
- port: {{ .Values.metrics.containerPorts.metrics }}
|
||||
{{- end }}
|
||||
{{- if not .Values.readReplicas.networkPolicy.allowExternal }}
|
||||
from:
|
||||
- podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
{{ template "postgresql.v1.readReplica.fullname" . }}-client: "true"
|
||||
{{- if .Values.readReplicas.networkPolicy.ingressNSMatchLabels }}
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
{{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSMatchLabels }}
|
||||
{{ $key | quote }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }}
|
||||
{{ $key | quote }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.networkPolicy.extraIngress }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -78,7 +78,7 @@ spec:
|
|||
terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.readReplicas.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.podSecurityContext "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
hostNetwork: {{ .Values.readReplicas.hostNetwork }}
|
||||
hostIPC: {{ .Values.readReplicas.hostIPC }}
|
||||
|
@ -90,10 +90,12 @@ spec:
|
|||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||
{{- if .Values.readReplicas.resources }}
|
||||
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
|
||||
{{- else if ne .Values.readReplicas.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
# We don't require a privileged container in this case
|
||||
{{- if .Values.readReplicas.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
|
@ -102,6 +104,9 @@ spec:
|
|||
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
|
||||
chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: raw-certificates
|
||||
mountPath: /tmp/certs
|
||||
- name: postgresql-certificates
|
||||
|
@ -112,6 +117,8 @@ spec:
|
|||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||
{{- if .Values.readReplicas.resources }}
|
||||
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
|
||||
{{- else if ne .Values.readReplicas.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
|
@ -150,13 +157,14 @@ spec:
|
|||
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
{{ if .Values.readReplicas.persistence.enabled }}
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: data
|
||||
mountPath: {{ .Values.readReplicas.persistence.mountPath }}
|
||||
{{- if .Values.readReplicas.persistence.subPath }}
|
||||
subPath: {{ .Values.readReplicas.persistence.subPath }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
- name: dshm
|
||||
mountPath: /dev/shm
|
||||
|
@ -177,7 +185,7 @@ spec:
|
|||
image: {{ include "postgresql.v1.image" . }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||||
{{- if .Values.readReplicas.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
|
@ -369,11 +377,25 @@ spec:
|
|||
{{- end }}
|
||||
{{- if .Values.readReplicas.resources }}
|
||||
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
|
||||
{{- else if ne .Values.readReplicas.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.lifecycleHooks }}
|
||||
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/postgresql/conf
|
||||
subPath: app-conf-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/postgresql/tmp
|
||||
subPath: app-tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/postgresql/logs
|
||||
subPath: app-logs-dir
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: postgresql-password
|
||||
mountPath: /opt/bitnami/postgresql/secrets/
|
||||
|
@ -406,7 +428,7 @@ spec:
|
|||
image: {{ include "postgresql.v1.metrics.image" . }}
|
||||
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
|
||||
{{- if .Values.metrics.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
|
@ -462,6 +484,9 @@ spec:
|
|||
{{- end }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: postgresql-password
|
||||
mountPath: /opt/bitnami/postgresql/secrets/
|
||||
|
@ -473,6 +498,8 @@ spec:
|
|||
{{- end }}
|
||||
{{- if .Values.metrics.resources }}
|
||||
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
|
||||
{{- else if ne .Values.metrics.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.sidecars }}
|
||||
|
@ -509,6 +536,8 @@ spec:
|
|||
sizeLimit: {{ .Values.shmVolume.sizeLimit }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: empty-dir
|
||||
emptyDir: {}
|
||||
{{- if .Values.readReplicas.extraVolumes }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
|
@ -526,7 +555,9 @@ spec:
|
|||
whenScaled: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled }}
|
||||
{{- end }}
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
- apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: data
|
||||
{{- if .Values.readReplicas.persistence.annotations }}
|
||||
