andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Generated changes

pull/81/head
actions 2021-02-26 18:55:49 +00:00
parent 37d594af16
commit bb1f1d193d
76 changed files with 2349 additions and 692 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/artifactory-ha/artifactory-ha-4.7.600.tgz Normal file
View File

Binary file not shown.

31
assets/index.yaml
View File

@ -1,6 +1,35 @@
apiVersion: v1
entries:
artifactory-ha:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/release-name: artifactory-ha
apiVersion: v1
appVersion: 7.12.6
created: "2021-02-26T18:55:48.762534939Z"
dependencies:
- condition: postgresql.enabled
name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 9.3.4
description: Universal Repository Manager supporting all major packaging formats, build tools and CI servers.
digest: 6f13240e67c292e0a7229b1e0b1d8389991e10850d629fab7bac34b7f702fa3c
home: https://www.jfrog.com/artifactory/
icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory-ha/logo/artifactory-logo.png
keywords:
- artifactory
- jfrog
- devops
maintainers:
- email: installers@jfrog.com
name: Chart Maintainers at JFrog
name: artifactory-ha
sources:
- https://bintray.com/jfrog/product/JFrog-Artifactory-Pro/view
- https://github.com/jfrog/charts
urls:
- assets/artifactory-ha/artifactory-ha-4.7.600.tgz
version: 4.7.600
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/release-name: artifactory-ha
@ -550,4 +579,4 @@ entries:
urls:
- assets/sysdig/sysdig-1.9.200.tgz
version: 1.9.200
generated: "2021-02-25T22:46:37.810270792Z"
generated: "2021-02-26T18:55:48.743664584Z"

161
charts/artifactory-ha/CHANGELOG.md
View File

@ -1,5 +1,164 @@
# JFrog Artifactory-ha Chart Changelog
All changes to this chart will be documented in this file.
All changes to this chart will be documented in this file
## [4.7.6] - Jan 11, 2020
* Updated Artifactory version to 7.12.6 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.12.6)
## [4.7.5] - Jan 07, 2020
* Added support for optional tracker dedicated ingress `.Values.artifactory.replicator.trackerIngress.enabled` (defaults to false)
## [4.7.4] - Jan 04, 2020
* Fixed gid support for statefulset
## [4.7.3] - Dec 31, 2020
* Added gid support for statefulset
* Add setSecurityContext flag to allow securityContext block to be removed from artifactory statefulset
## [4.7.2] - Dec 29, 2020
* **Important:** Removed `.Values.metrics` and `.Values.fluentd` (Fluentd and Prometheus integrations)
* Add support for creating additional kubernetes resources - [refer here](https://github.com/jfrog/log-analytics-prometheus/blob/master/artifactory-ha-values.yaml)
* Updated Artifactory version to 7.12.5
## [4.7.1] - Dec 21, 2020
* Updated Artifactory version to 7.12.3
## [4.7.0] - Dec 18, 2020
* Updated Artifactory version to 7.12.2
* Added `.Values.artifactory.openMetrics.enabled`
## [4.6.1] - Dec 11, 2020
* Added configurable `.Values.global.versions.artifactory` in values.yaml
## [4.6.0] - Dec 10, 2020
* Update postgresql tag version to `12.5.0-debian-10-r25`
* Fixed `artifactory.persistence.googleStorage.endpoint` from `storage.googleapis.com` to `commondatastorage.googleapis.com`
* Updated chart maintainers email
## [4.5.5] - Dec 4, 2020
* **Important:** Renamed `.Values.systemYaml` to `.Values.systemYamlOverride`
## [4.5.4] - Dec 1, 2020
* Improve error message returned when attempting helm upgrade command
## [4.5.3] - Nov 30, 2020
* Updated Artifactory version to 7.11.5 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.11)
# [4.5.2] - Nov 23, 2020
* Updated Artifactory version to 7.11.2 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.11)
* Updated port namings on services and pods to allow for istio protocol discovery
* Change semverCompare checks to support hosted Kubernetes
* Add flag to disable creation of ServiceMonitor when enabling prometheus metrics
* Prevent the PostHook command to be executed if the user did not specify a command in the values file
* Fix issue with tls file generation when nginx.https.enabled is false
## [4.5.1] - Nov 19, 2020
* Updated Artifactory version to 7.11.2
* Bugfix - access.config.import.xml override Access Federation configurations
## [4.5.0] - Nov 17, 2020
* Updated Artifactory version to 7.11.1
* Update alpine tag version to `3.12.1`
## [4.4.6] - Nov 10, 2020
* Pass system.yaml via external secret for advanced usecases
* Added support for custom ingress
* Bugfix - stateful set not picking up changes to database secrets
## [4.4.5] - Nov 9, 2020
* Updated Artifactory version to 7.10.6 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.10.6)
## [4.4.4] - Nov 2, 2020
* Add enablePathStyleAccess property for aws-s3-v3 binary provider template
## [4.4.3] - Nov 2, 2020
* Updated Artifactory version to 7.10.5 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.10.5)
## [4.4.2] - Oct 22, 2020
* Chown bug fix where Linux capability cannot chown all files causing log line warnings
* Fix Frontend timeout linting issue
## [4.4.1] - Oct 20, 2020
* Add flag to disable prepare-custom-persistent-volume init container
## [4.4.0] - Oct 19, 2020
* Updated Artifactory version to 7.10.2 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.10.2)
## [4.3.4] - Oct 19, 2020
* Add support to specify priorityClassName for nginx deployment
## [4.3.3] - Oct 15, 2020
* Fixed issue with node PodDisruptionBudget which also getting applied on the primary
* Fix mandatory masterKey check issue when upgrading from 6.x to 7.x
## [4.3.2] - Oct 14, 2020
* Add support to allow more than 1 Primary in Artifactory-ha STS
## [4.3.1] - Oct 9, 2020
* Add global support for customInitContainersBegin
## [4.3.0] - Oct 07, 2020
* Updated Artifactory version to 7.9.1
* **Breaking change:** Fix `storageClass` to correct `storageClassName` in values.yaml
## [4.2.0] - Oct 5, 2020
* Expose Prometheus metrics via a ServiceMonitor
* Parse log files for metric data with Fluentd
## [4.1.0] - Sep 30, 2020
* Updated Artifactory version to 7.9.0 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.9)
## [4.0.12] - Sep 25, 2020
* Update to use linux capability CAP_CHOWN instead of root base init container to avoid any use of root containers to pass Redhat security requirements
## [4.0.11] - Sep 28, 2020
* Setting chart coordinates in migitation yaml
## [4.0.10] - Sep 25, 2020
* Update filebeat version to `7.9.2`
## [4.0.9] - Sep 24, 2020
* Fixed broken issue - when setting `waitForDatabase:false` container startup still waits for DB
## [4.0.8] - Sep 22, 2020
* Updated readme
## [4.0.7] - Sep 22, 2020
* Fix lint issue in migitation yaml
## [4.0.6] - Sep 22, 2020
* Fix broken migitation yaml
## [4.0.5] - Sep 21, 2020
* Added mitigation yaml for Artifactory - [More info](https://github.com/jfrog/chartcenter/blob/master/docs/securitymitigationspec.md)
## [4.0.4] - Sep 17, 2020
* Added configurable session(UI) timeout in frontend microservice
## [4.0.3] - Sep 17, 2020
* Fix small typo in README and added proper required text to be shown while postgres upgrades
## [4.0.2] - Sep 14, 2020
* Updated Artifactory version to 7.7.8 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.7.8)
## [4.0.1] - Sep 8, 2020
* Added support for artifactory pro license (single node) installation.
## [4.0.0] - Sep 2, 2020
* **Breaking change:** Changed `imagePullSecrets` value from string to list
* **Breaking change:** Added `image.registry` and changed `image.version` to `image.tag` for docker images
* Added support for global values
* Updated maintainers in chart.yaml
* Update postgresql tag version to `12.3.0-debian-10-r71`
* Update postgresqlsub chart version to `9.3.4` - [9.x Upgrade Notes](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#900)
* **IMPORTANT**
* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**!
* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), you need to pass previous 9.x/10.x's postgresql.image.tag and databaseUpgradeReady=true.
## [3.1.0] - Aug 13, 2020
* Updated Artifactory version to 7.7.3 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.7)
## [3.0.15] - Aug 10, 2020
* Added enableSignedUrlRedirect for persistent storage type aws-s3-v3.
## [3.0.14] - Jul 31, 2020
* Update the README section on Nginx SSL termination to reflect the actual YAML structure.

16
charts/artifactory-ha/Chart.yaml
View File

@ -1,5 +1,5 @@
apiVersion: v1
appVersion: 7.6.3
appVersion: 7.12.6
description: Universal Repository Manager supporting all major packaging formats,
build tools and CI servers.
home: https://www.jfrog.com/artifactory/
@ -9,21 +9,13 @@ keywords:
- jfrog
- devops
maintainers:
- email: amithk@jfrog.com
name: amithins
- email: daniele@jfrog.com
name: danielezer
- email: eldada@jfrog.com
name: eldada
- email: ramc@jfrog.com
name: chukka
- email: rimasm@jfrog.com
name: rimusz
- email: installers@jfrog.com
name: Chart Maintainers at JFrog
name: artifactory-ha
sources:
- https://bintray.com/jfrog/product/JFrog-Artifactory-Pro/view
- https://github.com/jfrog/charts
version: 3.0.1400
version: 4.7.600
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/release-name: artifactory-ha

