Merge pull request #873 from nflondo/main-source

Charts CI
pull/875/head
alex-isv 2023-09-01 09:14:47 -06:00 committed by GitHub
commit e97c3f1212
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
37 changed files with 842 additions and 505 deletions

Binary file not shown.

Binary file not shown.

Binary file not shown.

BIN
assets/kong/kong-2.26.5.tgz Normal file

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -35,4 +35,4 @@ sources:
- https://github.com/aquarist-labs/s3gw-cosi-driver
- https://github.com/kubernetes-sigs/container-object-storage-interface-provisioner-sidecar
type: application
version: 0.19.0
version: 0.20.0


@ -45,4 +45,4 @@ maintainers:
name: kafka
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/kafka
version: 25.1.4
version: 25.1.5


@ -187,6 +187,10 @@ data:
cp "/mounted-certs/kafka.crt" /certs/tls.crt
# Copy the PEM key ensuring the key used PEM format with PKCS#8
openssl pkcs8 -topk8 -nocrypt -in "/mounted-certs/kafka.key" > /certs/tls.key
elif [[ -f /mounted-certs/tls.crt && -f /mounted-certs/tls.key ]]; then
cp "/mounted-certs/tls.crt" /certs/tls.crt
# Copy the PEM key ensuring the key used PEM format with PKCS#8
openssl pkcs8 -topk8 -nocrypt -in "/mounted-certs/tls.key" > /certs/tls.key
else
error "PEM key and cert files not found"
fi
@ -195,6 +199,8 @@ data:
# Copy CA certificate
if [[ -f /mounted-certs/kafka-ca.crt ]]; then
cp /mounted-certs/kafka-ca.crt /certs/ca.crt
elif [[ -f /mounted-certs/ca.crt ]]; then
cp /mounted-certs/ca.crt /certs/ca.crt
else
error "CA certificate file not found"
fi
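Review bot: The new `elif` branch for `tls.crt`/`tls.key` writes the unencrypted PKCS#8 key through a shell redirect, so `/certs/tls.key` is created (empty or truncated) even when `openssl` fails, and its mode is whatever the script's umask gives; nothing in the hunk checks either. Unless the script enables `set -e` outside this hunk, I would write `openssl pkcs8 -topk8 -nocrypt -in "/mounted-certs/tls.key" -out /certs/tls.key || error "Failed to convert TLS key to PKCS#8"` and confirm the resulting file is not group- or world-readable. The existing `kafka.key` branch above has the same shape. The `if` chain starts outside the hunk, and because `kafka.crt`/`kafka.key` are tested first they win when a secret carries both naming schemes; a one-line comment saying so would help.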


@ -268,6 +268,7 @@ tls:
## --from-file=kafka-broker-0.crt=./kafka-broker-0.crt --from-file=kafka-broker-0.key=./kafka-broker-0.key ...
##
## NOTE: Alternatively, a single key and certificate can be provided for all nodes under the keys 'kafka.crt' and 'kafka.key'. These certificates will be used by all nodes unless overridden by the 'kafka-<role>-X.key' and 'kafka-<role>-X.crt' files
## NOTE: Alternatively, a single key and certificate can be provided for all nodes under the keys 'tls.crt' and 'tls.key'. These certificates will be used by all nodes unless overridden by the 'kafka-<role>-X.key' and 'kafka-<role>-X.crt' files
##
existingSecret: ""
## @param tls.autoGenerated Generate automatically self-signed TLS certificates for Kafka brokers. Currently only supported if `tls.type` is `PEM`


@ -7,6 +7,6 @@ dependencies:
version: 13.1.2
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.9.1
digest: sha256:5df6e862af69422cc6e287bf9dd560b3a1e56d3b49b4bc81132b0db10903cd80
generated: "2023-08-30T09:41:25.351778314Z"
version: 2.9.2
digest: sha256:467adda3c6f9bea1762beb6c252fd4d1a5ba52942ab1b9b48af60ac4e375783d
generated: "2023-08-31T19:21:10.315977353Z"


@ -6,11 +6,11 @@ annotations:
category: CMS
images: |
- name: apache-exporter
image: docker.io/bitnami/apache-exporter:1.0.1-debian-11-r29
image: docker.io/bitnami/apache-exporter:1.0.1-debian-11-r32
- name: os-shell
image: docker.io/bitnami/os-shell:11-debian-11-r51
image: docker.io/bitnami/os-shell:11-debian-11-r54
- name: wordpress
image: docker.io/bitnami/wordpress:6.3.1-debian-11-r0
image: docker.io/bitnami/wordpress:6.3.1-debian-11-r2
licenses: Apache-2.0
apiVersion: v2
appVersion: 6.3.1
@ -47,4 +47,4 @@ maintainers:
name: wordpress
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/wordpress
version: 17.1.4
version: 17.1.6


@ -82,7 +82,7 @@ The command removes all the Kubernetes components associated with the chart and
| ------------------- | --------------------------------------------------------------------------------------------------------- | -------------------- |
| `image.registry` | WordPress image registry | `docker.io` |
| `image.repository` | WordPress image repository | `bitnami/wordpress` |
| `image.tag` | WordPress image tag (immutable tags are recommended) | `6.3.1-debian-11-r0` |
| `image.tag` | WordPress image tag (immutable tags are recommended) | `6.3.1-debian-11-r2` |
| `image.digest` | WordPress image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | WordPress image pull policy | `IfNotPresent` |
| `image.pullSecrets` | WordPress image pull secrets | `[]` |
@ -249,7 +249,7 @@ The command removes all the Kubernetes components associated with the chart and
| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` |
| `volumePermissions.image.registry` | OS Shell + Utility image registry | `docker.io` |
| `volumePermissions.image.repository` | OS Shell + Utility image repository | `bitnami/os-shell` |
| `volumePermissions.image.tag` | OS Shell + Utility image tag (immutable tags are recommended) | `11-debian-11-r51` |
| `volumePermissions.image.tag` | OS Shell + Utility image tag (immutable tags are recommended) | `11-debian-11-r54` |
| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
@ -281,7 +281,7 @@ The command removes all the Kubernetes components associated with the chart and
| `metrics.enabled` | Start a sidecar prometheus exporter to expose metrics | `false` |
| `metrics.image.registry` | Apache exporter image registry | `docker.io` |
| `metrics.image.repository` | Apache exporter image repository | `bitnami/apache-exporter` |
| `metrics.image.tag` | Apache exporter image tag (immutable tags are recommended) | `1.0.1-debian-11-r29` |
| `metrics.image.tag` | Apache exporter image tag (immutable tags are recommended) | `1.0.1-debian-11-r32` |
| `metrics.image.digest` | Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `metrics.image.pullPolicy` | Apache exporter image pull policy | `IfNotPresent` |
| `metrics.image.pullSecrets` | Apache exporter image pull secrets | `[]` |


@ -2,7 +2,7 @@ annotations:
category: Infrastructure
licenses: Apache-2.0
apiVersion: v2
appVersion: 2.9.1
appVersion: 2.9.2
description: A Library Helm Chart for grouping common logic between bitnami charts.
This chart is not deployable by itself.
home: https://bitnami.com
@ -20,4 +20,4 @@ name: common
sources:
- https://github.com/bitnami/charts
type: library
version: 2.9.1
version: 2.9.2


@ -11,17 +11,14 @@ Usage:
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }}
*/}}
{{- define "common.tplvalues.render" -}}
{{- if .scope }}
{{- if typeIs "string" .value }}
{{- tpl (cat "{{- with $.RelativeScope -}}" .value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }}
{{- if contains "{{" (toJson .value) }}
{{- if .scope }}
{{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
{{- else }}
{{- tpl (cat "{{- with $.RelativeScope -}}" (.value | toYaml) "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
{{- tpl $value .context }}
{{- end }}
{{- else }}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}
{{- $value }}
{{- end }}
{{- end -}}
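Review bot: The rewritten `common.tplvalues.render` needs a comment on its new fast path: a value is now passed to `tpl` only when its JSON form contains `{{`, and is otherwise emitted unchanged (strings as-is, other types through `toYaml`). I would add above the `if`: `{{- /* Only call tpl when the value contains a template action; plain values are returned unchanged */ -}}`. The usage block should also state that any value containing `{{` is evaluated as template code with the full `.context`, so values fed to this helper need to come from sources trusted to the same degree as the chart itself.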


@ -76,7 +76,7 @@ diagnosticMode:
image:
registry: docker.io
repository: bitnami/wordpress
tag: 6.3.1-debian-11-r0
tag: 6.3.1-debian-11-r2
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
@ -766,7 +766,7 @@ volumePermissions:
image:
registry: docker.io
repository: bitnami/os-shell
tag: 11-debian-11-r51
tag: 11-debian-11-r54
digest: ""
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
@ -860,7 +860,7 @@ metrics:
image:
registry: docker.io
repository: bitnami/apache-exporter
tag: 1.0.1-debian-11-r29
tag: 1.0.1-debian-11-r32
digest: ""
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.


@ -4,6 +4,14 @@
Nothing yet.
## 2.26.5
### Fixed
* Kuma ServiceAccount Token hints and volumes are also available in migrations
Pods.
[#877](https://github.com/Kong/charts/pull/877)
## 2.26.4
### Fixed


@ -20,4 +20,4 @@ maintainers:
name: kong
sources:
- https://github.com/Kong/charts/tree/main/charts/kong
version: 2.26.4
version: 2.26.5


@ -552,6 +552,41 @@ The name of the service used for the ingress controller's validation webhook
- name: {{ template "kong.fullname" . }}-tmp
emptyDir:
sizeLimit: {{ .Values.deployment.tmpDir.sizeLimit }}
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
- name: {{ template "kong.serviceAccountTokenName" . }}
{{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
See the related documentation of semver module that Helm depends on for semverCompare:
https://github.com/Masterminds/semver#working-with-prerelease-versions
Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
{{- else }}
secret:
secretName: {{ template "kong.serviceAccountTokenName" . }}
items:
- key: token
path: token
- key: ca.crt
path: ca.crt
- key: namespace
path: namespace
{{- end }}
{{- end }}
{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
{{- if .Values.certificates.cluster.enabled }}
- name: {{ include "kong.fullname" . }}-cluster-cert
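Review bot: The guard `and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or ...create ...name)` that now gates the token volume here is repeated verbatim in the three migrations templates that add the `kuma.io/service-account-token-volume` annotation; if one copy drifts, the annotation can name a volume that is not rendered. Consider moving the condition into a single named template that both the volume and the annotations call. `expirationSeconds: 3607` also deserves a short comment saying where the value comes from. Every consumer of this volumes helper now gets a ServiceAccount token volume, so it is worth confirming that the migrations Jobs are meant to carry it in clusters that do not run Kuma; whether any container mounts it is not visible here. The enclosing `define` starts and ends outside the hunk.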


@ -302,39 +302,4 @@ spec:
volumes:
{{- include "kong.volumes" . | nindent 8 -}}
{{- include "kong.userDefinedVolumes" . | nindent 8 -}}
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
- name: {{ template "kong.serviceAccountTokenName" . }}
{{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
See the related documentation of semver module that Helm depends on for semverCompare:
https://github.com/Masterminds/semver#working-with-prerelease-versions
Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
{{- else }}
secret:
secretName: {{ template "kong.serviceAccountTokenName" . }}
items:
- key: token
path: token
- key: ca.crt
path: ca.crt
- key: namespace
path: namespace
{{- end }}
{{- end }}
{{- end }}


@ -29,6 +29,9 @@ spec:
{{- range $key, $value := .Values.migrations.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
{{- end }}
{{- end }}
spec:
{{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
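Review bot: The added `kuma.io/service-account-token-volume` annotation sits just before an `{{- end }}` that closes a block opened outside the hunk, directly after the `range` over `.Values.migrations.annotations`. If that outer block is conditional on `.Values.migrations.annotations` being non-empty, the annotation is dropped when a user clears those annotations, while the token volume is still rendered; please check the enclosing condition and extend it to cover this case if so. The value is also emitted unquoted; `{{ include "kong.serviceAccountTokenName" . | quote }}` would match the `| quote` used for the user annotations above. The same applies to the identical hunks in the next two migrations templates.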


@ -31,6 +31,9 @@ spec:
{{- range $key, $value := .Values.migrations.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
{{- end }}
{{- end }}
spec:
{{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}


@ -39,6 +39,9 @@ spec:
{{- range $key, $value := .Values.migrations.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
{{- end }}
{{- end }}
spec:
{{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}


@ -6,4 +6,4 @@ dependencies:
repository: https://charts.redpanda.com
version: 0.1.5
digest: sha256:dd7afd55f6eb7e9b3a91b0e5eeda47138e23c255b32d277ad4cb3a7ad3ec1b1f
generated: "2023-08-29T23:24:16.635099387Z"
generated: "2023-08-31T03:08:33.366208928Z"


@ -37,4 +37,4 @@ name: redpanda
sources:
- https://github.com/redpanda-data/helm-charts
type: application
version: 5.2.0
version: 5.3.0


@ -0,0 +1,463 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "configmap-content-no-seed" -}}
{{- /*
configmap content without seed list.
*/ -}}
{{- $root := . }}
{{- $values := .Values }}
{{- /*
It's impossible to do a rolling upgrade from not-tls-enabled rpc to tls-enabled rpc.
*/ -}}
{{- $check := list
(include "redpanda-atleast-23-1-2" .|fromJson).bool
(include "redpanda-22-3-atleast-22-3-13" .|fromJson).bool
(include "redpanda-22-2-atleast-22-2-10" .|fromJson).bool
-}}
{{- $wantedRPCTLS := (include "rpc-tls-enabled" . | fromJson).bool -}}
{{- if and (not (mustHas true $check)) $wantedRPCTLS -}}
{{- fail (printf "Redpanda version v%s does not support TLS on the RPC port. Please upgrade. See technical service bulletin 2023-01." (include "redpanda.semver" .)) -}}
{{- end -}}
{{- $cm := lookup "v1" "ConfigMap" .Release.Namespace (include "redpanda.fullname" .) -}}
{{- $redpandaYAML := dig "data" "redpanda.yaml" "" $cm | fromYaml -}}
{{- $currentRPCTLS := dig "redpanda" "rpc_server_tls" "enabled" false $redpandaYAML -}}
{{- /* Lookup will return an empty map when running `helm template` or when `--dry-run` is passed. */ -}}
{{- if (and .Release.IsUpgrade $cm) -}}
{{- if ne $currentRPCTLS $wantedRPCTLS -}}
{{- if eq (get .Values "force" | default false) false -}}
{{- fail (join "\n" (list
(printf "\n\nError: Cannot do a rolling restart to enable or disable tls at the RPC layer: changing listeners.rpc.tls.enabled (redpanda.yaml:repdanda.rpc_server_tls.enabled) from %v to %v" $currentRPCTLS $wantedRPCTLS)
"***WARNING The following instructions will result in a short period of downtime."
"To accept this risk, run the upgrade again adding `--force=true` and do the following:\n"
"While helm is upgrading the release, manually delete ALL the pods:"
(printf " kubectl -n %s delete pod -l app.kubernetes.io/component=redpanda-statefulset" .Release.Namespace)
"\nIf you got here thinking rpc tls was already enabled, see technical service bulletin 2023-01."
))
-}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- $users := list -}}
{{- if (include "sasl-enabled" . | fromJson).bool -}}
{{- range $user := .Values.auth.sasl.users -}}
{{- $users = append $users $user.name -}}
{{- end -}}
{{- end -}}
bootstrap.yaml: |
kafka_enable_authorization: {{ (include "sasl-enabled" . | fromJson).bool }}
enable_sasl: {{ (include "sasl-enabled" . | fromJson).bool }}
enable_rack_awareness: {{ .Values.rackAwareness.enabled }}
{{- if $users }}
superusers: {{ toJson $users }}
{{- end }}
{{- with (dig "cluster" dict .Values.config) }}
{{- range $key, $element := .}}
{{- if or (eq (typeOf $element) "bool") $element }}
{{ $key }}: {{ $element | toYaml }}
{{- end }}
{{- end }}
{{- end }}
{{- include "tunable" . }}
{{- if and (not (hasKey .Values.config.cluster "storage_min_free_bytes")) ((include "redpanda-atleast-22-2-0" . | fromJson).bool) }}
storage_min_free_bytes: {{ include "storage-min-free-bytes" . }}
{{- end }}
{{- if and (include "is-licensed" . | fromJson).bool .Values.storage.tieredConfig.cloud_storage_enabled }}
{{- $tieredStorageConfig := deepCopy .Values.storage.tieredConfig }}
{{- $tieredStorageConfig = unset $tieredStorageConfig "cloud_storage_cache_directory" }}
{{- if not (include "redpanda-atleast-22-3-0" . | fromJson).bool }}
{{- $tieredStorageConfig = unset $tieredStorageConfig "cloud_storage_credentials_source"}}
{{- end }}
{{- range $key, $element := $tieredStorageConfig}}
{{- if or (eq (typeOf $element) "bool") $element }}
{{ $key }}: {{ $element | toYaml }}
{{- end }}
{{- end }}
{{- end }}
redpanda.yaml: |
config_file: /etc/redpanda/redpanda.yaml
{{- if .Values.logging.usageStats.enabled }}
{{- with (dig "usageStats" "organization" "" .Values.logging) }}
organization: {{ . }}
{{- end }}
{{- with (dig "usageStats" "clusterId" "" .Values.logging) }}
cluster_id: {{ . }}
{{- end }}
{{- end }}
redpanda:
{{- if (include "redpanda-atleast-22-3-0" . | fromJson).bool }}
empty_seed_starts_cluster: false
{{- end }}
kafka_enable_authorization: {{ (include "sasl-enabled" . | fromJson).bool }}
enable_sasl: {{ (include "sasl-enabled" . | fromJson).bool }}
{{- if $users }}
superusers: {{ toJson $users }}
{{- end }}
{{- with (dig "cluster" dict .Values.config) }}
{{- range $key, $element := . }}
{{- if or (eq (typeOf $element) "bool") $element }}
{{ $key }}: {{ $element | toYaml }}
{{- end }}
{{- end }}
{{- end }}
{{- with (dig "tunable" dict .Values.config) }}
{{- range $key, $element := .}}
{{- if or (eq (typeOf $element) "bool") $element }}
{{ $key }}: {{ $element | toYaml }}
{{- end }}
{{- end }}
{{- end }}
{{- if not (hasKey .Values.config.cluster "storage_min_free_bytes") }}
storage_min_free_bytes: {{ include "storage-min-free-bytes" . }}
{{- end }}
{{- with dig "node" dict .Values.config }}
{{- range $key, $element := .}}
{{- if or (eq (typeOf $element) "bool") $element }}
{{ $key }}: {{ $element | toYaml }}
{{- end }}
{{- end }}
{{- end }}
{{- /* LISTENERS */}}
{{- /* Admin API */}}
{{- $service := .Values.listeners.admin }}
admin:
- name: internal
address: 0.0.0.0
port: {{ $service.port }}
{{- range $name, $listener := $service.external }}
{{- if and $listener.port $name }}
- name: {{ $name }}
address: 0.0.0.0
port: {{ $listener.port }}
{{- end }}
{{- end }}
admin_api_tls:
{{- if (include "admin-internal-tls-enabled" . | fromJson).bool }}
- name: internal
enabled: true
cert_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.crt
key_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.key
require_client_auth: {{ $service.tls.requireClientAuth }}
{{- $cert := get .Values.tls.certs $service.tls.cert }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined")}}
{{- end }}
{{- if $cert.caEnabled }}
truststore_file: /etc/tls/certs/{{ $service.tls.cert }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
{{- range $name, $listener := $service.external }}
{{- $k := dict "Values" $values "listener" $listener }}
{{- if (include "admin-external-tls-enabled" $k | fromJson).bool }}
{{- $mtls := dig "tls" "requireClientAuth" false $listener }}
{{- $mtls = dig "tls" "requireClientAuth" $mtls $k }}
{{- $certName := include "admin-external-tls-cert" $k }}
{{- $certPath := printf "/etc/tls/certs/%s" $certName }}
{{- $cert := get $values.tls.certs $certName }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined" $certName)}}
{{- end }}
- name: {{ $name }}
enabled: true
cert_file: {{ $certPath }}/tls.crt
key_file: {{ $certPath }}/tls.key
require_client_auth: {{ $mtls }}
{{- if $cert.caEnabled }}
truststore_file: {{ $certPath }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
{{- end }}
{{- /* Kafka API */}}
{{- $kafkaService := .Values.listeners.kafka }}
kafka_api:
- name: internal
address: 0.0.0.0
port: {{ $kafkaService.port }}
{{- if or (include "sasl-enabled" $root | fromJson).bool $kafkaService.authenticationMethod }}
authentication_method: {{ default "sasl" $kafkaService.authenticationMethod }}
{{- end }}
{{- range $name, $listener := $kafkaService.external }}
- name: {{ $name }}
address: 0.0.0.0
port: {{ $listener.port }}
{{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }}
authentication_method: {{ default "sasl" $listener.authenticationMethod }}
{{- end }}
{{- end }}
kafka_api_tls:
{{- if (include "kafka-internal-tls-enabled" . | fromJson).bool }}
- name: internal
enabled: true
cert_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/tls.crt
key_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/tls.key
require_client_auth: {{ $kafkaService.tls.requireClientAuth }}
{{- $cert := get .Values.tls.certs $kafkaService.tls.cert }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined")}}
{{- end }}
{{- if $cert.caEnabled }}
truststore_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
{{- range $name, $listener := $kafkaService.external }}
{{- $k := dict "Values" $values "listener" $listener }}
{{- if (include "kafka-external-tls-enabled" $k | fromJson).bool }}
{{- $mtls := dig "tls" "requireClientAuth" false $listener }}
{{- $mtls = dig "tls" "requireClientAuth" $mtls $k }}
{{- $certName := include "kafka-external-tls-cert" $k }}
{{- $certPath := printf "/etc/tls/certs/%s" $certName }}
{{- $cert := get $values.tls.certs $certName }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined" $certName)}}
{{- end }}
- name: {{ $name }}
enabled: true
cert_file: {{ $certPath }}/tls.crt
key_file: {{ $certPath }}/tls.key
require_client_auth: {{ $mtls }}
{{- if $cert.caEnabled }}
truststore_file: {{ $certPath }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
{{- end }}
{{- /* RPC Server */}}
{{- $service = .Values.listeners.rpc }}
rpc_server:
address: 0.0.0.0
port: {{ $service.port }}
{{- if (include "rpc-tls-enabled" . | fromJson).bool }}
rpc_server_tls:
enabled: true
cert_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.crt
key_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.key
require_client_auth: {{ $service.tls.requireClientAuth }}
{{- $cert := get .Values.tls.certs $service.tls.cert }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined")}}
{{- end }}
{{- if $cert.caEnabled }}
truststore_file: /etc/tls/certs/{{ $service.tls.cert }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
seed_servers:
{{- with $root.tempConfigMapServerList -}}
{{- . | trim | nindent 8 }}
{{- end -}}
{{- if and (include "is-licensed" . | fromJson).bool .Values.storage.tieredConfig.cloud_storage_enabled }}
{{- $tieredStorageConfig := deepCopy .Values.storage.tieredConfig }}
{{- if not (include "redpanda-atleast-22-3-0" . | fromJson).bool }}
{{- $tieredStorageConfig = unset $tieredStorageConfig "cloud_storage_credentials_source"}}
{{- end }}
{{- range $key, $element := $tieredStorageConfig}}
{{- if or (eq (typeOf $element) "bool") $element }}
{{ $key }}: {{ $element | toYaml }}
{{- end }}
{{- end }}
{{- end }}
{{- /* Schema Registry API */}}
{{- if and .Values.listeners.schemaRegistry.enabled (include "redpanda-22-2-x-without-sasl" $root | fromJson).bool }}
{{- $schemaRegistryService := .Values.listeners.schemaRegistry }}
schema_registry:
schema_registry_api:
- name: internal
address: 0.0.0.0
port: {{ $schemaRegistryService.port }}
{{- if or (include "sasl-enabled" $root | fromJson).bool $schemaRegistryService.authenticationMethod }}
authentication_method: {{ default "http_basic" $schemaRegistryService.authenticationMethod }}
{{- end }}
{{- range $name, $listener := $schemaRegistryService.external }}
- name: {{ $name }}
address: 0.0.0.0
{{- /*
when upgrading from an older version that had a missing port, fail if we cannot guess a default
this should work in all cases as the older versions would have failed with multiple listeners anyway
*/}}
{{- if and (empty $listener.port) (ne (len $schemaRegistryService.external) 1) }}
{{- fail "missing required port for schemaRegistry listener $listener.name" }}
{{- end }}
port: {{ $listener.port | default 8084 }}
{{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }}
authentication_method: {{ default "http_basic" $listener.authenticationMethod }}
{{- end }}
{{- end }}
schema_registry_api_tls:
{{- if (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool }}
- name: internal
enabled: true
cert_file: /etc/tls/certs/{{ $schemaRegistryService.tls.cert }}/tls.crt
key_file: /etc/tls/certs/{{ $schemaRegistryService.tls.cert }}/tls.key
require_client_auth: {{ $schemaRegistryService.tls.requireClientAuth }}
{{- $cert := get .Values.tls.certs $schemaRegistryService.tls.cert }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined")}}
{{- end }}
{{- if $cert.caEnabled }}
truststore_file: /etc/tls/certs/{{ $schemaRegistryService.tls.cert }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
{{- range $name, $listener := $schemaRegistryService.external }}
{{- $k := dict "Values" $values "listener" $listener }}
{{- if (include "schemaRegistry-external-tls-enabled" $k | fromJson).bool }}
{{- $mtls := dig "tls" "requireClientAuth" false $listener }}
{{- $mtls = dig "tls" "requireClientAuth" $mtls $k }}
{{- $certName := include "schemaRegistry-external-tls-cert" $k }}
{{- $certPath := printf "/etc/tls/certs/%s" $certName }}
{{- $cert := get $values.tls.certs $certName }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined")}}
{{- end }}
- name: {{ $name }}
enabled: true
cert_file: {{ $certPath }}/tls.crt
key_file: {{ $certPath }}/tls.key
require_client_auth: {{ $mtls }}
{{- if $cert.caEnabled }}
truststore_file: {{ $certPath }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- /* HTTP Proxy */}}
{{- if and .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" $root | fromJson).bool }}
{{- $HTTPService := .Values.listeners.http }}
pandaproxy:
pandaproxy_api:
- name: internal
address: 0.0.0.0
port: {{ $HTTPService.port }}
{{- if or (include "sasl-enabled" $root | fromJson).bool $HTTPService.authenticationMethod }}
authentication_method: {{ default "http_basic" $HTTPService.authenticationMethod }}
{{- end }}
{{- range $name, $listener := $HTTPService.external }}
- name: {{ $name }}
address: 0.0.0.0
port: {{ $listener.port }}
{{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }}
authentication_method: {{ default "http_basic" $listener.authenticationMethod }}
{{- end }}
{{- end }}
pandaproxy_api_tls:
{{- if (include "http-internal-tls-enabled" . | fromJson).bool }}
- name: internal
enabled: true
cert_file: /etc/tls/certs/{{ $HTTPService.tls.cert }}/tls.crt
key_file: /etc/tls/certs/{{ $HTTPService.tls.cert }}/tls.key
require_client_auth: {{ $HTTPService.tls.requireClientAuth }}
{{- $cert := get .Values.tls.certs $HTTPService.tls.cert }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined")}}
{{- end }}
{{- if $cert.caEnabled }}
truststore_file: /etc/tls/certs/{{ $HTTPService.tls.cert }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
{{- range $name, $listener := $HTTPService.external }}
{{- $k := dict "Values" $values "listener" $listener }}
{{- if (include "http-external-tls-enabled" $k | fromJson).bool }}
{{- $mtls := dig "tls" "requireClientAuth" false $listener }}
{{- $mtls = dig "tls" "requireClientAuth" $mtls $k }}
{{- $certName := include "http-external-tls-cert" $k }}
{{- $certPath := printf "/etc/tls/certs/%s" $certName }}
{{- $cert := get $values.tls.certs $certName }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined")}}
{{- end }}
- name: {{ $name }}
enabled: true
cert_file: {{ $certPath }}/tls.crt
key_file: {{ $certPath }}/tls.key
require_client_auth: {{ $mtls }}
{{- if $cert.caEnabled }}
truststore_file: {{ $certPath }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- /* END LISTENERS */}}
rpk:
{{- with (dig "rpk" dict .Values.config) }}
{{- . | toYaml | nindent 6}}
{{- end }}
enable_usage_stats: {{ .Values.logging.usageStats.enabled }}
overprovisioned: {{ dig "cpu" "overprovisioned" false .Values.resources }}
enable_memory_locking: {{ dig "memory" "enable_memory_locking" false .Values.resources }}
{{- if hasKey .Values.tuning "tune_aio_events" }}
tune_aio_events: {{ .Values.tuning.tune_aio_events }}
{{- end }}
{{- if hasKey .Values.tuning "tune_clocksource" }}
tune_clocksource: {{ .Values.tuning.tune_clocksource }}
{{- end }}
{{- if hasKey .Values.tuning "tune_ballast_file" }}
tune_ballast_file: {{ .Values.tuning.tune_ballast_file }}
{{- end }}
{{- if hasKey .Values.tuning "ballast_file_path" }}
ballast_file_path: {{ .Values.tuning.ballast_file_path }}
{{- end }}
{{- if hasKey .Values.tuning "ballast_file_size" }}
ballast_file_size: {{ .Values.tuning.ballast_file_size }}
{{- end }}
{{- if hasKey .Values.tuning "well_known_io" }}
well_known_io: {{ .Values.tuning.well_known_io }}
{{- end }}
{{- end -}}
{{- define "configmap-server-list" -}}
{{- $root := . }}
{{- range (include "seed-server-list" $root | mustFromJson) }}
- host:
address: {{ . }}
port: {{ $root.Values.listeners.rpc.port }}
{{- end }}
{{- end -}}
{{- define "configmap-with-server-list" -}}
{{- $root := . }}
{{- $serverList := (include "configmap-server-list" $root ) -}}
{{- $r := set $root "tempConfigMapServerList" ( $serverList ) }}
{{ include "configmap-content-no-seed" $r }}
{{- end -}}
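Review bot: In each external-listener TLS block the second assignment, `{{- $mtls = dig "tls" "requireClientAuth" $mtls $k }}`, looks like a no-op: `$k` is built on the line before with only the keys `Values` and `listener`, so `dig "tls" ...` always falls through to its default. If the intent was to inherit `requireClientAuth` from the listener group, external listeners currently render `require_client_auth: false` unless it is set per listener; for the admin block something like `{{- $mtls := dig "tls" "requireClientAuth" $service.tls.requireClientAuth $listener }}` would express that, and likewise for kafka, schemaRegistry and http. Separately, most `fail (printf "Certificate, '%s', used but not defined")` calls pass no argument for `%s` (only the admin and kafka external blocks pass `$certName`), and the schemaRegistry `fail "missing required port for schemaRegistry listener $listener.name"` is a plain string that is never interpolated, so both messages come out without the name an operator needs.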


@ -14,47 +14,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $root := . }}
{{- $values := .Values }}
{{- /*
It's impossible to do a rolling upgrade from not-tls-enabled rpc to tls-enabled rpc.
*/ -}}
{{- $check := list
(include "redpanda-atleast-23-1-2" .|fromJson).bool
(include "redpanda-22-3-atleast-22-3-13" .|fromJson).bool
(include "redpanda-22-2-atleast-22-2-10" .|fromJson).bool
-}}
{{- $wantedRPCTLS := (include "rpc-tls-enabled" . | fromJson).bool -}}
{{- if and (not (mustHas true $check)) $wantedRPCTLS -}}
{{- fail (printf "Redpanda version v%s does not support TLS on the RPC port. Please upgrade. See technical service bulletin 2023-01." (include "redpanda.semver" .)) -}}
{{- end -}}
{{- $cm := lookup "v1" "ConfigMap" .Release.Namespace (include "redpanda.fullname" .) -}}
{{- $redpandaYAML := dig "data" "redpanda.yaml" "" $cm | fromYaml -}}
{{- $currentRPCTLS := dig "redpanda" "rpc_server_tls" "enabled" false $redpandaYAML -}}
{{- /* Lookup will return an empty map when running `helm template` or when `--dry-run` is passed. */ -}}
{{- if (and .Release.IsUpgrade $cm) -}}
{{- if ne $currentRPCTLS $wantedRPCTLS -}}
{{- if eq (get .Values "force" | default false) false -}}
{{- fail (join "\n" (list
(printf "\n\nError: Cannot do a rolling restart to enable or disable tls at the RPC layer: changing listeners.rpc.tls.enabled (redpanda.yaml:repdanda.rpc_server_tls.enabled) from %v to %v" $currentRPCTLS $wantedRPCTLS)
"***WARNING The following instructions will result in a short period of downtime."
"To accept this risk, run the upgrade again adding `--force=true` and do the following:\n"
"While helm is upgrading the release, manually delete ALL the pods:"
(printf " kubectl -n %s delete pod -l app.kubernetes.io/component=redpanda-statefulset" .Release.Namespace)
"\nIf you got here thinking rpc tls was already enabled, see technical service bulletin 2023-01."
))
-}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- $users := list -}}
{{- if (include "sasl-enabled" . | fromJson).bool -}}
{{- range $user := .Values.auth.sasl.users -}}
{{- $users = append $users $user.name -}}
{{- end -}}
{{- end -}}
---
apiVersion: v1
kind: ConfigMap
@ -66,388 +25,4 @@ metadata:
{{- . | nindent 4 }}
{{- end }}
data:
bootstrap.yaml: |
kafka_enable_authorization: {{ (include "sasl-enabled" . | fromJson).bool }}
enable_sasl: {{ (include "sasl-enabled" . | fromJson).bool }}
enable_rack_awareness: {{ .Values.rackAwareness.enabled }}
{{- if $users }}
superusers: {{ toJson $users }}
{{- end }}
{{- with (dig "cluster" dict .Values.config) }}
{{- range $key, $element := .}}
{{- if or (eq (typeOf $element) "bool") $element }}
{{ $key }}: {{ $element | toYaml }}
{{- end }}
{{- end }}
{{- end }}
{{- include "tunable" . }}
{{- if and (not (hasKey .Values.config.cluster "storage_min_free_bytes")) ((include "redpanda-atleast-22-2-0" . | fromJson).bool) }}
storage_min_free_bytes: {{ include "storage-min-free-bytes" . }}
{{- end }}
{{- if and (include "is-licensed" . | fromJson).bool .Values.storage.tieredConfig.cloud_storage_enabled }}
{{- $tieredStorageConfig := deepCopy .Values.storage.tieredConfig }}
{{- $tieredStorageConfig = unset $tieredStorageConfig "cloud_storage_cache_directory" }}
{{- if not (include "redpanda-atleast-22-3-0" . | fromJson).bool }}
{{- $tieredStorageConfig = unset $tieredStorageConfig "cloud_storage_credentials_source"}}
{{- end }}
{{- range $key, $element := $tieredStorageConfig}}
{{- if or (eq (typeOf $element) "bool") $element }}
{{ $key }}: {{ $element | toYaml }}
{{- end }}
{{- end }}
{{- end }}
redpanda.yaml: |
config_file: /etc/redpanda/redpanda.yaml
{{- if .Values.logging.usageStats.enabled }}
{{- with (dig "usageStats" "organization" "" .Values.logging) }}
organization: {{ . }}
{{- end }}
{{- with (dig "usageStats" "clusterId" "" .Values.logging) }}
cluster_id: {{ . }}
{{- end }}
{{- end }}
redpanda:
{{- if (include "redpanda-atleast-22-3-0" . | fromJson).bool }}
empty_seed_starts_cluster: false
{{- end }}
kafka_enable_authorization: {{ (include "sasl-enabled" . | fromJson).bool }}
enable_sasl: {{ (include "sasl-enabled" . | fromJson).bool }}
{{- if $users }}
superusers: {{ toJson $users }}
{{- end }}
{{- with (dig "cluster" dict .Values.config) }}
{{- range $key, $element := . }}
{{- if or (eq (typeOf $element) "bool") $element }}
{{ $key }}: {{ $element | toYaml }}
{{- end }}
{{- end }}
{{- end }}
{{- with (dig "tunable" dict .Values.config) }}
{{- range $key, $element := .}}
{{- if or (eq (typeOf $element) "bool") $element }}
{{ $key }}: {{ $element | toYaml }}
{{- end }}
{{- end }}
{{- end }}
{{- if not (hasKey .Values.config.cluster "storage_min_free_bytes") }}
storage_min_free_bytes: {{ include "storage-min-free-bytes" . }}
{{- end }}
{{- with dig "node" dict .Values.config }}
{{- range $key, $element := .}}
{{- if or (eq (typeOf $element) "bool") $element }}
{{ $key }}: {{ $element | toYaml }}
{{- end }}
{{- end }}
{{- end }}
{{- /* LISTENERS */}}
{{- /* Admin API */}}
{{- $service := .Values.listeners.admin }}
admin:
- name: internal
address: 0.0.0.0
port: {{ $service.port }}
{{- range $name, $listener := $service.external }}
{{- if and $listener.port $name }}
- name: {{ $name }}
address: 0.0.0.0
port: {{ $listener.port }}
{{- end }}
{{- end }}
admin_api_tls:
{{- if (include "admin-internal-tls-enabled" . | fromJson).bool }}
- name: internal
enabled: true
cert_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.crt
key_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.key
require_client_auth: {{ $service.tls.requireClientAuth }}
{{- $cert := get .Values.tls.certs $service.tls.cert }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined")}}
{{- end }}
{{- if $cert.caEnabled }}
truststore_file: /etc/tls/certs/{{ $service.tls.cert }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
{{- range $name, $listener := $service.external }}
{{- $k := dict "Values" $values "listener" $listener }}
{{- if (include "admin-external-tls-enabled" $k | fromJson).bool }}
{{- $mtls := dig "tls" "requireClientAuth" false $listener }}
{{- $mtls = dig "tls" "requireClientAuth" $mtls $k }}
{{- $certName := include "admin-external-tls-cert" $k }}
{{- $certPath := printf "/etc/tls/certs/%s" $certName }}
{{- $cert := get $values.tls.certs $certName }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined" $certName)}}
{{- end }}
- name: {{ $name }}
enabled: true
cert_file: {{ $certPath }}/tls.crt
key_file: {{ $certPath }}/tls.key
require_client_auth: {{ $mtls }}
{{- if $cert.caEnabled }}
truststore_file: {{ $certPath }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
{{- end }}
{{- /* Kafka API */}}
{{- $kafkaService := .Values.listeners.kafka }}
kafka_api:
- name: internal
address: 0.0.0.0
port: {{ $kafkaService.port }}
{{- if or (include "sasl-enabled" $root | fromJson).bool $kafkaService.authenticationMethod }}
authentication_method: {{ default "sasl" $kafkaService.authenticationMethod }}
{{- end }}
{{- range $name, $listener := $kafkaService.external }}
- name: {{ $name }}
address: 0.0.0.0
port: {{ $listener.port }}
{{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }}
authentication_method: {{ default "sasl" $listener.authenticationMethod }}
{{- end }}
{{- end }}
kafka_api_tls:
{{- if (include "kafka-internal-tls-enabled" . | fromJson).bool }}
- name: internal
enabled: true
cert_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/tls.crt
key_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/tls.key
require_client_auth: {{ $kafkaService.tls.requireClientAuth }}
{{- $cert := get .Values.tls.certs $kafkaService.tls.cert }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined")}}
{{- end }}
{{- if $cert.caEnabled }}
truststore_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
{{- range $name, $listener := $kafkaService.external }}
{{- $k := dict "Values" $values "listener" $listener }}
{{- if (include "kafka-external-tls-enabled" $k | fromJson).bool }}
{{- $mtls := dig "tls" "requireClientAuth" false $listener }}
{{- $mtls = dig "tls" "requireClientAuth" $mtls $k }}
{{- $certName := include "kafka-external-tls-cert" $k }}
{{- $certPath := printf "/etc/tls/certs/%s" $certName }}
{{- $cert := get $values.tls.certs $certName }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined" $certName)}}
{{- end }}
- name: {{ $name }}
enabled: true
cert_file: {{ $certPath }}/tls.crt
key_file: {{ $certPath }}/tls.key
require_client_auth: {{ $mtls }}
{{- if $cert.caEnabled }}
truststore_file: {{ $certPath }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
{{- end }}
{{- /* RPC Server */}}
{{- $service = .Values.listeners.rpc }}
rpc_server:
address: 0.0.0.0
port: {{ $service.port }}
{{- if (include "rpc-tls-enabled" . | fromJson).bool }}
rpc_server_tls:
enabled: true
cert_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.crt
key_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.key
require_client_auth: {{ $service.tls.requireClientAuth }}
{{- $cert := get .Values.tls.certs $service.tls.cert }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined")}}
{{- end }}
{{- if $cert.caEnabled }}
truststore_file: /etc/tls/certs/{{ $service.tls.cert }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
seed_servers:
{{- range (include "seed-server-list" . | mustFromJson) }}
- host:
address: {{ . }}
port: {{ $values.listeners.rpc.port }}
{{- end }}
{{- if and (include "is-licensed" . | fromJson).bool .Values.storage.tieredConfig.cloud_storage_enabled }}
{{- $tieredStorageConfig := deepCopy .Values.storage.tieredConfig }}
{{- if not (include "redpanda-atleast-22-3-0" . | fromJson).bool }}
{{- $tieredStorageConfig = unset $tieredStorageConfig "cloud_storage_credentials_source"}}
{{- end }}
{{- range $key, $element := $tieredStorageConfig}}
{{- if or (eq (typeOf $element) "bool") $element }}
{{ $key }}: {{ $element | toYaml }}
{{- end }}
{{- end }}
{{- end }}
{{- /* Schema Registry API */}}
{{- if and .Values.listeners.schemaRegistry.enabled (include "redpanda-22-2-x-without-sasl" $root | fromJson).bool }}
{{- $schemaRegistryService := .Values.listeners.schemaRegistry }}
schema_registry:
schema_registry_api:
- name: internal
address: 0.0.0.0
port: {{ $schemaRegistryService.port }}
{{- if or (include "sasl-enabled" $root | fromJson).bool $schemaRegistryService.authenticationMethod }}
authentication_method: {{ default "http_basic" $schemaRegistryService.authenticationMethod }}
{{- end }}
{{- range $name, $listener := $schemaRegistryService.external }}
- name: {{ $name }}
address: 0.0.0.0
{{- /*
when upgrading from an older version that had a missing port, fail if we cannot guess a default
this should work in all cases as the older versions would have failed with multiple listeners anyway
*/}}
{{- if and (empty $listener.port) (ne (len $schemaRegistryService.external) 1) }}
{{- fail "missing required port for schemaRegistry listener $listener.name" }}
{{- end }}
port: {{ $listener.port | default 8084 }}
{{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }}
authentication_method: {{ default "http_basic" $listener.authenticationMethod }}
{{- end }}
{{- end }}
schema_registry_api_tls:
{{- if (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool }}
- name: internal
enabled: true
cert_file: /etc/tls/certs/{{ $schemaRegistryService.tls.cert }}/tls.crt
key_file: /etc/tls/certs/{{ $schemaRegistryService.tls.cert }}/tls.key
require_client_auth: {{ $schemaRegistryService.tls.requireClientAuth }}
{{- $cert := get .Values.tls.certs $schemaRegistryService.tls.cert }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined")}}
{{- end }}
{{- if $cert.caEnabled }}
truststore_file: /etc/tls/certs/{{ $schemaRegistryService.tls.cert }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
{{- range $name, $listener := $schemaRegistryService.external }}
{{- $k := dict "Values" $values "listener" $listener }}
{{- if (include "schemaRegistry-external-tls-enabled" $k | fromJson).bool }}
{{- $mtls := dig "tls" "requireClientAuth" false $listener }}
{{- $mtls = dig "tls" "requireClientAuth" $mtls $k }}
{{- $certName := include "schemaRegistry-external-tls-cert" $k }}
{{- $certPath := printf "/etc/tls/certs/%s" $certName }}
{{- $cert := get $values.tls.certs $certName }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined")}}
{{- end }}
- name: {{ $name }}
enabled: true
cert_file: {{ $certPath }}/tls.crt
key_file: {{ $certPath }}/tls.key
require_client_auth: {{ $mtls }}
{{- if $cert.caEnabled }}
truststore_file: {{ $certPath }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- /* HTTP Proxy */}}
{{- if and .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" $root | fromJson).bool }}
{{- $HTTPService := .Values.listeners.http }}
pandaproxy:
pandaproxy_api:
- name: internal
address: 0.0.0.0
port: {{ $HTTPService.port }}
{{- if or (include "sasl-enabled" $root | fromJson).bool $HTTPService.authenticationMethod }}
authentication_method: {{ default "http_basic" $HTTPService.authenticationMethod }}
{{- end }}
{{- range $name, $listener := $HTTPService.external }}
- name: {{ $name }}
address: 0.0.0.0
port: {{ $listener.port }}
{{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }}
authentication_method: {{ default "http_basic" $listener.authenticationMethod }}
{{- end }}
{{- end }}
pandaproxy_api_tls:
{{- if (include "http-internal-tls-enabled" . | fromJson).bool }}
- name: internal
enabled: true
cert_file: /etc/tls/certs/{{ $HTTPService.tls.cert }}/tls.crt
key_file: /etc/tls/certs/{{ $HTTPService.tls.cert }}/tls.key
require_client_auth: {{ $HTTPService.tls.requireClientAuth }}
{{- $cert := get .Values.tls.certs $HTTPService.tls.cert }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined")}}
{{- end }}
{{- if $cert.caEnabled }}
truststore_file: /etc/tls/certs/{{ $HTTPService.tls.cert }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
{{- range $name, $listener := $HTTPService.external }}
{{- $k := dict "Values" $values "listener" $listener }}
{{- if (include "http-external-tls-enabled" $k | fromJson).bool }}
{{- $mtls := dig "tls" "requireClientAuth" false $listener }}
{{- $mtls = dig "tls" "requireClientAuth" $mtls $k }}
{{- $certName := include "http-external-tls-cert" $k }}
{{- $certPath := printf "/etc/tls/certs/%s" $certName }}
{{- $cert := get $values.tls.certs $certName }}
{{- if empty $cert }}
{{- fail (printf "Certificate, '%s', used but not defined")}}
{{- end }}
- name: {{ $name }}
enabled: true
cert_file: {{ $certPath }}/tls.crt
key_file: {{ $certPath }}/tls.key
require_client_auth: {{ $mtls }}
{{- if $cert.caEnabled }}
truststore_file: {{ $certPath }}/ca.crt
{{- else }}
{{- /* This is a required field so we use the default in the redpanda debian container */}}
truststore_file: /etc/ssl/certs/ca-certificates.crt
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- /* END LISTENERS */}}
rpk:
{{- with (dig "rpk" dict .Values.config) }}
{{- . | toYaml | nindent 6}}
{{- end }}
enable_usage_stats: {{ .Values.logging.usageStats.enabled }}
overprovisioned: {{ dig "cpu" "overprovisioned" false .Values.resources }}
enable_memory_locking: {{ dig "memory" "enable_memory_locking" false .Values.resources }}
{{- if hasKey .Values.tuning "tune_aio_events" }}
tune_aio_events: {{ .Values.tuning.tune_aio_events }}
{{- end }}
{{- if hasKey .Values.tuning "tune_clocksource" }}
tune_clocksource: {{ .Values.tuning.tune_clocksource }}
{{- end }}
{{- if hasKey .Values.tuning "tune_ballast_file" }}
tune_ballast_file: {{ .Values.tuning.tune_ballast_file }}
{{- end }}
{{- if hasKey .Values.tuning "ballast_file_path" }}
ballast_file_path: {{ .Values.tuning.ballast_file_path }}
{{- end }}
{{- if hasKey .Values.tuning "ballast_file_size" }}
ballast_file_size: {{ .Values.tuning.ballast_file_size }}
{{- end }}
{{- if hasKey .Values.tuning "well_known_io" }}
well_known_io: {{ .Values.tuning.well_known_io }}
{{- end }}
{{ include "configmap-with-server-list" . | trim }}
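Review bot: Nothing visible on the new side of this section still enforces the two RPC TLS guards that the removed block held: the version check that fails when RPC TLS is requested on a Redpanda release without support for it, and the `lookup`-based check that fails an upgrade changing `rpc_server_tls.enabled` unless `force` is set. The section now renders only `{{ include "configmap-with-server-list" . | trim }}`, and the definition of `configmap-content-no-seed` behind it starts outside this view, so whether the guards moved with the config cannot be confirmed from here. If they were dropped, the chart would render RPC TLS for a version that cannot serve it, or switch the setting during a rolling upgrade with no warning; both `fail` calls should stay in whichever template now owns the config. Separately, the visible tail of the moved template still calls `fail (printf "Certificate, '%s', used but not defined")` with no argument, so the message will not name the certificate; passing `$certName`, as the admin and kafka external branches of the old file do, would fix that (assuming it is in scope there).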


@ -57,7 +57,7 @@ spec:
labels: {{ (include "statefulset-pod-labels" .) | nindent 8 }}
redpanda.com/poddisruptionbudget: {{ template "redpanda.name" . }}
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/config: {{ include "configmap-content-no-seed" . | sha256sum }}
{{- with $.Values.statefulset.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
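Review bot: The `checksum/config` annotation now hashes `configmap-content-no-seed` instead of the rendered `configmap.yaml`, so, judging by the helper names, a change that affects only the seed-server list no longer changes the annotation and will not roll the pods. If that is the intent, it deserves a template comment above the line, for example `{{- /* hash excludes seed_servers so a seed-list change alone does not restart brokers */}}`. Note also that `configmap-with-server-list` stores `tempConfigMapServerList` on the root with `set`, which modifies `.` in place, so it is worth confirming that the hash cannot pick that key up depending on the order in which the templates are rendered. The pod template metadata this hunk sits in continues outside the hunk.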


@ -4,7 +4,7 @@ annotations:
catalog.cattle.io/kube-version: '>= 1.17.0-0'
catalog.cattle.io/release-name: speedscale-operator
apiVersion: v1
appVersion: 1.3.320
appVersion: 1.3.335
description: Stress test your APIs with real world scenarios. Collect and replay
traffic without scripting.
home: https://speedscale.com
@ -24,4 +24,4 @@ maintainers:
- email: support@speedscale.com
name: Speedscale Support
name: speedscale-operator
version: 1.3.28
version: 1.3.29


@ -101,10 +101,10 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen
A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
incompatible breaking change needing manual actions.
### Upgrade to 1.3.28
### Upgrade to 1.3.29
```bash
kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/1.3.28/templates/crds/trafficreplays.yaml
kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/1.3.29/templates/crds/trafficreplays.yaml
```
### Upgrade to 1.1.0


@ -101,10 +101,10 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen
A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
incompatible breaking change needing manual actions.
### Upgrade to 1.3.28
### Upgrade to 1.3.29
```bash
kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/1.3.28/templates/crds/trafficreplays.yaml
kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/1.3.29/templates/crds/trafficreplays.yaml
```
### Upgrade to 1.1.0


@ -20,7 +20,7 @@ clusterName: "my-cluster"
# Speedscale components image settings.
image:
registry: gcr.io/speedscale
tag: v1.3.320
tag: v1.3.335
pullPolicy: Always
# Log level for Speedscale components.


@ -4,7 +4,7 @@ annotations:
catalog.cattle.io/kube-version: '>=1.19.0-0'
catalog.cattle.io/release-name: k8s-triliovault-operator
apiVersion: v2
appVersion: 3.1.1
appVersion: 3.1.2
dependencies:
- condition: observability.enabled
name: observability
@ -21,4 +21,4 @@ maintainers:
name: k8s-triliovault-operator
sources:
- https://github.com/trilioData/k8s-triliovault-operator
version: 3.1.1
version: 3.1.2


@ -56,4 +56,4 @@ Once all the pods are in running state, you can access the TVK UI from your brow
For more details on how to access the TVK UI, follow this guide: https://docs.trilio.io/kubernetes/management-console-ui/accessing-the-ui
You can start backup and restore of your application using TVK. For more details on how to do that, please follow our
getting started guide: https://docs.trilio.io/kubernetes/getting-started-3/getting-started-with-management-console
getting started guide: https://docs.trilio.io/kubernetes/advanced-configuration/management-console


@ -4,7 +4,7 @@ operator-webhook-init:
repository: operator-webhook-init
k8s-triliovault-operator:
repository: k8s-triliovault-operator
tag: "3.1.1"
tag: "3.1.2"
# create image pull secrets and specify the name here.
imagePullSecret: ""
priorityClassName: ""
@ -174,8 +174,8 @@ podLabels:
linkerd.io/inject: disabled
relatedImages:
tags:
tvk: "3.1.1"
event: "3.1.1"
tvk: "3.1.2"
event: "3.1.2"
control-plane:
image: "control-plane"
metamover:


@ -25046,6 +25046,34 @@ entries:
- assets/jenkins/jenkins-4.2.9.tgz
version: 4.2.9
k8s-triliovault-operator:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator
catalog.cattle.io/kube-version: '>=1.19.0-0'
catalog.cattle.io/release-name: k8s-triliovault-operator
apiVersion: v2
appVersion: 3.1.2
created: "2023-09-01T15:03:24.560392195Z"
dependencies:
- condition: observability.enabled
name: observability
repository: file://./charts/observability
version: ^0.1.0
description: K8s-TrilioVault-Operator is an operator designed to manage the K8s-TrilioVault
Application Lifecycle.
digest: 712d5508b98bcf391b45099ea68fe8823adfbca55e1450586c66778b7bcf9a82
home: https://github.com/trilioData/k8s-triliovault-operator
icon: https://www.trilio.io/wp-content/uploads/2021/01/Trilio-2020-logo-RGB-gray-green.png
kubeVersion: '>=1.19.0-0'
maintainers:
- email: prafull.ladha@trilio.io
name: prafull11
name: k8s-triliovault-operator
sources:
- https://github.com/trilioData/k8s-triliovault-operator
urls:
- assets/trilio/k8s-triliovault-operator-3.1.2.tgz
version: 3.1.2
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator
@ -26683,6 +26711,58 @@ entries:
- assets/kasten/k10-4.5.900.tgz
version: 4.5.900
kafka:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Apache Kafka
catalog.cattle.io/kube-version: '>=1.19-0'
catalog.cattle.io/release-name: kafka
category: Infrastructure
images: |
- name: jmx-exporter
image: docker.io/bitnami/jmx-exporter:0.19.0-debian-11-r57
- name: kafka-exporter
image: docker.io/bitnami/kafka-exporter:1.7.0-debian-11-r93
- name: kafka
image: docker.io/bitnami/kafka:3.5.1-debian-11-r35
- name: kubectl
image: docker.io/bitnami/kubectl:1.25.13-debian-11-r5
- name: os-shell
image: docker.io/bitnami/os-shell:11-debian-11-r51
licenses: Apache-2.0
apiVersion: v2
appVersion: 3.5.1
created: "2023-09-01T15:03:16.825486077Z"
dependencies:
- condition: zookeeper.enabled
name: zookeeper
repository: file://./charts/zookeeper
version: 12.x.x
- name: common
repository: file://./charts/common
tags:
- bitnami-common
version: 2.x.x
description: Apache Kafka is a distributed streaming platform designed to build
real-time pipelines and can be used as a message broker or as a replacement
for a log aggregation solution for big data applications.
digest: b4aa6f0626e742d2165b0fbb347a0f25c6d5116b7dfd46cbb98545be6be3759b
home: https://bitnami.com
icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/kafka.svg
keywords:
- kafka
- zookeeper
- streaming
- producer
- consumer
maintainers:
- name: VMware, Inc.
url: https://github.com/bitnami/charts
name: kafka
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/kafka
urls:
- assets/bitnami/kafka-25.1.5.tgz
version: 25.1.5
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Apache Kafka
@ -29165,6 +29245,33 @@ entries:
- assets/elastic/kibana-7.17.3.tgz
version: 7.17.3
kong:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Kong Gateway
catalog.cattle.io/release-name: kong
apiVersion: v2
appVersion: "3.3"
created: "2023-09-01T15:03:22.032680464Z"
dependencies:
- condition: postgresql.enabled
name: postgresql
repository: file://./charts/postgresql
version: 11.9.13
description: The Cloud-Native Ingress and API-management
digest: de6bbed8ac0dfb2bd3d25612417db8e3c4ea24b6fe036e029a992adeecd4959c
home: https://konghq.com/
icon: https://s3.amazonaws.com/downloads.kong/universe/assets/icon-kong-inc-large.png
maintainers:
- email: harry@konghq.com
name: hbagdi
- email: traines@konghq.com
name: rainest
name: kong
sources:
- https://github.com/Kong/charts/tree/main/charts/kong
urls:
- assets/kong/kong-2.26.5.tgz
version: 2.26.5
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Kong Gateway
@ -43689,6 +43796,50 @@ entries:
- assets/bitnami/redis-17.3.7.tgz
version: 17.3.7
redpanda:
- annotations:
artifacthub.io/images: |
- name: redpanda
image: docker.redpanda.com/redpandadata/redpanda:v23.2.7
- name: busybox
image: busybox:latest
- name: mintel/docker-alpine-bash-curl-jq
image: mintel/docker-alpine-bash-curl-jq:latest
artifacthub.io/license: Apache-2.0
artifacthub.io/links: |
- name: Documentation
url: https://docs.redpanda.com
- name: "Helm (>= 3.6.0)"
url: https://helm.sh/docs/intro/install/
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Redpanda
catalog.cattle.io/kube-version: '>=1.21-0'
catalog.cattle.io/release-name: redpanda
apiVersion: v2
appVersion: v23.2.7
created: "2023-09-01T15:03:23.741247578Z"
dependencies:
- condition: console.enabled
name: console
repository: file://./charts/console
version: '>=0.5 <1.0'
- condition: connectors.enabled
name: connectors
repository: file://./charts/connectors
version: '>=0.1.2 <1.0'
description: Redpanda is the real-time engine for modern apps.
digest: 61dcd3ac0abe8dd9ab74e3bd57a84ac317bfd29fe27709b8850f60fa2194ec82
icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg
kubeVersion: '>=1.21-0'
maintainers:
- name: redpanda-data
url: https://github.com/orgs/redpanda-data/people
name: redpanda
sources:
- https://github.com/redpanda-data/helm-charts
type: application
urls:
- assets/redpanda/redpanda-5.3.0.tgz
version: 5.3.0
- annotations:
artifacthub.io/images: |
- name: redpanda
@ -46455,6 +46606,48 @@ entries:
- assets/redpanda/redpanda-2.1.7.tgz
version: 2.1.7
s3gw:
- annotations:
app.aquarist-labs.io/name: s3gw
artifacthub.io/category: storage
artifacthub.io/links: |
- name: homepage
url: https://s3gw.io/
- name: support
url: https://github.com/aquarist-labs/s3gw/issues
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: S3 Gateway
catalog.cattle.io/experimental: "true"
catalog.cattle.io/kube-version: '>=1.14'
catalog.cattle.io/namespace: s3gw
catalog.cattle.io/release-name: s3gw
apiVersion: v2
appVersion: latest
created: "2023-09-01T15:03:14.160391249Z"
description: 'Easy-to-use Open Source and Cloud Native S3 service for use on Rancher''s
Kubernetes. '
digest: a160a0c536d48ee0cd0eb81afc5c374958d3e85b87f40c019f060e2be7f43048
home: https://github.com/aquarist-labs/s3gw
icon: https://s3gw.io/img/logo-xl.png
keywords:
- storage
- s3
kubeVersion: '>=1.14'
maintainers:
- email: s3gw@suse.com
name: s3gw maintainers
url: https://github.com/orgs/aquarist-labs/projects/5
name: s3gw
sources:
- https://github.com/aquarist-labs/s3gw-charts
- https://github.com/aquarist-labs/s3gw
- https://github.com/aquarist-labs/ceph
- https://github.com/aquarist-labs/s3gw-ui
- https://github.com/aquarist-labs/s3gw-cosi-driver
- https://github.com/kubernetes-sigs/container-object-storage-interface-provisioner-sidecar
type: application
urls:
- assets/aquarist-labs/s3gw-0.20.0.tgz
version: 0.20.0
- annotations:
app.aquarist-labs.io/name: s3gw
artifacthub.io/category: storage
@ -48318,6 +48511,37 @@ entries:
- assets/bitnami/spark-6.3.8.tgz
version: 6.3.8
speedscale-operator:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Speedscale Operator
catalog.cattle.io/kube-version: '>= 1.17.0-0'
catalog.cattle.io/release-name: speedscale-operator
apiVersion: v1
appVersion: 1.3.335
created: "2023-09-01T15:03:23.838581351Z"
description: Stress test your APIs with real world scenarios. Collect and replay
traffic without scripting.
digest: e8b2a8598ca6040fc58ce49429404a9b1c449f3f04cf14a0464f0d002fd06d02
home: https://speedscale.com
icon: https://raw.githubusercontent.com/speedscale/assets/main/logo/gold_logo_only.png
keywords:
- speedscale
- test
- testing
- regression
- reliability
- load
- replay
- network
- traffic
kubeVersion: '>= 1.17.0-0'
maintainers:
- email: support@speedscale.com
name: Speedscale Support
name: speedscale-operator
urls:
- assets/speedscale/speedscale-operator-1.3.29.tgz
version: 1.3.29
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Speedscale Operator
@ -54753,6 +54977,60 @@ entries:
- assets/hashicorp/vault-0.22.0.tgz
version: 0.22.0
wordpress:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: WordPress
catalog.cattle.io/kube-version: '>=1.19-0'
catalog.cattle.io/release-name: wordpress
category: CMS
images: |
- name: apache-exporter
image: docker.io/bitnami/apache-exporter:1.0.1-debian-11-r32
- name: os-shell
image: docker.io/bitnami/os-shell:11-debian-11-r54
- name: wordpress
image: docker.io/bitnami/wordpress:6.3.1-debian-11-r2
licenses: Apache-2.0
apiVersion: v2
appVersion: 6.3.1
created: "2023-09-01T15:03:18.6233484Z"
dependencies:
- condition: memcached.enabled
name: memcached
repository: file://./charts/memcached
version: 6.x.x
- condition: mariadb.enabled
name: mariadb
repository: file://./charts/mariadb
version: 13.x.x
- name: common
repository: file://./charts/common
tags:
- bitnami-common
version: 2.x.x
description: WordPress is the world's most popular blogging and content management
platform. Powerful yet simple, everyone from students to global corporations
use it to build beautiful, functional websites.
digest: 67809561f34f3fa58fd45d6c0bb791d6c3a92bc590ee1d9c7c6e84ab6fa53731
home: https://bitnami.com
icon: https://s.w.org/style/images/about/WordPress-logotype-simplified.png
keywords:
- application
- blog
- cms
- http
- php
- web
- wordpress
maintainers:
- name: VMware, Inc.
url: https://github.com/bitnami/charts
name: wordpress
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/wordpress
urls:
- assets/bitnami/wordpress-17.1.6.tgz
version: 17.1.6
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: WordPress