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.annotations "context" $) | nindent 10 }}
|
||||
|
|
|
@ -42,7 +42,15 @@ global:
|
|||
service:
|
||||
ports:
|
||||
postgresql: ""
|
||||
|
||||
## Compatibility adaptations for Kubernetes platforms
|
||||
##
|
||||
compatibility:
|
||||
## Compatibility adaptations for Openshift
|
||||
##
|
||||
openshift:
|
||||
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
|
||||
##
|
||||
adaptSecurityContext: disabled
|
||||
## @section Common parameters
|
||||
##
|
||||
|
||||
|
@ -81,7 +89,6 @@ diagnosticMode:
|
|||
##
|
||||
args:
|
||||
- infinity
|
||||
|
||||
## @section PostgreSQL common parameters
|
||||
##
|
||||
|
||||
|
@ -98,7 +105,7 @@ diagnosticMode:
|
|||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/postgresql
|
||||
tag: 16.1.0-debian-11-r25
|
||||
tag: 16.2.0-debian-12-r8
|
||||
digest: ""
|
||||
## Specify a imagePullPolicy
|
||||
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
||||
|
@ -286,7 +293,6 @@ tls:
|
|||
## @param tls.crlFilename File containing a Certificate Revocation List
|
||||
##
|
||||
crlFilename: ""
|
||||
|
||||
## @section PostgreSQL Primary parameters
|
||||
##
|
||||
primary:
|
||||
|
@ -439,15 +445,21 @@ primary:
|
|||
lifecycleHooks: {}
|
||||
## PostgreSQL Primary resource requests and limits
|
||||
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
|
||||
## @param primary.resources.limits The resources limits for the PostgreSQL Primary containers
|
||||
## @param primary.resources.requests.memory The requested memory for the PostgreSQL Primary containers
|
||||
## @param primary.resources.requests.cpu The requested cpu for the PostgreSQL Primary containers
|
||||
## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resources:
|
||||
limits: {}
|
||||
requests:
|
||||
memory: 256Mi
|
||||
cpu: 250m
|
||||
resourcesPreset: "none"
|
||||
## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
## requests:
|
||||
## cpu: 2
|
||||
## memory: 512Mi
|
||||
## limits:
|
||||
## cpu: 3
|
||||
## memory: 1024Mi
|
||||
##
|
||||
resources: {}
|
||||
## Pod Security Context
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||
## @param primary.podSecurityContext.enabled Enable security context
|
||||
|
@ -467,6 +479,7 @@ primary:
|
|||
## @param primary.containerSecurityContext.enabled Enabled containers' Security Context
|
||||
## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
|
||||
## @param primary.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
|
||||
## @param primary.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
|
||||
## @param primary.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
|
||||
## @param primary.containerSecurityContext.privileged Set container's Security Context privileged
|
||||
## @param primary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
|
||||
|
@ -478,6 +491,7 @@ primary:
|
|||
enabled: true
|
||||
seLinuxOptions: null
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
|
@ -602,6 +616,61 @@ primary:
|
|||
## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s)
|
||||
##
|
||||
extraPodSpec: {}
|
||||
## Network Policies
|
||||
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
|
||||
##
|
||||
networkPolicy:
|
||||
## @param primary.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
|
||||
##
|
||||
enabled: true
|
||||
## @param primary.networkPolicy.allowExternal Don't require server label for connections
|
||||
## The Policy model to apply. When set to false, only pods with the correct
|
||||
## server label will have network access to the ports server is listening
|
||||
## on. When true, server will accept connections from any source
|
||||
## (with the correct destination port).
|
||||
##
|
||||
allowExternal: true
|
||||
## @param primary.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
|
||||
##
|
||||
allowExternalEgress: true
|
||||
## @param primary.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
|
||||
## e.g:
|
||||
## extraIngress:
|
||||
## - ports:
|
||||
## - port: 1234
|
||||
## from:
|
||||
## - podSelector:
|
||||
## - matchLabels:
|
||||
## - role: frontend
|
||||
## - podSelector:
|
||||
## - matchExpressions:
|
||||
## - key: role
|
||||
## operator: In
|
||||
## values:
|
||||
## - frontend
|
||||
extraIngress: []
|
||||
## @param primary.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
|
||||
## e.g:
|
||||
## extraEgress:
|
||||
## - ports:
|
||||
## - port: 1234
|
||||
## to:
|
||||
## - podSelector:
|
||||
## - matchLabels:
|
||||
## - role: frontend
|
||||
## - podSelector:
|
||||
## - matchExpressions:
|
||||
## - key: role
|
||||
## operator: In
|
||||
## values:
|
||||
## - frontend
|