378
charts/artifactory-ha/README.md
View File

@ -1,5 +1,7 @@
# JFrog Artifactory High Availability Helm Chart
**Heads up: Our Helm Chart docs are moving to our main documentation site. For Artifactory installers, see [Installing Artifactory](https://www.jfrog.com/confluence/display/JFROG/Installing+Artifactory).**
## Prerequisites Details
* Kubernetes 1.12+
@ -19,7 +21,10 @@ The Artifactory HA cluster in this chart is made up of
Load balancing is done to the member nodes only.
This leaves the primary node free to handle jobs and tasks and not be interrupted by inbound traffic.
> This can be controlled by the parameter `artifactory.service.pool`.
This can be controlled by the parameter `artifactory.service.pool`.
**NOTE:**
Using artifactory pro license (which supports single node only), set `artifactory.node.replicaCount=0` in values.yaml.
To scale from single node to multiple nodes(>1), use Enterprise(+) license and then do an helm upgrade (Each node need a seperate license).
## Installing the Chart
@ -62,7 +67,7 @@ artifactory:
<YOUR_SYSTEM_YAML_CONFIGURATION>
```
### Deploying Artifactory for small/medium/large instllations
### Deploying Artifactory for small/medium/large installations
In the chart directory, we have added three values files, one for each installation type - small/medium/large. These values files are recommendations for setting resources requests and limits for your installation. The values are derived from the following [documentation](https://www.jfrog.com/confluence/display/EP/Installing+on+Kubernetes#InstallingonKubernetes-Systemrequirements). You can find them in the corresponding chart directory - values-small.yaml, values-medium.yaml and values-large.yaml
### Accessing Artifactory
@ -98,6 +103,10 @@ artifactory:
enabled: true
timeoutSeconds: 3600
```
* Note: If you are upgrading from 1.x to 4.x and above chart versions, please delete the existing statefulset of postgresql before upgrading the chart due to breaking changes in postgresql subchart.
```bash
kubectl delete statefulsets <OLD_RELEASE_NAME>-postgresql
```
### Artifactory memory and CPU resources
The Artifactory HA Helm chart comes with support for configured resource requests and limits to all pods. By default, these settings are commented out.
@ -334,6 +343,13 @@ Use this template if you want to attach an IAM role to the Artifactory pod direc
...
```
To enable [Direct Cloud Storage Download](https://www.jfrog.com/confluence/display/JFROG/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-1.ConfiguretheArtifactoryFilestore)
```bash
...
--set artifactory.persistence.awsS3V3.enableSignedUrlRedirect=true \
...
```
#### Microsoft Azure Blob Storage
To use Azure Blob Storage as the cluster's filestore. See [Azure Blob Storage Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-AzureBlobStorageClusterBinaryProvider)
- Pass Azure Blob Storage parameters to `helm install` and `helm upgrade`
@ -1217,11 +1233,11 @@ If you are running a load balancer, that is used to offload the TLS, in front of
To enable it with `helm install`
```bash
helm upgrade --install nginx-ingress --namespace nginx-ingress stable/nginx-ingress --set-string controller.config.use-forwarded-headers=true
helm upgrade --install nginx-ingress --namespace nginx-ingress center/kubernetes-ingress-nginx/ingress-nginx --set-string controller.config.use-forwarded-headers=true
```
or `helm upgrade`
```bash
helm upgrade nginx-ingress --set-string controller.config.use-forwarded-headers=true stable/nginx-ingress
helm upgrade nginx-ingress --set-string controller.config.use-forwarded-headers=true center/kubernetes-ingress-nginx/ingress-nginx
```
or create a values.yaml file with the following content:
```yaml
@ -1231,355 +1247,19 @@ controller:
```
Then install nginx-ingress with the values file you created:
```bash
helm upgrade --install nginx-ingress --namespace nginx-ingress stable/nginx-ingress -f values.yaml
helm upgrade --install nginx-ingress --namespace nginx-ingress center/kubernetes-ingress-nginx/ingress-nginx -f values.yaml
```
## Configuration
The following table lists the configurable parameters of the artifactory chart and their default values.
### Log Analytics
| Parameter | Description | Default |
|------------------------------|-----------------------------------|-------------------------------------------------------|
| `imagePullSecrets` | Docker registry pull secret | |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `serviceAccount.name` | The name of the ServiceAccount to create | Generated using the fullname template |
| `serviceAccount.annotations` | Artifactory service account annotations | `` |
| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
| `rbac.role.rules` | Rules to create | `[]` |
| `logger.image.repository` | repository for logger image | `busybox` |
| `logger.image.tag` | tag for logger image | `1.30` |
| `artifactory.name` | Artifactory name | `artifactory` |
| `artifactory.image.pullPolicy` | Container pull policy | `IfNotPresent` |
| `artifactory.image.repository` | Container image | `docker.bintray.io/jfrog/artifactory-pro` |
| `artifactory.image.version` | Container image tag | `.Chart.AppVersion` |
| `artifactory.priorityClass.create` | Create a PriorityClass object | `false` |
| `artifactory.priorityClass.value` | Priority Class value | `1000000000` |
| `artifactory.priorityClass.name` | Priority Class name | `{{ template "artifactory-ha.fullname" . }}` |
| `artifactory.priorityClass.existingPriorityClass` | Use existing priority class | `` |
| `artifactory.loggers` | Artifactory loggers (see values.yaml for possible values) | `[]` |
| `artifactory.loggersResources.requests.memory` | Artifactory loggers initial memory request | |
| `artifactory.loggersResources.requests.cpu` | Artifactory loggers initial cpu request | |
| `artifactory.loggersResources.limits.memory` | Artifactory loggers memory limit | |
| `artifactory.loggersResources.limits.cpu` | Artifactory loggers cpu limit | |
| `artifactory.catalinaLoggers` | Artifactory Tomcat loggers (see values.yaml for possible values) | `[]` |
| `artifactory.catalinaLoggersResources.requests.memory` | Artifactory Tomcat loggers initial memory request | |
| `artifactory.catalinaLoggersResources.requests.cpu` | Artifactory Tomcat loggers initial cpu request | |
| `artifactory.catalinaLoggersResources.limits.memory` | Artifactory Tomcat loggers memory limit | |
| `artifactory.catalinaLoggersResources.limits.cpu` | Artifactory Tomcat loggers cpu limit | |
| `artifactory.customInitContainersBegin`| Custom init containers to run before existing init containers | |
| `artifactory.customInitContainers`| Custom init containers to run after existing init containers | |
| `artifactory.customSidecarContainers`| Custom sidecar containers | |
| `artifactory.customVolumes` | Custom volumes | |
| `artifactory.customVolumeMounts` | Custom Artifactory volumeMounts | |
| `artifactory.customPersistentPodVolumeClaim` | Custom PVC spec to create and attach a unique PVC for each pod on startup with the volumeClaimTemplates feature in StatefulSet | |
| `artifactory.customPersistentVolumeClaim` | Custom PVC spec to be mounted to the all artifactory containers using a volume | |
| `artifactory.customSecrets` | Custom secrets | |
| `artifactory.userPluginSecrets` | Array of secret names for Artifactory user plugins | |
| `artifactory.masterKey` | Artifactory master key. A 128-Bit key size (hexadecimal encoded) string (32 hex characters). Can be generated with `openssl rand -hex 32`. NOTE: This key can be generated only once and cannot be updated once created |``|
| `artifactory.masterKeySecretName` | Artifactory Master Key secret name | |
| `artifactory.joinKey` | Join Key to connect other services to Artifactory. Can be generated with `openssl rand -hex 32` | `` |
| `artifactory.joinKeySecretName` | Artifactory join Key secret name | |
| `artifactory.admin.ip` | Artifactory admin ip to be set upon startup, can use (*) for 0.0.0.0| `127.0.0.1` |
| `artifactory.admin.username` | Artifactory admin username to be set upon startup| `admin` |
| `artifactory.admin.password` | Artifactory admin password to be set upon startup| |
| `artifactory.admin.secret` | Artifactory admin secret name | |
| `artifactory.admin.dataKey` | Artifactory admin secret data key | |
| `artifactory.preStartCommand` | Command to run before entrypoint starts | |
| `artifactory.postStartCommand` | Command to run after container starts. Supports templating with `tpl` | |
| `artifactory.license.licenseKey` | Artifactory license key. Providing the license key as a parameter will cause a secret containing the license key to be created as part of the release. Use either this setting or the license.secret and license.dataKey. If you use both, the latter will be used. | |
| `artifactory.configMaps` | configMaps to be created as volume by the name `artifactory-configmaps`. In order to use these configMaps, you will need to add `customVolumeMounts` to point to the created volume and mount it onto a container | |
| `artifactory.license.secret` | Artifactory license secret name | |
| `artifactory.license.dataKey`| Artifactory license secret data key | |
| `artifactory.service.name` | Artifactory service name to be set in Nginx configuration | `artifactory` |
| `artifactory.service.type` | Artifactory service type | `ClusterIP` |
| `artifactory.service.clusterIP`| Specific cluster IP or `None` for headless services | `nil` |
| `artifactory.service.loadBalancerSourceRanges`| Artifactory service array of IP CIDR ranges to whitelist (only when service type is LoadBalancer) | |
| `artifactory.service.annotations` | Artifactory service annotations | `{}` |
| `artifactory.service.pool` | Artifactory instances to be in the load balancing pool. `members` or `all` | `members` |
| `artifactory.externalPort` | Artifactory service external port | `8082` |
| `artifactory.internalPort` | Artifactory service internal port (**DO NOT** use port lower than 1024) | `8082` |
| `artifactory.internalArtifactoryPort` | Artifactory service internal port (**DO NOT** use port lower than 1024) | `8081` |
| `artifactory.externalArtifactoryPort` | Artifactory service external port | `8081` |
| `artifactory.extraEnvironmentVariables` | Extra environment variables to pass to Artifactory. Supports evaluating strings as templates via the [`tpl`](https://helm.sh/docs/charts_tips_and_tricks/#using-the-tpl-function) function. See [documentation](https://www.jfrog.com/confluence/display/RTF/Installing+with+Docker#InstallingwithDocker-SupportedEnvironmentVariables) | |
| `artifactory.livenessProbe.enabled` | Enable liveness probe | `true` |
| `artifactory.livenessProbe.path` | liveness probe HTTP Get path | `/router/api/v1/system/health` |
| `artifactory.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 180 |
| `artifactory.livenessProbe.periodSeconds` | How often to perform the probe | 10 |
| `artifactory.livenessProbe.timeoutSeconds` | When the probe times out | 10 |
| `artifactory.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 |
| `artifactory.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 |
| `artifactory.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` |
| `artifactory.readinessProbe.path` | readiness probe HTTP Get path | `/router/api/v1/system/health` |
| `artifactory.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 60 |
| `artifactory.readinessProbe.periodSeconds` | How often to perform the probe | 10 |
| `artifactory.readinessProbe.timeoutSeconds` | When the probe times out | 10 |
| `artifactory.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 |
| `artifactory.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 |
| `artifactory.copyOnEveryStartup` | List of files to copy on startup from source (which is absolute) to target (which is relative to ARTIFACTORY_HOME | |
| `artifactory.deleteDBPropertiesOnStartup` | Whether to delete the ARTIFACTORY_HOME/etc/db.properties file on startup. Disabling this will remove the ability for the db.properties to be updated with any DB-related environment variables change (e.g. DB_HOST, DB_URL) | `true` |
| `artifactory.database.maxOpenConnections` | Maximum amount of open connections from Artifactory to the DB | `80` |
| `artifactory.haDataDir.enabled` | Enable haDataDir for eventual storage in the HA cluster | `false` |
| `artifactory.haDataDir.path` | Path to the directory intended for use with NFS eventual configuration for HA | |
| `artifactory.haBackupDir.enabled` | Enable haBackupDir for eventual storage in the HA cluster | `false` |
| `artifactory.haBackupDir.path` | Path to the directory intended for use with NFS eventual configuration for HA | |
| `artifactory.haBackupDir.enabled` | Enable haBackupDir for eventual storage in the HA cluster | `false` |
| `artifactory.haBackupDir.path` | Path to the directory intended for use with NFS eventual configuration for HA | |
| `artifactory.migration.timeoutSeconds` | Artifactory migration Maximum Time out in seconds| `3600` |
| `artifactory.migration.enabled` | Artifactory migration enabled or disabled | `true` |
| `artifactory.persistence.mountPath` | Artifactory persistence volume mount path | `"/var/opt/jfrog/artifactory"` |
| `artifactory.persistence.enabled` | Artifactory persistence volume enabled | `true` |
| `artifactory.persistence.accessMode` | Artifactory persistence volume access mode | `ReadWriteOnce` |
| `artifactory.persistence.size` | Artifactory persistence or local volume size | `200Gi` |
| `artifactory.persistence.binarystore.enabled` | whether you want to mount the binarystore.xml file from a secret created by the chart. If `false` you will need need to get the binarystore.xml file into the file-system from either an `initContainer` or using a `preStartCommand` | `true` |
| `artifactory.persistence.binarystoreXml` | Artifactory binarystore.xml template | See `values.yaml` |
| `artifactory.persistence.customBinarystoreXmlSecret` | A custom Secret for binarystore.xml | `` |
| `artifactory.persistence.maxCacheSize` | Artifactory cache-fs provider maxCacheSize in bytes | `50000000000` |
| `artifactory.persistence.cacheProviderDir` | the root folder of binaries for the filestore cache. If the value specified starts with a forward slash ("/") it is considered the fully qualified path to the filestore folder. Otherwise, it is considered relative to the *baseDataDir*. | `cache` |
| `artifactory.persistence.type` | Artifactory HA storage type | `file-system` |
| `artifactory.persistence.redundancy` | Artifactory HA storage redundancy | `3` |
| `artifactory.persistence.nfs.ip` | NFS server IP | |
| `artifactory.persistence.nfs.haDataMount` | NFS data directory | `/data` |
| `artifactory.persistence.nfs.haBackupMount` | NFS backup directory | `/backup` |
| `artifactory.persistence.nfs.dataDir` | HA data directory | `/var/opt/jfrog/artifactory-ha` |
| `artifactory.persistence.nfs.backupDir` | HA backup directory | `/var/opt/jfrog/artifactory-backup` |
| `artifactory.persistence.nfs.capacity` | NFS PVC size | `200Gi` |
| `artifactory.persistence.nfs.mountOptions` | NFS mount options | `[]` |
| `artifactory.persistence.eventual.numberOfThreads` | Eventual number of threads | `10` |
| `artifactory.persistence.googleStorage.endpoint` | Google Storage API endpoint| `storage.googleapis.com` |
| `artifactory.persistence.googleStorage.httpsOnly` | Google Storage API has to be consumed https only| `false` |
| `artifactory.persistence.googleStorage.bucketName` | Google Storage bucket name | `artifactory-ha` |
| `artifactory.persistence.googleStorage.identity` | Google Storage service account id | |
| `artifactory.persistence.googleStorage.credential` | Google Storage service account key | |
| `artifactory.persistence.googleStorage.path` | Google Storage path in bucket | `artifactory-ha/filestore` |
| `artifactory.persistence.googleStorage.bucketExists`| Google Storage bucket exists therefore does not need to be created.| `false` |
| `artifactory.persistence.awsS3.bucketName` | AWS S3 bucket name | `artifactory-ha` |
| `artifactory.persistence.awsS3.endpoint` | AWS S3 bucket endpoint | See https://docs.aws.amazon.com/general/latest/gr/rande.html |
| `artifactory.persistence.awsS3.region` | AWS S3 bucket region | |
| `artifactory.persistence.awsS3.roleName` | AWS S3 IAM role name | |
| `artifactory.persistence.awsS3.identity` | AWS S3 AWS_ACCESS_KEY_ID | |
| `artifactory.persistence.awsS3.credential` | AWS S3 AWS_SECRET_ACCESS_KEY | |
| `artifactory.persistence.awsS3.properties` | AWS S3 additional properties | |
| `artifactory.persistence.awsS3.path` | AWS S3 path in bucket | `artifactory-ha/filestore` |
| `artifactory.persistence.awsS3.refreshCredentials` | AWS S3 renew credentials on expiration | `true` (When roleName is used, this parameter will be set to true) |
| `artifactory.persistence.awsS3.httpsOnly` | AWS S3 https access to the bucket only | `true` |
| `artifactory.persistence.awsS3.testConnection` | AWS S3 test connection on start up | `false` |
| `artifactory.persistence.awsS3.s3AwsVersion` | AWS S3 signature version | `AWS4-HMAC-SHA256` |
| `artifactory.persistence.awsS3V3.testConnection` | AWS S3 test connection on start up | `false` |
| `artifactory.persistence.awsS3V3.identity` | AWS S3 AWS_ACCESS_KEY_ID | |
| `artifactory.persistence.awsS3V3.credential` | AWS S3 AWS_SECRET_ACCESS_KEY | |
| `artifactory.persistence.awsS3V3.region` | AWS S3 bucket region | |
| `artifactory.persistence.awsS3V3.bucketName` | AWS S3 bucket name | `artifactory-aws` |
| `artifactory.persistence.awsS3V3.path` | AWS S3 path in bucket | `artifactory/filestore` |
| `artifactory.persistence.awsS3V3.endpoint` | AWS S3 bucket endpoint | See https://docs.aws.amazon.com/general/latest/gr/rande.html |
| `artifactory.persistence.awsS3V3.maxConnections` | AWS S3 bucket maxConnections | `50` |
| `artifactory.persistence.awsS3V3.kmsServerSideEncryptionKeyId` | AWS S3 encryption key ID or alias | |
| `artifactory.persistence.awsS3V3.kmsKeyRegion` | AWS S3 KMS Key region | |
| `artifactory.persistence.awsS3V3.kmsCryptoMode` | AWS S3 KMS encryption mode | See https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-AmazonS3OfficialSDKTemplate |
| `artifactory.persistence.awsS3V3.useInstanceCredentials` | AWS S3 Use default authentication mechanism | See https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-authentication |
| `artifactory.persistence.awsS3V3.usePresigning` | AWS S3 Use URL signing | `false` |
| `artifactory.persistence.awsS3V3.signatureExpirySeconds` | AWS S3 Validity period in seconds for signed URLs | `300` |
| `artifactory.persistence.awsS3V3.cloudFrontDomainName` | AWS CloudFront domain name | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)|
| `artifactory.persistence.awsS3V3.cloudFrontKeyPairId` | AWS CloudFront key pair ID | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)|
| `artifactory.persistence.awsS3V3.cloudFrontPrivateKey` | AWS CloudFront private key | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)|
| `artifactory.persistence.azureBlob.accountName` | Azure Blob Storage account name | `` |
| `artifactory.persistence.azureBlob.accountKey` | Azure Blob Storage account key | `` |
| `artifactory.persistence.azureBlob.endpoint` | Azure Blob Storage endpoint | `` |
| `artifactory.persistence.azureBlob.containerName` | Azure Blob Storage container name | `` |
| `artifactory.persistence.azureBlob.testConnection` | Azure Blob Storage test connection | `false` |
| `artifactory.persistence.fileSystem.existingSharedClaim` | Enable using an existing shared pvc | `false` |
| `artifactory.persistence.fileStorage.dataDir` | HA data directory | `/var/opt/jfrog/artifactory/artifactory-data` |
| `artifactory.persistence.fileStorage.backupDir` | HA backup directory | `/var/opt/jfrog/artifactory-backup` |
| `artifactory.javaOpts.other` | Artifactory additional java options (for all nodes) | |
| `artifactory.replicator.enabled` | Enable the Replicator service (relevant for Enterprise+ only) | `false` |
| `artifactory.ssh.enabled` | Enable Artifactory SSH access | |
| `artifactory.ssh.internalPort` | Artifactory SSH internal port | `1339` |
| `artifactory.ssh.externalPort` | Artifactory SSH external port | `1339` |
| `artifactory.primary.preStartCommand` | Artifactory primary node preStartCommand to be run after `artifactory.preStartCommand` | |
| `artifactory.primary.labels` | Artifactory primary node labels | `{}` |
| `artifactory.primary.resources.requests.memory` | Artifactory primary node initial memory request | |
| `artifactory.primary.resources.requests.cpu` | Artifactory primary node initial cpu request | |
| `artifactory.primary.resources.limits.memory` | Artifactory primary node memory limit | |
| `artifactory.primary.resources.limits.cpu` | Artifactory primary node cpu limit | |
| `artifactory.primary.javaOpts.xms` | Artifactory primary node java Xms size | |
| `artifactory.primary.javaOpts.xmx` | Artifactory primary node java Xms size | |
| `artifactory.primary.javaOpts.corePoolSize` | The number of async processes that can run in parallel in the primary node - https://jfrog.com/knowledge-base/how-do-i-tune-artifactory-for-heavy-loads/ | `16` |
| `artifactory.primary.javaOpts.jmx.enabled` | Enable JMX monitoring | `false` |
| `artifactory.primary.javaOpts.jmx.port` | JMX Port number | `9010` |
| `artifactory.primary.javaOpts.jmx.host` | JMX hostname (parsed as a helm template) | `{{ template "artifactory-ha.primary.name" $ }}` |
| `artifactory.primary.javaOpts.jmx.ssl` | Enable SSL | `false` |
| `artifactory.primary.javaOpts.jmx.authenticate` | Enable JMX authentication | `false` |
| `artifactory.primary.javaOpts.jmx.accessFile` | The path to the JMX access file, when JMX authentication is enabled | |
| `artifactory.primary.javaOpts.jmx.passwordFile` | The path to the JMX password file, when JMX authentication is enabled | |
| `artifactory.primary.javaOpts.other` | Artifactory primary node additional java options | |
| `artifactory.primary.persistence.existingClaim` | Whether to use an existing pvc for the primary node | `false` |
| `artifactory.node.preStartCommand` | Artifactory member node preStartCommand to be run after `artifactory.preStartCommand` | |
| `artifactory.node.labels` | Artifactory member node labels | `{}` |
| `artifactory.node.replicaCount` | Artifactory member node replica count | `2` |
| `artifactory.node.minAvailable` | Artifactory member node min available count | `1` |
| `artifactory.node.resources.requests.memory` | Artifactory member node initial memory request | |
| `artifactory.node.resources.requests.cpu` | Artifactory member node initial cpu request | |
| `artifactory.node.resources.limits.memory` | Artifactory member node memory limit | |
| `artifactory.node.resources.limits.cpu` | Artifactory member node cpu limit | |
| `artifactory.node.javaOpts.xms` | Artifactory member node java Xms size | |
| `artifactory.node.javaOpts.xmx` | Artifactory member node java Xms size | |
| `artifactory.node.javaOpts.corePoolSize` | The number of async processes that can run in parallel in the member nodes - https://jfrog.com/knowledge-base/how-do-i-tune-artifactory-for-heavy-loads/ | `16` |
| `artifactory.node.javaOpts.jmx.enabled` | Enable JMX monitoring | `false` |
| `artifactory.node.javaOpts.jmx.port` | JMX Port number | `9010` |
| `artifactory.node.javaOpts.jmx.host` | JMX hostname (parsed as a helm template) | `{{ template "artifactory-ha.fullname" $ }}` |
| `artifactory.node.javaOpts.jmx.ssl` | Enable SSL | `false` |
| `artifactory.node.javaOpts.jmx.authenticate` | Enable JMX authentication | `false` |
| `artifactory.node.javaOpts.jmx.accessFile` | The path to the JMX access file, when JMX authentication is enabled | |
| `artifactory.node.javaOpts.jmx.passwordFile` | The path to the JMX password file, when JMX authentication is enabled | |
| `artifactory.node.javaOpts.other` | Artifactory member node additional java options | |
| `artifactory.node.persistence.existingClaim` | Whether to use existing PVCs for the member nodes | `false` |
| `artifactory.terminationGracePeriodSeconds` | Termination grace period (seconds) | `30s` |
| `artifactory.node.waitForPrimaryStartup.enabled` | Whether to wait for the primary node to start before starting up the member nodes | `false` |
| `artifactory.node.waitForPrimaryStartup.time` | The amount of time to wait for the primary node to start before starting up the member nodes | `60` |
| `artifactory.tomcat.connector.maxThreads` | The max number of connections to Artifactory connector | `200` |
| `artifactory.tomcat.connector.extraConfig` | The max queue length for incoming connections to Artifactory connector | `'acceptCount="100"'` |
| `artifactory.systemYaml` | Artifactory system configuration (`system.yaml`) as described here - https://www.jfrog.com/confluence/display/JFROG/Artifactory+System+YAML | `see values.yaml` |
| `artifactory.primary.affinity` | Artifactory primary node affinity | `{}` |
| `artifactory.node.affinity` | Artifactory member node affinity | `{}` |
| `access.database.maxOpenConnections` | Maximum amount of open connections from Access to the DB | `80` |
| `access.tomcat.connector.maxThreads` | The max number of connections to Aceess connector | `50` |
| `access.tomcat.connector.extraConfig` | The max queue length for incoming connections to Access connector | `'acceptCount="100"'` |
| `initContainers.resources.requests.memory` | Init containers initial memory request | |
| `initContainers.resources.requests.cpu` | Init containers initial cpu request | |
| `initContainers.resources.limits.memory` | Init containers memory limit | |
| `initContainers.resources.limits.cpu` | Init containers cpu limit | |
| `ingress.enabled` | If true, Artifactory Ingress will be created | `false` |
| `ingress.annotations` | Artifactory Ingress annotations | `{}` |
| `ingress.labels` | Artifactory Ingress labels | `{}` |
| `ingress.hosts` | Artifactory Ingress hostnames | `[]` |
| `ingress.routerPath` | Router Ingress path | `/` |
| `ingress.artifactoryPath` | Artifactory Ingress path | `/artifactory` |