||||
##
|
||||
extraEgress: []
|
||||
## @param primary.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
|
||||
## @param primary.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
|
||||
##
|
||||
ingressNSMatchLabels: {}
|
||||
ingressNSPodMatchLabels: {}
|
||||
## PostgreSQL Primary service configuration
|
||||
##
|
||||
service:
|
||||
|
@ -723,7 +792,6 @@ primary:
|
|||
## @param primary.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
|
||||
##
|
||||
whenDeleted: Retain
|
||||
|
||||
## @section PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`)
|
||||
##
|
||||
readReplicas:
|
||||
|
@ -814,15 +882,21 @@ readReplicas:
|
|||
lifecycleHooks: {}
|
||||
## PostgreSQL read only resource requests and limits
|
||||
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
|
||||
## @param readReplicas.resources.limits The resources limits for the PostgreSQL read only containers
|
||||
## @param readReplicas.resources.requests.memory The requested memory for the PostgreSQL read only containers
|
||||
## @param readReplicas.resources.requests.cpu The requested cpu for the PostgreSQL read only containers
|
||||
## @param readReplicas.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resources:
|
||||
limits: {}
|
||||
requests:
|
||||
memory: 256Mi
|
||||
cpu: 250m
|
||||
resourcesPreset: "none"
|
||||
## @param readReplicas.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
## requests:
|
||||
## cpu: 2
|
||||
## memory: 512Mi
|
||||
## limits:
|
||||
## cpu: 3
|
||||
## memory: 1024Mi
|
||||
##
|
||||
resources: {}
|
||||
## Pod Security Context
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||
## @param readReplicas.podSecurityContext.enabled Enable security context
|
||||
|
@ -842,6 +916,7 @@ readReplicas:
|
|||
## @param readReplicas.containerSecurityContext.enabled Enabled containers' Security Context
|
||||
## @param readReplicas.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
|
||||
## @param readReplicas.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
|
||||
## @param readReplicas.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
|
||||
## @param readReplicas.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
|
||||
## @param readReplicas.containerSecurityContext.privileged Set container's Security Context privileged
|
||||
## @param readReplicas.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
|
||||
|
@ -853,6 +928,7 @@ readReplicas:
|
|||
enabled: true
|
||||
seLinuxOptions: null
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
|
@ -977,6 +1053,61 @@ readReplicas:
|
|||
## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s)
|
||||
##
|
||||
extraPodSpec: {}
|
||||
## Network Policies
|
||||
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
|
||||
##
|
||||
networkPolicy:
|
||||
## @param readReplicas.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
|
||||
##
|
||||
enabled: true
|
||||
## @param readReplicas.networkPolicy.allowExternal Don't require server label for connections
|
||||
## The Policy model to apply. When set to false, only pods with the correct
|
||||
## server label will have network access to the ports server is listening
|
||||
## on. When true, server will accept connections from any source
|
||||
## (with the correct destination port).
|
||||
##
|
||||
allowExternal: true
|
||||
## @param readReplicas.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
|
||||
##
|
||||
allowExternalEgress: true
|
||||
## @param readReplicas.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
|
||||
## e.g:
|
||||
## extraIngress:
|
||||
## - ports:
|
||||
## - port: 1234
|
||||
## from:
|
||||
## - podSelector:
|
||||
## - matchLabels:
|
||||
## - role: frontend
|
||||
## - podSelector:
|
||||
## - matchExpressions:
|
||||
## - key: role
|
||||
## operator: In
|
||||
## values:
|
||||
## - frontend
|
||||
extraIngress: []
|
||||
## @param readReplicas.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
|
||||
## e.g:
|
||||
## extraEgress:
|
||||
## - ports:
|
||||
## - port: 1234
|
||||
## to:
|
||||
## - podSelector:
|
||||
## - matchLabels:
|
||||
## - role: frontend
|
||||
## - podSelector:
|
||||
## - matchExpressions:
|
||||
## - key: role
|
||||
## operator: In
|
||||
## values:
|
||||
## - frontend
|
||||
##
|
||||
extraEgress: []
|
||||
## @param readReplicas.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
|
||||
## @param readReplicas.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
|
||||
##
|
||||
ingressNSMatchLabels: {}
|
||||
ingressNSPodMatchLabels: {}
|
||||
## PostgreSQL read only service configuration
|
||||
##
|
||||
service:
|
||||
|
@ -1098,8 +1229,6 @@ readReplicas:
|
|||
## @param readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
|
||||
##
|
||||
whenDeleted: Retain
|
||||
|
||||
|
||||
## @section Backup parameters
|
||||
## This section implements a trivial logical dump cronjob of the database.
|
||||
## This only comes with the consistency guarantees of the dump program.
|
||||
|
@ -1141,6 +1270,7 @@ backup:
|
|||
## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context
|
||||
## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
|
||||
## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
|
||||
## @param backup.cronjob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
|
||||
## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
|
||||
## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged
|
||||
## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
|
||||
|
@ -1151,6 +1281,7 @@ backup:
|
|||
enabled: true
|
||||
seLinuxOptions: null
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
|
@ -1164,7 +1295,6 @@ backup:
|
|||
- /bin/sh
|
||||
- -c
|
||||
- "pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"
|
||||
|
||||
## @param backup.cronjob.labels Set the cronjob labels
|
||||
labels: {}
|
||||
## @param backup.cronjob.annotations Set the cronjob annotations
|
||||
|
@ -1173,6 +1303,22 @@ backup:
|
|||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
|
||||
##
|
||||
nodeSelector: {}
|
||||
## backup cronjob container resource requests and limits
|
||||
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
|
||||
## @param backup.cronjob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "none"
|
||||
## @param backup.cronjob.resources Set container requests and limits for different resources like CPU or memory
|
||||
## Example:
|
||||
resources: {}
|
||||
## resources:
|
||||
## requests:
|
||||
## cpu: 1
|
||||
## memory: 512Mi
|
||||
## limits:
|
||||
## cpu: 2
|
||||
## memory: 1024Mi
|
||||
storage:
|
||||
## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`)
|
||||
## If defined, PVC must be created manually before volume will be bound
|
||||
|
@ -1213,103 +1359,6 @@ backup:
|
|||
## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details
|
||||
##
|
||||
selector: {}
|
||||
|
||||
## @section NetworkPolicy parameters
|
||||
##
|
||||
|
||||
## Add networkpolicies
|
||||
##
|
||||
networkPolicy:
|
||||
## @param networkPolicy.enabled Enable network policies
|
||||
##
|
||||
enabled: false
|
||||
## @param networkPolicy.metrics.enabled Enable network policies for metrics (prometheus)
|
||||
## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace.
|
||||
## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods.
|
||||
##
|
||||
metrics:
|
||||
enabled: false
|
||||
## e.g:
|
||||
## namespaceSelector:
|
||||
## label: monitoring
|
||||
##
|
||||
namespaceSelector: {}
|
||||
## e.g:
|
||||
## podSelector:
|
||||
## label: monitoring
|
||||
##
|
||||
podSelector: {}
|
||||
## Ingress Rules
|
||||
##
|
||||
ingressRules:
|
||||
## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin.
|
||||
## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s).
|
||||
## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s).
|
||||
## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules Custom network policy for the PostgreSQL primary node.
|
||||
##
|
||||
primaryAccessOnlyFrom:
|
||||
enabled: false
|
||||
## e.g:
|
||||
## namespaceSelector:
|
||||
## label: ingress
|
||||
##
|
||||
namespaceSelector: {}
|
||||
## e.g:
|
||||
## podSelector:
|
||||
## label: access
|
||||
##
|
||||
podSelector: {}
|
||||
## custom ingress rules
|
||||
## e.g:
|
||||
## customRules:
|
||||
## - from:
|
||||
## - namespaceSelector:
|
||||
## matchLabels:
|
||||
## label: example
|
||||
##
|
||||
customRules: []
|
||||
## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin.
|
||||
## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s).
|
||||
## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s).
|
||||
## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules Custom network policy for the PostgreSQL read-only nodes.
|
||||
##
|
||||
readReplicasAccessOnlyFrom:
|
||||
enabled: false
|
||||
## e.g:
|
||||
## namespaceSelector:
|
||||
## label: ingress
|
||||
##
|
||||
namespaceSelector: {}
|
||||
## e.g:
|
||||
## podSelector:
|
||||
## label: access
|
||||
##
|
||||
podSelector: {}
|
||||
## custom ingress rules
|
||||
## e.g:
|
||||
## CustomRules:
|
||||
## - from:
|
||||
## - namespaceSelector:
|
||||
## matchLabels:
|
||||
## label: example
|
||||
##
|
||||
customRules: []
|
||||
## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53).