| `ingress.tls` | Artifactory Ingress TLS configuration (YAML) | `[]` |
| `ingress.defaultBackend.enabled` | If true, the default `backend` will be added using serviceName and servicePort | `true` |
| `ingress.annotations` | Ingress annotations, which are written out if annotations section exists in values. Everything inside of the annotations section will appear verbatim inside the resulting manifest. See `Ingress annotations` section below for examples of how to leverage the annotations, specifically for how to enable docker authentication. | |
| `ingress.additionalRules` | Ingress additional rules to be added to the Artifactory ingress. | `[]` |
| `metadata.database.maxOpenConnections` | Maximum amount of open connections from metadata to the DB | `80` |
| `nginx.enabled` | Deploy nginx server | `true` |
| `nginx.kind` | Nginx object kind, for example `DaemonSet`, `Deployment` or `StatefulSet` | `Deployment` |
| `nginx.name` | Nginx name | `nginx` |
| `nginx.replicaCount` | Nginx replica count | `1` |
| `nginx.uid` | Nginx User Id | `104` |
| `nginx.gid` | Nginx Group Id | `107` |
| `nginx.image.repository` | Container image | `docker.bintray.io/jfrog/nginx-artifactory-pro` |
| `nginx.image.version` | Container version | `.Chart.AppVersion` |
| `nginx.image.pullPolicy` | Container pull policy | `IfNotPresent` |
| `nginx.labels` | Nginx deployment labels | `{}` |
| `nginx.minAvailable` | Nginx node min available count | `0` |
| `nginx.loggers` | Nginx loggers (see values.yaml for possible values) | `[]` |
| `nginx.loggersResources.requests.memory` | Nginx logger initial memory request | |
| `nginx.loggersResources.requests.cpu` | Nginx logger initial cpu request | |
| `nginx.loggersResources.limits.memory` | Nginx logger memory limit | |
| `nginx.loggersResources.limits.cpu` | Nginx logger cpu limit | |
| `nginx.logs.stderr` | Send nginx logs to stderr | false |
| `nginx.logs.level` | Nginx log level: debug, info, notice, warn, error, crit, alert, or emerg | warn |
| `nginx.mainConf` | Content of the Artifactory nginx main nginx.conf config file | `see values.yaml` |
| `nginx.artifactoryConf` | Content of Artifactory nginx artifactory.conf config file | `see values.yaml` |
| `nginx.service.type` | Nginx service type | `LoadBalancer` |
| `nginx.service.clusterIP` | Specific cluster IP or `None` for headless services | `nil` |
| `nginx.service.loadBalancerSourceRanges`| Nginx service array of IP CIDR ranges to whitelist (only when service type is LoadBalancer) | |
| `nginx.service.labels` | Nginx service labels | `{}` |
| `nginx.service.annotations` | Nginx service annotations | `{}` |
| `nginx.service.ssloffload` | Nginx service SSL offload | false |
| `nginx.service.externalTrafficPolicy`| Nginx service desires to route external traffic to node-local or cluster-wide endpoints. | `Cluster` |
| `nginx.loadBalancerIP`| Provide Static IP to configure with Nginx | |
| `nginx.http.enabled` | Nginx http service enabled/disabled | true |
| `nginx.http.externalPort` | Nginx service external port | `80` |
| `nginx.http.internalPort` | Nginx service internal port | `80` |
| `nginx.https.enabled` | Nginx http service enabled/disabled | true |
| `nginx.https.externalPort` | Nginx service external port | `443` |
| `nginx.https.internalPort` | Nginx service internal port | `443` |
| `nginx.ssh.internalPort` | Nginx SSH internal port | `22` |
| `nginx.ssh.externalPort` | Nginx SSH external port | `22` |
| `nginx.externalPortHttp` | DEPRECATED: Nginx service external port | `80` |
| `nginx.internalPortHttp` | DEPRECATED: Nginx service internal port | `80` |
| `nginx.externalPortHttps` | DEPRECATED: Nginx service external port | `443` |
| `nginx.internalPortHttps` | DEPRECATED: Nginx service internal port | `443` |
| `nginx.livenessProbe.enabled` | would you like a liveness Probe to be enabled | `true` |
| `nginx.livenessProbe.path` | liveness probe HTTP Get path | `/router/api/v1/system/health` |
| `nginx.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 100 |
| `nginx.livenessProbe.periodSeconds` | How often to perform the probe | 10 |
| `nginx.livenessProbe.timeoutSeconds` | When the probe times out | 10 |
| `nginx.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 |
| `nginx.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 |
| `nginx.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` |
| `nginx.readinessProbe.path` | Readiness probe HTTP Get path | `/router/api/v1/system/health` |
| `nginx.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 60 |
| `nginx.readinessProbe.periodSeconds` | How often to perform the probe | 10 |
| `nginx.readinessProbe.timeoutSeconds` | When the probe times out | 10 |
| `nginx.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 |
| `nginx.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 |
| `nginx.tlsSecretName` | SSL secret that will be used by the Nginx pod | |
| `nginx.customConfigMap` | Nginx CustomeConfigMap name for `nginx.conf` | ` ` |
| `nginx.customArtifactoryConfigMap`| Nginx CustomeConfigMap name for `artifactory-ha.conf` | ` ` |
| `nginx.resources.requests.memory` | Nginx initial memory request | `250Mi` |
| `nginx.resources.requests.cpu` | Nginx initial cpu request | `100m` |
| `nginx.resources.limits.memory` | Nginx memory limit | `250Mi` |
| `nginx.resources.limits.cpu` | Nginx cpu limit | `500m` |
| `nginx.persistence.mountPath` | Nginx persistence volume mount path | `"/var/opt/jfrog/nginx"` |
| `nginx.persistence.enabled` | Nginx persistence volume enabled. This is only available when the nginx.replicaCount is set to 1 | `false` |
| `nginx.persistence.accessMode` | Nginx persistence volume access mode | `ReadWriteOnce` |
| `nginx.persistence.size` | Nginx persistence volume size | `5Gi` |
| `waitForDatabase` | Wait for database (using wait-for-db init container) | `true` |
| `postgresql.enabled` | Use enclosed PostgreSQL as database | `true` |
| `postgresql.image.registry` | PostgreSQL image registry | `docker.bintray.io` |
| `postgresql.image.repository` | PostgreSQL image repository | `bitnami/postgresql` |
| `postgresql.image.tag` | PostgreSQL image tag | `9.6.18-debian-10-r7` |
| `postgresql.postgresqlDatabase` | PostgreSQL database name | `artifactory` |
| `postgresql.postgresqlUsername` | PostgreSQL database user | `artifactory` |
| `postgresql.postgresqlPassword` | PostgreSQL database password | |
| `postgresql.postgresqlExtendedConf.listenAddresses` | PostgreSQL listen address | `"'*'"` |
| `postgresql.postgresqlExtendedConf.maxConnections` | PostgreSQL max_connections parameter | `1500` |
| `postgresql.persistence.enabled` | PostgreSQL use persistent storage | `true` |
| `postgresql.persistence.size` | PostgreSQL persistent storage size | `50Gi` |
| `postgresql.service.port` | PostgreSQL database port | `5432` |
| `postgresql.resources.requests.memory` | PostgreSQL initial memory request | |
| `postgresql.resources.requests.cpu` | PostgreSQL initial cpu request | |
| `postgresql.resources.limits.memory` | PostgreSQL memory limit | |
| `postgresql.resources.limits.cpu` | PostgreSQL cpu limit | |
| `postgresql.master.nodeSelector` | PostgreSQL master node selector | `{}` |
| `postgresql.master.affinity` | PostgreSQL master node affinity | `{}` |
| `postgresql.master.tolerations` | PostgreSQL master node tolerations | `[]` |
| `postgresql.slave.nodeSelector` | PostgreSQL slave node selector | `{}` |
| `postgresql.slave.affinity` | PostgreSQL slave node affinity | `{}` |
| `postgresql.slave.tolerations` | PostgreSQL slave node tolerations | `[]` |
| `database.type` | External database type (`postgresql`, `mysql`, `oracle` or `mssql`) | |
| `database.driver` | External database driver e.g. `org.postgresql.Driver` | |
| `database.url` | External database connection URL | |
| `database.user` | External database username | |
| `database.password` | External database password | |
| `database.secrets.user.name` | External database username `Secret` name | |
| `database.secrets.user.key` | External database username `Secret` key | |
| `database.secrets.password.name` | External database password `Secret` name | |
| `database.secrets.password.key` | External database password `Secret` key | |
| `database.secrets.url.name ` | External database url `Secret` name | |
| `database.secrets.url.key` | External database url `Secret` key | |
| `networkpolicy.name` | Becomes part of the NetworkPolicy object name | `artifactory` |
| `networkpolicy.podselector` | Contains the YAML that specifies how to match pods. Usually using matchLabels. | |
| `networkpolicy.ingress` | YAML snippet containing to & from rules applied to incoming traffic | `- {}` (open to all inbound traffic) |
| `networkpolicy.egress` | YAML snippet containing to & from rules applied to outgoing traffic | `- {}` (open to all outbound traffic) |
| `filebeat.enabled` | Enable a filebeat container to send your logs to a log management solution like ELK | `false` |
| `filebeat.name` | filebeat container name | `artifactory-filebeat` |
| `filebeat.image.repository` | filebeat Docker image repository | `docker.elastic.co/beats/filebeat` |
| `filebeat.image.version` | filebeat Docker image version | `7.5.1` |
| `filebeat.logstashUrl` | The URL to the central Logstash service, if you have one | `logstash:5044` |
| `filebeat.livenessProbe.exec.command` | liveness probe exec command | see [values.yaml](stable/artifactory-ha/values.yaml) |
| `filebeat.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 |
| `filebeat.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 180 |
| `filebeat.livenessProbe.periodSeconds` | How often to perform the probe | 10 |
| `filebeat.readinessProbe.exec.command` | readiness probe exec command | see [values.yaml](stable/artifactory-ha/values.yaml) |
| `filebeat.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 |
| `filebeat.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 180 |
| `filebeat.readinessProbe.periodSeconds` | How often to perform the probe | 10 |
| `filebeat.resources.requests.memory` | Filebeat initial memory request | |
| `filebeat.resources.requests.cpu` | Filebeat initial cpu request | |
| `filebeat.resources.limits.memory` | Filebeat memory limit | |
| `filebeat.resources.limits.cpu` | Filebeat cpu limit | |
| `filebeat.filebeatYml` | Filebeat yaml configuration file | see [values.yaml](stable/artifactory-ha/values.yaml) |
#### FluentD, Prometheus and Grafana
To configure Prometheus and Grafana to gather metrics from Artifactory through the use of FluentD, please refer to the log analytics repo:
https://github.com/jfrog/log-analytics-prometheus
That repo contains a file `artifactory-ha-values.yaml` that can be used to deploy Prometheus, Service Monitor, and Grafana with this chart.
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
## Useful links
- https://www.jfrog.com/confluence/display/EP/Getting+Started

6
charts/artifactory-ha/UPGRADE_NOTES.md
View File

@ -1,10 +1,14 @@
# JFrog Artifactory Chart Upgrade Notes
This file describes special upgrade notes needed at specific versions
## Upgrade from 1.X to 2.X (Chart Versions)
## Upgrade from 1.X to 2.X and above (Chart Versions)
* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you!**
* To upgrade from a version prior to 1.x, you first need to upgrade to latest version of 1.x as described in https://github.com/jfrog/charts/blob/master/stable/artifactory-ha/CHANGELOG.md.
* Note: If you are upgrading from 1.x to 4.x and above chart versions, please delete the existing statefulset of postgresql before upgrading the chart due to breaking changes in postgresql subchart.
```bash
kubectl delete statefulsets <OLD_RELEASE_NAME>-postgresql
```
## Upgrade from 0.X to 1.X (Chart Versions)
**DOWNTIME IS REQUIRED FOR AN UPGRADE!**

6
charts/artifactory-ha/charts/postgresql/Chart.yaml
View File

@ -1,5 +1,7 @@
annotations:
category: Database
apiVersion: v1
appVersion: 11.7.0
appVersion: 11.9.0
description: Chart for PostgreSQL, an object-relational database management system
(ORDBMS) with an emphasis on extensibility and on standards-compliance.
engine: gotpl
@ -20,4 +22,4 @@ maintainers:
name: postgresql
sources:
- https://github.com/bitnami/bitnami-docker-postgresql
version: 8.7.3
version: 9.3.4

136
charts/artifactory-ha/charts/postgresql/README.md
View File

@ -4,7 +4,7 @@
For HA, please see [this repo](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha)
## TL;DR;
## TL;DR
```console
$ helm repo add bitnami https://charts.bitnami.com/bitnami
@ -20,7 +20,7 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment
## Prerequisites
- Kubernetes 1.12+
- Helm 2.11+ or Helm 3.0-beta3+
- Helm 2.12+ or Helm 3.0-beta3+
- PV provisioner support in the underlying infrastructure
## Installing the Chart
@ -42,7 +42,15 @@ To uninstall/delete the `my-release` deployment:
$ helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release.
To delete the PVC's associated with `my-release`:
```console
$ kubectl delete pvc -l release=my-release
```
> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it.
## Parameters
@ -95,10 +103,10 @@ The following tables lists the configurable parameters of the PostgreSQL chart a
| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` |
| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.slaveReplicas`. | `0` |
| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` |
| `existingSecret` | Name of existing secret to use for PostgreSQL passwords. The secret has to contain the keys `postgresql-postgres-password` which is the password for `postgresqlUsername` when it is different of `postgres`, `postgresql-password` which will override `postgresqlPassword`, `postgresql-replication-password` which will override `replication.password` and `postgresql-ldap-password` which will be sed to authenticate on LDAP. The value is evaluated as a template. | `nil` |
| `postgresqlPostgresPassword` | PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`) | _random 10 character alphanumeric string_ |
| `postgresqlUsername` | PostgreSQL admin user | `postgres` |
| `postgresqlPassword` | PostgreSQL admin password | _random 10 character alphanumeric string_ |
| `existingSecret` | Name of existing secret to use for PostgreSQL passwords. The secret has to contain the keys `postgresql-postgres-password` which is the password for `postgresqlUsername` when it is different of `postgres`, `postgresql-password` which will override `postgresqlPassword`, `postgresql-replication-password` which will override `replication.password` and `postgresql-ldap-password` which will be sed to authenticate on LDAP. The value is evaluated as a template. | `nil` |
| `postgresqlPostgresPassword` | PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`, in which case`postgres` is the admin username). | _random 10 character alphanumeric string_ |
| `postgresqlUsername` | PostgreSQL user (creates a non-admin user when `postgresqlUsername` is not `postgres`) | `postgres` |
| `postgresqlPassword` | PostgreSQL user password | _random 10 character alphanumeric string_ |
| `postgresqlDatabase` | PostgreSQL database | `nil` |
| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql` (same value as persistence.mountPath) |
| `extraEnv` | Any extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `[]` |
@ -112,7 +120,7 @@ The following tables lists the configurable parameters of the PostgreSQL chart a
| `extendedConfConfigMap` | ConfigMap with the extended PostgreSQL configuration files. The value is evaluated as a template. | `nil` |
| `initdbScripts` | Dictionary of initdb scripts | `nil` |
| `initdbUser` | PostgreSQL user to execute the .sql and sql.gz scripts | `nil` |
| `initdbPassword` | Password for the user specified in `initdbUser` | `nil` |
| `initdbPassword` | Password for the user specified in `initdbUser` | `nil` |
| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template. | `nil` |
| `initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`). The value is evaluated as a template. | `nil` |
| `service.type` | Kubernetes Service type | `ClusterIP` |
@ -132,6 +140,7 @@ The following tables lists the configurable parameters of the PostgreSQL chart a
| `persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `[ReadWriteOnce]` |
| `persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` |
| `persistence.annotations` | Annotations for the PVC | `{}` |
| `commonAnnotations` | Annotations to be added to all deployed resources (rendered as a template) | `{}` |
| `master.nodeSelector` | Node labels for pod assignment (postgresql master) | `{}` |
| `master.affinity` | Affinity labels for pod assignment (postgresql master) | `{}` |
| `master.tolerations` | Toleration labels for pod assignment (postgresql master) | `[]` |
@ -139,7 +148,7 @@ The following tables lists the configurable parameters of the PostgreSQL chart a
| `master.labels` | Map of labels to add to the statefulset (postgresql master) | `{}` |
| `master.podAnnotations` | Map of annotations to add to the pods (postgresql master) | `{}` |
| `master.podLabels` | Map of labels to add to the pods (postgresql master) | `{}` |
| `master.priorityClassName` | Priority Class to use for each pod (postgresql master) | `nil` |
| `master.priorityClassName` | Priority Class to use for each pod (postgresql master) | `nil` |
| `master.extraInitContainers` | Additional init containers to add to the pods (postgresql master) | `[]` |
| `master.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql master) | `[]` |
| `master.extraVolumes` | Additional volumes to add to the pods (postgresql master) | `[]` |
@ -154,7 +163,7 @@ The following tables lists the configurable parameters of the PostgreSQL chart a
| `slave.labels` | Map of labels to add to the statefulsets (postgresql slave) | `{}` |
| `slave.podAnnotations` | Map of annotations to add to the pods (postgresql slave) | `{}` |
| `slave.podLabels` | Map of labels to add to the pods (postgresql slave) | `{}` |
| `slave.priorityClassName` | Priority Class to use for each pod (postgresql slave) | `nil` |
| `slave.priorityClassName` | Priority Class to use for each pod (postgresql slave) | `nil` |
| `slave.extraInitContainers` | Additional init containers to add to the pods (postgresql slave) | `[]` |
| `slave.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql slave) | `[]` |
| `slave.extraVolumes` | Additional volumes to add to the pods (postgresql slave) | `[]` |
@ -162,13 +171,14 @@ The following tables lists the configurable parameters of the PostgreSQL chart a
| `slave.service.type` | Allows using a different service type for Slave | `nil` |
| `slave.service.nodePort` | Allows using a different nodePort for Slave | `nil` |
| `slave.service.clusterIP` | Allows using a different clusterIP for Slave | `nil` |
| `slave.persistence.enabled` | Whether to enable slave replicas persistence | `true` |
| `terminationGracePeriodSeconds` | Seconds the pod needs to terminate gracefully | `nil` |
| `resources` | CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `250m` |
| `securityContext.enabled` | Enable security context | `true` |
| `securityContext.fsGroup` | Group ID for the container | `1001` |
| `securityContext.runAsUser` | User ID for the container | `1001` |
| `serviceAccount.enabled` | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) | `false` |
| `serviceAcccount.name` | Name of existing service account | `nil` |
| `serviceAccount.name` | Name of existing service account | `nil` |
| `livenessProbe.enabled` | Would you like a livenessProbe to be enabled | `true` |
| `networkPolicy.enabled` | Enable NetworkPolicy | `false` |
| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
@ -184,6 +194,13 @@ The following tables lists the configurable parameters of the PostgreSQL chart a
| `readinessProbe.timeoutSeconds` | When the probe times out | 5 |
| `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 |
| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 |
| `tls.enabled` | Enable TLS traffic support | `false` |
| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` |
| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `nil` |
| `tls.certFilename` | Certificate filename | `""` |
| `tls.certKeyFilename` | Certificate key filename | `""` |
| `tls.certCAFilename` | CA Certificate filename. If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate. |`nil` |
| `tls.crlFilename` | File containing a Certificate Revocation List |`nil` |
| `metrics.enabled` | Start a prometheus exporter | `false` |
| `metrics.service.type` | Kubernetes Service type | `ClusterIP` |
| `service.clusterIP` | Static clusterIP or None for headless services | `nil` |
@ -198,12 +215,13 @@ The following tables lists the configurable parameters of the PostgreSQL chart a
| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` |
| `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | the same namespace as postgresql |
| `metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be created, check values for an example. | `[]` |
| `metrics.image.registry` | PostgreSQL Image registry | `docker.io` |
| `metrics.image.repository` | PostgreSQL Image name | `bitnami/postgres-exporter` |
| `metrics.image.tag` | PostgreSQL Image tag | `{TAG_NAME}` |
| `metrics.image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` |
| `metrics.image.registry` | PostgreSQL Exporter Image registry | `docker.io` |
| `metrics.image.repository` | PostgreSQL Exporter Image name | `bitnami/postgres-exporter` |
| `metrics.image.tag` | PostgreSQL Exporter Image tag | `{TAG_NAME}` |
| `metrics.image.pullPolicy` | PostgreSQL Exporter Image pull policy | `IfNotPresent` |
| `metrics.image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) |
| `metrics.customMetrics` | Additional custom metrics | `nil` |
| `metrics.extraEnvVars` | Extra environment variables to add to exporter | `{}` (evaluated as a template) |
| `metrics.securityContext.enabled` | Enable security context for metrics | `false` |
| `metrics.securityContext.runAsUser` | User ID for the container for metrics | `1001` |
| `metrics.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 |
@ -218,6 +236,9 @@ The following tables lists the configurable parameters of the PostgreSQL chart a
| `metrics.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 |
| `metrics.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 |
| `updateStrategy` | Update strategy policy | `{type: "RollingUpdate"}` |
| `psp.create` | Create Pod Security Policy | `false` |
| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
@ -287,7 +308,7 @@ At the top level, there is a service object which defines the services for both
### Change PostgreSQL version
To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=12.0.0`
To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters.
### postgresql.conf / pg_hba.conf files as configMap
@ -316,6 +337,35 @@ In addition to these options, you can also set an external ConfigMap with all th
The allowed extensions are `.sh`, `.sql` and `.sql.gz`.
### Securing traffic using TLS
TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart:
- `tls.enabled`: Enable TLS support. Defaults to `false`
- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults.
- `tls.certFilename`: Certificate filename. No defaults.
- `tls.certKeyFilename`: Certificate key filename. No defaults.
For example:
* First, create the secret with the cetificates files:
```console
kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt
```
* Then, use the following parameters:
```console
volumePermissions.enabled=true
tls.enabled=true
tls.certificatesSecret="certificates-tls-secret"
tls.certFilename="cert.crt"
tls.certKeyFilename="cert.key"
```
> Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `securityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected.
### Sidecars
If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec.
@ -443,6 +493,60 @@ $ helm upgrade my-release stable/postgresql \
> Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_, and _[REPLICATION_PASSWORD]_ with the values obtained from instructions in the installation notes.
## 9.0.0
In this version the chart was adapted to follow the Helm label best practices, see [PR 3021](https://github.com/bitnami/charts/pull/3021). That means the backward compatibility is not guarantee when upgrading the chart to this major version.
As a workaround, you can delete the existing statefulset (using the `--cascade=false` flag pods are not deleted) before upgrade the chart. For example, this can be a valid workflow:
- Deploy an old version (8.X.X)
```console
$ helm install postgresql bitnami/postgresql --version 8.10.14
```
- Old version is up and running
```console
$ helm ls
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
postgresql default 1 2020-08-04 13:39:54.783480286 +0000 UTC deployed postgresql-8.10.14 11.8.0
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
postgresql-postgresql-0 1/1 Running 0 76s
```
- The upgrade to the latest one (9.X.X) is going to fail
```console
$ helm upgrade postgresql bitnami/postgresql
Error: UPGRADE FAILED: cannot patch "postgresql-postgresql" with kind StatefulSet: StatefulSet.apps "postgresql-postgresql" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden
```
- Delete the statefulset
```console
$ kubectl delete statefulsets.apps --cascade=false postgresql-postgresql
statefulset.apps "postgresql-postgresql" deleted
```
- Now the upgrade works
```cosnole
$ helm upgrade postgresql bitnami/postgresql
$ helm ls
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
postgresql default 3 2020-08-04 13:42:08.020385884 +0000 UTC deployed postgresql-9.1.2 11.8.0
```
- We can kill the existing pod and the new statefulset is going to create a new one:
```console
$ kubectl delete pod postgresql-postgresql-0
pod "postgresql-postgresql-0" deleted
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
postgresql-postgresql-0 1/1 Running 0 19s
```
Please, note that without the `--cascade=false` both objects (statefulset and pod) are going to be removed and both objects will be deployed again with the `helm upgrade` command
## 8.0.0
Prefixes the port names with their protocols to comply with Istio conventions.

22
charts/artifactory-ha/charts/postgresql/charts/common/.helmignore Executable file
View File

@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

22
charts/artifactory-ha/charts/postgresql/charts/common/Chart.yaml Executable file
View File

@ -0,0 +1,22 @@
annotations:
category: Infrastructure
apiVersion: v1
appVersion: 0.6.2
description: A Library Helm Chart for grouping common logic between bitnami charts.
This chart is not deployable by itself.
engine: gotpl
home: http://www.bitnami.com/
icon: https://bitnami.com/downloads/logos/bitnami-mark.png
keywords:
- common
- helper
- template
- function
- bitnami
maintainers:
- email: containers@bitnami.com
name: Bitnami
name: common
sources:
- https://github.com/bitnami/charts
version: 0.6.2

274
charts/artifactory-ha/charts/postgresql/charts/common/README.md Executable file
View File

@ -0,0 +1,274 @@
# Bitnami Common Library Chart
A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts.
## TL;DR
```yaml
dependencies:
- name: common
version: 0.x.x
repository: https://charts.bitnami.com/bitnami
```
```bash
$ helm dependency update
```
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "common.names.fullname" . }}
data:
myvalue: "Hello World"
```
## Introduction
This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.
## Prerequisites
- Kubernetes 1.12+
- Helm 2.12+ or Helm 3.0-beta3+
## Parameters
The following table lists the helpers available in the library which are scoped in different sections.
**Names**
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context |
| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context |
| `common.names.chart` | Chart name plus version | `.` Chart context |
**Images**
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. |
| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` |
**Labels**
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context |
| `common.labels.matchLabels` | Return the proper Docker Image Registry Secret Names | `.` Chart context |
**Storage**
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. |
**TplValues**
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frecuently is the chart context `$` or `.` |
**Capabilities**
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context |
| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context |
**Validations**
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "context" $` secret and field are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) |
| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) |
| `common.validations.values.mariadb.passwords` | When a chart is using `bitnami/mariadb` as subchart you should use this to validate required password are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "context" $` |
| `common.validations.values.postgresql.passwords` | This helper will ensure required password are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. |
**Warnings**
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. |
**Errors**
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` |
**Utils**
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` |
| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` |
**Secrets**
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. |
| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. |
## Special input schemas
### ImageRoot
```yaml
registry:
type: string
description: Docker registry where the image is located
example: docker.io
repository:
type: string
description: Repository and image name
example: bitnami/nginx
tag:
type: string
description: image tag
example: 1.16.1-debian-10-r63
pullPolicy:
type: string
description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
pullSecrets:
type: array
items:
type: string
description: Optionally specify an array of imagePullSecrets.
debug:
type: boolean
description: Set to true if you would like to see extra information on logs
example: false
## An instance would be:
# registry: docker.io
# repository: bitnami/nginx
# tag: 1.16.1-debian-10-r63
# pullPolicy: IfNotPresent
# debug: false
```
### Persistence
```yaml
enabled:
type: boolean
description: Whether enable persistence.
example: true
storageClass:
type: string
description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning.
example: "-"
accessMode:
type: string
description: Access mode for the Persistent Volume Storage.
example: ReadWriteOnce
size:
type: string
description: Size the Persistent Volume Storage.
example: 8Gi
path:
type: string
description: Path to be persisted.
example: /bitnami
## An instance would be:
# enabled: true
# storageClass: "-"
# accessMode: ReadWriteOnce
# size: 8Gi
# path: /bitnami
```
### ExistingSecret
```yaml
name:
type: string
description: Name of the existing secret.
example: mySecret
keyMapping:
description: Mapping between the expected key name and the name of the key in the existing secret.
type: object
## An instance would be:
# name: mySecret
# keyMapping:
# password: myPasswordKey
```
**Example of use**
When we store sensitive data for a deployment in a secret, some times we want to give to users the possiblity of using theirs existing secrets.
```yaml
# templates/secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}
labels:
app: {{ include "common.names.fullname" . }}
type: Opaque
data:
password: {{ .Values.password | b64enc | quote }}
# templates/dpl.yaml
---
...
env:
- name: PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }}
...
# values.yaml
---
name: mySecret
keyMapping:
password: myPasswordKey
```
### ValidateValue
**NOTES.txt**
```
{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}}
{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}}
{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
```
If we force those values to be empty we will see some alerts
```console
$ helm install test mychart --set path.to.value00="",path.to.value01=""
'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value:
export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode)
'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value:
export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode)
```
## Notable changes
N/A

22
charts/artifactory-ha/charts/postgresql/charts/common/templates/_capabilities.tpl Executable file
View File

@ -0,0 +1,22 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the appropriate apiVersion for deployment.
*/}}
{{- define "common.capabilities.deployment.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress.
*/}}
{{- define "common.capabilities.ingress.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- end -}}
{{- end -}}

20
charts/artifactory-ha/charts/postgresql/charts/common/templates/_errors.tpl Executable file
View File

@ -0,0 +1,20 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Through error when upgrading using empty passwords values that must not be empty.
Usage:
{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
Required password params:
- validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
- context - Context - Required. Parent context.
*/}}
{{- define "common.errors.upgrade.passwords.empty" -}}
{{- $validationErrors := join "" .validationErrors -}}
{{- if and $validationErrors .context.Release.IsUpgrade -}}
{{- $errorString := "\nPASSWORDS ERROR: you must provide your current passwords when upgrade the release%s" -}}
{{- printf $errorString $validationErrors | fail -}}
{{- end -}}
{{- end -}}

43
charts/artifactory-ha/charts/postgresql/charts/common/templates/_images.tpl Executable file
View File

@ -0,0 +1,43 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper image name
{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }}
*/}}
{{- define "common.images.image" -}}
{{- $registryName := .imageRoot.registry -}}
{{- $repositoryName := .imageRoot.repository -}}
{{- $tag := .imageRoot.tag | toString -}}
{{- if .global }}
{{- if .global.imageRegistry }}
{{- $registryName = .global.imageRegistry -}}
{{- end -}}
{{- end -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
*/}}
{{- define "common.images.pullSecrets" -}}
{{- $pullSecrets := list }}
{{- if .global }}
{{- range .global.imagePullSecrets -}}
{{- $pullSecrets = append $pullSecrets . -}}
{{- end -}}
{{- end -}}
{{- range .images -}}
{{- range .pullSecrets -}}
{{- $pullSecrets = append $pullSecrets . -}}
{{- end -}}
{{- end -}}
{{- if (not (empty $pullSecrets)) }}
imagePullSecrets:
{{- range $pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- end -}}

18
charts/artifactory-ha/charts/postgresql/charts/common/templates/_labels.tpl Executable file
View File

@ -0,0 +1,18 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Kubernetes standard labels
*/}}
{{- define "common.labels.standard" -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}
helm.sh/chart: {{ include "common.names.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
*/}}
{{- define "common.labels.matchLabels" -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}

32
charts/artifactory-ha/charts/postgresql/charts/common/templates/_names.tpl Executable file
View File

@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "common.names.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "common.names.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "common.names.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

49
charts/artifactory-ha/charts/postgresql/charts/common/templates/_secrets.tpl Executable file
View File

@ -0,0 +1,49 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Generate secret name.
Usage:
{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
Params:
- existingSecret - ExistingSecret - Optional. The path to the existing secrets in the values.yaml given by the user
to be used istead of the default one. +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret
- defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
- context - Dict - Required. The context for the template evaluation.
*/}}
{{- define "common.secrets.name" -}}
{{- $name := (include "common.names.fullname" .context) -}}
{{- if .defaultNameSuffix -}}
{{- $name = cat $name .defaultNameSuffix -}}
{{- end -}}
{{- with .existingSecret -}}
{{- $name = .name -}}
{{- end -}}
{{- printf "%s" $name -}}
{{- end -}}
{{/*
Generate secret key.
Usage:
{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
Params:
- existingSecret - ExistingSecret - Optional. The path to the existing secrets in the values.yaml given by the user
to be used istead of the default one. +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret
- key - String - Required. Name of the key in the secret.
*/}}
{{- define "common.secrets.key" -}}
{{- $key := .key -}}
{{- if .existingSecret -}}
{{- if .existingSecret.keyMapping -}}
{{- $key = index .existingSecret.keyMapping $.key -}}
{{- end -}}
{{- end -}}
{{- printf "%s" $key -}}
{{- end -}}

23
charts/artifactory-ha/charts/postgresql/charts/common/templates/_storage.tpl Executable file
View File

@ -0,0 +1,23 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper Storage Class
{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
*/}}
{{- define "common.storage.class" -}}
{{- $storageClass := .persistence.storageClass -}}
{{- if .global -}}
{{- if .global.storageClass -}}
{{- $storageClass = .global.storageClass -}}
{{- end -}}
{{- end -}}
{{- if $storageClass -}}
{{- if (eq "-" $storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" $storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}

13
charts/artifactory-ha/charts/postgresql/charts/common/templates/_tplvalues.tpl Executable file
View File

@ -0,0 +1,13 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Renders a value that contains template.
Usage:
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "common.tplvalues.render" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}

26
charts/artifactory-ha/charts/postgresql/charts/common/templates/_utils.tpl Executable file
View File

@ -0,0 +1,26 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Print instructions to get a secret value.
Usage:
{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }}
*/}}
{{- define "common.utils.secret.getvalue" -}}
{{- $varname := include "common.utils.fieldToEnvVar" . -}}
export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode)
{{- end -}}
{{/*
Build env var name given a field
Usage:
{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }}
*/}}
{{- define "common.utils.fieldToEnvVar" -}}
{{- $fieldNameSplit := splitList "-" .field -}}
{{- $upperCaseFieldNameSplit := list -}}
{{- range $fieldNameSplit -}}
{{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}}
{{- end -}}
{{ join "_" $upperCaseFieldNameSplit }}
{{- end -}}

219
charts/artifactory-ha/charts/postgresql/charts/common/templates/_validations.tpl Executable file
View File

@ -0,0 +1,219 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate values must not be empty.
Usage:
{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}}
{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}}
{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
Validate value params:
- valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
- secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
- field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
*/}}
{{- define "common.validations.values.multiple.empty" -}}
{{- range .required -}}
{{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}}
{{- end -}}
{{- end -}}
{{/*
Validate a value must not be empty.
Usage:
{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "context" $) }}
Validate value params:
- valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
- secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
- field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
*/}}
{{- define "common.validations.values.single.empty" -}}
{{- $valueKeyArray := splitList "." .valueKey -}}
{{- $value := "" -}}
{{- $latestObj := $.context.Values -}}
{{- range $valueKeyArray -}}
{{- if not $latestObj -}}
{{- printf "please review the entire path of '%s' exists in values" $.valueKey | fail -}}
{{- end -}}
{{- $value = ( index $latestObj . ) -}}
{{- $latestObj = $value -}}
{{- end -}}
{{- if not $value -}}
{{- $varname := "my-value" -}}
{{- $getCurrentValue := "" -}}
{{- if and .secret .field -}}
{{- $varname = include "common.utils.fieldToEnvVar" . -}}
{{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}}
{{- end -}}
{{- printf "\n '%s' must not be empty, please add '--set %s=$%s' to the command.%s" .valueKey .valueKey $varname $getCurrentValue -}}
{{- end -}}
{{- end -}}
{{/*
Validate a mariadb required password must not be empty.
Usage:
{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "context" $) }}
Validate value params:
- secret - String - Required. Name of the secret where mysql values are stored, e.g: "mysql-passwords-secret"
*/}}
{{- define "common.validations.values.mariadb.passwords" -}}
{{- if and (not .context.Values.mariadb.existingSecret) .context.Values.mariadb.enabled -}}
{{- $requiredPasswords := list -}}
{{- if .context.Values.mariadb.secret.requirePasswords -}}
{{- $requiredRootMariadbPassword := dict "valueKey" "mariadb.rootUser.password" "secret" .secretName "field" "mariadb-root-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRootMariadbPassword -}}
{{- if not (empty .context.Values.mariadb.db.user) -}}
{{- $requiredMariadbPassword := dict "valueKey" "mariadb.db.password" "secret" .secretName "field" "mariadb-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredMariadbPassword -}}
{{- end -}}
{{- if .context.Values.mariadb.replication.enabled -}}
{{- $requiredReplicationPassword := dict "valueKey" "mariadb.replication.password" "secret" .secretName "field" "mariadb-replication-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Validate a postgresql required password must not be empty.
Usage:
{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where postgresql values are stored, e.g: "mysql-passwords-secret"
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.postgresql.passwords" -}}
{{- $existingSecret := include "common.postgresql.values.existingSecret" . -}}
{{- $enabled := include "common.postgresql.values.enabled" . -}}
{{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}}
{{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}}
{{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}}
{{- if and (not $existingSecret) $enabled -}}
{{- $requiredPasswords := list -}}
{{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}}
{{- if $enabledReplication -}}
{{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to decide whether evaluate global values.
Usage:
{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }}
Params:
- key - String - Required. Field to be evaluated within global, e.g: "existingSecret"
*/}}
{{- define "common.postgresql.values.use.global" -}}
{{- if .context.Values.global -}}
{{- if .context.Values.global.postgresql -}}
{{- index .context.Values.global.postgresql .key | quote -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for existingSecret.
Usage:
{{ include "common.postgresql.values.existingSecret" (dict "context" $) }}
*/}}
{{- define "common.postgresql.values.existingSecret" -}}
{{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}}
{{- if .subchart -}}
{{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}}
{{- else -}}
{{- default (.context.Values.existingSecret | quote) $globalValue -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for enabled postgresql.
Usage:
{{ include "common.postgresql.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.postgresql.values.enabled" -}}
{{- if .subchart -}}
{{- .context.Values.postgresql.enabled | quote -}}
{{- else -}}
true
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for the key postgressPassword.
Usage:
{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.key.postgressPassword" -}}
{{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}}
{{- if not $globalValue -}}
{{- if .subchart -}}
postgresql.postgresqlPassword
{{- else -}}
postgresqlPassword
{{- end -}}
{{- else -}}
global.postgresql.postgresqlPassword
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for enabled.replication.
Usage:
{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.enabled.replication" -}}
{{- if .subchart -}}
{{- .context.Values.postgresql.replication.enabled | quote -}}
{{- else -}}
{{- .context.Values.replication.enabled | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for the key replication.password.
Usage:
{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.key.replicationPassword" -}}
{{- if .subchart -}}
postgresql.replication.password
{{- else -}}
replication.password
{{- end -}}
{{- end -}}

14
charts/artifactory-ha/charts/postgresql/charts/common/templates/_warnings.tpl Executable file
View File

@ -0,0 +1,14 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Warning about using rolling tag.
Usage:
{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }}
*/}}
{{- define "common.warnings.rollingTag" -}}
{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}
{{- end -}}

3
charts/artifactory-ha/charts/postgresql/charts/common/values.yaml Executable file
View File

@ -0,0 +1,3 @@
## bitnami/common
## It is required by CI/CD tools and processes.
exampleValue: common-chart

3
charts/artifactory-ha/charts/postgresql/ci/commonAnnotations.yaml Executable file
View File

@ -0,0 +1,3 @@
commonAnnotations:
helm.sh/hook: 'pre-install, pre-upgrade'
helm.sh/hook-weight: '-1'

6
charts/artifactory-ha/charts/postgresql/requirements.lock Executable file
View File

@ -0,0 +1,6 @@
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
version: 0.6.2
digest: sha256:740783295d301fdd168fafdbaa760de27ab54b0ff36b513589a5a2515072b885
generated: "2020-09-01T17:40:02.795096189Z"

4
charts/artifactory-ha/charts/postgresql/requirements.yaml Executable file
View File

@ -0,0 +1,4 @@
dependencies:
- name: common
version: 0.x.x
repository: https://charts.bitnami.com/bitnami

9
charts/artifactory-ha/charts/postgresql/templates/NOTES.txt
View File

@ -7,7 +7,7 @@ PostgreSQL can be accessed via port {{ template "postgresql.port" . }} on the fo
{{ template "postgresql.fullname" . }}-read.{{ .Release.Namespace }}.svc.cluster.local - Read only connection
{{- end }}
{{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
{{- if and (not (eq .Values.postgresqlUsername "postgres")) (or .Values.postgresqlPostgresPassword (include "postgresql.useExistingSecret" .)) }}
To get the password for "postgres" run:
@ -52,9 +52,8 @@ To connect to your database from outside the cluster execute the following comma
{{- include "postgresql.validateValues" . -}}
{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }}
{{- include "common.warnings.rollingTag" .Values.image -}}
WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- $passwordValidationErrors := include "common.validations.values.postgresql.passwords" (dict "secret" (include "postgresql.fullname" .) "context" $) -}}
{{- end }}
{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}}

91
charts/artifactory-ha/charts/postgresql/templates/_helpers.tpl
View File

@ -220,13 +220,20 @@ Get the password secret.
{{- end -}}
{{- end -}}
{{/*
Return true if we should use an existingSecret.
*/}}
{{- define "postgresql.useExistingSecret" -}}
{{- if or .Values.global.postgresql.existingSecret .Values.existingSecret -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a secret object should be created
*/}}
{{- define "postgresql.createSecret" -}}
{{- if .Values.global.postgresql.existingSecret }}
{{- else if .Values.existingSecret -}}
{{- else -}}
{{- if not (include "postgresql.useExistingSecret" .) -}}
{{- true -}}
{{- end -}}
{{- end -}}
@ -253,6 +260,15 @@ Get the extended configuration ConfigMap name.
{{- end -}}
{{- end -}}
{{/*
Return true if a configmap should be mounted with PostgreSQL configuration
*/}}
{{- define "postgresql.mountConfigurationCM" -}}
{{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Get the initialization scripts ConfigMap name.
*/}}
@ -325,9 +341,9 @@ Get the readiness probe command
{{- define "postgresql.readinessProbeCommand" -}}
- |
{{- if (include "postgresql.database" .) }}
exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }}
{{- else }}
exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