|
||||
## @param networkPolicy.egressRules.customRules Custom network policy rule
|
||||
##
|
||||
egressRules:
|
||||
# Deny connections to external. This is not compatible with an external database.
|
||||
denyConnectionsToExternal: false
|
||||
## Additional custom egress rules
|
||||
## e.g:
|
||||
## customRules:
|
||||
## - to:
|
||||
## - namespaceSelector:
|
||||
## matchLabels:
|
||||
## label: example
|
||||
##
|
||||
customRules: []
|
||||
|
||||
## @section Volume Permissions parameters
|
||||
##
|
||||
|
||||
|
@ -1330,7 +1379,7 @@ volumePermissions:
|
|||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/os-shell
|
||||
tag: 11-debian-11-r95
|
||||
tag: 12-debian-12-r16
|
||||
digest: ""
|
||||
pullPolicy: IfNotPresent
|
||||
## Optionally specify an array of imagePullSecrets.
|
||||
|
@ -1343,12 +1392,21 @@ volumePermissions:
|
|||
pullSecrets: []
|
||||
## Init container resource requests and limits
|
||||
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
|
||||
## @param volumePermissions.resources.limits Init container volume-permissions resource limits
|
||||
## @param volumePermissions.resources.requests Init container volume-permissions resource requests
|
||||
## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resources:
|
||||
limits: {}
|
||||
requests: {}
|
||||
resourcesPreset: "none"
|
||||
## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
## requests:
|
||||
## cpu: 2
|
||||
## memory: 512Mi
|
||||
## limits:
|
||||
## cpu: 3
|
||||
## memory: 1024Mi
|
||||
##
|
||||
resources: {}
|
||||
## Init container' Security Context
|
||||
## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
|
||||
## and not the below volumePermissions.containerSecurityContext.runAsUser
|
||||
|
@ -1373,7 +1431,6 @@ volumePermissions:
|
|||
##
|
||||
serviceBindings:
|
||||
enabled: false
|
||||
|
||||
## Service account for PostgreSQL to use.
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
|
||||
##
|
||||
|
@ -1415,10 +1472,8 @@ rbac:
|
|||
##
|
||||
psp:
|
||||
create: false
|
||||
|
||||
## @section Metrics Parameters
|
||||
##
|
||||
|
||||
metrics:
|
||||
## @param metrics.enabled Start a prometheus exporter
|
||||
##
|
||||
|
@ -1433,7 +1488,7 @@ metrics:
|
|||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/postgres-exporter
|
||||
tag: 0.15.0-debian-11-r7
|
||||
tag: 0.15.0-debian-12-r14
|
||||
digest: ""
|
||||
pullPolicy: IfNotPresent
|
||||
## Optionally specify an array of imagePullSecrets.
|
||||
|
@ -1477,6 +1532,7 @@ metrics:
|
|||
## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context
|
||||
## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
|
||||
## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
|
||||
## @param metrics.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
|
||||
## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
|
||||
## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged
|
||||
## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
|
||||
|
@ -1488,6 +1544,7 @@ metrics:
|
|||
enabled: true
|
||||
seLinuxOptions: null
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
|
@ -1555,12 +1612,21 @@ metrics:
|
|||
metrics: 9187
|
||||
## PostgreSQL Prometheus exporter resource requests and limits
|
||||
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
|
||||
## @param metrics.resources.limits The resources limits for the PostgreSQL Prometheus exporter container
|
||||
## @param metrics.resources.requests The requested resources for the PostgreSQL Prometheus exporter container
|
||||
## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resources:
|
||||
limits: {}
|
||||
requests: {}
|
||||
resourcesPreset: "none"
|
||||
## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
## requests:
|
||||
## cpu: 2
|
||||
## memory: 512Mi
|
||||
## limits:
|
||||
## cpu: 3
|
||||
## memory: 1024Mi
|
||||
##
|
||||
resources: {}
|
||||
## Service configuration
|
||||
##
|
||||
service:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
dependencies:
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 2.14.1
|
||||
digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3
|
||||
generated: "2023-12-19T19:11:00.40217662Z"
|
||||
version: 2.19.0
|
||||
digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
|
||||
generated: "2024-03-08T15:56:40.04210215Z"
|
||||
|
|
|
@ -1,14 +1,16 @@
|
|||
annotations:
|
||||
category: Database
|
||||
images: |
|
||||
- name: kubectl
|
||||
image: docker.io/bitnami/kubectl:1.29.2-debian-12-r3
|
||||
- name: os-shell
|
||||
image: docker.io/bitnami/os-shell:11-debian-11-r96
|
||||
- name: redis-exporter
|
||||
image: docker.io/bitnami/redis-exporter:1.57.0-debian-11-r2
|
||||
- name: redis-sentinel
|
||||
image: docker.io/bitnami/redis-sentinel:7.2.4-debian-11-r6
|
||||
image: docker.io/bitnami/os-shell:12-debian-12-r16
|
||||
- name: redis
|
||||
image: docker.io/bitnami/redis:7.2.4-debian-11-r5
|
||||
image: docker.io/bitnami/redis:7.2.4-debian-12-r9
|
||||
- name: redis-exporter
|
||||
image: docker.io/bitnami/redis-exporter:1.58.0-debian-12-r4