{{- end }}
{{- if contains "bitnami/" .Values.image.repository }}
[ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
@ -399,6 +415,8 @@ Compile all warnings into a single message, and call fail.
{{- define "postgresql.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}}
{{- $messages := append $messages (include "postgresql.validateValues.psp" .) -}}
{{- $messages := append $messages (include "postgresql.validateValues.tls" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
@ -418,3 +436,66 @@ postgresql: ldap.url, ldap.server
More info at https://www.postgresql.org/docs/current/auth-ldap.html
{{- end -}}
{{- end -}}
{{/*
Validate values of Postgresql - If PSP is enabled RBAC should be enabled too
*/}}
{{- define "postgresql.validateValues.psp" -}}
{{- if and .Values.psp.create (not .Values.rbac.create) }}
postgresql: psp.create, rbac.create
RBAC should be enabled if PSP is enabled in order for PSP to work.
More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for podsecuritypolicy.
*/}}
{{- define "podsecuritypolicy.apiVersion" -}}
{{- if semverCompare "<1.10-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "policy/v1beta1" -}}
{{- end -}}
{{- end -}}
{{/*
Validate values of Postgresql TLS - When TLS is enabled, so must be VolumePermissions
*/}}
{{- define "postgresql.validateValues.tls" -}}
{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
postgresql: tls.enabled, volumePermissions.enabled
When TLS is enabled you must enable volumePermissions as well to ensure certificates files have
the right permissions.
{{- end -}}
{{- end -}}
{{/*
Return the path to the cert file.
*/}}
{{- define "postgresql.tlsCert" -}}
{{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
{{- end -}}
{{/*
Return the path to the cert key file.
*/}}
{{- define "postgresql.tlsCertKey" -}}
{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
{{- end -}}
{{/*
Return the path to the CA cert file.
*/}}
{{- define "postgresql.tlsCACert" -}}
{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}}
{{- end -}}
{{/*
Return the path to the CRL file.
*/}}
{{- define "postgresql.tlsCRL" -}}
{{- if .Values.tls.crlFilename -}}
{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}}
{{- end -}}
{{- end -}}

8
charts/artifactory-ha/charts/postgresql/templates/configmap.yaml
View File

@ -4,10 +4,10 @@ kind: ConfigMap
metadata:
name: {{ template "postgresql.fullname" . }}-configuration
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
{{- if (.Files.Glob "files/postgresql.conf") }}
{{ (.Files.Glob "files/postgresql.conf").AsConfig | indent 2 }}

8
charts/artifactory-ha/charts/postgresql/templates/extended-config-configmap.yaml
View File

@ -4,10 +4,10 @@ kind: ConfigMap
metadata:
name: {{ template "postgresql.fullname" . }}-extended-configuration
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
{{- with .Files.Glob "files/conf.d/*.conf" }}
{{ .AsConfig | indent 2 }}

8
charts/artifactory-ha/charts/postgresql/templates/initialization-configmap.yaml
View File

@ -4,10 +4,10 @@ kind: ConfigMap
metadata:
name: {{ template "postgresql.fullname" . }}-init-scripts
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.sql.gz" }}
binaryData:
{{- range $path, $bytes := . }}

8
charts/artifactory-ha/charts/postgresql/templates/metrics-configmap.yaml
View File

@ -4,10 +4,10 @@ kind: ConfigMap
metadata:
name: {{ template "postgresql.metricsCM" . }}
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
{{- end }}

13
charts/artifactory-ha/charts/postgresql/templates/metrics-svc.yaml
View File

@ -4,12 +4,12 @@ kind: Service
metadata:
name: {{ template "postgresql.fullname" . }}-metrics
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- include "common.labels.standard" . | nindent 4 }}
annotations:
{{ toYaml .Values.metrics.service.annotations | indent 4 }}
{{- if .Values.commonAnnotations }}
{{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- toYaml .Values.metrics.service.annotations | nindent 4 }}
spec:
type: {{ .Values.metrics.service.type }}
{{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }}
@ -20,7 +20,6 @@ spec:
port: 9187
targetPort: http-metrics
selector:
app: {{ template "postgresql.name" . }}
release: {{ .Release.Name }}
{{- include "common.labels.matchLabels" . | nindent 4 }}
role: master
{{- end }}

14
charts/artifactory-ha/charts/postgresql/templates/networkpolicy.yaml
View File

@ -4,15 +4,14 @@ apiVersion: {{ template "postgresql.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels:
app: {{ template "postgresql.name" . }}
release: {{ .Release.Name | quote }}
{{- include "common.labels.matchLabels" . | nindent 6 }}
ingress:
# Allow inbound connections
- ports:
@ -28,8 +27,7 @@ spec:
{{- end }}
- podSelector:
matchLabels:
app: {{ template "postgresql.name" . }}
release: {{ .Release.Name | quote }}
{{- include "common.labels.matchLabels" . | nindent 14 }}
role: slave
{{- end }}
# Allow prometheus scrapes

37
charts/artifactory-ha/charts/postgresql/templates/podsecuritypolicy.yaml Executable file
View File

@ -0,0 +1,37 @@
{{- if .Values.psp.create }}
apiVersion: {{ include "podsecuritypolicy.apiVersion" . }}
kind: PodSecurityPolicy
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
privileged: false
volumes:
- 'configMap'
- 'secret'
- 'persistentVolumeClaim'
- 'emptyDir'
- 'projected'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}

14
charts/artifactory-ha/charts/postgresql/templates/prometheusrule.yaml
View File

@ -7,13 +7,13 @@ metadata:
namespace: {{ . }}
{{- end }}
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- with .Values.metrics.prometheusRule.additionalLabels }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- include "common.labels.standard" . | nindent 4 }}
{{- with .Values.metrics.prometheusRule.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- with .Values.metrics.prometheusRule.rules }}
groups:

19
charts/artifactory-ha/charts/postgresql/templates/role.yaml Executable file
View File

@ -0,0 +1,19 @@
{{- if .Values.rbac.create }}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
{{- if .Values.psp.create }}
- apiGroups: ["extensions"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
resourceNames:
- {{ template "postgresql.fullname" . }}
{{- end }}
{{- end }}

19
charts/artifactory-ha/charts/postgresql/templates/rolebinding.yaml Executable file
View File

@ -0,0 +1,19 @@
{{- if .Values.rbac.create }}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
kind: Role
name: {{ template "postgresql.fullname" . }}
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
{{- end }}

8
charts/artifactory-ha/charts/postgresql/templates/secrets.yaml
View File

@ -4,10 +4,10 @@ kind: Secret
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}

10
charts/artifactory-ha/charts/postgresql/templates/serviceaccount.yaml
View File

@ -3,9 +3,9 @@ apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- include "common.labels.standard" . | nindent 4 }}
name: {{ template "postgresql.fullname" . }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}

14
charts/artifactory-ha/charts/postgresql/templates/servicemonitor.yaml
View File

@ -7,13 +7,14 @@ metadata:
namespace: {{ .Values.metrics.serviceMonitor.namespace }}
{{- end }}
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.metrics.serviceMonitor.additionalLabels }}
{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }}
{{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
endpoints:
- port: http-metrics
@ -28,6 +29,5 @@ spec:
- {{ .Release.Namespace }}
selector:
matchLabels:
app: {{ template "postgresql.name" . }}
release: {{ .Release.Name }}
{{- include "common.labels.matchLabels" . | nindent 6 }}
{{- end }}

92
charts/artifactory-ha/charts/postgresql/templates/statefulset-slaves.yaml
View File

@ -4,33 +4,29 @@ kind: StatefulSet
metadata:
name: "{{ template "postgresql.fullname" . }}-slave"
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- include "common.labels.standard" . | nindent 4 }}
{{- with .Values.slave.labels }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- with .Values.slave.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- with .Values.slave.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
serviceName: {{ template "postgresql.fullname" . }}-headless
replicas: {{ .Values.replication.slaveReplicas }}
selector:
matchLabels:
app: {{ template "postgresql.name" . }}
release: {{ .Release.Name | quote }}
{{- include "common.labels.matchLabels" . | nindent 6 }}
role: slave
template:
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- include "common.labels.standard" . | nindent 8 }}
role: slave
{{- with .Values.slave.podLabels }}
{{ toYaml . | indent 8 }}
@ -68,7 +64,7 @@ spec:
{{- end }}
{{- if or .Values.slave.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }}
initContainers:
{{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled)) }}
{{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled) }}
- name: init-chmod-data
image: {{ template "postgresql.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
@ -79,10 +75,15 @@ spec:
- /bin/sh
- -cx
- |
{{ if .Values.persistence.enabled }}
mkdir -p {{ .Values.persistence.mountPath }}/conf {{ .Values.persistence.mountPath }}/data
chmod 700 {{ .Values.persistence.mountPath }}/conf {{ .Values.persistence.mountPath }}/data
find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \
{{- if .Values.persistence.enabled }}
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.persistence.mountPath }}
{{- else }}
chown {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }}
{{- end }}
mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }}
chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }}
find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
xargs chown -R `id -u`:`id -G | cut -d " " -f2`
{{- else }}
@ -92,6 +93,15 @@ spec:
{{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }}
chmod -R 777 /dev/shm
{{- end }}
{{- if .Values.tls.enabled }}
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
{{- else }}
chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/
{{- end }}
chmod 600 {{ template "postgresql.tlsCertKey" . }}
{{- end }}
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
securityContext:
{{- else }}
@ -108,6 +118,12 @@ spec:
- name: dshm
mountPath: /dev/shm
{{- end }}
{{- if .Values.tls.enabled }}
- name: raw-certificates
mountPath: /tmp/certs
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
{{- end }}
{{- end }}
{{- if .Values.slave.extraInitContainers }}
{{ tpl .Values.slave.extraInitContainers . | indent 8 }}
@ -158,7 +174,7 @@ spec:
value: {{ template "postgresql.fullname" . }}
- name: POSTGRES_MASTER_PORT_NUMBER
value: {{ include "postgresql.port" . | quote }}
{{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
{{- if and (not (eq .Values.postgresqlUsername "postgres")) (or .Values.postgresqlPostgresPassword (include "postgresql.useExistingSecret" .)) }}
{{- if .Values.usePasswordFile }}
- name: POSTGRES_POSTGRES_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password"
@ -180,6 +196,24 @@ spec:
name: {{ template "postgresql.secretName" . }}
key: postgresql-password
{{- end }}
- name: POSTGRESQL_ENABLE_TLS
value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
{{- if .Values.tls.enabled }}
- name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }}
- name: POSTGRESQL_TLS_CERT_FILE
value: {{ template "postgresql.tlsCert" . }}
- name: POSTGRESQL_TLS_KEY_FILE
value: {{ template "postgresql.tlsCertKey" . }}
{{- if .Values.tls.certCAFilename }}
- name: POSTGRESQL_TLS_CA_FILE
value: {{ template "postgresql.tlsCACert" . }}
{{- end }}
{{- if .Values.tls.crlFilename }}
- name: POSTGRESQL_TLS_CRL_FILE
value: {{ template "postgresql.tlsCRL" . }}
{{- end }}
{{- end }}
ports:
- name: tcp-postgresql
containerPort: {{ template "postgresql.port" . }}
@ -190,9 +224,9 @@ spec:
- /bin/sh
- -c
{{- if (include "postgresql.database" .) }}
- exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
- exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }}
{{- else }}
- exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
- exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
{{- end }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
@ -236,6 +270,11 @@ spec:
- name: postgresql-config
mountPath: /bitnami/postgresql/conf
{{- end }}
{{- if .Values.tls.enabled }}
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
readOnly: true
{{- end }}
{{- if .Values.slave.extraVolumeMounts }}
{{- toYaml .Values.slave.extraVolumeMounts | nindent 12 }}
{{- end }}
@ -258,13 +297,20 @@ spec:
configMap:
name: {{ template "postgresql.extendedConfigurationCM" . }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: raw-certificates
secret:
secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }}
- name: postgresql-certificates
emptyDir: {}
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
emptyDir:
medium: Memory
sizeLimit: 1Gi
{{- end }}
{{- if not .Values.persistence.enabled }}
{{- if or (not .Values.persistence.enabled) (not .Values.slave.persistence.enabled) }}
- name: data
emptyDir: {}
{{- end }}
@ -276,7 +322,7 @@ spec:
{{- if (eq "Recreate" .Values.updateStrategy.type) }}
rollingUpdate: null
{{- end }}
{{- if .Values.persistence.enabled }}
{{- if and .Values.persistence.enabled .Values.slave.persistence.enabled }}
volumeClaimTemplates:
- metadata:
name: data

103
charts/artifactory-ha/charts/postgresql/templates/statefulset.yaml
View File

@ -3,15 +3,16 @@ kind: StatefulSet
metadata:
name: {{ template "postgresql.master.fullname" . }}
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- include "common.labels.standard" . | nindent 4 }}
{{- with .Values.master.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- with .Values.master.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
serviceName: {{ template "postgresql.fullname" . }}-headless
@ -23,20 +24,16 @@ spec:
{{- end }}
selector:
matchLabels:
app: {{ template "postgresql.name" . }}
release: {{ .Release.Name | quote }}
{{- include "common.labels.matchLabels" . | nindent 6 }}
role: master
template:
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- include "common.labels.standard" . | nindent 8 }}
role: master
{{- with .Values.master.podLabels }}
{{- toYaml . | indent 8 }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.master.podAnnotations }}
annotations: {{- toYaml . | nindent 8 }}
@ -67,7 +64,7 @@ spec:
{{- end }}
{{- if or .Values.master.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }}
initContainers:
{{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled)) }}
{{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled) }}
- name: init-chmod-data
image: {{ template "postgresql.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
@ -79,9 +76,14 @@ spec:
- -cx
- |
{{- if .Values.persistence.enabled }}
mkdir -p {{ .Values.persistence.mountPath }}/conf {{ .Values.persistence.mountPath }}/data
chmod 700 {{ .Values.persistence.mountPath }}/conf {{ .Values.persistence.mountPath }}/data
find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.persistence.mountPath }}
{{- else }}
chown {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }}
{{- end }}
mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }}
chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }}
find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
xargs chown -R `id -u`:`id -G | cut -d " " -f2`
{{- else }}
@ -91,6 +93,15 @@ spec:
{{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }}
chmod -R 777 /dev/shm
{{- end }}
{{- if .Values.tls.enabled }}
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
{{- else }}
chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/
{{- end }}
chmod 600 {{ template "postgresql.tlsCertKey" . }}
{{- end }}
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
securityContext:
{{- else }}
@ -107,9 +118,15 @@ spec:
- name: dshm
mountPath: /dev/shm
{{- end }}
{{- if .Values.tls.enabled }}
- name: raw-certificates
mountPath: /tmp/certs
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
{{- end }}
{{- end }}
{{- if .Values.master.extraInitContainers }}
{{- tpl .Values.master.extraInitContainers . | nindent 8 }}
{{- include "postgresql.tplValue" ( dict "value" .Values.master.extraInitContainers "context" $ ) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.master.priorityClassName }}
@ -177,7 +194,7 @@ spec:
- name: POSTGRES_CLUSTER_APP_NAME
value: {{ .Values.replication.applicationName }}
{{- end }}
{{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
{{- if and (not (eq .Values.postgresqlUsername "postgres")) (or .Values.postgresqlPostgresPassword (include "postgresql.useExistingSecret" .)) }}
{{- if .Values.usePasswordFile }}
- name: POSTGRES_POSTGRES_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password"
@ -243,6 +260,24 @@ spec:
- name: POSTGRESQL_LDAP_URL
value: {{ .Values.ldap.url }}
{{- end}}
- name: POSTGRESQL_ENABLE_TLS
value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
{{- if .Values.tls.enabled }}
- name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }}
- name: POSTGRESQL_TLS_CERT_FILE
value: {{ template "postgresql.tlsCert" . }}
- name: POSTGRESQL_TLS_KEY_FILE
value: {{ template "postgresql.tlsCertKey" . }}
{{- if .Values.tls.certCAFilename }}
- name: POSTGRESQL_TLS_CA_FILE
value: {{ template "postgresql.tlsCACert" . }}
{{- end }}
{{- if .Values.tls.crlFilename }}
- name: POSTGRESQL_TLS_CRL_FILE
value: {{ template "postgresql.tlsCRL" . }}
{{- end }}
{{- end }}
{{- if .Values.extraEnvVarsCM }}
envFrom:
- configMapRef:
@ -258,9 +293,9 @@ spec:
- /bin/sh
- -c
{{- if (include "postgresql.database" .) }}
- exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
- exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }}
{{- else }}
- exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
- exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
{{- end }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
@ -299,6 +334,11 @@ spec:
- name: postgresql-password
mountPath: /opt/bitnami/postgresql/secrets/
{{- end }}
{{- if .Values.tls.enabled }}
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
readOnly: true
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
mountPath: /dev/shm
@ -328,8 +368,14 @@ spec:
{{- end }}
env:
{{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase or .Values.global.postgresql.postgresqlDatabase)" (include "postgresql.database" .) }}
{{- $sslmode := ternary "require" "disable" .Values.tls.enabled }}
{{- if and .Values.tls.enabled .Values.tls.certCAFilename }}
- name: DATA_SOURCE_NAME
value: {{ printf "host=127.0.0.1 port=%d user=%s sslmode=%s sslcert=%s sslkey=%s" (int (include "postgresql.port" .)) (include "postgresql.username" .) $sslmode (include "postgresql.tlsCert" .) (include "postgresql.tlsCertKey" .) }}
{{- else }}
- name: DATA_SOURCE_URI
value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.port" .)) $database | quote }}
value: {{ printf "127.0.0.1:%d/%s?sslmode=%s" (int (include "postgresql.port" .)) $database $sslmode }}
{{- end }}
{{- if .Values.usePasswordFile }}
- name: DATA_SOURCE_PASS_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-password"
@ -342,6 +388,9 @@ spec:
{{- end }}
- name: DATA_SOURCE_USER
value: {{ template "postgresql.username" . }}
{{- if .Values.metrics.extraEnvVars }}
{{- include "postgresql.tplValue" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
httpGet:
@ -369,6 +418,11 @@ spec:
- name: postgresql-password
mountPath: /opt/bitnami/postgresql/secrets/
{{- end }}
{{- if .Values.tls.enabled }}
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
readOnly: true
{{- end }}
{{- if .Values.metrics.customMetrics }}
- name: custom-metrics
mountPath: /conf
@ -408,6 +462,13 @@ spec:
secret:
secretName: {{ template "postgresql.initdbScriptsSecret" . }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: raw-certificates
secret:
secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }}
- name: postgresql-certificates
emptyDir: {}
{{- end }}
{{- if .Values.master.extraVolumes }}
{{- toYaml .Values.master.extraVolumes | nindent 8 }}
{{- end }}

11
charts/artifactory-ha/charts/postgresql/templates/svc-headless.yaml
View File

@ -3,10 +3,10 @@ kind: Service
metadata:
name: {{ template "postgresql.fullname" . }}-headless
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
clusterIP: None
@ -15,5 +15,4 @@ spec:
port: {{ template "postgresql.port" . }}
targetPort: tcp-postgresql
selector:
app: {{ template "postgresql.name" . }}
release: {{ .Release.Name | quote }}
{{- include "common.labels.matchLabels" . | nindent 4 }}

14
charts/artifactory-ha/charts/postgresql/templates/svc-read.yaml
View File

@ -10,12 +10,13 @@ kind: Service
metadata:
name: {{ template "postgresql.fullname" . }}-read
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- include "common.labels.standard" . | nindent 4 }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if $serviceAnnotations }}
annotations: {{- include "postgresql.tplValue" (dict "value" $serviceAnnotations "context" $) | nindent 4 }}
{{- include "postgresql.tplValue" (dict "value" $serviceAnnotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: {{ $serviceType }}
@ -36,7 +37,6 @@ spec:
nodePort: {{ $serviceNodePort }}
{{- end }}
selector:
app: {{ template "postgresql.name" . }}
release: {{ .Release.Name | quote }}
{{- include "common.labels.matchLabels" . | nindent 4 }}
role: slave
{{- end }}

14
charts/artifactory-ha/charts/postgresql/templates/svc.yaml
View File

@ -9,12 +9,13 @@ kind: Service
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- include "common.labels.standard" . | nindent 4 }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if $serviceAnnotations }}
annotations: {{- include "postgresql.tplValue" (dict "value" $serviceAnnotations "context" $) | nindent 4 }}
{{- include "postgresql.tplValue" (dict "value" $serviceAnnotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: {{ $serviceType }}
@ -35,6 +36,5 @@ spec:
nodePort: {{ $serviceNodePort }}
{{- end }}
selector:
app: {{ template "postgresql.name" . }}
release: {{ .Release.Name | quote }}
{{- include "common.labels.matchLabels" . | nindent 4 }}
role: master

96
charts/artifactory-ha/charts/postgresql/values-production.yaml
View File

@ -15,7 +15,7 @@ global:
image:
registry: docker.io
repository: bitnami/postgresql
tag: 11.7.0-debian-10-r65
tag: 11.9.0-debian-10-r1
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
@ -94,6 +94,16 @@ serviceAccount:
## Name of an already existing service account. Setting this value disables the automatic service account creation.
# name:
## Pod Security Policy
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
psp:
create: false
## Creates role for ServiceAccount
## Required for PSP
rbac:
create: false
replication:
enabled: true
user: repl_user
@ -101,7 +111,7 @@ replication:
slaveReplicas: 2
## Set synchronous commit mode: on, off, remote_apply, remote_write and local
## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL
synchronousCommit: "on"
synchronousCommit: 'on'
## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication
## NOTE: It cannot be > slaveReplicas
numSynchronousReplicas: 1
@ -221,17 +231,17 @@ extraEnv: []
##
ldap:
enabled: false
url: ""
server: ""
port: ""
prefix: ""
suffix: ""
baseDN: ""
bindDN: ""
url: ''
server: ''
port: ''
prefix: ''
suffix: ''
baseDN: ''
bindDN: ''
bind_password:
search_attr: ""
search_filter: ""
scheme: ""
search_attr: ''
search_filter: ''
scheme: ''
tls: false
## PostgreSQL service configuration
@ -253,7 +263,6 @@ service:
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
# loadBalancerIP:
## Load Balancer sources. Evaluated as a template.
## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
##
@ -301,7 +310,7 @@ persistence:
## The subdirectory of the volume to mount to, useful in dev environments
## and one PV for multiple services.
##
subPath: ""
subPath: ''
# storageClass: "-"
accessModes:
@ -330,7 +339,7 @@ master:
annotations: {}
podLabels: {}
podAnnotations: {}
priorityClassName: ""
priorityClassName: ''
## Additional PostgreSQL Master Volume mounts
##
extraVolumeMounts: []
@ -372,14 +381,14 @@ slave:
annotations: {}
podLabels: {}
podAnnotations: {}
priorityClassName: ""
priorityClassName: ''
## Extra init containers
## Example
##
##
## extraInitContainers:
## - name: do-something
## image: busybox
## command: ['do', 'something']
## command: ['do', 'something']
extraInitContainers: []
## Additional PostgreSQL Slave Volume mounts
##
@ -405,6 +414,10 @@ slave:
# type:
# nodePort:
# clusterIP:
## Whether to enable PostgreSQL slave replicas data Persistent
##
persistence:
enabled: true
## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
@ -414,6 +427,10 @@ resources:
memory: 256Mi
cpu: 250m
## Add annotations to all the deployed resources
##
commonAnnotations: {}
networkPolicy:
## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
##
@ -457,6 +474,33 @@ readinessProbe:
failureThreshold: 6
successThreshold: 1
##
## TLS configuration
##
tls:
# Enable TLS traffic
enabled: false
#
# Whether to use the server's TLS cipher preferences rather than the client's.
preferServerCiphers: true
#
# Name of the Secret that contains the certificates
certificatesSecret: ''
#
# Certificate filename
certFilename: ''
#
# Certificate Key filename
certKeyFilename: ''
#
# CA Certificate filename
# If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate
# ref: https://www.postgresql.org/docs/9.6/auth-methods.html
certCAFilename:
#
# File containing a Certificate Revocation List
crlFilename:
## Configure metrics exporter
##
metrics:
@ -465,8 +509,8 @@ metrics:
service:
type: ClusterIP
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9187"
prometheus.io/scrape: 'true'
prometheus.io/port: '9187'
loadBalancerIP:
serviceMonitor:
enabled: false
@ -480,7 +524,7 @@ metrics:
prometheusRule:
enabled: false
additionalLabels: {}
namespace: ""
namespace: ''
## These are just examples rules, please adapt them to your needs.
## Make sure to constraint the rules to the current postgresql service.
## rules:
@ -497,7 +541,7 @@ metrics:
image:
registry: docker.io
repository: bitnami/postgres-exporter
tag: 0.8.0-debian-10-r72
tag: 0.8.0-debian-10-r188
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
@ -517,6 +561,14 @@ metrics:
# - size_bytes:
# usage: "GAUGE"
# description: "Size of the database in bytes"
## An array to add extra env vars to configure postgres-exporter
## see: https://github.com/wrouesnel/postgres_exporter#environment-variables
## For example:
# extraEnvVars:
# - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS
# value: "true"
extraEnvVars: {}
## Pod Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##

4
charts/artifactory-ha/charts/postgresql/values.schema.json
View File

@ -72,8 +72,8 @@
"title": "Slave Replicas",
"form": true,
"hidden": {
"condition": false,
"value": "replication.enabled"
"value": false,
"path": "replication/enabled"
}
}
}

100
charts/artifactory-ha/charts/postgresql/values.yaml
View File

@ -15,7 +15,7 @@ global:
image:
registry: docker.io
repository: bitnami/postgresql
tag: 11.7.0-debian-10-r65
tag: 11.9.0-debian-10-r1
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
@ -79,7 +79,6 @@ volumePermissions:
##
# schedulerName:
## Pod Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
@ -95,6 +94,16 @@ serviceAccount:
## Name of an already existing service account. Setting this value disables the automatic service account creation.
# name:
## Pod Security Policy
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
psp:
create: false
## Creates role for ServiceAccount
## Required for PSP
rbac:
create: false
replication:
enabled: false
user: repl_user
@ -102,7 +111,7 @@ replication:
slaveReplicas: 1
## Set synchronous commit mode: on, off, remote_apply, remote_write and local
## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL
synchronousCommit: "off"
synchronousCommit: 'off'
## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication
## NOTE: It cannot be > slaveReplicas
numSynchronousReplicas: 0
@ -222,17 +231,17 @@ extraEnv: []
##
ldap:
enabled: false
url: ""
server: ""
port: ""
prefix: ""
suffix: ""
baseDN: ""
bindDN: ""
url: ''
server: ''
port: ''
prefix: ''
suffix: ''
baseDN: ''
bindDN: ''
bind_password:
search_attr: ""
search_filter: ""
scheme: ""
search_attr: ''
search_filter: ''
scheme: ''
tls: false
## PostgreSQL service configuration
@ -254,7 +263,6 @@ service:
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
# loadBalancerIP:
## Load Balancer sources. Evaluated as a template.
## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
##
@ -302,7 +310,7 @@ persistence:
## The subdirectory of the volume to mount to, useful in dev environments
## and one PV for multiple services.
##
subPath: ""
subPath: ''
# storageClass: "-"
accessModes:
@ -331,14 +339,14 @@ master:
annotations: {}
podLabels: {}
podAnnotations: {}
priorityClassName: ""
priorityClassName: ''
## Extra init containers
## Example
##
##
## extraInitContainers:
## - name: do-something
## image: busybox
## command: ['do', 'something']
## command: ['do', 'something']
extraInitContainers: []
## Additional PostgreSQL Master Volume mounts
@ -382,7 +390,7 @@ slave:
annotations: {}
podLabels: {}
podAnnotations: {}
priorityClassName: ""
priorityClassName: ''
extraInitContainers: |
# - name: do-something
# image: busybox
@ -411,6 +419,10 @@ slave:
# type:
# nodePort:
# clusterIP:
## Whether to enable PostgreSQL slave replicas data Persistent
##
persistence:
enabled: true
## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
@ -420,6 +432,10 @@ resources:
memory: 256Mi
cpu: 250m
## Add annotations to all the deployed resources
##
commonAnnotations: {}
networkPolicy:
## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
##
@ -463,6 +479,33 @@ readinessProbe:
failureThreshold: 6
successThreshold: 1
##
## TLS configuration
##
tls:
# Enable TLS traffic
enabled: false
#
# Whether to use the server's TLS cipher preferences rather than the client's.
preferServerCiphers: true
#
# Name of the Secret that contains the certificates
certificatesSecret: ''
#
# Certificate filename
certFilename: ''
#
# Certificate Key filename
certKeyFilename: ''
#
# CA Certificate filename
# If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate
# ref: https://www.postgresql.org/docs/9.6/auth-methods.html
certCAFilename:
#
# File containing a Certificate Revocation List
crlFilename:
## Configure metrics exporter
##
metrics:
@ -471,8 +514,8 @@ metrics:
service:
type: ClusterIP
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9187"
prometheus.io/scrape: 'true'
prometheus.io/port: '9187'
loadBalancerIP:
serviceMonitor:
enabled: false
@ -486,7 +529,7 @@ metrics:
prometheusRule:
enabled: false
additionalLabels: {}
namespace: ""
namespace: ''
## These are just examples rules, please adapt them to your needs.
## Make sure to constraint the rules to the current postgresql service.
## rules:
@ -503,7 +546,7 @@ metrics:
image:
registry: docker.io
repository: bitnami/postgres-exporter
tag: 0.8.0-debian-10-r72
tag: 0.8.0-debian-10-r188
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
@ -515,7 +558,7 @@ metrics:
## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file
# customMetrics:
# pg_database:
# query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')"
# query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')"
# metrics:
# - name:
# usage: "LABEL"
@ -523,6 +566,15 @@ metrics:
# - size_bytes:
# usage: "GAUGE"
# description: "Size of the database in bytes"
#
## An array to add extra env vars to configure postgres-exporter
## see: https://github.com/wrouesnel/postgres_exporter#environment-variables
## For example:
# extraEnvVars:
# - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS
# value: "true"
extraEnvVars: {}
## Pod Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##

6
charts/artifactory-ha/ci/access-tls-values.yaml
View File

@ -1,7 +1,11 @@
databaseUpgradeReady: true
artifactory:
masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release
postgresql:
image:
tag: 12.3.0-debian-10-r71
postgresqlPassword: password
access:
accessConfig:
security:

3
charts/artifactory-ha/ci/default-values.yaml
View File

@ -4,3 +4,6 @@ databaseUpgradeReady: true
## Please refer https://github.com/jfrog/charts/blob/master/stable/artifactory-ha/README.md#special-upgrade-notes-1
artifactory:
masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release
postgresql:
postgresqlPassword: password

47
charts/artifactory-ha/ci/global-values.yaml Normal file
View File

@ -0,0 +1,47 @@
databaseUpgradeReady: true
# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release
postgresql:
postgresqlPassword: password
global:
versions:
artifactory: 7.11.2
masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
customInitContainers: |
- name: "custom-setup"
image: "{{ .Values.initContainerImage }}"
imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}"
command:
- 'sh'
- '-c'
- 'touch {{ .Values.artifactory.persistence.mountPath }}/example-custom-setup'
volumeMounts:
- mountPath: "{{ .Values.artifactory.persistence.mountPath }}"
name: volume
# Add custom volumes
customVolumes: |
- name: custom-script
emptyDir:
sizeLimit: 100Mi
# Add custom volumesMounts
customVolumeMounts: |
- name: custom-script
mountPath: "/scripts"
# Add custom sidecar containers
customSidecarContainers: |
- name: "sidecar-list-etc"
image: "{{ .Values.initContainerImage }}"
imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}"
securityContext:
allowPrivilegeEscalation: false
command: ["sh","-c","echo 'Sidecar is running' >> /scripts/sidecar.txt; cat /scripts/sidecar.txt; while true; do sleep 30; done"]
volumeMounts:
- mountPath: "/scripts"
name: custom-script
resources:
requests:
memory: "32Mi"
cpu: "50m"
limits:
memory: "128Mi"
cpu: "100m"

3
charts/artifactory-ha/ci/migration-disabled-values.yaml
View File

@ -1,4 +1,7 @@
databaseUpgradeReady: true
# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release
postgresql:
postgresqlPassword: password
artifactory:
masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
migration:

2
charts/artifactory-ha/questions.yml
View File

@ -419,6 +419,6 @@ questions:
# Internal Settings
- variable: installerInfo
default: '\{\"productId\": \"RancherHelm_artifactory-ha/7.6.3\", \"features\": \[\{\"featureId\": \"Partner/ACC-007246\"\}\]\}'
default: '\{\"productId\": \"RancherHelm_artifactory-ha/7.12.6\", \"features\": \[\{\"featureId\": \"Partner/ACC-007246\"\}\]\}'
type: string
group: "Internal Settings (Do not modify)"

6
charts/artifactory-ha/requirements.lock
View File

@ -1,6 +1,6 @@
dependencies:
- name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 8.7.3
digest: sha256:7c0ecc958c9d90f0b5c3843621674788b414ea0497ea6053e8c46531545a47d3
generated: "2020-08-03T02:21:09.654710336Z"
version: 9.3.4
digest: sha256:6c6c7ebc7f0c35a6df917879cd7c51e226f31a4d320e053b3620c5476287e9b8
generated: "2020-09-02T09:49:07.304103+05:30"

2
charts/artifactory-ha/requirements.yaml
View File

@ -1,5 +1,5 @@
dependencies:
- name: postgresql
version: 8.7.3
version: 9.3.4
repository: https://charts.bitnami.com/bitnami
condition: postgresql.enabled

20
charts/artifactory-ha/security-mitigation.yaml Normal file
View File

@ -0,0 +1,20 @@
## Apache License Version 2.0
## http://www.apache.org/licenses/LICENSE-2.0.txt
## Schema version of this YAML file
schemaVersion: v1
## Overall mitigation summary
summary: Security mitigation information for this application is tracked by the security-mitigation.yaml file that's part of this helm chart.
## Mitigation notes for individual CVEs
mitigations:
- cves:
- CVE-2017-8399
## Indicates package Uri for which the security mitigation is provided. helm://… || docker://…
affectedPackageUri: helm://jfrog/artifactory-ha
## Which chart versions this cve note belongs to
affectedVersions: ">= 3.1.0"
## Description / note
description: This CVE needs to be fixed in the alpine base image of nginx container.

165
charts/artifactory-ha/templates/_helpers.tpl
View File

@ -68,6 +68,19 @@ If release name contains chart name it will be used as a full name.
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified replicator tracker ingress name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "artifactory-ha.replicator.tracker.fullname" -}}
{{- if .Values.artifactory.replicator.trackerIngress.name -}}
{{- .Values.artifactory.replicator.trackerIngress.name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-replication-tracker" .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@ -125,3 +138,155 @@ Scheme (http/https) based on Access TLS enabled/disabled
{{- printf "%s" "http" -}}
{{- end -}}
{{- end -}}
{{/*
Resolve joinKey value
*/}}
{{- define "artifactory-ha.joinKey" -}}
{{- if .Values.global.joinKey -}}
{{- .Values.global.joinKey -}}
{{- else if .Values.artifactory.joinKey -}}
{{- .Values.artifactory.joinKey -}}
{{- end -}}
{{- end -}}
{{/*
Resolve masterKey value
*/}}
{{- define "artifactory-ha.masterKey" -}}
{{- if .Values.global.masterKey -}}
{{- .Values.global.masterKey -}}
{{- else if .Values.artifactory.masterKey -}}
{{- .Values.artifactory.masterKey -}}
{{- end -}}
{{- end -}}
{{/*
Resolve joinKeySecretName value
*/}}
{{- define "artifactory-ha.joinKeySecretName" -}}
{{- if .Values.global.joinKeySecretName -}}
{{- .Values.global.joinKeySecretName -}}
{{- else if .Values.artifactory.joinKeySecretName -}}
{{- .Values.artifactory.joinKeySecretName -}}
{{- else -}}
{{ include "artifactory-ha.fullname" . }}
{{- end -}}
{{- end -}}
{{/*
Resolve masterKeySecretName value
*/}}
{{- define "artifactory-ha.masterKeySecretName" -}}
{{- if .Values.global.masterKeySecretName -}}
{{- .Values.global.masterKeySecretName -}}
{{- else if .Values.artifactory.masterKeySecretName -}}
{{- .Values.artifactory.masterKeySecretName -}}
{{- else -}}
{{ include "artifactory-ha.fullname" . }}
{{- end -}}
{{- end -}}
{{/*
Resolve imagePullSecrets value
*/}}
{{- define "artifactory-ha.imagePullSecrets" -}}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- else if .Values.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Resolve customInitContainersBegin value
*/}}
{{- define "artifactory-ha.customInitContainersBegin" -}}
{{- if .Values.global.customInitContainersBegin -}}
{{- .Values.global.customInitContainersBegin -}}
{{- else if .Values.artifactory.customInitContainersBegin -}}
{{- .Values.artifactory.customInitContainersBegin -}}
{{- end -}}
{{- end -}}
{{/*
Resolve customInitContainers value
*/}}
{{- define "artifactory-ha.customInitContainers" -}}
{{- if .Values.global.customInitContainers -}}
{{- .Values.global.customInitContainers -}}
{{- else if .Values.artifactory.customInitContainers -}}
{{- .Values.artifactory.customInitContainers -}}
{{- end -}}
{{- end -}}
{{/*
Resolve customVolumes value
*/}}
{{- define "artifactory-ha.customVolumes" -}}
{{- if .Values.global.customVolumes -}}
{{- .Values.global.customVolumes -}}
{{- else if .Values.artifactory.customVolumes -}}
{{- .Values.artifactory.customVolumes -}}
{{- end -}}
{{- end -}}
{{/*
Resolve customVolumeMounts value
*/}}
{{- define "artifactory-ha.customVolumeMounts" -}}
{{- if .Values.global.customVolumeMounts -}}
{{- .Values.global.customVolumeMounts -}}
{{- else if .Values.artifactory.customVolumeMounts -}}
{{- .Values.artifactory.customVolumeMounts -}}
{{- end -}}
{{- end -}}
{{/*
Resolve customSidecarContainers value
*/}}
{{- define "artifactory-ha.customSidecarContainers" -}}
{{- if .Values.global.customSidecarContainers -}}
{{- .Values.global.customSidecarContainers -}}
{{- else if .Values.artifactory.customSidecarContainers -}}
{{- .Values.artifactory.customSidecarContainers -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper artifactory chart image names
*/}}
{{- define "artifactory-ha.getImageInfoByValue" -}}
{{- $dot := index . 0 }}
{{- $indexReference := index . 1 }}
{{- $registryName := index $dot.Values $indexReference "image" "registry" -}}
{{- $repositoryName := index $dot.Values $indexReference "image" "repository" -}}
{{- $tag := default $dot.Chart.AppVersion (index $dot.Values $indexReference "image" "tag") | toString -}}
{{- if $dot.Values.global }}
{{- if and $dot.Values.global.versions.artifactory (or (eq $indexReference "artifactory") (eq $indexReference "nginx") ) }}
{{- $tag = $dot.Values.global.versions.artifactory | toString -}}
{{- end -}}
{{- if $dot.Values.global.imageRegistry }}
{{- printf "%s/%s:%s" $dot.Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper artifactory app version
*/}}
{{- define "artifactory-ha.app.version" -}}
{{- $image := split ":" ((include "artifactory-ha.getImageInfoByValue" (list . "artifactory")) | toString) -}}
{{- $tag := $image._1 -}}
{{- printf "%s" $tag -}}
{{- end -}}

3
charts/artifactory-ha/templates/additional-resources.yaml Normal file
View File

@ -0,0 +1,3 @@
{{ if .Values.additionalResources }}
{{ tpl .Values.additionalResources . }}
{{- end -}}

2
charts/artifactory-ha/templates/artifactory-access-config.yaml
View File

@ -10,6 +10,6 @@ metadata:
release: {{ .Release.Name }}
type: Opaque
stringData:
access.config.import.yml: |
access.config.patch.yml: |
{{ tpl (toYaml .Values.access.accessConfig) . | indent 4 }}
{{- end }}

2
charts/artifactory-ha/templates/artifactory-custom-secrets.yaml
View File

@ -4,7 +4,7 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ .name }}
name: {{ template "artifactory-ha.fullname" $ }}-{{ .name }}
labels:
app: "{{ template "artifactory-ha.name" $ }}"
chart: "{{ template "artifactory-ha.chart" $ }}"

4
charts/artifactory-ha/templates/artifactory-node-pdb.yaml
View File

@ -1,3 +1,4 @@
{{- if .Values.artifactory.node.minAvailable -}}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
@ -13,8 +14,7 @@ spec:
matchLabels:
component: {{ .Values.artifactory.name }}
app: {{ template "artifactory-ha.name" . }}
{{- if eq .Values.artifactory.service.pool "members" }}
role: {{ template "artifactory-ha.node.name" . }}
{{- end }}
release: {{ .Release.Name }}
minAvailable: {{ .Values.artifactory.node.minAvailable }}
{{- end }}

89
charts/artifactory-ha/templates/artifactory-node-statefulset.yaml
View File

@ -34,6 +34,7 @@ spec:
{{ toYaml . | indent 8 }}
{{- end }}
annotations:
checksum/database-secrets: {{ include (print $.Template.BasePath "/artifactory-database-secrets.yaml") . | sha256sum }}
checksum/binarystore: {{ include (print $.Template.BasePath "/artifactory-binarystore-secret.yaml") . | sha256sum }}
checksum/systemyaml: {{ include (print $.Template.BasePath "/artifactory-system-yaml.yaml") . | sha256sum }}
{{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
@ -52,16 +53,17 @@ spec:
{{- end }}
serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.artifactory.terminationGracePeriodSeconds }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }}
{{- include "artifactory-ha.imagePullSecrets" . | indent 6 }}
{{- end }}
{{- if .Values.artifactory.setSecurityContext }}
securityContext:
runAsUser: {{ .Values.artifactory.uid }}
fsGroup: {{ .Values.artifactory.uid }}
fsGroup: {{ .Values.artifactory.gid }}
{{- end }}
initContainers:
{{- if .Values.artifactory.customInitContainersBegin }}
{{ tpl .Values.artifactory.customInitContainersBegin . | indent 6 }}
{{- if or .Values.artifactory.customInitContainersBegin .Values.global.customInitContainersBegin }}
{{ tpl (include "artifactory-ha.customInitContainersBegin" .) . | indent 6 }}
{{- end }}
{{- if .Values.artifactory.persistence.enabled }}
{{- if eq .Values.artifactory.persistence.type "file-system" }}
@ -126,7 +128,11 @@ spec:
echo "Copy system.yaml to {{ .Values.artifactory.persistence.mountPath }}/etc";
mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc;
mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted;
{{- if .Values.systemYamlOverride.existingSecret }}
cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml;
{{- else }}
cp -fv /tmp/etc/system.yaml {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml;
{{- end }}
echo "Remove {{ .Values.artifactory.persistence.mountPath }}/lost+found folder if exists";
rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found;
echo "Removing join.key file";
@ -137,7 +143,7 @@ spec:
{{- if .Values.access.customCertificatesSecretName }}
echo "Load custom certificates from database";
{{- end }}
{{- if or .Values.artifactory.masterKey .Values.artifactory.masterKeySecretName }}
{{- if or .Values.artifactory.masterKey .Values.global.masterKey .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }}
echo "Copy masterKey to {{ .Values.artifactory.persistence.mountPath }}/etc/security";
mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/security;