|
||||
- name: redis-sentinel
|
||||
image: docker.io/bitnami/redis-sentinel:7.2.4-debian-12-r7
|
||||
licenses: Apache-2.0
|
||||
apiVersion: v2
|
||||
appVersion: 7.2.4
|
||||
|
@ -33,4 +35,4 @@ maintainers:
|
|||
name: redis
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/redis
|
||||
version: 18.13.0
|
||||
version: 18.19.2
|
||||
|
|
|
@ -72,11 +72,12 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
### Global parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ------------------------- | ------------------------------------------------------ | ----- |
|
||||
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
|
||||
| `global.imageRegistry` | Global Docker image registry | `""` |
|
||||
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
|
||||
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
|
||||
| `global.redis.password` | Global Redis® password (overrides `auth.password`) | `""` |
|
||||
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
|
||||
|
||||
### Common parameters
|
||||
|
||||
|
@ -120,13 +121,14 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `auth.existingSecret` | The name of an existing secret with Redis® credentials | `""` |
|
||||
| `auth.existingSecretPasswordKey` | Password key to be retrieved from existing secret | `""` |
|
||||
| `auth.usePasswordFiles` | Mount credentials as files instead of using an environment variable | `false` |
|
||||
| `auth.usePasswordFileFromSecret` | Mount password file from secret | `true` |
|
||||
| `commonConfiguration` | Common configuration to be added into the ConfigMap | `""` |
|
||||
| `existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Redis® nodes | `""` |
|
||||
|
||||
### Redis® master configuration parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ---------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------ |
|
||||
| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------ |
|
||||
| `master.count` | Number of Redis® master instances to deploy (experimental, requires additional configuration) | `1` |
|
||||
| `master.configuration` | Configuration for Redis® master nodes | `""` |
|
||||
| `master.disableCommands` | Array with Redis® commands to disable on master nodes | `["FLUSHDB","FLUSHALL"]` |
|
||||
|
@ -160,8 +162,8 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `master.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `master.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `master.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `master.resources.limits` | The resources limits for the Redis® master containers | `{}` |
|
||||
| `master.resources.requests` | The requested resources for the Redis® master containers | `{}` |
|
||||
| `master.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). | `none` |
|
||||
| `master.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `master.podSecurityContext.enabled` | Enabled Redis® master pods' Security Context | `true` |
|
||||
| `master.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
| `master.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
|
||||
|
@ -173,6 +175,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `master.containerSecurityContext.runAsGroup` | Set Redis® master containers' Security Context runAsGroup | `0` |
|
||||
| `master.containerSecurityContext.runAsNonRoot` | Set Redis® master containers' Security Context runAsNonRoot | `true` |
|
||||
| `master.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate Redis® pod(s) privileges | `false` |
|
||||
| `master.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
|
||||
| `master.containerSecurityContext.seccompProfile.type` | Set Redis® master containers' Security Context seccompProfile | `RuntimeDefault` |
|
||||
| `master.containerSecurityContext.capabilities.drop` | Set Redis® master containers' Security Context capabilities to drop | `["ALL"]` |
|
||||
| `master.kind` | Use either Deployment, StatefulSet (default) or DaemonSet | `StatefulSet` |
|
||||
|
@ -241,7 +244,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
### Redis® replicas configuration parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ------------------------ |
|
||||
| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
|
||||
| `replica.kind` | Use either DaemonSet or StatefulSet (default) | `StatefulSet` |
|
||||
| `replica.replicaCount` | Number of Redis® replicas to deploy | `3` |
|
||||
| `replica.configuration` | Configuration for Redis® replicas nodes | `""` |
|
||||
|
@ -279,8 +282,8 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `replica.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `replica.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `replica.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `replica.resources.limits` | The resources limits for the Redis® replicas containers | `{}` |
|
||||
| `replica.resources.requests` | The requested resources for the Redis® replicas containers | `{}` |
|
||||
| `replica.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if replica.resources is set (replica.resources is recommended for production). | `none` |
|
||||
| `replica.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `replica.podSecurityContext.enabled` | Enabled Redis® replicas pods' Security Context | `true` |
|
||||
| `replica.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
| `replica.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
|
||||
|
@ -292,6 +295,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `replica.containerSecurityContext.runAsGroup` | Set Redis® replicas containers' Security Context runAsGroup | `0` |
|
||||
| `replica.containerSecurityContext.runAsNonRoot` | Set Redis® replicas containers' Security Context runAsNonRoot | `true` |
|
||||
| `replica.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® replicas pod's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `replica.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
|
||||
| `replica.containerSecurityContext.seccompProfile.type` | Set Redis® replicas containers' Security Context seccompProfile | `RuntimeDefault` |
|
||||
| `replica.containerSecurityContext.capabilities.drop` | Set Redis® replicas containers' Security Context capabilities to drop | `["ALL"]` |
|
||||
| `replica.schedulerName` | Alternate scheduler for Redis® replicas pods | `""` |
|
||||
|
@ -364,7 +368,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
### Redis® Sentinel configuration parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
|
||||
| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
|
||||
| `sentinel.enabled` | Use Redis® Sentinel on Redis® pods. | `false` |
|
||||
| `sentinel.image.registry` | Redis® Sentinel image registry | `REGISTRY_NAME` |
|
||||
| `sentinel.image.repository` | Redis® Sentinel image repository | `REPOSITORY_NAME/redis-sentinel` |
|
||||
|
@ -427,13 +431,14 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `sentinel.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` |
|
||||
| `sentinel.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
|
||||
| `sentinel.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
|
||||
| `sentinel.resources.limits` | The resources limits for the Redis® Sentinel containers | `{}` |
|
||||
| `sentinel.resources.requests` | The requested resources for the Redis® Sentinel containers | `{}` |
|
||||
| `sentinel.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sentinel.resources is set (sentinel.resources is recommended for production). | `none` |
|
||||
| `sentinel.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `sentinel.containerSecurityContext.enabled` | Enabled Redis® Sentinel containers' Security Context | `true` |
|
||||
| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `sentinel.containerSecurityContext.runAsUser` | Set Redis® Sentinel containers' Security Context runAsUser | `1001` |
|
||||
| `sentinel.containerSecurityContext.runAsGroup` | Set Redis® Sentinel containers' Security Context runAsGroup | `0` |
|
||||
| `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis® Sentinel containers' Security Context runAsNonRoot | `true` |
|
||||
| `sentinel.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
|
||||
| `sentinel.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® Sentinel containers' Security Context allowPrivilegeEscalation | `false` |
|
||||
| `sentinel.containerSecurityContext.seccompProfile.type` | Set Redis® Sentinel containers' Security Context seccompProfile | `RuntimeDefault` |
|
||||
| `sentinel.containerSecurityContext.capabilities.drop` | Set Redis® Sentinel containers' Security Context capabilities to drop | `["ALL"]` |
|
||||
|
@ -448,6 +453,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `sentinel.service.externalTrafficPolicy` | Redis® Sentinel service external traffic policy | `Cluster` |
|
||||
| `sentinel.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
|
||||
| `sentinel.service.clusterIP` | Redis® Sentinel service Cluster IP | `""` |
|
||||
| `sentinel.service.createMaster` | Enable master service pointing to the current master (experimental) | `false` |
|
||||
| `sentinel.service.loadBalancerIP` | Redis® Sentinel service Load Balancer IP | `""` |
|
||||
| `sentinel.service.loadBalancerClass` | sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
|
||||
| `sentinel.service.loadBalancerSourceRanges` | Redis® Sentinel service Load Balancer sources | `[]` |
|
||||
|
@ -496,7 +502,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
### Metrics Parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
|
||||
| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
|
||||
| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis® metrics | `false` |
|
||||
| `metrics.image.registry` | Redis® Exporter image registry | `REGISTRY_NAME` |
|
||||
| `metrics.image.repository` | Redis® Exporter image repository | `REPOSITORY_NAME/redis-exporter` |
|
||||
|
@ -535,12 +541,13 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `metrics.containerSecurityContext.runAsGroup` | Set Redis® exporter containers' Security Context runAsGroup | `0` |