echo -n ${ARTIFACTORY_MASTER_KEY} > {{ .Values.artifactory.persistence.mountPath }}/etc/security/master.key;
@ -145,7 +151,7 @@ spec:
- name: ARTIFACTORY_MASTER_KEY
valueFrom:
secretKeyRef:
name: "{{ .Values.artifactory.masterKeySecretName | default (include "artifactory-ha.fullname" .) }}"
name: {{ include "artifactory-ha.masterKeySecretName" . }}
key: master-key
{{- end }}
resources:
@ -153,17 +159,24 @@ spec:
volumeMounts:
- name: volume
mountPath: {{ .Values.artifactory.persistence.mountPath | quote }}
{{- if or .Values.systemYamlOverride.existingSecret .Values.artifactory.systemYaml }}
- name: systemyaml
{{- if .Values.systemYamlOverride.existingSecret }}
mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}"
subPath: {{ .Values.systemYamlOverride.dataKey }}
{{- else if .Values.artifactory.systemYaml }}
mountPath: "/tmp/etc/system.yaml"
subPath: system.yaml
{{- if .Values.artifactory.customPersistentPodVolumeClaim }}
{{- end }}
{{- end }}
{{- if and .Values.artifactory.customPersistentPodVolumeClaim (not .Values.artifactory.customPersistentPodVolumeClaim.skipPrepareContainer) }}
- name: "prepare-custom-persistent-volume"
image: "{{ .Values.initContainerImage }}"
command:
- 'sh'
- '-c'
- >
chown -Rv {{ .Values.artifactory.uid }}:{{ .Values.artifactory.uid }} {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }}
chown -Rv {{ .Values.artifactory.uid }}:{{ .Values.artifactory.gid }} {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }}
securityContext:
runAsUser: 0
resources:
@ -187,12 +200,12 @@ spec:
{{ toYaml .Values.initContainers.resources | indent 10 }}
{{- end }}
{{- end }}
{{- if .Values.artifactory.customInitContainers }}
{{ tpl .Values.artifactory.customInitContainers . | indent 6 }}
{{- if or .Values.artifactory.customInitContainers .Values.global.customInitContainers }}
{{ tpl (include "artifactory-ha.customInitContainers" .) . | indent 6 }}
{{- end }}
{{- if .Values.artifactory.migration.enabled }}
- name: 'migration-artifactory-ha'
image: '{{ .Values.artifactory.image.repository }}:{{ default .Chart.AppVersion .Values.artifactory.image.version }}'
image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }}
imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }}
securityContext:
allowPrivilegeEscalation: false
@ -211,10 +224,14 @@ spec:
cp -fv /tmp/migrationHelmInfo.yaml $scriptsPath/migrationHelmInfo.yaml;
cp -fv /tmp/migrationStatus.sh $scriptsPath/migrationStatus.sh;
mkdir -p {{ .Values.artifactory.persistence.mountPath }}/log;
bash $scriptsPath/migrationStatus.sh {{ default .Chart.AppVersion .Values.artifactory.image.version }} {{ .Values.artifactory.migration.timeoutSeconds }} > >(tee {{ .Values.artifactory.persistence.mountPath }}/log/helm-migration.log) 2>&1;
bash $scriptsPath/migrationStatus.sh {{ include "artifactory-ha.app.version" . }} {{ .Values.artifactory.migration.timeoutSeconds }} > >(tee {{ .Values.artifactory.persistence.mountPath }}/log/helm-migration.log) 2>&1;
resources:
{{ toYaml .Values.artifactory.node.resources | indent 10 }}
env:
{{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }}
- name: SKIP_WAIT_FOR_EXTERNAL_DB
value: "true"
{{- end }}
{{- if or .Values.database.secrets.user .Values.database.user }}
- name: JF_SHARED_DATABASE_USERNAME
valueFrom:
@ -283,8 +300,8 @@ spec:
mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}"
{{- end }}
{{- end }}
{{- if .Values.artifactory.customVolumeMounts }}
{{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }}
{{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }}
{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }}
{{- end }}
{{- if eq .Values.artifactory.persistence.type "nfs" }}
- name: artifactory-ha-data
@ -306,7 +323,7 @@ spec:
{{- end }}
containers:
- name: {{ .Values.artifactory.name }}
image: '{{ .Values.artifactory.image.repository }}:{{ default .Chart.AppVersion .Values.artifactory.image.version }}'
image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }}
imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }}
securityContext:
allowPrivilegeEscalation: false
@ -324,6 +341,7 @@ spec:
{{ tpl . $ }};
{{- end }}
exec /entrypoint-artifactory.sh
{{- with .Values.artifactory.postStartCommand }}
lifecycle:
postStart:
exec:
@ -331,11 +349,14 @@ spec:
- '/bin/bash'
- '-c'
- >
echo;
{{- with .Values.artifactory.postStartCommand }}
echo "Running custom postStartCommand command";
{{ tpl . $ }}
{{- end }}
{{- end }}
env:
{{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }}
- name: SKIP_WAIT_FOR_EXTERNAL_DB
value: "true"
{{- end }}
{{- if or .Values.database.secrets.user .Values.database.user }}
- name: JF_SHARED_DATABASE_USERNAME
valueFrom:
@ -384,12 +405,16 @@ spec:
{{- end }}
ports:
- containerPort: {{ .Values.artifactory.internalPort }}
name: http
- containerPort: {{ .Values.artifactory.internalArtifactoryPort }}
name: http-internal
{{- if .Values.artifactory.node.javaOpts.jmx.enabled }}
- containerPort: {{ .Values.artifactory.node.javaOpts.jmx.port }}
name: tcp-jmx
{{- end }}
{{- if .Values.artifactory.ssh.enabled }}
- containerPort: {{ .Values.artifactory.ssh.internalPort }}
name: tcp-ssh
{{- end }}
volumeMounts:
{{- if .Values.artifactory.customPersistentVolumeClaim }}
@ -445,8 +470,8 @@ spec:
- name: installer-info
mountPath: "/artifactory_bootstrap/info/installer-info.json"
subPath: installer-info.json
{{- if .Values.artifactory.customVolumeMounts }}
{{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }}
{{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }}
{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }}
{{- end }}
resources:
{{ toYaml .Values.artifactory.node.resources | indent 10 }}
@ -474,12 +499,10 @@ spec:
failureThreshold: {{ .Values.artifactory.livenessProbe.failureThreshold }}
successThreshold: {{ .Values.artifactory.livenessProbe.successThreshold }}
{{- end }}
{{- $image := .Values.logger.image.repository }}
{{- $tag := .Values.logger.image.tag }}
{{- $mountPath := .Values.artifactory.persistence.mountPath }}
{{- range .Values.artifactory.loggers }}
- name: {{ . | replace "_" "-" | replace "." "-" }}
image: '{{ $image }}:{{ $tag }}'
image: {{ include "artifactory-ha.getImageInfoByValue" (list $ "logger") }}
command:
- 'sh'
- '-c'
@ -496,7 +519,7 @@ spec:
{{ if .Values.artifactory.catalinaLoggers }}
{{- range .Values.artifactory.catalinaLoggers }}
- name: {{ . | replace "_" "-" | replace "." "-" }}
image: '{{ $image }}:{{ $tag }}'
image: {{ include "artifactory-ha.getImageInfoByValue" (list $ "logger") }}
command:
- 'sh'
- '-c'
@ -536,8 +559,8 @@ spec:
{{ toYaml .Values.filebeat.resources | indent 10 }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }}
{{- end }}
{{- if .Values.artifactory.customSidecarContainers }}
{{ tpl .Values.artifactory.customSidecarContainers . | indent 6 }}
{{- if or .Values.artifactory.customSidecarContainers .Values.global.customSidecarContainers }}
{{ tpl (include "artifactory-ha.customSidecarContainers" .) . | indent 6 }}
{{- end }}
{{- with .Values.artifactory.node.nodeSelector }}
nodeSelector:
@ -619,7 +642,7 @@ spec:
- name: bootstrap-config
configMap:
name: {{ .Values.artifactory.configMapName }}
{{- end}}
{{- end}}
{{- if or .Values.artifactory.loggers .Values.artifactory.catalinaLoggers }}
- name: tail-logger-script
configMap:
@ -650,9 +673,11 @@ spec:
persistentVolumeClaim:
claimName: {{ template "artifactory-ha.fullname" . }}-backup-pvc
{{- end }}
{{- if or .Values.systemYamlOverride.existingSecret .Values.artifactory.systemYaml }}
- name: systemyaml
secret:
secretName: {{ template "artifactory-ha.primary.name" . }}-system-yaml
secretName: {{ default (printf "%s-%s" (include "artifactory-ha.primary.name" .) "system-yaml") .Values.systemYamlOverride.existingSecret }}
{{- end }}
{{- if .Values.artifactory.customPersistentVolumeClaim }}
- name: {{ .Values.artifactory.customPersistentVolumeClaim.name }}
persistentVolumeClaim:
@ -663,8 +688,8 @@ spec:
configMap:
name: {{ template "artifactory-ha.fullname" . }}-filebeat-config
{{- end }}
{{- if .Values.artifactory.customVolumes }}
{{ tpl .Values.artifactory.customVolumes . | indent 6 }}
{{- if or .Values.artifactory.customVolumes .Values.global.customVolumes }}
{{ tpl (include "artifactory-ha.customVolumes" .) . | indent 6 }}
{{- end }}
{{- if not .Values.artifactory.persistence.enabled }}
- name: volume

20
charts/artifactory-ha/templates/artifactory-primary-pdb.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.artifactory.primary.minAvailable -}}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ template "artifactory-ha.fullname" . }}-primary
labels:
app: {{ template "artifactory-ha.name" . }}
chart: {{ template "artifactory-ha.chart" . }}
component: {{ .Values.artifactory.name }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
selector:
matchLabels:
component: {{ .Values.artifactory.name }}
app: {{ template "artifactory-ha.name" . }}
role: {{ template "artifactory-ha.primary.name" . }}
release: {{ .Release.Name }}
minAvailable: {{ .Values.artifactory.primary.minAvailable }}
{{- end }}

115
charts/artifactory-ha/templates/artifactory-primary-statefulset.yaml
View File

@ -6,18 +6,18 @@ metadata:
app: {{ template "artifactory-ha.name" . }}
chart: {{ template "artifactory-ha.chart" . }}
component: {{ .Values.artifactory.name }}
version: {{ default .Chart.AppVersion .Values.artifactory.image.version }}
version: {{ include "artifactory-ha.app.version" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- with .Values.artifactory.primary.labels }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- if and .Release.IsUpgrade .Values.postgresql.enabled }}
databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/artifactory/CHANGELOG.md), pass postgresql.image.tag=9.6.18-debian-10-r7 and databaseUpgradeReady=true if you are upgrading from chart version which has postgresql version 9.6.x." .Values.databaseUpgradeReady | quote }}
databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/artifactory-ha/CHANGELOG.md) \nNote: This applies only when you are using bundled postgresql (postgresql.enabled=true) \nIf you are upgrading from a chart version (< 4.x) that has postgresql.image.tag of 9.x or 10.x, make sure to pass the current postgresql.image.tag and set databaseUpgradeReady=true \nOR \nIf you are upgrading from a chart version (>= 4.x), just set databaseUpgradeReady=true \n" .Values.databaseUpgradeReady | quote }}
{{- end }}
spec:
serviceName: {{ template "artifactory-ha.primary.name" . }}
replicas: 1
replicas: {{ .Values.artifactory.primary.replicaCount }}
updateStrategy:
type: RollingUpdate
selector:
@ -38,6 +38,7 @@ spec:
{{ toYaml . | indent 8 }}
{{- end }}
annotations:
checksum/database-secrets: {{ include (print $.Template.BasePath "/artifactory-database-secrets.yaml") . | sha256sum }}
checksum/binarystore: {{ include (print $.Template.BasePath "/artifactory-binarystore-secret.yaml") . | sha256sum }}
checksum/systemyaml: {{ include (print $.Template.BasePath "/artifactory-system-yaml.yaml") . | sha256sum }}
{{- if .Values.access.accessConfig }}
@ -62,16 +63,17 @@ spec:
{{- end }}
serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.artifactory.terminationGracePeriodSeconds }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }}
{{- include "artifactory-ha.imagePullSecrets" . | indent 6 }}
{{- end }}
{{- if .Values.artifactory.setSecurityContext }}
securityContext:
runAsUser: {{ .Values.artifactory.uid }}
fsGroup: {{ .Values.artifactory.uid }}
fsGroup: {{ .Values.artifactory.gid }}
{{- end }}
initContainers:
{{- if .Values.artifactory.customInitContainersBegin }}
{{ tpl .Values.artifactory.customInitContainersBegin . | indent 6 }}
{{- if or .Values.artifactory.customInitContainersBegin .Values.global.customInitContainersBegin }}
{{ tpl (include "artifactory-ha.customInitContainersBegin" .) . | indent 6 }}
{{- end }}
{{- if .Values.artifactory.persistence.enabled }}
{{- if eq .Values.artifactory.persistence.type "file-system" }}
@ -167,13 +169,17 @@ spec:
echo "Copy system.yaml to {{ .Values.artifactory.persistence.mountPath }}/etc";
mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc;
mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted;
{{- if .Values.systemYamlOverride.existingSecret }}
cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml;
{{- else }}
cp -fv /tmp/etc/system.yaml {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml;
{{- end }}
echo "Remove {{ .Values.artifactory.persistence.mountPath }}/lost+found folder if exists";
rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found;
{{- if .Values.access.accessConfig }}
echo "Copy access.config.latest.yml to {{ .Values.artifactory.persistence.mountPath }}/etc";
echo "Copy access.config.patch.yml to {{ .Values.artifactory.persistence.mountPath }}/etc/access";
mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access;
cp -fv /tmp/etc/access.config.import.yml {{ .Values.artifactory.persistence.mountPath }}/etc/access/access.config.import.yml;
cp -fv /tmp/etc/access.config.patch.yml {{ .Values.artifactory.persistence.mountPath }}/etc/access/access.config.patch.yml;
{{- end }}
{{- if .Values.access.resetAccessCAKeys }}
echo "Resetting Access CA Keys";
@ -186,41 +192,48 @@ spec:
cp -fv /tmp/etc/tls.crt {{ .Values.artifactory.persistence.mountPath }}/bootstrap/etc/access/keys/ca.crt;
cp -fv /tmp/etc/tls.key {{ .Values.artifactory.persistence.mountPath }}/bootstrap/etc/access/keys/ca.private.key;
{{- end }}
{{- if or .Values.artifactory.joinKey .Values.artifactory.joinKeySecretName }}
{{- if or .Values.artifactory.joinKey .Values.global.joinKey .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }}
echo "Copy joinKey to {{ .Values.artifactory.persistence.mountPath }}/bootstrap/access/etc/security";
mkdir -p {{ .Values.artifactory.persistence.mountPath }}/bootstrap/access/etc/security;
echo -n ${ARTIFACTORY_JOIN_KEY} > {{ .Values.artifactory.persistence.mountPath }}/bootstrap/access/etc/security/join.key;
{{- end }}
{{- if or .Values.artifactory.masterKey .Values.artifactory.masterKeySecretName }}
{{- if or .Values.artifactory.masterKey .Values.global.masterKey .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }}
echo "Copy masterKey to {{ .Values.artifactory.persistence.mountPath }}/etc/security";
mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/security;
echo -n ${ARTIFACTORY_MASTER_KEY} > {{ .Values.artifactory.persistence.mountPath }}/etc/security/master.key;
{{- end }}
env:
{{- if or .Values.artifactory.joinKey .Values.artifactory.joinKeySecretName}}
{{- if or .Values.artifactory.joinKey .Values.global.joinKey .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }}
- name: ARTIFACTORY_JOIN_KEY
valueFrom:
secretKeyRef:
name: "{{ .Values.artifactory.joinKeySecretName | default (include "artifactory-ha.fullname" .) }}"
name: {{ include "artifactory-ha.joinKeySecretName" . }}
key: join-key
{{- end }}
{{- if or .Values.artifactory.masterKey .Values.artifactory.masterKeySecretName }}
{{- if or .Values.artifactory.masterKey .Values.global.masterKey .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }}
- name: ARTIFACTORY_MASTER_KEY
valueFrom:
secretKeyRef:
name: "{{ .Values.artifactory.masterKeySecretName | default (include "artifactory-ha.fullname" .) }}"
name: {{ include "artifactory-ha.masterKeySecretName" . }}
key: master-key
{{- end }}
volumeMounts:
- name: volume
mountPath: {{ .Values.artifactory.persistence.mountPath | quote }}
{{- if or .Values.systemYamlOverride.existingSecret .Values.artifactory.systemYaml }}
- name: systemyaml
{{- if .Values.systemYamlOverride.existingSecret }}
mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}"
subPath: {{ .Values.systemYamlOverride.dataKey }}
{{- else if .Values.artifactory.systemYaml }}
mountPath: "/tmp/etc/system.yaml"
subPath: system.yaml
{{- end }}
{{- end }}
{{- if .Values.access.accessConfig }}
- name: access-config
mountPath: "/tmp/etc/access.config.import.yml"
subPath: access.config.import.yml
mountPath: "/tmp/etc/access.config.patch.yml"
subPath: access.config.patch.yml
{{- end }}
{{- if .Values.access.customCertificatesSecretName }}
- name: access-certs
@ -230,7 +243,7 @@ spec:
mountPath: "/tmp/etc/tls.key"
subPath: tls.key
{{- end }}
{{- if .Values.artifactory.customPersistentPodVolumeClaim }}
{{- if and .Values.artifactory.customPersistentPodVolumeClaim (not .Values.artifactory.customPersistentPodVolumeClaim.skipPrepareContainer) }}
- name: "prepare-custom-persistent-volume"
image: "{{ .Values.initContainerImage }}"
resources:
@ -239,9 +252,11 @@ spec:
- 'sh'
- '-c'
- >
chown -Rv {{ .Values.artifactory.uid }}:{{ .Values.artifactory.uid }} {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }}
chown -Rv {{ .Values.artifactory.uid }}:{{ .Values.artifactory.gid }} {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }}
securityContext:
runAsUser: 0
capabilities:
add:
- CHOWN
resources:
{{ toYaml .Values.initContainers.resources | indent 10 }}
volumeMounts:
@ -263,12 +278,12 @@ spec:
{{ toYaml .Values.initContainers.resources | indent 10 }}
{{- end }}
{{- end }}
{{- if .Values.artifactory.customInitContainers }}
{{ tpl .Values.artifactory.customInitContainers . | indent 6 }}
{{- if or .Values.artifactory.customInitContainers .Values.global.customInitContainers }}
{{ tpl (include "artifactory-ha.customInitContainers" .) . | indent 6 }}
{{- end }}
{{- if .Values.artifactory.migration.enabled }}
- name: 'migration-artifactory-ha'
image: '{{ .Values.artifactory.image.repository }}:{{ default .Chart.AppVersion .Values.artifactory.image.version }}'
image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }}
imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }}
resources:
{{ toYaml .Values.artifactory.primary.resources | indent 10 }}
@ -289,8 +304,12 @@ spec:
cp -fv /tmp/migrationHelmInfo.yaml $scriptsPath/migrationHelmInfo.yaml;
cp -fv /tmp/migrationStatus.sh $scriptsPath/migrationStatus.sh;
mkdir -p {{ .Values.artifactory.persistence.mountPath }}/log;
bash $scriptsPath/migrationStatus.sh {{ default .Chart.AppVersion .Values.artifactory.image.version }} {{ .Values.artifactory.migration.timeoutSeconds }} > >(tee {{ .Values.artifactory.persistence.mountPath }}/log/helm-migration.log) 2>&1;
bash $scriptsPath/migrationStatus.sh {{ include "artifactory-ha.app.version" . }} {{ .Values.artifactory.migration.timeoutSeconds }} > >(tee {{ .Values.artifactory.persistence.mountPath }}/log/helm-migration.log) 2>&1;
env:
{{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }}
- name: SKIP_WAIT_FOR_EXTERNAL_DB
value: "true"
{{- end }}
{{- if or .Values.database.secrets.user .Values.database.user }}
- name: JF_SHARED_DATABASE_USERNAME
valueFrom:
@ -359,8 +378,8 @@ spec:
mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}"
{{- end }}
{{- end }}
{{- if .Values.artifactory.customVolumeMounts }}
{{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }}
{{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }}
{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }}
{{- end }}
{{- if eq .Values.artifactory.persistence.type "nfs" }}
- name: artifactory-ha-data
@ -382,7 +401,7 @@ spec:
{{- end }}
containers:
- name: {{ .Values.artifactory.name }}
image: '{{ .Values.artifactory.image.repository }}:{{ default .Chart.AppVersion .Values.artifactory.image.version }}'
image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }}
imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }}
securityContext:
allowPrivilegeEscalation: false
@ -418,6 +437,7 @@ spec:
{{ tpl . $ }};
{{- end }}
exec /entrypoint-artifactory.sh
{{- with .Values.artifactory.postStartCommand }}
lifecycle:
postStart:
exec:
@ -425,11 +445,14 @@ spec:
- '/bin/bash'
- '-c'
- >
echo;
{{- with .Values.artifactory.postStartCommand }}
{{ tpl . $ }}
{{- end }}
echo "Running custom postStartCommand command";
{{ tpl . $ }};
{{- end }}
env:
{{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }}
- name: SKIP_WAIT_FOR_EXTERNAL_DB
value: "true"
{{- end }}
{{- if or .Values.database.secrets.user .Values.database.user }}
- name: JF_SHARED_DATABASE_USERNAME
valueFrom:
@ -478,12 +501,16 @@ spec:
{{- end }}
ports:
- containerPort: {{ .Values.artifactory.internalPort }}
name: http
- containerPort: {{ .Values.artifactory.internalArtifactoryPort }}
name: http-internal
{{- if .Values.artifactory.primary.javaOpts.jmx.enabled }}
- containerPort: {{ .Values.artifactory.primary.javaOpts.jmx.port }}
name: tcp-jmx
{{- end }}
{{- if .Values.artifactory.ssh.enabled }}
- containerPort: {{ .Values.artifactory.ssh.internalPort }}
name: tcp-ssh
{{- end }}
volumeMounts:
{{- if .Values.artifactory.customPersistentVolumeClaim }}
@ -547,8 +574,8 @@ spec:
- name: installer-info
mountPath: "/artifactory_bootstrap/info/installer-info.json"
subPath: installer-info.json
{{- if .Values.artifactory.customVolumeMounts }}
{{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }}
{{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }}
{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }}
{{- end }}
resources:
{{ toYaml .Values.artifactory.primary.resources | indent 10 }}
@ -576,12 +603,10 @@ spec:
failureThreshold: {{ .Values.artifactory.livenessProbe.failureThreshold }}
successThreshold: {{ .Values.artifactory.livenessProbe.successThreshold }}
{{- end }}
{{- $image := .Values.logger.image.repository }}
{{- $tag := .Values.logger.image.tag }}
{{- $mountPath := .Values.artifactory.persistence.mountPath }}
{{- range .Values.artifactory.loggers }}
- name: {{ . | replace "_" "-" | replace "." "-" }}
image: '{{ $image }}:{{ $tag }}'
image: {{ include "artifactory-ha.getImageInfoByValue" (list $ "logger") }}
command:
- 'sh'
- '-c'
@ -598,7 +623,7 @@ spec:
{{ if .Values.artifactory.catalinaLoggers }}
{{- range .Values.artifactory.catalinaLoggers }}
- name: {{ . | replace "_" "-" | replace "." "-" }}
image: '{{ $image }}:{{ $tag }}'
image: {{ include "artifactory-ha.getImageInfoByValue" (list $ "logger") }}
command:
- 'sh'
- '-c'
@ -638,8 +663,8 @@ spec:
{{ toYaml .Values.filebeat.resources | indent 10 }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }}
{{- end }}
{{- if .Values.artifactory.customSidecarContainers }}
{{ tpl .Values.artifactory.customSidecarContainers . | indent 6 }}
{{- if or .Values.artifactory.customSidecarContainers .Values.global.customSidecarContainers }}
{{ tpl (include "artifactory-ha.customSidecarContainers" .) . | indent 6 }}
{{- end }}
{{- with .Values.artifactory.primary.nodeSelector }}
nodeSelector:
@ -764,9 +789,11 @@ spec:
persistentVolumeClaim:
claimName: {{ template "artifactory-ha.fullname" . }}-backup-pvc
{{- end }}
{{- if or .Values.systemYamlOverride.existingSecret .Values.artifactory.systemYaml }}
- name: systemyaml
secret:
secretName: {{ template "artifactory-ha.primary.name" . }}-system-yaml
secretName: {{ default (printf "%s-%s" (include "artifactory-ha.primary.name" .) "system-yaml") .Values.systemYamlOverride.existingSecret }}
{{- end }}
{{- if .Values.access.accessConfig }}
- name: access-config
secret:
@ -787,8 +814,8 @@ spec:
configMap:
name: {{ template "artifactory-ha.fullname" . }}-filebeat-config
{{- end }}
{{- if .Values.artifactory.customVolumes }}
{{ tpl .Values.artifactory.customVolumes . | indent 6 }}
{{- if or .Values.artifactory.customVolumes .Values.global.customVolumes }}
{{ tpl (include "artifactory-ha.customVolumes" .) . | indent 6 }}
{{- end }}
{{- if not .Values.artifactory.persistence.enabled }}
- name: volume

16
charts/artifactory-ha/templates/artifactory-secrets.yaml
View File

@ -9,9 +9,13 @@ metadata:
release: {{ .Release.Name }}
type: Opaque
data:
{{- if and .Values.artifactory.masterKey (not .Values.artifactory.masterKeySecretName) }}
master-key: {{ .Values.artifactory.masterKey | b64enc | quote }}
{{- end }}
{{- if and .Values.artifactory.joinKey (not .Values.artifactory.joinKeySecretName) }}
join-key: {{ .Values.artifactory.joinKey | b64enc | quote }}
{{- end }}
{{- if or .Values.artifactory.masterKey .Values.global.masterKey }}
{{- if not (or .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName) }}
master-key: {{ include "artifactory-ha.masterKey" . | b64enc | quote }}
{{- end }}
{{- end }}
{{- if or .Values.artifactory.joinKey .Values.global.joinKey }}
{{- if not (or .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName) }}
join-key: {{ include "artifactory-ha.joinKey" . | b64enc | quote }}
{{- end }}
{{- end }}

20
charts/artifactory-ha/templates/artifactory-service.yaml
View File

@ -29,27 +29,29 @@ spec:
- port: {{ .Values.artifactory.externalPort }}
targetPort: {{ .Values.artifactory.internalPort }}
protocol: TCP
name: router
name: http-router
{{- if .Values.artifactory.ssh.enabled }}
- port: {{ .Values.artifactory.ssh.externalPort }}
targetPort: {{ .Values.artifactory.ssh.internalPort }}
protocol: TCP
name: ssh
name: tcp-ssh
{{- end }}
- port: {{ .Values.artifactory.externalArtifactoryPort }}
targetPort: {{ .Values.artifactory.internalArtifactoryPort }}
protocol: TCP
name: artifactory
name: http-artifactory
{{- with .Values.artifactory.node.javaOpts.jmx }}
{{- if .enabled }}
- port: {{ .port }}
targetPort: {{ .port }}
protocol: TCP
name: jmx
name: tcp-jmx
{{- end }}
{{- end }}
selector:
{{- if eq .Values.artifactory.service.pool "members" }}
{{- if eq (int .Values.artifactory.node.replicaCount) 0 }}
role: {{ template "artifactory-ha.primary.name" . }}
{{- else if eq .Values.artifactory.service.pool "members" }}
role: {{ template "artifactory-ha.node.name" . }}
{{- end }}
app: {{ template "artifactory-ha.name" . }}
@ -81,23 +83,23 @@ spec:
- port: {{ .Values.artifactory.externalPort }}
targetPort: {{ .Values.artifactory.internalPort }}
protocol: TCP
name: router
name: http-router
- port: {{ .Values.artifactory.externalArtifactoryPort }}
targetPort: {{ .Values.artifactory.internalArtifactoryPort }}
protocol: TCP
name: artifactory
name: http-artifactory
{{- if .Values.artifactory.ssh.enabled }}
- port: {{ .Values.artifactory.ssh.externalPort }}
targetPort: {{ .Values.artifactory.ssh.internalPort }}
protocol: TCP
name: ssh
name: tcp-ssh
{{- end }}
{{- with .Values.artifactory.primary.javaOpts.jmx }}
{{- if .enabled }}
- port: {{ .port }}
targetPort: {{ .port }}
protocol: TCP
name: jmx
name: tcp-jmx
{{- end }}
{{- end }}
selector:

2
charts/artifactory-ha/templates/artifactory-system-yaml.yaml
View File

@ -1,3 +1,4 @@
{{- if not .Values.systemYamlOverride.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
@ -12,3 +13,4 @@ type: Opaque
stringData:
system.yaml: |
{{ tpl .Values.artifactory.systemYaml . | indent 4 }}
{{- end }}

51
charts/artifactory-ha/templates/ingress.yaml
View File

@ -3,7 +3,7 @@
{{- $servicePort := .Values.artifactory.externalPort -}}
{{- $artifactoryServicePort := .Values.artifactory.externalArtifactoryPort -}}
{{- $ingressName := default ( include "artifactory-ha.fullname" . ) .Values.ingress.name -}}
{{- if semverCompare ">=v1.14.0" .Capabilities.KubeVersion.GitVersion }}
{{- if semverCompare ">=v1.14.0-0" .Capabilities.KubeVersion.GitVersion }}
apiVersion: networking.k8s.io/v1beta1
{{- else }}
apiVersion: extensions/v1beta1
@ -55,7 +55,7 @@ spec:
{{- if .Values.artifactory.replicator.enabled }}
---
{{- $replicationIngressName := default ( include "artifactory-ha.replicator.fullname" . ) .Values.artifactory.replicator.ingress.name -}}
{{- if semverCompare ">=v1.14.0" .Capabilities.KubeVersion.GitVersion }}
{{- if semverCompare ">=v1.14.0-0" .Capabilities.KubeVersion.GitVersion }}
apiVersion: networking.k8s.io/v1beta1
{{- else }}
apiVersion: extensions/v1beta1
@ -99,4 +99,51 @@ spec:
{{ toYaml .Values.artifactory.replicator.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
{{- if and .Values.artifactory.replicator.enabled .Values.artifactory.replicator.trackerIngress.enabled }}
---
{{- $replicatorTrackerIngressName := default ( include "artifactory-ha.replicator.tracker.fullname" . ) .Values.artifactory.replicator.trackerIngress.name -}}
{{- if semverCompare ">=v1.14.0-0" .Capabilities.KubeVersion.GitVersion }}
apiVersion: networking.k8s.io/v1beta1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $replicatorTrackerIngressName }}
labels:
app: "{{ template "artifactory-ha.name" $ }}"
chart: "{{ template "artifactory-ha.chart" $ }}"
release: {{ $.Release.Name | quote }}
heritage: {{ $.Release.Service | quote }}
{{- if .Values.artifactory.replicator.trackerIngress.annotations }}
annotations:
{{ .Values.artifactory.replicator.trackerIngress.annotations | toYaml | trimSuffix "\n" | indent 4 -}}
{{- end }}
spec:
{{- if .Values.ingress.defaultBackend.enabled }}
backend:
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end }}
rules:
{{- if .Values.artifactory.replicator.trackerIngress.hosts }}
{{- range $host := .Values.artifactory.replicator.trackerIngress.hosts }}
- host: {{ $host | quote }}
http:
paths:
- path: /
backend:
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end -}}
{{- end -}}
{{- if .Values.artifactory.replicator.trackerIngress.tls }}
tls:
{{ toYaml .Values.artifactory.replicator.trackerIngress.tls | indent 4 }}
{{- end -}}
{{- end -}}
{{- if .Values.customIngress }}
---
{{ .Values.customIngress | toYaml | trimSuffix "\n" }}
{{- end -}}
{{- end -}}

2
charts/artifactory-ha/templates/nginx-certificate-secret.yaml
View File

@ -1,4 +1,4 @@
{{- if and (not .Values.nginx.tlsSecretName) .Values.nginx.enabled }}
{{- if and (not .Values.nginx.tlsSecretName) .Values.nginx.https.enabled }}
apiVersion: v1
kind: Secret
type: kubernetes.io/tls

23
charts/artifactory-ha/templates/nginx-deployment.yaml
View File

@ -36,10 +36,12 @@ spec:
release: {{ .Release.Name }}
spec:
serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }}
{{- include "artifactory-ha.imagePullSecrets" . | indent 6 }}
{{- end }}
{{- if .Values.nginx.priorityClassName }}
priorityClassName: {{ .Values.nginx.priorityClassName | quote }}
{{- end }}
initContainers:
- name: "setup"
image: "{{ .Values.initContainerImage }}"
@ -58,7 +60,7 @@ spec:
fsGroup: {{ .Values.nginx.gid }}
containers:
- name: {{ .Values.nginx.name }}
image: '{{ .Values.nginx.image.repository }}:{{ default .Chart.AppVersion .Values.nginx.image.version }}'
image: {{ include "artifactory-ha.getImageInfoByValue" (list . "nginx") }}
imagePullPolicy: {{ .Values.nginx.image.pullPolicy }}
command:
- 'nginx'
@ -70,19 +72,24 @@ spec:
{{- if .Values.nginx.http }}
{{- if .Values.nginx.http.enabled }}
- containerPort: {{ .Values.nginx.http.internalPort }}
name: http
{{- end }}
{{- else }} # DEPRECATED
- containerPort: {{ .Values.nginx.internalPortHttp }}
name: http-internal
{{- end }}
{{- if .Values.nginx.https }}
{{- if .Values.nginx.https.enabled }}
- containerPort: {{ .Values.nginx.https.internalPort }}
name: https
{{- end }}
{{- else }} # DEPRECATED
- containerPort: {{ .Values.nginx.internalPortHttps }}
name: https-internal
{{- end }}
{{- if .Values.artifactory.ssh.enabled }}
- containerPort: {{ .Values.nginx.ssh.internalPort }}
name: tcp-ssh
{{- end }}
volumeMounts:
- name: nginx-conf
@ -92,8 +99,10 @@ spec:
mountPath: "{{ .Values.nginx.persistence.mountPath }}/conf.d/"
- name: nginx-volume
mountPath: {{ .Values.nginx.persistence.mountPath | quote }}
{{- if .Values.nginx.https.enabled }}
- name: ssl-certificates
mountPath: "{{ .Values.nginx.persistence.mountPath }}/ssl"
{{- end }}
resources:
{{ toYaml .Values.nginx.resources | indent 10 }}
{{- if .Values.nginx.readinessProbe.enabled }}
@ -130,12 +139,10 @@ spec:
failureThreshold: {{ .Values.nginx.livenessProbe.failureThreshold }}
successThreshold: {{ .Values.nginx.livenessProbe.successThreshold }}
{{- end }}
{{- $image := .Values.logger.image.repository }}
{{- $tag := .Values.logger.image.tag }}
{{- $mountPath := .Values.nginx.persistence.mountPath }}
{{- range .Values.nginx.loggers }}
- name: {{ . | replace "_" "-" | replace "." "-" }}
image: '{{ $image }}:{{ $tag }}'
image: {{ include "artifactory-ha.getImageInfoByValue" (list $ "logger") }}
command:
- tail
args:
@ -182,6 +189,7 @@ spec:
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.nginx.https.enabled }}
- name: ssl-certificates
secret:
{{- if .Values.nginx.tlsSecretName }}
@ -189,4 +197,5 @@ spec:
{{- else }}
secretName: {{ template "artifactory-ha.fullname" . }}-nginx-certificate
{{- end }}
{{- end }}
{{- end }}

6
charts/artifactory-ha/templates/nginx-pvc.yaml
View File

@ -15,11 +15,11 @@ spec:
resources:
requests:
storage: {{ .Values.nginx.persistence.size | quote }}
{{- if .Values.nginx.persistence.storageClass }}
{{- if (eq "-" .Values.nginx.persistence.storageClass) }}
{{- if .Values.nginx.persistence.storageClassName }}
{{- if (eq "-" .Values.nginx.persistence.storageClassName) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.nginx.persistence.storageClass }}"
storageClassName: "{{ .Values.nginx.persistence.storageClassName }}"
{{- end }}
{{- end }}
{{- end }}

2
charts/artifactory-ha/templates/nginx-service.yaml
View File

@ -70,7 +70,7 @@ spec:
- port: {{ .Values.nginx.ssh.externalPort }}
targetPort: {{ .Values.nginx.ssh.internalPort }}
protocol: TCP
name: ssh
name: tcp-ssh
{{- end }}
selector:
app: {{ template "artifactory-ha.name" . }}

132
charts/artifactory-ha/values.yaml
View File

@ -3,8 +3,30 @@
# Beware when changing values here. You should know what you are doing!
# Access the values with {{ .Values.key.subkey }}
# Common
initContainerImage: docker.bintray.io/alpine:3.12
global:
# imageRegistry: docker.bintray.io
# imagePullSecrets:
# - myRegistryKeySecretName
## Chart.AppVersion can be overidden using global.versions.artifactory or .Values.artifactory.image.tag
## Note: Order of preference is 1) global.versions 2) .Values.artifactory.image.tag 3) Chart.AppVersion
## This applies also for nginx images (.Values.nginx.image.tag)
versions: {}
# artifactory:
# joinKey:
# masterKey:
# joinKeySecretName:
# masterKeySecretName:
# customInitContainersBegin: |
# customInitContainers: |
# customVolumes: |
# customVolumeMounts: |
# customSidecarContainers: |
initContainerImage: docker.bintray.io/alpine:3.12.1
installer:
type:
@ -13,7 +35,20 @@ installer:
installerInfo: '{"productId": "Helm_artifactory-ha/{{ .Chart.Version }}", "features": [ { "featureId": "Platform/{{ default "kubernetes" .Values.installer.platform }}"}]}'
# For supporting pulling from private registries
imagePullSecrets:
# imagePullSecrets:
# - myRegistryKeySecretName
## Artifactory systemYaml override
## This is for advanced usecases where users wants to provide their own systemYaml for configuring artifactory
## Refer: https://www.jfrog.com/confluence/display/JFROG/Artifactory+System+YAML
## Note: This will override existing (default) .Values.artifactory.systemYaml in values.yaml
## Alternatively, systemYaml can be overidden via customInitContainers using external sources like vaults, external repositories etc. Please refer customInitContainer section below for an example.
## Note: Order of preference is 1) customInitContainers 2) systemYamlOverride existingSecret 3) default systemYaml in values.yaml
systemYamlOverride:
## You can use a pre-existing secret by specifying existingSecret
existingSecret:
## The dataKey should be the name of the secret data key created.
dataKey:
## Role Based Access Control
## Ref: https://kubernetes.io/docs/admin/authorization/rbac/
@ -67,6 +102,8 @@ ingress:
# Additional ingress rules
additionalRules: []
## Allows to add custom ingress
customIngress: |
networkpolicy:
# Allows all ingress and egress
@ -102,7 +139,7 @@ postgresql:
image:
registry: docker.bintray.io
repository: bitnami/postgresql
tag: 10.13.0-debian-10-r38
tag: 12.5.0-debian-10-r25
postgresqlUsername: artifactory
postgresqlPassword: ""
postgresqlDatabase: artifactory
@ -156,7 +193,8 @@ database:
logger:
image:
repository: docker.bintray.io/busybox
registry: docker.bintray.io
repository: busybox
tag: 1.31.1
# Artifactory
@ -164,8 +202,9 @@ artifactory:
name: artifactory-ha
# Note that by default we use appVersion to get image tag/version
image:
repository: docker.bintray.io/jfrog/artifactory-pro
# version:
registry: docker.bintray.io
repository: jfrog/artifactory-pro
# tag:
pullPolicy: IfNotPresent
# Create a priority class for the Artifactory pods or use an existing one
@ -187,6 +226,12 @@ artifactory:
maxThreads: 200
extraConfig: 'acceptCount="100"'
# Support for open metrics is only available for Artifactory 7.7.x (appVersions) and above.
# To enable set `.Values.artifactory.openMetrics.enabled` to `true`
# Refer - https://www.jfrog.com/confluence/display/JFROG/Open+Metrics
openMetrics:
enabled: false
# This directory is intended for use with NFS eventual configuration for HA
haDataDir:
enabled: false
@ -273,13 +318,13 @@ artifactory:
## Add custom init containers execution after predefined init containers
customInitContainers: |
# - name: "custom-setup"
# - name: "custom-systemyaml-setup"
# image: "{{ .Values.initContainerImage }}"
# imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}"
# command:
# - 'sh'
# - '-c'
# - 'touch {{ .Values.artifactory.persistence.mountPath }}/example-custom-setup'
# - 'wget -O {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml https://<repo-url>/systemyaml'
# volumeMounts:
# - mountPath: "{{ .Values.artifactory.persistence.mountPath }}"
# name: volume
@ -292,8 +337,7 @@ artifactory:
# image: "{{ .Values.initContainerImage }}"
# imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}"
# securityContext:
# runAsUser: 0
# fsGroup: 0
# allowPrivilegeEscalation: false
# command:
# - 'sh'
# - '-c'
@ -331,6 +375,7 @@ artifactory:
# subPath: prehook-start.sh
# Add custom persistent volume mounts - Available for the pod
# If skipPrepareContainer is set to true , this will skip the prepare-custom-persistent-volume init container
customPersistentPodVolumeClaim: {}
# name:
# mountPath:
@ -338,6 +383,7 @@ artifactory:
# - "-"
# size:
# storageClassName:
# skipPrepareContainer: false
# Add custom persistent volume mounts - Available to the entire namespace
customPersistentVolumeClaim: {}
@ -500,6 +546,10 @@ artifactory:
driver: "{{ .Values.database.driver }}"
{{- end }}
artifactory:
{{- if .Values.artifactory.openMetrics }}
metrics:
enabled: {{ .Values.artifactory.openMetrics.enabled }}
{{- end }}
{{- if or .Values.artifactory.haDataDir.enabled .Values.artifactory.haBackupDir.enabled }}
node:
{{- if .Values.artifactory.haDataDir.path }}
@ -515,6 +565,9 @@ artifactory:
connector:
maxThreads: {{ .Values.artifactory.tomcat.connector.maxThreads }}
extraConfig: {{ .Values.artifactory.tomcat.connector.extraConfig }}
frontend:
session:
timeMinutes: {{ .Values.frontend.session.timeoutMinutes | quote }}
access:
database:
maxOpenConnections: {{ .Values.access.database.maxOpenConnections }}
@ -544,7 +597,13 @@ artifactory:
externalArtifactoryPort: 8081
internalArtifactoryPort: 8081
uid: 1030
gid: 1030
terminationGracePeriodSeconds: 30
## By default, the Artifactory StatefulSet is created with a securityContext that sets the `runAsUser` and the `fsGroup` to the `artifactory.uid` value.
## If you want to disable the securityContext for the Artifactory StatefulSet, set this tag to false
setSecurityContext: true
## The following settings are to configure the frequency of the liveness and readiness probes
livenessProbe:
enabled: true
@ -807,6 +866,12 @@ artifactory:
{{- with .cloudFrontPrivateKey }}
<cloudFrontPrivateKey>{{ . }}</cloudFrontPrivateKey>
{{- end }}
{{- with .enableSignedUrlRedirect }}
<enableSignedUrlRedirect>{{ . }}</enableSignedUrlRedirect>
{{- end }}
{{- with .enablePathStyleAccess }}
<enablePathStyleAccess>{{ . }}</enablePathStyleAccess>
{{- end }}
</provider>
{{- end }}
</config>
@ -983,7 +1048,7 @@ artifactory:
# "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
# "client_x509_cert_url": "https://www.googleapis.com/robot/v1....."
# }
endpoint: storage.googleapis.com
endpoint: commondatastorage.googleapis.com
httpsOnly: false
# Set a unique bucket name
bucketName: "artifactory-ha-gcp"
@ -1011,6 +1076,8 @@ artifactory:
cloudFrontDomainName:
cloudFrontKeyPairId:
cloudFrontPrivateKey:
enableSignedUrlRedirect: false
enablePathStyleAccess: false
## For artifactory.persistence.type aws-s3
## IMPORTANT: Make sure S3 `endpoint` and `region` match! See https://docs.aws.amazon.com/general/latest/gr/rande.html
@ -1075,6 +1142,22 @@ artifactory:
# - hosts:
# - artifactory.domain.example
# secretName: chart-example-tls-secret
## When replicator is enabled and want to use tracker feature, trackerIngress.enabled flag should be set to true
## Please refer - https://www.jfrog.com/confluence/display/JFROG/JFrog+Peer-to-Peer+%28P2P%29+Downloads
trackerIngress:
enabled: false
name:
hosts: []
annotations: {}
# kubernetes.io/ingress.class: nginx
# nginx.ingress.kubernetes.io/proxy-buffering: "off"
# nginx.ingress.kubernetes.io/configuration-snippet: |
# chunked_transfer_encoding on;
tls: []
# Secrets must be manually created in the namespace.
# - hosts:
# - artifactory.domain.example
# secretName: chart-example-tls-secret
ssh:
enabled: false
@ -1095,6 +1178,11 @@ artifactory:
## Set existingClaim to true or false
## If true, you must prepare a PVC with the name e.g `volume-myrelease-artifactory-ha-primary-0`
existingClaim: false
## IMPORTANT: This value should remain at 1!
replicaCount: 1
# minAvailable: 1
## Resources for the primary node
resources: {}
# requests:
@ -1189,6 +1277,12 @@ artifactory:
type: ""
topologyKey: "kubernetes.io/hostname"
frontend:
## Session settings
session:
## Time in minutes after which the frontend token will need to be refreshed
timeoutMinutes: '30'
access:
## Enable TLS by changing the tls entry (under the security section) in the access.config.yaml file.
## ref: https://www.jfrog.com/confluence/display/JFROG/Managing+TLS+Certificates#ManagingTLSCertificates
@ -1238,10 +1332,13 @@ nginx:
gid: 107
# Note that by default we use appVersion to get image tag/version
image:
repository: docker.bintray.io/jfrog/nginx-artifactory-pro
# version:
registry: docker.bintray.io
repository: jfrog/nginx-artifactory-pro
# tag:
pullPolicy: IfNotPresent
# Priority Class name to be used in deployment if provided
priorityClassName:
# Sidecar containers for tailing Nginx logs
loggers: []
@ -1493,7 +1590,7 @@ filebeat:
name: artifactory-filebeat
image:
repository: "docker.elastic.co/beats/filebeat"
version: 7.5.1
version: 7.9.2
logstashUrl: "logstash:5044"
terminationGracePeriod: 10
@ -1549,3 +1646,8 @@ filebeat:
output:
logstash:
hosts: ["{{ .Values.filebeat.logstashUrl }}"]
## Allows to add additional kubernetes resources
## Use --- as a separator between multiple resources
## For an example, refer - https://github.com/jfrog/log-analytics-prometheus/blob/master/artifactory-ha-values.yaml
additionalResources: |

31
index.yaml
View File

@ -1,6 +1,35 @@
apiVersion: v1
entries:
artifactory-ha:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/release-name: artifactory-ha
apiVersion: v1
appVersion: 7.12.6
created: "2021-02-26T18:55:48.762534939Z"
dependencies:
- condition: postgresql.enabled
name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 9.3.4
description: Universal Repository Manager supporting all major packaging formats, build tools and CI servers.
digest: 6f13240e67c292e0a7229b1e0b1d8389991e10850d629fab7bac34b7f702fa3c
home: https://www.jfrog.com/artifactory/
icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory-ha/logo/artifactory-logo.png
keywords:
- artifactory
- jfrog
- devops
maintainers:
- email: installers@jfrog.com
name: Chart Maintainers at JFrog
name: artifactory-ha
sources:
- https://bintray.com/jfrog/product/JFrog-Artifactory-Pro/view
- https://github.com/jfrog/charts
urls:
- assets/artifactory-ha/artifactory-ha-4.7.600.tgz
version: 4.7.600
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/release-name: artifactory-ha
@ -550,4 +579,4 @@ entries:
urls:
- assets/sysdig/sysdig-1.9.200.tgz
version: 1.9.200
generated: "2021-02-25T22:46:37.810270792Z"
generated: "2021-02-26T18:55:48.743664584Z"

6
sha256sum/artifactory-ha/artifactory-ha.sum
View File

@ -1,4 +1,4 @@
c9d48693a4167c6d483d5b8ff25b52e574d39bb288be470f750e6a8cc832472f packages/artifactory-ha/artifactory-ha.patch
09e6066802fa1d420df13ca6af1c4fd6c90e1497d977c97762175ca3a7ba9226 packages/artifactory-ha/artifactory-ha.patch
d12365c0a850cb3a405e105ed2b7858644f27831a46b8dde64ede4eb25bba9c4 packages/artifactory-ha/overlay/app-readme.md
b3242886b886a6273dba8b838dc8f9c52d0fe6a86d195d5291dd13e0e95baf9d packages/artifactory-ha/overlay/questions.yml
df94fbf838108e4178bc3f51be85745dda4c4f577ad842fef65e5b7d78989a0e packages/artifactory-ha/package.yaml
3c42752639460fe63c0b288d2ab8f6cdf87ded1b269ff307028b6c675635e67b packages/artifactory-ha/overlay/questions.yml
65882a62266f8948889c99279658ffcf01fb215a6d303dff9852364d0a3a3d4a packages/artifactory-ha/package.yaml