|
||||
| `metrics.containerSecurityContext.runAsNonRoot` | Set Redis® exporter containers' Security Context runAsNonRoot | `true` |
|
||||
| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® exporter containers' Security Context allowPrivilegeEscalation | `false` |
|
||||
| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
|
||||
| `metrics.containerSecurityContext.seccompProfile.type` | Set Redis® exporter containers' Security Context seccompProfile | `RuntimeDefault` |
|
||||
| `metrics.containerSecurityContext.capabilities.drop` | Set Redis® exporter containers' Security Context capabilities to drop | `["ALL"]` |
|
||||
| `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® metrics sidecar | `[]` |
|
||||
| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® metrics sidecar | `[]` |
|
||||
| `metrics.resources.limits` | The resources limits for the Redis® exporter container | `{}` |
|
||||
| `metrics.resources.requests` | The requested resources for the Redis® exporter container | `{}` |
|
||||
| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
|
||||
| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `metrics.podLabels` | Extra labels for Redis® exporter pods | `{}` |
|
||||
| `metrics.podAnnotations` | Annotations for Redis® exporter pods | `{}` |
|
||||
| `metrics.service.enabled` | Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor | `true` |
|
||||
|
@ -587,17 +594,25 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
### Init Container Parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | -------------------------- |
|
||||
| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- |
|
||||
| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` |
|
||||
| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
|
||||
| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
|
||||
| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
|
||||
| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
|
||||
| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` |
|
||||
| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` |
|
||||
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
|
||||
| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
|
||||
| `kubectl.image.registry` | Kubectl image registry | `REGISTRY_NAME` |
|
||||
| `kubectl.image.repository` | Kubectl image repository | `REPOSITORY_NAME/kubectl` |
|
||||
| `kubectl.image.digest` | Kubectl image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `kubectl.image.pullPolicy` | Kubectl image pull policy | `IfNotPresent` |
|
||||
| `kubectl.image.pullSecrets` | Kubectl pull secrets | `[]` |
|
||||
| `kubectl.command` | kubectl command to execute | `["/opt/bitnami/scripts/kubectl-scripts/update-master-label.sh"]` |
|
||||
| `kubectl.resources.limits` | The resources limits for the kubectl containers | `{}` |
|
||||
| `kubectl.resources.requests` | The requested resources for the kubectl containers | `{}` |
|
||||
| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` |
|
||||
| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
|
||||
| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
|
||||
|
@ -606,8 +621,8 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
|
||||
| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` |
|
||||
| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` |
|
||||
| `sysctl.resources.limits` | The resources limits for the init container | `{}` |
|
||||
| `sysctl.resources.requests` | The requested resources for the init container | `{}` |
|
||||
| `sysctl.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production). | `none` |
|
||||
| `sysctl.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
|
||||
### useExternalDNS Parameters
|
||||
|
||||
|
@ -643,6 +658,12 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/redis
|
|||
|
||||
## Configuration and installation details
|
||||
|
||||
### Resource requests and limits
|
||||
|
||||
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
|
||||
|
||||
To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
|
||||
|
||||
### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers)
|
||||
|
||||
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
|
||||
|
|
|
@ -20,3 +20,5 @@
|
|||
.idea/
|
||||
*.tmproj
|
||||
.vscode/
|
||||
# img folder
|
||||
img/
|
||||
|
|
|
@ -2,7 +2,7 @@ annotations:
|
|||
category: Infrastructure
|
||||
licenses: Apache-2.0
|
||||
apiVersion: v2
|
||||
appVersion: 2.14.1
|
||||
appVersion: 2.19.0
|
||||
description: A Library Helm Chart for grouping common logic between bitnami charts.
|
||||
This chart is not deployable by itself.
|
||||
home: https://bitnami.com
|
||||
|
@ -20,4 +20,4 @@ name: common
|
|||
sources:
|
||||
- https://github.com/bitnami/charts
|
||||
type: library
|
||||
version: 2.14.1
|
||||
version: 2.19.0
|
||||
|
|
|
@ -220,7 +220,7 @@ helm install test mychart --set path.to.value00="",path.to.value01=""
|
|||
|
||||
## License
|
||||
|
||||
Copyright © 2023 VMware, Inc.
|
||||
Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue