diff --git a/assets/amd/amd-gpu-0.11.0.tgz b/assets/amd/amd-gpu-0.11.0.tgz
new file mode 100644
index 000000000..35a08087e
Binary files /dev/null and b/assets/amd/amd-gpu-0.11.0.tgz differ
diff --git a/assets/argo/argo-cd-5.52.1.tgz b/assets/argo/argo-cd-5.52.1.tgz
index fdcdbed4e..dbf413deb 100644
Binary files a/assets/argo/argo-cd-5.52.1.tgz and b/assets/argo/argo-cd-5.52.1.tgz differ
diff --git a/assets/argo/argo-cd-5.53.8.tgz b/assets/argo/argo-cd-5.53.8.tgz
new file mode 100644
index 000000000..ba825cef4
Binary files /dev/null and b/assets/argo/argo-cd-5.53.8.tgz differ
diff --git a/assets/bitnami/airflow-16.4.0.tgz b/assets/bitnami/airflow-16.4.0.tgz
new file mode 100644
index 000000000..49e9ee6f3
Binary files /dev/null and b/assets/bitnami/airflow-16.4.0.tgz differ
diff --git a/assets/bitnami/cassandra-10.8.0.tgz b/assets/bitnami/cassandra-10.8.0.tgz
new file mode 100644
index 000000000..2871fa4e7
Binary files /dev/null and b/assets/bitnami/cassandra-10.8.0.tgz differ
diff --git a/assets/bitnami/kafka-26.8.0.tgz b/assets/bitnami/kafka-26.8.0.tgz
new file mode 100644
index 000000000..82388e9d3
Binary files /dev/null and b/assets/bitnami/kafka-26.8.0.tgz differ
diff --git a/assets/bitnami/mariadb-15.2.0.tgz b/assets/bitnami/mariadb-15.2.0.tgz
new file mode 100644
index 000000000..8cbb19cca
Binary files /dev/null and b/assets/bitnami/mariadb-15.2.0.tgz differ
diff --git a/assets/bitnami/mysql-9.18.0.tgz b/assets/bitnami/mysql-9.18.0.tgz
new file mode 100644
index 000000000..74894bac8
Binary files /dev/null and b/assets/bitnami/mysql-9.18.0.tgz differ
diff --git a/assets/bitnami/postgresql-13.4.1.tgz b/assets/bitnami/postgresql-13.4.1.tgz
new file mode 100644
index 000000000..a924d4bfd
Binary files /dev/null and b/assets/bitnami/postgresql-13.4.1.tgz differ
diff --git a/assets/bitnami/redis-18.8.0.tgz b/assets/bitnami/redis-18.8.0.tgz
new file mode 100644
index 000000000..9518d87a7
Binary files /dev/null and b/assets/bitnami/redis-18.8.0.tgz differ
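Review bot: `assets/argo/argo-cd-5.52.1.tgz` is rewritten in place (`index fdcdbed4e..dbf413deb`) instead of only adding the new `argo-cd-5.53.8.tgz`, so a chart version that was already published now has a different content hash; anyone pinning 5.52.1 by digest, or checking it against a previously recorded checksum or provenance record, will see a mismatch, and the repository index entry for 5.52.1 needs its digest regenerated. The same in-place replacement happens to `assets/linkerd/linkerd-control-plane-1.16.9.tgz` later in this diff. If the repack is deliberate (for example an identical chart re-archived with different tar metadata), I would say so in the commit message and confirm the archive's rendered templates and `Chart.yaml` are unchanged; otherwise the fix should ship as a new chart version rather than replacing a released artifact.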
diff --git a/assets/bitnami/spark-8.3.0.tgz b/assets/bitnami/spark-8.3.0.tgz
new file mode 100644
index 000000000..0efac5ba9
Binary files /dev/null and b/assets/bitnami/spark-8.3.0.tgz differ
diff --git a/assets/bitnami/tomcat-10.13.0.tgz b/assets/bitnami/tomcat-10.13.0.tgz
new file mode 100644
index 000000000..55443528c
Binary files /dev/null and b/assets/bitnami/tomcat-10.13.0.tgz differ
diff --git a/assets/bitnami/wordpress-19.2.1.tgz b/assets/bitnami/wordpress-19.2.1.tgz
new file mode 100644
index 000000000..fc4de4f2b
Binary files /dev/null and b/assets/bitnami/wordpress-19.2.1.tgz differ
diff --git a/assets/bitnami/zookeeper-12.6.0.tgz b/assets/bitnami/zookeeper-12.6.0.tgz
new file mode 100644
index 000000000..0417ee60e
Binary files /dev/null and b/assets/bitnami/zookeeper-12.6.0.tgz differ
diff --git a/assets/cockroach-labs/cockroachdb-11.2.4.tgz b/assets/cockroach-labs/cockroachdb-11.2.4.tgz
new file mode 100644
index 000000000..f8e738f7f
Binary files /dev/null and b/assets/cockroach-labs/cockroachdb-11.2.4.tgz differ
diff --git a/assets/datadog/datadog-3.52.0.tgz b/assets/datadog/datadog-3.52.0.tgz
new file mode 100644
index 000000000..f9c8d648a
Binary files /dev/null and b/assets/datadog/datadog-3.52.0.tgz differ
diff --git a/assets/f5/f5-bigip-ctlr-0.0.2801.tgz b/assets/f5/f5-bigip-ctlr-0.0.2801.tgz
new file mode 100644
index 000000000..709b903ac
Binary files /dev/null and b/assets/f5/f5-bigip-ctlr-0.0.2801.tgz differ
diff --git a/assets/f5/nginx-ingress-1.1.2.tgz b/assets/f5/nginx-ingress-1.1.2.tgz
new file mode 100644
index 000000000..fa9393a9b
Binary files /dev/null and b/assets/f5/nginx-ingress-1.1.2.tgz differ
diff --git a/assets/haproxy/haproxy-1.36.1.tgz b/assets/haproxy/haproxy-1.36.1.tgz
new file mode 100644
index 000000000..425ebaae2
Binary files /dev/null and b/assets/haproxy/haproxy-1.36.1.tgz differ
diff --git a/assets/inaccel/fpga-operator-2.8.2.tgz b/assets/inaccel/fpga-operator-2.8.2.tgz
new file mode 100644
index 000000000..3ea17ff16
Binary files /dev/null and b/assets/inaccel/fpga-operator-2.8.2.tgz differ
diff --git a/assets/instana/instana-agent-1.2.67.tgz b/assets/instana/instana-agent-1.2.67.tgz
new file mode 100644
index 000000000..fcd78e74c
Binary files /dev/null and b/assets/instana/instana-agent-1.2.67.tgz differ
diff --git a/assets/jaeger/jaeger-operator-2.50.1.tgz b/assets/jaeger/jaeger-operator-2.50.1.tgz
new file mode 100644
index 000000000..c3b22bc37
Binary files /dev/null and b/assets/jaeger/jaeger-operator-2.50.1.tgz differ
diff --git a/assets/jenkins/jenkins-4.12.0.tgz b/assets/jenkins/jenkins-4.12.0.tgz
new file mode 100644
index 000000000..13bf73824
Binary files /dev/null and b/assets/jenkins/jenkins-4.12.0.tgz differ
diff --git a/assets/kasten/k10-6.5.201.tgz b/assets/kasten/k10-6.5.201.tgz
new file mode 100644
index 000000000..1a71ecae2
Binary files /dev/null and b/assets/kasten/k10-6.5.201.tgz differ
diff --git a/assets/kong/kong-2.34.0.tgz b/assets/kong/kong-2.34.0.tgz
new file mode 100644
index 000000000..759ccc147
Binary files /dev/null and b/assets/kong/kong-2.34.0.tgz differ
diff --git a/assets/linkerd/linkerd-control-plane-1.16.10.tgz b/assets/linkerd/linkerd-control-plane-1.16.10.tgz
new file mode 100644
index 000000000..208ac1915
Binary files /dev/null and b/assets/linkerd/linkerd-control-plane-1.16.10.tgz differ
diff --git a/assets/linkerd/linkerd-control-plane-1.16.9.tgz b/assets/linkerd/linkerd-control-plane-1.16.9.tgz
index beb24782f..085592ddd 100644
Binary files a/assets/linkerd/linkerd-control-plane-1.16.9.tgz and b/assets/linkerd/linkerd-control-plane-1.16.9.tgz differ
diff --git a/assets/nats/nats-1.1.7.tgz b/assets/nats/nats-1.1.7.tgz
new file mode 100644
index 000000000..711fb5c9d
Binary files /dev/null and b/assets/nats/nats-1.1.7.tgz differ
diff --git a/assets/new-relic/nri-bundle-5.0.60.tgz b/assets/new-relic/nri-bundle-5.0.60.tgz
new file mode 100644
index 000000000..7400f7a4e
Binary files /dev/null and b/assets/new-relic/nri-bundle-5.0.60.tgz differ
diff --git a/assets/redpanda/redpanda-5.7.10.tgz b/assets/redpanda/redpanda-5.7.10.tgz
new file mode 100644
index 000000000..d80aabef6
Binary files /dev/null and b/assets/redpanda/redpanda-5.7.10.tgz differ
diff --git a/assets/speedscale/speedscale-operator-2.0.5.tgz b/assets/speedscale/speedscale-operator-2.0.5.tgz
new file mode 100644
index 000000000..598baee25
Binary files /dev/null and b/assets/speedscale/speedscale-operator-2.0.5.tgz differ
diff --git a/assets/stackstate/stackstate-k8s-agent-1.0.67.tgz b/assets/stackstate/stackstate-k8s-agent-1.0.67.tgz
new file mode 100644
index 000000000..173cc1968
Binary files /dev/null and b/assets/stackstate/stackstate-k8s-agent-1.0.67.tgz differ
diff --git a/assets/trilio/k8s-triliovault-operator-4.0.1.tgz b/assets/trilio/k8s-triliovault-operator-4.0.1.tgz
new file mode 100644
index 000000000..ea57d91d4
Binary files /dev/null and b/assets/trilio/k8s-triliovault-operator-4.0.1.tgz differ
diff --git a/assets/weka/csi-wekafsplugin-2.3.4.tgz b/assets/weka/csi-wekafsplugin-2.3.4.tgz
new file mode 100644
index 000000000..76f510ede
Binary files /dev/null and b/assets/weka/csi-wekafsplugin-2.3.4.tgz differ
diff --git a/assets/yugabyte/yugabyte-2.14.15.tgz b/assets/yugabyte/yugabyte-2.14.15.tgz
new file mode 100644
index 000000000..e8cfb4cb2
Binary files /dev/null and b/assets/yugabyte/yugabyte-2.14.15.tgz differ
diff --git a/assets/yugabyte/yugaware-2.14.15.tgz b/assets/yugabyte/yugaware-2.14.15.tgz
new file mode 100644
index 000000000..9c713dab7
Binary files /dev/null and b/assets/yugabyte/yugaware-2.14.15.tgz differ
diff --git a/charts/amd/amd-gpu/Chart.lock b/charts/amd/amd-gpu/Chart.lock
index 4ce1f8c18..df1448888 100644
--- a/charts/amd/amd-gpu/Chart.lock
+++ b/charts/amd/amd-gpu/Chart.lock
@@ -1,6 +1,6 @@ dependencies: - name: node-feature-discovery repository: https://kubernetes-sigs.github.io/node-feature-discovery/charts - version: 0.14.3 -digest: sha256:a1651e3e727f3f60f286930ab341af1009cce742b181d19b9ec75d392c5c339b -generated: "2023-11-03T05:15:42.351779792Z" + version: 0.15.0 +digest: sha256:35fafe91e8fe2c76d852ca87cfece3ce6475d9b0719284757e2f093f4be1cac4 +generated: "2024-01-15T04:05:45.773461678Z" diff --git a/charts/amd/amd-gpu/Chart.yaml b/charts/amd/amd-gpu/Chart.yaml index 3ed8c1273..2116fb80d 100644 --- a/charts/amd/amd-gpu/Chart.yaml +++ b/charts/amd/amd-gpu/Chart.yaml @@ -4,15 +4,15 @@ annotations: catalog.cattle.io/kube-version: '>= 1.18.0-0' catalog.cattle.io/release-name: amd-gpu apiVersion: v2 -appVersion: 1.25.2.5 +appVersion: 1.25.2.6 dependencies: - condition: nfd.enabled name: node-feature-discovery repository: file://./charts/node-feature-discovery version: '>= 0.8.1-0' description: A Helm chart for deploying Kubernetes AMD GPU device plugin -home: https://github.com/ROCm/k8s-device-plugin -icon: https://raw.githubusercontent.com/ROCm/k8s-device-plugin/master/helm/logo.png +home: https://github.com/RadeonOpenCompute/k8s-device-plugin +icon: https://raw.githubusercontent.com/RadeonOpenCompute/k8s-device-plugin/master/helm/logo.png keywords: - kubernetes - cluster @@ -23,6 +23,6 @@ maintainers: - name: Kenny Ho name: amd-gpu sources: -- https://github.com/ROCm/k8s-device-plugin +- https://github.com/RadeonOpenCompute/k8s-device-plugin type: application -version: 0.10.0 +version: 0.11.0 diff --git a/charts/amd/amd-gpu/README.md b/charts/amd/amd-gpu/README.md index 839f21b52..ef3dbbc73 100644 --- a/charts/amd/amd-gpu/README.md +++ b/charts/amd/amd-gpu/README.md 
@@ -1,6 +1,6 @@ # AMD GPU Helm Chart -![Version: 0.10.0](https://img.shields.io/badge/Version-0.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.25.2.5](https://img.shields.io/badge/AppVersion-1.25.2.5-informational?style=flat-square) +![Version: 0.11.0](https://img.shields.io/badge/Version-0.11.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.25.2.6](https://img.shields.io/badge/AppVersion-1.25.2.6-informational?style=flat-square) A Helm chart for deploying Kubernetes AMD GPU device plugin @@ -34,7 +34,7 @@ Kubernetes: `>= 1.18.0` ## More information -https://github.com/ROCm/k8s-device-plugin +https://github.com/RadeonOpenCompute/k8s-device-plugin ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/Chart.yaml b/charts/amd/amd-gpu/charts/node-feature-discovery/Chart.yaml index ba7ee404a..b85993272 100644 --- a/charts/amd/amd-gpu/charts/node-feature-discovery/Chart.yaml +++ b/charts/amd/amd-gpu/charts/node-feature-discovery/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: v0.14.3 +appVersion: v0.15.0 description: 'Detects hardware features available on each node in a Kubernetes cluster, and advertises those features using node labels. ' home: https://github.com/kubernetes-sigs/node-feature-discovery @@ -11,4 +11,4 @@ name: node-feature-discovery sources: - https://github.com/kubernetes-sigs/node-feature-discovery type: application -version: 0.14.3 +version: 0.15.0 diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/README.md b/charts/amd/amd-gpu/charts/node-feature-discovery/README.md index 16b5254d5..b8b7d90ca 100644 
--- a/charts/amd/amd-gpu/charts/node-feature-discovery/README.md +++ b/charts/amd/amd-gpu/charts/node-feature-discovery/README.md @@ -6,5 +6,5 @@ labels. NFD provides flexible configuration and extension points for a wide range of vendor and application specific node labeling needs. See -[NFD documentation](https://kubernetes-sigs.github.io/node-feature-discovery/v0.14/deployment/helm.html) +[NFD documentation](https://kubernetes-sigs.github.io/node-feature-discovery/v0.15/deployment/helm.html) for deployment instructions. diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/crds/nfd-api-crds.yaml b/charts/amd/amd-gpu/charts/node-feature-discovery/crds/nfd-api-crds.yaml index 6866c7ffe..4e6304163 100644 --- a/charts/amd/amd-gpu/charts/node-feature-discovery/crds/nfd-api-crds.yaml +++ b/charts/amd/amd-gpu/charts/node-feature-discovery/crds/nfd-api-crds.yaml @@ -153,6 +153,11 @@ spec: description: Rule defines a rule for node customization such as labeling. properties: + annotations: + additionalProperties: + type: string + description: Annotations to create if the rule matches. + type: object extendedResources: additionalProperties: type: string 
@@ -185,19 +190,16 @@ spec: in the feature set. properties: feature: + description: Feature is the name of the feature + set to match against. type: string matchExpressions: additionalProperties: - description: "MatchExpression specifies an expression + description: MatchExpression specifies an expression to evaluate against a set of input values. It contains an operator that is applied when matching the input and an array of values that the operator - evaluates the input against. \n NB: CreateMatchExpression - or MustCreateMatchExpression() should be used - for creating new instances. \n NB: Validate() - must be called if Op or Value fields are modified - or if a new instance is created from scratch - without using the helper functions." + evaluates the input against. properties: op: description: Op is the operator to be applied. 
@@ -229,13 +231,46 @@ spec: required: - op type: object - description: MatchExpressionSet contains a set of - MatchExpressions, each of which is evaluated against - a set of input values. + description: MatchExpressions is the set of per-element + expressions evaluated. These match against the + value of the specified elements. + type: object + matchName: + description: MatchName in an expression that is + matched against the name of each element in the + feature set. + properties: + op: + description: Op is the operator to be applied. + enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: Value is the list of values that + the operand evaluates the input against. Value + should be empty if the operator is Exists, + DoesNotExist, IsTrue or IsFalse. Value should + contain exactly one element if the operator + is Gt or Lt and exactly two elements if the + operator is GtLt. In other cases Value should + contain at least one element. + items: + type: string + type: array + required: + - op type: object required: - feature - - matchExpressions type: object type: array required: 
@@ -251,18 +286,16 @@ spec: are evaluated against each element in the feature set. properties: feature: + description: Feature is the name of the feature set to + match against. type: string matchExpressions: additionalProperties: - description: "MatchExpression specifies an expression + description: MatchExpression specifies an expression to evaluate against a set of input values. It contains an operator that is applied when matching the input and an array of values that the operator evaluates - the input against. \n NB: CreateMatchExpression or - MustCreateMatchExpression() should be used for creating - new instances. \n NB: Validate() must be called if - Op or Value fields are modified or if a new instance - is created from scratch without using the helper functions." + the input against. properties: op: description: Op is the operator to be applied. 
@@ -292,12 +325,44 @@ spec: required: - op type: object - description: MatchExpressionSet contains a set of MatchExpressions, - each of which is evaluated against a set of input values. + description: MatchExpressions is the set of per-element + expressions evaluated. These match against the value + of the specified elements. + type: object + matchName: + description: MatchName in an expression that is matched + against the name of each element in the feature set. + properties: + op: + description: Op is the operator to be applied. + enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: Value is the list of values that the + operand evaluates the input against. Value should + be empty if the operator is Exists, DoesNotExist, + IsTrue or IsFalse. Value should contain exactly + one element if the operator is Gt or Lt and exactly + two elements if the operator is GtLt. In other cases + Value should contain at least one element. + items: + type: string + type: array + required: + - op type: object required: - feature - - matchExpressions type: object type: array name: diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/cert-manager-certs.yaml b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/cert-manager-certs.yaml index ac2e51fc1..8af115316 100644 --- a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/cert-manager-certs.yaml +++ b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/cert-manager-certs.yaml @@ -1,4 +1,5 @@ {{- if .Values.tls.certManager }} +{{- if .Values.master.enable }} --- apiVersion: cert-manager.io/v1 kind: Certificate 
@@ -17,14 +18,13 @@ spec: # first one is configured for use by the worker; below are for completeness - {{ include "node-feature-discovery.fullname" . }}-master.{{ include "node-feature-discovery.namespace" . }}.svc - {{ include "node-feature-discovery.fullname" . }}-master.{{ include "node-feature-discovery.namespace" . }}.svc.cluster.local - # localhost needed for grpc_health_probe - - localhost issuerRef: name: nfd-ca-issuer kind: Issuer group: cert-manager.io - +{{- end }} --- +{{- if .Values.worker.enable }} apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -42,6 +42,7 @@ spec: name: nfd-ca-issuer kind: Issuer group: cert-manager.io +{{- end }} {{- if .Values.topologyUpdater.enable }} --- diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/clusterrole.yaml b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/clusterrole.yaml index d4329338b..e652e1df8 100644 --- a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/clusterrole.yaml +++ b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/clusterrole.yaml @@ -1,4 +1,4 @@ -{{- if .Values.master.rbac.create }} +{{- if and .Values.master.enable .Values.master.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/clusterrolebinding.yaml b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/clusterrolebinding.yaml index 87b3003e2..99134a1c5 100644 --- a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/clusterrolebinding.yaml +++ b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/clusterrolebinding.yaml @@ -1,4 +1,4 @@ -{{- if .Values.master.rbac.create }} +{{- if and .Values.master.enable .Values.master.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/master.yaml b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/master.yaml index e77ca136c..53a291e0f 100644 --- a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/master.yaml +++ b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/master.yaml @@ -1,3 +1,4 @@ +{{- if .Values.master.enable }} apiVersion: apps/v1 kind: Deployment metadata: @@ -41,29 +42,13 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} livenessProbe: - exec: - command: - - "/usr/bin/grpc_health_probe" - - "-addr=:{{ .Values.master.port | default "8080" }}" - {{- if .Values.tls.enable }} - - "-tls" - - "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt" - - "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key" - - "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt" - {{- end }} + grpc: + port: 8080 initialDelaySeconds: 10 periodSeconds: 10 readinessProbe: - exec: - command: - - "/usr/bin/grpc_health_probe" - - "-addr=:{{ .Values.master.port | default "8080" }}" - {{- if .Values.tls.enable }} - - "-tls" - - "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt" - - "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key" - - "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt" - {{- end }} + grpc: + port: 8080 initialDelaySeconds: 5 periodSeconds: 10 failureThreshold: 10 @@ -85,8 +70,8 @@ spec: {{- if .Values.master.instance | empty | not }} - "-instance={{ .Values.master.instance }}" {{- end }} - - "-port={{ .Values.master.port | default "8080" }}" {{- if not .Values.enableNodeFeatureApi }} + - "-port={{ .Values.master.port | default "8080" }}" - "-enable-nodefeature-api=false" {{- else if gt (int .Values.master.replicaCount) 1 }} - "-enable-leader-election" 
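Review bot: The new `livenessProbe`/`readinessProbe` hard-code `grpc: port: 8080`, but the second hunk in this file still passes `-port={{ .Values.master.port | default "8080" }}` to nfd-master on the `not .Values.enableNodeFeatureApi` branch, so a deployment that sets a non-default `master.port` with the legacy API enabled is probed on a closed port and never becomes ready. The removed exec probe also passed `-tls` plus the CA and client key/cert when `tls.enable` is set; as far as I know the kubelet's built-in gRPC probe cannot present a client certificate or do TLS at all, so if the 0.15 master still serves health on the same TLS-protected listener the probe will fail, and if it had to be moved to a plaintext listener that should be stated. Unless 0.15 is known to always expose a plaintext health endpoint on 8080 (not visible here), I would at least template the port, `port: {{ .Values.master.port | default 8080 }}`, and add a comment in values.yaml next to `master.port` such as `# the probes in master.yaml assume the gRPC health service is reachable in plaintext on this port`. This is a vendored copy of the upstream NFD chart, so the change may need to go upstream; the Deployment spec continues beyond the hunk.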
@@ -157,3 +142,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} +{{- end }} diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/nfd-gc.yaml b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/nfd-gc.yaml index d803eef40..1e0e12327 100644 --- a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/nfd-gc.yaml +++ b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/nfd-gc.yaml @@ -58,6 +58,9 @@ spec: drop: [ "ALL" ] readOnlyRootFilesystem: true runAsNonRoot: true + ports: + - name: metrics + containerPort: {{ .Values.gc.metricsPort | default "8081"}} {{- with .Values.gc.nodeSelector }} nodeSelector: diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/nfd-master-conf.yaml b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/nfd-master-conf.yaml index c806a8e5d..9c6e01cde 100644 --- a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/nfd-master-conf.yaml +++ b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/nfd-master-conf.yaml @@ -1,3 +1,4 @@ +{{- if .Values.master.enable }} apiVersion: v1 kind: ConfigMap metadata: @@ -8,3 +9,4 @@ metadata: data: nfd-master.conf: |- {{- .Values.master.config | toYaml | nindent 4 }} +{{- end }} diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/nfd-worker-conf.yaml b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/nfd-worker-conf.yaml index 61d2a481a..a2299dea1 100644 --- a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/nfd-worker-conf.yaml +++ b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/nfd-worker-conf.yaml @@ -1,3 +1,4 @@ +{{- if .Values.worker.enable }} apiVersion: v1 kind: ConfigMap metadata: @@ -8,3 +9,4 @@ metadata: data: nfd-worker.conf: |- {{- .Values.worker.config | toYaml | nindent 4 }} +{{- end }} 
diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/role.yaml b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/role.yaml index c71ede442..3a872e572 100644 --- a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/role.yaml +++ b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/role.yaml @@ -1,4 +1,4 @@ -{{- if .Values.worker.rbac.create }} +{{- if and .Values.worker.enable .Values.worker.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/rolebinding.yaml b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/rolebinding.yaml index d8025be9b..a640d5f8b 100644 --- a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/rolebinding.yaml +++ b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/rolebinding.yaml @@ -1,4 +1,4 @@ -{{- if .Values.worker.rbac.create }} +{{- if and .Values.worker.enable .Values.worker.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/service.yaml b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/service.yaml index 0d4789818..d71d1555f 100644 --- a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/service.yaml +++ b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/service.yaml @@ -1,3 +1,4 @@ +{{- if and (not .Values.enableNodeFeatureApi) .Values.master.enable }} apiVersion: v1 kind: Service metadata: @@ -16,3 +17,4 @@ spec: selector: {{- include "node-feature-discovery.selectorLabels" . | nindent 4 }} role: master +{{- end}} diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/serviceaccount.yaml b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/serviceaccount.yaml index 34dc8b753..7da2c877e 100644 --- a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/serviceaccount.yaml 
+++ b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/serviceaccount.yaml @@ -1,4 +1,4 @@ -{{- if .Values.master.serviceAccount.create -}} +{{- if and .Values.master.enable .Values.master.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount metadata: @@ -42,7 +42,7 @@ metadata: {{- end }} {{- end }} -{{- if .Values.worker.serviceAccount.create }} +{{- if and .Values.worker.enable .Values.worker.serviceAccount.create }} --- apiVersion: v1 kind: ServiceAccount diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/worker.yaml b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/worker.yaml index 0e56eb5d1..f49f9bd64 100644 --- a/charts/amd/amd-gpu/charts/node-feature-discovery/templates/worker.yaml +++ b/charts/amd/amd-gpu/charts/node-feature-discovery/templates/worker.yaml @@ -1,3 +1,4 @@ +{{- if .Values.worker.enable }} apiVersion: apps/v1 kind: DaemonSet metadata: @@ -44,13 +45,21 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid resources: {{- toYaml .Values.worker.resources | nindent 12 }} command: - "nfd-worker" args: - - "-server={{ include "node-feature-discovery.fullname" . }}-master:{{ .Values.master.service.port }}" {{- if not .Values.enableNodeFeatureApi }} + - "-server={{ include "node-feature-discovery.fullname" . }}-master:{{ .Values.master.service.port }}" - "-enable-nodefeature-api=false" {{- end }} {{- if .Values.tls.enable }} @@ -150,3 +159,4 @@ spec: {{- with .Values.worker.priorityClassName }} priorityClassName: {{ . | quote }} {{- end }} +{{- end }} diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/values.yaml b/charts/amd/amd-gpu/charts/node-feature-discovery/values.yaml index 2291aef4f..d4919bca8 100644 --- a/charts/amd/amd-gpu/charts/node-feature-discovery/values.yaml +++ b/charts/amd/amd-gpu/charts/node-feature-discovery/values.yaml 
@@ -13,8 +13,10 @@ namespaceOverride: "" enableNodeFeatureApi: true master: + enable: true config: ### # noPublish: false + # autoDefaultNs: true # extraLabelNs: ["added.ns.io","added.kubernets.io"] # denyLabelNs: ["denied.ns.io","denied.kubernetes.io"] # resourceLabels: ["vendor-1.com/feature-1","vendor-2.io/feature-2"] @@ -45,6 +47,8 @@ master: # nfdApiParallelism: 10 ### # The TCP port that nfd-master listens for incoming requests. Default: 8080 + # Deprecated this parameter is related to the deprecated gRPC API and will + # be removed with it in a future release port: 8080 metricsPort: 8081 instance: @@ -130,6 +134,7 @@ master: values: [""] worker: + enable: true config: ### #core: # labelWhiteList: @@ -215,7 +220,7 @@ worker: # # The following feature demonstrates the capabilities of the matchFeatures # - name: "my custom rule" # labels: - # my-ng-feature: "true" + # "vendor.io/my-ng-feature": "true" # # matchFeatures implements a logical AND over all matcher terms in the # # list (i.e. all of the terms, or per-feature matchers, must match) # matchFeatures: @@ -286,7 +291,7 @@ worker: # # The following feature demonstrates the capabilities of the matchAny # - name: "my matchAny rule" # labels: - # my-ng-feature-2: "my-value" + # "vendor.io/my-ng-feature-2": "my-value" # # matchAny implements a logical IF over all elements (sub-matchers) in # # the list (i.e. at least one feature matcher must match) # matchAny: 
@@ -307,10 +312,17 @@ worker: # vendor: {op: In, value: ["8086"]} # class: {op: In, value: ["02"]} # + # - name: "avx wildcard rule" + # labels: + # "my-avx-feature": "true" + # matchFeatures: + # - feature: cpu.cpuid + # matchName: {op: InRegexp, value: ["^AVX512"]} + # # # The following features demonstreate label templating capabilities # - name: "my template rule" # labelsTemplate: | - # {{ range .system.osrelease }}my-system-feature.{{ .Name }}={{ .Value }} + # {{ range .system.osrelease }}vendor.io/my-system-feature.{{ .Name }}={{ .Value }} # {{ end }} # matchFeatures: # - feature: system.osrelease @@ -320,7 +332,7 @@ worker: # # - name: "my template rule 2" # labelsTemplate: | - # {{ range .pci.device }}my-pci-device.{{ .class }}-{{ .device }}=with-cpuid + # {{ range .pci.device }}vendor.io/my-pci-device.{{ .class }}-{{ .device }}=with-cpuid # {{ end }} # matchFeatures: # - feature: pci.device @@ -335,7 +347,7 @@ worker: # # previous labels and vars # - name: "my dummy kernel rule" # labels: - # "my.kernel.feature": "true" + # "vendor.io/my.kernel.feature": "true" # matchFeatures: # - feature: kernel.version # matchExpressions: @@ -350,13 +362,20 @@ worker: # # - name: "my rule using backrefs" # labels: - # "my.backref.feature": "true" + # "vendor.io/my.backref.feature": "true" # matchFeatures: # - feature: rule.matched # matchExpressions: - # my.kernel.feature: {op: IsTrue} + # vendor.io/my.kernel.feature: {op: IsTrue} # my.dummy.var: {op: Gt, value: ["0"]} # + # - name: "kconfig template rule" + # labelsTemplate: | + # {{ range .kernel.config }}kconfig-{{ .Name }}={{ .Value }} + # {{ end }} + # matchFeatures: + # - feature: kernel.config + # matchName: {op: In, value: ["SWAP", "X86", "ARM"]} ### metricsPort: 8081 @@ -493,6 +512,8 @@ gc: # cpu: 100m # memory: 128Mi + metricsPort: 8081 + nodeSelector: {} tolerations: [] annotations: {} diff --git a/charts/amd/amd-gpu/values.yaml b/charts/amd/amd-gpu/values.yaml index 79da1ffc9..2f9c9a581 100644 
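Review bot: The two new example rules are inconsistent with the rest of this hunk: every pre-existing example key was rewritten to a namespaced form (`"vendor.io/my-ng-feature": "true"`, `vendor.io/my-pci-device.…`), yet the added `avx wildcard rule` emits `"my-avx-feature": "true"` and the `kconfig template rule` emits `kconfig-{{ .Name }}={{ .Value }}` with no namespace. Since the same change introduces an `# autoDefaultNs: true` knob in the master config earlier in this file, a reader cannot tell whether the un-prefixed keys are meant to demonstrate that default or were simply missed. I would either prefix them the same way (`"vendor.io/my-avx-feature": "true"`, `vendor.io/kconfig-{{ .Name }}={{ .Value }}`) or add a one-line comment above each explaining that the key is deliberately left without a namespace and what that relies on. These are commented examples in a vendored upstream chart, so the clean-up arguably belongs upstream.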
--- a/charts/amd/amd-gpu/values.yaml +++ b/charts/amd/amd-gpu/values.yaml @@ -10,13 +10,13 @@ dp: image: repository: docker.io/rocm/k8s-device-plugin # Overrides the image tag whose default is the chart appVersion. - tag: "1.25.2.5" + tag: "1.25.2.6" resources: {} lbl: image: repository: docker.io/rocm/k8s-device-plugin - tag: "labeller-1.25.2.5" + tag: "labeller-1.25.2.6" resources: {} imagePullSecrets: [] diff --git a/charts/argo/argo-cd/Chart.yaml b/charts/argo/argo-cd/Chart.yaml index 455261a5b..a31d99935 100644 --- a/charts/argo/argo-cd/Chart.yaml +++ b/charts/argo/argo-cd/Chart.yaml @@ -1,7 +1,7 @@ annotations: artifacthub.io/changes: | - kind: changed - description: DRY cleanup of ServiceAccounts + description: Updated documented default value for application.instanceLabelKey. artifacthub.io/signKey: | fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc @@ -11,7 +11,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.23.0-0' catalog.cattle.io/release-name: argo-cd apiVersion: v2 -appVersion: v2.9.3 +appVersion: v2.9.5 dependencies: - condition: redis-ha.enabled name: redis-ha @@ -33,4 +33,4 @@ name: argo-cd sources: - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd - https://github.com/argoproj/argo-cd -version: 5.52.1 +version: 5.53.8 diff --git a/charts/argo/argo-cd/README.md b/charts/argo/argo-cd/README.md index 919149b51..88280075b 100644 --- a/charts/argo/argo-cd/README.md +++ b/charts/argo/argo-cd/README.md 
@@ -105,6 +105,10 @@ For full list of changes please check ArtifactHub [changelog]. Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version. +### 5.53.0 + +Argocd-repo-server can now optionally use Persistent Volumes for its mountpoints instead of only emptydir() + ### 5.52.0 Because [Argo CD Extensions] is now deprecated and no further changes will be made, we switched to [Argo CD Extension Installer], adding an Argo CD Extension Installer to init-container in the Argo CD API server. If you used old mechanism, please move to new mechanism. For more details, please refer `.Values.server.extensions` in values.yaml. @@ -446,7 +450,7 @@ NAME: my-release |-----|------|---------|-------------| | configs.clusterCredentials | list | `[]` (See [values.yaml]) | Provide one or multiple [external cluster credentials] | | configs.cm."admin.enabled" | bool | `true` | Enable local admin user | -| configs.cm."application.instanceLabelKey" | string | Defaults to app.kubernetes.io/instance | The name of tracking label used by Argo CD for resource pruning | +| configs.cm."application.instanceLabelKey" | string | `"argocd.argoproj.io/instance"` | The name of tracking label used by Argo CD for resource pruning | | configs.cm."exec.enabled" | bool | `false` | Enable exec feature in Argo UI | | configs.cm."server.rbac.log.enforce.enable" | bool | `false` | Enable logs RBAC enforcement | | configs.cm."timeout.hard.reconciliation" | string | `"0s"` | Timeout to refresh application data as well as target manifests cache | 
@@ -481,6 +485,7 @@ NAME: my-release | configs.params.create | bool | `true` | Create the argocd-cmd-params-cm configmap If false, it is expected the configmap will be created by something else. | | configs.rbac."policy.csv" | string | `''` (See [values.yaml]) | File containing user-defined policies and role definitions. | | configs.rbac."policy.default" | string | `""` | The name of the default role which Argo CD will falls back to, when authorizing API requests (optional). If omitted or empty, users may be still be able to login, but will see no apps, projects, etc... | +| configs.rbac."policy.matchMode" | string | `"glob"` | Matcher function for Casbin, `glob` for glob matcher and `regex` for regex matcher. | | configs.rbac.annotations | object | `{}` | Annotations to be added to argocd-rbac-cm configmap | | configs.rbac.create | bool | `true` | Create the argocd-rbac-cm configmap with ([Argo CD RBAC policy]) definitions. If false, it is expected the configmap will be created by something else. Argo CD will not work if there is no configmap created with the name above. | | configs.rbac.scopes | string | `"[groups]"` | OIDC scopes to examine during rbac enforcement (in addition to `sub` scope). The scope value can be a string, or a list of strings. | 
@@ -489,6 +494,8 @@ NAME: my-release | configs.secret.annotations | object | `{}` | Annotations to be added to argocd-secret | | configs.secret.argocdServerAdminPassword | string | `""` | Bcrypt hashed admin password | | configs.secret.argocdServerAdminPasswordMtime | string | `""` (defaults to current time) | Admin password modification time. Eg. `"2006-01-02T15:04:05Z"` | +| configs.secret.azureDevops.password | string | `""` | Shared secret password for authenticating Azure DevOps webhook events | +| configs.secret.azureDevops.username | string | `""` | Shared secret username for authenticating Azure DevOps webhook events | | configs.secret.bitbucketServerSecret | string | `""` | Shared secret for authenticating BitbucketServer webhook events | | configs.secret.bitbucketUUID | string | `""` | UUID for authenticating Bitbucket webhook events | | configs.secret.createSecret | bool | `true` | Create the argocd-secret | @@ -609,6 +616,7 @@ NAME: my-release | repoServer.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for Repo server pods | | repoServer.env | list | `[]` | Environment variables to pass to repo server | | repoServer.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to repo server | +| repoServer.existingVolumes | object | `{}` | Volumes to be used in replacement of emptydir on default volumes | | repoServer.extraArgs | list | `[]` | Additional command line arguments to pass to repo server | | repoServer.extraContainers | list | `[]` | Additional containers to be added to the repo server pod | | repoServer.hostNetwork | bool | `false` | Host Network for Repo server pods | 
@@ -1033,7 +1041,7 @@ The main options are listed here: | redis-ha.haproxy.metrics.enabled | bool | `true` | HAProxy enable prometheus metric scraping | | redis-ha.haproxy.tolerations | list | `[]` | [Tolerations] for use with node taints for haproxy pods. | | redis-ha.hardAntiAffinity | bool | `true` | Whether the Redis server pods should be forced to run on separate nodes. | -| redis-ha.image.repository | string | `"redis"` | Redis repository | +| redis-ha.image.repository | string | `"public.ecr.aws/docker/library/redis"` | Redis repository | | redis-ha.image.tag | string | `"7.0.13-alpine"` | Redis tag | | redis-ha.persistentVolume.enabled | bool | `false` | Configures persistence on Redis nodes | | redis-ha.redis.config | object | See [values.yaml] | Any valid redis config options in this section will be applied to each server (see `redis-ha` chart) | diff --git a/charts/argo/argo-cd/templates/argocd-application-controller/role.yaml b/charts/argo/argo-cd/templates/argocd-application-controller/role.yaml index 56ef17b5d..ea550e1fe 100644 --- a/charts/argo/argo-cd/templates/argocd-application-controller/role.yaml +++ b/charts/argo/argo-cd/templates/argocd-application-controller/role.yaml @@ -34,4 +34,12 @@ rules: - events verbs: - create - - list \ No newline at end of file + - list +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch diff --git a/charts/argo/argo-cd/templates/argocd-configs/argocd-secret.yaml b/charts/argo/argo-cd/templates/argocd-configs/argocd-secret.yaml index 1e69bcead..4561440a7 100644 --- a/charts/argo/argo-cd/templates/argocd-configs/argocd-secret.yaml +++ b/charts/argo/argo-cd/templates/argocd-configs/argocd-secret.yaml 
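Review bot: The new rule in the application-controller Role hunk grants get/list/watch on apps/deployments without a comment saying which controller feature needs it, and nothing else in this hunk or the chart's change annotation explains the added permission. Upstream appears to have added it for dynamic cluster distribution, where the controller reads its own Deployment to derive the shard count; if that is the reason here, a comment on the rule such as `# Lets the controller read its own Deployment (dynamic cluster distribution)` would let operators who do not use that feature decide whether to drop the grant rather than carry an unexplained read on all Deployments in the namespace. The Role's rules list starts outside the hunk.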
@@ -16,7 +16,7 @@ metadata: {{- end }} {{- end }} type: Opaque -{{- if or .Values.configs.secret.githubSecret (or .Values.configs.secret.gitlabSecret .Values.configs.secret.bitbucketUUID .Values.configs.secret.bitbucketServerSecret .Values.configs.secret.gogsSecret .Values.configs.secret.argocdServerAdminPassword .Values.configs.secret.argocdServerTlsConfig .Values.configs.secret.extra) }} +{{- if or .Values.configs.secret.githubSecret (or .Values.configs.secret.gitlabSecret .Values.configs.secret.bitbucketUUID .Values.configs.secret.bitbucketServerSecret .Values.configs.secret.gogsSecret (and .Values.configs.secret.azureDevops.username .Values.configs.secret.azureDevops.password) .Values.configs.secret.argocdServerAdminPassword .Values.configs.secret.argocdServerTlsConfig .Values.configs.secret.extra) }} # Setting a blank data again will wipe admin password/key/cert data: {{- with .Values.configs.secret.githubSecret }} @@ -34,6 +34,10 @@ data: {{- with .Values.configs.secret.gogsSecret }} webhook.gogs.secret: {{ . | b64enc }} {{- end }} + {{- if and .Values.configs.secret.azureDevops.username .Values.configs.secret.azureDevops.password }} + webhook.azuredevops.username: {{ .Values.configs.secret.azureDevops.username | b64enc }} + webhook.azuredevops.password: {{ .Values.configs.secret.azureDevops.password | b64enc }} + {{- end }} {{- with .Values.configs.secret.argocdServerTlsConfig }} tls.key: {{ .key | b64enc }} tls.crt: {{ .crt | b64enc }} diff --git a/charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml b/charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml index a9565a2e5..2a18df6c8 100644 --- a/charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml +++ b/charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml 
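Review bot: The `and` guard used in both hunks means a half-configured Azure DevOps credential (username set but password empty, or the reverse) renders no `webhook.azuredevops.*` keys and no error, so a webhook that later fails to authenticate is hard to trace back to the chart values. Since the two values are only meaningful together, failing the render when exactly one is set surfaces the mistake at install time, e.g. `{{- if ne (empty .Values.configs.secret.azureDevops.username) (empty .Values.configs.secret.azureDevops.password) }}` / `{{- fail "configs.secret.azureDevops.username and .password must be set together" }}` / `{{- end }}` placed before the `type: Opaque` condition. The Secret's `data:` block continues past the second hunk.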
@@ -373,14 +373,30 @@ spec: {{- end }} {{- if .Values.repoServer.useEphemeralHelmWorkingDir }} - name: helm-working-dir + {{- if .Values.repoServer.existingVolumes.helmWorkingDir -}} + {{ toYaml .Values.repoServer.existingVolumes.helmWorkingDir | nindent 8 }} + {{- else }} emptyDir: {} + {{- end }} {{- end }} - name: plugins + {{- if .Values.repoServer.existingVolumes.plugins -}} + {{ toYaml .Values.repoServer.existingVolumes.plugins | nindent 8 }} + {{- else }} emptyDir: {} + {{- end }} - name: var-files + {{- if .Values.repoServer.existingVolumes.varFiles -}} + {{ toYaml .Values.repoServer.existingVolumes.varFiles | nindent 8 }} + {{- else }} emptyDir: {} + {{- end }} - name: tmp + {{- if .Values.repoServer.existingVolumes.tmp -}} + {{ toYaml .Values.repoServer.existingVolumes.tmp | nindent 8 }} + {{- else }} emptyDir: {} + {{- end }} - name: ssh-known-hosts configMap: name: argocd-ssh-known-hosts-cm @@ -391,7 +407,11 @@ spec: configMap: name: argocd-gpg-keys-cm - name: gpg-keyring + {{- if .Values.repoServer.existingVolumes.gpgKeyring -}} + {{ toYaml .Values.repoServer.existingVolumes.gpgKeyring | nindent 8 }} + {{- else }} emptyDir: {} + {{- end }} - name: argocd-repo-server-tls secret: secretName: argocd-repo-server-tls diff --git a/charts/argo/argo-cd/values.yaml b/charts/argo/argo-cd/values.yaml index bc93065ee..58560eb59 100644 --- a/charts/argo/argo-cd/values.yaml +++ b/charts/argo/argo-cd/values.yaml @@ -161,7 +161,6 @@ configs: url: "" # -- The name of tracking label used by Argo CD for resource pruning - # @default -- Defaults to app.kubernetes.io/instance application.instanceLabelKey: argocd.argoproj.io/instance # -- Enable logs RBAC enforcement 
@@ -291,7 +290,7 @@ configs: # p, subject, resource, action, object, effect # Role definitions and bindings are in the form: # g, subject, inherited-subject - # policy.csv | + # policy.csv: | # p, role:org-admin, applications, *, */*, allow # p, role:org-admin, clusters, get, *, allow # p, role:org-admin, repositories, *, *, allow @@ -303,6 +302,9 @@ configs: # The scope value can be a string, or a list of strings. scopes: "[groups]" + # -- Matcher function for Casbin, `glob` for glob matcher and `regex` for regex matcher. + policy.matchMode: "glob" + # GnuPG public keys for commit verification ## Ref: https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/ gpg: @@ -516,6 +518,12 @@ configs: bitbucketUUID: "" # -- Shared secret for authenticating Gogs webhook events gogsSecret: "" + ## Azure DevOps + azureDevops: + # -- Shared secret username for authenticating Azure DevOps webhook events + username: "" + # -- Shared secret password for authenticating Azure DevOps webhook events + password: "" # -- add additional secrets to be added to argocd-secret ## Custom secrets. Useful for injecting SSO secrets into environment variables. @@ -1395,7 +1403,7 @@ redis-ha: ## Redis image image: # -- Redis repository - repository: redis + repository: public.ecr.aws/docker/library/redis # -- Redis tag tag: 7.0.13-alpine ## Prometheus redis-exporter sidecar @@ -1577,6 +1585,8 @@ server: ## Argo CD extensions ## This function in tech preview stage, do expect instability or breaking changes in newer versions. ## Ref: https://github.com/argoproj-labs/argocd-extension-installer + ## When you enable extensions, you need to configure RBAC of logged in Argo CD user. + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#the-extensions-resource extensions: # -- Enable support for Argo CD extensions enabled: false 
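Review bot: The new `policy.matchMode` value is documented only as a choice between the glob and regex Casbin matchers, and the README row added earlier on this page says the same; neither tells an operator that switching to `regex` re-interprets every existing line of `policy.csv`, so the `*` and `*/*` wildcards in the commented example just above this hunk would no longer match as written and the effective RBAC could silently narrow or widen. A one-line addition next to the default, such as `# "regex" reinterprets every pattern in policy.csv as a regular expression; glob-style "*" entries must be rewritten.`, documents that. The `policy.csv` example this applies to begins before the hunk.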
@@ -2217,6 +2227,24 @@ repoServer: # - name: cmp-tmp # emptyDir: {} + # -- Volumes to be used in replacement of emptydir on default volumes + existingVolumes: {} + # gpgKeyring: + # persistentVolumeClaim: + # claimName: pvc-argocd-repo-server-keyring + # helmWorkingDir: + # persistentVolumeClaim: + # claimName: pvc-argocd-repo-server-workdir + # tmp: + # persistentVolumeClaim: + # claimName: pvc-argocd-repo-server-tmp + # varFiles: + # persistentVolumeClaim: + # claimName: pvc-argocd-repo-server-varfiles + # plugins: + # persistentVolumeClaim: + # claimName: pvc-argocd-repo-server-plugins + # -- Toggle the usage of a ephemeral Helm working directory useEphemeralHelmWorkingDir: true diff --git a/charts/bitnami/airflow/Chart.lock b/charts/bitnami/airflow/Chart.lock index 6d3a801e7..d37d9aca7 100644 --- a/charts/bitnami/airflow/Chart.lock +++ b/charts/bitnami/airflow/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: redis repository: oci://registry-1.docker.io/bitnamicharts - version: 18.6.1 + version: 18.7.0 - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 13.2.27 + version: 13.3.0 - name: common repository: oci://registry-1.docker.io/bitnamicharts version: 2.14.1 -digest: sha256:bef0f24c8d9770d8e345aa48d54af3e778dce58c14f2219899cd8ad5a4e15b9c -generated: "2024-01-03T11:43:19.465902594Z" +digest: sha256:5ccdd0a9b98fdac3ad60b2fe1fe5776e2aa267addd60501166de8166377bad94 +generated: "2024-01-17T19:54:42.562153805Z" diff --git a/charts/bitnami/airflow/Chart.yaml b/charts/bitnami/airflow/Chart.yaml index 8e1e386b4..3320db34e 100644 --- a/charts/bitnami/airflow/Chart.yaml +++ b/charts/bitnami/airflow/Chart.yaml 
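Review bot: The `existingVolumes` comment says only that the entries replace the default emptyDirs; it does not say that each key substitutes the same-named volume in the repo-server Deployment (the deployment hunk earlier on this page), nor what happens with more than one repo-server replica. A single claim named under `tmp`, `plugins` or `helmWorkingDir` is mounted by every replica, so a ReadWriteOnce claim can leave extra replicas unschedulable or pin them to one node, and scratch contents written by one replica become visible to the others. Something like `# Each key replaces the emptyDir of the volume with the same name; a shared claim is mounted by every replica, so use RWX storage or keep repoServer.replicas at 1.` records that caveat. The `repoServer` section this sits in starts before the hunk.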
@@ -6,17 +6,17 @@ annotations: category: WorkFlow images: | - name: airflow-exporter - image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-11-r441 + image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-11-r443 - name: airflow-scheduler image: docker.io/bitnami/airflow-scheduler:2.8.0-debian-11-r1 - name: airflow-worker image: docker.io/bitnami/airflow-worker:2.8.0-debian-11-r1 - name: airflow - image: docker.io/bitnami/airflow:2.8.0-debian-11-r1 + image: docker.io/bitnami/airflow:2.8.0-debian-11-r2 - name: git image: docker.io/bitnami/git:2.43.0-debian-11-r5 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r93 + image: docker.io/bitnami/os-shell:11-debian-11-r94 licenses: Apache-2.0 apiVersion: v2 appVersion: 2.8.0 @@ -50,4 +50,4 @@ maintainers: name: airflow sources: - https://github.com/bitnami/charts/tree/main/bitnami/airflow -version: 16.1.11 +version: 16.4.0 diff --git a/charts/bitnami/airflow/README.md b/charts/bitnami/airflow/README.md index e555f8e99..758ac183e 100644 --- a/charts/bitnami/airflow/README.md +++ b/charts/bitnami/airflow/README.md 
@@ -148,8 +148,12 @@ The command removes all the Kubernetes components associated with the chart and | `web.resources.limits` | The resources limits for the Airflow web containers | `{}` | | `web.resources.requests` | The requested resources for the Airflow web containers | `{}` | | `web.podSecurityContext.enabled` | Enabled Airflow web pods' Security Context | `true` | +| `web.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `web.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `web.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `web.podSecurityContext.fsGroup` | Set Airflow web pod's Security Context fsGroup | `1001` | | `web.containerSecurityContext.enabled` | Enabled Airflow web containers' Security Context | `true` | +| `web.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `web.containerSecurityContext.runAsUser` | Set Airflow web containers' Security Context runAsUser | `1001` | | `web.containerSecurityContext.runAsNonRoot` | Set Airflow web containers' Security Context runAsNonRoot | `true` | | `web.containerSecurityContext.privileged` | Set web container's Security Context privileged | `false` | 
@@ -157,6 +161,7 @@ The command removes all the Kubernetes components associated with the chart and | `web.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `web.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `web.lifecycleHooks` | for the Airflow web container(s) to automate configuration before or after startup | `{}` | +| `web.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `web.hostAliases` | Deployment pod host aliases | `[]` | | `web.podLabels` | Add extra labels to the Airflow web pods | `{}` | | `web.podAnnotations` | Add extra annotations to the Airflow web pods | `{}` | 
@@ -199,14 +204,30 @@ The command removes all the Kubernetes components associated with the chart and | `scheduler.extraEnvVarsCM` | ConfigMap with extra environment variables | `""` | | `scheduler.extraEnvVarsSecret` | Secret with extra environment variables | `""` | | `scheduler.extraEnvVarsSecrets` | List of secrets with extra environment variables for Airflow scheduler pods | `[]` | +| `scheduler.livenessProbe.enabled` | Enable livenessProbe on Airflow scheduler containers | `true` | +| `scheduler.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `180` | +| `scheduler.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` | +| `scheduler.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `scheduler.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `scheduler.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `scheduler.readinessProbe.enabled` | Enable readinessProbe on Airflow scheduler containers | `true` | +| `scheduler.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `scheduler.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `scheduler.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `scheduler.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `scheduler.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | | `scheduler.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | | `scheduler.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `scheduler.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | | `scheduler.resources.limits` | The resources limits for the Airflow scheduler containers | `{}` | | `scheduler.resources.requests` | The requested resources for the Airflow 
scheduler containers | `{}` | | `scheduler.podSecurityContext.enabled` | Enabled Airflow scheduler pods' Security Context | `true` | +| `scheduler.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `scheduler.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `scheduler.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `scheduler.podSecurityContext.fsGroup` | Set Airflow scheduler pod's Security Context fsGroup | `1001` | | `scheduler.containerSecurityContext.enabled` | Enabled Airflow scheduler containers' Security Context | `true` | +| `scheduler.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `scheduler.containerSecurityContext.runAsUser` | Set Airflow scheduler containers' Security Context runAsUser | `1001` | | `scheduler.containerSecurityContext.runAsNonRoot` | Set Airflow scheduler containers' Security Context runAsNonRoot | `true` | | `scheduler.containerSecurityContext.privileged` | Set scheduler container's Security Context privileged | `false` | @@ -214,6 +235,7 @@ The command removes all the Kubernetes components associated with the chart and | `scheduler.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `scheduler.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `scheduler.lifecycleHooks` | for the Airflow scheduler container(s) to automate configuration before or after startup | `{}` | +| `scheduler.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `scheduler.hostAliases` | Deployment pod host aliases | `[]` | | `scheduler.podLabels` | Add extra labels to the Airflow scheduler pods | `{}` | | `scheduler.podAnnotations` | Add extra annotations to the Airflow scheduler pods | `{}` | 
@@ -281,8 +303,12 @@ The command removes all the Kubernetes components associated with the chart and | `worker.resources.limits` | The resources limits for the Airflow worker containers | `{}` | | `worker.resources.requests` | The requested resources for the Airflow worker containers | `{}` | | `worker.podSecurityContext.enabled` | Enabled Airflow worker pods' Security Context | `true` | +| `worker.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `worker.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `worker.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `worker.podSecurityContext.fsGroup` | Set Airflow worker pod's Security Context fsGroup | `1001` | | `worker.containerSecurityContext.enabled` | Enabled Airflow worker containers' Security Context | `true` | +| `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `worker.containerSecurityContext.runAsUser` | Set Airflow worker containers' Security Context runAsUser | `1001` | | `worker.containerSecurityContext.runAsNonRoot` | Set Airflow worker containers' Security Context runAsNonRoot | `true` | | `worker.containerSecurityContext.privileged` | Set worker container's Security Context privileged | `false` | 
@@ -290,6 +316,7 @@ The command removes all the Kubernetes components associated with the chart and | `worker.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `worker.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `worker.lifecycleHooks` | for the Airflow worker container(s) to automate configuration before or after startup | `{}` | +| `worker.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `worker.hostAliases` | Deployment pod host aliases | `[]` | | `worker.podLabels` | Add extra labels to the Airflow worker pods | `{}` | | `worker.podAnnotations` | Add extra annotations to the Airflow worker pods | `{}` | 
@@ -429,8 +456,12 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.resources.limits` | The resources limits for the container | `{}` | | `metrics.resources.requests` | The requested resources for the container | `{}` | | `metrics.podSecurityContext.enabled` | Enable security context for the pods | `true` | +| `metrics.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `metrics.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `metrics.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `metrics.podSecurityContext.fsGroup` | Set Airflow exporter pod's Security Context fsGroup | `1001` | | `metrics.containerSecurityContext.enabled` | Enable Airflow exporter containers' Security Context | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `metrics.containerSecurityContext.runAsUser` | Set Airflow exporter containers' Security Context runAsUser | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set Airflow exporter containers' Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` | 
@@ -438,6 +469,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `metrics.lifecycleHooks` | for the Airflow exporter container(s) to automate configuration before or after startup | `{}` | +| `metrics.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `metrics.hostAliases` | Airflow exporter pods host aliases | `[]` | | `metrics.podLabels` | Extra labels for Airflow exporter pods | `{}` | | `metrics.podAnnotations` | Extra annotations for Airflow exporter pods | `{}` | diff --git a/charts/bitnami/airflow/charts/postgresql/Chart.yaml b/charts/bitnami/airflow/charts/postgresql/Chart.yaml index 27462200b..3f995edd0 100644 --- a/charts/bitnami/airflow/charts/postgresql/Chart.yaml +++ b/charts/bitnami/airflow/charts/postgresql/Chart.yaml @@ -4,9 +4,9 @@ annotations: - name: os-shell image: docker.io/bitnami/os-shell:11-debian-11-r93 - name: postgres-exporter - image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r4 + image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r5 - name: postgresql - image: docker.io/bitnami/postgresql:16.1.0-debian-11-r18 + image: docker.io/bitnami/postgresql:16.1.0-debian-11-r19 licenses: Apache-2.0 apiVersion: v2 appVersion: 16.1.0 @@ -34,4 +34,4 @@ maintainers: name: postgresql sources: - https://github.com/bitnami/charts/tree/main/bitnami/postgresql -version: 13.2.27 +version: 13.3.0 diff --git a/charts/bitnami/airflow/charts/postgresql/README.md b/charts/bitnami/airflow/charts/postgresql/README.md index 5348b1e66..fd5a2bab2 100644 --- a/charts/bitnami/airflow/charts/postgresql/README.md +++ b/charts/bitnami/airflow/charts/postgresql/README.md 
@@ -208,8 +208,12 @@ kubectl delete pvc -l release=my-release | `primary.resources.requests.memory` | The requested memory for the PostgreSQL Primary containers | `256Mi` | | `primary.resources.requests.cpu` | The requested cpu for the PostgreSQL Primary containers | `250m` | | `primary.podSecurityContext.enabled` | Enable security context | `true` | +| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | | `primary.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `primary.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `primary.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `primary.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -308,8 +312,12 @@ kubectl delete pvc -l release=my-release | `readReplicas.resources.requests.memory` | The requested memory for the PostgreSQL read only containers | `256Mi` | | `readReplicas.resources.requests.cpu` | The requested cpu for the PostgreSQL read only containers | `250m` | | `readReplicas.podSecurityContext.enabled` | Enable security context | `true` | +| `readReplicas.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `readReplicas.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `readReplicas.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | | `readReplicas.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `readReplicas.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `readReplicas.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `readReplicas.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -384,8 +392,12 @@ kubectl delete pvc -l release=my-release | `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` | | `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` | | `backup.cronjob.podSecurityContext.enabled` | Enable PodSecurityContext for CronJob/Backup | `true` | +| `backup.cronjob.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `backup.cronjob.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `backup.cronjob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `backup.cronjob.podSecurityContext.fsGroup` | Group ID for the CronJob | `1001` | | `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -438,6 +450,7 @@ kubectl delete pvc -l release=my-release | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | | `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | | `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | | `volumePermissions.containerSecurityContext.runAsGroup` | Group ID for the init container | `0` | | `volumePermissions.containerSecurityContext.runAsNonRoot` | runAsNonRoot for the init container | `false` | @@ -448,9 +461,9 @@ kubectl delete pvc -l release=my-release | Name | Description | Value | | --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | | `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | -| `serviceAccount.create` | Enable creation of ServiceAccount for PostgreSQL pod | `false` | +| `serviceAccount.create` | Enable creation of ServiceAccount for PostgreSQL pod | `true` | | `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | | `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | | `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` | | `rbac.rules` | Custom RBAC rules to set | `[]` | 
@@ -470,6 +483,7 @@ kubectl delete pvc -l release=my-release | `metrics.customMetrics` | Define additional custom metrics | `{}` | | `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` | | `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -546,7 +560,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/postg ## Configuration and installation details -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. @@ -740,7 +754,7 @@ Refer to the [chart documentation for more information about how to upgrade from ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/airflow/charts/postgresql/templates/backup/cronjob.yaml b/charts/bitnami/airflow/charts/postgresql/templates/backup/cronjob.yaml index 812fd848d..cdf87f743 100644 --- a/charts/bitnami/airflow/charts/postgresql/templates/backup/cronjob.yaml 
+++ b/charts/bitnami/airflow/charts/postgresql/templates/backup/cronjob.yaml @@ -74,7 +74,7 @@ spec: value: {{ .Values.backup.cronjob.storage.mountPath }} {{- if .Values.tls.enabled }} - name: PGSSLROOTCERT - {{- if .Values.tls.autoGenerated -}} + {{- if .Values.tls.autoGenerated }} value: /tmp/certs/ca.crt {{- else }} value: {{- printf "/tmp/certs/%s" .Values.tls.certCAFilename -}} diff --git a/charts/bitnami/airflow/charts/postgresql/values.yaml b/charts/bitnami/airflow/charts/postgresql/values.yaml index aa62e4237..307cc9574 100644 --- a/charts/bitnami/airflow/charts/postgresql/values.yaml +++ b/charts/bitnami/airflow/charts/postgresql/values.yaml @@ -98,11 +98,11 @@ diagnosticMode: image: registry: docker.io repository: bitnami/postgresql - tag: 16.1.0-debian-11-r18 + tag: 16.1.0-debian-11-r19 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -438,7 +438,7 @@ primary: ## lifecycleHooks: {} ## PostgreSQL Primary resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param primary.resources.limits The resources limits for the PostgreSQL Primary containers ## @param primary.resources.requests.memory The requested memory for the PostgreSQL Primary containers ## @param primary.resources.requests.cpu The requested cpu for the PostgreSQL Primary containers 
@@ -451,14 +451,21 @@ primary: ## Pod Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param primary.podSecurityContext.enabled Enable security context + ## @param primary.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param primary.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param primary.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param primary.podSecurityContext.fsGroup Group ID for the pod ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param primary.containerSecurityContext.enabled Enabled containers' Security Context + ## @param primary.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param primary.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param primary.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param primary.containerSecurityContext.privileged Set container's Security Context privileged @@ -469,6 +476,7 @@ primary: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -533,7 +541,7 @@ primary: ## affinity: {} ## @param primary.nodeSelector Node labels for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param primary.tolerations Tolerations for PostgreSQL primary pods assignment 
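Review bot: The new `sysctls` and `seLinuxOptions` knobs are documented only as "Set kernel settings using the sysctl interface" and "Set SELinux options in container", which hides the admission constraints a user hits immediately. Pod-level sysctls cover only namespaced keys, anything outside the kubelet's safe set is rejected unless the node allows it via `--allowed-unsafe-sysctls`, and the baseline Pod Security Standard rejects unsafe sysctls as well as any `seLinuxOptions.type` outside the container_* types or any `user`/`role` value. I'd add under the `@param` lines: `## Only namespaced sysctls can be set here; non-"safe" ones need the kubelet --allowed-unsafe-sysctls allowlist and are rejected by the baseline/restricted Pod Security Standard` and `## seLinuxOptions.type must be a container_* type under the baseline PSS; leave empty to inherit the runtime default`. Whether the templates actually render `sysctls` and `supplementalGroups` is not visible in this hunk.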
@@ -802,7 +810,7 @@ readReplicas: ## lifecycleHooks: {} ## PostgreSQL read only resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param readReplicas.resources.limits The resources limits for the PostgreSQL read only containers ## @param readReplicas.resources.requests.memory The requested memory for the PostgreSQL read only containers ## @param readReplicas.resources.requests.cpu The requested cpu for the PostgreSQL read only containers @@ -815,14 +823,21 @@ readReplicas: ## Pod Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param readReplicas.podSecurityContext.enabled Enable security context + ## @param readReplicas.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param readReplicas.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param readReplicas.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param readReplicas.podSecurityContext.fsGroup Group ID for the pod ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param readReplicas.containerSecurityContext.enabled Enabled containers' Security Context + ## @param readReplicas.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param readReplicas.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param readReplicas.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param readReplicas.containerSecurityContext.privileged Set container's Security Context privileged 
@@ -833,6 +848,7 @@ readReplicas: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -897,7 +913,7 @@ readReplicas: ## affinity: {} ## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment @@ -1104,13 +1120,20 @@ backup: ## @param backup.cronjob.restartPolicy Set the cronjob parameter restartPolicy restartPolicy: OnFailure ## @param backup.cronjob.podSecurityContext.enabled Enable PodSecurityContext for CronJob/Backup + ## @param backup.cronjob.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param backup.cronjob.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param backup.cronjob.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param backup.cronjob.podSecurityContext.fsGroup Group ID for the CronJob podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## backup container's Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context + ## @param backup.cronjob.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged 
@@ -1120,6 +1143,7 @@ backup: ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -1140,7 +1164,7 @@ backup: ## @param backup.cronjob.annotations Set the cronjob annotations annotations: {} ## @param backup.cronjob.nodeSelector Node labels for PostgreSQL backup CronJob pod assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/ ## nodeSelector: {} storage: @@ -1312,7 +1336,7 @@ volumePermissions: ## pullSecrets: [] ## Init container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param volumePermissions.resources.limits Init container volume-permissions resource limits ## @param volumePermissions.resources.requests Init container volume-permissions resource requests ## @@ -1322,12 +1346,14 @@ volumePermissions: ## Init container' Security Context ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser + ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container ## @param volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container ## @param volumePermissions.containerSecurityContext.runAsNonRoot runAsNonRoot for the init container ## @param volumePermissions.containerSecurityContext.seccompProfile.type seccompProfile.type for the init container ## containerSecurityContext: + seLinuxOptions: {} runAsUser: 0 runAsGroup: 0 runAsNonRoot: false 
@@ -1348,7 +1374,7 @@ serviceBindings: serviceAccount: ## @param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod ## - create: false + create: true ## @param serviceAccount.name The name of the ServiceAccount to use. ## If not set and create is true, a name is generated using the common.names.fullname template ## @@ -1356,7 +1382,7 @@ serviceAccount: ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created ## Can be set to false if pods using this serviceAccount do not need to use K8s API ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} @@ -1401,7 +1427,7 @@ metrics: image: registry: docker.io repository: bitnami/postgres-exporter - tag: 0.15.0-debian-11-r4 + tag: 0.15.0-debian-11-r5 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1443,6 +1469,7 @@ metrics: ## PostgreSQL Prometheus exporter containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context + ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged @@ -1453,6 +1480,7 @@ metrics: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false 
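Review bot: With `automountServiceAccountToken` now defaulting to `false`, the comment above it, "Can be set to false if pods using this serviceAccount do not need to use K8s API", describes the old default and reads inverted; I'd reword it to `## Defaults to false; set to true only if pods using this ServiceAccount must reach the Kubernetes API`. This field on the ServiceAccount object is only a default: a pod spec's own `automountServiceAccountToken` takes precedence, so if the pod templates (not in view) set it from another value the SA-level flip has no effect. Flipping `create` to `true` also means an upgrade of a release that pointed `serviceAccount.name` at a pre-existing ServiceAccount will now try to create that name and fail on the conflict, while a release that relied on `default` gets a new SA and a rolled StatefulSet; both deserve a line in the upgrade notes.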
@@ -1520,7 +1548,7 @@ metrics: containerPorts: metrics: 9187 ## PostgreSQL Prometheus exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param metrics.resources.limits The resources limits for the PostgreSQL Prometheus exporter container ## @param metrics.resources.requests The requested resources for the PostgreSQL Prometheus exporter container ## @@ -1540,7 +1568,7 @@ metrics: clusterIP: "" ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None ## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint diff --git a/charts/bitnami/airflow/charts/redis/Chart.yaml b/charts/bitnami/airflow/charts/redis/Chart.yaml index 8d1b456d7..f9e180e84 100644 --- a/charts/bitnami/airflow/charts/redis/Chart.yaml +++ b/charts/bitnami/airflow/charts/redis/Chart.yaml @@ -2,16 +2,16 @@ annotations: category: Database images: | - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r92 + image: docker.io/bitnami/os-shell:11-debian-11-r93 - name: redis-exporter - image: docker.io/bitnami/redis-exporter:1.55.0-debian-11-r3 + image: docker.io/bitnami/redis-exporter:1.56.0-debian-11-r0 - name: redis-sentinel - image: docker.io/bitnami/redis-sentinel:7.2.3-debian-11-r2 + image: docker.io/bitnami/redis-sentinel:7.2.4-debian-11-r0 - name: redis - image: docker.io/bitnami/redis:7.2.3-debian-11-r2 + image: docker.io/bitnami/redis:7.2.4-debian-11-r0 licenses: Apache-2.0 apiVersion: v2 -appVersion: 7.2.3 +appVersion: 7.2.4 dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts 
@@ -33,4 +33,4 @@ maintainers: name: redis sources: - https://github.com/bitnami/charts/tree/main/bitnami/redis -version: 18.6.1 +version: 18.7.0 diff --git a/charts/bitnami/airflow/charts/redis/README.md b/charts/bitnami/airflow/charts/redis/README.md index fb9f29bae..1fa7bd41c 100644 --- a/charts/bitnami/airflow/charts/redis/README.md +++ b/charts/bitnami/airflow/charts/redis/README.md @@ -163,8 +163,12 @@ The command removes all the Kubernetes components associated with the chart and | `master.resources.limits` | The resources limits for the Redis® master containers | `{}` | | `master.resources.requests` | The requested resources for the Redis® master containers | `{}` | | `master.podSecurityContext.enabled` | Enabled Redis® master pods' Security Context | `true` | +| `master.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `master.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `master.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `master.podSecurityContext.fsGroup` | Set Redis® master pod's Security Context fsGroup | `1001` | | `master.containerSecurityContext.enabled` | Enabled Redis® master containers' Security Context | `true` | +| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `master.containerSecurityContext.runAsUser` | Set Redis® master containers' Security Context runAsUser | `1001` | | `master.containerSecurityContext.runAsGroup` | Set Redis® master containers' Security Context runAsGroup | `0` | | `master.containerSecurityContext.runAsNonRoot` | Set Redis® master containers' Security Context runAsNonRoot | `true` | 
@@ -228,9 +232,9 @@ The command removes all the Kubernetes components associated with the chart and | `master.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | | `master.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | | `master.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-master pods | `30` | -| `master.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` | +| `master.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | | `master.serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `master.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `true` | +| `master.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` | | `master.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | ### Redis® replicas configuration parameters 
@@ -277,8 +281,12 @@ The command removes all the Kubernetes components associated with the chart and | `replica.resources.limits` | The resources limits for the Redis® replicas containers | `{}` | | `replica.resources.requests` | The requested resources for the Redis® replicas containers | `{}` | | `replica.podSecurityContext.enabled` | Enabled Redis® replicas pods' Security Context | `true` | +| `replica.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `replica.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `replica.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `replica.podSecurityContext.fsGroup` | Set Redis® replicas pod's Security Context fsGroup | `1001` | | `replica.containerSecurityContext.enabled` | Enabled Redis® replicas containers' Security Context | `true` | +| `replica.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `replica.containerSecurityContext.runAsUser` | Set Redis® replicas containers' Security Context runAsUser | `1001` | | `replica.containerSecurityContext.runAsGroup` | Set Redis® replicas containers' Security Context runAsGroup | `0` | | `replica.containerSecurityContext.runAsNonRoot` | Set Redis® replicas containers' Security Context runAsNonRoot | `true` | 
@@ -346,9 +354,9 @@ The command removes all the Kubernetes components associated with the chart and | `replica.autoscaling.maxReplicas` | Maximum replicas for the pod autoscaling | `11` | | `replica.autoscaling.targetCPU` | Percentage of CPU to consider when autoscaling | `""` | | `replica.autoscaling.targetMemory` | Percentage of Memory to consider when autoscaling | `""` | -| `replica.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` | +| `replica.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | | `replica.serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `replica.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `true` | +| `replica.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` | | `replica.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | ### Redis® Sentinel configuration parameters @@ -420,6 +428,7 @@ The command removes all the Kubernetes components associated with the chart and | `sentinel.resources.limits` | The resources limits for the Redis® Sentinel containers | `{}` | | `sentinel.resources.requests` | The requested resources for the Redis® Sentinel containers | `{}` | | `sentinel.containerSecurityContext.enabled` | Enabled Redis® Sentinel containers' Security Context | `true` | +| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `sentinel.containerSecurityContext.runAsUser` | Set Redis® Sentinel containers' Security Context runAsUser | `1001` | | `sentinel.containerSecurityContext.runAsGroup` | Set Redis® Sentinel containers' Security Context runAsGroup | `0` | | `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis® Sentinel containers' Security Context runAsNonRoot | `true` | 
@@ -466,7 +475,7 @@ The command removes all the Kubernetes components associated with the chart and | `rbac.rules` | Custom RBAC rules to set | `[]` | | `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | | `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `true` | +| `serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` | | `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | | `pdb.create` | Specifies whether a PodDisruptionBudget should be created | `false` | | `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` | @@ -517,6 +526,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.extraArgs` | Extra arguments for Redis® exporter, for example: | `{}` | | `metrics.extraEnvVars` | Array with extra environment variables to add to Redis® exporter | `[]` | | `metrics.containerSecurityContext.enabled` | Enabled Redis® exporter containers' Security Context | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `metrics.containerSecurityContext.runAsUser` | Set Redis® exporter containers' Security Context runAsUser | `1001` | | `metrics.containerSecurityContext.runAsGroup` | Set Redis® exporter containers' Security Context runAsGroup | `0` | | `metrics.containerSecurityContext.runAsNonRoot` | Set Redis® exporter containers' Security Context runAsNonRoot | `true` | 
@@ -567,27 +577,28 @@ The command removes all the Kubernetes components associated with the chart and ### Init Container Parameters -| Name | Description | Value | -| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | -------------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | -| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | -| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | -| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | -| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | -| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` | -| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | -| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | -| `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | -| `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | -| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | -| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` | -| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` | -| `sysctl.resources.limits` | The resources limits for the init container | `{}` | -| `sysctl.resources.requests` | The requested resources for the init container | `{}` | +| Name | Description | Value | +| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | +| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | +| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` | +| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` | +| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` | +| `sysctl.resources.limits` | The resources limits for the init container | `{}` | +| `sysctl.resources.requests` | The requested resources for the init container | `{}` | ### useExternalDNS Parameters 
@@ -623,7 +634,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/redis ## Configuration and installation details -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. @@ -1007,7 +1018,7 @@ kubectl patch deployments my-release-redis-metrics --type=json -p='[{"op": "remo ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/airflow/charts/redis/templates/sentinel/node-services.yaml b/charts/bitnami/airflow/charts/redis/templates/sentinel/node-services.yaml index 35860bcc6..672de5cd2 100644 --- a/charts/bitnami/airflow/charts/redis/templates/sentinel/node-services.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/sentinel/node-services.yaml @@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0 {{- range $i := until (int .Values.replica.replicaCount) }} -{{ $portsmap := (lookup "v1" "ConfigMap" (include "common.names.namespace" .) (printf "%s-%s" ( include "common.names.fullname" $ ) "ports-configmap")).data }} +{{ $portsmap := (lookup "v1" "ConfigMap" (include "common.names.namespace" $) (printf "%s-%s" ( include "common.names.fullname" $ ) "ports-configmap")).data }} {{ $sentinelport := 0}} {{ $redisport := 0}} 
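Review bot: Passing `$` instead of `.` to `common.names.namespace` is right, since inside the `range` the dot is the loop index, but the `lookup` result is still dereferenced unguarded: `lookup` returns an empty map on `helm template`, `--dry-run`, or a first install before the ConfigMap exists, so `$portsmap` becomes nil. If the rest of the range body (which continues past the hunk) indexes into it, rendering errors or yields a zero port; a guard such as `{{- $portsmap := (lookup "v1" "ConfigMap" (include "common.names.namespace" $) (printf "%s-%s" (include "common.names.fullname" $) "ports-configmap") | default dict).data | default dict }}` keeps rendering stable. The same `.`→`$` correction is applied to `metadata.namespace` in the next hunk.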
@@ -20,7 +20,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "common.names.fullname" $ }}-node-{{ $i }} - namespace: {{ include "common.names.namespace" . | quote }} + namespace: {{ include "common.names.namespace" $ | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: node {{- if or $.Values.commonAnnotations $.Values.sentinel.service.annotations }} diff --git a/charts/bitnami/airflow/charts/redis/values.yaml b/charts/bitnami/airflow/charts/redis/values.yaml index e37fce962..ffb71df73 100644 --- a/charts/bitnami/airflow/charts/redis/values.yaml +++ b/charts/bitnami/airflow/charts/redis/values.yaml @@ -94,11 +94,11 @@ diagnosticMode: image: registry: docker.io repository: bitnami/redis - tag: 7.2.3-debian-11-r2 + tag: 7.2.4-debian-11-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -266,7 +266,7 @@ master: ## customReadinessProbe: {} ## Redis® master resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param master.resources.limits The resources limits for the Redis® master containers ## @param master.resources.requests The requested resources for the Redis® master containers ## 
@@ -276,14 +276,21 @@ master: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param master.podSecurityContext.enabled Enabled Redis® master pods' Security Context + ## @param master.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param master.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param master.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param master.podSecurityContext.fsGroup Set Redis® master pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param master.containerSecurityContext.enabled Enabled Redis® master containers' Security Context + ## @param master.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param master.containerSecurityContext.runAsUser Set Redis® master containers' Security Context runAsUser ## @param master.containerSecurityContext.runAsGroup Set Redis® master containers' Security Context runAsGroup ## @param master.containerSecurityContext.runAsNonRoot Set Redis® master containers' Security Context runAsNonRoot @@ -293,6 +300,7 @@ master: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true @@ -372,7 +380,7 @@ master: ## affinity: {} ## @param master.nodeSelector Node labels for Redis® master pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param master.tolerations Tolerations for Redis® master pods assignment 
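Review bot: `master.podSecurityContext.sysctls` overlaps with the chart's existing `sysctl.*` init container (which mounts the host `/sys` and runs as root), and the new comment does not say which to use for what. Pod-level sysctls cover only namespaced keys, so a key like `net.core.somaxconn` is settable here but still needs the node's `--allowed-unsafe-sysctls` allowlist, while a node-wide key such as `vm.overcommit_memory` is not namespaced and can only be set by the privileged init container. I'd add beneath the `@param` line: `## Prefer this over sysctl.enabled for namespaced keys; node-wide keys such as vm.overcommit_memory still need the sysctl init container, and unsafe sysctls need --allowed-unsafe-sysctls on the kubelet`, and mirror it in the replica block.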
@@ -435,7 +443,7 @@ master: ## initContainers: [] ## Persistence parameters - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param master.persistence.enabled Enable persistence on Redis® master nodes using Persistent Volume Claims @@ -576,7 +584,7 @@ master: serviceAccount: ## @param master.serviceAccount.create Specifies whether a ServiceAccount should be created ## - create: false + create: true ## @param master.serviceAccount.name The name of the ServiceAccount to use. ## If not set and create is true, a name is generated using the common.names.fullname template ## @@ -584,7 +592,7 @@ master: ## @param master.serviceAccount.automountServiceAccountToken Whether to auto mount the service account token ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param master.serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} @@ -709,7 +717,7 @@ replica: ## customReadinessProbe: {} ## Redis® replicas resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param replica.resources.limits The resources limits for the Redis® replicas containers ## @param replica.resources.requests The requested resources for the Redis® replicas containers ## 
@@ -727,14 +735,21 @@ replica: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param replica.podSecurityContext.enabled Enabled Redis® replicas pods' Security Context + ## @param replica.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param replica.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param replica.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param replica.podSecurityContext.fsGroup Set Redis® replicas pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param replica.containerSecurityContext.enabled Enabled Redis® replicas containers' Security Context + ## @param replica.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param replica.containerSecurityContext.runAsUser Set Redis® replicas containers' Security Context runAsUser ## @param replica.containerSecurityContext.runAsGroup Set Redis® replicas containers' Security Context runAsGroup ## @param replica.containerSecurityContext.runAsNonRoot Set Redis® replicas containers' Security Context runAsNonRoot @@ -744,6 +759,7 @@ replica: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true @@ -823,7 +839,7 @@ replica: ## affinity: {} ## @param replica.nodeSelector Node labels for Redis® replicas pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param replica.tolerations Tolerations for Redis® replicas pods assignment 
@@ -886,7 +902,7 @@ replica: ## initContainers: [] ## Persistence Parameters - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param replica.persistence.enabled Enable persistence on Redis® replicas nodes using Persistent Volume Claims @@ -1037,7 +1053,7 @@ replica: serviceAccount: ## @param replica.serviceAccount.create Specifies whether a ServiceAccount should be created ## - create: false + create: true ## @param replica.serviceAccount.name The name of the ServiceAccount to use. ## If not set and create is true, a name is generated using the common.names.fullname template ## @@ -1045,7 +1061,7 @@ replica: ## @param replica.serviceAccount.automountServiceAccountToken Whether to auto mount the service account token ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param replica.serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} @@ -1071,11 +1087,11 @@ sentinel: image: registry: docker.io repository: bitnami/redis-sentinel - tag: 7.2.3-debian-11-r2 + tag: 7.2.4-debian-11-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -1213,7 +1229,7 @@ sentinel: ## customReadinessProbe: {} ## Persistence parameters - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param sentinel.persistence.enabled Enable persistence on Redis® sentinel nodes using Persistent Volume Claims (Experimental) @@ -1265,7 +1281,7 @@ sentinel: whenScaled: Retain whenDeleted: Retain ## Redis® Sentinel resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param sentinel.resources.limits The resources limits for the Redis® Sentinel containers ## @param sentinel.resources.requests The requested resources for the Redis® Sentinel containers ## @@ -1275,6 +1291,7 @@ sentinel: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param sentinel.containerSecurityContext.enabled Enabled Redis® Sentinel containers' Security Context + ## @param sentinel.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param sentinel.containerSecurityContext.runAsUser Set Redis® Sentinel containers' Security Context runAsUser ## @param sentinel.containerSecurityContext.runAsGroup Set Redis® Sentinel containers' Security Context runAsGroup ## @param sentinel.containerSecurityContext.runAsNonRoot Set Redis® Sentinel containers' Security Context runAsNonRoot @@ -1284,6 +1301,7 @@ sentinel: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true 
@@ -1487,7 +1505,7 @@ serviceAccount: ## @param serviceAccount.automountServiceAccountToken Whether to auto mount the service account token ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} @@ -1554,7 +1572,7 @@ metrics: image: registry: docker.io repository: bitnami/redis-exporter - tag: 1.55.0-debian-11-r3 + tag: 1.56.0-debian-11-r0 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1641,6 +1659,7 @@ metrics: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param metrics.containerSecurityContext.enabled Enabled Redis® exporter containers' Security Context + ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser Set Redis® exporter containers' Security Context runAsUser ## @param metrics.containerSecurityContext.runAsGroup Set Redis® exporter containers' Security Context runAsGroup ## @param metrics.containerSecurityContext.runAsNonRoot Set Redis® exporter containers' Security Context runAsNonRoot @@ -1650,6 +1669,7 @@ metrics: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true 
@@ -1666,7 +1686,7 @@ metrics: ## extraVolumeMounts: [] ## Redis® exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param metrics.resources.limits The resources limits for the Redis® exporter container ## @param metrics.resources.requests The requested resources for the Redis® exporter container ## @@ -1870,7 +1890,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r92 + tag: 11-debian-11-r93 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1882,7 +1902,7 @@ volumePermissions: ## pullSecrets: [] ## Init container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param volumePermissions.resources.limits The resources limits for the init container ## @param volumePermissions.resources.requests The requested resources for the init container ## @@ -1891,12 +1911,14 @@ volumePermissions: requests: {} ## Init container Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed) ## containerSecurityContext: + seLinuxOptions: {} runAsUser: 0 ## init-sysctl container parameters 
@@ -1918,7 +1940,7 @@ sysctl: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r92 + tag: 11-debian-11-r93 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1936,7 +1958,7 @@ sysctl: ## mountHostSys: false ## Init container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param sysctl.resources.limits The resources limits for the init container ## @param sysctl.resources.requests The requested resources for the init container ## diff --git a/charts/bitnami/airflow/templates/config/configmap.yaml b/charts/bitnami/airflow/templates/config/configmap.yaml index bdc3e73bf..fc8df9833 100644 --- a/charts/bitnami/airflow/templates/config/configmap.yaml +++ b/charts/bitnami/airflow/templates/config/configmap.yaml @@ -36,6 +36,7 @@ data: {{- end }} spec: {{- include "airflow.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.worker.automountServiceAccountToken }} {{- if .Values.worker.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.worker.hostAliases "context" $) | nindent 8 }} {{- end }} diff --git a/charts/bitnami/airflow/templates/metrics/deployment.yaml b/charts/bitnami/airflow/templates/metrics/deployment.yaml index dbb000500..c110e6d7e 100644 --- a/charts/bitnami/airflow/templates/metrics/deployment.yaml +++ b/charts/bitnami/airflow/templates/metrics/deployment.yaml @@ -32,6 +32,7 @@ spec: app.kubernetes.io/component: metrics spec: {{- include "airflow.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.metrics.automountServiceAccountToken }} {{- if .Values.metrics.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.hostAliases "context" $) | nindent 8 }} {{- end }} 
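Review bot: `automountServiceAccountToken: {{ .Values.worker.automountServiceAccountToken }}` in the ConfigMap pod template is interpolated bare, so a value of `null` or `""` (for example `--set worker.automountServiceAccountToken=null`) renders as an empty scalar; on a pod spec that is an unset field, which falls back to the ServiceAccount's own default and therefore re-enables the mount instead of disabling it. Rendering it as `automountServiceAccountToken: {{ .Values.worker.automountServiceAccountToken | default false }}` keeps the fail-closed default while still honouring an explicit `true`. This line sits inside the pod template stored in the ConfigMap, so it appears to govern executor-launched worker pods rather than the worker StatefulSet; the enclosing template is not in this hunk.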
diff --git a/charts/bitnami/airflow/templates/scheduler/deployment.yaml b/charts/bitnami/airflow/templates/scheduler/deployment.yaml index a4639489b..b75c1b2e3 100644 --- a/charts/bitnami/airflow/templates/scheduler/deployment.yaml +++ b/charts/bitnami/airflow/templates/scheduler/deployment.yaml @@ -36,6 +36,7 @@ spec: {{- end }} spec: {{- include "airflow.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.scheduler.automountServiceAccountToken }} {{- if .Values.scheduler.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.scheduler.hostAliases "context" $) | nindent 8 }} {{- end }} 
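Review bot: Hard-wiring `automountServiceAccountToken` on the scheduler pod from a value whose default is `false` in values.yaml will break any executor that needs the scheduler to talk to the Kubernetes API: with `KubernetesExecutor` or `CeleryKubernetesExecutor` the scheduler is the component that creates worker pods, and without a mounted token those launches fail at runtime rather than at install time. The worker pod template this chart renders into a ConfigMap suggests such executors are supported, so the field should either be conditioned on the configured executor or the `@param scheduler.automountServiceAccountToken` comment should state that it must be set to `true` for those executors, e.g. `## NOTE: must be true when the scheduler launches pods itself (KubernetesExecutor / CeleryKubernetesExecutor)`. The rest of the scheduler pod spec is outside this hunk, so I cannot tell whether such a condition already exists elsewhere.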
@@ -149,9 +150,25 @@ spec: {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.scheduler.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.scheduler.customLivenessProbe "context" $) | trim | nindent 12 }} + {{- else if .Values.scheduler.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.scheduler.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/bash + - -ec + - | + airflow jobs check --job-type SchedulerJob --local {{- if not .Values.diagnosticMode.enabled }} 2>/dev/null {{- end }} {{- end }} {{- if .Values.scheduler.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.scheduler.customReadinessProbe "context" $) | trim | nindent 12 }} + {{- else if .Values.scheduler.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.scheduler.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/bash + - -ec + - | + airflow jobs check --job-type SchedulerJob --local {{- if not .Values.diagnosticMode.enabled }} 2>/dev/null {{- end }} {{- end }} {{- if .Values.scheduler.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.scheduler.customStartupProbe "context" $) | nindent 12 }} diff --git a/charts/bitnami/airflow/templates/web/deployment.yaml b/charts/bitnami/airflow/templates/web/deployment.yaml index 8629ff4c6..2df1c51da 100644 --- a/charts/bitnami/airflow/templates/web/deployment.yaml +++ b/charts/bitnami/airflow/templates/web/deployment.yaml 
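Review bot: The `{{- if not .Values.diagnosticMode.enabled }} 2>/dev/null {{- end }}` appended to both probe commands is dead: the enclosing block already opens with `{{- if not .Values.diagnosticMode.enabled }}`, so the inner test can never be false and the redirect is unconditional. Beyond the redundancy, discarding stderr hides the reason a probe failed (e.g. `airflow jobs check` reporting a metadata-database connection error) from the probe output the kubelet typically surfaces in its failure event, which is the first thing an operator sees when the scheduler is restarted. I would drop the inner conditional and the redirect, leaving `airflow jobs check --job-type SchedulerJob --local` on both probes, or at least keep stderr. The container spec these probes belong to starts before and ends after this hunk.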
@@ -35,6 +35,7 @@ spec: {{- end }} spec: {{- include "airflow.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.web.automountServiceAccountToken }} {{- if .Values.web.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.web.hostAliases "context" $) | nindent 8 }} {{- end }} diff --git a/charts/bitnami/airflow/templates/worker/statefulset.yaml b/charts/bitnami/airflow/templates/worker/statefulset.yaml index e09ca9b71..06c306d06 100644 --- a/charts/bitnami/airflow/templates/worker/statefulset.yaml +++ b/charts/bitnami/airflow/templates/worker/statefulset.yaml @@ -40,6 +40,7 @@ spec: app.kubernetes.io/component: worker spec: {{- include "airflow.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.worker.automountServiceAccountToken }} {{- if .Values.worker.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.worker.hostAliases "context" $) | nindent 8 }} {{- end }} diff --git a/charts/bitnami/airflow/values.yaml b/charts/bitnami/airflow/values.yaml index 82fc2bcf3..43e6da4a4 100644 --- a/charts/bitnami/airflow/values.yaml +++ b/charts/bitnami/airflow/values.yaml @@ -121,7 +121,7 @@ dags: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r93 + tag: 11-debian-11-r94 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -188,7 +188,7 @@ web: image: registry: docker.io repository: bitnami/airflow - tag: 2.8.0-debian-11-r1 + tag: 2.8.0-debian-11-r2 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -301,14 +301,21 @@ web: ## Configure Airflow web pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param web.podSecurityContext.enabled Enabled Airflow web pods' Security Context + ## @param web.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param web.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param web.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param web.podSecurityContext.fsGroup Set Airflow web pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Airflow web containers (only main one) Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param web.containerSecurityContext.enabled Enabled Airflow web containers' Security Context + ## @param web.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param web.containerSecurityContext.runAsUser Set Airflow web containers' Security Context runAsUser ## @param web.containerSecurityContext.runAsNonRoot Set Airflow web containers' Security Context runAsNonRoot ## @param web.containerSecurityContext.privileged Set web container's Security Context privileged @@ -318,6 +325,7 @@ web: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false 
@@ -329,6 +337,9 @@ web: ## @param web.lifecycleHooks for the Airflow web container(s) to automate configuration before or after startup ## lifecycleHooks: {} + ## @param web.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param web.hostAliases Deployment pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## 
@@ -495,6 +506,36 @@ scheduler: ## @param scheduler.extraEnvVarsSecrets List of secrets with extra environment variables for Airflow scheduler pods ## extraEnvVarsSecrets: [] + ## Configure extra options for Airflow scheduler containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param scheduler.livenessProbe.enabled Enable livenessProbe on Airflow scheduler containers + ## @param scheduler.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param scheduler.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param scheduler.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param scheduler.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param scheduler.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 180 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param scheduler.readinessProbe.enabled Enable readinessProbe on Airflow scheduler containers + ## @param scheduler.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param scheduler.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param scheduler.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param scheduler.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param scheduler.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 ## @param scheduler.customLivenessProbe Custom livenessProbe that overrides the default one ## customLivenessProbe: {} 
@@ -515,14 +556,21 @@ scheduler: ## Configure Airflow scheduler pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param scheduler.podSecurityContext.enabled Enabled Airflow scheduler pods' Security Context + ## @param scheduler.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param scheduler.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param scheduler.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param scheduler.podSecurityContext.fsGroup Set Airflow scheduler pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Airflow scheduler containers (only main one) Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param scheduler.containerSecurityContext.enabled Enabled Airflow scheduler containers' Security Context + ## @param scheduler.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param scheduler.containerSecurityContext.runAsUser Set Airflow scheduler containers' Security Context runAsUser ## @param scheduler.containerSecurityContext.runAsNonRoot Set Airflow scheduler containers' Security Context runAsNonRoot ## @param scheduler.containerSecurityContext.privileged Set scheduler container's Security Context privileged @@ -532,6 +580,7 @@ scheduler: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false 
@@ -543,6 +592,9 @@ scheduler: ## @param scheduler.lifecycleHooks for the Airflow scheduler container(s) to automate configuration before or after startup ## lifecycleHooks: {} + ## @param scheduler.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param scheduler.hostAliases Deployment pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -777,14 +829,21 @@ worker: ## Configure Airflow worker pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param worker.podSecurityContext.enabled Enabled Airflow worker pods' Security Context + ## @param worker.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param worker.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param worker.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param worker.podSecurityContext.fsGroup Set Airflow worker pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Airflow worker containers (only main one) Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param worker.containerSecurityContext.enabled Enabled Airflow worker containers' Security Context + ## @param worker.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param worker.containerSecurityContext.runAsUser Set Airflow worker containers' Security Context runAsUser ## @param worker.containerSecurityContext.runAsNonRoot Set Airflow worker containers' Security Context runAsNonRoot ## @param worker.containerSecurityContext.privileged Set worker container's Security Context privileged 
@@ -794,6 +853,7 @@ worker: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -805,6 +865,9 @@ worker: ## @param worker.lifecycleHooks for the Airflow worker container(s) to automate configuration before or after startup ## lifecycleHooks: {} + ## @param worker.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param worker.hostAliases Deployment pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -1316,7 +1379,7 @@ metrics: image: registry: docker.io repository: bitnami/airflow-exporter - tag: 0.20220314.0-debian-11-r441 + tag: 0.20220314.0-debian-11-r443 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -1351,14 +1414,21 @@ metrics: ## Airflow exporter pods' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param metrics.podSecurityContext.enabled Enable security context for the pods + ## @param metrics.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param metrics.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param metrics.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param metrics.podSecurityContext.fsGroup Set Airflow exporter pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Airflow exporter containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled Enable Airflow exporter containers' Security Context + ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser Set Airflow exporter containers' Security Context runAsUser ## @param metrics.containerSecurityContext.runAsNonRoot Set Airflow exporter containers' Security Context runAsNonRoot ## @param metrics.containerSecurityContext.privileged Set metrics container's Security Context privileged @@ -1374,6 +1444,7 @@ metrics: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false 
@@ -1385,6 +1456,9 @@ metrics: ## @param metrics.lifecycleHooks for the Airflow exporter container(s) to automate configuration before or after startup ## lifecycleHooks: {} + ## @param metrics.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param metrics.hostAliases Airflow exporter pods host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## diff --git a/charts/bitnami/cassandra/Chart.lock b/charts/bitnami/cassandra/Chart.lock index a2bee0b90..b1cd95f12 100644 --- a/charts/bitnami/cassandra/Chart.lock +++ b/charts/bitnami/cassandra/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.13.3 -digest: sha256:9a971689db0c66ea95ac2e911c05014c2b96c6077c991131ff84f2982f88fb83 -generated: "2023-11-07T11:38:22.303262695Z" + version: 2.14.1 +digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3 +generated: "2024-01-17T19:55:21.831469725Z" diff --git a/charts/bitnami/cassandra/Chart.yaml b/charts/bitnami/cassandra/Chart.yaml index 6234b1ca7..636c53092 100644 --- a/charts/bitnami/cassandra/Chart.yaml +++ b/charts/bitnami/cassandra/Chart.yaml @@ -6,11 +6,11 @@ annotations: category: Database images: | - name: cassandra-exporter - image: docker.io/bitnami/cassandra-exporter:2.3.8-debian-11-r431 + image: docker.io/bitnami/cassandra-exporter:2.3.8-debian-11-r433 - name: cassandra - image: docker.io/bitnami/cassandra:4.1.3-debian-11-r78 + image: docker.io/bitnami/cassandra:4.1.3-debian-11-r81 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r92 + image: docker.io/bitnami/os-shell:11-debian-11-r94 licenses: Apache-2.0 apiVersion: v2 appVersion: 4.1.3 @@ -35,4 +35,4 @@ maintainers: name: cassandra sources: - https://github.com/bitnami/charts/tree/main/bitnami/cassandra -version: 10.6.9 +version: 10.8.0 
diff --git a/charts/bitnami/cassandra/README.md b/charts/bitnami/cassandra/README.md index 435fc9523..0285f1602 100644 --- a/charts/bitnami/cassandra/README.md +++ b/charts/bitnami/cassandra/README.md @@ -119,6 +119,7 @@ The command removes all the Kubernetes components associated with the chart and | --------------------------------------------------- | ----------------------------------------------------------------------------------------- | ---------------- | | `replicaCount` | Number of Cassandra replicas | `1` | | `updateStrategy.type` | updateStrategy for Cassandra statefulset | `RollingUpdate` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `hostAliases` | Add deployment host aliases | `[]` | | `podManagementPolicy` | StatefulSet pod management policy | `OrderedReady` | | `priorityClassName` | Cassandra pods' priority. | `""` | 
@@ -134,8 +135,12 @@ The command removes all the Kubernetes components associated with the chart and | `tolerations` | Tolerations for pod assignment | `[]` | | `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | | `podSecurityContext.enabled` | Enabled Cassandra pods' Security Context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.fsGroup` | Set Cassandra pod's Security Context fsGroup | `1001` | | `containerSecurityContext.enabled` | Enabled Cassandra containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `containerSecurityContext.runAsUser` | Set Cassandra containers' Security Context runAsUser | `1001` | | `containerSecurityContext.allowPrivilegeEscalation` | Set Cassandra containers' Security Context allowPrivilegeEscalation | `false` | | `containerSecurityContext.capabilities.drop` | Set Cassandra containers' Security Context capabilities to be dropped | `["ALL"]` | 
@@ -233,17 +238,18 @@ The command removes all the Kubernetes components associated with the chart and ### Volume Permissions parameters -| Name | Description | Value | -| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | -------------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | -| `volumePermissions.image.registry` | Init container volume image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | Init container volume image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | Init container volume image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Init container volume pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `volumePermissions.resources.limits` | The resources limits for the container | `{}` | -| `volumePermissions.resources.requests` | The requested resources for the container | `{}` | -| `volumePermissions.securityContext.runAsUser` | User ID for the init container | `0` | +| Name | Description | Value | +| -------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | +| `volumePermissions.image.registry` | Init container volume image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | Init container volume image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | Init container volume image digest in the way 
sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `volumePermissions.resources.limits` | The resources limits for the container | `{}` | +| `volumePermissions.resources.requests` | The requested resources for the container | `{}` | +| `volumePermissions.securityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.securityContext.runAsUser` | User ID for the init container | `0` | ### Metrics parameters diff --git a/charts/bitnami/cassandra/charts/common/Chart.yaml b/charts/bitnami/cassandra/charts/common/Chart.yaml index 40cd22d77..9a6aa881f 100644 --- a/charts/bitnami/cassandra/charts/common/Chart.yaml +++ b/charts/bitnami/cassandra/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.14.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.13.3 +version: 2.14.1 diff --git a/charts/bitnami/cassandra/charts/common/README.md b/charts/bitnami/cassandra/charts/common/README.md index 80da4cc2f..a76fa46a2 100644 --- a/charts/bitnami/cassandra/charts/common/README.md +++ b/charts/bitnami/cassandra/charts/common/README.md 
@@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ diff --git a/charts/bitnami/cassandra/charts/common/templates/_secrets.tpl b/charts/bitnami/cassandra/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/bitnami/cassandra/charts/common/templates/_secrets.tpl +++ b/charts/bitnami/cassandra/charts/common/templates/_secrets.tpl @@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) 
@@ -91,7 +93,6 @@ The order in which this function returns a secret password:
 {{- $password := "" }}
 {{- $subchart := "" }}
-{{- $failOnNew := default true .failOnNew }}
 {{- $chartName := default "" .chartName }}
 {{- $passwordLength := default 10 .length }}
 {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
@@ -99,12 +100,14 @@ The order in which this function returns a secret password:
 {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }}
 {{- if $secretData }}
 {{- if hasKey $secretData .key }}
- {{- $password = index $secretData .key | quote }}
- {{- else if $failOnNew }}
+ {{- $password = index $secretData .key | b64dec }}
+ {{- else if not (eq .failOnNew false) }}
 {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
+ {{- else if $providedPasswordValue }}
+ {{- $password = $providedPasswordValue | toString }}
 {{- end -}}
 {{- else if $providedPasswordValue }}
- {{- $password = $providedPasswordValue | toString | b64enc | quote }}
+ {{- $password = $providedPasswordValue | toString }}
 {{- else }}
 {{- if .context.Values.enabled }}
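Review bot: In the inner chain under `{{- if $secretData }}`, the case where the existing Secret lacks `.key`, `failOnNew` is false and `$providedPasswordValue` is empty falls through with `$password` still at its initial `""`, so the helper renders an empty value for that key instead of failing or generating one the way the outer `{{- else }}` branch does when no Secret exists. If that is not intended, a closing `{{- else }}` in the inner chain that either calls `fail` or shares the random-generation path would close the gap; as written, a chart that opts out of `failOnNew` can silently ship an empty credential. This reading assumes nothing between the shown lines reassigns `$password`; the enclosing define starts before and ends after this hunk. The same two hunks are repeated in the zookeeper copy of this file (charts/bitnami/kafka/charts/zookeeper/charts/common/templates/_secrets.tpl) and need the same treatment.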
@@ -120,12 +123,19 @@ The order in which this function returns a secret password:
 {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
 {{- $password = randAscii $passwordLength }}
 {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
- {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }}
+ {{- $password = printf "%s%s" $subStr $password | toString | shuffle }}
 {{- else }}
- {{- $password = randAlphaNum $passwordLength | b64enc | quote }}
+ {{- $password = randAlphaNum $passwordLength }}
 {{- end }}
 {{- end -}}
+{{- if not .skipB64enc }}
+{{- $password = $password | b64enc }}
+{{- end -}}
+{{- if .skipQuote -}}
 {{- printf "%s" $password -}}
+{{- else -}}
+{{- printf "%s" $password | quote -}}
+{{- end -}}
 {{- end -}}
 {{/*
diff --git a/charts/bitnami/cassandra/templates/statefulset.yaml b/charts/bitnami/cassandra/templates/statefulset.yaml
index 30f929c67..f17c4279e 100644
--- a/charts/bitnami/cassandra/templates/statefulset.yaml
+++ b/charts/bitnami/cassandra/templates/statefulset.yaml
@@ -34,6 +34,7 @@ spec:
 {{- end }}
 spec:
 {{- include "cassandra.imagePullSecrets" . | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
 {{- if .Values.hostAliases }}
 hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
 {{- end }}
diff --git a/charts/bitnami/cassandra/values.yaml b/charts/bitnami/cassandra/values.yaml
index e5a024f23..4409e65cb 100644
--- a/charts/bitnami/cassandra/values.yaml
+++ b/charts/bitnami/cassandra/values.yaml
@@ -76,7 +76,7 @@ diagnosticMode:
 image:
 registry: docker.io
 repository: bitnami/cassandra
- tag: 4.1.3-debian-11-r78
+ tag: 4.1.3-debian-11-r81
 digest: ""
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
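Review bot: Under the new `{{- if .skipQuote -}}` branch the existing `{{- printf "%s" $password -}}` emits the value bare, and when `skipB64enc` is also set that value is the raw generated password, which after `regexReplaceAllLiteral "\\W" $password "@"` and `shuffle` can begin with `@`, a character YAML does not accept at the start of a plain scalar; a caller that drops the result straight into a manifest can then get a render failure that depends on the random draw. Either document next to `skipQuote` that the caller is responsible for quoting (for example wrapping the include in `| quote`), or keep quoting whenever `skipB64enc` is true regardless of `skipQuote`. The enclosing define starts before this hunk.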
@@ -214,6 +214,9 @@ replicaCount: 1
 ##
 updateStrategy:
 type: RollingUpdate
+## @param automountServiceAccountToken Mount Service Account token in pod
+##
+automountServiceAccountToken: false
 ## @param hostAliases Add deployment host aliases
 ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
 ##
@@ -279,14 +282,21 @@ topologySpreadConstraints: []
 ## Pod security context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param podSecurityContext.enabled Enabled Cassandra pods' Security Context
+## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
+## @param podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param podSecurityContext.fsGroup Set Cassandra pod's Security Context fsGroup
 ##
 podSecurityContext:
 enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
 fsGroup: 1001
 ## Configure Container Security Context (only main container)
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param containerSecurityContext.enabled Enabled Cassandra containers' Security Context
+## @param containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param containerSecurityContext.runAsUser Set Cassandra containers' Security Context runAsUser
 ## @param containerSecurityContext.allowPrivilegeEscalation Set Cassandra containers' Security Context allowPrivilegeEscalation
 ## @param containerSecurityContext.capabilities.drop Set Cassandra containers' Security Context capabilities to be dropped
@@ -297,6 +307,7 @@ podSecurityContext:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
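Review bot: `## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface` documents the new field but not its admission constraint: the kubelet only permits its built-in safe set of sysctls, and a pod requesting any other sysctl is refused by the node unless that sysctl is allowlisted via the kubelet's `--allowed-unsafe-sysctls` flag, so a user who sets this expecting it to just work gets a pod that never starts. A one-line pointer after the `@param`, e.g. `## Note: sysctls outside the kubelet's safe set must be allowlisted on the node (--allowed-unsafe-sysctls)`, would save that round trip. The same parameter is introduced for the kafka and zookeeper charts in the README rows further down in this diff.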
@@ -628,7 +639,7 @@ volumePermissions:
 image:
 registry: docker.io
 repository: bitnami/os-shell
- tag: 11-debian-11-r92
+ tag: 11-debian-11-r94
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
@@ -664,6 +675,7 @@ volumePermissions:
 ## Init container Security Context
 ## Note: the chown of the data folder is done to securityContext.runAsUser
 ## and not the below volumePermissions.securityContext.runAsUser
+ ## @param volumePermissions.securityContext.seLinuxOptions Set SELinux options in container
 ## @param volumePermissions.securityContext.runAsUser User ID for the init container
 ##
 ## When runAsUser is set to special value "auto", init container will try to chwon the
@@ -673,6 +685,7 @@ volumePermissions:
 ## pod securityContext.enabled=false and shmVolume.chmod.enabled=false
 ##
 securityContext:
+ seLinuxOptions: {}
 runAsUser: 0
 ## @section Metrics parameters
@@ -696,7 +709,7 @@ metrics:
 image:
 registry: docker.io
 repository: bitnami/cassandra-exporter
- tag: 2.3.8-debian-11-r431
+ tag: 2.3.8-debian-11-r433
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
diff --git a/charts/bitnami/kafka/Chart.lock b/charts/bitnami/kafka/Chart.lock
index aa7516883..8c35de998 100644
--- a/charts/bitnami/kafka/Chart.lock
+++ b/charts/bitnami/kafka/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: zookeeper
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 12.4.0
+ version: 12.5.0
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
 version: 2.14.1
-digest: sha256:436dc8df38da8dfade2782e499dfea25d0dd1ed683bb42c8cc9f6b97f3ea66fe
-generated: "2023-12-22T14:05:20.981818545Z"
+digest: sha256:e4feec8f181106637521ad9f041bab689837c3793a890cbd82d0fe386eb7b4b3
+generated: "2024-01-17T19:59:13.138728344Z"
diff --git a/charts/bitnami/kafka/Chart.yaml b/charts/bitnami/kafka/Chart.yaml
index f9a5a90e5..1e6db8651 100644
--- a/charts/bitnami/kafka/Chart.yaml
+++ b/charts/bitnami/kafka/Chart.yaml
@@ -6,15 +6,15 @@ annotations: category: Infrastructure images: | - name: jmx-exporter - image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r2 + image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r3 - name: kafka-exporter - image: docker.io/bitnami/kafka-exporter:1.7.0-debian-11-r134 + image: docker.io/bitnami/kafka-exporter:1.7.0-debian-11-r136 - name: kafka - image: docker.io/bitnami/kafka:3.6.1-debian-11-r0 + image: docker.io/bitnami/kafka:3.6.1-debian-11-r1 - name: kubectl - image: docker.io/bitnami/kubectl:1.29.0-debian-11-r0 + image: docker.io/bitnami/kubectl:1.29.0-debian-11-r2 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r92 + image: docker.io/bitnami/os-shell:11-debian-11-r94 licenses: Apache-2.0 apiVersion: v2 appVersion: 3.6.1 @@ -45,4 +45,4 @@ maintainers: name: kafka sources: - https://github.com/bitnami/charts/tree/main/bitnami/kafka -version: 26.6.3 +version: 26.8.0 diff --git a/charts/bitnami/kafka/README.md b/charts/bitnami/kafka/README.md index 5bb0d503b..684ed86dd 100644 --- a/charts/bitnami/kafka/README.md +++ b/charts/bitnami/kafka/README.md 
@@ -231,9 +231,13 @@ The command removes all the Kubernetes components associated with the chart and
 | `controller.resources.limits` | The resources limits for the container | `{}` |
 | `controller.resources.requests` | The requested resources for the container | `{}` |
 | `controller.podSecurityContext.enabled` | Enable security context for the pods | `true` |
+| `controller.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `controller.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `controller.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `controller.podSecurityContext.fsGroup` | Set Kafka pod's Security Context fsGroup | `1001` |
 | `controller.podSecurityContext.seccompProfile.type` | Set Kafka pods's Security Context seccomp profile | `RuntimeDefault` |
 | `controller.containerSecurityContext.enabled` | Enable Kafka containers' Security Context | `true` |
+| `controller.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `controller.containerSecurityContext.runAsUser` | Set Kafka containers' Security Context runAsUser | `1001` |
 | `controller.containerSecurityContext.runAsNonRoot` | Set Kafka containers' Security Context runAsNonRoot | `true` |
 | `controller.containerSecurityContext.allowPrivilegeEscalation` | Force the child process to be run as non-privileged | `false` |
@@ -332,9 +336,13 @@ The command removes all the Kubernetes components associated with the chart and
 | `broker.resources.limits` | The resources limits for the container | `{}` |
 | `broker.resources.requests` | The requested resources for the container | `{}` |
 | `broker.podSecurityContext.enabled` | Enable security context for the pods | `true` |
+| `broker.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `broker.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `broker.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `broker.podSecurityContext.fsGroup` | Set Kafka pod's Security Context fsGroup | `1001` |
 | `broker.podSecurityContext.seccompProfile.type` | Set Kafka pod's Security Context seccomp profile | `RuntimeDefault` |
 | `broker.containerSecurityContext.enabled` | Enable Kafka containers' Security Context | `true` |
+| `broker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `broker.containerSecurityContext.runAsUser` | Set Kafka containers' Security Context runAsUser | `1001` |
 | `broker.containerSecurityContext.runAsNonRoot` | Set Kafka containers' Security Context runAsNonRoot | `true` |
 | `broker.containerSecurityContext.allowPrivilegeEscalation` | Force the child process to be run as non-privileged | `false` |
@@ -404,6 +412,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `service.clusterIP` | Kafka service Cluster IP | `""` |
 | `service.loadBalancerIP` | Kafka service Load Balancer IP | `""` |
 | `service.loadBalancerSourceRanges` | Kafka service Load Balancer sources | `[]` |
+| `service.allocateLoadBalancerNodePorts` | Whether to allocate node ports when service type is LoadBalancer | `true` |
 | `service.externalTrafficPolicy` | Kafka service external traffic policy | `Cluster` |
 | `service.annotations` | Additional custom annotations for Kafka service | `{}` |
 | `service.headless.controller.annotations` | Annotations for the controller-eligible headless service. | `{}` |
@@ -420,6 +429,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `externalAccess.autoDiscovery.resources.limits` | The resources limits for the auto-discovery init container | `{}` |
 | `externalAccess.autoDiscovery.resources.requests` | The requested resources for the auto-discovery init container | `{}` |
 | `externalAccess.autoDiscovery.containerSecurityContext.enabled` | Enable Kafka auto-discovery containers' Security Context | `true` |
+| `externalAccess.autoDiscovery.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `externalAccess.autoDiscovery.containerSecurityContext.runAsUser` | Set Kafka auto-discovery containers' Security Context runAsUser | `1001` |
 | `externalAccess.autoDiscovery.containerSecurityContext.runAsNonRoot` | Set Kafka auto-discovery containers' Security Context runAsNonRoot | `true` |
 | `externalAccess.autoDiscovery.containerSecurityContext.allowPrivilegeEscalation` | Set Kafka auto-discovery containers' Security Context allowPrivilegeEscalation | `false` |
@@ -433,6 +443,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `externalAccess.controller.service.loadBalancerNames` | Array of load balancer Names for each Kafka broker. Length must be the same as replicaCount | `[]` |
 | `externalAccess.controller.service.loadBalancerAnnotations` | Array of load balancer annotations for each Kafka broker. Length must be the same as replicaCount | `[]` |
 | `externalAccess.controller.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` |
+| `externalAccess.controller.service.allocateLoadBalancerNodePorts` | Whether to allocate node ports when service type is LoadBalancer | `true` |
 | `externalAccess.controller.service.nodePorts` | Array of node ports used for each Kafka broker. Length must be the same as replicaCount | `[]` |
 | `externalAccess.controller.service.externalIPs` | Use distinct service host IPs to configure Kafka external listener when service type is NodePort. Length must be the same as replicaCount | `[]` |
 | `externalAccess.controller.service.useHostIPs` | Use service host IPs to configure Kafka external listener when service type is NodePort | `false` |
@@ -448,6 +459,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `externalAccess.broker.service.loadBalancerNames` | Array of load balancer Names for each Kafka broker. Length must be the same as replicaCount | `[]` |
 | `externalAccess.broker.service.loadBalancerAnnotations` | Array of load balancer annotations for each Kafka broker. Length must be the same as replicaCount | `[]` |
 | `externalAccess.broker.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` |
+| `externalAccess.broker.service.allocateLoadBalancerNodePorts` | Whether to allocate node ports when service type is LoadBalancer | `true` |
 | `externalAccess.broker.service.nodePorts` | Array of node ports used for each Kafka broker. Length must be the same as replicaCount | `[]` |
 | `externalAccess.broker.service.externalIPs` | Use distinct service host IPs to configure Kafka external listener when service type is NodePort. Length must be the same as replicaCount | `[]` |
 | `externalAccess.broker.service.useHostIPs` | Use service host IPs to configure Kafka external listener when service type is NodePort | `false` |
@@ -465,17 +477,18 @@ The command removes all the Kubernetes components associated with the chart and ### Volume Permissions parameters -| Name | Description | Value | -| ------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | -| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | -| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | -| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | +| Name | Description | Value | +| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | Init container 
volume-permissions image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | +| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | +| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | ### Other Parameters 
@@ -530,9 +543,13 @@ The command removes all the Kubernetes components associated with the chart and
 | `metrics.kafka.resources.limits` | The resources limits for the container | `{}` |
 | `metrics.kafka.resources.requests` | The requested resources for the container | `{}` |
 | `metrics.kafka.podSecurityContext.enabled` | Enable security context for the pods | `true` |
+| `metrics.kafka.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `metrics.kafka.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `metrics.kafka.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `metrics.kafka.podSecurityContext.fsGroup` | Set Kafka exporter pod's Security Context fsGroup | `1001` |
 | `metrics.kafka.podSecurityContext.seccompProfile.type` | Set Kafka exporter pod's Security Context seccomp profile | `RuntimeDefault` |
 | `metrics.kafka.containerSecurityContext.enabled` | Enable Kafka exporter containers' Security Context | `true` |
+| `metrics.kafka.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `metrics.kafka.containerSecurityContext.runAsUser` | Set Kafka exporter containers' Security Context runAsUser | `1001` |
 | `metrics.kafka.containerSecurityContext.runAsNonRoot` | Set Kafka exporter containers' Security Context runAsNonRoot | `true` |
 | `metrics.kafka.containerSecurityContext.allowPrivilegeEscalation` | Set Kafka exporter containers' Security Context allowPrivilegeEscalation | `false` |
@@ -572,6 +589,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `metrics.jmx.image.pullPolicy` | JMX exporter image pull policy | `IfNotPresent` |
 | `metrics.jmx.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
 | `metrics.jmx.containerSecurityContext.enabled` | Enable Prometheus JMX exporter containers' Security Context | `true` |
+| `metrics.jmx.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `metrics.jmx.containerSecurityContext.runAsUser` | Set Prometheus JMX exporter containers' Security Context runAsUser | `1001` |
 | `metrics.jmx.containerSecurityContext.runAsNonRoot` | Set Prometheus JMX exporter containers' Security Context runAsNonRoot | `true` |
 | `metrics.jmx.containerSecurityContext.allowPrivilegeEscalation` | Set Prometheus JMX exporter containers' Security Context allowPrivilegeEscalation | `false` |
@@ -644,9 +662,13 @@ The command removes all the Kubernetes components associated with the chart and
 | `provisioning.resources.limits` | The resources limits for the Kafka provisioning container | `{}` |
 | `provisioning.resources.requests` | The requested resources for the Kafka provisioning container | `{}` |
 | `provisioning.podSecurityContext.enabled` | Enable security context for the pods | `true` |
+| `provisioning.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `provisioning.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `provisioning.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `provisioning.podSecurityContext.fsGroup` | Set Kafka provisioning pod's Security Context fsGroup | `1001` |
 | `provisioning.podSecurityContext.seccompProfile.type` | Set Kafka provisioning pod's Security Context seccomp profile | `RuntimeDefault` |
 | `provisioning.containerSecurityContext.enabled` | Enable Kafka provisioning containers' Security Context | `true` |
+| `provisioning.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `provisioning.containerSecurityContext.runAsUser` | Set Kafka provisioning containers' Security Context runAsUser | `1001` |
 | `provisioning.containerSecurityContext.runAsNonRoot` | Set Kafka provisioning containers' Security Context runAsNonRoot | `true` |
 | `provisioning.containerSecurityContext.allowPrivilegeEscalation` | Set Kafka provisioning containers' Security Context allowPrivilegeEscalation | `false` |
@@ -1476,4 +1498,4 @@ Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
-limitations under the License.
\ No newline at end of file
+limitations under the License.
diff --git a/charts/bitnami/kafka/charts/zookeeper/Chart.lock b/charts/bitnami/kafka/charts/zookeeper/Chart.lock
index a372b3855..b17a2237d 100644
--- a/charts/bitnami/kafka/charts/zookeeper/Chart.lock
+++ b/charts/bitnami/kafka/charts/zookeeper/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.13.3
-digest: sha256:9a971689db0c66ea95ac2e911c05014c2b96c6077c991131ff84f2982f88fb83
-generated: "2023-11-08T15:19:54.720987032Z"
+ version: 2.14.1
+digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3
+generated: "2024-01-01T00:08:42.872982603Z"
diff --git a/charts/bitnami/kafka/charts/zookeeper/Chart.yaml b/charts/bitnami/kafka/charts/zookeeper/Chart.yaml
index 6a75e04fc..cc3510b49 100644
--- a/charts/bitnami/kafka/charts/zookeeper/Chart.yaml
+++ b/charts/bitnami/kafka/charts/zookeeper/Chart.yaml
@@ -2,9 +2,9 @@ annotations:
 category: Infrastructure
 images: |
 - name: os-shell
- image: docker.io/bitnami/os-shell:11-debian-11-r91
+ image: docker.io/bitnami/os-shell:11-debian-11-r93
 - name: zookeeper
- image: docker.io/bitnami/zookeeper:3.9.1-debian-11-r2
+ image: docker.io/bitnami/zookeeper:3.9.1-debian-11-r5
 licenses: Apache-2.0
 apiVersion: v2
 appVersion: 3.9.1
@@ -26,4 +26,4 @@ maintainers:
 name: zookeeper
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/zookeeper
-version: 12.4.0
+version: 12.5.0
diff --git a/charts/bitnami/kafka/charts/zookeeper/README.md b/charts/bitnami/kafka/charts/zookeeper/README.md
index 22f0b9122..3f50dee51 100644
--- a/charts/bitnami/kafka/charts/zookeeper/README.md
+++ b/charts/bitnami/kafka/charts/zookeeper/README.md
@@ -111,8 +111,8 @@ The command removes all the Kubernetes components associated with the chart and
 | `fourlwCommandsWhitelist` | A list of comma separated Four Letter Words commands that can be executed | `srvr, mntr, ruok` |
 | `minServerId` | Minimal SERVER_ID value, nodes increment their IDs respectively | `1` |
 | `listenOnAllIPs` | Allow ZooKeeper to listen for connections from its peers on all available IP addresses | `false` |
-| `autopurge.snapRetainCount` | The most recent snapshots amount (and corresponding transaction logs) to retain | `3` |
-| `autopurge.purgeInterval` | The time interval (in hours) for which the purge task has to be triggered | `0` |
+| `autopurge.snapRetainCount` | The most recent snapshots amount (and corresponding transaction logs) to retain | `10` |
+| `autopurge.purgeInterval` | The time interval (in hours) for which the purge task has to be triggered | `1` |
 | `logLevel` | Log level for the ZooKeeper server. ERROR by default | `ERROR` |
 | `jvmFlags` | Default JVM flags for the ZooKeeper process | `""` |
 | `dataLogDir` | Dedicated data log directory | `""` |
@@ -161,8 +161,12 @@ The command removes all the Kubernetes components associated with the chart and
 | `resources.requests.memory` | The requested memory for the ZooKeeper containers | `256Mi` |
 | `resources.requests.cpu` | The requested cpu for the ZooKeeper containers | `250m` |
 | `podSecurityContext.enabled` | Enabled ZooKeeper pods' Security Context | `true` |
+| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `podSecurityContext.fsGroup` | Set ZooKeeper pod's Security Context fsGroup | `1001` |
 | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
 | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -228,9 +232,9 @@ The command removes all the Kubernetes components associated with the chart and
 | Name | Description | Value |
 | --------------------------------------------- | ---------------------------------------------------------------------- | ------- |
-| `serviceAccount.create` | Enable creation of ServiceAccount for ZooKeeper pod | `false` |
+| `serviceAccount.create` | Enable creation of ServiceAccount for ZooKeeper pod | `true` |
 | `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
-| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` |
+| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
 | `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
 ### Persistence parameters
@@ -251,18 +255,19 @@ The command removes all the Kubernetes components associated with the chart and ### Volume Permissions parameters -| Name | Description | Value | -| ------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | -| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | -| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | -| `volumePermissions.containerSecurityContext.enabled` | Enabled init container Security Context | `true` | -| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | +| Name | Description | Value | +| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | +| `volumePermissions.image.registry` | Init container 
volume-permissions image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | +| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | +| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | +| `volumePermissions.containerSecurityContext.enabled` | Enabled init container Security Context | `true` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | ### Metrics parameters @@ -346,7 +351,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/zooke ## Configuration and installation details -### [Rolling vs Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. 
@@ -523,7 +528,7 @@ kubectl delete statefulset zookeeper-zookeeper --cascade=false
 ## License
-Copyright © 2023 VMware, Inc.
+Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/charts/bitnami/kafka/charts/zookeeper/charts/common/Chart.yaml b/charts/bitnami/kafka/charts/zookeeper/charts/common/Chart.yaml
index 40cd22d77..9a6aa881f 100644
--- a/charts/bitnami/kafka/charts/zookeeper/charts/common/Chart.yaml
+++ b/charts/bitnami/kafka/charts/zookeeper/charts/common/Chart.yaml
@@ -2,7 +2,7 @@ annotations:
 category: Infrastructure
 licenses: Apache-2.0
 apiVersion: v2
-appVersion: 2.13.3
+appVersion: 2.14.1
 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself.
 home: https://bitnami.com
@@ -20,4 +20,4 @@ name: common
 sources:
 - https://github.com/bitnami/charts
 type: library
-version: 2.13.3
+version: 2.14.1
diff --git a/charts/bitnami/kafka/charts/zookeeper/charts/common/README.md b/charts/bitnami/kafka/charts/zookeeper/charts/common/README.md
index 80da4cc2f..a76fa46a2 100644
--- a/charts/bitnami/kafka/charts/zookeeper/charts/common/README.md
+++ b/charts/bitnami/kafka/charts/zookeeper/charts/common/README.md
@@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ diff --git a/charts/bitnami/kafka/charts/zookeeper/charts/common/templates/_secrets.tpl b/charts/bitnami/kafka/charts/zookeeper/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/bitnami/kafka/charts/zookeeper/charts/common/templates/_secrets.tpl +++ b/charts/bitnami/kafka/charts/zookeeper/charts/common/templates/_secrets.tpl @@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) 
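Review bot: The new `skipB64enc` line in the _secrets.tpl parameter list reads "no the secret will not be base64 encrypted", which has a stray word and calls base64 encryption; base64 is a reversible encoding with no confidentiality, and labelling it as encryption invites operators to treat the stored value as protected. Suggest `- skipB64enc - Boolean - Optional - Default to false. If set to true, the secret will not be base64 encoded.` The `skipQuote` line is fine as written. This hunk is inside the comment block that precedes the define; the function body starts in the next hunk.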
@@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} @@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} 
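Review bot: In the `@@ -99` hunk, when the existing Secret has no `.key`, `.failOnNew` is `false` and `$providedPasswordValue` is unset, no branch assigns `$password`, so the function continues with the empty string and, in the following hunk, encodes and emits it; the random-generation path is only reached from the outer `else`, i.e. when no Secret exists at all. The previous code could never take this path because `default true .failOnNew` was always true, so this commit turns a hard failure into an empty password silently written into the Secret. Either let this case fall through to the same provided/generated chain the no-Secret case uses, or fail explicitly by adding `{{- else -}}` and `{{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\" and no value was provided\n" .secret .key | fail -}}` before the inner `{{- end -}}`. The rest of the function (encoding and output) is in the next hunk.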
@@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/charts/bitnami/kafka/charts/zookeeper/templates/statefulset.yaml b/charts/bitnami/kafka/charts/zookeeper/templates/statefulset.yaml index b4bdfceee..0aa6ffa34 100644 --- a/charts/bitnami/kafka/charts/zookeeper/templates/statefulset.yaml +++ b/charts/bitnami/kafka/charts/zookeeper/templates/statefulset.yaml 
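Review bot: When `skipQuote` and `skipB64enc` are both set, the final `printf "%s" $password` emits the raw value unquoted and unencoded; the generated strong password can begin with `@` after `shuffle` (the `\W` → `@` replacement and the `_`-joined prefix are the only non-alphanumerics it contains), and `@` is a reserved indicator that cannot start a plain YAML scalar, while a `$providedPasswordValue` is arbitrary user input. A caller that splices this output directly into a manifest can therefore produce an unparseable Secret, or a truncated value if a provided password contains `#` or `: `. Suggest recording the constraint in the parameter list, e.g. `- skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret; the caller must then quote or otherwise escape the value itself.` The parameter list and the start of the define are in the preceding hunks.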
@@ -378,26 +378,20 @@ spec: {{- else if .Values.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled" "probeCommandTimeout") "context" $) | nindent 12 }} exec: - {{- if not .Values.service.disableBaseClientPort }} - command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.livenessProbe.probeCommandTimeout }} nc -w {{ .Values.livenessProbe.probeCommandTimeout }} -q 1 localhost {{ .Values.containerPorts.client }} | grep imok'] - {{- else if not .Values.tls.client.enabled }} - command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.livenessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.containerPorts.tls }} | grep imok'] - {{- else }} - command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.livenessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.containerPorts.tls }} -cert {{ .Values.service.tls.client_cert_pem_path }} -key {{ .Values.service.tls.client_key_pem_path }} | grep imok'] - {{- end }} + command: + - /bin/bash + - -ec + - ZOO_HC_TIMEOUT={{ .Values.livenessProbe.probeCommandTimeout }} /opt/bitnami/scripts/zookeeper/healthcheck.sh {{- end }} {{- if .Values.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} {{- else if .Values.readinessProbe.enabled }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled" "probeCommandTimeout") "context" $) | nindent 12 }} exec: - {{- if not .Values.service.disableBaseClientPort }} - command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.readinessProbe.probeCommandTimeout }} nc -w {{ .Values.readinessProbe.probeCommandTimeout }} -q 1 localhost {{ .Values.containerPorts.client }} | grep imok'] - {{- else if not .Values.tls.client.enabled }} - command: ['/bin/bash', '-c', 'echo "ruok" | timeout 
{{ .Values.readinessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.containerPorts.tls }} | grep imok'] - {{- else }} - command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.readinessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.containerPorts.tls }} -cert {{ .Values.service.tls.client_cert_pem_path }} -key {{ .Values.service.tls.client_key_pem_path }} | grep imok'] - {{- end }} + command: + - /bin/bash + - -ec + - ZOO_HC_TIMEOUT={{ .Values.readinessProbe.probeCommandTimeout }} /opt/bitnami/scripts/zookeeper/healthcheck.sh {{- end }} {{- if .Values.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} diff --git a/charts/bitnami/kafka/charts/zookeeper/values.yaml b/charts/bitnami/kafka/charts/zookeeper/values.yaml index 77ae8912f..9d06d661f 100644 --- a/charts/bitnami/kafka/charts/zookeeper/values.yaml +++ b/charts/bitnami/kafka/charts/zookeeper/values.yaml @@ -79,11 +79,11 @@ diagnosticMode: image: registry: docker.io repository: bitnami/zookeeper - tag: 3.9.1-debian-11-r2 + tag: 3.9.1-debian-11-r5 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
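Review bot: The liveness and readiness probes now delegate to `/opt/bitnami/scripts/zookeeper/healthcheck.sh` with only `ZOO_HC_TIMEOUT` passed in, so `.Values.service.disableBaseClientPort`, `.Values.tls.client.enabled`, `.Values.containerPorts.tls` and the `service.tls.client_cert_pem_path`/`client_key_pem_path` values that previously selected between the plaintext `nc` check and the `openssl s_client` (optionally mutual-TLS) check no longer reach the probe from this template. Presumably the script derives the same choice from the container environment, but that is not visible in this diff; if it only performs the plaintext check, TLS-only deployments (`disableBaseClientPort: true`) will fail their probes after upgrading. Worth a one-line comment above each `exec:` such as `# plaintext/TLS/mTLS selection now happens inside healthcheck.sh; ZOO_HC_TIMEOUT is the only chart-controlled input`, plus an upgrade note, since the image tag bump to `3.9.1-debian-11-r5` appears to be what ships the script. The enclosing container spec starts before the hunk.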
@@ -185,11 +185,11 @@ listenOnAllIPs: false autopurge: ## @param autopurge.snapRetainCount The most recent snapshots amount (and corresponding transaction logs) to retain ## - snapRetainCount: 3 + snapRetainCount: 10 ## @param autopurge.purgeInterval The time interval (in hours) for which the purge task has to be triggered - ## Set to a positive integer to enable the auto purging + ## Set to a positive integer to enable the auto purging. Set to 0 to disable auto purging. ## - purgeInterval: 0 + purgeInterval: 1 ## @param logLevel Log level for the ZooKeeper server. ERROR by default ## Have in mind if you set it to INFO or WARN the ReadinessProve will produce a lot of logs ## @@ -312,7 +312,7 @@ customStartupProbe: {} ## lifecycleHooks: {} ## ZooKeeper resource requests and limits -## ref: https://kubernetes.io/docs/user-guide/compute-resources/ +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param resources.limits The resources limits for the ZooKeeper containers ## @param resources.requests.memory The requested memory for the ZooKeeper containers ## @param resources.requests.cpu The requested cpu for the ZooKeeper containers 
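Review bot: Changing `purgeInterval` from `0` to `1` turns ZooKeeper's autopurge on by default, and `snapRetainCount` from `3` to `10` changes how much history is retained, so an existing release that never set these keys will start deleting old snapshots and transaction logs hourly after upgrading; neither `@param` comment records that the defaults changed. Suggest an entry in the README upgrade section and extending the comment, e.g. `## Set to a positive integer to enable the auto purging. Set to 0 to disable auto purging. Enabled by default (hourly) since chart version <VERSION-PLACEHOLDER>.`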
@@ -325,14 +325,21 @@ resources: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param podSecurityContext.enabled Enabled ZooKeeper pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups ## @param podSecurityContext.fsGroup Set ZooKeeper pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param containerSecurityContext.privileged Set container's Security Context privileged @@ -343,6 +350,7 @@ podSecurityContext: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -397,7 +405,7 @@ nodeAffinityPreset: ## affinity: {} ## @param nodeSelector Node labels for pod assignment -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param tolerations Tolerations for pod assignment 
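Review bot: `podSecurityContext.sysctls` is exposed as a new pod-level value without noting that only the kubelet's safe sysctl set (`kernel.shm_rmid_forced`, `net.ipv4.ip_local_port_range`, `net.ipv4.tcp_syncookies`, ...) is accepted out of the box; anything else must be on the node's allowed-unsafe-sysctls list or the pod is rejected, and operators will see a scheduling failure with no hint in the chart docs. Suggest `## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface (unsafe sysctls must be allowlisted on the kubelet)`. Whether the statefulset template actually renders `fsGroupChangePolicy`, `sysctls`, `supplementalGroups` and `seLinuxOptions` is not visible in this diff; if it still emits only `fsGroup`/`runAsUser`, the new keys are dead values. The same additions appear in the kafka values.yaml hunks for `controller`, `broker`, `metrics.kafka` and `provisioning`, and `seLinuxOptions` in the `externalAccess.autoDiscovery`, `metrics.jmx` and `volumePermissions` container contexts.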
@@ -542,7 +550,7 @@ service: disableBaseClientPort: false ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity @@ -557,7 +565,7 @@ service: ## clusterIP: "" ## @param service.loadBalancerIP ZooKeeper service Load Balancer IP - ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer ## loadBalancerIP: "" ## @param service.loadBalancerSourceRanges ZooKeeper service Load Balancer sources @@ -606,7 +614,7 @@ networkPolicy: serviceAccount: ## @param serviceAccount.create Enable creation of ServiceAccount for ZooKeeper pod ## - create: false + create: true ## @param serviceAccount.name The name of the ServiceAccount to use. ## If not set and create is true, a name is generated using the common.names.fullname template ## @@ -614,7 +622,7 @@ serviceAccount: ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created ## Can be set to false if pods using this serviceAccount do not need to use K8s API ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} @@ -622,7 +630,7 @@ serviceAccount: ## @section Persistence parameters ## Enable persistence using Persistent Volume Claims -## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ +## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param persistence.enabled Enable ZooKeeper data persistence using PVC. If false, use emptyDir 
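Review bot: With `automountServiceAccountToken` now defaulting to `false`, the comment `Can be set to false if pods using this serviceAccount do not need to use K8s API` describes the old default and reads backwards; suggest `## Set to true only if the ZooKeeper pods need to call the Kubernetes API`. Note that this field on the ServiceAccount is only the fallback: a pod-spec `automountServiceAccountToken` overrides it, so if the statefulset template sets that field (not visible here) the SA-level default has no effect. Flipping `serviceAccount.create` to `true` also means an upgraded release that relied on the namespace `default` SA now gets a dedicated SA named by the fullname template, which is an improvement but deserves a line in the upgrade notes.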
@@ -700,7 +708,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r93 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -712,7 +720,7 @@ volumePermissions: ## pullSecrets: [] ## Init container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param volumePermissions.resources.limits Init container volume-permissions resource limits ## @param volumePermissions.resources.requests Init container volume-permissions resource requests ## @@ -723,10 +731,12 @@ volumePermissions: ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser ## @param volumePermissions.containerSecurityContext.enabled Enabled init container Security Context + ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 0 ## @section Metrics parameters @@ -910,7 +920,7 @@ tls: ## truststorePassword: "" ## Init container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param tls.resources.limits The resources limits for the TLS init container ## @param tls.resources.requests The requested resources for the TLS init container ## diff --git a/charts/bitnami/kafka/templates/broker/svc-external-access.yaml b/charts/bitnami/kafka/templates/broker/svc-external-access.yaml index 3b4367d85..df286dfe5 100644 --- a/charts/bitnami/kafka/templates/broker/svc-external-access.yaml 
+++ b/charts/bitnami/kafka/templates/broker/svc-external-access.yaml
@@ -30,6 +30,7 @@ metadata:
 spec:
 type: {{ $.Values.externalAccess.broker.service.type }}
 {{- if eq $.Values.externalAccess.broker.service.type "LoadBalancer" }}
+ allocateLoadBalancerNodePorts: {{ $.Values.externalAccess.broker.service.allocateLoadBalancerNodePorts }}
 {{- if and (not (empty $.Values.externalAccess.broker.service.loadBalancerIPs)) (eq (len $.Values.externalAccess.broker.service.loadBalancerIPs) $replicaCount) }}
 loadBalancerIP: {{ index $.Values.externalAccess.broker.service.loadBalancerIPs $i }}
 {{- end }}
diff --git a/charts/bitnami/kafka/templates/controller-eligible/svc-external-access.yaml b/charts/bitnami/kafka/templates/controller-eligible/svc-external-access.yaml
index 68f9854c7..4bdb65a62 100644
--- a/charts/bitnami/kafka/templates/controller-eligible/svc-external-access.yaml
+++ b/charts/bitnami/kafka/templates/controller-eligible/svc-external-access.yaml
@@ -31,6 +31,7 @@ metadata:
 spec:
 type: {{ $.Values.externalAccess.controller.service.type }}
 {{- if eq $.Values.externalAccess.controller.service.type "LoadBalancer" }}
+ allocateLoadBalancerNodePorts: {{ $.Values.externalAccess.controller.service.allocateLoadBalancerNodePorts }}
 {{- if and (not (empty $.Values.externalAccess.controller.service.loadBalancerIPs)) (eq (len $.Values.externalAccess.controller.service.loadBalancerIPs) $replicaCount) }}
 loadBalancerIP: {{ index $.Values.externalAccess.controller.service.loadBalancerIPs $i }}
 {{- end }}
diff --git a/charts/bitnami/kafka/templates/svc.yaml b/charts/bitnami/kafka/templates/svc.yaml
index a37ba6274..9f0b0b38f 100644
--- a/charts/bitnami/kafka/templates/svc.yaml
+++ b/charts/bitnami/kafka/templates/svc.yaml
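Review bot: `allocateLoadBalancerNodePorts` is rendered unconditionally inside the `LoadBalancer` branch, but the field only exists where the ServiceLBNodePortControl feature is available (beta and enabled by default from Kubernetes 1.22, GA in 1.24); on older API servers the unknown field is, as far as I recall, silently dropped or rejected under strict field validation. If the chart's `kubeVersion` constraint in Chart.yaml (not in this diff) does not already require 1.22+, guard the line with a version check such as `{{- if semverCompare ">=1.22-0" (include "common.capabilities.kubeVersion" $) }}` ... `{{- end }}`. The same applies to the controller-eligible hunk below and to the `svc.yaml` hunk that follows.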
@@ -22,12 +22,15 @@ spec:
 {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }}
 externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
 {{- end }}
- {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerSourceRanges)) }}
+ {{- if (eq .Values.service.type "LoadBalancer") }}
+ allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
+ {{- if (not (empty .Values.service.loadBalancerSourceRanges)) }}
 loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }}
 {{- end }}
- {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP)) }}
+ {{- if (not (empty .Values.service.loadBalancerIP)) }}
 loadBalancerIP: {{ .Values.service.loadBalancerIP }}
 {{- end }}
+ {{- end }}
 {{- if .Values.service.sessionAffinity }}
 sessionAffinity: {{ .Values.service.sessionAffinity }}
 {{- end }}
diff --git a/charts/bitnami/kafka/values.yaml b/charts/bitnami/kafka/values.yaml
index 7b1c6b3cd..210962554 100644
--- a/charts/bitnami/kafka/values.yaml
+++ b/charts/bitnami/kafka/values.yaml
@@ -80,7 +80,7 @@ diagnosticMode:
 image:
 registry: docker.io
 repository: bitnami/kafka
- tag: 3.6.1-debian-11-r0
+ tag: 3.6.1-debian-11-r1
 digest: ""
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
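Review bot: Style: the new conditions wrap a single pipeline in parentheses, `{{- if (eq .Values.service.type "LoadBalancer") }}` and `{{- if (not (empty .Values.service.loadBalancerSourceRanges)) }}`, where the surrounding template only parenthesises nested calls (compare `{{- if or (eq ...) (eq ...) }}` two lines above). `{{- if eq .Values.service.type "LoadBalancer" }}` and `{{- if not (empty .Values.service.loadBalancerSourceRanges) }}` behave identically and match the rest of the file; the same applies to the `loadBalancerIP` condition. The nesting with the extra `{{- end }}` is otherwise correct.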
@@ -603,17 +603,24 @@ controller: ## Kafka pods' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param controller.podSecurityContext.enabled Enable security context for the pods + ## @param controller.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param controller.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param controller.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param controller.podSecurityContext.fsGroup Set Kafka pod's Security Context fsGroup ## @param controller.podSecurityContext.seccompProfile.type Set Kafka pods's Security Context seccomp profile ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 seccompProfile: type: "RuntimeDefault" ## Kafka containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param controller.containerSecurityContext.enabled Enable Kafka containers' Security Context + ## @param controller.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param controller.containerSecurityContext.runAsUser Set Kafka containers' Security Context runAsUser ## @param controller.containerSecurityContext.runAsNonRoot Set Kafka containers' Security Context runAsNonRoot ## @param controller.containerSecurityContext.allowPrivilegeEscalation Force the child process to be run as non-privileged @@ -628,6 +635,7 @@ controller: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true allowPrivilegeEscalation: false 
@@ -992,17 +1000,24 @@ broker: ## Kafka pods' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param broker.podSecurityContext.enabled Enable security context for the pods + ## @param broker.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param broker.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param broker.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param broker.podSecurityContext.fsGroup Set Kafka pod's Security Context fsGroup ## @param broker.podSecurityContext.seccompProfile.type Set Kafka pod's Security Context seccomp profile ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 seccompProfile: type: "RuntimeDefault" ## Kafka containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param broker.containerSecurityContext.enabled Enable Kafka containers' Security Context + ## @param broker.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param broker.containerSecurityContext.runAsUser Set Kafka containers' Security Context runAsUser ## @param broker.containerSecurityContext.runAsNonRoot Set Kafka containers' Security Context runAsNonRoot ## @param broker.containerSecurityContext.allowPrivilegeEscalation Force the child process to be run as non-privileged @@ -1017,6 +1032,7 @@ broker: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true allowPrivilegeEscalation: false 
@@ -1300,6 +1316,10 @@ service: ## - 10.10.10.0/24 ## loadBalancerSourceRanges: [] + ## @param service.allocateLoadBalancerNodePorts Whether to allocate node ports when service type is LoadBalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + ## + allocateLoadBalancerNodePorts: true ## @param service.externalTrafficPolicy Kafka service external traffic policy ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip ## @@ -1350,7 +1370,7 @@ externalAccess: image: registry: docker.io repository: bitnami/kubectl - tag: 1.29.0-debian-11-r0 + tag: 1.29.0-debian-11-r2 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1375,6 +1395,7 @@ externalAccess: ## Kafka provisioning containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param externalAccess.autoDiscovery.containerSecurityContext.enabled Enable Kafka auto-discovery containers' Security Context + ## @param externalAccess.autoDiscovery.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param externalAccess.autoDiscovery.containerSecurityContext.runAsUser Set Kafka auto-discovery containers' Security Context runAsUser ## @param externalAccess.autoDiscovery.containerSecurityContext.runAsNonRoot Set Kafka auto-discovery containers' Security Context runAsNonRoot ## @param externalAccess.autoDiscovery.containerSecurityContext.allowPrivilegeEscalation Set Kafka auto-discovery containers' Security Context allowPrivilegeEscalation @@ -1390,6 +1411,7 @@ externalAccess: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true allowPrivilegeEscalation: false 
@@ -1442,6 +1464,10 @@ externalAccess: ## - 10.10.10.0/24 ## loadBalancerSourceRanges: [] + ## @param externalAccess.controller.service.allocateLoadBalancerNodePorts Whether to allocate node ports when service type is LoadBalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + ## + allocateLoadBalancerNodePorts: true ## @param externalAccess.controller.service.nodePorts Array of node ports used for each Kafka broker. Length must be the same as replicaCount ## e.g: ## nodePorts: @@ -1520,6 +1546,10 @@ externalAccess: ## - 10.10.10.0/24 ## loadBalancerSourceRanges: [] + ## @param externalAccess.broker.service.allocateLoadBalancerNodePorts Whether to allocate node ports when service type is LoadBalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + ## + allocateLoadBalancerNodePorts: true ## @param externalAccess.broker.service.nodePorts Array of node ports used for each Kafka broker. Length must be the same as replicaCount ## e.g: ## nodePorts: @@ -1626,7 +1656,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r92 + tag: 11-debian-11-r94 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1648,9 +1678,11 @@ volumePermissions: ## Init container' Security Context ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser + ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container ## containerSecurityContext: + seLinuxOptions: {} runAsUser: 0 ## @section Other Parameters 
@@ -1708,7 +1740,7 @@ metrics: image: registry: docker.io repository: bitnami/kafka-exporter - tag: 1.7.0-debian-11-r134 + tag: 1.7.0-debian-11-r136 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1821,17 +1853,24 @@ metrics: ## Kafka exporter pods' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param metrics.kafka.podSecurityContext.enabled Enable security context for the pods + ## @param metrics.kafka.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param metrics.kafka.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param metrics.kafka.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param metrics.kafka.podSecurityContext.fsGroup Set Kafka exporter pod's Security Context fsGroup ## @param metrics.kafka.podSecurityContext.seccompProfile.type Set Kafka exporter pod's Security Context seccomp profile ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 seccompProfile: type: "RuntimeDefault" ## Kafka exporter containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.kafka.containerSecurityContext.enabled Enable Kafka exporter containers' Security Context + ## @param metrics.kafka.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param metrics.kafka.containerSecurityContext.runAsUser Set Kafka exporter containers' Security Context runAsUser ## @param metrics.kafka.containerSecurityContext.runAsNonRoot Set Kafka exporter containers' Security Context runAsNonRoot ## @param metrics.kafka.containerSecurityContext.allowPrivilegeEscalation Set Kafka exporter containers' Security Context allowPrivilegeEscalation 
@@ -1846,6 +1885,7 @@ metrics: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true allowPrivilegeEscalation: false @@ -2016,7 +2056,7 @@ metrics: image: registry: docker.io repository: bitnami/jmx-exporter - tag: 0.20.0-debian-11-r2 + tag: 0.20.0-debian-11-r3 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -2033,6 +2073,7 @@ metrics: ## Prometheus JMX exporter containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.jmx.containerSecurityContext.enabled Enable Prometheus JMX exporter containers' Security Context + ## @param metrics.jmx.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param metrics.jmx.containerSecurityContext.runAsUser Set Prometheus JMX exporter containers' Security Context runAsUser ## @param metrics.jmx.containerSecurityContext.runAsNonRoot Set Prometheus JMX exporter containers' Security Context runAsNonRoot ## @param metrics.jmx.containerSecurityContext.allowPrivilegeEscalation Set Prometheus JMX exporter containers' Security Context allowPrivilegeEscalation @@ -2047,6 +2088,7 @@ metrics: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true allowPrivilegeEscalation: false 
@@ -2343,17 +2385,24 @@ provisioning: ## Kafka provisioning pods' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param provisioning.podSecurityContext.enabled Enable security context for the pods + ## @param provisioning.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param provisioning.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param provisioning.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param provisioning.podSecurityContext.fsGroup Set Kafka provisioning pod's Security Context fsGroup ## @param provisioning.podSecurityContext.seccompProfile.type Set Kafka provisioning pod's Security Context seccomp profile ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 seccompProfile: type: "RuntimeDefault" ## Kafka provisioning containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param provisioning.containerSecurityContext.enabled Enable Kafka provisioning containers' Security Context + ## @param provisioning.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param provisioning.containerSecurityContext.runAsUser Set Kafka provisioning containers' Security Context runAsUser ## @param provisioning.containerSecurityContext.runAsNonRoot Set Kafka provisioning containers' Security Context runAsNonRoot ## @param provisioning.containerSecurityContext.allowPrivilegeEscalation Set Kafka provisioning containers' Security Context allowPrivilegeEscalation @@ -2368,6 +2417,7 @@ provisioning: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true allowPrivilegeEscalation: false 
diff --git a/charts/bitnami/mariadb/Chart.yaml b/charts/bitnami/mariadb/Chart.yaml index aefa53103..db12ccaf9 100644 --- a/charts/bitnami/mariadb/Chart.yaml +++ b/charts/bitnami/mariadb/Chart.yaml @@ -6,11 +6,11 @@ annotations: category: Database images: | - name: mariadb - image: docker.io/bitnami/mariadb:11.2.2-debian-11-r1 + image: docker.io/bitnami/mariadb:11.2.2-debian-11-r3 - name: mysqld-exporter - image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r0 + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r2 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r92 + image: docker.io/bitnami/os-shell:11-debian-11-r94 licenses: Apache-2.0 apiVersion: v2 appVersion: 11.2.2 @@ -37,4 +37,4 @@ maintainers: name: mariadb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mariadb -version: 15.0.1 +version: 15.2.0 diff --git a/charts/bitnami/mariadb/README.md b/charts/bitnami/mariadb/README.md index c1e71d02e..37350bf2a 100644 --- a/charts/bitnami/mariadb/README.md +++ b/charts/bitnami/mariadb/README.md @@ -114,6 +114,7 @@ The command removes all the Kubernetes components associated with the chart and | `primary.command` | Override default container command on MariaDB Primary container(s) (useful when using custom images) | `[]` | | `primary.args` | Override default container args on MariaDB Primary container(s) (useful when using custom images) | `[]` | | `primary.lifecycleHooks` | for the MariaDB Primary container(s) to automate configuration before or after startup | `{}` | +| `primary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `primary.hostAliases` | Add deployment host aliases | `[]` | | `primary.configuration` | MariaDB Primary configuration to be injected as ConfigMap | `""` | | `primary.existingConfigmap` | Name of existing ConfigMap with MariaDB Primary configuration. | `""` | 
@@ -135,8 +136,12 @@ The command removes all the Kubernetes components associated with the chart and | `primary.priorityClassName` | Priority class for MariaDB primary pods assignment | `""` | | `primary.runtimeClassName` | Runtime Class for MariaDB primary pods | `""` | | `primary.podSecurityContext.enabled` | Enable security context for MariaDB primary pods | `true` | +| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | | `primary.containerSecurityContext.enabled` | MariaDB primary container securityContext | `true` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `primary.containerSecurityContext.runAsUser` | User ID for the MariaDB primary container | `1001` | | `primary.containerSecurityContext.runAsNonRoot` | Set primary container's Security Context runAsNonRoot | `true` | | `primary.containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` | 
@@ -210,6 +215,7 @@ The command removes all the Kubernetes components associated with the chart and | `secondary.command` | Override default container command on MariaDB Secondary container(s) (useful when using custom images) | `[]` | | `secondary.args` | Override default container args on MariaDB Secondary container(s) (useful when using custom images) | `[]` | | `secondary.lifecycleHooks` | for the MariaDB Secondary container(s) to automate configuration before or after startup | `{}` | +| `secondary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `secondary.hostAliases` | Add deployment host aliases | `[]` | | `secondary.configuration` | MariaDB Secondary configuration to be injected as ConfigMap | `""` | | `secondary.existingConfigmap` | Name of existing ConfigMap with MariaDB Secondary configuration. | `""` | 
@@ -231,8 +237,12 @@ The command removes all the Kubernetes components associated with the chart and | `secondary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | | `secondary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB secondary pods | `""` | | `secondary.podSecurityContext.enabled` | Enable security context for MariaDB secondary pods | `true` | +| `secondary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `secondary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `secondary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | | `secondary.containerSecurityContext.enabled` | MariaDB secondary container securityContext | `true` | +| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `secondary.containerSecurityContext.runAsUser` | User ID for the MariaDB secondary container | `1001` | | `secondary.containerSecurityContext.runAsNonRoot` | Set secondary container's Security Context runAsNonRoot | `true` | | `secondary.containerSecurityContext.privileged` | Set secondary container's Security Context privileged | `false` | 
@@ -333,6 +343,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.extraArgs` | Extra args to be passed to mysqld_exporter | `{}` | | `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB metrics container(s) | `{}` | | `metrics.containerSecurityContext.enabled` | Enable security context for MariaDB metrics container | `false` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `metrics.containerSecurityContext.runAsUser` | User ID for the MariaDB metrics container | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set metrics container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` | @@ -414,7 +425,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/maria ## Configuration and installation details -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. @@ -567,7 +578,7 @@ kubectl delete statefulset opencart-mariadb --cascade=false ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/mariadb/templates/primary/statefulset.yaml b/charts/bitnami/mariadb/templates/primary/statefulset.yaml index 4b1369b67..40d78eb9f 100644 --- a/charts/bitnami/mariadb/templates/primary/statefulset.yaml 
+++ b/charts/bitnami/mariadb/templates/primary/statefulset.yaml
@@ -37,6 +37,7 @@ spec:
 app.kubernetes.io/component: primary
 spec:
 {{- include "mariadb.imagePullSecrets" . | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.primary.automountServiceAccountToken }}
 {{- if .Values.primary.hostAliases }}
 hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }}
 {{- end }}
diff --git a/charts/bitnami/mariadb/templates/secondary/statefulset.yaml b/charts/bitnami/mariadb/templates/secondary/statefulset.yaml
index 82d4de9dd..7419178cb 100644
--- a/charts/bitnami/mariadb/templates/secondary/statefulset.yaml
+++ b/charts/bitnami/mariadb/templates/secondary/statefulset.yaml
@@ -43,6 +43,7 @@ spec:
 schedulerName: {{ (coalesce .Values.secondary.schedulerName .Values.schedulerName) | quote }}
 {{- end }}
 serviceAccountName: {{ template "mariadb.serviceAccountName" . }}
+ automountServiceAccountToken: {{ .Values.secondary.automountServiceAccountToken }}
 {{- if .Values.secondary.hostAliases }}
 hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.hostAliases "context" $) | nindent 8 }}
 {{- end }}
diff --git a/charts/bitnami/mariadb/values.yaml b/charts/bitnami/mariadb/values.yaml
index feda971a7..dac39b648 100644
--- a/charts/bitnami/mariadb/values.yaml
+++ b/charts/bitnami/mariadb/values.yaml
@@ -90,11 +90,11 @@ serviceBindings:
 image:
 registry: docker.io
 repository: bitnami/mariadb
- tag: 11.2.2-debian-11-r1
+ tag: 11.2.2-debian-11-r3
 digest: ""
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
 ##
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
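Review bot: The `automountServiceAccountToken` line added to the pod spec takes precedence over the same field on the ServiceAccount, so with the new `false` default (see the `values.yaml` hunk later in this diff) an upgraded release stops receiving a projected token even where the ServiceAccount previously allowed the mount; that is a good hardening default but it is a behaviour change that the commit does not call out anywhere. I would add an "Upgrading" entry in the chart README stating that the pod-level field now defaults to `false` and must be set to `true` for any container that needs in-cluster API access. The mysql README in this same diff shows the ServiceAccount-level default also moving from `true` to `false`, which makes the upgrade note more important there. The same line is added to the mariadb secondary statefulset in this group and to both mysql statefulsets further down (`@@ -41,6 +41,7 @@ spec:` and `@@ -42,6 +42,7 @@ spec:`).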
@@ -185,6 +185,9 @@ primary:
 ## @param primary.lifecycleHooks for the MariaDB Primary container(s) to automate configuration before or after startup
 ##
 lifecycleHooks: {}
+ ## @param primary.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: false
 ## @param primary.hostAliases Add deployment host aliases
 ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
 ##
@@ -278,7 +281,7 @@ primary:
 ##
 affinity: {}
 ## @param primary.nodeSelector Node labels for MariaDB primary pods assignment
- ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
 ##
 nodeSelector: {}
 ## @param primary.tolerations Tolerations for MariaDB primary pods assignment
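Review bot: `## @param primary.automountServiceAccountToken Mount Service Account token in pod` does not say that this is the pod-level field, which wins over the ServiceAccount's own `automountServiceAccountToken`, so a user who only toggles the ServiceAccount setting will not see why no token appears in the pod. I would reword it to `## @param primary.automountServiceAccountToken Mount Service Account token in pod (pod-level field; overrides the ServiceAccount setting, set to true only when a container needs in-cluster API access)`, which the README generator will then carry into the parameter table. The secondary counterpart (`@@ -589,6 +600,9 @@ secondary:`) and the mysql primary hunk at the end of this chunk use the identical wording and would take the same change.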
@@ -313,14 +316,21 @@ primary:
 ## MariaDB primary Pod security context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param primary.podSecurityContext.enabled Enable security context for MariaDB primary pods
+ ## @param primary.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param primary.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param primary.podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param primary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem
 ##
 podSecurityContext:
 enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
 fsGroup: 1001
 ## MariaDB primary container security context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param primary.containerSecurityContext.enabled MariaDB primary container securityContext
+ ## @param primary.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param primary.containerSecurityContext.runAsUser User ID for the MariaDB primary container
 ## @param primary.containerSecurityContext.runAsNonRoot Set primary container's Security Context runAsNonRoot
 ## @param primary.containerSecurityContext.privileged Set primary container's Security Context privileged
@@ -330,6 +340,7 @@ primary:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
@@ -339,7 +350,7 @@ primary: seccompProfile: type: "RuntimeDefault" ## MariaDB primary container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -446,7 +457,7 @@ primary: ## extraEnvVarsSecret: "" ## Enable persistence using Persistent Volume Claims - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param primary.persistence.enabled Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir @@ -589,6 +600,9 @@ secondary: ## @param secondary.lifecycleHooks for the MariaDB Secondary container(s) to automate configuration before or after startup ## lifecycleHooks: {} + ## @param secondary.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param secondary.hostAliases Add deployment host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -680,7 +694,7 @@ secondary: ## affinity: {} ## @param secondary.nodeSelector Node labels for MariaDB secondary pods assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param secondary.tolerations Tolerations for MariaDB secondary pods assignment 
@@ -715,14 +729,21 @@ secondary:
 ## MariaDB secondary Pod security context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param secondary.podSecurityContext.enabled Enable security context for MariaDB secondary pods
+ ## @param secondary.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param secondary.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param secondary.podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param secondary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem
 ##
 podSecurityContext:
 enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
 fsGroup: 1001
 ## MariaDB secondary container security context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param secondary.containerSecurityContext.enabled MariaDB secondary container securityContext
+ ## @param secondary.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param secondary.containerSecurityContext.runAsUser User ID for the MariaDB secondary container
 ## @param secondary.containerSecurityContext.runAsNonRoot Set secondary container's Security Context runAsNonRoot
 ## @param secondary.containerSecurityContext.privileged Set secondary container's Security Context privileged
@@ -732,6 +753,7 @@ secondary:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
@@ -741,7 +763,7 @@ secondary: seccompProfile: type: "RuntimeDefault" ## MariaDB secondary container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -848,7 +870,7 @@ secondary: ## extraEnvVarsSecret: "" ## Enable persistence using Persistent Volume Claims - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param secondary.persistence.enabled Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim` @@ -1016,7 +1038,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r92 + tag: 11-debian-11-r94 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) @@ -1052,7 +1074,7 @@ metrics: image: registry: docker.io repository: bitnami/mysqld-exporter - tag: 0.15.1-debian-11-r0 + tag: 0.15.1-debian-11-r2 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) 
@@ -1116,6 +1138,7 @@ metrics:
 ## MariaDB metrics container Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param metrics.containerSecurityContext.enabled Enable security context for MariaDB metrics container
+ ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param metrics.containerSecurityContext.runAsUser User ID for the MariaDB metrics container
 ## @param metrics.containerSecurityContext.runAsNonRoot Set metrics container's Security Context runAsNonRoot
 ## @param metrics.containerSecurityContext.privileged Set metrics container's Security Context privileged
@@ -1133,6 +1156,7 @@ metrics:
 enabled: false
 privileged: false
 runAsNonRoot: true
+ seLinuxOptions: {}
 runAsUser: 1001
 allowPrivilegeEscalation: false
 capabilities:
@@ -1140,7 +1164,7 @@ metrics:
 seccompProfile:
 type: "RuntimeDefault"
 ## Mysqld Prometheus exporter resource requests and limits
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
 ## We usually recommend not to specify default resources and to leave this as a conscious
 ## choice for the user. This also increases chances charts run on environments with little
 ## resources, such as Minikube. If you do want to specify resources, uncomment the following
diff --git a/charts/bitnami/mysql/Chart.yaml b/charts/bitnami/mysql/Chart.yaml
index e6b4b011e..f26b02be2 100644
--- a/charts/bitnami/mysql/Chart.yaml
+++ b/charts/bitnami/mysql/Chart.yaml
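Review bot: In the metrics `containerSecurityContext` block the new `seLinuxOptions: {}` is inserted between `runAsNonRoot: true` and `runAsUser: 1001`, whereas the `@param` list in the first hunk and the primary/secondary blocks earlier in this file place it directly after `enabled`; keeping the key order identical across the three blocks makes the generated README and future diffs directly comparable. I would move the line so the block starts `enabled: false`, `seLinuxOptions: {}`, `privileged: false`. Note also that this block defaults to `enabled: false`, so the new key presumably has no effect until the metrics security context is switched on — pre-existing, but worth one clause in the README row, which currently only says "Set SELinux options in container".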
@@ -6,14 +6,14 @@ annotations: category: Database images: | - name: mysql - image: docker.io/bitnami/mysql:8.0.35-debian-11-r2 + image: docker.io/bitnami/mysql:8.0.36-debian-11-r0 - name: mysqld-exporter - image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r0 + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r2 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r93 + image: docker.io/bitnami/os-shell:11-debian-11-r94 licenses: Apache-2.0 apiVersion: v2 -appVersion: 8.0.35 +appVersion: 8.0.36 dependencies: - name: common repository: file://./charts/common @@ -36,4 +36,4 @@ maintainers: name: mysql sources: - https://github.com/bitnami/charts/tree/main/bitnami/mysql -version: 9.16.1 +version: 9.18.0 diff --git a/charts/bitnami/mysql/README.md b/charts/bitnami/mysql/README.md index 103aa96f2..3e9712bda 100644 --- a/charts/bitnami/mysql/README.md +++ b/charts/bitnami/mysql/README.md @@ -114,6 +114,7 @@ The command removes all the Kubernetes components associated with the chart and | `primary.command` | Override default container command on MySQL Primary container(s) (useful when using custom images) | `[]` | | `primary.args` | Override default container args on MySQL Primary container(s) (useful when using custom images) | `[]` | | `primary.lifecycleHooks` | for the MySQL Primary container(s) to automate configuration before or after startup | `{}` | +| `primary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `primary.hostAliases` | Deployment pod host aliases | `[]` | | `primary.configuration` | Configure MySQL Primary with a custom my.cnf file | `""` | | `primary.existingConfigmap` | Name of existing ConfigMap with MySQL Primary configuration. | `""` | 
@@ -134,8 +135,12 @@ The command removes all the Kubernetes components associated with the chart and | `primary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | | `primary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MySQL primary pods | `""` | | `primary.podSecurityContext.enabled` | Enable security context for MySQL primary pods | `true` | +| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | | `primary.containerSecurityContext.enabled` | MySQL primary container securityContext | `true` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `primary.containerSecurityContext.runAsUser` | User ID for the MySQL primary container | `1001` | | `primary.containerSecurityContext.runAsNonRoot` | Set MySQL primary container's Security Context runAsNonRoot | `true` | | `primary.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` | 
@@ -208,6 +213,7 @@ The command removes all the Kubernetes components associated with the chart and | ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | ------------------- | | `secondary.name` | Name of the secondary database (eg secondary, slave, ...) | `secondary` | | `secondary.replicaCount` | Number of MySQL secondary replicas | `1` | +| `secondary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `secondary.hostAliases` | Deployment pod host aliases | `[]` | | `secondary.command` | Override default container command on MySQL Secondary container(s) (useful when using custom images) | `[]` | | `secondary.args` | Override default container args on MySQL Secondary container(s) (useful when using custom images) | `[]` | 
@@ -231,8 +237,12 @@ The command removes all the Kubernetes components associated with the chart and | `secondary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | | `secondary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MySQL secondary pods | `""` | | `secondary.podSecurityContext.enabled` | Enable security context for MySQL secondary pods | `true` | +| `secondary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `secondary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `secondary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | | `secondary.containerSecurityContext.enabled` | MySQL secondary container securityContext | `true` | +| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `secondary.containerSecurityContext.runAsUser` | User ID for the MySQL secondary container | `1001` | | `secondary.containerSecurityContext.runAsNonRoot` | Set MySQL secondary container's Security Context runAsNonRoot | `true` | | `secondary.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` | 
@@ -306,7 +316,7 @@ The command removes all the Kubernetes components associated with the chart and | `serviceAccount.create` | Enable the creation of a ServiceAccount for MySQL pods | `true` | | `serviceAccount.name` | Name of the created ServiceAccount | `""` | | `serviceAccount.annotations` | Annotations for MySQL Service Account | `{}` | -| `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` | +| `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` | | `rbac.create` | Whether to create & use RBAC resources or not | `false` | | `rbac.rules` | Custom RBAC rules to set | `[]` | 
@@ -332,52 +342,53 @@ The command removes all the Kubernetes components associated with the chart and ### Metrics parameters -| Name | Description | Value | -| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | --------------------------------- | -| `metrics.enabled` | Start a side-car prometheus exporter | `false` | -| `metrics.image.registry` | Exporter image registry | `REGISTRY_NAME` | -| `metrics.image.repository` | Exporter image repository | `REPOSITORY_NAME/mysqld-exporter` | -| `metrics.image.digest` | Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `metrics.containerSecurityContext.enabled` | MySQL metrics container securityContext | `true` | -| `metrics.containerSecurityContext.runAsUser` | User ID for the MySQL metrics container | `1001` | -| `metrics.containerSecurityContext.runAsNonRoot` | Set MySQL metrics container's Security Context runAsNonRoot | `true` | -| `metrics.service.type` | Kubernetes service type for MySQL Prometheus Exporter | `ClusterIP` | -| `metrics.service.clusterIP` | Kubernetes service clusterIP for MySQL Prometheus Exporter | `""` | -| `metrics.service.port` | MySQL Prometheus Exporter service port | `9104` | -| `metrics.service.annotations` | Prometheus exporter service annotations | `{}` | -| `metrics.extraArgs.primary` | Extra args to be passed to mysqld_exporter on Primary pods | `[]` | -| `metrics.extraArgs.secondary` | Extra args to be passed to mysqld_exporter on Secondary pods | `[]` | -| `metrics.resources.limits` | The resources limits for MySQL prometheus exporter containers | `{}` | -| `metrics.resources.requests` | The requested resources for MySQL 
prometheus exporter containers | `{}` | -| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | -| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | -| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | -| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | -| `metrics.serviceMonitor.namespace` | Specify the namespace in which the serviceMonitor resource will be created | `""` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. 
| `""` | -| `metrics.serviceMonitor.interval` | Specify the interval at which metrics should be scraped | `30s` | -| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | -| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` | -| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.serviceMonitor.labels` | Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with | `{}` | -| `metrics.serviceMonitor.annotations` | ServiceMonitor annotations | `{}` | -| `metrics.prometheusRule.enabled` | Creates a Prometheus Operator prometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` | -| `metrics.prometheusRule.namespace` | Namespace for the prometheusRule Resource (defaults to the Release Namespace) | `""` | -| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRule will be discovered by Prometheus | `{}` | -| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` | +| Name | Description | Value | +| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | --------------------------------- | +| `metrics.enabled` | Start a side-car prometheus exporter | `false` | +| `metrics.image.registry` | Exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | Exporter image repository | `REPOSITORY_NAME/mysqld-exporter` | +| `metrics.image.digest` | Exporter image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.containerSecurityContext.enabled` | MySQL metrics container securityContext | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.containerSecurityContext.runAsUser` | User ID for the MySQL metrics container | `1001` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set MySQL metrics container's Security Context runAsNonRoot | `true` | +| `metrics.service.type` | Kubernetes service type for MySQL Prometheus Exporter | `ClusterIP` | +| `metrics.service.clusterIP` | Kubernetes service clusterIP for MySQL Prometheus Exporter | `""` | +| `metrics.service.port` | MySQL Prometheus Exporter service port | `9104` | +| `metrics.service.annotations` | Prometheus exporter service annotations | `{}` | +| `metrics.extraArgs.primary` | Extra args to be passed to mysqld_exporter on Primary pods | `[]` | +| `metrics.extraArgs.secondary` | Extra args to be passed to mysqld_exporter on Secondary pods | `[]` | +| `metrics.resources.limits` | The resources limits for MySQL prometheus exporter containers | `{}` | +| `metrics.resources.requests` | The requested resources for MySQL prometheus exporter containers | `{}` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable 
readinessProbe | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.serviceMonitor.namespace` | Specify the namespace in which the serviceMonitor resource will be created | `""` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.serviceMonitor.interval` | Specify the interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.labels` | Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with | `{}` | +| `metrics.serviceMonitor.annotations` | ServiceMonitor annotations | `{}` | +| `metrics.prometheusRule.enabled` | Creates a Prometheus Operator prometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` | +| `metrics.prometheusRule.namespace` | Namespace for the prometheusRule Resource (defaults to 
the Release Namespace) | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` | The above parameters map to the env variables defined in [bitnami/mysql](https://github.com/bitnami/containers/tree/main/bitnami/mysql). For more information please refer to the [bitnami/mysql](https://github.com/bitnami/containers/tree/main/bitnami/mysql) image documentation. @@ -406,7 +417,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/mysql ## Configuration and installation details -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. @@ -560,7 +571,7 @@ kubectl delete statefulset mysql-slave --cascade=false ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/mysql/templates/primary/statefulset.yaml b/charts/bitnami/mysql/templates/primary/statefulset.yaml index b6702b7f5..a6643d162 100644 --- a/charts/bitnami/mysql/templates/primary/statefulset.yaml +++ b/charts/bitnami/mysql/templates/primary/statefulset.yaml 
@@ -41,6 +41,7 @@ spec:
{{- end }}
serviceAccountName: {{ template "mysql.serviceAccountName" . }}
{{- include "mysql.imagePullSecrets" . | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.primary.automountServiceAccountToken }}
{{- if .Values.primary.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }}
{{- end }}
diff --git a/charts/bitnami/mysql/templates/secondary/statefulset.yaml b/charts/bitnami/mysql/templates/secondary/statefulset.yaml
index c22e5e66a..23162cc06 100644
--- a/charts/bitnami/mysql/templates/secondary/statefulset.yaml
+++ b/charts/bitnami/mysql/templates/secondary/statefulset.yaml
@@ -42,6 +42,7 @@ spec:
{{- end }}
serviceAccountName: {{ include "mysql.serviceAccountName" . }}
{{- include "mysql.imagePullSecrets" . | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.secondary.automountServiceAccountToken }}
{{- if .Values.secondary.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.hostAliases "context" $) | nindent 8 }}
{{- end }}
diff --git a/charts/bitnami/mysql/values.yaml b/charts/bitnami/mysql/values.yaml
index be02cb4f7..baf16715c 100644
--- a/charts/bitnami/mysql/values.yaml
+++ b/charts/bitnami/mysql/values.yaml
@@ -85,11 +85,11 @@ diagnosticMode:
image:
registry: docker.io
repository: bitnami/mysql
- tag: 8.0.35-debian-11-r2
+ tag: 8.0.36-debian-11-r0
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
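Review bot: The new `automountServiceAccountToken:` line in the pod spec takes precedence over the ServiceAccount-level `serviceAccount.automountServiceAccountToken`, so with the new `false` default a user who only sets the ServiceAccount value back to `true` still gets no token in the chart's own pods; the same line is added to the secondary StatefulSet in the next hunk and to the postgresql primary and read StatefulSet hunks later in this diff. None of the matching values descriptions ("Mount Service Account token in pod" for `primary`, `secondary` and `readReplicas`) say this, so the interaction is easy to miss. Suggested `@param` text for those values entries: `Mount Service Account token in pod (pod-level setting; when set it overrides serviceAccount.automountServiceAccountToken)`. The pod spec continues outside the hunk.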
@@ -195,6 +195,9 @@ primary:
## @param primary.lifecycleHooks for the MySQL Primary container(s) to automate configuration before or after startup
##
lifecycleHooks: {}
+ ## @param primary.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: false
## @param primary.hostAliases Deployment pod host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
@@ -277,7 +280,7 @@ primary:
##
affinity: {}
## @param primary.nodeSelector Node labels for MySQL primary pods assignment
- ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param primary.tolerations Tolerations for MySQL primary pods assignment
@@ -310,14 +313,21 @@ primary: ## MySQL primary Pod security context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param primary.podSecurityContext.enabled Enable security context for MySQL primary pods + ## @param primary.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param primary.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param primary.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param primary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## MySQL primary container security context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param primary.containerSecurityContext.enabled MySQL primary container securityContext + ## @param primary.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param primary.containerSecurityContext.runAsUser User ID for the MySQL primary container ## @param primary.containerSecurityContext.runAsNonRoot Set MySQL primary container's Security Context runAsNonRoot ## @param primary.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation @@ -326,6 +336,7 @@ primary: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true allowPrivilegeEscalation: false 
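Review bot: `sysctls: []` is introduced with the description "Set kernel settings using the sysctl interface" but nothing tells the user that only the kubelet's safe sysctl set is accepted by default and that anything else must be allow-listed on the node with `--allowed-unsafe-sysctls`, otherwise the kubelet rejects the pod; suggested comment next to the `@param`: `## Unsafe sysctls must be allow-listed on the node (kubelet --allowed-unsafe-sysctls) before they can be set here`. Whether the new `fsGroupChangePolicy`, `sysctls`, `supplementalGroups` and `seLinuxOptions` keys actually reach the rendered manifest depends on how the StatefulSet template emits `podSecurityContext` and `containerSecurityContext`, which is not part of this diff; if it enumerates fields instead of passing the map through, the new values are inert. The same applies to the secondary hunk below and to the postgresql primary, readReplicas and backup cronjob hunks.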
@@ -334,7 +345,7 @@ primary: seccompProfile: type: "RuntimeDefault" ## MySQL primary container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -438,7 +449,7 @@ primary: ## extraPorts: [] ## Enable persistence using Persistent Volume Claims - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param primary.persistence.enabled Enable persistence on MySQL primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir @@ -587,6 +598,9 @@ secondary: ## @param secondary.replicaCount Number of MySQL secondary replicas ## replicaCount: 1 + ## @param secondary.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param secondary.hostAliases Deployment pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -679,7 +693,7 @@ secondary: ## affinity: {} ## @param secondary.nodeSelector Node labels for MySQL secondary pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param secondary.tolerations Tolerations for MySQL secondary pods assignment 
@@ -712,14 +726,21 @@ secondary: ## MySQL secondary Pod security context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param secondary.podSecurityContext.enabled Enable security context for MySQL secondary pods + ## @param secondary.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param secondary.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param secondary.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param secondary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## MySQL secondary container security context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param secondary.containerSecurityContext.enabled MySQL secondary container securityContext + ## @param secondary.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param secondary.containerSecurityContext.runAsUser User ID for the MySQL secondary container ## @param secondary.containerSecurityContext.runAsNonRoot Set MySQL secondary container's Security Context runAsNonRoot ## @param secondary.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation @@ -728,6 +749,7 @@ secondary: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true allowPrivilegeEscalation: false 
@@ -736,7 +758,7 @@ secondary: seccompProfile: type: "RuntimeDefault" ## MySQL secondary container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -840,7 +862,7 @@ secondary: ## extraPorts: [] ## Enable persistence using Persistent Volume Claims - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param secondary.persistence.enabled Enable persistence on MySQL secondary replicas using a `PersistentVolumeClaim` @@ -998,7 +1020,7 @@ serviceAccount: annotations: {} ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## Role Based Access ## ref: https://kubernetes.io/docs/admin/authorization/rbac/ @@ -1071,7 +1093,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r93 + tag: 11-debian-11-r94 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1105,7 +1127,7 @@ metrics: image: registry: docker.io repository: bitnami/mysqld-exporter - tag: 0.15.1-debian-11-r0 + tag: 0.15.1-debian-11-r2 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
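Review bot: Flipping `serviceAccount.automountServiceAccountToken` from `true` to `false` is a behaviour change for existing releases whose extra sidecars or init containers talk to the Kubernetes API, and the `@param` line above it reads as if nothing changed; the postgresql values hunk further down makes the same flip and additionally moves `serviceAccount.create` from `false` to `true`. Because the chart's own pods now also carry a pod-level `automountServiceAccountToken: false`, the ServiceAccount value alone no longer restores the token. A short comment such as `## Disabled by default; the chart's pods only receive a token when primary/secondary.automountServiceAccountToken is also true` and an entry in the README upgrade notes (not visible in this diff, so it may already exist) would make the intent explicit.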
@@ -1119,11 +1141,13 @@ metrics: ## MySQL metrics container security context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled MySQL metrics container securityContext + ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser User ID for the MySQL metrics container ## @param metrics.containerSecurityContext.runAsNonRoot Set MySQL metrics container's Security Context runAsNonRoot ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true ## MySQL Prometheus exporter service parameters @@ -1184,7 +1208,7 @@ metrics: primary: [] secondary: [] ## Mysqld Prometheus exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following diff --git a/charts/bitnami/postgresql/Chart.yaml b/charts/bitnami/postgresql/Chart.yaml index f35f894cb..a01febc97 100644 --- a/charts/bitnami/postgresql/Chart.yaml +++ b/charts/bitnami/postgresql/Chart.yaml 
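Review bot: The metrics container's securityContext gains `seLinuxOptions: {}` but, unlike the primary and secondary contexts touched earlier in this file, it still has no `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}` or `seccompProfile: {type: RuntimeDefault}` (the postgresql metrics context in this same commit at least carries `privileged: false`). If the template passes this map through, the exporter runs with a looser profile than the database it sits beside; adding those three keys here would keep the chart's containers consistent. The rendering side is outside this diff, so this is inferred from the values alone.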
@@ -6,11 +6,11 @@ annotations: category: Database images: | - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r93 + image: docker.io/bitnami/os-shell:11-debian-11-r95 - name: postgres-exporter - image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r5 + image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r6 - name: postgresql - image: docker.io/bitnami/postgresql:16.1.0-debian-11-r19 + image: docker.io/bitnami/postgresql:16.1.0-debian-11-r22 licenses: Apache-2.0 apiVersion: v2 appVersion: 16.1.0 @@ -38,4 +38,4 @@ maintainers: name: postgresql sources: - https://github.com/bitnami/charts/tree/main/bitnami/postgresql -version: 13.2.29 +version: 13.4.1 diff --git a/charts/bitnami/postgresql/README.md b/charts/bitnami/postgresql/README.md index e934eb378..31ce3053e 100644 --- a/charts/bitnami/postgresql/README.md +++ b/charts/bitnami/postgresql/README.md 
@@ -208,8 +208,12 @@ kubectl delete pvc -l release=my-release | `primary.resources.requests.memory` | The requested memory for the PostgreSQL Primary containers | `256Mi` | | `primary.resources.requests.cpu` | The requested cpu for the PostgreSQL Primary containers | `250m` | | `primary.podSecurityContext.enabled` | Enable security context | `true` | +| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | | `primary.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `primary.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `primary.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `primary.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -217,6 +221,7 @@ kubectl delete pvc -l release=my-release | `primary.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | | `primary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `primary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `primary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `primary.hostAliases` | PostgreSQL primary pods host aliases | `[]` | | `primary.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (postgresql primary) | `false` | | `primary.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | 
@@ -308,8 +313,12 @@ kubectl delete pvc -l release=my-release | `readReplicas.resources.requests.memory` | The requested memory for the PostgreSQL read only containers | `256Mi` | | `readReplicas.resources.requests.cpu` | The requested cpu for the PostgreSQL read only containers | `250m` | | `readReplicas.podSecurityContext.enabled` | Enable security context | `true` | +| `readReplicas.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `readReplicas.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `readReplicas.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | | `readReplicas.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `readReplicas.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `readReplicas.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `readReplicas.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -317,6 +326,7 @@ kubectl delete pvc -l release=my-release | `readReplicas.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | | `readReplicas.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `readReplicas.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `readReplicas.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `readReplicas.hostAliases` | PostgreSQL read only pods host aliases | `[]` | | `readReplicas.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) | `false` | | `readReplicas.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | 
@@ -384,8 +394,12 @@ kubectl delete pvc -l release=my-release | `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` | | `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` | | `backup.cronjob.podSecurityContext.enabled` | Enable PodSecurityContext for CronJob/Backup | `true` | +| `backup.cronjob.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `backup.cronjob.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `backup.cronjob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `backup.cronjob.podSecurityContext.fsGroup` | Group ID for the CronJob | `1001` | | `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -438,6 +452,7 @@ kubectl delete pvc -l release=my-release | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | | `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | | `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | | `volumePermissions.containerSecurityContext.runAsGroup` | Group ID for the init container | `0` | | `volumePermissions.containerSecurityContext.runAsNonRoot` | runAsNonRoot for the init container | `false` | @@ -448,9 +463,9 @@ kubectl delete pvc -l release=my-release | Name | Description | Value | | --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | | `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | -| `serviceAccount.create` | Enable creation of ServiceAccount for PostgreSQL pod | `false` | +| `serviceAccount.create` | Enable creation of ServiceAccount for PostgreSQL pod | `true` | | `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | | `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | | `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` | | `rbac.rules` | Custom RBAC rules to set | `[]` | 
@@ -470,6 +485,7 @@ kubectl delete pvc -l release=my-release
| `metrics.customMetrics` | Define additional custom metrics | `{}` |
| `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` |
| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
diff --git a/charts/bitnami/postgresql/templates/primary/statefulset.yaml b/charts/bitnami/postgresql/templates/primary/statefulset.yaml
index cb9374d6b..1f0c96203 100644
--- a/charts/bitnami/postgresql/templates/primary/statefulset.yaml
+++ b/charts/bitnami/postgresql/templates/primary/statefulset.yaml
@@ -49,6 +49,7 @@ spec:
{{- end }}
serviceAccountName: {{ include "postgresql.v1.serviceAccountName" . }}
{{- include "postgresql.v1.imagePullSecrets" . | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.primary.automountServiceAccountToken }}
{{- if .Values.primary.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }}
{{- end }}
diff --git a/charts/bitnami/postgresql/templates/read/statefulset.yaml b/charts/bitnami/postgresql/templates/read/statefulset.yaml
index 826870065..f11ae0a89 100644
--- a/charts/bitnami/postgresql/templates/read/statefulset.yaml
+++ b/charts/bitnami/postgresql/templates/read/statefulset.yaml
@@ -47,6 +47,7 @@ spec:
{{- end }}
serviceAccountName: {{ include "postgresql.v1.serviceAccountName" . }}
{{- include "postgresql.v1.imagePullSecrets" . | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.readReplicas.automountServiceAccountToken }}
{{- if .Values.readReplicas.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.hostAliases "context" $) | nindent 8 }}
{{- end }}
diff --git a/charts/bitnami/postgresql/values.yaml b/charts/bitnami/postgresql/values.yaml
index 02699af25..316559c55 100644
--- a/charts/bitnami/postgresql/values.yaml
+++ b/charts/bitnami/postgresql/values.yaml
@@ -98,11 +98,11 @@ diagnosticMode:
image:
registry: docker.io
repository: bitnami/postgresql
- tag: 16.1.0-debian-11-r19
+ tag: 16.1.0-debian-11-r22
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
@@ -438,7 +438,7 @@ primary:
##
lifecycleHooks: {}
## PostgreSQL Primary resource requests and limits
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param primary.resources.limits The resources limits for the PostgreSQL Primary containers
## @param primary.resources.requests.memory The requested memory for the PostgreSQL Primary containers
## @param primary.resources.requests.cpu The requested cpu for the PostgreSQL Primary containers
@@ -451,14 +451,21 @@ primary: ## Pod Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param primary.podSecurityContext.enabled Enable security context + ## @param primary.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param primary.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param primary.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param primary.podSecurityContext.fsGroup Group ID for the pod ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param primary.containerSecurityContext.enabled Enabled containers' Security Context + ## @param primary.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param primary.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param primary.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param primary.containerSecurityContext.privileged Set container's Security Context privileged @@ -469,6 +476,7 @@ primary: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -478,6 +486,9 @@ primary: drop: ["ALL"] seccompProfile: type: "RuntimeDefault" + ## @param primary.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param primary.hostAliases PostgreSQL primary pods host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## 
@@ -533,7 +544,7 @@ primary: ## affinity: {} ## @param primary.nodeSelector Node labels for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param primary.tolerations Tolerations for PostgreSQL primary pods assignment @@ -802,7 +813,7 @@ readReplicas: ## lifecycleHooks: {} ## PostgreSQL read only resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param readReplicas.resources.limits The resources limits for the PostgreSQL read only containers ## @param readReplicas.resources.requests.memory The requested memory for the PostgreSQL read only containers ## @param readReplicas.resources.requests.cpu The requested cpu for the PostgreSQL read only containers 
@@ -815,14 +826,21 @@ readReplicas: ## Pod Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param readReplicas.podSecurityContext.enabled Enable security context + ## @param readReplicas.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param readReplicas.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param readReplicas.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param readReplicas.podSecurityContext.fsGroup Group ID for the pod ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param readReplicas.containerSecurityContext.enabled Enabled containers' Security Context + ## @param readReplicas.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param readReplicas.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param readReplicas.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param readReplicas.containerSecurityContext.privileged Set container's Security Context privileged @@ -833,6 +851,7 @@ readReplicas: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -842,6 +861,9 @@ readReplicas: drop: ["ALL"] seccompProfile: type: "RuntimeDefault" + ## @param readReplicas.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param readReplicas.hostAliases PostgreSQL read only pods host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## 
@@ -897,7 +919,7 @@ readReplicas: ## affinity: {} ## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment @@ -1104,13 +1126,20 @@ backup: ## @param backup.cronjob.restartPolicy Set the cronjob parameter restartPolicy restartPolicy: OnFailure ## @param backup.cronjob.podSecurityContext.enabled Enable PodSecurityContext for CronJob/Backup + ## @param backup.cronjob.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param backup.cronjob.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param backup.cronjob.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param backup.cronjob.podSecurityContext.fsGroup Group ID for the CronJob podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## backup container's Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context + ## @param backup.cronjob.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged 
@@ -1120,6 +1149,7 @@ backup: ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -1140,7 +1170,7 @@ backup: ## @param backup.cronjob.annotations Set the cronjob annotations annotations: {} ## @param backup.cronjob.nodeSelector Node labels for PostgreSQL backup CronJob pod assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/ ## nodeSelector: {} storage: @@ -1300,7 +1330,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r93 + tag: 11-debian-11-r95 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1312,7 +1342,7 @@ volumePermissions: ## pullSecrets: [] ## Init container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param volumePermissions.resources.limits Init container volume-permissions resource limits ## @param volumePermissions.resources.requests Init container volume-permissions resource requests ## 
@@ -1322,12 +1352,14 @@ volumePermissions: ## Init container' Security Context ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser + ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container ## @param volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container ## @param volumePermissions.containerSecurityContext.runAsNonRoot runAsNonRoot for the init container ## @param volumePermissions.containerSecurityContext.seccompProfile.type seccompProfile.type for the init container ## containerSecurityContext: + seLinuxOptions: {} runAsUser: 0 runAsGroup: 0 runAsNonRoot: false @@ -1348,7 +1380,7 @@ serviceBindings: serviceAccount: ## @param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod ## - create: false + create: true ## @param serviceAccount.name The name of the ServiceAccount to use. ## If not set and create is true, a name is generated using the common.names.fullname template ## @@ -1356,7 +1388,7 @@ serviceAccount: ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created ## Can be set to false if pods using this serviceAccount do not need to use K8s API ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} @@ -1401,7 +1433,7 @@ metrics: image: registry: docker.io repository: bitnami/postgres-exporter - tag: 0.15.0-debian-11-r5 + tag: 0.15.0-debian-11-r6 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -1443,6 +1475,7 @@ metrics: ## PostgreSQL Prometheus exporter containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context + ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged @@ -1453,6 +1486,7 @@ metrics: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -1520,7 +1554,7 @@ metrics: containerPorts: metrics: 9187 ## PostgreSQL Prometheus exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param metrics.resources.limits The resources limits for the PostgreSQL Prometheus exporter container ## @param metrics.resources.requests The requested resources for the PostgreSQL Prometheus exporter container ## @@ -1540,7 +1574,7 @@ metrics: clusterIP: "" ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None ## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint diff --git a/charts/bitnami/redis/Chart.yaml b/charts/bitnami/redis/Chart.yaml index 25aa5902a..01187ac84 100644 --- a/charts/bitnami/redis/Chart.yaml +++ b/charts/bitnami/redis/Chart.yaml 
@@ -6,13 +6,13 @@ annotations:
 category: Database
 images: |
 - name: os-shell
- image: docker.io/bitnami/os-shell:11-debian-11-r93
+ image: docker.io/bitnami/os-shell:11-debian-11-r94
 - name: redis-exporter
- image: docker.io/bitnami/redis-exporter:1.56.0-debian-11-r0
+ image: docker.io/bitnami/redis-exporter:1.56.0-debian-11-r1
 - name: redis-sentinel
- image: docker.io/bitnami/redis-sentinel:7.2.4-debian-11-r0
+ image: docker.io/bitnami/redis-sentinel:7.2.4-debian-11-r3
 - name: redis
- image: docker.io/bitnami/redis:7.2.4-debian-11-r0
+ image: docker.io/bitnami/redis:7.2.4-debian-11-r2
 licenses: Apache-2.0
 apiVersion: v2
 appVersion: 7.2.4
@@ -37,4 +37,4 @@ maintainers:
 name: redis
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/redis
-version: 18.6.3
+version: 18.8.0
diff --git a/charts/bitnami/redis/README.md b/charts/bitnami/redis/README.md
index cc5c08ffe..7874db508 100644
--- a/charts/bitnami/redis/README.md
+++ b/charts/bitnami/redis/README.md
@@ -163,8 +163,12 @@ The command removes all the Kubernetes components associated with the chart and | `master.resources.limits` | The resources limits for the Redis® master containers | `{}` | | `master.resources.requests` | The requested resources for the Redis® master containers | `{}` | | `master.podSecurityContext.enabled` | Enabled Redis® master pods' Security Context | `true` | +| `master.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `master.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `master.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `master.podSecurityContext.fsGroup` | Set Redis® master pod's Security Context fsGroup | `1001` | | `master.containerSecurityContext.enabled` | Enabled Redis® master containers' Security Context | `true` | +| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `master.containerSecurityContext.runAsUser` | Set Redis® master containers' Security Context runAsUser | `1001` | | `master.containerSecurityContext.runAsGroup` | Set Redis® master containers' Security Context runAsGroup | `0` | | `master.containerSecurityContext.runAsNonRoot` | Set Redis® master containers' Security Context runAsNonRoot | `true` | 
@@ -176,6 +180,7 @@ The command removes all the Kubernetes components associated with the chart and | `master.updateStrategy.type` | Redis® master statefulset strategy type | `RollingUpdate` | | `master.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` | | `master.priorityClassName` | Redis® master pods' priorityClassName | `""` | +| `master.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `master.hostAliases` | Redis® master pods host aliases | `[]` | | `master.podLabels` | Extra labels for Redis® master pods | `{}` | | `master.podAnnotations` | Annotations for Redis® master pods | `{}` | @@ -228,9 +233,9 @@ The command removes all the Kubernetes components associated with the chart and | `master.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | | `master.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | | `master.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-master pods | `30` | -| `master.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` | +| `master.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | | `master.serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `master.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `true` | +| `master.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` | | `master.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | ### Redis® replicas configuration parameters 
@@ -277,8 +282,12 @@ The command removes all the Kubernetes components associated with the chart and | `replica.resources.limits` | The resources limits for the Redis® replicas containers | `{}` | | `replica.resources.requests` | The requested resources for the Redis® replicas containers | `{}` | | `replica.podSecurityContext.enabled` | Enabled Redis® replicas pods' Security Context | `true` | +| `replica.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `replica.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `replica.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `replica.podSecurityContext.fsGroup` | Set Redis® replicas pod's Security Context fsGroup | `1001` | | `replica.containerSecurityContext.enabled` | Enabled Redis® replicas containers' Security Context | `true` | +| `replica.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `replica.containerSecurityContext.runAsUser` | Set Redis® replicas containers' Security Context runAsUser | `1001` | | `replica.containerSecurityContext.runAsGroup` | Set Redis® replicas containers' Security Context runAsGroup | `0` | | `replica.containerSecurityContext.runAsNonRoot` | Set Redis® replicas containers' Security Context runAsNonRoot | `true` | 
@@ -290,6 +299,7 @@ The command removes all the Kubernetes components associated with the chart and | `replica.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` | | `replica.priorityClassName` | Redis® replicas pods' priorityClassName | `""` | | `replica.podManagementPolicy` | podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods | `""` | +| `replica.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `replica.hostAliases` | Redis® replicas pods host aliases | `[]` | | `replica.podLabels` | Extra labels for Redis® replicas pods | `{}` | | `replica.podAnnotations` | Annotations for Redis® replicas pods | `{}` | @@ -346,9 +356,9 @@ The command removes all the Kubernetes components associated with the chart and | `replica.autoscaling.maxReplicas` | Maximum replicas for the pod autoscaling | `11` | | `replica.autoscaling.targetCPU` | Percentage of CPU to consider when autoscaling | `""` | | `replica.autoscaling.targetMemory` | Percentage of Memory to consider when autoscaling | `""` | -| `replica.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` | +| `replica.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | | `replica.serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `replica.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `true` | +| `replica.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` | | `replica.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | ### Redis® Sentinel configuration parameters 
@@ -420,6 +430,7 @@ The command removes all the Kubernetes components associated with the chart and | `sentinel.resources.limits` | The resources limits for the Redis® Sentinel containers | `{}` | | `sentinel.resources.requests` | The requested resources for the Redis® Sentinel containers | `{}` | | `sentinel.containerSecurityContext.enabled` | Enabled Redis® Sentinel containers' Security Context | `true` | +| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `sentinel.containerSecurityContext.runAsUser` | Set Redis® Sentinel containers' Security Context runAsUser | `1001` | | `sentinel.containerSecurityContext.runAsGroup` | Set Redis® Sentinel containers' Security Context runAsGroup | `0` | | `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis® Sentinel containers' Security Context runAsNonRoot | `true` | @@ -466,7 +477,7 @@ The command removes all the Kubernetes components associated with the chart and | `rbac.rules` | Custom RBAC rules to set | `[]` | | `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | | `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `true` | +| `serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` | | `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | | `pdb.create` | Specifies whether a PodDisruptionBudget should be created | `false` | | `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` | 
@@ -517,6 +528,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.extraArgs` | Extra arguments for Redis® exporter, for example: | `{}` | | `metrics.extraEnvVars` | Array with extra environment variables to add to Redis® exporter | `[]` | | `metrics.containerSecurityContext.enabled` | Enabled Redis® exporter containers' Security Context | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `metrics.containerSecurityContext.runAsUser` | Set Redis® exporter containers' Security Context runAsUser | `1001` | | `metrics.containerSecurityContext.runAsGroup` | Set Redis® exporter containers' Security Context runAsGroup | `0` | | `metrics.containerSecurityContext.runAsNonRoot` | Set Redis® exporter containers' Security Context runAsNonRoot | `true` | 
@@ -567,27 +579,28 @@ The command removes all the Kubernetes components associated with the chart and ### Init Container Parameters -| Name | Description | Value | -| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | -------------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | -| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | -| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | -| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | -| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | -| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` | -| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | -| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | -| `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | -| `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | -| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | -| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` | -| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` | -| `sysctl.resources.limits` | The resources limits for the init container | `{}` | -| `sysctl.resources.requests` | The requested resources for the init container | `{}` | +| Name | Description | Value | +| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | +| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | +| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` | +| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` | +| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` | +| `sysctl.resources.limits` | The resources limits for the init container | `{}` | +| `sysctl.resources.requests` | The requested resources for the init container | `{}` | ### useExternalDNS Parameters diff --git a/charts/bitnami/redis/templates/master/application.yaml b/charts/bitnami/redis/templates/master/application.yaml index 2da5bd5fc..84569b930 100644 --- a/charts/bitnami/redis/templates/master/application.yaml +++ b/charts/bitnami/redis/templates/master/application.yaml 
@@ -65,7 +65,7 @@ spec:
 securityContext: {{- omit .Values.master.podSecurityContext "enabled" | toYaml | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ template "redis.masterServiceAccountName" . }}
- automountServiceAccountToken: {{ .Values.master.serviceAccount.automountServiceAccountToken }}
+ automountServiceAccountToken: {{ .Values.master.automountServiceAccountToken }}
 {{- if .Values.master.priorityClassName }}
 priorityClassName: {{ .Values.master.priorityClassName | quote }}
 {{- end }}
diff --git a/charts/bitnami/redis/templates/replicas/application.yaml b/charts/bitnami/redis/templates/replicas/application.yaml
index 67d83c8ba..aeb193ae1 100644
--- a/charts/bitnami/redis/templates/replicas/application.yaml
+++ b/charts/bitnami/redis/templates/replicas/application.yaml
@@ -63,7 +63,7 @@ spec:
 securityContext: {{- omit .Values.replica.podSecurityContext "enabled" | toYaml | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ template "redis.replicaServiceAccountName" . }}
- automountServiceAccountToken: {{ .Values.replica.serviceAccount.automountServiceAccountToken }}
+ automountServiceAccountToken: {{ .Values.replica.automountServiceAccountToken }}
 {{- if .Values.replica.priorityClassName }}
 priorityClassName: {{ .Values.replica.priorityClassName | quote }}
 {{- end }}
diff --git a/charts/bitnami/redis/templates/sentinel/statefulset.yaml b/charts/bitnami/redis/templates/sentinel/statefulset.yaml
index 5b28f8c4e..73950ac35 100644
--- a/charts/bitnami/redis/templates/sentinel/statefulset.yaml
+++ b/charts/bitnami/redis/templates/sentinel/statefulset.yaml
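Review bot: The pod-level `automountServiceAccountToken` now comes from `.Values.master.automountServiceAccountToken`, and Kubernetes gives the pod field precedence over the ServiceAccount's own `automountServiceAccountToken`, so the `master.serviceAccount.automountServiceAccountToken` value that survives in values.yaml no longer affects these pods; the replicas hunk below has the same shape. Nothing in the values documentation states this precedence, so an operator who re-enables only the SA-level flag to give a sidecar API access will still get no token. Suggest documenting it on the new value in the values.yaml hunks, e.g. `## @param master.automountServiceAccountToken Mount Service Account token in pod (pod-level setting; takes precedence over master.serviceAccount.automountServiceAccountToken)`. The enclosing pod spec template continues outside the hunk.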
@@ -54,13 +54,13 @@ spec:
 {{- end }}
 spec:
 {{- include "redis.imagePullSecrets" . | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.replica.automountServiceAccountToken }}
 {{- if .Values.replica.hostAliases }}
 hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.replica.hostAliases "context" $) | nindent 8 }}
 {{- end }}
 {{- if .Values.replica.podSecurityContext.enabled }}
 securityContext: {{- omit .Values.replica.podSecurityContext "enabled" | toYaml | nindent 8 }}
 {{- end }}
- automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 serviceAccountName: {{ template "redis.serviceAccountName" . }}
 {{- if .Values.replica.priorityClassName }}
 priorityClassName: {{ .Values.replica.priorityClassName | quote }}
diff --git a/charts/bitnami/redis/values.yaml b/charts/bitnami/redis/values.yaml
index 7ff978c35..5af444cb4 100644
--- a/charts/bitnami/redis/values.yaml
+++ b/charts/bitnami/redis/values.yaml
@@ -94,11 +94,11 @@ diagnosticMode:
 image:
 registry: docker.io
 repository: bitnami/redis
- tag: 7.2.4-debian-11-r0
+ tag: 7.2.4-debian-11-r2
 digest: ""
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
 ##
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
@@ -266,7 +266,7 @@ master:
 ##
 customReadinessProbe: {}
 ## Redis® master resource requests and limits
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
 ## @param master.resources.limits The resources limits for the Redis® master containers
 ## @param master.resources.requests The requested resources for the Redis® master containers
 ##
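Review bot: The sentinel pod now takes `automountServiceAccountToken` from `.Values.replica.automountServiceAccountToken` while its `serviceAccountName` stays `{{ template "redis.serviceAccountName" . }}`, which the removed line paired with the chart-level `serviceAccount` value, so the token knob and the identity it governs appear to live under different value keys. Either source the field from a sentinel- or chart-level value, or make the coupling explicit above the new line, e.g. `{{- /* sentinel pods use the chart-level ServiceAccount but follow replica.automountServiceAccountToken */ -}}`, and mention it on the `replica.automountServiceAccountToken` parameter. Moving the field above `hostAliases` is cosmetic. The rest of the StatefulSet pod spec is outside the hunk.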
@@ -276,14 +276,21 @@ master: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param master.podSecurityContext.enabled Enabled Redis® master pods' Security Context + ## @param master.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param master.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param master.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param master.podSecurityContext.fsGroup Set Redis® master pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param master.containerSecurityContext.enabled Enabled Redis® master containers' Security Context + ## @param master.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param master.containerSecurityContext.runAsUser Set Redis® master containers' Security Context runAsUser ## @param master.containerSecurityContext.runAsGroup Set Redis® master containers' Security Context runAsGroup ## @param master.containerSecurityContext.runAsNonRoot Set Redis® master containers' Security Context runAsNonRoot @@ -293,6 +300,7 @@ master: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true 
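Review bot: The new `## @param master.podSecurityContext.sysctls Set kernel settings using the sysctl interface` and `fsGroupChangePolicy` lines document the keys but not their constraints, and the same lines recur in the `@@ -727,14 +738,21 @@ replica:` hunk. Sysctls set through the pod securityContext are mediated by the kubelet: only its safe set is accepted by default and anything else must be allow-listed on the kubelet via `--allowed-unsafe-sysctls` or the pod fails to start, which is also what makes this path preferable to the chart's `sysctl` init container for the kernel settings it covers. `fsGroupChangePolicy` accepts `Always` or `OnRootMismatch`. Suggest `## @param master.podSecurityContext.sysctls Set kernel settings using the sysctl interface (unsafe sysctls must be allow-listed on the kubelet)` and `## @param master.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy (Always or OnRootMismatch)`.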
@@ -325,6 +333,9 @@ master: ## @param master.priorityClassName Redis® master pods' priorityClassName ## priorityClassName: "" + ## @param master.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param master.hostAliases Redis® master pods host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -372,7 +383,7 @@ master: ## affinity: {} ## @param master.nodeSelector Node labels for Redis® master pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param master.tolerations Tolerations for Redis® master pods assignment @@ -435,7 +446,7 @@ master: ## initContainers: [] ## Persistence parameters - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param master.persistence.enabled Enable persistence on Redis® master nodes using Persistent Volume Claims @@ -576,7 +587,7 @@ master: serviceAccount: ## @param master.serviceAccount.create Specifies whether a ServiceAccount should be created ## - create: false + create: true ## @param master.serviceAccount.name The name of the ServiceAccount to use. ## If not set and create is true, a name is generated using the common.names.fullname template ## @@ -584,7 +595,7 @@ master: ## @param master.serviceAccount.automountServiceAccountToken Whether to auto mount the service account token ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param master.serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} 
@@ -709,7 +720,7 @@ replica: ## customReadinessProbe: {} ## Redis® replicas resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param replica.resources.limits The resources limits for the Redis® replicas containers ## @param replica.resources.requests The requested resources for the Redis® replicas containers ## @@ -727,14 +738,21 @@ replica: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param replica.podSecurityContext.enabled Enabled Redis® replicas pods' Security Context + ## @param replica.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param replica.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param replica.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param replica.podSecurityContext.fsGroup Set Redis® replicas pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param replica.containerSecurityContext.enabled Enabled Redis® replicas containers' Security Context + ## @param replica.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param replica.containerSecurityContext.runAsUser Set Redis® replicas containers' Security Context runAsUser ## @param replica.containerSecurityContext.runAsGroup Set Redis® replicas containers' Security Context runAsGroup ## @param replica.containerSecurityContext.runAsNonRoot Set Redis® replicas containers' Security Context runAsNonRoot 
@@ -744,6 +762,7 @@ replica: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true @@ -776,6 +795,9 @@ replica: ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies ## podManagementPolicy: "" + ## @param replica.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param replica.hostAliases Redis® replicas pods host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -823,7 +845,7 @@ replica: ## affinity: {} ## @param replica.nodeSelector Node labels for Redis® replicas pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param replica.tolerations Tolerations for Redis® replicas pods assignment @@ -886,7 +908,7 @@ replica: ## initContainers: [] ## Persistence Parameters - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param replica.persistence.enabled Enable persistence on Redis® replicas nodes using Persistent Volume Claims @@ -1037,7 +1059,7 @@ replica: serviceAccount: ## @param replica.serviceAccount.create Specifies whether a ServiceAccount should be created ## - create: false + create: true ## @param replica.serviceAccount.name The name of the ServiceAccount to use. ## If not set and create is true, a name is generated using the common.names.fullname template ## 
@@ -1045,7 +1067,7 @@ replica: ## @param replica.serviceAccount.automountServiceAccountToken Whether to auto mount the service account token ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param replica.serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} @@ -1071,11 +1093,11 @@ sentinel: image: registry: docker.io repository: bitnami/redis-sentinel - tag: 7.2.4-debian-11-r0 + tag: 7.2.4-debian-11-r3 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1213,7 +1235,7 @@ sentinel: ## customReadinessProbe: {} ## Persistence parameters - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param sentinel.persistence.enabled Enable persistence on Redis® sentinel nodes using Persistent Volume Claims (Experimental) @@ -1265,7 +1287,7 @@ sentinel: whenScaled: Retain whenDeleted: Retain ## Redis® Sentinel resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param sentinel.resources.limits The resources limits for the Redis® Sentinel containers ## @param sentinel.resources.requests The requested resources for the Redis® Sentinel containers ## 
@@ -1275,6 +1297,7 @@ sentinel: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param sentinel.containerSecurityContext.enabled Enabled Redis® Sentinel containers' Security Context + ## @param sentinel.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param sentinel.containerSecurityContext.runAsUser Set Redis® Sentinel containers' Security Context runAsUser ## @param sentinel.containerSecurityContext.runAsGroup Set Redis® Sentinel containers' Security Context runAsGroup ## @param sentinel.containerSecurityContext.runAsNonRoot Set Redis® Sentinel containers' Security Context runAsNonRoot @@ -1284,6 +1307,7 @@ sentinel: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true @@ -1487,7 +1511,7 @@ serviceAccount: ## @param serviceAccount.automountServiceAccountToken Whether to auto mount the service account token ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} @@ -1554,7 +1578,7 @@ metrics: image: registry: docker.io repository: bitnami/redis-exporter - tag: 1.56.0-debian-11-r0 + tag: 1.56.0-debian-11-r1 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -1641,6 +1665,7 @@ metrics: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param metrics.containerSecurityContext.enabled Enabled Redis® exporter containers' Security Context + ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser Set Redis® exporter containers' Security Context runAsUser ## @param metrics.containerSecurityContext.runAsGroup Set Redis® exporter containers' Security Context runAsGroup ## @param metrics.containerSecurityContext.runAsNonRoot Set Redis® exporter containers' Security Context runAsNonRoot @@ -1650,6 +1675,7 @@ metrics: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true @@ -1666,7 +1692,7 @@ metrics: ## extraVolumeMounts: [] ## Redis® exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param metrics.resources.limits The resources limits for the Redis® exporter container ## @param metrics.resources.requests The requested resources for the Redis® exporter container ## @@ -1870,7 +1896,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r93 + tag: 11-debian-11-r94 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -1882,7 +1908,7 @@ volumePermissions: ## pullSecrets: [] ## Init container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param volumePermissions.resources.limits The resources limits for the init container ## @param volumePermissions.resources.requests The requested resources for the init container ## @@ -1891,12 +1917,14 @@ volumePermissions: requests: {} ## Init container Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed) ## containerSecurityContext: + seLinuxOptions: {} runAsUser: 0 ## init-sysctl container parameters @@ -1918,7 +1946,7 @@ sysctl: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r93 + tag: 11-debian-11-r94 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1936,7 +1964,7 @@ sysctl: ## mountHostSys: false ## Init container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param sysctl.resources.limits The resources limits for the init container ## @param sysctl.resources.requests The requested resources for the init container ## 
diff --git a/charts/bitnami/spark/Chart.yaml b/charts/bitnami/spark/Chart.yaml index 0777f9ce5..08bc6dcba 100644 --- a/charts/bitnami/spark/Chart.yaml +++ b/charts/bitnami/spark/Chart.yaml @@ -6,7 +6,7 @@ annotations: category: Infrastructure images: | - name: spark - image: docker.io/bitnami/spark:3.5.0-debian-11-r17 + image: docker.io/bitnami/spark:3.5.0-debian-11-r18 licenses: Apache-2.0 apiVersion: v2 appVersion: 3.5.0 @@ -30,4 +30,4 @@ maintainers: name: spark sources: - https://github.com/bitnami/charts/tree/main/bitnami/spark -version: 8.1.8 +version: 8.3.0 diff --git a/charts/bitnami/spark/README.md b/charts/bitnami/spark/README.md index ed541540c..6fb4c7a2a 100644 --- a/charts/bitnami/spark/README.md +++ b/charts/bitnami/spark/README.md @@ -102,6 +102,7 @@ The command removes all the Kubernetes components associated with the chart and | `master.containerPorts.http` | Specify the port where the web interface will listen on the master over HTTP | `8080` | | `master.containerPorts.https` | Specify the port where the web interface will listen on the master over HTTPS | `8480` | | `master.containerPorts.cluster` | Specify the port where the master listens to communicate with workers | `7077` | +| `master.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `master.hostAliases` | Deployment pod host aliases | `[]` | | `master.extraContainerPorts` | Specify the port where the running jobs inside the masters listens | `[]` | | `master.daemonMemoryLimit` | Set the memory limit for the master daemon | `""` | 
@@ -110,11 +111,15 @@ The command removes all the Kubernetes components associated with the chart and | `master.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for master nodes | `""` | | `master.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for master nodes | `""` | | `master.podSecurityContext.enabled` | Enable security context | `true` | +| `master.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `master.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `master.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `master.podSecurityContext.fsGroup` | Set master pod's Security Context Group ID | `1001` | | `master.podSecurityContext.runAsUser` | Set master pod's Security Context User ID | `1001` | | `master.podSecurityContext.runAsGroup` | Set master pod's Security Context Group ID | `0` | | `master.podSecurityContext.seLinuxOptions` | Set master pod's Security Context SELinux options | `{}` | | `master.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `master.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `master.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `master.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -177,6 +182,7 @@ The command removes all the Kubernetes components associated with the chart and | `worker.containerPorts.http` | Specify the port where the web interface will listen on the worker over HTTP | `8080` | | `worker.containerPorts.https` | Specify the port where the web interface will listen on the worker over HTTPS | `8480` | | `worker.containerPorts.cluster` | Specify the port where the worker listens to communicate with workers | `""` | +| `worker.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `worker.hostAliases` | Add deployment host aliases | `[]` | | `worker.extraContainerPorts` | Specify the port where the running jobs inside the workers listens | `[]` | | `worker.daemonMemoryLimit` | Set the memory limit for the worker daemon | `""` | 
@@ -190,9 +196,13 @@ The command removes all the Kubernetes components associated with the chart and | `worker.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for worker nodes | `""` | | `worker.replicaCount` | Number of spark workers (will be the minimum number when autoscaling is enabled) | `2` | | `worker.podSecurityContext.enabled` | Enable security context | `true` | +| `worker.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `worker.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `worker.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `worker.podSecurityContext.fsGroup` | Group ID for the container | `1001` | | `worker.podSecurityContext.seLinuxOptions` | SELinux options for the container | `{}` | | `worker.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `worker.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `worker.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `worker.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | diff --git a/charts/bitnami/spark/templates/statefulset-master.yaml b/charts/bitnami/spark/templates/statefulset-master.yaml index f3630d25f..f317afae2 100644 --- a/charts/bitnami/spark/templates/statefulset-master.yaml +++ b/charts/bitnami/spark/templates/statefulset-master.yaml 
@@ -47,6 +47,7 @@ spec:
 podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.master.podAntiAffinityPreset "component" "master" "customLabels" $podLabels "context" $) | nindent 10 }}
 nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.master.nodeAffinityPreset.type "key" .Values.master.nodeAffinityPreset.key "values" .Values.master.nodeAffinityPreset.values) | nindent 10 }}
 {{- end }}
+ automountServiceAccountToken: {{ .Values.master.automountServiceAccountToken }}
 {{- if .Values.master.hostAliases }}
 hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.master.hostAliases "context" $) | nindent 8 }}
 {{- end }}
diff --git a/charts/bitnami/spark/templates/statefulset-worker.yaml b/charts/bitnami/spark/templates/statefulset-worker.yaml
index c43b25dd5..9edfc8598 100644
--- a/charts/bitnami/spark/templates/statefulset-worker.yaml
+++ b/charts/bitnami/spark/templates/statefulset-worker.yaml
@@ -48,6 +48,7 @@ spec:
 podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.worker.podAntiAffinityPreset "component" "worker" "customLabels" $podLabels "context" $) | nindent 10 }}
 nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.worker.nodeAffinityPreset.type "key" .Values.worker.nodeAffinityPreset.key "values" .Values.worker.nodeAffinityPreset.values) | nindent 10 }}
 {{- end }}
+ automountServiceAccountToken: {{ .Values.worker.automountServiceAccountToken }}
 {{- if .Values.worker.hostAliases }}
 hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.worker.hostAliases "context" $) | nindent 8 }}
 {{- end }}
diff --git a/charts/bitnami/spark/values.yaml b/charts/bitnami/spark/values.yaml
index 7d8280ab5..e37cd80c2 100644
--- a/charts/bitnami/spark/values.yaml
+++ b/charts/bitnami/spark/values.yaml
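Review bot: The pod-level `automountServiceAccountToken` added to the master StatefulSet takes precedence over whatever the referenced ServiceAccount declares, so with the `false` default no container in the pod receives a projected token, including any extra containers a user injects into the pod; the worker StatefulSet hunk that follows has the same property. That is the intended hardening, but the parameter description in values.yaml (`Mount Service Account token in pod`) does not say this is the authoritative switch; consider `## @param master.automountServiceAccountToken Mount Service Account token in pod (overrides the ServiceAccount setting; set to true if any container in the pod needs the Kubernetes API)` and the same for the worker. The value is emitted without a type check, which is fine for a boolean but renders an empty field if a user clears it. The enclosing pod spec starts and ends outside the hunk.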
@@ -95,7 +95,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/spark - tag: 3.5.0-debian-11-r17 + tag: 3.5.0-debian-11-r18 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -136,6 +136,9 @@ master: http: 8080 https: 8480 cluster: 7077 + ## @param master.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param master.hostAliases Deployment pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -170,6 +173,9 @@ master: ## Kubernetes Pods Security Context ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param master.podSecurityContext.enabled Enable security context + ## @param master.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param master.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param master.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param master.podSecurityContext.fsGroup Set master pod's Security Context Group ID ## @param master.podSecurityContext.runAsUser Set master pod's Security Context User ID ## @param master.podSecurityContext.runAsGroup Set master pod's Security Context Group ID @@ -177,6 +183,9 @@ master: ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 runAsUser: 1001 runAsGroup: 0 
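Review bot: `master.podSecurityContext.sysctls: []` is documented only as `Set kernel settings using the sysctl interface`, which hides that the kubelet admits only the safe sysctl set by default; a pod requesting an unsafe sysctl fails to start unless the node's kubelet is configured with `--allowed-unsafe-sysctls` for that key. Consider `## @param master.podSecurityContext.sysctls Set kernel settings using the sysctl interface (only safe sysctls are accepted unless the kubelet allowlists them)`. The same wording gap exists in the worker `@@ -460` hunk and in the tomcat values.yaml `podSecurityContext` hunk later in this diff. The `podSecurityContext:` block continues past the end of the hunk.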
@@ -184,6 +193,7 @@ master: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param master.containerSecurityContext.enabled Enabled containers' Security Context + ## @param master.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param master.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param master.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param master.containerSecurityContext.privileged Set container's Security Context privileged @@ -194,6 +204,7 @@ master: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -411,6 +422,9 @@ worker: http: 8080 https: 8480 cluster: "" + ## @param worker.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param worker.hostAliases Add deployment host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## 
@@ -460,16 +474,23 @@ worker: ## Kubernetes Pods Security Context ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param worker.podSecurityContext.enabled Enable security context + ## @param worker.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param worker.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param worker.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param worker.podSecurityContext.fsGroup Group ID for the container ## @param worker.podSecurityContext.seLinuxOptions SELinux options for the container ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 seLinuxOptions: {} ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param worker.containerSecurityContext.enabled Enabled containers' Security Context + ## @param worker.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param worker.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param worker.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param worker.containerSecurityContext.privileged Set container's Security Context privileged @@ -480,6 +501,7 @@ worker: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false diff --git a/charts/bitnami/tomcat/Chart.yaml b/charts/bitnami/tomcat/Chart.yaml index fe0862a20..a78ece135 100644 --- a/charts/bitnami/tomcat/Chart.yaml +++ b/charts/bitnami/tomcat/Chart.yaml 
@@ -8,7 +8,7 @@ annotations: - name: jmx-exporter image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r3 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r93 + image: docker.io/bitnami/os-shell:11-debian-11-r94 - name: tomcat image: docker.io/bitnami/tomcat:10.1.18-debian-11-r0 licenses: Apache-2.0 @@ -38,4 +38,4 @@ maintainers: name: tomcat sources: - https://github.com/bitnami/charts/tree/main/bitnami/tomcat -version: 10.11.11 +version: 10.13.0 diff --git a/charts/bitnami/tomcat/README.md b/charts/bitnami/tomcat/README.md index 6b25191b8..437ab3a37 100644 --- a/charts/bitnami/tomcat/README.md +++ b/charts/bitnami/tomcat/README.md 
@@ -79,24 +79,25 @@ The command removes all the Kubernetes components associated with the chart and ### Tomcat parameters -| Name | Description | Value | -| ----------------------------- | ------------------------------------------------------------------------------------------------------ | ------------------------ | -| `image.registry` | Tomcat image registry | `REGISTRY_NAME` | -| `image.repository` | Tomcat image repository | `REPOSITORY_NAME/tomcat` | -| `image.digest` | Tomcat image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | Tomcat image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `image.debug` | Specify if debug logs should be enabled | `false` | -| `hostAliases` | Deployment pod host aliases | `[]` | -| `tomcatUsername` | Tomcat admin user | `user` | -| `tomcatPassword` | Tomcat admin password | `""` | -| `tomcatAllowRemoteManagement` | Enable remote access to management interface | `0` | -| `catalinaOpts` | Java runtime option used by tomcat JVM | `""` | -| `command` | Override default container command (useful when using custom images) | `[]` | -| `args` | Override default container args (useful when using custom images) | `[]` | -| `extraEnvVars` | Extra environment variables to be set on Tomcat container | `[]` | -| `extraEnvVarsCM` | Name of existing ConfigMap containing extra environment variables | `""` | -| `extraEnvVarsSecret` | Name of existing Secret containing extra environment variables | `""` | +| Name | Description | Value | +| ------------------------------ | ------------------------------------------------------------------------------------------------------ | ------------------------ | +| `image.registry` | Tomcat image registry | `REGISTRY_NAME` | +| `image.repository` | Tomcat image repository | `REPOSITORY_NAME/tomcat` | +| `image.digest` | Tomcat image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | Tomcat image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Specify if debug logs should be enabled | `false` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `hostAliases` | Deployment pod host aliases | `[]` | +| `tomcatUsername` | Tomcat admin user | `user` | +| `tomcatPassword` | Tomcat admin password | `""` | +| `tomcatAllowRemoteManagement` | Enable remote access to management interface | `0` | +| `catalinaOpts` | Java runtime option used by tomcat JVM | `""` | +| `command` | Override default container command (useful when using custom images) | `[]` | +| `args` | Override default container args (useful when using custom images) | `[]` | +| `extraEnvVars` | Extra environment variables to be set on Tomcat container | `[]` | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra environment variables | `""` | +| `extraEnvVarsSecret` | Name of existing Secret containing extra environment variables | `""` | ### Tomcat deployment parameters 
@@ -108,8 +109,12 @@ The command removes all the Kubernetes components associated with the chart and | `containerPorts.http` | HTTP port to expose at container level | `8080` | | `containerExtraPorts` | Extra ports to expose at container level | `[]` | | `podSecurityContext.enabled` | Enable Tomcat pods' Security Context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.fsGroup` | Set Tomcat pod's Security Context fsGroup | `1001` | | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -170,6 +175,10 @@ The command removes all the Kubernetes components associated with the chart and | `networkPolicy.enabled` | Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. | `false` | | `networkPolicy.allowExternal` | Don't require client label for connections | `true` | | `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed | `{}` | +| `serviceAccount.create` | Enable creation of ServiceAccount for Tomcat pod | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | +| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | ### Traffic Exposure parameters @@ -228,6 +237,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.jmx.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | | `metrics.jmx.config` | Configuration file for JMX exporter | `""` | | `metrics.jmx.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `metrics.jmx.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `metrics.jmx.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `metrics.jmx.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `metrics.jmx.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | diff --git a/charts/bitnami/tomcat/templates/_helpers.tpl b/charts/bitnami/tomcat/templates/_helpers.tpl index 03ecbece6..eda7739b4 100644 --- a/charts/bitnami/tomcat/templates/_helpers.tpl +++ b/charts/bitnami/tomcat/templates/_helpers.tpl 
@@ -55,6 +55,17 @@ Check if there are rolling tags in the images
 {{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
 {{- end -}}
 
+{{/*
+ Create the name of the service account to use
+ */}}
+{{- define "tomcat.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Expand the name of the chart.
 */}}
diff --git a/charts/bitnami/tomcat/templates/_pod.tpl b/charts/bitnami/tomcat/templates/_pod.tpl
index c3b0564c2..aba36ad8b 100644
--- a/charts/bitnami/tomcat/templates/_pod.tpl
+++ b/charts/bitnami/tomcat/templates/_pod.tpl
@@ -8,6 +8,7 @@ Pod Spec
 */}}
 {{- define "tomcat.pod" -}}
 {{- include "tomcat.imagePullSecrets" . }}
+automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
 {{- if .Values.hostAliases }}
 hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 2 }}
 {{- end }}
@@ -20,6 +21,7 @@ affinity:
 podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 4 }}
 nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 4 }}
 {{- end }}
+serviceAccountName: {{ include "tomcat.serviceAccountName" . }}
 {{- if .Values.schedulerName }}
 schedulerName: {{ .Values.schedulerName | quote }}
 {{- end }}
diff --git a/charts/bitnami/tomcat/templates/serviceaccount.yaml b/charts/bitnami/tomcat/templates/serviceaccount.yaml
new file mode 100644
index 000000000..523ad7212
--- /dev/null
+++ b/charts/bitnami/tomcat/templates/serviceaccount.yaml
@@ -0,0 +1,18 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "tomcat.serviceAccountName" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end -}}
diff --git a/charts/bitnami/tomcat/values.yaml b/charts/bitnami/tomcat/values.yaml
index 1130971d1..581d224f4 100644
--- a/charts/bitnami/tomcat/values.yaml
+++ b/charts/bitnami/tomcat/values.yaml
@@ -65,7 +65,7 @@ image:
 digest: ""
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
 ##
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
@@ -79,6 +79,9 @@ image:
 ## Set to true if you would like to see extra information on logs
 ##
 debug: false
+## @param automountServiceAccountToken Mount Service Account token in pod
+##
+automountServiceAccountToken: false
 ## @param hostAliases Deployment pod host aliases
 ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
 ##
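Review bot: Because `serviceAccount.create` defaults to `true` and `_pod.tpl` now emits `serviceAccountName: {{ include "tomcat.serviceAccountName" . }}`, upgrading an existing release creates a new ServiceAccount and moves the Tomcat pods off the namespace's `default` ServiceAccount, so any RoleBinding or image-pull-secret a user attached to `default` silently stops applying to these pods; this deserves a line in the chart's upgrade notes. The `automountServiceAccountToken` written on the ServiceAccount here is only a fallback, since the pod-level field that `_pod.tpl` also renders takes precedence; a short template comment such as `{{- /* pod-level automountServiceAccountToken in _pod.tpl overrides this value */ -}}` above that line would save the next reader a lookup. The hunk covers the entire new file.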
@@ -152,14 +155,21 @@ containerExtraPorts: [] ## Tomcat pods' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param podSecurityContext.enabled Enable Tomcat pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups ## @param podSecurityContext.fsGroup Set Tomcat pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Tomcat containers' SecurityContext ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param containerSecurityContext.privileged Set container's Security Context privileged @@ -170,6 +180,7 @@ podSecurityContext: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false 
@@ -180,7 +191,7 @@ containerSecurityContext: seccompProfile: type: "RuntimeDefault" ## Tomcat containers' resource requests and limits -## ref: https://kubernetes.io/docs/user-guide/compute-resources/ +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -296,7 +307,7 @@ nodeAffinityPreset: ## affinity: {} ## @param nodeSelector Node labels for pod assignment. Evaluated as a template. -## ref: https://kubernetes.io/docs/user-guide/node-selection/ +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param schedulerName Alternative scheduler @@ -353,7 +364,7 @@ initContainers: [] ## sidecars: [] ## Enable persistence using Persistent Volume Claims -## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ +## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param persistence.enabled Enable persistence 
@@ -409,6 +420,26 @@ networkPolicy: ## - {key: role, operator: In, values: [frontend]} ## explicitNamespacesSelector: {} + +## Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.create Enable creation of ServiceAccount for Tomcat pod + ## + create: true + ## @param serviceAccount.name The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## Can be set to false if pods using this serviceAccount do not need to use K8s API + ## + automountServiceAccountToken: false + ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} + ## @section Traffic Exposure parameters ## @@ -487,7 +518,7 @@ ingress: hostname: tomcat.local ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. ## For a full list of possible ingress annotations, please see - ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md + ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md ## Use this parameter to set the required annotations for cert-manager, see ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations ## @@ -597,7 +628,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r93 + tag: 11-debian-11-r94 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
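Review bot: The comment `## Can be set to false if pods using this serviceAccount do not need to use K8s API` under `serviceAccount.automountServiceAccountToken` is misleading for this chart, because the Tomcat pod spec sets its own `automountServiceAccountToken` from the top-level value and the pod-level field takes precedence over the ServiceAccount's. Suggest replacing it with `## Note: the Tomcat pods set automountServiceAccountToken themselves (see the top-level parameter); this value only affects other pods that reuse this ServiceAccount`. The `serviceAccount:` section is complete within the hunk.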
@@ -609,7 +640,7 @@ volumePermissions: ## pullSecrets: [] ## Init container' resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -661,7 +692,7 @@ metrics: digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) @@ -684,6 +715,7 @@ metrics: ## Prometheus JMX exporter containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.jmx.containerSecurityContext.enabled Enabled containers' Security Context + ## @param metrics.jmx.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param metrics.jmx.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param metrics.jmx.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param metrics.jmx.containerSecurityContext.privileged Set container's Security Context privileged @@ -693,6 +725,7 @@ metrics: ## @param metrics.jmx.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false 
@@ -703,7 +736,7 @@ metrics: seccompProfile: type: "RuntimeDefault" ## Prometheus JMX Exporter' resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following diff --git a/charts/bitnami/wordpress/Chart.lock b/charts/bitnami/wordpress/Chart.lock index 3549cfe40..5e6b95297 100644 --- a/charts/bitnami/wordpress/Chart.lock +++ b/charts/bitnami/wordpress/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: memcached repository: oci://registry-1.docker.io/bitnamicharts - version: 6.7.2 + version: 6.9.0 - name: mariadb repository: oci://registry-1.docker.io/bitnamicharts - version: 15.0.1 + version: 15.2.0 - name: common repository: oci://registry-1.docker.io/bitnamicharts version: 2.14.1 -digest: sha256:0f019d585184ae51ee203b1fc7b65ad7105ac3499e87a5c23df020b0d79bcdfd -generated: "2024-01-10T22:14:18.371091937Z" +digest: sha256:1dd88de417e6f8cc74a7d360b942207c5bd9045a1e8d7758913c1e7b8ef142a4 +generated: "2024-01-23T15:28:06.176976429Z" diff --git a/charts/bitnami/wordpress/Chart.yaml b/charts/bitnami/wordpress/Chart.yaml index 02b07b102..672475c45 100644 --- a/charts/bitnami/wordpress/Chart.yaml +++ b/charts/bitnami/wordpress/Chart.yaml 
@@ -6,11 +6,11 @@ annotations: category: CMS images: | - name: apache-exporter - image: docker.io/bitnami/apache-exporter:1.0.5-debian-11-r1 + image: docker.io/bitnami/apache-exporter:1.0.5-debian-11-r3 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r93 + image: docker.io/bitnami/os-shell:11-debian-11-r95 - name: wordpress - image: docker.io/bitnami/wordpress:6.4.2-debian-11-r12 + image: docker.io/bitnami/wordpress:6.4.2-debian-11-r18 licenses: Apache-2.0 apiVersion: v2 appVersion: 6.4.2 @@ -47,4 +47,4 @@ maintainers: name: wordpress sources: - https://github.com/bitnami/charts/tree/main/bitnami/wordpress -version: 19.0.5 +version: 19.2.1 diff --git a/charts/bitnami/wordpress/README.md b/charts/bitnami/wordpress/README.md index 4c17ec257..267716dc5 100644 --- a/charts/bitnami/wordpress/README.md +++ b/charts/bitnami/wordpress/README.md @@ -147,6 +147,7 @@ The command removes all the Kubernetes components associated with the chart and | `terminationGracePeriodSeconds` | In seconds, time given to the WordPress pod to terminate gracefully | `""` | | `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | | `priorityClassName` | Name of the existing priority class to be used by WordPress pods, priority class needs to be created beforehand | `""` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `hostAliases` | WordPress pod host aliases | `[]` | | `extraVolumes` | Optionally specify extra list of additional volumes for WordPress pods | `[]` | | `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for WordPress container(s) | `[]` | 
@@ -169,8 +170,12 @@ The command removes all the Kubernetes components associated with the chart and | `containerPorts.https` | WordPress HTTPS container port | `8443` | | `extraContainerPorts` | Optionally specify extra list of additional ports for WordPress container(s) | `[]` | | `podSecurityContext.enabled` | Enabled WordPress pods' Security Context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.fsGroup` | Set WordPress pod's Security Context fsGroup | `1001` | | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -237,34 +242,35 @@ The command removes all the Kubernetes components associated with the chart and ### Persistence Parameters -| Name | Description | Value | -| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | -------------------------- | -| `persistence.enabled` | Enable persistence using Persistent Volume Claims | `true` | -| `persistence.storageClass` | Persistent Volume storage class | `""` | -| `persistence.accessModes` | Persistent Volume access modes | `[]` | -| `persistence.accessMode` | Persistent Volume access mode (DEPRECATED: use `persistence.accessModes` instead) | `ReadWriteOnce` | -| `persistence.size` | Persistent Volume size | `10Gi` | -| `persistence.dataSource` | Custom PVC data source | `{}` | -| `persistence.existingClaim` | The name of an existing PVC to use for persistence | `""` | -| `persistence.selector` | Selector to match an existing Persistent Volume for WordPress data PVC | `{}` | -| `persistence.annotations` | Persistent Volume Claim annotations | `{}` | -| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | -| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | -| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | -| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | -| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | +| Name | Description | Value | +| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | -------------------------- | +| `persistence.enabled` | Enable persistence using Persistent Volume Claims | `true` | +| `persistence.storageClass` | Persistent Volume storage class | `""` | +| `persistence.accessModes` | Persistent Volume access modes | `[]` | +| `persistence.accessMode` | Persistent Volume access mode (DEPRECATED: use `persistence.accessModes` instead) | `ReadWriteOnce` | +| `persistence.size` | Persistent Volume size | `10Gi` | +| `persistence.dataSource` | Custom PVC data source | `{}` | +| `persistence.existingClaim` | The name of an existing PVC to use for persistence | `""` | +| `persistence.selector` | Selector to match an existing Persistent Volume for WordPress data PVC | `{}` | +| `persistence.annotations` | Persistent Volume Claim annotations | `{}` | +| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | +| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | ### Other Parameters | Name | Description | Value | | --------------------------------------------- | ---------------------------------------------------------------------- | ------- | -| `serviceAccount.create` | Enable creation of ServiceAccount for WordPress pod | `false` | +| `serviceAccount.create` | Enable creation of ServiceAccount for WordPress pod | `true` | | `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | | `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | | `pdb.create` | Enable a Pod Disruption Budget creation | `false` | | `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `1` | 
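Review bot: The `serviceAccount.create` default flips from `false` to `true` and `serviceAccount.automountServiceAccountToken` from `true` to `false` in this table, but no matching entry under an upgrade section appears in this chunk, and the change is upgrade-visible: a release that previously ran with `create: false` presumably used the namespace's default ServiceAccount, so after upgrade the pod switches to a chart-managed account and any RoleBinding granted to the old one silently stops applying. The description "Allows auto mount of ServiceAccountToken on the serviceAccount created" also leaves out that the pod-level `automountServiceAccountToken` row added in the earlier hunk (@@ -147) takes precedence over the ServiceAccount-level setting, so flipping only this one has no effect on the pod. If the table is generated from the `@param` comments in values.yaml (as the mariadb values hunks later in this diff suggest), the wording fix belongs there, e.g. `Allows auto mount of ServiceAccountToken on the serviceAccount created (the pod-level automountServiceAccountToken value takes precedence)`. The memcached README hunk (@@ -189) makes the same default flips and needs the same upgrade note.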
@@ -310,6 +316,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.resources.limits` | The resources limits for the Prometheus exporter container | `{}` | | `metrics.resources.requests` | The requested resources for the Prometheus exporter container | `{}` | | `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | diff --git a/charts/bitnami/wordpress/charts/mariadb/Chart.yaml b/charts/bitnami/wordpress/charts/mariadb/Chart.yaml index 6fd7a1572..3a51ab5e1 100644 --- a/charts/bitnami/wordpress/charts/mariadb/Chart.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/Chart.yaml @@ -2,11 +2,11 @@ annotations: category: Database images: | - name: mariadb - image: docker.io/bitnami/mariadb:11.2.2-debian-11-r1 + image: docker.io/bitnami/mariadb:11.2.2-debian-11-r3 - name: mysqld-exporter - image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r0 + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r2 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r92 + image: docker.io/bitnami/os-shell:11-debian-11-r94 licenses: Apache-2.0 apiVersion: v2 appVersion: 11.2.2 @@ -33,4 +33,4 @@ maintainers: name: mariadb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mariadb -version: 15.0.1 +version: 15.2.0 diff --git a/charts/bitnami/wordpress/charts/mariadb/README.md b/charts/bitnami/wordpress/charts/mariadb/README.md index c1e71d02e..37350bf2a 100644 --- a/charts/bitnami/wordpress/charts/mariadb/README.md 
+++ b/charts/bitnami/wordpress/charts/mariadb/README.md @@ -114,6 +114,7 @@ The command removes all the Kubernetes components associated with the chart and | `primary.command` | Override default container command on MariaDB Primary container(s) (useful when using custom images) | `[]` | | `primary.args` | Override default container args on MariaDB Primary container(s) (useful when using custom images) | `[]` | | `primary.lifecycleHooks` | for the MariaDB Primary container(s) to automate configuration before or after startup | `{}` | +| `primary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `primary.hostAliases` | Add deployment host aliases | `[]` | | `primary.configuration` | MariaDB Primary configuration to be injected as ConfigMap | `""` | | `primary.existingConfigmap` | Name of existing ConfigMap with MariaDB Primary configuration. | `""` | 
@@ -135,8 +136,12 @@ The command removes all the Kubernetes components associated with the chart and | `primary.priorityClassName` | Priority class for MariaDB primary pods assignment | `""` | | `primary.runtimeClassName` | Runtime Class for MariaDB primary pods | `""` | | `primary.podSecurityContext.enabled` | Enable security context for MariaDB primary pods | `true` | +| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | | `primary.containerSecurityContext.enabled` | MariaDB primary container securityContext | `true` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `primary.containerSecurityContext.runAsUser` | User ID for the MariaDB primary container | `1001` | | `primary.containerSecurityContext.runAsNonRoot` | Set primary container's Security Context runAsNonRoot | `true` | | `primary.containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` | 
@@ -210,6 +215,7 @@ The command removes all the Kubernetes components associated with the chart and | `secondary.command` | Override default container command on MariaDB Secondary container(s) (useful when using custom images) | `[]` | | `secondary.args` | Override default container args on MariaDB Secondary container(s) (useful when using custom images) | `[]` | | `secondary.lifecycleHooks` | for the MariaDB Secondary container(s) to automate configuration before or after startup | `{}` | +| `secondary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `secondary.hostAliases` | Add deployment host aliases | `[]` | | `secondary.configuration` | MariaDB Secondary configuration to be injected as ConfigMap | `""` | | `secondary.existingConfigmap` | Name of existing ConfigMap with MariaDB Secondary configuration. | `""` | 
@@ -231,8 +237,12 @@ The command removes all the Kubernetes components associated with the chart and | `secondary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | | `secondary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB secondary pods | `""` | | `secondary.podSecurityContext.enabled` | Enable security context for MariaDB secondary pods | `true` | +| `secondary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `secondary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `secondary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | | `secondary.containerSecurityContext.enabled` | MariaDB secondary container securityContext | `true` | +| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `secondary.containerSecurityContext.runAsUser` | User ID for the MariaDB secondary container | `1001` | | `secondary.containerSecurityContext.runAsNonRoot` | Set secondary container's Security Context runAsNonRoot | `true` | | `secondary.containerSecurityContext.privileged` | Set secondary container's Security Context privileged | `false` | 
@@ -333,6 +343,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.extraArgs` | Extra args to be passed to mysqld_exporter | `{}` | | `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB metrics container(s) | `{}` | | `metrics.containerSecurityContext.enabled` | Enable security context for MariaDB metrics container | `false` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `metrics.containerSecurityContext.runAsUser` | User ID for the MariaDB metrics container | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set metrics container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` | @@ -414,7 +425,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/maria ## Configuration and installation details -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. @@ -567,7 +578,7 @@ kubectl delete statefulset opencart-mariadb --cascade=false ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/wordpress/charts/mariadb/templates/primary/statefulset.yaml b/charts/bitnami/wordpress/charts/mariadb/templates/primary/statefulset.yaml index 4b1369b67..40d78eb9f 100644 
--- a/charts/bitnami/wordpress/charts/mariadb/templates/primary/statefulset.yaml
+++ b/charts/bitnami/wordpress/charts/mariadb/templates/primary/statefulset.yaml
@@ -37,6 +37,7 @@ spec:
 app.kubernetes.io/component: primary
 spec:
 {{- include "mariadb.imagePullSecrets" . | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.primary.automountServiceAccountToken }}
 {{- if .Values.primary.hostAliases }}
 hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }}
 {{- end }}
diff --git a/charts/bitnami/wordpress/charts/mariadb/templates/secondary/statefulset.yaml b/charts/bitnami/wordpress/charts/mariadb/templates/secondary/statefulset.yaml
index 82d4de9dd..7419178cb 100644
--- a/charts/bitnami/wordpress/charts/mariadb/templates/secondary/statefulset.yaml
+++ b/charts/bitnami/wordpress/charts/mariadb/templates/secondary/statefulset.yaml
@@ -43,6 +43,7 @@ spec:
 schedulerName: {{ (coalesce .Values.secondary.schedulerName .Values.schedulerName) | quote }}
 {{- end }}
 serviceAccountName: {{ template "mariadb.serviceAccountName" . }}
+ automountServiceAccountToken: {{ .Values.secondary.automountServiceAccountToken }}
 {{- if .Values.secondary.hostAliases }}
 hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.hostAliases "context" $) | nindent 8 }}
 {{- end }}
diff --git a/charts/bitnami/wordpress/charts/mariadb/values.yaml b/charts/bitnami/wordpress/charts/mariadb/values.yaml
index feda971a7..dac39b648 100644
--- a/charts/bitnami/wordpress/charts/mariadb/values.yaml
+++ b/charts/bitnami/wordpress/charts/mariadb/values.yaml
@@ -90,11 +90,11 @@ serviceBindings:
 image:
 registry: docker.io
 repository: bitnami/mariadb
- tag: 11.2.2-debian-11-r1
+ tag: 11.2.2-debian-11-r3
 digest: ""
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
 ##
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
@@ -185,6 +185,9 @@ primary:
 ## @param primary.lifecycleHooks for the MariaDB Primary container(s) to automate configuration before or after startup
 ##
 lifecycleHooks: {}
+ ## @param primary.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: false
 ## @param primary.hostAliases Add deployment host aliases
 ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
 ##
@@ -278,7 +281,7 @@ primary:
 ##
 affinity: {}
 ## @param primary.nodeSelector Node labels for MariaDB primary pods assignment
- ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
 ##
 nodeSelector: {}
 ## @param primary.tolerations Tolerations for MariaDB primary pods assignment
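Review bot: The new `primary.automountServiceAccountToken: false` default in hunk @@ -185 carries only the one-line `@param` description "Mount Service Account token in pod", which does not tell the reader how it interacts with `serviceAccount.automountServiceAccountToken` or when to turn it back on. Since the pod-level field takes precedence over the ServiceAccount-level one in Kubernetes, a why-comment below the `@param` line would help: `## Takes precedence over serviceAccount.automountServiceAccountToken; enable only if a container in this pod needs to call the Kubernetes API`. Hunk @@ -589 for `secondary.automountServiceAccountToken`, further down in this values.yaml, needs the same comment.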
@@ -313,14 +316,21 @@ primary:
 ## MariaDB primary Pod security context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param primary.podSecurityContext.enabled Enable security context for MariaDB primary pods
+ ## @param primary.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param primary.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param primary.podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param primary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem
 ##
 podSecurityContext:
 enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
 fsGroup: 1001
 ## MariaDB primary container security context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param primary.containerSecurityContext.enabled MariaDB primary container securityContext
+ ## @param primary.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param primary.containerSecurityContext.runAsUser User ID for the MariaDB primary container
 ## @param primary.containerSecurityContext.runAsNonRoot Set primary container's Security Context runAsNonRoot
 ## @param primary.containerSecurityContext.privileged Set primary container's Security Context privileged
@@ -330,6 +340,7 @@ primary:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
@@ -339,7 +350,7 @@ primary: seccompProfile: type: "RuntimeDefault" ## MariaDB primary container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -446,7 +457,7 @@ primary: ## extraEnvVarsSecret: "" ## Enable persistence using Persistent Volume Claims - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param primary.persistence.enabled Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir @@ -589,6 +600,9 @@ secondary: ## @param secondary.lifecycleHooks for the MariaDB Secondary container(s) to automate configuration before or after startup ## lifecycleHooks: {} + ## @param secondary.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param secondary.hostAliases Add deployment host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -680,7 +694,7 @@ secondary: ## affinity: {} ## @param secondary.nodeSelector Node labels for MariaDB secondary pods assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param secondary.tolerations Tolerations for MariaDB secondary pods assignment 
@@ -715,14 +729,21 @@ secondary:
 ## MariaDB secondary Pod security context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param secondary.podSecurityContext.enabled Enable security context for MariaDB secondary pods
+ ## @param secondary.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param secondary.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param secondary.podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param secondary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem
 ##
 podSecurityContext:
 enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
 fsGroup: 1001
 ## MariaDB secondary container security context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param secondary.containerSecurityContext.enabled MariaDB secondary container securityContext
+ ## @param secondary.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param secondary.containerSecurityContext.runAsUser User ID for the MariaDB secondary container
 ## @param secondary.containerSecurityContext.runAsNonRoot Set secondary container's Security Context runAsNonRoot
 ## @param secondary.containerSecurityContext.privileged Set secondary container's Security Context privileged
@@ -732,6 +753,7 @@ secondary:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
@@ -741,7 +763,7 @@ secondary: seccompProfile: type: "RuntimeDefault" ## MariaDB secondary container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -848,7 +870,7 @@ secondary: ## extraEnvVarsSecret: "" ## Enable persistence using Persistent Volume Claims - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param secondary.persistence.enabled Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim` @@ -1016,7 +1038,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r92 + tag: 11-debian-11-r94 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) @@ -1052,7 +1074,7 @@ metrics: image: registry: docker.io repository: bitnami/mysqld-exporter - tag: 0.15.1-debian-11-r0 + tag: 0.15.1-debian-11-r2 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) 
@@ -1116,6 +1138,7 @@ metrics:
 ## MariaDB metrics container Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param metrics.containerSecurityContext.enabled Enable security context for MariaDB metrics container
+ ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param metrics.containerSecurityContext.runAsUser User ID for the MariaDB metrics container
 ## @param metrics.containerSecurityContext.runAsNonRoot Set metrics container's Security Context runAsNonRoot
 ## @param metrics.containerSecurityContext.privileged Set metrics container's Security Context privileged
@@ -1133,6 +1156,7 @@ metrics:
 enabled: false
 privileged: false
 runAsNonRoot: true
+ seLinuxOptions: {}
 runAsUser: 1001
 allowPrivilegeEscalation: false
 capabilities:
@@ -1140,7 +1164,7 @@ metrics:
 seccompProfile:
 type: "RuntimeDefault"
 ## Mysqld Prometheus exporter resource requests and limits
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
 ## We usually recommend not to specify default resources and to leave this as a conscious
 ## choice for the user. This also increases chances charts run on environments with little
 ## resources, such as Minikube. If you do want to specify resources, uncomment the following
diff --git a/charts/bitnami/wordpress/charts/memcached/Chart.yaml b/charts/bitnami/wordpress/charts/memcached/Chart.yaml
index 714fbde2b..83cb7db78 100644
--- a/charts/bitnami/wordpress/charts/memcached/Chart.yaml
+++ b/charts/bitnami/wordpress/charts/memcached/Chart.yaml
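Review bot: In hunk @@ -1133 the new `seLinuxOptions: {}` is inserted between `runAsNonRoot: true` and `runAsUser: 1001`, whereas the primary and secondary hunks (@@ -330 and @@ -732) place it directly after `enabled:` and the `@param` list in hunk @@ -1116 orders it before `runAsUser`; one consistent order across the three blocks makes them easier to compare. More relevant to the hardening intent, this block's `enabled: false` two lines above the insertion means the metrics exporter's seLinuxOptions, runAsNonRoot and capability settings are presumably not rendered at all unless the user opts in, unlike the primary and secondary containers whose contexts default to `enabled: true`. If that difference is deliberate, a short comment such as `## Disabled by default; set enabled: true to apply the hardened context below to the exporter` would save the next reader from reading it as an oversight.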
@@ -2,14 +2,14 @@ annotations: category: Infrastructure images: | - name: memcached-exporter - image: docker.io/bitnami/memcached-exporter:0.14.2-debian-11-r0 + image: docker.io/bitnami/memcached-exporter:0.14.2-debian-11-r1 - name: memcached - image: docker.io/bitnami/memcached:1.6.22-debian-11-r2 + image: docker.io/bitnami/memcached:1.6.23-debian-11-r0 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r93 + image: docker.io/bitnami/os-shell:11-debian-11-r94 licenses: Apache-2.0 apiVersion: v2 -appVersion: 1.6.22 +appVersion: 1.6.23 dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts @@ -30,4 +30,4 @@ maintainers: name: memcached sources: - https://github.com/bitnami/charts/tree/main/bitnami/memcached -version: 6.7.2 +version: 6.9.0 diff --git a/charts/bitnami/wordpress/charts/memcached/README.md b/charts/bitnami/wordpress/charts/memcached/README.md index 5e8d1c41a..dfa05e94c 100644 --- a/charts/bitnami/wordpress/charts/memcached/README.md +++ b/charts/bitnami/wordpress/charts/memcached/README.md 
@@ -129,8 +129,12 @@ The command removes all the Kubernetes components associated with the chart and | `resources.requests.memory` | The requested memory for the Memcached containers | `256Mi` | | `resources.requests.cpu` | The requested cpu for the Memcached containers | `250m` | | `podSecurityContext.enabled` | Enabled Memcached pods' Security Context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.fsGroup` | Set Memcached pod's Security Context fsGroup | `1001` | | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -138,6 +142,7 @@ The command removes all the Kubernetes components associated with the chart and | `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | | `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `hostAliases` | Add deployment host aliases | `[]` | | `podLabels` | Extra labels for Memcached pods | `{}` | | `podAnnotations` | Annotations for Memcached pods | `{}` | 
@@ -189,9 +194,9 @@ The command removes all the Kubernetes components associated with the chart and | Name | Description | Value | | --------------------------------------------- | ---------------------------------------------------------------------- | ------- | -| `serviceAccount.create` | Enable creation of ServiceAccount for Memcached pod | `false` | +| `serviceAccount.create` | Enable creation of ServiceAccount for Memcached pod | `true` | | `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | | `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | ### Persistence parameters @@ -218,6 +223,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | | `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | | `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | | `metrics.enabled` | Start a side-car prometheus exporter | `false` | | `metrics.image.registry` | Memcached exporter image registry | `REGISTRY_NAME` | 
@@ -229,6 +235,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `metrics.resources.limits` | Init container volume-permissions resource limits | `{}` |
 | `metrics.resources.requests` | Init container volume-permissions resource requests | `{}` |
 | `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
 | `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -298,7 +305,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/memca
 
 ## Configuration and installation details
 
-### [Rolling vs Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
+### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers)
 
 It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
 
@@ -383,7 +390,7 @@ kubectl patch deployment memcached --type=json -p='[{"op": "remove", "path": "/s
 
 ## License
 
-Copyright © 2023 VMware, Inc.
+Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/charts/bitnami/wordpress/charts/memcached/templates/deployment.yaml b/charts/bitnami/wordpress/charts/memcached/templates/deployment.yaml
index 20359c568..da8277251 100644
--- a/charts/bitnami/wordpress/charts/memcached/templates/deployment.yaml
+++ b/charts/bitnami/wordpress/charts/memcached/templates/deployment.yaml
@@ -36,6 +36,7 @@ spec:
 {{- end }}
 spec:
 {{- include "memcached.imagePullSecrets" . | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
 {{- if .Values.hostAliases }}
 hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
 {{- end }}
diff --git a/charts/bitnami/wordpress/charts/memcached/templates/statefulset.yaml b/charts/bitnami/wordpress/charts/memcached/templates/statefulset.yaml
index 5ed8716c1..d0819fd1d 100644
--- a/charts/bitnami/wordpress/charts/memcached/templates/statefulset.yaml
+++ b/charts/bitnami/wordpress/charts/memcached/templates/statefulset.yaml
@@ -40,6 +40,7 @@ spec:
 {{- end }}
 spec:
 {{- include "memcached.imagePullSecrets" . | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
 {{- if .Values.hostAliases }}
 hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
 {{- end }}
diff --git a/charts/bitnami/wordpress/charts/memcached/values.yaml b/charts/bitnami/wordpress/charts/memcached/values.yaml
index 948ce1b27..cdf0bda6b 100644
--- a/charts/bitnami/wordpress/charts/memcached/values.yaml
+++ b/charts/bitnami/wordpress/charts/memcached/values.yaml
@@ -73,11 +73,11 @@ diagnosticMode:
 image:
 registry: docker.io
 repository: bitnami/memcached
- tag: 1.6.22-debian-11-r2
+ tag: 1.6.23-debian-11-r0
 digest: ""
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
 ##
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
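Review bot: The new pod-level `automountServiceAccountToken:` line takes precedence over the ServiceAccount's own `automountServiceAccountToken`, so once this renders, the ServiceAccount-level key (flipped to `false` in values.yaml in this same commit) no longer decides whether a token is mounted into these pods; a user who needs API access must set the top-level `automountServiceAccountToken` value, and setting only `serviceAccount.automountServiceAccountToken: true` has no effect on them. The values comment `## Can be set to false if pods using this serviceAccount do not need to use K8s API` that sits on the ServiceAccount key now points at the wrong knob and should say something like `## Note: the pod-level automountServiceAccountToken value takes precedence over this setting`. The same line is added to the memcached statefulset.yaml in this hunk group, to the wordpress deployment.yaml and to the zookeeper statefulset.yaml further down, so one wording fix in each chart's values.yaml covers all of them. Defaulting both to `false` is the right choice for workloads that never talk to the API server.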
@@ -202,7 +202,7 @@ customStartupProbe: {}
 ##
 lifecycleHooks: {}
 ## Memcached resource requests and limits
-## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
 ## @param resources.limits The resources limits for the Memcached containers
 ## @param resources.requests.memory The requested memory for the Memcached containers
 ## @param resources.requests.cpu The requested cpu for the Memcached containers
@@ -215,14 +215,21 @@ resources:
 ## Configure Pods Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param podSecurityContext.enabled Enabled Memcached pods' Security Context
+## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
+## @param podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param podSecurityContext.fsGroup Set Memcached pod's Security Context fsGroup
 ##
 podSecurityContext:
 enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
 fsGroup: 1001
 ## Configure Container Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param containerSecurityContext.enabled Enabled containers' Security Context
+## @param containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
 ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param containerSecurityContext.privileged Set container's Security Context privileged
@@ -233,6 +240,7 @@ podSecurityContext:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
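Review bot: The new `podSecurityContext.sysctls` knob is documented only as `Set kernel settings using the sysctl interface`, but the API server admits only the kubelet's safe sysctl set by default; anything else is rejected unless the node's kubelet runs with `--allowed-unsafe-sysctls`, and pods carrying unsafe sysctls can only land on nodes configured that way. Suggest extending the `@param` line with `(only safe sysctls are accepted unless the kubelet allows unsafe ones)` or adding `## ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/` next to it, so that someone filling the list knows why their pod stays Pending or is rejected. Whether an empty `sysctls: []` or `seLinuxOptions: {}` is dropped from the rendered manifest depends on the template, which is outside this hunk. The same additions appear in the wordpress and zookeeper values.yaml hunks further down.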
@@ -242,6 +250,9 @@ containerSecurityContext:
 drop: ["ALL"]
 seccompProfile:
 type: "RuntimeDefault"
+## @param automountServiceAccountToken Mount Service Account token in pod
+##
+automountServiceAccountToken: false
 ## @param hostAliases Add deployment host aliases
 ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
 ##
@@ -287,7 +298,7 @@ nodeAffinityPreset:
 ##
 affinity: {}
 ## @param nodeSelector Node labels for pod assignment
-## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
 ##
 nodeSelector: {}
 ## @param tolerations Tolerations for pod assignment
@@ -411,7 +422,7 @@ service:
 memcached: ""
 ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
 ## Values: ClientIP or None
- ## ref: https://kubernetes.io/docs/user-guide/services/
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
 ##
 sessionAffinity: ""
 ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
@@ -426,7 +437,7 @@ service:
 ##
 clusterIP: ""
 ## @param service.loadBalancerIP Memcached service Load Balancer IP
- ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
 ##
 loadBalancerIP: ""
 ## @param service.loadBalancerSourceRanges Memcached service Load Balancer sources
@@ -455,7 +466,7 @@ service:
 serviceAccount:
 ## @param serviceAccount.create Enable creation of ServiceAccount for Memcached pod
 ##
- create: false
+ create: true
 ## @param serviceAccount.name The name of the ServiceAccount to use.
 ## If not set and create is true, a name is generated using the common.names.fullname template
 ##
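Review bot: Flipping the default of `serviceAccount.create` from `false` to `true` changes what an existing release gets on `helm upgrade`: a release that was presumably running under the namespace's default ServiceAccount (with `serviceAccount.name` left empty) now gets a chart-managed ServiceAccount, and the resulting pod-spec change triggers a rollout. A dedicated ServiceAccount is the right direction, since it is what makes per-workload RBAC and token policy possible, but a default flip like this deserves an entry in the README's upgrading notes (outside this diff) so operators are not surprised by the new object and the restart. The same default change is made for wordpress later in the diff.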
@@ -463,7 +474,7 @@ serviceAccount:
 ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
 ## Can be set to false if pods using this serviceAccount do not need to use K8s API
 ##
- automountServiceAccountToken: true
+ automountServiceAccountToken: false
 ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
 ##
 annotations: {}
@@ -471,7 +482,7 @@ serviceAccount:
 ## @section Persistence parameters
 
 ## Enable persistence using Persistent Volume Claims
-## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
+## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
 ##
 persistence:
 ## @param persistence.enabled Enable Memcached data persistence using PVC. If false, use emptyDir
@@ -527,7 +538,7 @@ volumePermissions:
 image:
 registry: docker.io
 repository: bitnami/os-shell
- tag: 11-debian-11-r93
+ tag: 11-debian-11-r94
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
@@ -539,7 +550,7 @@ volumePermissions:
 ##
 pullSecrets: []
 ## Init container resource requests and limits
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
 ## @param volumePermissions.resources.limits Init container volume-permissions resource limits
 ## @param volumePermissions.resources.requests Init container volume-permissions resource requests
 ##
@@ -549,9 +560,11 @@ volumePermissions:
 ## Init container' Security Context
 ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
 ## and not the below volumePermissions.containerSecurityContext.runAsUser
+ ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container
 ##
 containerSecurityContext:
+ seLinuxOptions: {}
 runAsUser: 0
 
 ## Prometheus Exporter / Metrics
@@ -572,7 +585,7 @@ metrics:
 image:
 registry: docker.io
 repository: bitnami/memcached-exporter
- tag: 0.14.2-debian-11-r0
+ tag: 0.14.2-debian-11-r1
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
@@ -588,7 +601,7 @@ metrics:
 containerPorts:
 metrics: 9150
 ## Memcached Prometheus exporter container resource requests and limits
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
 ## @param metrics.resources.limits Init container volume-permissions resource limits
 ## @param metrics.resources.requests Init container volume-permissions resource requests
 ##
@@ -598,6 +611,7 @@ metrics:
 ## Configure Metrics Container Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
 ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged
@@ -608,6 +622,7 @@ metrics:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
@@ -689,7 +704,7 @@ metrics:
 clusterIP: ""
 ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin
 ## Values: ClientIP or None
- ## ref: https://kubernetes.io/docs/user-guide/services/
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
 ##
 sessionAffinity: None
 ## @param metrics.service.annotations [object] Annotations for the Prometheus metrics service
diff --git a/charts/bitnami/wordpress/templates/deployment.yaml b/charts/bitnami/wordpress/templates/deployment.yaml
index 58ce25f08..e6843020a 100644
--- a/charts/bitnami/wordpress/templates/deployment.yaml
+++ b/charts/bitnami/wordpress/templates/deployment.yaml
@@ -39,6 +39,7 @@ spec:
 {{- end }}
 spec:
 {{- include "wordpress.imagePullSecrets" . | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
 {{- if .Values.hostAliases }}
 # yamllint disable rule:indentation
 hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
diff --git a/charts/bitnami/wordpress/values.yaml b/charts/bitnami/wordpress/values.yaml
index eca0300fd..a8fe72984 100644
--- a/charts/bitnami/wordpress/values.yaml
+++ b/charts/bitnami/wordpress/values.yaml
@@ -76,11 +76,11 @@ diagnosticMode:
 image:
 registry: docker.io
 repository: bitnami/wordpress
- tag: 6.4.2-debian-11-r12
+ tag: 6.4.2-debian-11-r18
 digest: ""
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
 ##
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
@@ -291,6 +291,9 @@ topologySpreadConstraints: []
 ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
 ##
 priorityClassName: ""
+## @param automountServiceAccountToken Mount Service Account token in pod
+##
+automountServiceAccountToken: false
 ## @param hostAliases [array] WordPress pod host aliases
 ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
 ##
@@ -366,7 +369,7 @@ nodeAffinityPreset:
 ##
 affinity: {}
 ## @param nodeSelector Node labels for pod assignment
-## ref: https://kubernetes.io/docs/user-guide/node-selection/
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
 ##
 nodeSelector: {}
 ## @param tolerations Tolerations for pod assignment
@@ -374,7 +377,7 @@ nodeSelector: {}
 ##
 tolerations: []
 ## WordPress containers' resource requests and limits
-## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
 ## @param resources.limits The resources limits for the WordPress containers
 ## @param resources.requests.memory The requested memory for the WordPress containers
 ## @param resources.requests.cpu The requested cpu for the WordPress containers
@@ -401,14 +404,21 @@ extraContainerPorts: []
 ## Configure Pods Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param podSecurityContext.enabled Enabled WordPress pods' Security Context
+## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
+## @param podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param podSecurityContext.fsGroup Set WordPress pod's Security Context fsGroup
 ##
 podSecurityContext:
 enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
 fsGroup: 1001
 ## Configure Container Security Context (only main container)
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param containerSecurityContext.enabled Enabled containers' Security Context
+## @param containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
 ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param containerSecurityContext.privileged Set container's Security Context privileged
@@ -419,6 +429,7 @@ podSecurityContext:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
@@ -558,7 +569,7 @@ service:
 https: ""
 ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
 ## Values: ClientIP or None
- ## ref: https://kubernetes.io/docs/user-guide/services/
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
 ##
 sessionAffinity: None
 ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
@@ -620,7 +631,7 @@ ingress:
 path: /
 ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
 ## For a full list of possible ingress annotations, please see
- ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
+ ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
 ## Use this parameter to set the required annotations for cert-manager, see
 ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
 ##
@@ -709,7 +720,7 @@ ingress:
 ##
 
 ## Persistence Parameters
-## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
+## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
 ##
 persistence:
 ## @param persistence.enabled Enable persistence using Persistent Volume Claims
@@ -768,7 +779,7 @@ volumePermissions:
 image:
 registry: docker.io
 repository: bitnami/os-shell
- tag: 11-debian-11-r93
+ tag: 11-debian-11-r95
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
@@ -780,7 +791,7 @@ volumePermissions:
 ##
 pullSecrets: []
 ## Init container's resource requests and limits
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
 ## @param volumePermissions.resources.limits The resources limits for the init container
 ## @param volumePermissions.resources.requests The requested resources for the init container
 ##
@@ -790,9 +801,11 @@ volumePermissions:
 ## Init container' Security Context
 ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
 ## and not the below volumePermissions.containerSecurityContext.runAsUser
+ ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container
 ##
 containerSecurityContext:
+ seLinuxOptions: {}
 runAsUser: 0
 
 ## @section Other Parameters
@@ -804,7 +817,7 @@ volumePermissions:
 serviceAccount:
 ## @param serviceAccount.create Enable creation of ServiceAccount for WordPress pod
 ##
- create: false
+ create: true
 ## @param serviceAccount.name The name of the ServiceAccount to use.
 ## If not set and create is true, a name is generated using the common.names.fullname template
 ##
@@ -812,7 +825,7 @@ serviceAccount:
 ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
 ## Can be set to false if pods using this serviceAccount do not need to use K8s API
 ##
- automountServiceAccountToken: true
+ automountServiceAccountToken: false
 ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
 ##
 annotations: {}
@@ -862,7 +875,7 @@ metrics:
 image:
 registry: docker.io
 repository: bitnami/apache-exporter
- tag: 1.0.5-debian-11-r1
+ tag: 1.0.5-debian-11-r3
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
@@ -931,7 +944,7 @@ metrics:
 ##
 customStartupProbe: {}
 ## Prometheus exporter container's resource requests and limits
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
 ## @param metrics.resources.limits The resources limits for the Prometheus exporter container
 ## @param metrics.resources.requests The requested resources for the Prometheus exporter container
 ##
@@ -941,6 +954,7 @@ metrics:
 ## Configure Container Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
 ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged
@@ -951,6 +965,7 @@ metrics:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
@@ -1142,7 +1157,7 @@ mariadb:
 ##
 primary:
 ## MariaDB Primary Persistence parameters
- ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
+ ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
 ## @param mariadb.primary.persistence.enabled Enable persistence on MariaDB using PVC(s)
 ## @param mariadb.primary.persistence.storageClass Persistent Volume storage class
 ## @param mariadb.primary.persistence.accessModes [array] Persistent Volume access modes
diff --git a/charts/bitnami/zookeeper/Chart.yaml b/charts/bitnami/zookeeper/Chart.yaml
index d1ed86c62..12ba6f632 100644
--- a/charts/bitnami/zookeeper/Chart.yaml
+++ b/charts/bitnami/zookeeper/Chart.yaml
@@ -6,7 +6,7 @@ annotations:
 category: Infrastructure
 images: |
 - name: os-shell
- image: docker.io/bitnami/os-shell:11-debian-11-r93
+ image: docker.io/bitnami/os-shell:11-debian-11-r94
 - name: zookeeper
 image: docker.io/bitnami/zookeeper:3.9.1-debian-11-r5
 licenses: Apache-2.0
@@ -30,4 +30,4 @@ maintainers:
 name: zookeeper
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/zookeeper
-version: 12.4.4
+version: 12.6.0
diff --git a/charts/bitnami/zookeeper/README.md b/charts/bitnami/zookeeper/README.md
index 70d4850ef..30ae88d15 100644
--- a/charts/bitnami/zookeeper/README.md
+++ b/charts/bitnami/zookeeper/README.md
@@ -111,8 +111,8 @@ The command removes all the Kubernetes components associated with the chart and
 | `fourlwCommandsWhitelist` | A list of comma separated Four Letter Words commands that can be executed | `srvr, mntr, ruok` |
 | `minServerId` | Minimal SERVER_ID value, nodes increment their IDs respectively | `1` |
 | `listenOnAllIPs` | Allow ZooKeeper to listen for connections from its peers on all available IP addresses | `false` |
-| `autopurge.snapRetainCount` | The most recent snapshots amount (and corresponding transaction logs) to retain | `3` |
-| `autopurge.purgeInterval` | The time interval (in hours) for which the purge task has to be triggered | `0` |
+| `autopurge.snapRetainCount` | The most recent snapshots amount (and corresponding transaction logs) to retain | `10` |
+| `autopurge.purgeInterval` | The time interval (in hours) for which the purge task has to be triggered | `1` |
 | `logLevel` | Log level for the ZooKeeper server. ERROR by default | `ERROR` |
 | `jvmFlags` | Default JVM flags for the ZooKeeper process | `""` |
 | `dataLogDir` | Dedicated data log directory | `""` |
@@ -161,8 +161,12 @@ The command removes all the Kubernetes components associated with the chart and
 | `resources.requests.memory` | The requested memory for the ZooKeeper containers | `256Mi` |
 | `resources.requests.cpu` | The requested cpu for the ZooKeeper containers | `250m` |
 | `podSecurityContext.enabled` | Enabled ZooKeeper pods' Security Context | `true` |
+| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `podSecurityContext.fsGroup` | Set ZooKeeper pod's Security Context fsGroup | `1001` |
 | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
 | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -170,6 +174,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `automountServiceAccountToken` | Mount Service Account token in pod | `false` |
 | `hostAliases` | ZooKeeper pods host aliases | `[]` |
 | `podLabels` | Extra labels for ZooKeeper pods | `{}` |
 | `podAnnotations` | Annotations for ZooKeeper pods | `{}` |
@@ -251,18 +256,19 @@ The command removes all the Kubernetes components associated with the chart and
 
 ### Volume Permissions parameters
 
-| Name | Description | Value |
-| ------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
-| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` |
-| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` |
-| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` |
-| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
-| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` |
-| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` |
-| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` |
-| `volumePermissions.containerSecurityContext.enabled` | Enabled init container Security Context | `true` |
-| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` |
+| Name | Description | Value |
+| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
+| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` |
+| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` |
+| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` |
+| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
+| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` |
+| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` |
+| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` |
+| `volumePermissions.containerSecurityContext.enabled` | Enabled init container Security Context | `true` |
+| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` |
 
 ### Metrics parameters
 
diff --git a/charts/bitnami/zookeeper/templates/statefulset.yaml b/charts/bitnami/zookeeper/templates/statefulset.yaml
index 0aa6ffa34..c09849a4d 100644
--- a/charts/bitnami/zookeeper/templates/statefulset.yaml
+++ b/charts/bitnami/zookeeper/templates/statefulset.yaml
@@ -46,6 +46,7 @@ spec:
 enableServiceLinks: {{ .Values.enableServiceLinks }}
 serviceAccountName: {{ template "zookeeper.serviceAccountName" . }}
 {{- include "zookeeper.imagePullSecrets" . | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
 {{- if .Values.hostAliases }}
 hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
 {{- end }}
diff --git a/charts/bitnami/zookeeper/values.yaml b/charts/bitnami/zookeeper/values.yaml
index a14aa2be8..dd9142de3 100644
--- a/charts/bitnami/zookeeper/values.yaml
+++ b/charts/bitnami/zookeeper/values.yaml
@@ -185,11 +185,11 @@ listenOnAllIPs: false
 autopurge:
 ## @param autopurge.snapRetainCount The most recent snapshots amount (and corresponding transaction logs) to retain
 ##
- snapRetainCount: 3
+ snapRetainCount: 10
 ## @param autopurge.purgeInterval The time interval (in hours) for which the purge task has to be triggered
- ## Set to a positive integer to enable the auto purging
+ ## Set to a positive integer to enable the auto purging. Set to 0 to disable auto purging.
 ##
- purgeInterval: 0
+ purgeInterval: 1
 ## @param logLevel Log level for the ZooKeeper server. ERROR by default
 ## Have in mind if you set it to INFO or WARN the ReadinessProve will produce a lot of logs
 ##
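Review bot: Moving `autopurge.purgeInterval` from `0` to `1` switches automatic snapshot and transaction-log purging on for every existing release at its next upgrade, and with `snapRetainCount: 10` ZooKeeper will start deleting anything older than the ten newest snapshots every hour; an operator who relied on purging being off to keep history around for backups or after-the-fact investigation gets a silent retention change from a minor chart version bump. The reworded comment `Set to 0 to disable auto purging.` is clear on how to get the old behaviour back, but the default flip itself should be called out wherever this chart documents upgrades, which is outside this diff. ZooKeeper enforces a minimum of 3 for `snapRetainCount`, so `10` is a valid value.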
@@ -325,14 +325,21 @@ resources:
 ## Configure Pods Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param podSecurityContext.enabled Enabled ZooKeeper pods' Security Context
+## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
+## @param podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param podSecurityContext.fsGroup Set ZooKeeper pod's Security Context fsGroup
 ##
 podSecurityContext:
 enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
 fsGroup: 1001
 ## Configure Container Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param containerSecurityContext.enabled Enabled containers' Security Context
+## @param containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
 ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param containerSecurityContext.privileged Set container's Security Context privileged
@@ -343,6 +350,7 @@ podSecurityContext:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
@@ -352,6 +360,9 @@ containerSecurityContext:
 drop: ["ALL"]
 seccompProfile:
 type: "RuntimeDefault"
+## @param automountServiceAccountToken Mount Service Account token in pod
+##
+automountServiceAccountToken: false
 ## @param hostAliases ZooKeeper pods host aliases
 ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
 ##
@@ -700,7 +711,7 @@ volumePermissions:
 image:
 registry: docker.io
 repository: bitnami/os-shell
- tag: 11-debian-11-r93
+ tag: 11-debian-11-r94
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
@@ -723,10 +734,12 @@ volumePermissions:
 ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
 ## and not the below volumePermissions.containerSecurityContext.runAsUser
 ## @param volumePermissions.containerSecurityContext.enabled Enabled init container Security Context
+ ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 0
 
 ## @section Metrics parameters
diff --git a/charts/cockroach-labs/cockroachdb/Chart.yaml b/charts/cockroach-labs/cockroachdb/Chart.yaml
index 391f738e1..3e456b8ff 100644
--- a/charts/cockroach-labs/cockroachdb/Chart.yaml
+++ b/charts/cockroach-labs/cockroachdb/Chart.yaml
@@ -4,7 +4,7 @@ annotations:
 catalog.cattle.io/kube-version: '>=1.8-0'
 catalog.cattle.io/release-name: cockroachdb
 apiVersion: v1
-appVersion: 23.1.13
+appVersion: 23.1.14
 description: CockroachDB is a scalable, survivable, strongly-consistent SQL database.
 home: https://www.cockroachlabs.com
 icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png
@@ -14,4 +14,4 @@ maintainers:
 name: cockroachdb
 sources:
 - https://github.com/cockroachdb/cockroach
-version: 11.2.3
+version: 11.2.4
diff --git a/charts/cockroach-labs/cockroachdb/README.md b/charts/cockroach-labs/cockroachdb/README.md
index e363e29dc..513b98b98 100644
--- a/charts/cockroach-labs/cockroachdb/README.md
+++ b/charts/cockroach-labs/cockroachdb/README.md
@@ -229,10 +229,10 @@ kubectl get pods \ ``` ``` -my-release-cockroachdb-0 cockroachdb/cockroach:v23.1.13 -my-release-cockroachdb-1 cockroachdb/cockroach:v23.1.13 -my-release-cockroachdb-2 cockroachdb/cockroach:v23.1.13 -my-release-cockroachdb-3 cockroachdb/cockroach:v23.1.13 +my-release-cockroachdb-0 cockroachdb/cockroach:v23.1.14 +my-release-cockroachdb-1 cockroachdb/cockroach:v23.1.14 +my-release-cockroachdb-2 cockroachdb/cockroach:v23.1.14 +my-release-cockroachdb-3 cockroachdb/cockroach:v23.1.14 ``` Resume normal operations. Once you are comfortable that the stability and performance of the cluster is what you'd expect post-upgrade, finalize the upgrade: @@ -316,7 +316,7 @@ For details see the [`values.yaml`](values.yaml) file. | `conf.store.size` | CockroachDB storage size | `""` | | `conf.store.attrs` | CockroachDB storage attributes | `""` | | `image.repository` | Container image name | `cockroachdb/cockroach` | -| `image.tag` | Container image tag | `v23.1.13` | +| `image.tag` | Container image tag | `v23.1.14` | | `image.pullPolicy` | Container pull policy | `IfNotPresent` | | `image.credentials` | `registry`, `user` and `pass` credentials to pull private image | `{}` | | `statefulset.replicas` | StatefulSet replicas number | `3` | diff --git a/charts/cockroach-labs/cockroachdb/values.yaml b/charts/cockroach-labs/cockroachdb/values.yaml index 084c0b8d5..ea1d0ed8a 100644 --- a/charts/cockroach-labs/cockroachdb/values.yaml +++ b/charts/cockroach-labs/cockroachdb/values.yaml @@ -7,7 +7,7 @@ fullnameOverride: "" image: repository: cockroachdb/cockroach - tag: v23.1.13 + tag: v23.1.14 pullPolicy: IfNotPresent credentials: {} # registry: docker.io diff --git a/charts/datadog/datadog/CHANGELOG.md b/charts/datadog/datadog/CHANGELOG.md index 720bab9a5..3adfbaffb 100644 --- a/charts/datadog/datadog/CHANGELOG.md +++ b/charts/datadog/datadog/CHANGELOG.md 
@@ -1,5 +1,21 @@ # Datadog changelog +## 3.52.0 + +* Allow configuring CWS security profile features and enable drift events by default + +## 3.51.2 + +* Use correct kpi-telemetry-configmap in Cluster Agent and Trace Agent. + +## 3.51.1 + +* Parametrize the name of kpi-telemetry-configmap. + +## 3.51.0 + +* Add `DD_INSTRUMENTATION_INSTALL_TIME`, `DD_INSTRUMENTATION_INSTALL_ID`, `DD_INSTRUMENTATION_INSTALL_TYPE` env variables to the Trace and Cluster agents to support APM Telemetry KPIs. + ## 3.50.5 * Add option to use containerd snapshotter to generate SBOMs. diff --git a/charts/datadog/datadog/Chart.yaml b/charts/datadog/datadog/Chart.yaml index 723b82b3d..a769d1deb 100644 --- a/charts/datadog/datadog/Chart.yaml +++ b/charts/datadog/datadog/Chart.yaml @@ -19,4 +19,4 @@ name: datadog sources: - https://app.datadoghq.com/account/settings#agent/kubernetes - https://github.com/DataDog/datadog-agent -version: 3.50.5 +version: 3.52.0 diff --git a/charts/datadog/datadog/README.md b/charts/datadog/datadog/README.md index 0dee0b41d..c2076ce60 100644 --- a/charts/datadog/datadog/README.md +++ b/charts/datadog/datadog/README.md 
@@ -1,6 +1,6 @@ # Datadog -![Version: 3.50.5](https://img.shields.io/badge/Version-3.50.5-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.52.0](https://img.shields.io/badge/Version-3.52.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). 
@@ -783,7 +783,8 @@ helm install \ | datadog.securityAgent.runtime.fimEnabled | bool | `false` | Set to true to enable Cloud Workload Security (CWS) File Integrity Monitoring | | datadog.securityAgent.runtime.network.enabled | bool | `true` | Set to true to enable the collection of CWS network events | | datadog.securityAgent.runtime.policies.configMap | string | `nil` | Contains CWS policies that will be used | -| datadog.securityAgent.runtime.securityProfile.enabled | bool | `false` | Set to true to enable CWS runtime anomaly detection | +| datadog.securityAgent.runtime.securityProfile.anomalyDetection.enabled | bool | `true` | Set to true to enable CWS runtime drift events | +| datadog.securityAgent.runtime.securityProfile.enabled | bool | `true` | Set to true to enable CWS runtime security profiles | | datadog.securityAgent.runtime.syscallMonitor.enabled | bool | `false` | Set to true to enable the Syscall monitoring (recommended for troubleshooting only) | | datadog.securityContext | object | `{"runAsUser":0}` | Allows you to overwrite the default PodSecurityContext on the Daemonset or Deployment | | datadog.serviceMonitoring.enabled | bool | `false` | Enable Universal Service Monitoring | diff --git a/charts/datadog/datadog/ci/system-probe-activity-dump-values.yaml b/charts/datadog/datadog/ci/system-probe-activity-dump-values.yaml index 0534cf769..cc15afe1f 100644 --- a/charts/datadog/datadog/ci/system-probe-activity-dump-values.yaml +++ b/charts/datadog/datadog/ci/system-probe-activity-dump-values.yaml @@ -7,3 +7,5 @@ datadog: enabled: true activityDump: enabled: true + securityProfile: + enabled: true diff --git a/charts/datadog/datadog/templates/_container-trace-agent.yaml b/charts/datadog/datadog/templates/_container-trace-agent.yaml index af5e5d38d..c14094a09 100644 --- a/charts/datadog/datadog/templates/_container-trace-agent.yaml +++ b/charts/datadog/datadog/templates/_container-trace-agent.yaml 
@@ -50,6 +50,21 @@ - name: DD_DOGSTATSD_SOCKET value: {{ .Values.datadog.dogstatsd.socketPath | quote }} {{- end }} + - name: DD_INSTRUMENTATION_INSTALL_TIME + valueFrom: + configMapKeyRef: + name: {{ template "datadog.fullname" . }}-kpi-telemetry-configmap + key: install_time + - name: DD_INSTRUMENTATION_INSTALL_ID + valueFrom: + configMapKeyRef: + name: {{ template "datadog.fullname" . }}-kpi-telemetry-configmap + key: install_id + - name: DD_INSTRUMENTATION_INSTALL_TYPE + valueFrom: + configMapKeyRef: + name: {{ template "datadog.fullname" . }}-kpi-telemetry-configmap + key: install_type {{- include "additional-env-entries" .Values.agents.containers.traceAgent.env | indent 4 }} {{- include "additional-env-dict-entries" .Values.agents.containers.traceAgent.envDict | indent 4 }} volumeMounts: diff --git a/charts/datadog/datadog/templates/cluster-agent-deployment.yaml b/charts/datadog/datadog/templates/cluster-agent-deployment.yaml index b2ab539ff..636649ee1 100644 --- a/charts/datadog/datadog/templates/cluster-agent-deployment.yaml +++ b/charts/datadog/datadog/templates/cluster-agent-deployment.yaml @@ -328,6 +328,21 @@ spec: value: {{ .Values.datadog.prometheusScrape.version | quote }} {{- end }} {{- end }} + - name: DD_INSTRUMENTATION_INSTALL_TIME + valueFrom: + configMapKeyRef: + name: {{ template "datadog.fullname" . }}-kpi-telemetry-configmap + key: install_time + - name: DD_INSTRUMENTATION_INSTALL_ID + valueFrom: + configMapKeyRef: + name: {{ template "datadog.fullname" . }}-kpi-telemetry-configmap + key: install_id + - name: DD_INSTRUMENTATION_INSTALL_TYPE + valueFrom: + configMapKeyRef: + name: {{ template "datadog.fullname" . }}-kpi-telemetry-configmap + key: install_type {{- include "fips-envvar" . | nindent 10 }} {{- include "additional-env-entries" .Values.clusterAgent.env | indent 10 }} {{- include "additional-env-dict-entries" .Values.clusterAgent.envDict | indent 10 }} 
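Review bot: The three `DD_INSTRUMENTATION_INSTALL_*` env entries are pasted verbatim into both `_container-trace-agent.yaml` and `cluster-agent-deployment.yaml`, so the ConfigMap name and key names have to be kept in sync by hand; the 3.51.1/3.51.2 changelog entries on this page show that name already had to be corrected in both places once. A named template (for example `{{- define "kpi-telemetry-env" -}}` in the chart's helpers file, included with `{{- include "kpi-telemetry-env" . | nindent 4 }}` here and `| nindent 10` in the cluster agent) would make one edit cover both containers. Both enclosing container specs start outside their hunks, so the indent values above are inferred from the neighbouring `include` lines.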
diff --git a/charts/datadog/datadog/templates/kpi-telemetry-configmap.yaml b/charts/datadog/datadog/templates/kpi-telemetry-configmap.yaml new file mode 100644 index 000000000..1ab531945 --- /dev/null +++ b/charts/datadog/datadog/templates/kpi-telemetry-configmap.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "datadog.fullname" . }}-kpi-telemetry-configmap + namespace: {{ .Release.Namespace }} + labels: +{{ include "datadog.labels" . | indent 4 }} +data: + install_id: {{ uuidv4 | quote }} + install_type: k8s_manual + install_time: {{ now | unixEpoch | quote }} diff --git a/charts/datadog/datadog/templates/system-probe-configmap.yaml b/charts/datadog/datadog/templates/system-probe-configmap.yaml index c245ecc9e..233e18fda 100644 --- a/charts/datadog/datadog/templates/system-probe-configmap.yaml +++ b/charts/datadog/datadog/templates/system-probe-configmap.yaml @@ -70,6 +70,10 @@ data: {{ end }} security_profile: enabled: {{ $.Values.datadog.securityAgent.runtime.securityProfile.enabled }} + anomaly_detection: + enabled: {{ $.Values.datadog.securityAgent.runtime.securityProfile.anomalyDetection.enabled }} + auto_suppression: + enabled: false {{- if eq .Values.datadog.systemProbe.seccomp "localhost/system-probe" }} --- diff --git a/charts/datadog/datadog/values.yaml b/charts/datadog/datadog/values.yaml index b6b636f57..40b116eda 100644 --- a/charts/datadog/datadog/values.yaml +++ b/charts/datadog/datadog/values.yaml @@ -773,8 +773,12 @@ datadog: enabled: false securityProfile: - # datadog.securityAgent.runtime.securityProfile.enabled -- Set to true to enable CWS runtime anomaly detection - enabled: false + # datadog.securityAgent.runtime.securityProfile.enabled -- Set to true to enable CWS runtime security profiles + enabled: true + + anomalyDetection: + # datadog.securityAgent.runtime.securityProfile.anomalyDetection.enabled -- Set to true to enable CWS runtime drift events + enabled: true ## Manage NetworkPolicy networkPolicy: 
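Review bot: `install_id: {{ uuidv4 | quote }}` and `install_time: {{ now | unixEpoch | quote }}` are re-evaluated on every render, so each `helm upgrade` writes a fresh ID and timestamp into the ConfigMap and the next trace-agent or cluster-agent restart picks them up via `configMapKeyRef`, which makes the "install" identity the env vars are meant to carry unstable across the life of a release. Reusing the values already stored in the cluster with `lookup`, and only generating new ones on first install, keeps the ID fixed; note that `lookup` returns nothing under `helm template`/`--dry-run`, so those paths still get fresh values. The rewritten data section is below.
```yaml
{{- $cmName := printf "%s-kpi-telemetry-configmap" (include "datadog.fullname" .) }}
{{- $existing := lookup "v1" "ConfigMap" .Release.Namespace $cmName }}
{{- $installId := uuidv4 }}
{{- $installTime := now | unixEpoch }}
{{- if $existing }}
{{- $installId = index $existing.data "install_id" | default $installId }}
{{- $installTime = index $existing.data "install_time" | default $installTime }}
{{- end }}
# … unchanged: apiVersion, kind, metadata …
data:
  install_id: {{ $installId | quote }}
  install_type: k8s_manual
  install_time: {{ $installTime | quote }}
```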
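Review bot: In the `system-probe-configmap.yaml` hunk, `auto_suppression:` / `enabled: false` is pinned in the template with no values knob, while its sibling `anomaly_detection.enabled` is driven by `datadog.securityAgent.runtime.securityProfile.anomalyDetection.enabled`; either expose it the same way (a `securityProfile.autoSuppression.enabled` value with README and values.yaml entries) or add a template comment such as `# auto_suppression is intentionally disabled; anomaly events are surfaced unsuppressed` so the next reader knows it is deliberate. Related, the `values.yaml` hunk flips `securityProfile.enabled` from `false` to `true`, so every release that left it unset starts producing security-profile data on upgrade; the 3.52.0 changelog line mentions drift events but not that security profiles themselves are now on by default, and a sentence there would help operators anticipate the change.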
diff --git a/charts/f5/f5-bigip-ctlr/Chart.yaml b/charts/f5/f5-bigip-ctlr/Chart.yaml index 3d9453372..b652af4cc 100644 --- a/charts/f5/f5-bigip-ctlr/Chart.yaml +++ b/charts/f5/f5-bigip-ctlr/Chart.yaml @@ -22,4 +22,4 @@ name: f5-bigip-ctlr sources: - https://github.com/F5Networks/k8s-bigip-ctlr - https://github.com/F5Networks/charts -version: 0.0.2701 +version: 0.0.2801 diff --git a/charts/f5/f5-bigip-ctlr/crds/f5-bigip-ctlr-customresourcedefinitions.yml b/charts/f5/f5-bigip-ctlr/crds/f5-bigip-ctlr-customresourcedefinitions.yml index 1ca565976..dcd85c949 100644 --- a/charts/f5/f5-bigip-ctlr/crds/f5-bigip-ctlr-customresourcedefinitions.yml +++ b/charts/f5/f5-bigip-ctlr/crds/f5-bigip-ctlr-customresourcedefinitions.yml @@ -54,6 +54,9 @@ spec: persistenceProfile: type: string pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + htmlProfile: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' profiles: type: object properties: @@ -322,6 +325,9 @@ spec: type: integer minimum: 0 maximum: 256 + required: + - service + - servicePort virtualServerAddress: type: string pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' 
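Review bot: The new `htmlProfile` pattern `'^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$'` uses the range `A-z`, which also covers the six ASCII characters between `Z` and `a` (`[`, `\`, `]`, `^`, `_` and backtick), so the CRD admits backslashes and brackets in a profile path even though the first segment is restricted to `a-zA-Z`. Suggest `pattern: '^\/[a-zA-Z]+([a-zA-Z0-9_+-]+\/)+([a-zA-Z0-9_.:-]+\/?)*$'`. The second `htmlProfile` added at L258 carries the same range, and the pre-existing patterns on the context lines do too, so if they are meant to be identical they should be corrected together.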
@@ -384,7 +390,7 @@ spec: jsonPath: .metadata.creationTimestamp subresources: status: {} - + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -445,6 +451,18 @@ spec: reference: type: string enum: [bigip, secret] + clientSSLParams: + type: object + properties: + renegotiationEnabled: + type: boolean + default: true + serverSSLParams: + type: object + properties: + renegotiationEnabled: + type: boolean + default: true required: - termination @@ -500,7 +518,7 @@ spec: policyName: type: string pattern: '^([A-z0-9-_+])*([A-z0-9])$' - mode: + mode: type: string enum: [standard, performance] type: @@ -615,25 +633,25 @@ spec: items: type: object properties: - type: - type: string - enum: [ tcp, udp, http, https ] - interval: - type: integer - timeout: - type: integer - targetPort: - type: integer - name: - type: string - pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' - reference: - type: string - enum: [bigip] - send: - type: string - recv: - type: string + type: + type: string + enum: [ tcp, udp, http, https ] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + send: + type: string + recv: + type: string reselectTries: type: integer minimum: 0 @@ -658,8 +676,8 @@ spec: - type: integer - type: string required: - - service - - servicePort + - service + - servicePort required: - virtualServerPort - pool 
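Review bot: `clientSSLParams.renegotiationEnabled` and `serverSSLParams.renegotiationEnabled` both get `default: true` with no `description:`, so the schema silently turns TLS renegotiation on for every resource that does not set the field, and nothing tells the operator what the flag controls or why on is the default. Since client-initiated renegotiation is something hardening guides commonly disable on internet-facing listeners, a description such as `description: Allow TLS renegotiation on the generated SSL profile; presumably mirrors the BIG-IP default — set false to harden` (wording to be confirmed against the controller's behaviour) would let users choose deliberately. The remaining changes in this line are re-indentation only.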
@@ -674,37 +692,37 @@ spec: type: string default: Pending additionalPrinterColumns: - - name: virtualServerAddress - type: string - description: IP address of virtualServer - jsonPath: .spec.virtualServerAddress - - name: virtualServerPort - type: integer - description: Port of virtualServer - jsonPath: .spec.virtualServerPort - - name: pool - type: string - description: Name of service - jsonPath: .spec.pool.service - - name: poolPort - type: string - description: Port of service - jsonPath: .spec.pool.servicePort - - name: ipamLabel - type: string - description: ipamLabel for transport server - jsonPath: .spec.ipamLabel - - name: IPAMVSAddress - type: string - description: IP address of transport server - jsonPath: .status.vsAddress - - name: STATUS - type: string - description: status of TransportServer - jsonPath: .status.status - - name: Age - type: date - jsonPath: .metadata.creationTimestamp + - name: virtualServerAddress + type: string + description: IP address of virtualServer + jsonPath: .spec.virtualServerAddress + - name: virtualServerPort + type: integer + description: Port of virtualServer + jsonPath: .spec.virtualServerPort + - name: pool + type: string + description: Name of service + jsonPath: .spec.pool.service + - name: poolPort + type: string + description: Port of service + jsonPath: .spec.pool.servicePort + - name: ipamLabel + type: string + description: ipamLabel for transport server + jsonPath: .spec.ipamLabel + - name: IPAMVSAddress + type: string + description: IP address of transport server + jsonPath: .status.vsAddress + - name: STATUS + type: string + description: status of TransportServer + jsonPath: .status.status + - name: Age + type: date + jsonPath: .metadata.creationTimestamp subresources: status: { } --- 
@@ -1061,6 +1079,9 @@ spec: http: type: string pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + htmlProfile: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' autoLastHop: type: string enum: [ default, auto, disable ] @@ -1089,4 +1110,4 @@ spec: timeOut: type: integer minimum: 1 - default: 180 \ No newline at end of file + default: 180 diff --git a/charts/f5/nginx-ingress/Chart.yaml b/charts/f5/nginx-ingress/Chart.yaml index 345a3e401..05d4d68d1 100644 --- a/charts/f5/nginx-ingress/Chart.yaml +++ b/charts/f5/nginx-ingress/Chart.yaml @@ -4,10 +4,10 @@ annotations: catalog.cattle.io/kube-version: '>= 1.22.0-0' catalog.cattle.io/release-name: nginx-ingress apiVersion: v2 -appVersion: 3.4.0 +appVersion: 3.4.2 description: NGINX Ingress Controller home: https://github.com/nginxinc/kubernetes-ingress -icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/charts/nginx-ingress/chart-icon.png +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/charts/nginx-ingress/chart-icon.png keywords: - ingress - nginx @@ -17,6 +17,6 @@ maintainers: name: nginxinc name: nginx-ingress sources: -- https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/charts/nginx-ingress +- https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/charts/nginx-ingress type: application -version: 1.1.0 +version: 1.1.2 diff --git a/charts/f5/nginx-ingress/README.md b/charts/f5/nginx-ingress/README.md index cb0ffdc50..f4ecf5d29 100644 --- a/charts/f5/nginx-ingress/README.md +++ b/charts/f5/nginx-ingress/README.md 
@@ -79,14 +79,14 @@ To install the chart with the release name my-release (my-release is the name th For NGINX: ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.0 +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 ``` For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.0 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to @@ -101,7 +101,7 @@ CRDs](#upgrading-the-crds). To upgrade the release `my-release`: ```console -helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.0 +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 ``` ### Uninstalling the Chart @@ -142,7 +142,7 @@ upgrading/deleting the CRDs. 1. Pull the chart sources: ```console - helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.0 + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.2 ``` 2. Change your working directory to nginx-ingress: @@ -228,7 +228,7 @@ The steps you should follow depend on the Helm release name: Selector: app=nginx-ingress-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.4.0` +2. Checkout the latest available tag using `git checkout v3.4.2` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` 
@@ -280,7 +280,7 @@ reviewing its events: Selector: app=-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.4.0` +2. Checkout the latest available tag using `git checkout v3.4.2` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` @@ -347,7 +347,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.logLevel` | The log level of the Ingress Controller. | 1 | |`controller.image.digest` | The image digest of the Ingress Controller. | None | |`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | -|`controller.image.tag` | The tag of the Ingress Controller image. | 3.4.0 | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.4.2 | |`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | |`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | |`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | 
@@ -375,7 +375,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.initContainerResources` | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi | |`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 | |`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | -|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.0, do not set the value to false. | true | +|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. | true | |`controller.ingressClass.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. 
Requires `controller.ingressClass.create`. | false | |`controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" | |`controller.watchNamespaceLabel` | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" | diff --git a/charts/f5/nginx-ingress/values-icp.yaml b/charts/f5/nginx-ingress/values-icp.yaml index c2969ed7c..2c2d1f266 100644 --- a/charts/f5/nginx-ingress/values-icp.yaml +++ b/charts/f5/nginx-ingress/values-icp.yaml @@ -4,7 +4,7 @@ controller: nginxplus: true image: repository: mycluster.icp:8500/kube-system/nginx-plus-ingress - tag: "3.4.0" + tag: "3.4.2" nodeSelector: beta.kubernetes.io/arch: "amd64" proxy: true diff --git a/charts/f5/nginx-ingress/values-plus.yaml b/charts/f5/nginx-ingress/values-plus.yaml index 54d8551ac..d30f65751 100644 --- a/charts/f5/nginx-ingress/values-plus.yaml +++ b/charts/f5/nginx-ingress/values-plus.yaml @@ -3,4 +3,4 @@ controller: nginxplus: true image: repository: nginx-plus-ingress - tag: "3.4.0" + tag: "3.4.2" diff --git a/charts/f5/nginx-ingress/values.schema.json b/charts/f5/nginx-ingress/values.schema.json index 029211810..ce40e1983 100644 --- a/charts/f5/nginx-ingress/values.schema.json +++ b/charts/f5/nginx-ingress/values.schema.json @@ -305,10 +305,10 @@ }, "tag": { "type": "string", - "default": "3.4.0", + "default": "3.4.2", "title": "The tag of the Ingress Controller image", "examples": [ - "3.4.0" + "3.4.2" ] }, "digest": { 
@@ -345,7 +345,7 @@ "examples": [ { "repository": "nginx/nginx-ingress", - "tag": "3.4.0", + "tag": "3.4.2", "pullPolicy": "IfNotPresent" } ] @@ -1393,7 +1393,7 @@ "customPorts": [], "image": { "repository": "nginx/nginx-ingress", - "tag": "3.4.0", + "tag": "3.4.2", "digest": "", "pullPolicy": "IfNotPresent" }, @@ -1765,7 +1765,7 @@ "customPorts": [], "image": { "repository": "nginx/nginx-ingress", - "tag": "3.4.0", + "tag": "3.4.2", "digest": "", "pullPolicy": "IfNotPresent" }, diff --git a/charts/f5/nginx-ingress/values.yaml b/charts/f5/nginx-ingress/values.yaml index 1d7829266..f0e2c9b2e 100644 --- a/charts/f5/nginx-ingress/values.yaml +++ b/charts/f5/nginx-ingress/values.yaml @@ -78,7 +78,7 @@ controller: repository: nginx/nginx-ingress ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. - # tag: "3.4.0" + # tag: "3.4.2" ## The digest of the Ingress Controller image. ## If digest is specified it has precedence over tag and will be used instead 
@@ -246,7 +246,7 @@ controller: ## The Ingress Controller processes all the resources that do not have the "ingressClassName" field for all versions of kubernetes. name: nginx - ## Creates a new IngressClass object with the name "controller.ingressClass.name". Set to false to use an existing IngressClass with the same name. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.0, do not set the value to false. + ## Creates a new IngressClass object with the name "controller.ingressClass.name". Set to false to use an existing IngressClass with the same name. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. create: true ## New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. Requires "controller.ingressClass.create". diff --git a/charts/haproxy/haproxy/Chart.yaml b/charts/haproxy/haproxy/Chart.yaml index 44c31d73b..93cb25fcb 100644 --- a/charts/haproxy/haproxy/Chart.yaml +++ b/charts/haproxy/haproxy/Chart.yaml @@ -1,6 +1,6 @@ annotations: artifacthub.io/changes: | - - Remove unneeded initContainers from CRD job (#215) + - Move automountServiceAccountToken flag from pods to ServiceAccount configuration (fixes for #217) catalog.cattle.io/certified: partner catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller catalog.cattle.io/kube-version: '>=1.22.0-0' @@ -21,4 +21,4 @@ name: haproxy sources: - https://github.com/haproxytech/kubernetes-ingress type: application -version: 1.35.5 +version: 1.36.1 diff --git a/charts/haproxy/haproxy/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/templates/controller-daemonset.yaml index 7d88e8d03..ee20eb2d5 100644 
--- a/charts/haproxy/haproxy/templates/controller-daemonset.yaml +++ b/charts/haproxy/haproxy/templates/controller-daemonset.yaml @@ -198,8 +198,13 @@ spec: {{ toYaml .Values.controller.lifecycle | indent 12 }} {{- end }} {{- end }} - {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run {{- if .Values.aws.licenseConfigSecretName }} - name: aws-product-license readOnly: true @@ -210,7 +215,6 @@ spec: {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} {{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} {{- end }} - {{- end}} {{- if .Values.controller.extraContainers }} {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} {{ tpl .Values.controller.extraContainers . | indent 8 }} @@ -218,8 +222,15 @@ spec: {{ toYaml .Values.controller.extraContainers | indent 8 }} {{- end }} {{- end }} - {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} {{- if .Values.aws.licenseConfigSecretName }} - name: aws-product-license secret: @@ -231,7 +242,6 @@ spec: {{- else if gt (len .Values.controller.extraVolumes) 0 }} {{ toYaml .Values.controller.extraVolumes | indent 8 }} {{- end }} - {{- end }} {{- with.Values.controller.initContainers }} initContainers: {{- toYaml . | nindent 8 }} diff --git a/charts/haproxy/haproxy/templates/controller-deployment.yaml b/charts/haproxy/haproxy/templates/controller-deployment.yaml index 03c78de2d..71753220e 100644 --- a/charts/haproxy/haproxy/templates/controller-deployment.yaml +++ b/charts/haproxy/haproxy/templates/controller-deployment.yaml 
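Review bot: The `tmp` volume is a `medium: Memory` emptyDir with a hard-coded `sizeLimit: 64Mi`, mounted at both `/tmp` and `/run` via `subPath`, and neither the template nor values.yaml explains that data written there is charged against the container's memory limit, so operators with tight `controller.resources` limits now have a 64Mi tmpfs competing with the process. A comment above the volume, `# /tmp and /run live on a memory-backed emptyDir; its contents count toward the container memory limit`, plus a value for the size would make the trade-off visible. If the `semverCompare ">=1.21.0-0"` gate exists because `sizeLimit` on memory-backed emptyDirs is only honoured from that version, say so in the same comment. The identical block is added to `controller-deployment.yaml` at L266; the enclosing container spec starts outside both hunks.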
@@ -193,8 +193,13 @@ spec: {{ toYaml .Values.controller.lifecycle | indent 12 }} {{- end }} {{- end }} - {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run {{- if .Values.aws.licenseConfigSecretName }} - name: aws-product-license readOnly: true @@ -205,7 +210,6 @@ spec: {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} {{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} {{- end }} - {{- end}} {{- if .Values.controller.extraContainers }} {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} {{ tpl .Values.controller.extraContainers . | indent 8 }} @@ -213,8 +217,15 @@ spec: {{ toYaml .Values.controller.extraContainers | indent 8 }} {{- end }} {{- end }} - {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} {{- if .Values.aws.licenseConfigSecretName }} - name: aws-product-license secret: @@ -226,7 +237,6 @@ spec: {{- else if gt (len .Values.controller.extraVolumes) 0 }} {{ toYaml .Values.controller.extraVolumes | indent 8 }} {{- end }} - {{- end }} {{- with.Values.controller.initContainers }} initContainers: {{- toYaml . | nindent 8 }} diff --git a/charts/haproxy/haproxy/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/templates/controller-serviceaccount.yaml index a15bded93..70529f7d6 100644 --- a/charts/haproxy/haproxy/templates/controller-serviceaccount.yaml +++ b/charts/haproxy/haproxy/templates/controller-serviceaccount.yaml 
@@ -26,4 +26,7 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} {{- end -}} diff --git a/charts/haproxy/haproxy/values.yaml b/charts/haproxy/haproxy/values.yaml index 5c95ccb70..0d3f4f431 100644 --- a/charts/haproxy/haproxy/values.yaml +++ b/charts/haproxy/haproxy/values.yaml @@ -43,6 +43,7 @@ namespace: serviceAccount: create: true name: + automountServiceAccountToken: true ## Namespace override ## Allow the release namespace to be overridden for multi-namespace deployments in combined charts diff --git a/charts/inaccel/fpga-operator/Chart.lock b/charts/inaccel/fpga-operator/Chart.lock index 69b8feab2..3fb2313cf 100644 --- a/charts/inaccel/fpga-operator/Chart.lock +++ b/charts/inaccel/fpga-operator/Chart.lock @@ -3,4 +3,4 @@ dependencies: repository: https://kubernetes-sigs.github.io/node-feature-discovery/charts version: 0.10.0 digest: sha256:828293429b90cc2aee21bb9d617e9c70644f2d1a31ace67d07ff6931d4dc4f94 -generated: "2022-12-01T10:10:52.115270886Z" +generated: "2024-01-17T18:01:07.998664399Z" diff --git a/charts/inaccel/fpga-operator/Chart.yaml b/charts/inaccel/fpga-operator/Chart.yaml index b03f99252..c9e3ec697 100644 --- a/charts/inaccel/fpga-operator/Chart.yaml +++ b/charts/inaccel/fpga-operator/Chart.yaml @@ -52,4 +52,4 @@ sources: - https://docs.inaccel.com - https://github.com/inaccel/helm type: application -version: 2.8.1 +version: 2.8.2 diff --git a/charts/inaccel/fpga-operator/values.yaml b/charts/inaccel/fpga-operator/values.yaml index 336ef0ade..0580df21b 100644 --- a/charts/inaccel/fpga-operator/values.yaml +++ b/charts/inaccel/fpga-operator/values.yaml 
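Review bot: The new `automountServiceAccountToken: true` key in values.yaml has no comment, and because the flag now sits on the ServiceAccount (the Chart.yaml note says it moved there from the pods) it applies to every pod that uses the account, not only the controller. Suggest `## Applied to the ServiceAccount, so it affects every pod using it; the controller needs an API token to watch resources, so only set false if you mount a token another way` — the "needs an API token" part is inferred from the controller's role and should be confirmed. It may also be worth noting that the `hasKey` guard in the template only omits the field when the key is nulled out, since the default value always sets it.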
@@ -40,6 +40,9 @@ fpga-discovery: custom: - matchOn: # intel-fpga + - pciId: + device: ["0070", "0071"] + vendor: ["12ba"] - pciId: device: ["09c4", "0b2b"] vendor: ["8086"] diff --git a/charts/instana/instana-agent/Chart.yaml b/charts/instana/instana-agent/Chart.yaml index 511e40209..4b2c732fc 100644 --- a/charts/instana/instana-agent/Chart.yaml +++ b/charts/instana/instana-agent/Chart.yaml @@ -9,7 +9,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21-0' catalog.cattle.io/release-name: instana-agent apiVersion: v2 -appVersion: 1.262.0 +appVersion: 1.264.0 description: Instana Agent for Kubernetes home: https://www.instana.com/ icon: https://agents.instana.io/helm/stan-logo-2020.png @@ -23,4 +23,4 @@ maintainers: name: instana-agent sources: - https://github.com/instana/instana-agent-docker -version: 1.2.66 +version: 1.2.67 diff --git a/charts/instana/instana-agent/README.md b/charts/instana/instana-agent/README.md index 3673baf6e..c77114ef5 100644 --- a/charts/instana/instana-agent/README.md +++ b/charts/instana/instana-agent/README.md 
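Review bot: The new `pciId` entry (vendor `12ba`, devices `0070`/`0071`) is inserted directly under the `# intel-fpga` comment but does not use the Intel vendor id `8086` that the following entry does, so the comment no longer describes what it labels. Either give the new entry its own comment naming the vendor/board family it matches (the hunk does not say which that is) or move `# intel-fpga` down to the `8086` entry.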
@@ -99,7 +99,7 @@ The following table lists the configurable parameters of the Instana chart and t | `agent.instanaMvnRepoUrl` | Override for the Maven repository URL when the Agent needs to connect to a locally provided Maven repository 'proxy' | `nil` Usually not required | | `agent.instanaMvnRepoFeaturesPath` | Override for the Maven repository features path the Agent needs to connect to a locally provided Maven repository 'proxy' | `nil` Usually not required | | `agent.instanaMvnRepoSharedPath` | Override for the Maven repository shared path when the Agent needs to connect to a locally provided Maven repository 'proxy' | `nil` Usually not required | -| `agent.updateStrategy.type` | [DaemonSet update strategy type](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/); valid values are `OnDelete` and `RollingUpdate` | `RollingUpdate` | +| `agent.updateStrategy.type` | [DaemonSet update strategy type](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/); valid values are `OnDelete` and `RollingUpdate` | `RollingUpdate` | | `agent.updateStrategy.rollingUpdate.maxUnavailable` | How many agent pods can be updated at once; this value is ignored if `agent.updateStrategy.type` is different than `RollingUpdate` | `1` | | `agent.pod.annotations` | Additional annotations to apply to the pod | `{}` | | `agent.pod.labels` | Additional labels to apply to the Agent pod | `{}` | 
@@ -119,18 +119,14 @@ The following table lists the configurable parameters of the Instana chart and t | `agent.env` | Additional environment variables for the agent | `{}` | | `agent.redactKubernetesSecrets` | Enable additional secrets redaction for selected Kubernetes resources | `nil` See [Kubernetes secrets](https://docs.instana.io/setup_and_manage/host_agent/on/kubernetes/#secrets) for more details. | | `cluster.name` | Display name of the monitored cluster | Value of `zone.name` | -| `leaderElector.port` | Instana leader elector sidecar port | `42655` | -| `leaderElector.image.name` | The elector image name to pull. _Note: leader-elector is deprecated and will no longer be updated._ | `instana/leader-elector` | -| `leaderElector.image.digest` | The image digest to pull; if specified, it causes `leaderElector.image.tag` to be ignored. _Note: leader-elector is deprecated and will no longer be updated._ | `nil` | -| `leaderElector.image.tag` | The image tag to pull; this property is ignored if `leaderElector.image.digest` is specified. 
_Note: leader-elector is deprecated and will no longer be updated._ | `latest` | | `k8s_sensor.deployment.enabled` | Isolate k8sensor with a deployment | `true` | | `k8s_sensor.image.name` | The k8sensor image name to pull | `gcr.io/instana/k8sensor` | | `k8s_sensor.image.digest` | The image digest to pull; if specified, it causes `k8s_sensor.image.tag` to be ignored | `nil` | | `k8s_sensor.image.tag` | The image tag to pull; this property is ignored if `k8s_sensor.image.digest` is specified | `latest` | -| `k8s_sensor.deployment.pod.limits.cpu` | CPU request for the `k8sensor` pods | `4` | -| `k8s_sensor.deployment.pod.limits.memory` | Memory request limits for the `k8sensor` pods | `6144Mi` | -| `k8s_sensor.deployment.pod.requests.cpu` | CPU limit for the `k8sensor` pods | `1.5` | -| `k8s_sensor.deployment.pod.requests.memory` | Memory limit for the `k8sensor` pods | `1024Mi` | +| `k8s_sensor.deployment.pod.limits.cpu` | CPU request for the `k8sensor` pods | `4` | +| `k8s_sensor.deployment.pod.limits.memory` | Memory request limits for the `k8sensor` pods | `6144Mi` | +| `k8s_sensor.deployment.pod.requests.cpu` | CPU limit for the `k8sensor` pods | `1.5` | +| `k8s_sensor.deployment.pod.requests.memory` | Memory limit for the `k8sensor` pods | `1024Mi` | | `podSecurityPolicy.enable` | Whether a PodSecurityPolicy should be authorized for the Instana Agent pods. Requires `rbac.create` to be `true` as well and it is available until Kubernetes version v1.25. | `false` See [PodSecurityPolicy](https://docs.instana.io/setup_and_manage/host_agent/on/kubernetes/#podsecuritypolicy) for more details. | | `podSecurityPolicy.name` | Name of an _existing_ PodSecurityPolicy to authorize for the Instana Agent pods. If not provided and `podSecurityPolicy.enable` is `true`, a PodSecurityPolicy will be created for you. | `nil` | | `rbac.create` | Whether RBAC resources should be created | `true` | 
@@ -143,8 +139,8 @@ The following table lists the configurable parameters of the Instana chart and t | `serviceAccount.name` | Name of the ServiceAccount to use | `instana-agent` | | `zone.name` | Zone that detected technologies will be assigned to | `nil` You must provide either `zone.name` or `cluster.name`, see [above](#installation) for details | | `zones` | Multi-zone daemonset configuration. | `nil` see [below](#multiple-zones) for details | -| `k8s_sensor.podDisruptionBudget.enabled` | Whether to create DisruptionBudget for k8sensor to limit the number of concurrent disruptions | `false` | -| `k8s_sensor.deployment.pod.affinity` | `k8sensor` deployment affinity format | `podAntiAffinity` defined in `values.yaml` | +| `k8s_sensor.podDisruptionBudget.enabled` | Whether to create DisruptionBudget for k8sensor to limit the number of concurrent disruptions | `false` | +| `k8s_sensor.deployment.pod.affinity` | `k8sensor` deployment affinity format | `podAntiAffinity` defined in `values.yaml` | ### Agent Modes 
@@ -229,13 +225,33 @@ _Note:_ There is no hard limitation on the number of backends an Instana agent c If your infrastructure uses a proxy, you should ensure that you set values for: -* `agent.pod.proxyHost` +* `agent.proxyHost` * `agent.pod.proxyPort` * `agent.pod.proxyProtocol` * `agent.pod.proxyUser` * `agent.pod.proxyPassword` * `agent.pod.proxyUseDNS` +#### Same Proxy for Repository and the Instana backend + +If the same proxy is utilized for both backend and repository, configure only the 'Agent' proxy settings using the following parameter: + ``` + --set agent.proxyHost='' + ``` + +#### Separate Proxies for Repository and the Instana backend + +In scenarios where distinct proxy settings are employed for the backend and repository, both proxies must be configured separately. The key is to ensure that `INSTANA_REPOSITORY_PROXY_ENABLED=true` is set. + +To use this variant, execute helm install with the following additional parameters: + +``` +--set agent.proxyHost='Hostname/address of a proxy' +--set agent.env.INSTANA_REPOSITORY_PROXY_ENABLED='true' +--set agent.env.INSTANA_REPOSITORY_PROXY_HOST='Hostname/address of a proxy' +``` +Make sure to replace 'Hostname/address of a proxy' with the actual hostname or address of your proxy. + ### Configuring which Networks the Instana Agent should listen on If your infrastructure has multiple networks defined, you might need to allow the agent to listen on all addresses (typically with value set to `*`): @@ -343,6 +359,11 @@ zones: ## Changelog +### 1.2.67 + +* Fix variable name in the K8s deployment +* Remove deprecated leader-elector from helm chart configuration + ### 1.2.66 * Allign the default Memory requests to 768Mi for the Agent container. diff --git a/charts/instana/instana-agent/templates/_helpers.tpl b/charts/instana/instana-agent/templates/_helpers.tpl index 6f866ecfd..23c08d888 100644 --- a/charts/instana/instana-agent/templates/_helpers.tpl +++ b/charts/instana/instana-agent/templates/_helpers.tpl 
@@ -183,8 +183,6 @@ Composes a container image from a dict containing a "name" field (required), "ta {{- define "instana-agent.commonEnv" -}} -- name: INSTANA_AGENT_LEADER_ELECTOR_PORT - value: {{ .Values.leaderElector.port | quote }} {{- if .Values.zone.name }} - name: INSTANA_ZONE value: {{ .Values.zone.name | quote }} @@ -314,35 +312,6 @@ periodSeconds: 10 failureThreshold: 3 {{- end -}} -{{- define "leader-elector.container" -}} -- name: leader-elector - image: {{ include "image" .Values.leaderElector.image | quote }} - env: - - name: INSTANA_AGENT_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - command: - - "/busybox/sh" - - "-c" - - "sleep 12 && /app/server --election=instana --http=localhost:{{ .Values.leaderElector.port }} --id=$(INSTANA_AGENT_POD_NAME)" - resources: - requests: - cpu: 0.1 - memory: "64Mi" - livenessProbe: - httpGet: # Leader elector /health endpoint expects version 0.5.8 minimum, otherwise always returns 200 OK - host: 127.0.0.1 # localhost because Pod has hostNetwork=true - path: /health - port: {{ .Values.leaderElector.port }} - initialDelaySeconds: 30 - timeoutSeconds: 3 - periodSeconds: 3 - failureThreshold: 3 - ports: - - containerPort: {{ .Values.leaderElector.port }} -{{- end -}} - {{- define "instana-agent.tls-volume" -}} - name: {{ include "instana-agent.fullname" . }}-tls secret: diff --git a/charts/instana/instana-agent/templates/agent-daemonset-with-zones.yaml b/charts/instana/instana-agent/templates/agent-daemonset-with-zones.yaml index e1af0c7e4..16096f776 100644 --- a/charts/instana/instana-agent/templates/agent-daemonset-with-zones.yaml +++ b/charts/instana/instana-agent/templates/agent-daemonset-with-zones.yaml 
@@ -39,9 +39,11 @@ spec: {{- if $.Values.agent.pod.annotations }} {{- toYaml $.Values.agent.pod.annotations | nindent 8 }} {{- end }} + {{- if not $.Values.templating }} # To ensure that changes to agent.configuration_yaml or agent.additional_backends trigger a Pod recreation, we keep a SHA here # Unfortunately, we cannot use the lookup function to check on the values in the configmap, otherwise we break Helm < 3.2 instana-configuration-hash: {{ $.Values.agent.configuration_yaml | cat ";" | cat ( join "," $.Values.agent.additionalBackends ) | sha1sum }} + {{- end }} spec: serviceAccountName: {{ template "instana-agent.serviceAccountName" $ }} {{- if $.Values.agent.pod.nodeSelector }} @@ -152,9 +154,6 @@ spec: {{- include "instana-agent.resources" $.Values.agent.pod.limits | nindent 14 }} ports: - containerPort: 42699 - {{- if and (not $.Values.kubernetes.deployment.enabled) (not $.Values.k8s_sensor.deployment.enabled) }} - {{- include "leader-elector.container" $ | nindent 8 }} - {{- end }} {{ if $tolerations -}} tolerations: diff --git a/charts/instana/instana-agent/templates/agent-daemonset.yaml b/charts/instana/instana-agent/templates/agent-daemonset.yaml index 95270d49e..d5be2dacd 100644 --- a/charts/instana/instana-agent/templates/agent-daemonset.yaml +++ b/charts/instana/instana-agent/templates/agent-daemonset.yaml 
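Review bot: The new `{{- if not $.Values.templating }}` guard omits the `instana-configuration-hash` annotation whenever `templating` is truthy, which silently disables the rollout-on-config-change behaviour that the surrounding comment says the annotation exists for. I do not see `templating` added to values.yaml or the README in this commit, so an operator who sets it by mistake loses pod recreation on `agent.configuration_yaml` changes with no warning. Please document it where it is defined, e.g. `# templating: when true, omit the configuration-hash pod annotation (for rendering manifests with helm template; not for installs)`, adjusting the intent if the actual consumer differs. The DaemonSet template continues outside the hunk.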
@@ -32,9 +32,11 @@ spec: {{- if .Values.agent.pod.annotations }} {{- toYaml .Values.agent.pod.annotations | nindent 8 }} {{- end }} + {{- if not .Values.templating }} # To ensure that changes to agent.configuration_yaml or agent.additional_backends trigger a Pod recreation, we keep a SHA here # Unfortunately, we cannot use the lookup function to check on the values in the configmap, otherwise we break Helm < 3.2 instana-configuration-hash: {{ .Values.agent.configuration_yaml | cat ";" | cat ( join "," .Values.agent.additionalBackends ) | sha1sum }} + {{- end }} spec: serviceAccountName: {{ template "instana-agent.serviceAccountName" . }} {{- if .Values.agent.pod.nodeSelector }} @@ -143,9 +145,6 @@ spec: {{- include "instana-agent.resources" .Values.agent.pod.limits | nindent 14 }} ports: - containerPort: 42699 - {{- if and (not .Values.kubernetes.deployment.enabled) (not .Values.k8s_sensor.deployment.enabled) }} - {{- include "leader-elector.container" . | nindent 8 }} - {{- end }} {{- if .Values.agent.pod.tolerations }} tolerations: {{- toYaml .Values.agent.pod.tolerations | nindent 8 }} diff --git a/charts/instana/instana-agent/templates/k8s-sensor-deployment.yaml b/charts/instana/instana-agent/templates/k8s-sensor-deployment.yaml index f92acfa0b..1b0efb1fb 100644 --- a/charts/instana/instana-agent/templates/k8s-sensor-deployment.yaml +++ b/charts/instana/instana-agent/templates/k8s-sensor-deployment.yaml @@ -4,7 +4,7 @@ {{- $user_name_password := "" -}} {{ if .Values.agent.proxyUser }} - {{- $user_name_password = print .Values.agent.proxyUser ":" .Values.agent.proxyPass "@" -}} + {{- $user_name_password = print .Values.agent.proxyUser ":" .Values.agent.proxyPassword "@" -}} {{ end}} apiVersion: apps/v1 
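Review bot: In the `$user_name_password` hunk, `print .Values.agent.proxyUser ":" .Values.agent.proxyPassword "@"` concatenates the credentials without URL-encoding, so a password containing `@`, `:`, `/` or `#` yields a malformed value wherever this variable is consumed (that use is outside the hunk; presumably a proxy URL). The Go template built-in handles this: `{{- $user_name_password = print (.Values.agent.proxyUser | urlquery) ":" (.Values.agent.proxyPassword | urlquery) "@" -}}` (query escaping turns spaces into `+`, which is acceptable for userinfo in most proxies but worth a comment). Separately, the README hunk in this same commit still lists the credentials as `agent.pod.proxyUser`/`agent.pod.proxyPassword` while the template reads `.Values.agent.proxyUser`/`.Values.agent.proxyPassword`; the two should agree, and if the composed value ends up in an env var rather than a Secret, the docs should say that the password is readable by anyone who can get the Deployment.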
@@ -32,9 +32,11 @@ spec: {{- if .Values.agent.pod.annotations }} {{- toYaml .Values.agent.pod.annotations | nindent 8 }} {{- end }} + {{- if not .Values.templating }} # To ensure that changes to agent.configuration_yaml or agent.additional_backends trigger a Pod recreation, we keep a SHA here # Unfortunately, we cannot use the lookup function to check on the values in the configmap, otherwise we break Helm < 3.2 instana-configuration-hash: {{ cat ( join "," .Values.agent.additionalBackends ) | sha1sum }} + {{- end }} spec: serviceAccountName: k8sensor {{- if .Values.k8s_sensor.deployment.pod.nodeSelector }} diff --git a/charts/instana/instana-agent/templates/kubernetes-sensor-deployment.yaml b/charts/instana/instana-agent/templates/kubernetes-sensor-deployment.yaml index 7bfe7be5b..0ab579fec 100644 --- a/charts/instana/instana-agent/templates/kubernetes-sensor-deployment.yaml +++ b/charts/instana/instana-agent/templates/kubernetes-sensor-deployment.yaml @@ -25,9 +25,11 @@ spec: {{- if .Values.agent.pod.annotations }} {{- toYaml .Values.agent.pod.annotations | nindent 8 }} {{- end }} + {{- if not .Values.templating }} # To ensure that changes to agent.configuration_yaml or agent.additional_backends trigger a Pod recreation, we keep a SHA here # Unfortunately, we cannot use the lookup function to check on the values in the configmap, otherwise we break Helm < 3.2 instana-configuration-hash: {{ cat ( join "," .Values.agent.additionalBackends ) | sha1sum }} + {{- end }} spec: serviceAccountName: {{ template "instana-agent.serviceAccountName" . }} {{- if .Values.kubernetes.deployment.pod.nodeSelector }} 
@@ -73,23 +75,6 @@ spec: {{- include "instana-agent.resources" .Values.kubernetes.deployment.pod.limits | nindent 14 }} ports: - containerPort: 42699 - - name: leader-elector - image: {{ include "image" .Values.leaderElector.image | quote }} - env: - - name: INSTANA_AGENT_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - command: - - "/busybox/sh" - - "-c" - - "sleep 12 && /app/server --election=instana --http=localhost:{{ .Values.leaderElector.port }} --id=$(INSTANA_AGENT_POD_NAME)" - resources: - requests: - cpu: 0.1 - memory: "64Mi" - ports: - - containerPort: {{ .Values.leaderElector.port }} {{- if .Values.kubernetes.deployment.pod.tolerations }} tolerations: {{- toYaml .Values.kubernetes.deployment.pod.tolerations | nindent 8 }} diff --git a/charts/instana/instana-agent/values.yaml b/charts/instana/instana-agent/values.yaml index 98e1244ba..9dcaeacb3 100644 --- a/charts/instana/instana-agent/values.yaml +++ b/charts/instana/instana-agent/values.yaml @@ -175,16 +175,6 @@ cluster: # cluster.name represents the name that will be assigned to this cluster in Instana name: null -leaderElector: - image: - # leaderElector.image.name is the name of the container image of the leader elector. - name: icr.io/instana/leader-elector - # leaderElector.image.digest is the digest (a.k.a. Image ID) of the leader elector container image; if specified, it has priority over leaderElector.image.digest, which will be ignored. - #digest: - # leaderElector.image.tag is the tag name of the agent container image; if leaderElector.image.digest is specified, this property is ignored. - tag: 0.5.18 - port: 42655 - # openshift specifies whether the cluster role should include openshift permissions and other tweaks to the YAML. # The chart will try to auto-detect if the cluster is OpenShift, so you will likely not even need to set this explicitly. # openshift: true 
diff --git a/charts/jaeger/jaeger-operator/COMPATIBILITY.md b/charts/jaeger/jaeger-operator/COMPATIBILITY.md index bc6e17151..95218d8ad 100644 --- a/charts/jaeger/jaeger-operator/COMPATIBILITY.md +++ b/charts/jaeger/jaeger-operator/COMPATIBILITY.md @@ -2,6 +2,7 @@ The following table shows the compatibility of `Jaeger Operator helm chart` with | Chart version | Jaeger Operator | Kubernetes | Strimzi Operator | Cert-Manager | |---------------------------|-----------------|-----------------|--------------------|--------------| +| 2.50.0 | v1.52.x | v1.19 to v1.28 | v0.32 | v1.6.1+ | | 2.49.0 | v1.49.x | v1.19 to v1.28 | v0.32 | v1.6.1+ | | 2.47.0 | v1.47.x | v1.19 to v1.26 | v0.23 | v1.6.1+ | | 2.46.0 | v1.46.x | v1.19 to v1.26 | v0.23 | v1.6.1+ | diff --git a/charts/jaeger/jaeger-operator/Chart.yaml b/charts/jaeger/jaeger-operator/Chart.yaml index 8503692e2..abc962d0b 100644 --- a/charts/jaeger/jaeger-operator/Chart.yaml +++ b/charts/jaeger/jaeger-operator/Chart.yaml @@ -3,7 +3,7 @@ annotations: catalog.cattle.io/display-name: Jaeger Operator catalog.cattle.io/release-name: jaeger-operator apiVersion: v1 -appVersion: 1.49.0 +appVersion: 1.52.0 description: jaeger-operator Helm chart for Kubernetes home: https://www.jaegertracing.io/ icon: https://www.jaegertracing.io/img/jaeger-icon-reverse-color.svg @@ -15,4 +15,4 @@ maintainers: name: jaeger-operator sources: - https://github.com/jaegertracing/jaeger-operator -version: 2.49.0 +version: 2.50.1 diff --git a/charts/jaeger/jaeger-operator/README.md b/charts/jaeger/jaeger-operator/README.md index a9db594cc..ffac4e3e8 100644 --- a/charts/jaeger/jaeger-operator/README.md +++ b/charts/jaeger/jaeger-operator/README.md 
@@ -55,11 +55,11 @@ The command removes all the Kubernetes components associated with the chart and The following table lists the configurable parameters of the jaeger-operator chart and their default values. | Parameter | Description | Default | -| :------------------------- | :---------------------------------------------------------------------------------------------------------- | :------------------------------ | +| :------------------------- | :---------------------------------------------------------------------------------------------------------- |:--------------------------------| | `serviceExtraLabels` | Additional labels to jaeger-operator service | `{}` | | `extraLabels` | Additional labels to jaeger-operator deployment | `{}` | | `image.repository` | Controller container image repository | `jaegertracing/jaeger-operator` | -| `image.tag` | Controller container image tag | `1.49.0` | +| `image.tag` | Controller container image tag | `1.52.0` | | `image.pullPolicy` | Controller container image pull policy | `IfNotPresent` | | `jaeger.create` | Jaeger instance will be created | `false` | | `jaeger.spec` | Jaeger instance specification | `{}` | diff --git a/charts/jaeger/jaeger-operator/values.yaml b/charts/jaeger/jaeger-operator/values.yaml index ff30781ef..77fc3bfc7 100644 --- a/charts/jaeger/jaeger-operator/values.yaml +++ b/charts/jaeger/jaeger-operator/values.yaml @@ -4,7 +4,7 @@ image: repository: jaegertracing/jaeger-operator - tag: 1.49.0 + tag: 1.52.0 pullPolicy: IfNotPresent imagePullSecrets: [] diff --git a/charts/jenkins/jenkins/CHANGELOG.md b/charts/jenkins/jenkins/CHANGELOG.md index 4e5c1d477..bf1415bd7 100644 --- a/charts/jenkins/jenkins/CHANGELOG.md +++ b/charts/jenkins/jenkins/CHANGELOG.md 
@@ -12,6 +12,14 @@ Use the following links to reference issues, PRs, and commits prior to v2.6.0. The changelog until v1.5.7 was auto-generated based on git commits. Those entries include a reference to the git commit to be able to get more details. +## 4.12.0 + +Add support for [generic ephemeral storage](https://github.com/jenkinsci/kubernetes-plugin/pull/1489) in `agent.volumes` and `agents.workspaceVolume`. + +| plugin | old version | new version | +|------------|---------------------|--------------------| +| kubernetes | 4029.v5712230ccb_f8 | 4174.v4230d0ccd951 | + ## 4.11.2 Fixed documentation for controller.initScripts. diff --git a/charts/jenkins/jenkins/Chart.yaml b/charts/jenkins/jenkins/Chart.yaml index bf3e7b854..43c738094 100644 --- a/charts/jenkins/jenkins/Chart.yaml +++ b/charts/jenkins/jenkins/Chart.yaml @@ -1,7 +1,7 @@ annotations: artifacthub.io/category: integration-delivery artifacthub.io/changes: | - - Fixed documentation for controller.initScripts. + - Add support for [generic ephemeral storage](https://github.com/jenkinsci/kubernetes-plugin/pull/1489) in `agent.volumes` and `agents.workspaceVolume`. artifacthub.io/images: | - name: jenkins image: jenkins/jenkins:2.426.2-jdk17 @@ -51,4 +51,4 @@ sources: - https://github.com/jenkinsci/docker-inbound-agent - https://github.com/maorfr/kube-tasks - https://github.com/jenkinsci/configuration-as-code-plugin -version: 4.11.2 +version: 4.12.0 diff --git a/charts/jenkins/jenkins/templates/_helpers.tpl b/charts/jenkins/jenkins/templates/_helpers.tpl index 6790904b2..1b416c805 100644 --- a/charts/jenkins/jenkins/templates/_helpers.tpl +++ b/charts/jenkins/jenkins/templates/_helpers.tpl 
@@ -462,6 +462,7 @@ Returns kubernetes pod template configuration as code {{- range $index, $volume := .Values.agent.volumes }} -{{- if (eq $volume.type "ConfigMap") }} configMapVolume: {{- else if (eq $volume.type "EmptyDir") }} emptyDirVolume: + {{- else if (eq $volume.type "EphemeralVolume") }} genericEphemeralVolume: {{- else if (eq $volume.type "HostPath") }} hostPathVolume: {{- else if (eq $volume.type "Nfs") }} nfsVolume: {{- else if (eq $volume.type "PVC") }} persistentVolumeClaim: @@ -481,6 +482,8 @@ Returns kubernetes pod template configuration as code dynamicPVC: {{- else if (eq .Values.agent.workspaceVolume.type "EmptyDir") }} emptyDirWorkspaceVolume: + {{- else if (eq .Values.agent.workspaceVolume.type "EphemeralVolume") }} + genericEphemeralVolume: {{- else if (eq .Values.agent.workspaceVolume.type "HostPath") }} hostPathWorkspaceVolume: {{- else if (eq .Values.agent.workspaceVolume.type "Nfs") }} diff --git a/charts/jenkins/jenkins/values.yaml b/charts/jenkins/jenkins/values.yaml index e9cfd9949..cc6e6626d 100644 --- a/charts/jenkins/jenkins/values.yaml +++ b/charts/jenkins/jenkins/values.yaml @@ -247,7 +247,7 @@ controller: # List of plugins to be install during Jenkins controller start installPlugins: - - kubernetes:4029.v5712230ccb_f8 + - kubernetes:4174.v4230d0ccd951 - workflow-aggregator:596.v8c21c963d92d - git:5.1.0 - configuration-as-code:1670.v564dc8b_982d0 @@ -678,7 +678,7 @@ agent: # or simply to clean up the output to make it easier to read. showRawYaml: true # You can define the volumes that you want to mount for this container - # Allowed types are: ConfigMap, EmptyDir, HostPath, Nfs, PVC, Secret + # Allowed types are: ConfigMap, EmptyDir, EphemeralVolume, HostPath, Nfs, PVC, Secret # Configure the attributes as they appear in the corresponding Java class for that type # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes volumes: [] 
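Review bot: In the `workspaceVolume` switch, the new `EphemeralVolume` branch emits `genericEphemeralVolume:` while every other workspace type uses a distinct `...WorkspaceVolume` symbol (`emptyDirWorkspaceVolume`, `hostPathWorkspaceVolume`); as far as I recall the kubernetes plugin registers the workspace variant separately, likely as `genericEphemeralWorkspaceVolume`, so please verify the JCasC symbol against the plugin's `volumes/workspace` package that values.yaml links to, since a wrong symbol fails CasC loading at controller startup rather than at `helm template` time. If `genericEphemeralVolume` is indeed correct for both the pod volume and the workspace volume, a one-line comment on that branch saying so would keep the next reader from "fixing" it.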
@@ -688,6 +688,11 @@ agent: # - type: EmptyDir # mountPath: /var/myapp/myemptydir # memory: false + # - type: EphemeralVolume + # mountPath: /var/myapp/myephemeralvolume + # accessModes: ReadWriteOnce + # requestsSize: 10Gi + # storageClassName: mystorageclass # - type: HostPath # hostPath: /var/lib/containers # mountPath: /var/myapp/myhostpath @@ -707,7 +712,7 @@ agent: # Pod-wide environment, these vars are visible to any container in the agent pod # You can define the workspaceVolume that you want to mount for this container - # Allowed types are: DynamicPVC, EmptyDir, HostPath, Nfs, PVC + # Allowed types are: DynamicPVC, EmptyDir, EphemeralVolume, HostPath, Nfs, PVC # Configure the attributes as they appear in the corresponding Java class for that type # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes/workspace workspaceVolume: {} @@ -717,6 +722,11 @@ agent: ## EmptyDir example # type: EmptyDir # memory: false + ## EphemeralVolume example + # type: EphemeralVolume + # accessModes: ReadWriteOnce + # requestsSize: 10Gi + # storageClassName: mystorageclass ## HostPath example # type: HostPath # hostPath: /var/lib/containers diff --git a/charts/kasten/k10/Chart.lock b/charts/kasten/k10/Chart.lock index ce810c3f9..3dbb3a72a 100644 --- a/charts/kasten/k10/Chart.lock +++ b/charts/kasten/k10/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: grafana repository: "" - version: 7.0.6 + version: 7.1.0 - name: prometheus repository: "" - version: 23.3.0 -digest: sha256:f0a8952e14595bf46c26937938cbe5f2df6cbf508060eb0744d8644f89901430 -generated: "2023-11-28T06:24:21.825604594Z" + version: 25.8.0 +digest: sha256:965a5b858b9f5cb82e571ace5fad6e131a05ab8db434e6ccb7bd7795f0eded54 +generated: "2024-01-13T02:44:31.65822822Z" diff --git a/charts/kasten/k10/Chart.yaml b/charts/kasten/k10/Chart.yaml index 74838134e..5f34a95e5 100644 --- a/charts/kasten/k10/Chart.yaml +++ b/charts/kasten/k10/Chart.yaml 
@@ -4,16 +4,16 @@ annotations: catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/release-name: k10 apiVersion: v2 -appVersion: 6.5.0 +appVersion: 6.5.2 dependencies: - condition: grafana.enabled name: grafana repository: file://./charts/grafana - version: 7.0.6 + version: 7.1.0 - condition: prometheus.server.enabled name: prometheus repository: file://./charts/prometheus - version: 23.3.0 + version: 25.8.0 description: Kasten’s K10 Data Management Platform home: https://kasten.io/ icon: https://docs.kasten.io/_static/logo-kasten-k10-blue-white.png @@ -21,4 +21,4 @@ maintainers: - email: contact@kasten.io name: kastenIO name: k10 -version: 6.5.1 +version: 6.5.201 diff --git a/charts/kasten/k10/README.md b/charts/kasten/k10/README.md index b70cfc2c6..d5cddf826 100644 --- a/charts/kasten/k10/README.md +++ b/charts/kasten/k10/README.md @@ -220,7 +220,7 @@ Parameter | Description | Default `prometheus.server.prefixURL` | (optional) K10 Prometheus prefix slug at which the server can be accessed | `/k10/prometheus/` `prometheus.server.serviceAccounts.server.create` | DEPRECATED: (optional) Set true to create ServiceAccount for Prometheus server service | `true` `grafana.enabled` | (optional) If false Grafana will not be available | `true` -`resources...[requests\|limits].[cpu\|memory]` | Overwrite default K10 [container resource requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | varies by container +`resources...[requests\|limits].[cpu\|memory]` | Overwriting the default K10 [container resource requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | varies depending on the container `route.enabled` | Specifies whether the K10 dashboard should be exposed via route | `false` `route.host` | FQDN (e.g., `.k10.example.com`) for name-based virtual host | `""` `route.path` | URL path for K10 Dashboard (e.g., `/k10`) | `/` 
@@ -258,6 +258,7 @@ Parameter | Description | Default `kanisterPodMetricSidecar.metricLifetime` | Check periodically for metrics that should be removed | `2m` `kanisterPodMetricSidecar.pushGatewayInterval` | Set the interval for sending metrics into the Prometheus | `30s` `maxJobWaitDuration` | Set a maximum duration of waiting for child jobs. If the execution of the subordinate jobs exceeds this value, the parent job will be canceled. If no value is set, a default of 10 hours will be used | `None` +`forceRootInKanisterHooks` | Forces Kanister Execution Hooks to run with root privileges | `true` ## Helm tips and tricks diff --git a/charts/kasten/k10/charts/grafana/Chart.yaml b/charts/kasten/k10/charts/grafana/Chart.yaml index 7564e410c..9eaae7a61 100644 --- a/charts/kasten/k10/charts/grafana/Chart.yaml +++ b/charts/kasten/k10/charts/grafana/Chart.yaml @@ -6,10 +6,10 @@ annotations: - name: Upstream Project url: https://github.com/grafana/grafana apiVersion: v2 -appVersion: 10.1.5 +appVersion: 10.2.3 description: The leading tool for querying and visualizing time series and metrics. -home: https://grafana.net -icon: https://raw.githubusercontent.com/grafana/grafana/master/public/img/logo_transparent_400x.png +home: https://grafana.com +icon: https://artifacthub.io/image/b4fed1a7-6c8f-4945-b99d-096efa3e4116 keywords: - monitoring - metric @@ -30,4 +30,4 @@ sources: - https://github.com/grafana/grafana - https://github.com/grafana/helm-charts type: application -version: 7.0.6 +version: 7.1.0 diff --git a/charts/kasten/k10/charts/grafana/README.md b/charts/kasten/k10/charts/grafana/README.md index 81e5360b9..6f645c564 100644 --- a/charts/kasten/k10/charts/grafana/README.md +++ b/charts/kasten/k10/charts/grafana/README.md 
@@ -48,7 +48,7 @@ This version requires Helm >= 3.1.0. ### To 7.0.0 -For consistency with other Helm charts, the `global.image.registry` parameter was renamed +For consistency with other Helm charts, the `global.image.registry` parameter was renamed to `global.imageRegistry`. If you were not previously setting `global.image.registry`, no action is required on upgrade. If you were previously setting `global.image.registry`, you will need to instead set `global.imageRegistry`. @@ -136,6 +136,7 @@ need to instead set `global.imageRegistry`. | `enableServiceLinks` | Inject Kubernetes services as environment variables. | `true` | | `extraSecretMounts` | Additional grafana server secret mounts | `[]` | | `extraVolumeMounts` | Additional grafana server volume mounts | `[]` | +| `extraVolumes` | Additional Grafana server volumes | `[]` | | `createConfigmap` | Enable creating the grafana configmap | `true` | | `extraConfigmapMounts` | Additional grafana server configMap volume mounts (values are templated) | `[]` | | `extraEmptyDirMounts` | Additional grafana server emptyDir volume mounts | `[]` | 
@@ -174,7 +175,7 @@ need to instead set `global.imageRegistry`. | `sidecar.alerts.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` | | `sidecar.alerts.reloadURL` | Full url of datasource configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/alerting/reload"` | | `sidecar.alerts.skipReload` | Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | `false` | -| `sidecar.alerts.initDatasources` | Set to true to deploy the datasource sidecar as an initContainer. This is needed if skipReload is true, to load any alerts defined at startup time. | `false` | +| `sidecar.alerts.initAlerts` | Set to true to deploy the alerts sidecar as an initContainer. This is needed if skipReload is true, to load any alerts defined at startup time. | `false` | | `sidecar.alerts.extraMounts` | Additional alerts sidecar volume mounts. | `[]` | | `sidecar.dashboards.enabled` | Enables the cluster wide search for dashboards and adds/updates/deletes them in grafana | `false` | | `sidecar.dashboards.SCProvider` | Enables creation of sidecar provider | `true` | 
@@ -315,24 +316,35 @@ ingress: path: "/grafana" ``` -### Example of extraVolumeMounts +### Example of extraVolumeMounts and extraVolumes -Volume can be type persistentVolumeClaim or hostPath but not both at same time. -If neither existingClaim or hostPath argument is given then type is emptyDir. +Configure additional volumes with `extraVolumes` and volume mounts with `extraVolumeMounts`. + +Example for `extraVolumeMounts` and corresponding `extraVolumes`: ```yaml -- extraVolumeMounts: +extraVolumeMounts: - name: plugins mountPath: /var/lib/grafana/plugins subPath: configs/grafana/plugins - existingClaim: existing-grafana-claim readOnly: false - name: dashboards mountPath: /var/lib/grafana/dashboards hostPath: /usr/shared/grafana/dashboards readOnly: false + +extraVolumes: + - name: plugins + existingClaim: existing-grafana-claim + - name: dashboards + hostPath: /usr/shared/grafana/dashboards ``` +Volumes default to `emptyDir`. Set to `persistentVolumeClaim`, +`hostPath`, `csi`, or `configMap` for other types. For a +`persistentVolumeClaim`, specify an existing claim name with +`existingClaim`. + ## Import dashboards There are a few methods to import dashboards to Grafana. Below are some examples and explanations as to how to use each method: 
@@ -544,9 +556,61 @@ delete_notifiers: # default org_id: 1 ``` -## Provision alert rules, contact points, notification policies and notification templates +## Sidecar for alerting resources -There are two methods to provision alerting configuration in Grafana. Below are some examples and explanations as to how to use each method: +If the parameter `sidecar.alerts.enabled` is set, a sidecar container is deployed in the grafana +pod. This container watches all configmaps (or secrets) in the cluster (namespace defined by `sidecar.alerts.searchNamespace`) and filters out the ones with +a label as defined in `sidecar.alerts.label` (default is `grafana_alert`). The files defined in those configmaps are written +to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported alerting resources are updated, however, deletions are a little more complicated (see below). + +This sidecar can be used to provision alert rules, contact points, notification policies, notification templates and mute timings as shown in [Grafana Documentation](https://grafana.com/docs/grafana/next/alerting/set-up/provision-alerting-resources/file-provisioning/). + +To fetch the alert config which will be provisioned, use the alert provisioning API ([Grafana Documentation](https://grafana.com/docs/grafana/next/developers/http_api/alerting_provisioning/)). +You can use either JSON or YAML format. + +Example config for an alert rule: + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: sample-grafana-alert + labels: + grafana_alert: "1" +data: + k8s-alert.yml: |- + apiVersion: 1 + groups: + - orgId: 1 + name: k8s-alert + [...] +``` + +To delete provisioned alert rules is a two step process, you need to delete the configmap which defined the alert rule +and then create a configuration which deletes the alert rule. 
+ +Example deletion configuration: +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: delete-sample-grafana-alert + namespace: monitoring + labels: + grafana_alert: "1" +data: + delete-k8s-alert.yml: |- + apiVersion: 1 + deleteRules: + - orgId: 1 + uid: 16624780-6564-45dc-825c-8bded4ad92d3 +``` + +## Statically provision alerting resources +If you don't need to change alerting resources (alert rules, contact points, notification policies and notification templates) regularly you could use the `alerting` config option instead of the sidecar option above. +This will grab the alerting config and apply it statically at build time for the helm file. + +There are two methods to statically provision alerting configuration in Grafana. Below are some examples and explanations as to how to use each method: ```yaml alerting: 
@@ -576,13 +640,14 @@ alerting: title: '{{ `{{ template "default.title" . }}` }}' ``` -There are two possibilities: +The two possibilities for static alerting resource provisioning are: -* Inlining the file contents as described in the example `values.yaml` and the official [Grafana documentation](https://grafana.com/docs/grafana/next/alerting/set-up/provision-alerting-resources/file-provisioning/). -* Importing a file using a relative path starting from the chart root directory. +* Inlining the file contents as shown for contact points in the above example. +* Importing a file using a relative path starting from the chart root directory as shown for the alert rules in the above example. ### Important notes on file provisioning +* The format of the files is defined in the [Grafana documentation](https://grafana.com/docs/grafana/next/alerting/set-up/provision-alerting-resources/file-provisioning/) on file provisioning. * The chart supports importing YAML and JSON files. * The filename must be unique, otherwise one volume mount will overwrite the other. * In case of inlining, double curly braces that arise from the Grafana configuration format and are not intended as templates for the chart must be escaped. diff --git a/charts/kasten/k10/charts/grafana/templates/_config.tpl b/charts/kasten/k10/charts/grafana/templates/_config.tpl new file mode 100644 index 000000000..19df19cd2 --- /dev/null +++ b/charts/kasten/k10/charts/grafana/templates/_config.tpl 
@@ -0,0 +1,171 @@ +{{/* + Generate config map data + */}} +{{- define "grafana.configData" -}} +{{ include "grafana.assertNoLeakedSecrets" . }} +{{- $files := .Files }} +{{- $root := . -}} +{{- with .Values.plugins }} +plugins: {{ join "," . }} +{{- end }} +grafana.ini: | +{{- range $elem, $elemVal := index .Values "grafana.ini" }} + {{- if not (kindIs "map" $elemVal) }} + {{- if kindIs "invalid" $elemVal }} + {{ $elem }} = + {{- else if kindIs "string" $elemVal }} + {{ $elem }} = {{ tpl $elemVal $ }} + {{- else }} + {{ $elem }} = {{ $elemVal }} + {{- end }} + {{- end }} +{{- end }} +{{- range $key, $value := index .Values "grafana.ini" }} + {{- if kindIs "map" $value }} + [{{ $key }}] + {{- range $elem, $elemVal := $value }} + {{- if kindIs "invalid" $elemVal }} + {{ $elem }} = + {{- else if kindIs "string" $elemVal }} + {{ $elem }} = {{ tpl $elemVal $ }} + {{- else }} + {{ $elem }} = {{ $elemVal }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} + +{{- range $key, $value := .Values.datasources }} +{{- if not (hasKey $value "secret") }} +{{ $key }}: | + {{- tpl (toYaml $value | nindent 2) $root }} +{{- end }} +{{- end }} + +{{- range $key, $value := .Values.notifiers }} +{{- if not (hasKey $value "secret") }} +{{ $key }}: | + {{- toYaml $value | nindent 2 }} +{{- end }} +{{- end }} + +{{- range $key, $value := .Values.alerting }} +{{- if (hasKey $value "file") }} +{{ $key }}: +{{- toYaml ( $files.Get $value.file ) | nindent 2 }} +{{- else if (or (hasKey $value "secret") (hasKey $value "secretFile"))}} +{{/* will be stored inside secret generated by "configSecret.yaml"*/}} +{{- else }} +{{ $key }}: | + {{- tpl (toYaml $value | nindent 2) $root }} +{{- end }} +{{- end }} + +{{- range $key, $value := .Values.dashboardProviders }} +{{ $key }}: | + {{- toYaml $value | nindent 2 }} +{{- end }} + +{{- if .Values.dashboards }} +download_dashboards.sh: | + #!/usr/bin/env sh + set -euf + {{- if .Values.dashboardProviders }} + {{- range $key, $value := 
.Values.dashboardProviders }} + {{- range $value.providers }} + mkdir -p {{ .options.path }} + {{- end }} + {{- end }} + {{- end }} +{{ $dashboardProviders := .Values.dashboardProviders }} +{{- range $provider, $dashboards := .Values.dashboards }} + {{- range $key, $value := $dashboards }} + {{- if (or (hasKey $value "gnetId") (hasKey $value "url")) }} + curl -skf \ + --connect-timeout 60 \ + --max-time 60 \ + {{- if not $value.b64content }} + {{- if not $value.acceptHeader }} + -H "Accept: application/json" \ + {{- else }} + -H "Accept: {{ $value.acceptHeader }}" \ + {{- end }} + {{- if $value.token }} + -H "Authorization: token {{ $value.token }}" \ + {{- end }} + {{- if $value.bearerToken }} + -H "Authorization: Bearer {{ $value.bearerToken }}" \ + {{- end }} + {{- if $value.basic }} + -H "Authorization: Basic {{ $value.basic }}" \ + {{- end }} + {{- if $value.gitlabToken }} + -H "PRIVATE-TOKEN: {{ $value.gitlabToken }}" \ + {{- end }} + -H "Content-Type: application/json;charset=UTF-8" \ + {{- end }} + {{- $dpPath := "" -}} + {{- range $kd := (index $dashboardProviders "dashboardproviders.yaml").providers }} + {{- if eq $kd.name $provider }} + {{- $dpPath = $kd.options.path }} + {{- end }} + {{- end }} + {{- if $value.url }} + "{{ $value.url }}" \ + {{- else }} + "https://grafana.com/api/dashboards/{{ $value.gnetId }}/revisions/{{- if $value.revision -}}{{ $value.revision }}{{- else -}}1{{- end -}}/download" \ + {{- end }} + {{- if $value.datasource }} + {{- if kindIs "string" $value.datasource }} + | sed '/-- .* --/! s/"datasource":.*,/"datasource": "{{ $value.datasource }}",/g' \ + {{- end }} + {{- if kindIs "slice" $value.datasource }} + {{- range $value.datasource }} + | sed '/-- .* --/! 
s/${{"{"}}{{ .name }}}/{{ .value }}/g' \ + {{- end }} + {{- end }} + {{- end }} + {{- if $value.b64content }} + | base64 -d \ + {{- end }} + > "{{- if $dpPath -}}{{ $dpPath }}{{- else -}}/var/lib/grafana/dashboards/{{ $provider }}{{- end -}}/{{ $key }}.json" + {{ end }} + {{- end }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + Generate dashboard json config map data + */}} +{{- define "grafana.configDashboardProviderData" -}} +provider.yaml: |- + apiVersion: 1 + providers: + - name: '{{ .Values.sidecar.dashboards.provider.name }}' + orgId: {{ .Values.sidecar.dashboards.provider.orgid }} + {{- if not .Values.sidecar.dashboards.provider.foldersFromFilesStructure }} + folder: '{{ .Values.sidecar.dashboards.provider.folder }}' + {{- end }} + type: {{ .Values.sidecar.dashboards.provider.type }} + disableDeletion: {{ .Values.sidecar.dashboards.provider.disableDelete }} + allowUiUpdates: {{ .Values.sidecar.dashboards.provider.allowUiUpdates }} + updateIntervalSeconds: {{ .Values.sidecar.dashboards.provider.updateIntervalSeconds | default 30 }} + options: + foldersFromFilesStructure: {{ .Values.sidecar.dashboards.provider.foldersFromFilesStructure }} + path: {{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }} +{{- end -}} + +{{- define "grafana.secretsData" -}} +{{- if and (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) }} +admin-user: {{ .Values.adminUser | b64enc | quote }} +{{- if .Values.adminPassword }} +admin-password: {{ .Values.adminPassword | b64enc | quote }} +{{- else }} +admin-password: {{ include "grafana.password" . }} +{{- end }} +{{- end }} +{{- if not .Values.ldap.existingSecret }} +ldap-toml: {{ tpl .Values.ldap.config $ | b64enc | quote }} +{{- end }} +{{- end -}} 
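Review bot: In the `download_dashboards.sh` section of `grafana.configData`, the dashboard download credentials (`$value.token`, `$value.bearerToken`, `$value.basic`, `$value.gitlabToken`) are rendered in plaintext into the ConfigMap, while the `grafana.assertNoLeakedSecrets` call at the top of the same define inspects only `grafana.ini`, so the new guard gives no coverage for these values. The `curl -skf` invocation also disables TLS certificate verification (`-k`) for every dashboard download, including user-supplied `$value.url` targets. Both behaviours are carried over from the old configmap.yaml rather than introduced by this commit, but now that this helper is the single rendering point it should say so; a header comment such as `{{/* NOTE: dashboard download tokens are emitted in plaintext into the ConfigMap and are not covered by grafana.assertNoLeakedSecrets; curl runs with -k (no certificate verification) */}}` above the `download_dashboards.sh` block would make the trade-off visible to maintainers.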
diff --git a/charts/kasten/k10/charts/grafana/templates/_helpers.tpl b/charts/kasten/k10/charts/grafana/templates/_helpers.tpl
index ead2449e3..44c00f357 100644
--- a/charts/kasten/k10/charts/grafana/templates/_helpers.tpl
+++ b/charts/kasten/k10/charts/grafana/templates/_helpers.tpl
@@ -225,3 +225,52 @@ Formats imagePullSecrets. Input is (dict "root" . "imagePullSecrets" .{specific {{- end }} {{- $secretFound}} {{- end -}} + +{{/* + Checks whether the user is attempting to store secrets in plaintext + in the grafana.ini configmap +*/}} +{{/* grafana.assertNoLeakedSecrets checks for sensitive keys in values */}} +{{- define "grafana.assertNoLeakedSecrets" -}} + {{- $sensitiveKeysYaml := ` +sensitiveKeys: +- path: ["database", "password"] +- path: ["smtp", "password"] +- path: ["security", "secret_key"] +- path: ["security", "admin_password"] +- path: ["auth.basic", "password"] +- path: ["auth.ldap", "bind_password"] +- path: ["auth.google", "client_secret"] +- path: ["auth.github", "client_secret"] +- path: ["auth.gitlab", "client_secret"] +- path: ["auth.generic_oauth", "client_secret"] +- path: ["auth.okta", "client_secret"] +- path: ["auth.azuread", "client_secret"] +- path: ["auth.grafana_com", "client_secret"] +- path: ["auth.grafananet", "client_secret"] +- path: ["azure", "user_identity_client_secret"] +- path: ["unified_alerting", "ha_redis_password"] +- path: ["metrics", "basic_auth_password"] +- path: ["external_image_storage.s3", "secret_key"] +- path: ["external_image_storage.webdav", "password"] +- path: ["external_image_storage.azure_blob", "account_key"] +` | fromYaml -}} + {{- if $.Values.assertNoLeakedSecrets -}} + {{- $grafanaIni := index .Values "grafana.ini" -}} + {{- range $_, $secret := $sensitiveKeysYaml.sensitiveKeys -}} + {{- $currentMap := $grafanaIni -}} + {{- $shouldContinue := true -}} + {{- range $index, $elem := $secret.path -}} + {{- if and $shouldContinue (hasKey $currentMap $elem) -}} + {{- if eq (len $secret.path) (add1 $index) -}} + {{- fail (printf "Sensitive key '%s' should not be defined explicitly in values. Use variable expansion instead." (join "." 
$secret.path)) -}} + {{- else -}} + {{- $currentMap = index $currentMap $elem -}} + {{- end -}} + {{- else -}} + {{- $shouldContinue = false -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} diff --git a/charts/kasten/k10/charts/grafana/templates/_pod.tpl b/charts/kasten/k10/charts/grafana/templates/_pod.tpl index dd93679b9..29bd83cfa 100644 --- a/charts/kasten/k10/charts/grafana/templates/_pod.tpl +++ b/charts/kasten/k10/charts/grafana/templates/_pod.tpl @@ -14,6 +14,13 @@ securityContext: hostAliases: {{- toYaml . | nindent 2 }} {{- end }} +{{- if .Values.dnsPolicy }} +dnsPolicy: {{ .Values.dnsPolicy }} +{{- end }} +{{- with .Values.dnsConfig }} +dnsConfig: + {{- toYaml . | nindent 2 }} +{{- end }} {{- with .Values.priorityClassName }} priorityClassName: {{ . }} {{- end }} @@ -411,7 +418,7 @@ containers: mountPath: "/etc/grafana/provisioning/alerting" {{- with .Values.sidecar.alerts.extraMounts }} {{- toYaml . | trim | nindent 6 }} - {{- end }} + {{- end }} {{- end}} {{- if .Values.sidecar.dashboards.enabled }} - name: {{ include "grafana.name" . }}-sc-dashboard 
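Review bot: `grafana.assertNoLeakedSecrets` descends with `$currentMap = index $currentMap $elem` and then calls `hasKey $currentMap $elem` on the result without checking that it is still a map, so a user who sets a section name such as `database` to a scalar gets a template type error instead of a clear message. A guard like `{{- if and $shouldContinue (kindIs "map" $currentMap) (hasKey $currentMap $elem) -}}` keeps the check from breaking on such values. The check is also a fixed denylist of grafana.ini paths, so any sensitive key outside that list still renders into the ConfigMap; the doc comment here and the `assertNoLeakedSecrets` description in the values.yaml hunk `@@ -1269,3 +1300,13 @@` should state that this is best-effort coverage for known keys rather than a guarantee that no secret reaches the ConfigMap. Two header comments precede the define (`Checks whether the user ...` and `grafana.assertNoLeakedSecrets checks ...`); one is enough.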
@@ -898,26 +905,47 @@ containers: {{- end }} {{- end }} {{- with .Values.datasources }} + {{- $datasources := . }} {{- range (keys . | sortAlpha) }} + {{- if (or (hasKey (index $datasources .) "secret")) }} {{/*check if current datasource should be handeled as secret */}} + - name: config-secret + mountPath: "/etc/grafana/provisioning/datasources/{{ . }}" + subPath: {{ . | quote }} + {{- else }} - name: config mountPath: "/etc/grafana/provisioning/datasources/{{ . }}" subPath: {{ . | quote }} {{- end }} {{- end }} + {{- end }} {{- with .Values.notifiers }} + {{- $notifiers := . }} {{- range (keys . | sortAlpha) }} + {{- if (or (hasKey (index $notifiers .) "secret")) }} {{/*check if current notifier should be handeled as secret */}} + - name: config-secret + mountPath: "/etc/grafana/provisioning/notifiers/{{ . }}" + subPath: {{ . | quote }} + {{- else }} - name: config mountPath: "/etc/grafana/provisioning/notifiers/{{ . }}" subPath: {{ . | quote }} {{- end }} {{- end }} + {{- end }} {{- with .Values.alerting }} + {{- $alertingmap := .}} {{- range (keys . | sortAlpha) }} + {{- if (or (hasKey (index $.Values.alerting .) "secret") (hasKey (index $.Values.alerting .) "secretFile")) }} {{/*check if current alerting entry should be handeled as secret */}} + - name: config-secret + mountPath: "/etc/grafana/provisioning/alerting/{{ . }}" + subPath: {{ . | quote }} + {{- else }} - name: config mountPath: "/etc/grafana/provisioning/alerting/{{ . }}" subPath: {{ . | quote }} {{- end }} {{- end }} + {{- end }} {{- with .Values.dashboardProviders }} {{- range (keys . | sortAlpha) }} - name: config 
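Review bot: In the alerting branch, `$alertingmap := .` is captured but never used; the condition reaches for `$.Values.alerting` instead, while the datasources and notifiers branches just above use their captured `$datasources`/`$notifiers`. Using `(index $alertingmap .)` in both `hasKey` calls, or dropping the unused variable, keeps the three blocks consistent. The `(or (hasKey ...))` wrapper with a single argument in the datasources and notifiers conditions is a no-op and reads as if a second condition were missing; `{{- if hasKey (index $datasources .) "secret" }}` is clearer. The inline comments also misspell "handled" as "handeled" three times.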
@@ -1097,6 +1125,12 @@ volumes: - name: config configMap: name: {{ include "grafana.fullname" . }} + {{- $createConfigSecret := eq (include "grafana.shouldCreateConfigSecret" .) "true" -}} + {{- if and .Values.createConfigmap $createConfigSecret }} + - name: config-secret + secret: + secretName: {{ include "grafana.fullname" . }}-config-secret + {{- end }} {{- range .Values.extraConfigmapMounts }} - name: {{ tpl .name $root }} configMap: @@ -1230,7 +1264,7 @@ volumes: {{ toYaml .hostPath | nindent 6 }} {{- else if .csi }} csi: - {{- toYaml .data | nindent 6 }} + {{- toYaml .csi | nindent 6 }} {{- else if .configMap }} configMap: {{- toYaml .configMap | nindent 6 }} @@ -1246,4 +1280,3 @@ volumes: {{- tpl (toYaml .) $root | nindent 2 }} {{- end }} {{- end }} - diff --git a/charts/kasten/k10/charts/grafana/templates/configmap-dashboard-provider.yaml b/charts/kasten/k10/charts/grafana/templates/configmap-dashboard-provider.yaml index 1f706a8bb..b412c4d1f 100644 --- a/charts/kasten/k10/charts/grafana/templates/configmap-dashboard-provider.yaml +++ b/charts/kasten/k10/charts/grafana/templates/configmap-dashboard-provider.yaml 
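Review bot: The `config-secret` volume added here is emitted only when both `.Values.createConfigmap` and `grafana.shouldCreateConfigSecret` hold, but the volumeMounts introduced in the `_pod.tpl` hunk `@@ -898,26 +905,47 @@` reference `config-secret` purely on whether a datasource, notifier or alerting entry carries `secret`/`secretFile`, so with `createConfigmap: false` a pod can mount a volume that is never declared and the Pod spec is rejected. Unless `grafana.shouldCreateConfigSecret` (defined outside this diff) already ties the two conditions together, the mount sites should be gated the same way, or this block should `fail` early with a clear message. A comment above the `$createConfigSecret` line, `{{/* config-secret must exist whenever _pod.tpl mounts it; keep this condition in sync with the datasource/notifier/alerting mount gates */}}`, would record the dependency.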
@@ -11,19 +11,5 @@ metadata: name: {{ include "grafana.fullname" . }}-config-dashboards namespace: {{ include "grafana.namespace" . }} data: - provider.yaml: |- - apiVersion: 1 - providers: - - name: '{{ .Values.sidecar.dashboards.provider.name }}' - orgId: {{ .Values.sidecar.dashboards.provider.orgid }} - {{- if not .Values.sidecar.dashboards.provider.foldersFromFilesStructure }} - folder: '{{ .Values.sidecar.dashboards.provider.folder }}' - {{- end }} - type: {{ .Values.sidecar.dashboards.provider.type }} - disableDeletion: {{ .Values.sidecar.dashboards.provider.disableDelete }} - allowUiUpdates: {{ .Values.sidecar.dashboards.provider.allowUiUpdates }} - updateIntervalSeconds: {{ .Values.sidecar.dashboards.provider.updateIntervalSeconds | default 30 }} - options: - foldersFromFilesStructure: {{ .Values.sidecar.dashboards.provider.foldersFromFilesStructure }} - path: {{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }} + {{- include "grafana.configDashboardProviderData" . | nindent 2 }} {{- end }} diff --git a/charts/kasten/k10/charts/grafana/templates/configmap.yaml b/charts/kasten/k10/charts/grafana/templates/configmap.yaml index 7b837d90b..7d7428be5 100644 --- a/charts/kasten/k10/charts/grafana/templates/configmap.yaml +++ b/charts/kasten/k10/charts/grafana/templates/configmap.yaml @@ -1,6 +1,4 @@ {{- if .Values.createConfigmap }} -{{- $files := .Files }} -{{- $root := . -}} apiVersion: v1 kind: ConfigMap metadata: 
@@ -13,132 +11,5 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} data: - {{- with .Values.plugins }} - plugins: {{ join "," . }} - {{- end }} - grafana.ini: | - {{- range $elem, $elemVal := index .Values "grafana.ini" }} - {{- if not (kindIs "map" $elemVal) }} - {{- if kindIs "invalid" $elemVal }} - {{ $elem }} = - {{- else if kindIs "string" $elemVal }} - {{ $elem }} = {{ tpl $elemVal $ }} - {{- else }} - {{ $elem }} = {{ $elemVal }} - {{- end }} - {{- end }} - {{- end }} - {{- range $key, $value := index .Values "grafana.ini" }} - {{- if kindIs "map" $value }} - [{{ $key }}] - {{- range $elem, $elemVal := $value }} - {{- if kindIs "invalid" $elemVal }} - {{ $elem }} = - {{- else if kindIs "string" $elemVal }} - {{ $elem }} = {{ tpl $elemVal $ }} - {{- else }} - {{ $elem }} = {{ $elemVal }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - - {{- range $key, $value := .Values.datasources }} - {{- if not (hasKey $value "secret") }} - {{- $key | nindent 2 }}: | - {{- tpl (toYaml $value | nindent 4) $root }} - {{- end }} - {{- end }} - - {{- range $key, $value := .Values.notifiers }} - {{- if not (hasKey $value "secret") }} - {{- $key | nindent 2 }}: | - {{- toYaml $value | nindent 4 }} - {{- end }} - {{- end }} - - {{- range $key, $value := .Values.alerting }} - {{- if (hasKey $value "file") }} - {{- $key | nindent 2 }}: - {{- toYaml ( $files.Get $value.file ) | nindent 4}} - {{- else if (or (hasKey $value "secret") (hasKey $value "secretFile"))}} - {{/* will be stored inside secret generated by "configSecret.yaml"*/}} - {{- else }} - {{- $key | nindent 2 }}: | - {{- tpl (toYaml $value | nindent 4) $root }} - {{- end }} - {{- end }} - - {{- range $key, $value := .Values.dashboardProviders }} - {{- $key | nindent 2 }}: | - {{- toYaml $value | nindent 4 }} - {{- end }} - -{{- if .Values.dashboards }} - download_dashboards.sh: | - #!/usr/bin/env sh - set -euf - {{- if .Values.dashboardProviders }} - {{- range $key, $value := .Values.dashboardProviders }} - {{- 
range $value.providers }} - mkdir -p {{ .options.path }} - {{- end }} - {{- end }} - {{- end }} - {{ $dashboardProviders := .Values.dashboardProviders }} - {{- range $provider, $dashboards := .Values.dashboards }} - {{- range $key, $value := $dashboards }} - {{- if (or (hasKey $value "gnetId") (hasKey $value "url")) }} - curl -skf \ - --connect-timeout 60 \ - --max-time 60 \ - {{- if not $value.b64content }} - {{- if not $value.acceptHeader }} - -H "Accept: application/json" \ - {{- else }} - -H "Accept: {{ $value.acceptHeader }}" \ - {{- end }} - {{- if $value.token }} - -H "Authorization: token {{ $value.token }}" \ - {{- end }} - {{- if $value.bearerToken }} - -H "Authorization: Bearer {{ $value.bearerToken }}" \ - {{- end }} - {{- if $value.basic }} - -H "Authorization: Basic {{ $value.basic }}" \ - {{- end }} - {{- if $value.gitlabToken }} - -H "PRIVATE-TOKEN: {{ $value.gitlabToken }}" \ - {{- end }} - -H "Content-Type: application/json;charset=UTF-8" \ - {{- end }} - {{- $dpPath := "" -}} - {{- range $kd := (index $dashboardProviders "dashboardproviders.yaml").providers }} - {{- if eq $kd.name $provider }} - {{- $dpPath = $kd.options.path }} - {{- end }} - {{- end }} - {{- if $value.url }} - "{{ $value.url }}" \ - {{- else }} - "https://grafana.com/api/dashboards/{{ $value.gnetId }}/revisions/{{- if $value.revision -}}{{ $value.revision }}{{- else -}}1{{- end -}}/download" \ - {{- end }} - {{- if $value.datasource }} - {{- if kindIs "string" $value.datasource }} - | sed '/-- .* --/! s/"datasource":.*,/"datasource": "{{ $value.datasource }}",/g' \ - {{- end }} - {{- if kindIs "slice" $value.datasource }} - {{- range $value.datasource }} - | sed '/-- .* --/! 
s/${{"{"}}{{ .name }}}/{{ .value }}/g' \ - {{- end }} - {{- end }} - {{- end }} - {{- if $value.b64content }} - | base64 -d \ - {{- end }} - > "{{- if $dpPath -}}{{ $dpPath }}{{- else -}}/var/lib/grafana/dashboards/{{ $provider }}{{- end -}}/{{ $key }}.json" - {{ end }} - {{- end }} - {{- end }} -{{- end }} + {{- include "grafana.configData" . | nindent 2 }} {{- end }} diff --git a/charts/kasten/k10/charts/grafana/templates/deployment.yaml b/charts/kasten/k10/charts/grafana/templates/deployment.yaml index bfa26bb40..46c016faa 100644 --- a/charts/kasten/k10/charts/grafana/templates/deployment.yaml +++ b/charts/kasten/k10/charts/grafana/templates/deployment.yaml 
@@ -33,14 +33,16 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/config: {{ include "grafana.configData" . | sha256sum }} + {{- if .Values.dashboards }} checksum/dashboards-json-config: {{ include (print $.Template.BasePath "/dashboards-json-configmap.yaml") . | sha256sum }} - checksum/sc-dashboard-provider-config: {{ include (print $.Template.BasePath "/configmap-dashboard-provider.yaml") . | sha256sum }} + {{- end }} + checksum/sc-dashboard-provider-config: {{ include "grafana.configDashboardProviderData" . | sha256sum }} {{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} - checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + checksum/secret: {{ include "grafana.secretsData" . | sha256sum }} {{- end }} {{- if .Values.envRenderSecret }} - checksum/secret-env: {{ include (print $.Template.BasePath "/secret-env.yaml") . | sha256sum }} + checksum/secret-env: {{ tpl (toYaml .Values.envRenderSecret) . | sha256sum }} {{- end }} kubectl.kubernetes.io/default-container: {{ .Chart.Name }} {{- with .Values.podAnnotations }} diff --git a/charts/kasten/k10/charts/grafana/templates/ingress.yaml b/charts/kasten/k10/charts/grafana/templates/ingress.yaml index 063cdfaa5..b2ffd8109 100644 --- a/charts/kasten/k10/charts/grafana/templates/ingress.yaml +++ b/charts/kasten/k10/charts/grafana/templates/ingress.yaml @@ -34,7 +34,7 @@ spec: rules: {{- if .Values.ingress.hosts }} {{- range .Values.ingress.hosts }} - - host: {{ tpl . $ }} + - host: {{ tpl . $ | quote }} http: paths: {{- with $extraPaths }} 
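Review bot: `checksum/secret` and `checksum/secret-env` now hash `grafana.secretsData` and `tpl (toYaml .Values.envRenderSecret) .` directly, so an unsalted SHA-256 of the (base64-encoded) admin password, the LDAP config and every `envRenderSecret` value is written into a pod-template annotation. Pod metadata is commonly readable by more principals than Secrets, and a deterministic hash of a low-entropy password is an offline guessing oracle for anyone who can list pods. The previous template-path includes hashed the same material, so the exposure is not new, but this hunk makes the dependency explicit and should document it: a comment such as `# NOTE: these checksums are a deterministic hash of secret material; the admin password and envRenderSecret values should be high-entropy` next to `checksum/secret` would make the trade-off visible.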
diff --git a/charts/kasten/k10/charts/grafana/templates/networkpolicy.yaml b/charts/kasten/k10/charts/grafana/templates/networkpolicy.yaml index ea4578bec..4cd3ed697 100644 --- a/charts/kasten/k10/charts/grafana/templates/networkpolicy.yaml +++ b/charts/kasten/k10/charts/grafana/templates/networkpolicy.yaml @@ -27,8 +27,17 @@ spec: {{- if .Values.networkPolicy.egress.enabled }} egress: + {{- if not .Values.networkPolicy.egress.blockDNSResolution }} + - ports: + - port: 53 + protocol: UDP + {{- end }} - ports: {{ .Values.networkPolicy.egress.ports | toJson }} + {{- with .Values.networkPolicy.egress.to }} + to: + {{- toYaml . | nindent 12 }} + {{- end }} {{- end }} {{- if .Values.networkPolicy.ingress }} ingress: diff --git a/charts/kasten/k10/charts/grafana/templates/secret.yaml b/charts/kasten/k10/charts/grafana/templates/secret.yaml index 5cbd52744..fd2ca50f4 100644 --- a/charts/kasten/k10/charts/grafana/templates/secret.yaml +++ b/charts/kasten/k10/charts/grafana/templates/secret.yaml @@ -12,15 +12,5 @@ metadata: {{- end }} type: Opaque data: - {{- if and (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) }} - admin-user: {{ .Values.adminUser | b64enc | quote }} - {{- if .Values.adminPassword }} - admin-password: {{ .Values.adminPassword | b64enc | quote }} - {{- else }} - admin-password: {{ include "grafana.password" . }} - {{- end }} - {{- end }} - {{- if not .Values.ldap.existingSecret }} - ldap-toml: {{ tpl .Values.ldap.config $ | b64enc | quote }} - {{- end }} + {{- include "grafana.secretsData" . | nindent 2 }} {{- end }} diff --git a/charts/kasten/k10/charts/grafana/templates/service.yaml b/charts/kasten/k10/charts/grafana/templates/service.yaml index 9102c1eec..e9396a15c 100644 --- a/charts/kasten/k10/charts/grafana/templates/service.yaml +++ b/charts/kasten/k10/charts/grafana/templates/service.yaml 
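Review bot: The DNS egress rule added when `blockDNSResolution` is false has no `to:` selector, so it allows UDP/53 to any destination inside or outside the cluster, and it omits TCP/53, which resolvers fall back to for truncated responses. Restricting the rule to the cluster resolver, for example with a `to:` entry combining a `namespaceSelector` and `podSelector` matching the DNS pods, and listing both `protocol: UDP` and `protocol: TCP` on port 53, keeps the policy tight without breaking lookups. The `to:` block for the user-supplied ports rule is rendered with `nindent 12`; that depth depends on indentation outside this hunk, so it is worth rendering once with `networkPolicy.egress.to` set to confirm it lands under the same list item as `ports`.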
@@ -21,10 +21,13 @@ spec: clusterIP: {{ . }} {{- end }} {{- else if eq .Values.service.type "LoadBalancer" }} - type: {{ .Values.service.type }} + type: LoadBalancer {{- with .Values.service.loadBalancerIP }} loadBalancerIP: {{ . }} {{- end }} + {{- with .Values.service.loadBalancerClass }} + loadBalancerClass: {{ . }} + {{- end }} {{- with .Values.service.loadBalancerSourceRanges }} loadBalancerSourceRanges: {{- toYaml . | nindent 4 }} diff --git a/charts/kasten/k10/charts/grafana/templates/servicemonitor.yaml b/charts/kasten/k10/charts/grafana/templates/servicemonitor.yaml index 72396828f..035901352 100644 --- a/charts/kasten/k10/charts/grafana/templates/servicemonitor.yaml +++ b/charts/kasten/k10/charts/grafana/templates/servicemonitor.yaml @@ -12,7 +12,7 @@ metadata: labels: {{- include "grafana.labels" . | nindent 4 }} {{- with .Values.serviceMonitor.labels }} - {{- toYaml . | nindent 4 }} + {{- tpl (toYaml . | nindent 4) $ }} {{- end }} spec: endpoints: diff --git a/charts/kasten/k10/charts/grafana/values.yaml b/charts/kasten/k10/charts/grafana/values.yaml index ab259791a..7820d3de9 100644 --- a/charts/kasten/k10/charts/grafana/values.yaml +++ b/charts/kasten/k10/charts/grafana/values.yaml @@ -116,6 +116,16 @@ testFramework: imagePullPolicy: IfNotPresent securityContext: {} +# dns configuration for pod +dnsPolicy: ~ +dnsConfig: {} + # nameservers: + # - 8.8.8.8 + # options: + # - name: ndots + # value: "2" + # - name: edns0 + securityContext: runAsNonRoot: true runAsUser: 472 @@ -197,6 +207,9 @@ gossipPortName: gossip service: enabled: true type: ClusterIP + loadBalancerIP: "" + loadBalancerClass: "" + loadBalancerSourceRanges: [] port: 80 targetPort: 3000 # targetPort: 4181 To be used with a proxy extraContainer 
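Review bot: The new `loadBalancerIP`, `loadBalancerClass` and `loadBalancerSourceRanges` defaults in the values.yaml hunk `@@ -197,6 +207,9 @@` carry no comments, and the empty `loadBalancerSourceRanges: []` is the one that matters: with `service.type: LoadBalancer` an empty list means the load balancer accepts traffic from any source. A comment such as `# Client CIDRs allowed to reach a LoadBalancer service; empty means unrestricted` above it would make the exposure explicit. It is also worth noting next to `loadBalancerClass` that service.yaml only honours it on the `LoadBalancer` branch.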
@@ -530,15 +543,22 @@ extraVolumeMounts: [] # - name: extra-volume-0 # mountPath: /mnt/volume0 # readOnly: true - # existingClaim: volume-claim # - name: extra-volume-1 # mountPath: /mnt/volume1 # readOnly: true - # hostPath: /usr/shared/ # - name: grafana-secrets # mountPath: /mnt/volume2 - # csi: true - # data: + +## Additional Grafana server volumes +extraVolumes: [] + # - name: extra-volume-0 + # existingClaim: volume-claim + # - name: extra-volume-1 + # hostPath: + # path: /usr/shared/ + # type: "" + # - name: grafana-secrets + # csi: # driver: secrets-store.csi.k8s.io # readOnly: true # volumeAttributes: @@ -975,8 +995,8 @@ sidecar: # Absolute path to shell script to execute after a datasource got reloaded script: null skipReload: false - # Deploy the datasource sidecar as an initContainer in addition to a container. # This is needed if skipReload is true, to load any datasources defined at startup time. + # Deploy the datasources sidecar as an initContainer. initDatasources: false # Sets the size limit of the datasource sidecar emptyDir volume sizeLimit: {} @@ -1241,14 +1261,25 @@ networkPolicy: ## created allowing grafana to connect to external data sources from kubernetes cluster. enabled: false ## + ## @param networkPolicy.egress.blockDNSResolution When enabled, DNS resolution will be blocked + ## for all pods in the grafana namespace. + blockDNSResolution: false + ## ## @param networkPolicy.egress.ports Add individual ports to be allowed by the egress ports: [] ## Add ports to the egress by specifying - port: ## E.X. - ## ports: - ## - port: 80 - ## - port: 443 - ## + ## - port: 80 + ## - port: 443 + ## + ## @param networkPolicy.egress.to Allow egress traffic to specific destinations + to: [] + ## Add destinations to the egress by specifying - ipBlock: + ## E.X. + ## to: + ## - namespaceSelector: + ## matchExpressions: + ## - {key: role, operator: In, values: [grafana]} ## ## ## 
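Review bot: The comment for `networkPolicy.egress.blockDNSResolution` says DNS resolution "will be blocked for all pods in the grafana namespace", but a NetworkPolicy only affects the pods its `podSelector` matches; unless the policy's selector (outside this diff) is empty, the wording overstates the scope and should read `## When enabled, no DNS egress rule is added for the grafana pods selected by this policy.` The `networkPolicy.egress.to` comment says destinations are added "by specifying - ipBlock:" while the example beneath it uses a `namespaceSelector`; either align the sentence with the example or state that any NetworkPolicyPeer (`ipBlock`, `namespaceSelector`, `podSelector`) is accepted.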
@@ -1269,3 +1300,13 @@ extraObjects: [] # data: # - key: grafana-admin-password # name: adminPassword + +# assertNoLeakedSecrets is a helper function defined in _helpers.tpl that checks if secret +# values are not exposed in the rendered grafana.ini configmap. It is enabled by default. +# +# To pass values into grafana.ini without exposing them in a configmap, use variable expansion: +# https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion +# +# Alternatively, if you wish to allow secret values to be exposed in the rendered grafana.ini configmap, +# you can disable this check by setting assertNoLeakedSecrets to false. +assertNoLeakedSecrets: true diff --git a/charts/kasten/k10/charts/prometheus/.helmignore b/charts/kasten/k10/charts/prometheus/.helmignore new file mode 100644 index 000000000..825c00779 --- /dev/null +++ b/charts/kasten/k10/charts/prometheus/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj + +OWNERS diff --git a/charts/kasten/k10/charts/prometheus/Chart.yaml b/charts/kasten/k10/charts/prometheus/Chart.yaml index ad7c43d42..2de86f50a 100644 --- a/charts/kasten/k10/charts/prometheus/Chart.yaml +++ b/charts/kasten/k10/charts/prometheus/Chart.yaml 
@@ -6,20 +6,20 @@ annotations: - name: Upstream Project url: https://github.com/prometheus/prometheus apiVersion: v2 -appVersion: v2.46.0 +appVersion: v2.48.0 dependencies: - condition: alertmanager.enabled name: alertmanager repository: https://prometheus-community.github.io/helm-charts - version: 0.33.* + version: 1.7.* - condition: kube-state-metrics.enabled name: kube-state-metrics repository: https://prometheus-community.github.io/helm-charts - version: 5.10.* + version: 5.15.* - condition: prometheus-node-exporter.enabled name: prometheus-node-exporter repository: https://prometheus-community.github.io/helm-charts - version: 4.21.* + version: 4.24.* - condition: prometheus-pushgateway.enabled name: prometheus-pushgateway repository: https://prometheus-community.github.io/helm-charts @@ -30,7 +30,7 @@ icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/a keywords: - monitoring - prometheus -kubeVersion: '>=1.16.0-0' +kubeVersion: '>=1.19.0-0' maintainers: - email: gianrubio@gmail.com name: gianrubio @@ -50,4 +50,4 @@ sources: - https://github.com/prometheus/node_exporter - https://github.com/kubernetes/kube-state-metrics type: application -version: 23.3.0 +version: 25.8.0 diff --git a/charts/kasten/k10/charts/prometheus/README.md b/charts/kasten/k10/charts/prometheus/README.md index 51d422977..2cb744ce8 100644 --- a/charts/kasten/k10/charts/prometheus/README.md +++ b/charts/kasten/k10/charts/prometheus/README.md @@ -6,7 +6,7 @@ This chart bootstraps a [Prometheus](https://prometheus.io/) deployment on a [Ku ## Prerequisites -- Kubernetes 1.16+ +- Kubernetes 1.19+ - Helm 3.7+ ## Get Repository Info 
@@ -65,6 +65,19 @@ helm upgrade [RELEASE_NAME] prometheus-community/prometheus --install _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ +### To 25.0 + +The `server.remoteRead[].url` and `server.remoteWrite[].url` fields now support templating. Allowing for `url` values such as `https://{{ .Release.Name }}.example.com`. + +Any entries in these which previously included `{{` or `}}` must be escaped with `{{ "{{" }}` and `{{ "}}" }}` respectively. Entries which did not previously include the template-like syntax will not be affected. + +### To 24.0 + +Require Kubernetes 1.19+ + +Release 1.0.0 of the _alertmanager_ replaced [configmap-reload](https://github.com/jimmidyson/configmap-reload) with [prometheus-config-reloader](https://github.com/prometheus-operator/prometheus-operator/tree/main/cmd/prometheus-config-reloader). +Extra command-line arguments specified via `configmapReload.prometheus.extraArgs` are not compatible and will break with the new prometheus-config-reloader. Please, refer to the [sources](https://github.com/prometheus-operator/prometheus-operator/blob/main/cmd/prometheus-config-reloader/main.go) in order to make the appropriate adjustment to the extra command-line arguments. + ### To 23.0 Release 5.0.0 of the _kube-state-metrics_ chart introduced a separation of the `image.repository` value in two distinct values: @@ -73,7 +86,7 @@ Release 5.0.0 of the _kube-state-metrics_ chart introduced a separation of the ` image: registry: registry.k8s.io repository: kube-state-metrics/kube-state-metrics - ``` +``` If a custom values file or CLI flags set `kube-state.metrics.image.repository`, please, set the new values accordingly. diff --git a/charts/kasten/k10/charts/prometheus/charts/alertmanager/Chart.yaml b/charts/kasten/k10/charts/prometheus/charts/alertmanager/Chart.yaml index ac4c4b0d3..08fdd03c6 100644 --- a/charts/kasten/k10/charts/prometheus/charts/alertmanager/Chart.yaml 
+++ b/charts/kasten/k10/charts/prometheus/charts/alertmanager/Chart.yaml @@ -1,16 +1,17 @@ annotations: + artifacthub.io/license: Apache-2.0 artifacthub.io/links: | - name: Chart Source url: https://github.com/prometheus-community/helm-charts apiVersion: v2 -appVersion: v0.25.0 +appVersion: v0.26.0 description: The Alertmanager handles alerts sent by client applications such as the Prometheus server. home: https://prometheus.io/ icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png keywords: - monitoring -kubeVersion: '>=1.16.0-0' +kubeVersion: '>=1.19.0-0' maintainers: - email: monotek23@gmail.com name: monotek @@ -20,4 +21,4 @@ name: alertmanager sources: - https://github.com/prometheus/alertmanager type: application -version: 0.33.1 +version: 1.7.0 diff --git a/charts/kasten/k10/charts/prometheus/charts/alertmanager/README.md b/charts/kasten/k10/charts/prometheus/charts/alertmanager/README.md index 5cfa65e64..d3f4df73a 100644 --- a/charts/kasten/k10/charts/prometheus/charts/alertmanager/README.md +++ b/charts/kasten/k10/charts/prometheus/charts/alertmanager/README.md 
@@ -47,6 +47,12 @@ helm upgrade [RELEASE_NAME] [CHART] --install _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ +### To 1.0 + +The [configmap-reload](https://github.com/jimmidyson/configmap-reload) container was replaced by the [prometheus-config-reloader](https://github.com/prometheus-operator/prometheus-operator/tree/main/cmd/prometheus-config-reloader). +Extra command-line arguments specified via configmapReload.prometheus.extraArgs are not compatible and will break with the new prometheus-config-reloader, refer to the [sources](https://github.com/prometheus-operator/prometheus-operator/blob/main/cmd/prometheus-config-reloader/main.go) in order to make the appropriate adjustment to the extea command-line arguments. +The `networking.k8s.io/v1beta1` is no longer supported. use [`networking.k8s.io/v1`](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingressclass-v122). + ## Configuration See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands: diff --git a/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/_helpers.tpl b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/_helpers.tpl index 5ce4db73d..86cca2607 100644 --- a/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/_helpers.tpl +++ b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/_helpers.tpl 
@@ -86,13 +86,7 @@ Create the name of the service account to use Define Ingress apiVersion */}} {{- define "alertmanager.ingress.apiVersion" -}} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }} {{- printf "networking.k8s.io/v1" }} -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }} -{{- printf "networking.k8s.io/v1beta1" }} -{{- else }} -{{- printf "extensions/v1beta1" }} -{{- end }} {{- end }} {{/* diff --git a/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/configmap.yaml b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/configmap.yaml index 9ed6c02a2..9e5882dc8 100644 --- a/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/configmap.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/configmap.yaml @@ -1,4 +1,4 @@ -{{- if .Values.config }} +{{- if .Values.config.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -12,7 +12,8 @@ metadata: namespace: {{ include "alertmanager.namespace" . }} data: alertmanager.yml: | - {{- toYaml .Values.config | default "{}" | nindent 4 }} + {{- $config := omit .Values.config "enabled" }} + {{- toYaml $config | default "{}" | nindent 4 }} {{- range $key, $value := .Values.templates }} {{ $key }}: |- {{- $value | nindent 4 }} diff --git a/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/ingress.yaml b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/ingress.yaml index 8de79d7c2..e729a8ad3 100644 --- a/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/ingress.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/ingress.yaml 
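Review bot: `{{- if .Values.config.enabled }}` in configmap.yaml dereferences a key on `.Values.config`, so a values file that previously disabled the ConfigMap with `config: null` should now error at render time (nil map access), and one using `config: {}` will silently start rendering the ConfigMap again because `enabled: true` comes from the chart defaults. The same condition is introduced for the `config` volume and volumeMount in statefulset.yaml. Guarding the access, e.g. `{{- if (.Values.config | default dict).enabled }}`, keeps old values files working, and the new `config.enabled` switch deserves a line in the README's "To 1.0" upgrade notes.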
@@ -1,11 +1,6 @@ {{- if .Values.ingress.enabled }} {{- $fullName := include "alertmanager.fullname" . }} {{- $svcPort := .Values.service.port }} -{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} -{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} -{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} -{{- end }} -{{- end }} apiVersion: {{ include "alertmanager.ingress.apiVersion" . }} kind: Ingress metadata: @@ -18,7 +13,7 @@ metadata: {{- end }} namespace: {{ include "alertmanager.namespace" . }} spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + {{- if .Values.ingress.className }} ingressClassName: {{ .Values.ingress.className }} {{- end }} {{- if .Values.ingress.tls }} @@ -38,19 +33,12 @@ spec: paths: {{- range .paths }} - path: {{ .path }} - {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} pathType: {{ .pathType }} - {{- end }} backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} service: name: {{ $fullName }} port: number: {{ $svcPort }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} - {{- end }} {{- end }} {{- end }} {{- end }} diff --git a/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/ingressperreplica.yaml b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/ingressperreplica.yaml new file mode 100644 index 000000000..6f5a02350 --- /dev/null +++ b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/ingressperreplica.yaml 
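Review bot: `pathType: {{ .pathType }}` is now emitted unconditionally, so a path entry without `pathType` renders an empty scalar; on `networking.k8s.io/v1`, which is all the helper now returns, the field is required, so the object is rejected either way and the simplest values file cannot work. A default makes that case valid: `pathType: {{ .pathType | default "ImplementationSpecific" }}`. Removing the `kubernetes.io/ingress.class` annotation fallback is consistent with the `kubeVersion: '>=1.19.0-0'` bump in Chart.yaml.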
@@ -0,0 +1,56 @@ +{{- if and .Values.servicePerReplica.enabled .Values.ingressPerReplica.enabled }} +{{- $pathType := .Values.ingressPerReplica.pathType }} +{{- $count := .Values.replicaCount | int -}} +{{- $servicePort := .Values.service.port -}} +{{- $ingressValues := .Values.ingressPerReplica -}} +{{- $fullName := include "alertmanager.fullname" . }} +apiVersion: v1 +kind: List +metadata: + name: {{ $fullName }}-ingressperreplica + namespace: {{ include "alertmanager.namespace" . }} +items: +{{- range $i, $e := until $count }} + - kind: Ingress + apiVersion: {{ include "alertmanager.ingress.apiVersion" $ }} + metadata: + name: {{ $fullName }}-{{ $i }} + namespace: {{ include "alertmanager.namespace" $ }} + labels: + {{- include "alertmanager.labels" $ | nindent 8 }} + {{- if $ingressValues.labels }} +{{ toYaml $ingressValues.labels | indent 8 }} + {{- end }} + {{- if $ingressValues.annotations }} + annotations: +{{ toYaml $ingressValues.annotations | indent 8 }} + {{- end }} + spec: + {{- if $ingressValues.className }} + ingressClassName: {{ $ingressValues.className }} + {{- end }} + rules: + - host: {{ $ingressValues.hostPrefix }}-{{ $i }}.{{ $ingressValues.hostDomain }} + http: + paths: + {{- range $p := $ingressValues.paths }} + - path: {{ tpl $p $ }} + pathType: {{ $pathType }} + backend: + service: + name: {{ $fullName }}-{{ $i }} + port: + name: http + {{- end -}} + {{- if or $ingressValues.tlsSecretName $ingressValues.tlsSecretPerReplica.enabled }} + tls: + - hosts: + - {{ $ingressValues.hostPrefix }}-{{ $i }}.{{ $ingressValues.hostDomain }} + {{- if $ingressValues.tlsSecretPerReplica.enabled }} + secretName: {{ $ingressValues.tlsSecretPerReplica.prefix }}-{{ $i }} + {{- else }} + secretName: {{ $ingressValues.tlsSecretName }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} 
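Review bot: `hostDomain` is rendered straight from values, and values.yaml ships `hostDomain: "domain.com"` as the default, so enabling `ingressPerReplica` without overriding it publishes `alertmanager-0.domain.com` rules for a public domain the operator does not own, in front of an endpoint that nothing in this template protects with authentication. Reading the value once through `required` makes the omission visible at render time: `{{- $hostDomain := required "ingressPerReplica.hostDomain must be set" $ingressValues.hostDomain }}`, then use `$hostDomain` in both the `host:` and `tls.hosts` lines. The `and .Values.servicePerReplica.enabled` gate also means a user who enables only `ingressPerReplica` gets no objects and no message; a `fail` when `ingressPerReplica.enabled` is set without `servicePerReplica.enabled` would be more helpful than silent output.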
diff --git a/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/serviceperreplica.yaml b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/serviceperreplica.yaml new file mode 100644 index 000000000..faa75b3ba --- /dev/null +++ b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/serviceperreplica.yaml @@ -0,0 +1,44 @@ +{{- if and .Values.servicePerReplica.enabled }} +{{- $count := .Values.replicaCount | int -}} +{{- $serviceValues := .Values.servicePerReplica -}} +apiVersion: v1 +kind: List +metadata: + name: {{ include "alertmanager.fullname" . }}-serviceperreplica + namespace: {{ include "alertmanager.namespace" . }} +items: +{{- range $i, $e := until $count }} + - apiVersion: v1 + kind: Service + metadata: + name: {{ include "alertmanager.fullname" $ }}-{{ $i }} + namespace: {{ include "alertmanager.namespace" $ }} + labels: + {{- include "alertmanager.labels" $ | nindent 8 }} + {{- if $serviceValues.annotations }} + annotations: +{{ toYaml $serviceValues.annotations | indent 8 }} + {{- end }} + spec: + {{- if $serviceValues.clusterIP }} + clusterIP: {{ $serviceValues.clusterIP }} + {{- end }} + {{- if $serviceValues.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := $serviceValues.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} + {{- end }} + {{- if ne $serviceValues.type "ClusterIP" }} + externalTrafficPolicy: {{ $serviceValues.externalTrafficPolicy }} + {{- end }} + ports: + - name: http + port: {{ $.Values.service.port }} + targetPort: http + selector: + {{- include "alertmanager.selectorLabels" $ | nindent 8 }} + statefulset.kubernetes.io/pod-name: {{ include "alertmanager.fullname" $ }}-{{ $i }} + type: "{{ $serviceValues.type }}" +{{- end }} +{{- end }} diff --git a/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/services.yaml b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/services.yaml index ce0876c77..9637ae758 100644 
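Review bot: `loadBalancerSourceRanges` only takes effect for `type: LoadBalancer`; with `type: NodePort` each replica's port is opened on every node with no equivalent restriction in this template, and nothing here or in the matching per-replica Ingress puts authentication in front of the Alertmanager API. The values default of `loadBalancerSourceRanges: []` therefore means an unrestricted load balancer as soon as the type is switched. A comment on `servicePerReplica.type` in values.yaml spelling this out, or rendering `loadBalancerSourceRanges` only when `$serviceValues.type` is `LoadBalancer` so that a setting on another type is not silently ignored, would help operators.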
--- a/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/services.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/services.yaml @@ -4,6 +4,9 @@ metadata: name: {{ include "alertmanager.fullname" . }} labels: {{- include "alertmanager.labels" . | nindent 4 }} + {{- with .Values.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- with .Values.service.annotations }} annotations: {{- toYaml . | nindent 4 }} @@ -28,6 +31,9 @@ spec: {{- if (and (eq .Values.service.type "NodePort") .Values.service.nodePort) }} nodePort: {{ .Values.service.nodePort }} {{- end }} + {{- with .Values.service.extraPorts }} + {{- toYaml . | nindent 4 }} + {{- end }} selector: {{- include "alertmanager.selectorLabels" . | nindent 4 }} --- @@ -37,6 +43,9 @@ metadata: name: {{ include "alertmanager.fullname" . }}-headless labels: {{- include "alertmanager.labels" . | nindent 4 }} + {{- with .Values.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} namespace: {{ include "alertmanager.namespace" . }} spec: clusterIP: None @@ -47,13 +56,16 @@ spec: name: http {{- if or (gt (int .Values.replicaCount) 1) (.Values.additionalPeers) }} - port: {{ .Values.service.clusterPort }} - targetPort: {{ .Values.service.clusterPort }} + targetPort: clusterpeer-tcp protocol: TCP name: cluster-tcp - port: {{ .Values.service.clusterPort }} - targetPort: {{ .Values.service.clusterPort }} + targetPort: clusterpeer-udp protocol: UDP name: cluster-udp {{- end }} + {{- with .Values.service.extraPorts }} + {{- toYaml . | nindent 4 }} + {{- end }} selector: {{- include "alertmanager.selectorLabels" . | nindent 4 }} diff --git a/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/statefulset.yaml b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/statefulset.yaml index 0c4733a1b..8b0af0633 100644 --- a/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/statefulset.yaml 
+++ b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/statefulset.yaml @@ -12,6 +12,7 @@ metadata: namespace: {{ include "alertmanager.namespace" . }} spec: replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} selector: matchLabels: {{- include "alertmanager.selectorLabels" . | nindent 6 }} @@ -97,18 +98,36 @@ spec: - name: {{ .Chart.Name }}-{{ .Values.configmapReload.name }} image: "{{ .Values.configmapReload.image.repository }}:{{ .Values.configmapReload.image.tag }}" imagePullPolicy: "{{ .Values.configmapReload.image.pullPolicy }}" + {{- with .Values.configmapReload.extraEnv }} + env: + {{- toYaml . | nindent 12 }} + {{- end }} args: - - --volume-dir=/etc/alertmanager - - --webhook-url=http://127.0.0.1:9093/-/reload + {{- if and (hasKey .Values.configmapReload.extraArgs "config-file" | not) (hasKey .Values.configmapReload.extraArgs "watched-dir" | not) }} + - --watched-dir=/etc/alertmanager + {{- end }} + {{- if not (hasKey .Values.configmapReload.extraArgs "reload-url") }} + - --reload-url=http://127.0.0.1:9093/-/reload + {{- end }} + {{- range $key, $value := .Values.configmapReload.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} resources: {{- toYaml .Values.configmapReload.resources | nindent 12 }} {{- with .Values.configmapReload.containerPort }} ports: - containerPort: {{ . }} {{- end }} + {{- with .Values.configmapReload.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: - name: config mountPath: /etc/alertmanager + {{- if .Values.configmapReload.extraVolumeMounts }} + {{- toYaml .Values.configmapReload.extraVolumeMounts | nindent 12 }} + {{- end }} {{- end }} - name: {{ .Chart.Name }} securityContext: 
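Review bot: `- --{{ $key }}={{ $value }}` emits each extra argument as a bare YAML scalar, so a value containing `: `, ` #` or a leading special character changes the meaning of the rendered list item instead of being passed to the reloader. Rendering it quoted avoids that: `- {{ printf "--%s=%v" $key $value | quote }}`. The new `configmapReload.securityContext` block is only rendered when set and its default in values.yaml is `{}`, so the sidecar runs without the `drop: [ALL]` / `readOnlyRootFilesystem` / `runAsNonRoot` settings the values comment lists; shipping those as the default rather than as a commented example is the safer baseline for a container whose job, per its arguments, is to watch `/etc/alertmanager` and POST to localhost.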
@@ -130,7 +149,9 @@ spec: {{- end }} args: - --storage.path=/alertmanager + {{- if not (hasKey .Values.extraArgs "config.file") }} - --config.file=/etc/alertmanager/alertmanager.yml + {{- end }} {{- if or (gt (int .Values.replicaCount) 1) (.Values.additionalPeers) }} - --cluster.advertise-address=[$(POD_IP)]:{{ $svcClusterPort }} - --cluster.listen-address=0.0.0.0:{{ $svcClusterPort }} @@ -153,6 +174,14 @@ spec: - name: http containerPort: 9093 protocol: TCP + {{- if or (gt (int .Values.replicaCount) 1) (.Values.additionalPeers) }} + - name: clusterpeer-tcp + containerPort: {{ $svcClusterPort }} + protocol: TCP + - name: clusterpeer-udp + containerPort: {{ $svcClusterPort }} + protocol: UDP + {{- end }} livenessProbe: {{- toYaml .Values.livenessProbe | nindent 12 }} readinessProbe: @@ -160,7 +189,7 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} volumeMounts: - {{- if .Values.config }} + {{- if .Values.config.enabled }} - name: config mountPath: /etc/alertmanager {{- end }} @@ -179,7 +208,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} volumes: - {{- if .Values.config }} + {{- if .Values.config.enabled }} - name: config configMap: name: {{ include "alertmanager.fullname" . }} 
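Review bot: When `config.enabled` is false the `config` volume and its mount are no longer rendered, but `--config.file=/etc/alertmanager/alertmanager.yml` is still passed unless `extraArgs` contains a `config.file` key, so the pod starts pointing at a path nothing mounts. That is presumably intended for users who mount their own configuration there, but it is easy to get wrong; a comment on `config.enabled` in values.yaml such as `# When false, no ConfigMap is created and you must provide /etc/alertmanager/alertmanager.yml yourself (or set extraArgs.config.file)` would make the contract explicit. The container spec continues outside this hunk.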
@@ -201,24 +230,24 @@ spec: name: storage spec: accessModes: - {{- toYaml .Values.persistence.accessModes | nindent 10 }} + {{- toYaml .Values.persistence.accessModes | nindent 10 }} resources: requests: storage: {{ .Values.persistence.size }} - {{- if .Values.persistence.storageClass }} - {{- if (eq "-" .Values.persistence.storageClass) }} + {{- if .Values.persistence.storageClass }} + {{- if (eq "-" .Values.persistence.storageClass) }} storageClassName: "" - {{- else }} + {{- else }} storageClassName: {{ .Values.persistence.storageClass }} - {{- end }} - {{- else if .Values.global.persistence.storageClass }} - {{- if (eq "-" .Values.global.persistence.storageClass) }} + {{- end }} + {{- else if .Values.global.persistence.storageClass }} + {{- if (eq "-" .Values.global.persistence.storageClass) }} storageClassName: "" - {{- else }} + {{- else }} storageClassName: "{{ .Values.global.persistence.storageClass }}" + {{- end }} {{- end }} - {{- end }} - {{- else }} - - name: storage - emptyDir: {} - {{- end }} + {{- else }} + - name: storage + emptyDir: { } + {{- end }} diff --git a/charts/kasten/k10/charts/prometheus/charts/alertmanager/values.schema.json b/charts/kasten/k10/charts/prometheus/charts/alertmanager/values.schema.json index dea5bc69e..172dbcf3e 100644 --- a/charts/kasten/k10/charts/prometheus/charts/alertmanager/values.schema.json +++ b/charts/kasten/k10/charts/prometheus/charts/alertmanager/values.schema.json @@ -807,6 +807,10 @@ "description": "Alertmanager configuration.", "type": "object", "properties": { + "enabled": { + "description": "Whether to create alermanager configmap or not.", + "type": "boolean" + }, "global": { "description": "Global configuration options.", "type": "object" diff --git a/charts/kasten/k10/charts/prometheus/charts/alertmanager/values.yaml b/charts/kasten/k10/charts/prometheus/charts/alertmanager/values.yaml index f70040f22..5dcbfc1bd 100644 --- a/charts/kasten/k10/charts/prometheus/charts/alertmanager/values.yaml 
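Review bot: The schema description added for `config.enabled` reads `Whether to create alermanager configmap or not.`; `alermanager` is a typo for `alertmanager`, and since this string surfaces in generated documentation and validation output it is worth fixing now. A description that also mentions the consequence for the `config` volume mount in the StatefulSet would spare readers a trip to the templates.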
+++ b/charts/kasten/k10/charts/prometheus/charts/alertmanager/values.yaml @@ -12,6 +12,10 @@ enabled: false replicaCount: 1 +# Number of old history to retain to allow rollback +# Default Kubernetes value is set to 10 +revisionHistoryLimit: 10 + image: repository: quay.io/prometheus/alertmanager pullPolicy: IfNotPresent @@ -109,6 +113,7 @@ readinessProbe: service: annotations: {} + labels: {} type: ClusterIP port: 9093 clusterPort: 9094 @@ -117,6 +122,27 @@ service: # if you want to force a specific nodePort. Must be use with service.type=NodePort # nodePort: + # Optionally specify extra list of additional ports exposed on both services + extraPorts: [] + +# Configuration for creating a separate Service for each statefulset Alertmanager replica +# +servicePerReplica: + enabled: false + annotations: {} + + # Loadbalancer source IP ranges + # Only used if servicePerReplica.type is "LoadBalancer" + loadBalancerSourceRanges: [] + + # Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints + # + externalTrafficPolicy: Cluster + + # Service type + # + type: ClusterIP + ingress: enabled: false className: "" 
@@ -133,6 +159,50 @@ ingress: # hosts: # - alertmanager.domain.com +# Configuration for creating an Ingress that will map to each Alertmanager replica service +# alertmanager.servicePerReplica must be enabled +# +ingressPerReplica: + enabled: false + + # className for the ingresses + # + className: "" + + annotations: {} + labels: {} + + # Final form of the hostname for each per replica ingress is + # {{ ingressPerReplica.hostPrefix }}-{{ $replicaNumber }}.{{ ingressPerReplica.hostDomain }} + # + # Prefix for the per replica ingress that will have `-$replicaNumber` + # appended to the end + hostPrefix: "alertmanager" + # Domain that will be used for the per replica ingress + hostDomain: "domain.com" + + # Paths to use for ingress rules + # + paths: + - / + + # PathType for ingress rules + # + pathType: ImplementationSpecific + + # Secret name containing the TLS certificate for alertmanager per replica ingress + # Secret must be manually created in the namespace + tlsSecretName: "" + + # Separated secret for each per replica Ingress. Can be used together with cert-manager + # + tlsSecretPerReplica: + enabled: false + # Final form of the secret for each per replica ingress is + # {{ tlsSecretPerReplica.prefix }}-{{ $replicaNumber }} + # + prefix: "alertmanager" + resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -211,6 +281,7 @@ configAnnotations: {} # slack_api_url: '${vault:secret/data/slack-hook-alerts#URL}' config: + enabled: true global: {} # slack_api_url: '' @@ -230,7 +301,7 @@ config: repeat_interval: 3h ## Monitors ConfigMap changes and POSTs to a URL -## Ref: https://github.com/jimmidyson/configmap-reload +## Ref: https://github.com/prometheus-operator/prometheus-operator/tree/main/cmd/prometheus-config-reloader ## configmapReload: ## If false, the configmap-reload container will not be deployed 
@@ -244,8 +315,8 @@ configmapReload: ## configmap-reload container image ## image: - repository: jimmidyson/configmap-reload - tag: v0.8.0 + repository: quay.io/prometheus-operator/prometheus-config-reloader + tag: v0.66.0 pullPolicy: IfNotPresent # containerPort: 9533 @@ -255,6 +326,28 @@ configmapReload: ## resources: {} + extraArgs: {} + + ## Optionally specify extra list of additional volumeMounts + extraVolumeMounts: [] + # - name: extras + # mountPath: /usr/share/extras + # readOnly: true + + ## Optionally specify extra environment variables to add to alertmanager container + extraEnv: [] + # - name: FOO + # value: BAR + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsUser: 65534 + # runAsNonRoot: true + # runAsGroup: 65534 + templates: {} # alertmanager.tmpl: |- diff --git a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/Chart.yaml b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/Chart.yaml index 4361a8afd..4342ac861 100644 --- a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/Chart.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/Chart.yaml @@ -4,7 +4,7 @@ annotations: - name: Chart Source url: https://github.com/prometheus-community/helm-charts apiVersion: v2 -appVersion: 2.9.2 +appVersion: 2.10.1 description: Install kube-state-metrics to generate and expose cluster-level metrics home: https://github.com/kubernetes/kube-state-metrics/ keywords: @@ -23,4 +23,4 @@ name: kube-state-metrics sources: - https://github.com/kubernetes/kube-state-metrics/ type: application -version: 5.10.1 +version: 5.15.2 diff --git a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/crs-configmap.yaml b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/crs-configmap.yaml index 72986a607..d38a75a51 100644 --- a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/crs-configmap.yaml 
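Review bot: The new values comment says `## Optionally specify extra environment variables to add to alertmanager container`, but `configmapReload.extraEnv` is rendered into the configmap-reload sidecar in statefulset.yaml, not the Alertmanager container; suggest `## Optionally specify extra environment variables to add to the configmap-reload container`. The image switch to `quay.io/prometheus-operator/prometheus-config-reloader` is pinned by tag only (`v0.66.0`); if this vendored copy is meant to be reproducible, pinning by digest or recording the expected digest would protect against tag reuse. The `securityContext: {}` default leaves the hardening settings in the comment inert; consider making them the default.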
+++ b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/crs-configmap.yaml @@ -3,6 +3,13 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "kube-state-metrics.fullname" . }}-customresourcestate-config + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + {{- if .Values.annotations }} + annotations: + {{ toYaml .Values.annotations | nindent 4 }} + {{- end }} data: config.yaml: | {{- toYaml .Values.customResourceState.config | nindent 4 }} diff --git a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml index 1ee76bd59..2aedc9201 100644 --- a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml @@ -18,6 +18,11 @@ spec: matchLabels: {{- include "kube-state-metrics.selectorLabels" . | indent 6 }} replicas: {{ .Values.replicas }} + {{- if not .Values.autosharding.enabled }} + strategy: + type: {{ .Values.updateStrategy | default "RollingUpdate" }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} {{- if .Values.autosharding.enabled }} serviceName: {{ template "kube-state-metrics.fullname" . }} volumeClaimTemplates: [] @@ -39,6 +44,10 @@ spec: {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} + {{- with .Values.initContainers }} + initContainers: + {{- toYaml . | nindent 6 }} + {{- end }} containers: {{- $httpPort := ternary 9090 (.Values.service.port | default 8080) .Values.kubeRBACProxy.enabled}} {{- $telemetryPort := ternary 9091 (.Values.selfMonitor.telemetryPort | default 8081) .Values.kubeRBACProxy.enabled}} 
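Review bot: `{{ toYaml .Values.annotations | nindent 4 }}` keeps the template's own leading spaces and then `nindent` adds a newline plus four more, so the rendered ConfigMap contains a whitespace-only line between `annotations:` and the first key, while the `labels` line just above trims with `{{-`. `{{- toYaml .Values.annotations | nindent 4 }}` produces the expected output; the same pattern is added in rbac-configmap.yaml in the next hunk. Both ConfigMaps now carry the chart labels, which is a welcome consistency fix.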
@@ -235,6 +244,9 @@ spec: {{- end }} {{- end }} {{- end }} + {{- with .Values.containers }} + {{- toYaml . | nindent 6 }} + {{- end }} {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} imagePullSecrets: {{- include "kube-state-metrics.imagePullSecrets" (dict "Values" .Values "imagePullSecrets" .Values.imagePullSecrets) | indent 8 }} diff --git a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/rbac-configmap.yaml b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/rbac-configmap.yaml index 39ed577c1..671dc9d66 100644 --- a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/rbac-configmap.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/rbac-configmap.yaml @@ -4,6 +4,12 @@ kind: ConfigMap metadata: name: {{ template "kube-state-metrics.fullname" . }}-rbac-config namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + {{- if .Values.annotations }} + annotations: + {{ toYaml .Values.annotations | nindent 4 }} + {{- end }} data: config-file.yaml: |+ authorization: diff --git a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/servicemonitor.yaml b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/servicemonitor.yaml index f98b3f36a..e2cde649a 100644 --- a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/servicemonitor.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/templates/servicemonitor.yaml 
@@ -7,11 +7,11 @@ metadata: labels: {{- include "kube-state-metrics.labels" . | indent 4 }} {{- with .Values.prometheus.monitor.additionalLabels }} - {{- toYaml . | nindent 4 }} + {{- tpl (toYaml . | nindent 4) $ }} {{- end }} {{- with .Values.prometheus.monitor.annotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- tpl (toYaml . | nindent 4) $ }} {{- end }} spec: jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.monitor.jobLabel }} @@ -24,6 +24,13 @@ spec: {{- toYaml . | trim | nindent 4 }} {{- end }} {{- include "servicemonitor.scrapeLimits" .Values.prometheus.monitor | indent 2 }} + {{- if .Values.prometheus.monitor.namespaceSelector }} + namespaceSelector: + matchNames: + {{- with .Values.prometheus.monitor.namespaceSelector }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- end }} selector: matchLabels: {{- with .Values.prometheus.monitor.selectorOverride }} @@ -42,6 +49,9 @@ spec: {{- if .Values.prometheus.monitor.proxyUrl }} proxyUrl: {{ .Values.prometheus.monitor.proxyUrl}} {{- end }} + {{- if .Values.prometheus.monitor.enableHttp2 }} + enableHttp2: {{ .Values.prometheus.monitor.enableHttp2}} + {{- end }} {{- if .Values.prometheus.monitor.honorLabels }} honorLabels: true {{- end }} @@ -78,6 +88,9 @@ spec: {{- if .Values.prometheus.monitor.proxyUrl }} proxyUrl: {{ .Values.prometheus.monitor.proxyUrl}} {{- end }} + {{- if .Values.prometheus.monitor.enableHttp2 }} + enableHttp2: {{ .Values.prometheus.monitor.enableHttp2}} + {{- end }} {{- if .Values.prometheus.monitor.honorLabels }} honorLabels: true {{- end }} diff --git a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/values.yaml b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/values.yaml index 011f14c09..ee6e1a9f7 100644 --- a/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/values.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/kube-state-metrics/values.yaml 
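Review bot: `{{- if .Values.prometheus.monitor.enableHttp2 }}` means an explicit `enableHttp2: false` renders nothing, so the only setting the new option can actually express is `true`. Testing for presence instead of truthiness fixes it: `{{- if hasKey .Values.prometheus.monitor "enableHttp2" }}`; the same line is added twice in this file, once per endpoint block. Separately, `additionalLabels` and `annotations` now pass through `tpl`, so any `{{` in existing values is evaluated as template code with access to the full `$` root, including `.Values`; that is a behaviour change for users with literal braces in annotations and deserves a line in the upgrade notes.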
@@ -37,6 +37,13 @@ autosharding: replicas: 1 +# Change the deployment strategy when autosharding is disabled +# updateStrategy: Recreate + +# Number of old history to retain to allow rollback +# Default Kubernetes value is set to 10 +revisionHistoryLimit: 10 + # List of additional cli arguments to configure kube-state-metrics # for example: --enable-gzip-encoding, --log-file, etc. # all the possible args can be found here: https://github.com/kubernetes/kube-state-metrics/blob/master/docs/cli-arguments.md @@ -142,6 +149,7 @@ prometheus: annotations: {} additionalLabels: {} namespace: "" + namespaceSelector: [] jobLabel: "" targetLabels: [] podTargetLabels: [] @@ -167,6 +175,8 @@ prometheus: labelValueLengthLimit: 0 scrapeTimeout: "" proxyUrl: "" + ## Whether to enable HTTP2 for servicemonitor + # enableHttp2: false selectorOverride: {} honorLabels: false metricRelabelings: [] @@ -434,3 +444,13 @@ extraManifests: [] # name: prometheus-extra # data: # extra-data: "value" + +## Containers allows injecting additional containers. +containers: [] + # - name: crd-init + # image: kiwigrid/k8s-sidecar:latest + +## InitContainers allows injecting additional initContainers. +initContainers: [] + # - name: crd-sidecar + # image: kiwigrid/k8s-sidecar:latest diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/Chart.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/Chart.yaml index 9825e857d..ae934c9fb 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/Chart.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/Chart.yaml @@ -4,7 +4,7 @@ annotations: - name: Chart Source url: https://github.com/prometheus-community/helm-charts apiVersion: v2 -appVersion: 1.6.0 +appVersion: 1.7.0 description: A Helm chart for prometheus node-exporter home: https://github.com/prometheus/node_exporter/ keywords: 
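Review bot: The examples for the new `containers` and `initContainers` values use `kiwigrid/k8s-sidecar:latest`; since these blocks get copied verbatim, an example with a pinned tag (a placeholder such as `kiwigrid/k8s-sidecar:<version>`) would avoid unpinned images landing in real deployments. `namespaceSelector: []` is documented only by its name; per the servicemonitor template an empty list omits the field, so a comment like `# Namespaces to select; empty omits namespaceSelector from the ServiceMonitor` would help.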
@@ -22,4 +22,4 @@ name: prometheus-node-exporter sources: - https://github.com/prometheus/node_exporter/ type: application -version: 4.21.0 +version: 4.24.0 diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/README.md b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/README.md index 5dbfa3289..ef8384410 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/README.md +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/README.md @@ -1,18 +1,18 @@ -# Prometheus `Node Exporter` +# Prometheus Node Exporter Prometheus exporter for hardware and OS metrics exposed by *NIX kernels, written in Go with pluggable metric collectors. -This chart bootstraps a prometheus [`Node Exporter`](http://github.com/prometheus/node_exporter) daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. +This chart bootstraps a Prometheus [Node Exporter](http://github.com/prometheus/node_exporter) daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. ## Get Repository Info - + ```console helm repo add prometheus-community https://prometheus-community.github.io/helm-charts helm repo update ``` -_See [`helm repo`](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + ## Install Chart ```console 
@@ -36,15 +36,11 @@ _See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command doc ## Upgrading Chart ```console -helm upgrade [RELEASE_NAME] [CHART] --install +helm upgrade [RELEASE_NAME] prometheus-community/prometheus-node-exporter --install ``` _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ -### 4.16 to 4.17+ - -`containerSecurityContext.readOnlyRootFilesystem` is set to `true` by default. - ### 3.x to 4.x Starting from version 4.0.0, the `node exporter` chart is using the [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). Therefore you have to delete the daemonset before you upgrade. diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/_helpers.tpl b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/_helpers.tpl index bf20a5433..b67bc0e84 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/_helpers.tpl +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/_helpers.tpl @@ -79,6 +79,7 @@ component: node-exporter release: {{ .Release.Name }} {{- end }} + {{/* Create the name of the service account to use */}} diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/clusterrole.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/clusterrole.yaml index 1fd91150f..c256dba73 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/clusterrole.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/clusterrole.yaml 
@@ -3,7 +3,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ include "prometheus-node-exporter.fullname" . }} - namespace: {{ include "prometheus-node-exporter.namespace" . }} labels: {{- include "prometheus-node-exporter.labels" . | nindent 4 }} rules: diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/daemonset.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/daemonset.yaml index c8a71add1..a5116a89e 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/daemonset.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/daemonset.yaml @@ -13,6 +13,7 @@ spec: selector: matchLabels: {{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} {{- with .Values.updateStrategy }} updateStrategy: {{- toYaml . | nindent 4 }} diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/extra-manifests.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/extra-manifests.yaml index 567f7bf32..2b21b7106 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/extra-manifests.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/extra-manifests.yaml @@ -1,4 +1,4 @@ {{ range .Values.extraManifests }} --- -{{ tpl (toYaml .) $ }} +{{ tpl . $ }} {{ end }} diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/rbac-configmap.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/rbac-configmap.yaml index 3936cbdf9..814e11033 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/rbac-configmap.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/rbac-configmap.yaml 
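Review bot: `{{ tpl . $ }}` in extra-manifests.yaml only accepts string entries, so any existing `extraManifests` entry written as a YAML object (the form the removed `toYaml .` accepted and the old values example showed) now appears to fail at render time with a Go-template type error, and the README changes in this same diff carry no upgrade note for it. If both forms are meant to keep working, a one-line fallback preserves compatibility: `{{ tpl (ternary . (toYaml .) (kindIs "string" .)) $ }}`. Otherwise the README's "Upgrading Chart" section should state that `extraManifests` entries must now be strings.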
@@ -13,4 +13,4 @@ data: resource: services subresource: {{ template "prometheus-node-exporter.fullname" . }} name: {{ template "prometheus-node-exporter.fullname" . }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/service.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/service.yaml index 068a6bc71..a065e46e3 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/service.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/service.yaml @@ -1,3 +1,4 @@ +{{- if .Values.service.enabled }} apiVersion: v1 kind: Service metadata: @@ -25,3 +26,4 @@ spec: name: {{ .Values.service.portName }} selector: {{- include "prometheus-node-exporter.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/values.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/values.yaml index 22aeb59cc..db0972040 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/values.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/values.yaml @@ -21,6 +21,10 @@ imagePullSecrets: [] nameOverride: "" fullnameOverride: "" +# Number of old history to retain to allow rollback +# Default Kubernetes value is set to 10 +revisionHistoryLimit: 10 + global: # To help compatibility with other charts which use global.imagePullSecrets. # Allow either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style). @@ -45,7 +49,7 @@ kubeRBACProxy: image: registry: quay.io repository: brancz/kube-rbac-proxy - tag: v0.14.0 + tag: v0.15.0 sha: "" pullPolicy: IfNotPresent @@ -72,6 +76,7 @@ kubeRBACProxy: # memory: 32Mi service: + enabled: true type: ClusterIP port: 9100 targetPort: 9100 
@@ -477,7 +482,8 @@ verticalPodAutoscaler: # Extra manifests to deploy as an array extraManifests: [] - # - apiVersion: v1 + # - | + # apiVersion: v1 # kind: ConfigMap # metadata: # name: prometheus-extra diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/Chart.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/Chart.yaml index 39b280230..3351215cb 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/Chart.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/Chart.yaml @@ -4,7 +4,7 @@ annotations: - name: Chart Source url: https://github.com/prometheus-community/helm-charts apiVersion: v2 -appVersion: v1.6.0 +appVersion: v1.6.2 description: A Helm chart for prometheus pushgateway home: https://github.com/prometheus/pushgateway keywords: @@ -21,4 +21,4 @@ name: prometheus-pushgateway sources: - https://github.com/prometheus/pushgateway type: application -version: 2.4.0 +version: 2.4.2 diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/statefulset.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/statefulset.yaml index 0d52a8dc9..431c15748 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/statefulset.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/statefulset.yaml 
@@ -25,31 +25,31 @@ spec: {{- if .Values.persistentVolume.enabled }} volumeClaimTemplates: - metadata: - {{- with .Values.persistentVolume.annotations }} + {{- with .Values.persistentVolume.annotations }} annotations: - {{- toYaml . | nindent 10 }} - {{- end }} + {{- toYaml . | nindent 10 }} + {{- end }} labels: - {{- include "prometheus-pushgateway.defaultLabels" . | nindent 10 }} + {{- include "prometheus-pushgateway.defaultLabels" . | nindent 10 }} name: storage-volume spec: accessModes: - {{ toYaml .Values.persistentVolume.accessModes }} - {{- if .Values.persistentVolume.storageClass }} - {{- if (eq "-" .Values.persistentVolume.storageClass) }} + {{ toYaml .Values.persistentVolume.accessModes }} + {{- if .Values.persistentVolume.storageClass }} + {{- if (eq "-" .Values.persistentVolume.storageClass) }} storageClassName: "" - {{- else }} + {{- else }} storageClassName: "{{ .Values.persistentVolume.storageClass }}" - {{- end }} - {{- else if .Values.global.persistence.storageClass }} - {{- if (eq "-" .Values.global.persistence.storageClass) }} + {{- end }} + {{- else if .Values.global.persistence.storageClass }} + {{- if (eq "-" .Values.global.persistence.storageClass) }} storageClassName: "" - {{- else }} + {{- else }} storageClassName: "{{ .Values.global.persistence.storageClass }}" + {{- end }} {{- end }} - {{- end }} resources: requests: storage: "{{ .Values.persistentVolume.size }}" + {{- end }} {{- end }} -{{- end }} diff --git a/charts/kasten/k10/charts/prometheus/templates/_helpers.tpl b/charts/kasten/k10/charts/prometheus/templates/_helpers.tpl index 289e4ec91..0436fa9e4 100644 --- a/charts/kasten/k10/charts/prometheus/templates/_helpers.tpl +++ b/charts/kasten/k10/charts/prometheus/templates/_helpers.tpl 
@@ -53,36 +53,6 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{- end -}} -{{- define "prometheus.alertmanager.labels" -}} -{{ include "prometheus.alertmanager.matchLabels" . }} -{{ include "prometheus.common.metaLabels" . }} -{{- end -}} - -{{- define "prometheus.alertmanager.matchLabels" -}} -app.kubernetes.io/component: {{ .Values.alertmanager.name }} -{{ include "prometheus.common.matchLabels" . }} -{{- end -}} - -{{- define "prometheus.nodeExporter.labels" -}} -{{ include "prometheus.nodeExporter.matchLabels" . }} -{{ include "prometheus.common.metaLabels" . }} -{{- end -}} - -{{- define "prometheus.nodeExporter.matchLabels" -}} -app.kubernetes.io/component: {{ .Values.nodeExporter.name }} -{{ include "prometheus.common.matchLabels" . }} -{{- end -}} - -{{- define "prometheus.pushgateway.labels" -}} -{{ include "prometheus.pushgateway.matchLabels" . }} -{{ include "prometheus.common.metaLabels" . }} -{{- end -}} - -{{- define "prometheus.pushgateway.matchLabels" -}} -app.kubernetes.io/component: {{ .Values.pushgateway.name }} -{{ include "prometheus.common.matchLabels" . }} -{{- end -}} - {{- define "prometheus.server.labels" -}} {{ include "prometheus.server.matchLabels" . }} {{ include "prometheus.common.metaLabels" . }} 
@@ -143,31 +113,12 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- end -}} {{/* -Create a fully qualified alertmanager name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +Create a fully qualified alertmanager name for communicating with the user via NOTES.txt */}} - {{- define "prometheus.alertmanager.fullname" -}} {{- template "alertmanager.fullname" .Subcharts.alertmanager -}} {{- end -}} -{{/* -Create a fully qualified node-exporter name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "prometheus.nodeExporter.fullname" -}} -{{- if .Values.nodeExporter.fullnameOverride -}} -{{- .Values.nodeExporter.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- printf "%s-%s" .Release.Name .Values.nodeExporter.name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s-%s" .Release.Name $name .Values.nodeExporter.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - {{/* Create a fully qualified Prometheus server name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
@@ -185,23 +136,6 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- end -}} {{- end -}} -{{/* -Create a fully qualified pushgateway name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "prometheus.pushgateway.fullname" -}} -{{- if .Values.pushgateway.fullnameOverride -}} -{{- .Values.pushgateway.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- printf "%s-%s" .Release.Name .Values.pushgateway.name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s-%s" .Release.Name $name .Values.pushgateway.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - {{/* Get KubeVersion removing pre-release information. */}} @@ -215,12 +149,7 @@ Return the appropriate apiVersion for deployment. {{- define "prometheus.deployment.apiVersion" -}} {{- print "apps/v1" -}} {{- end -}} -{{/* -Return the appropriate apiVersion for daemonset. -*/}} -{{- define "prometheus.daemonset.apiVersion" -}} -{{- print "apps/v1" -}} -{{- end -}} + {{/* Return the appropriate apiVersion for networkpolicy. */}} @@ -238,6 +167,7 @@ Return the appropriate apiVersion for poddisruptionbudget. {{- print "policy/v1beta1" -}} {{- end -}} {{- end -}} + {{/* Return the appropriate apiVersion for rbac. */}} @@ -248,6 +178,7 @@ Return the appropriate apiVersion for rbac. {{- print "rbac.authorization.k8s.io/v1beta1" -}} {{- end -}} {{- end -}} + {{/* Return the appropriate apiVersion for ingress. */}} 
@@ -274,6 +205,7 @@ Return if ingress supports ingressClassName. {{- define "ingress.supportsIngressClassName" -}} {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "prometheus.kubeVersion" .))) -}} {{- end -}} + {{/* Return if ingress supports pathType. */}} @@ -281,28 +213,6 @@ Return if ingress supports pathType. {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "prometheus.kubeVersion" .))) -}} {{- end -}} -{{/* -Create the name of the service account to use for the nodeExporter component -*/}} -{{- define "prometheus.serviceAccountName.nodeExporter" -}} -{{- if .Values.serviceAccounts.nodeExporter.create -}} - {{ default (include "prometheus.nodeExporter.fullname" .) .Values.serviceAccounts.nodeExporter.name }} -{{- else -}} - {{ default "default" .Values.serviceAccounts.nodeExporter.name }} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the service account to use for the pushgateway component -*/}} -{{- define "prometheus.serviceAccountName.pushgateway" -}} -{{- if .Values.serviceAccounts.pushgateway.create -}} - {{ default (include "prometheus.pushgateway.fullname" .) .Values.serviceAccounts.pushgateway.name }} -{{- else -}} - {{ default "default" .Values.serviceAccounts.pushgateway.name }} -{{- end -}} -{{- end -}} - {{/* Create the name of the service account to use for the server component */}} 
@@ -321,6 +231,46 @@ Define the prometheus.namespace template if set with forceNamespace or .Release. {{- default .Release.Namespace .Values.forceNamespace -}} {{- end }} +{{/* +Define template prometheus.namespaces producing a list of namespaces to monitor +*/}} +{{- define "prometheus.namespaces" -}} +{{- $namespaces := list }} +{{- if and .Values.rbac.create .Values.server.useExistingClusterRoleName }} + {{- if .Values.server.namespaces -}} + {{- range $ns := join "," .Values.server.namespaces | split "," }} + {{- $namespaces = append $namespaces (tpl $ns $) }} + {{- end -}} + {{- end -}} + {{- if .Values.server.releaseNamespace -}} + {{- $namespaces = append $namespaces (include "prometheus.namespace" .) }} + {{- end -}} +{{- end -}} +{{ mustToJson $namespaces }} +{{- end -}} + +{{/* +Define prometheus.server.remoteWrite producing a list of remoteWrite configurations with URL templating +*/}} +{{- define "prometheus.server.remoteWrite" -}} +{{- $remoteWrites := list }} +{{- range $remoteWrite := .Values.server.remoteWrite }} + {{- $remoteWrites = tpl $remoteWrite.url $ | set $remoteWrite "url" | append $remoteWrites }} +{{- end -}} +{{ toYaml $remoteWrites }} +{{- end -}} + +{{/* +Define prometheus.server.remoteRead producing a list of remoteRead configurations with URL templating +*/}} +{{- define "prometheus.server.remoteRead" -}} +{{- $remoteReads := list }} +{{- range $remoteRead := .Values.server.remoteRead }} + {{- $remoteReads = tpl $remoteRead.url $ | set $remoteRead "url" | append $remoteReads }} +{{- end -}} +{{ toYaml $remoteReads }} +{{- end -}} + {{/* ==================================================================== */}} {{/* ================ Kasten added code lives below here ================ */}} {{/* ==================================================================== */}} 
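Review bot: In `prometheus.server.remoteWrite` and `prometheus.server.remoteRead`, `set $remoteWrite "url" ...` mutates the entry inside `.Values` in place, and `tpl $remoteWrite.url $` appears to abort the whole render with a type error when an entry has no `url`, where previously such an entry rendered into a config that Prometheus itself would reject with a clear message. Building a fresh map avoids the mutation and keeps the failure readable: `{{- $remoteWrites = append $remoteWrites (merge (dict "url" (tpl (default "" $remoteWrite.url) $)) $remoteWrite) }}`, and the same line applies to the remoteRead helper. `prometheus.namespaces` also deserves a comment that it yields an empty list unless both `rbac.create` and `server.useExistingClusterRoleName` are set, because `server.releaseNamespace` is otherwise a silent no-op.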
diff --git a/charts/kasten/k10/charts/prometheus/templates/clusterrole.yaml b/charts/kasten/k10/charts/prometheus/templates/clusterrole.yaml index da620c0b8..e17438810 100644 --- a/charts/kasten/k10/charts/prometheus/templates/clusterrole.yaml +++ b/charts/kasten/k10/charts/prometheus/templates/clusterrole.yaml @@ -41,6 +41,14 @@ rules: - get - list - watch + - apiGroups: + - "discovery.k8s.io" + resources: + - endpointslices + verbs: + - get + - list + - watch - nonResourceURLs: - "/metrics" verbs: diff --git a/charts/kasten/k10/charts/prometheus/templates/cm.yaml b/charts/kasten/k10/charts/prometheus/templates/cm.yaml index a702b527e..c67066663 100644 --- a/charts/kasten/k10/charts/prometheus/templates/cm.yaml +++ b/charts/kasten/k10/charts/prometheus/templates/cm.yaml @@ -22,11 +22,11 @@ data: {{ $root.Values.server.global | toYaml | trimSuffix "\n" | indent 6 }} {{- if $root.Values.server.remoteWrite }} remote_write: -{{ $root.Values.server.remoteWrite | toYaml | indent 4 }} +{{- include "prometheus.server.remoteWrite" $root | nindent 4 }} {{- end }} {{- if $root.Values.server.remoteRead }} remote_read: -{{ $root.Values.server.remoteRead | toYaml | indent 4 }} +{{- include "prometheus.server.remoteRead" $root | nindent 4 }} {{- end }} {{- if or $root.Values.server.tsdb $root.Values.server.exemplars }} storage: @@ -39,6 +39,10 @@ data: {{ $root.Values.server.exemplars | toYaml | indent 8 }} {{- end }} {{- end }} +{{- if $root.Values.scrapeConfigFiles }} + scrape_config_files: +{{ toYaml $root.Values.scrapeConfigFiles | indent 4 }} +{{- end }} {{- end }} {{- if eq $key "alerts" }} {{- if and (not (empty $value)) (empty $value.groups) }} diff --git a/charts/kasten/k10/charts/prometheus/templates/deploy.yaml b/charts/kasten/k10/charts/prometheus/templates/deploy.yaml index ccebb404c..59790a8f0 100644 --- a/charts/kasten/k10/charts/prometheus/templates/deploy.yaml +++ b/charts/kasten/k10/charts/prometheus/templates/deploy.yaml 
@@ -47,6 +47,9 @@ spec: {{- end }} {{- end }} serviceAccountName: {{ template "prometheus.serviceAccountName.server" . }} +{{- if kindIs "bool" .Values.server.automountServiceAccountToken }} + automountServiceAccountToken: {{ .Values.server.automountServiceAccountToken }} +{{- end }} {{- if .Values.server.extraInitContainers }} initContainers: {{ toYaml .Values.server.extraInitContainers | indent 8 }} @@ -81,8 +84,10 @@ spec: ports: - containerPort: {{ .Values.configmapReload.prometheus.containerPort }} {{- end }} + {{- with .Values.configmapReload.prometheus.resources }} resources: -{{ toYaml .Values.configmapReload.prometheus.resources | indent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: - name: config-volume mountPath: /etc/config @@ -115,6 +120,9 @@ spec: {{- else }} {{- if .Values.server.retention }} - --storage.tsdb.retention.time={{ .Values.server.retention }} + {{- end }} + {{- if .Values.server.retentionSize }} + - --storage.tsdb.retention.size={{ .Values.server.retentionSize }} {{- end }} - --config.file={{ .Values.server.configPath }} {{- if .Values.server.storagePath }} @@ -139,6 +147,9 @@ spec: {{- end }} ports: - containerPort: 9090 + {{- if .Values.server.portName }} + name: {{ .Values.server.portName }} + {{- end }} {{- if .Values.server.hostPort }} hostPort: {{ .Values.server.hostPort }} {{- end }} @@ -202,8 +213,10 @@ spec: periodSeconds: {{ .Values.server.startupProbe.periodSeconds }} timeoutSeconds: {{ .Values.server.startupProbe.timeoutSeconds }} {{- end }} + {{- with .Values.server.resources }} resources: -{{ toYaml .Values.server.resources | indent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: - name: config-volume mountPath: /etc/config diff --git a/charts/kasten/k10/charts/prometheus/templates/ingress.yaml b/charts/kasten/k10/charts/prometheus/templates/ingress.yaml index fc2468d8b..84341a9c2 100644 --- a/charts/kasten/k10/charts/prometheus/templates/ingress.yaml 
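Review bot: `automountServiceAccountToken: false` on the server pod removes the in-cluster token that Prometheus' `kubernetes_sd_configs` and in-cluster `bearer_token_file`/`authorization` scrape settings read, so opting out silently breaks service discovery and apiserver/kubelet scrape jobs unless a token is projected by other means, and nothing in the hunk signals that. I would put a template comment above the `{{- if kindIs "bool" .Values.server.automountServiceAccountToken }}` line: `{{/* false breaks kubernetes_sd and any scrape job that reads the SA token; only opt out when no in-cluster auth is used or a token is mounted separately */}}`. The same block is duplicated in sts.yaml and should carry the same note.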
+++ b/charts/kasten/k10/charts/prometheus/templates/ingress.yaml @@ -4,7 +4,7 @@ {{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} {{- $releaseName := .Release.Name -}} {{- $serviceName := include "prometheus.server.fullname" . }} -{{- $servicePort := .Values.server.service.servicePort -}} +{{- $servicePort := .Values.server.ingress.servicePort | default .Values.server.service.servicePort -}} {{- $ingressPath := .Values.server.ingress.path -}} {{- $ingressPathType := .Values.server.ingress.pathType -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}} diff --git a/charts/kasten/k10/charts/prometheus/templates/pdb.yaml b/charts/kasten/k10/charts/prometheus/templates/pdb.yaml index 852f1bb8f..7ffe67307 100644 --- a/charts/kasten/k10/charts/prometheus/templates/pdb.yaml +++ b/charts/kasten/k10/charts/prometheus/templates/pdb.yaml @@ -1,4 +1,5 @@ {{- if .Values.server.podDisruptionBudget.enabled }} +{{- $pdbSpec := omit .Values.server.podDisruptionBudget "enabled" }} apiVersion: {{ template "prometheus.podDisruptionBudget.apiVersion" . }} kind: PodDisruptionBudget metadata: @@ -7,8 +8,8 @@ metadata: labels: {{- include "prometheus.server.labels" . | nindent 4 }} spec: - maxUnavailable: {{ .Values.server.podDisruptionBudget.maxUnavailable }} selector: matchLabels: {{- include "prometheus.server.matchLabels" . | nindent 6 }} + {{- toYaml $pdbSpec | nindent 2 }} {{- end }} diff --git a/charts/kasten/k10/charts/prometheus/templates/pvc.yaml b/charts/kasten/k10/charts/prometheus/templates/pvc.yaml index 5a30a1bce..a91114cc7 100644 --- a/charts/kasten/k10/charts/prometheus/templates/pvc.yaml +++ b/charts/kasten/k10/charts/prometheus/templates/pvc.yaml 
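Review bot: `toYaml $pdbSpec` in pdb.yaml passes every key under `server.podDisruptionBudget` except `enabled` straight into the PDB spec, and the values file in this same diff ships `maxUnavailable: 1` next to a commented `# minAvailable: 1` example; uncommenting it without nulling `maxUnavailable` emits both, which the API server rejects, and the error only surfaces at apply time. A render-time guard right after the `$pdbSpec` assignment makes the mistake obvious: `{{- if and (hasKey $pdbSpec "maxUnavailable") (hasKey $pdbSpec "minAvailable") }}{{ fail "server.podDisruptionBudget: set only one of maxUnavailable or minAvailable" }}{{ end }}`. Since Helm drops keys set to `null` in an override, `maxUnavailable: null` remains the documented way to switch.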
@@ -10,6 +10,9 @@ metadata: {{- end }} labels: {{- include "prometheus.server.labels" . | nindent 4 }} + {{- with .Values.server.persistentVolume.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} name: {{ template "prometheus.server.fullname" . }} namespace: {{ include "prometheus.namespace" . }} spec: diff --git a/charts/kasten/k10/charts/prometheus/templates/rolebinding.yaml b/charts/kasten/k10/charts/prometheus/templates/rolebinding.yaml index bc112a3dd..721b38816 100644 --- a/charts/kasten/k10/charts/prometheus/templates/rolebinding.yaml +++ b/charts/kasten/k10/charts/prometheus/templates/rolebinding.yaml @@ -1,5 +1,4 @@ -{{- if and .Values.rbac.create .Values.server.useExistingClusterRoleName .Values.server.namespaces -}} -{{ range $.Values.server.namespaces -}} +{{- range include "prometheus.namespaces" . | fromJsonArray }} --- apiVersion: {{ template "rbac.apiVersion" $ }} kind: RoleBinding @@ -17,4 +16,3 @@ roleRef: kind: ClusterRole name: {{ $.Values.server.useExistingClusterRoleName }} {{ end -}} -{{ end -}} diff --git a/charts/kasten/k10/charts/prometheus/templates/service.yaml b/charts/kasten/k10/charts/prometheus/templates/service.yaml index 1aa384eb0..069f3270d 100644 --- a/charts/kasten/k10/charts/prometheus/templates/service.yaml +++ b/charts/kasten/k10/charts/prometheus/templates/service.yaml @@ -47,6 +47,9 @@ spec: nodePort: {{ .Values.server.service.gRPC.nodePort }} {{- end }} {{- end }} +{{- if .Values.server.service.additionalPorts }} +{{ toYaml .Values.server.service.additionalPorts | indent 4 }} +{{- end }} selector: {{- if and .Values.server.statefulSet.enabled .Values.server.service.statefulsetReplica.enabled }} statefulset.kubernetes.io/pod-name: {{ template "prometheus.server.fullname" . }}-{{ .Values.server.service.statefulsetReplica.replica }} diff --git a/charts/kasten/k10/charts/prometheus/templates/serviceaccount.yaml b/charts/kasten/k10/charts/prometheus/templates/serviceaccount.yaml index 273aa7eed..6d5ab0c7d 100644 
--- a/charts/kasten/k10/charts/prometheus/templates/serviceaccount.yaml +++ b/charts/kasten/k10/charts/prometheus/templates/serviceaccount.yaml @@ -8,4 +8,9 @@ metadata: namespace: {{ include "prometheus.namespace" . }} annotations: {{ toYaml .Values.serviceAccounts.server.annotations | indent 4 }} +{{- if kindIs "bool" .Values.server.automountServiceAccountToken }} +automountServiceAccountToken: {{ .Values.server.automountServiceAccountToken }} +{{- else if kindIs "bool" .Values.serviceAccounts.server.automountServiceAccountToken }} +automountServiceAccountToken: {{ .Values.serviceAccounts.server.automountServiceAccountToken }} +{{- end }} {{- end }} diff --git a/charts/kasten/k10/charts/prometheus/templates/sts.yaml b/charts/kasten/k10/charts/prometheus/templates/sts.yaml index ac11ab2a1..61099ffde 100644 --- a/charts/kasten/k10/charts/prometheus/templates/sts.yaml +++ b/charts/kasten/k10/charts/prometheus/templates/sts.yaml @@ -14,6 +14,11 @@ metadata: name: {{ template "prometheus.server.fullname" . }} namespace: {{ include "prometheus.namespace" . }} spec: + {{- if semverCompare ">= 1.27.x" (include "prometheus.kubeVersion" .) }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ ternary "Delete" "Retain" .Values.server.statefulSet.pvcDeleteOnStsDelete }} + whenScaled: {{ ternary "Delete" "Retain" .Values.server.statefulSet.pvcDeleteOnStsScale }} + {{- end }} serviceName: {{ template "prometheus.server.fullname" . }}-headless selector: matchLabels: @@ -47,6 +52,9 @@ spec: {{- end }} {{- end }} serviceAccountName: {{ template "prometheus.serviceAccountName.server" . }} +{{- if kindIs "bool" .Values.server.automountServiceAccountToken }} + automountServiceAccountToken: {{ .Values.server.automountServiceAccountToken }} +{{- end }} {{- if .Values.server.extraInitContainers }} initContainers: {{ toYaml .Values.server.extraInitContainers | indent 8 }} 
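Review bot: The `persistentVolumeClaimRetentionPolicy` block in sts.yaml is emitted only when `semverCompare ">= 1.27.x"` passes, so on older clusters `pvcDeleteOnStsDelete`/`pvcDeleteOnStsScale: true` are silently ignored and PVCs are retained, while on 1.27+ `whenDeleted: Delete` means `helm uninstall` destroys the TSDB; neither outcome is signalled at render time. I would add an `{{- else if or .Values.server.statefulSet.pvcDeleteOnStsDelete .Values.server.statefulSet.pvcDeleteOnStsScale }}` branch that calls `{{ fail "server.statefulSet.pvcDeleteOnSts* requires Kubernetes 1.27+" }}`, or at minimum a template comment stating the settings are no-ops below 1.27. `prometheus.kubeVersion` is defined outside this hunk; note that `helm template` without `--kube-version` appears to evaluate it against Helm's built-in default rather than the target cluster.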
@@ -81,8 +89,10 @@ spec: ports: - containerPort: {{ .Values.configmapReload.prometheus.containerPort }} {{- end }} + {{- with .Values.configmapReload.prometheus.resources }} resources: -{{ toYaml .Values.configmapReload.prometheus.resources | indent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: - name: config-volume mountPath: /etc/config @@ -115,6 +125,9 @@ spec: {{- end }} {{- if .Values.server.retention }} - --storage.tsdb.retention.time={{ .Values.server.retention }} + {{- end }} + {{- if .Values.server.retentionSize }} + - --storage.tsdb.retention.size={{ .Values.server.retentionSize }} {{- end }} - --config.file={{ .Values.server.configPath }} {{- if .Values.server.storagePath }} @@ -136,6 +149,9 @@ spec: {{- end }} ports: - containerPort: 9090 + {{- if .Values.server.portName }} + name: {{ .Values.server.portName }} + {{- end }} {{- if .Values.server.hostPort }} hostPort: {{ .Values.server.hostPort }} {{- end }} @@ -199,8 +215,10 @@ spec: periodSeconds: {{ .Values.server.startupProbe.periodSeconds }} timeoutSeconds: {{ .Values.server.startupProbe.timeoutSeconds }} {{- end }} + {{- with .Values.server.resources }} resources: -{{ toYaml .Values.server.resources | indent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: - name: config-volume mountPath: /etc/config 
@@ -341,30 +359,30 @@ spec: {{- end }} spec: accessModes: -{{ toYaml .Values.server.persistentVolume.accessModes | indent 10 }} + {{ toYaml .Values.server.persistentVolume.accessModes | indent 10 }} resources: requests: storage: "{{ .Values.server.persistentVolume.size }}" - {{- if .Values.server.persistentVolume.storageClass }} - {{- if (eq "-" .Values.server.persistentVolume.storageClass) }} + {{- if .Values.server.persistentVolume.storageClass }} + {{- if (eq "-" .Values.server.persistentVolume.storageClass) }} storageClassName: "" - {{- else }} + {{- else }} storageClassName: "{{ .Values.server.persistentVolume.storageClass }}" - {{- end }} - {{- else if .Values.global.persistence.storageClass }} - {{- if (eq "-" .Values.global.persistence.storageClass) }} + {{- end }} + {{- else if .Values.global.persistence.storageClass }} + {{- if (eq "-" .Values.global.persistence.storageClass) }} storageClassName: "" - {{- else }} + {{- else }} storageClassName: "{{ .Values.global.persistence.storageClass }}" - {{- end }} + {{- end }} + {{- end }} + {{- else }} + - name: storage-volume + emptyDir: + {{- if .Values.server.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.server.emptyDir.sizeLimit }} + {{- else }} + { } + {{- end -}} + {{- end }} {{- end }} -{{- else }} - - name: storage-volume - emptyDir: - {{- if .Values.server.emptyDir.sizeLimit }} - sizeLimit: {{ .Values.server.emptyDir.sizeLimit }} - {{- else }} - {} - {{- end -}} -{{- end }} -{{- end }} diff --git a/charts/kasten/k10/charts/prometheus/values.schema.json b/charts/kasten/k10/charts/prometheus/values.schema.json index 926a735ee..1828064ed 100644 --- a/charts/kasten/k10/charts/prometheus/values.schema.json +++ b/charts/kasten/k10/charts/prometheus/values.schema.json @@ -62,6 +62,9 @@ "extraVolumeDirs": { "type": "array" }, + "extraVolumeMounts": { + "type": "array" + }, "image": { "type": "object", "properties": { 
@@ -397,7 +400,10 @@ "type": "boolean" }, "maxUnavailable": { - "type": "integer" + "type": [ + "string", + "integer" + ] } } }, @@ -412,6 +418,9 @@ } } }, + "portName": { + "type": "string" + }, "prefixURL": { "type": "string" }, @@ -439,6 +448,9 @@ "readinessProbeTimeout": { "type": "integer" }, + "releaseNamespace": { + "type": "boolean" + }, "remoteRead": { "type": "array" }, @@ -454,6 +466,12 @@ "retention": { "type": "string" }, + "retentionSize": { + "type": "string" + }, + "revisionHistoryLimit": { + "type": "integer" + }, "securityContext": { "type": "object", "properties": { @@ -474,6 +492,9 @@ "service": { "type": "object", "properties": { + "additionalPorts": { + "type": "array" + }, "annotations": { "type": "object" }, @@ -590,6 +611,12 @@ }, "podManagementPolicy": { "type": "string" + }, + "pvcDeleteOnStsDelete": { + "type": "boolean" + }, + "pvcDeleteOnStsScale": { + "type": "boolean" } } }, @@ -629,6 +656,9 @@ } } }, + "scrapeConfigFiles": { + "type": "array" + }, "serverFiles": { "type": "object", "properties": { @@ -696,6 +726,9 @@ }, "name": { "type": "string" + }, + "automountServiceAccountToken": { + "type": "boolean" } } } diff --git a/charts/kasten/k10/charts/prometheus/values.yaml b/charts/kasten/k10/charts/prometheus/values.yaml index 91fc46855..535de34e4 100644 --- a/charts/kasten/k10/charts/prometheus/values.yaml +++ b/charts/kasten/k10/charts/prometheus/values.yaml @@ -1,3 +1,8 @@ +# yaml-language-server: $schema=values.schema.json +# Default values for prometheus. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + rbac: create: true 
@@ -15,6 +20,13 @@ serviceAccounts: name: "" annotations: {} + ## Opt out of automounting Kubernetes API credentials. + ## It will be overriden by server.automountServiceAccountToken value, if set. + # automountServiceAccountToken: false + +## Additional labels to attach to all resources +commonMetaLabels: {} + ## Monitors ConfigMap changes and POSTs to a URL ## Ref: https://github.com/prometheus-operator/prometheus-operator/tree/main/cmd/prometheus-config-reloader ## @@ -89,6 +101,10 @@ server: ## name: server + ## Opt out of automounting Kubernetes API credentials. + ## If set it will override serviceAccounts.server.automountServiceAccountToken value for ServiceAccount. + # automountServiceAccountToken: false + ## Use a ClusterRole (and ClusterRoleBinding) ## - If set to false - we define a RoleBinding in the defined namespaces ONLY ## @@ -103,6 +119,10 @@ server: ## clusterRoleNameOverride: "" + # Enable only the release namespace for monitoring. By default all namespaces are monitored. + # If releaseNamespace and namespaces are both set a merged list will be monitored. + releaseNamespace: false + ## namespaces to monitor (instead of monitoring all - clusterwide). Needed if you want to run without Cluster-admin privileges. # namespaces: # - yournamespace @@ -113,6 +133,19 @@ server: # sidecarContainers: # webserver: # image: nginx + # OR for adding OAuth authentication to Prometheus + # sidecarContainers: + # oauth-proxy: + # image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.2 + # args: + # - --upstream=http://127.0.0.1:9090 + # - --http-address=0.0.0.0:8081 + # - ... + # ports: + # - containerPort: 8081 + # name: oauth-proxy + # protocol: TCP + # resources: {} sidecarContainers: {} # sidecarTemplateValues - context to be used in template for sidecarContainers 
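Review bot: The `releaseNamespace` comment claims it restricts monitoring to the release namespace, but the `prometheus.namespaces` helper added in this diff only consults it when `rbac.create` and `server.useExistingClusterRoleName` are both set; with the default cluster-wide ClusterRoleBinding the flag changes nothing, and a reader would wrongly believe the scope of privilege had been reduced. I would reword it: `# Only effective together with useExistingClusterRoleName (RoleBinding mode); on its own it does not narrow the default cluster-wide ClusterRole`. The two `automountServiceAccountToken` comments also need the caveat that Prometheus' kubernetes_sd and in-cluster scrape auth depend on the mounted token, so `false` breaks discovery unless a token is provided another way.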
@@ -180,6 +213,7 @@ server: # List of flags to override default parameters, e.g: # - --enable-feature=agent # - --storage.agent.retention.max-time=30m + # - --config.file=/etc/config/prometheus.yml defaultFlagsOverride: [] extraFlags: @@ -306,6 +340,9 @@ server: ## extraLabels: {} + ## Redirect ingress to an additional defined port on the service + # servicePort: 8081 + ## Prometheus server Ingress hostnames with optional path ## Must be provided if Ingress is enabled ## @@ -344,7 +381,7 @@ server: # - "example.com" ## Node tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ ## tolerations: [] # - key: "key" @@ -353,7 +390,7 @@ server: # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" ## Node labels for Prometheus server pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} @@ -371,6 +408,10 @@ server: podDisruptionBudget: enabled: false maxUnavailable: 1 + # minAvailable: 1 + ## unhealthyPodEvictionPolicy is available since 1.27.0 (beta) + ## https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy + # unhealthyPodEvictionPolicy: IfHealthyBudget ## Use an alternate scheduler, e.g. "stork". ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ 
@@ -519,6 +560,15 @@ server: servicePort: 10901 # nodePort: 10901 + ## Statefulset's persistent volume claim retention policy + ## pvcDeleteOnStsDelete and pvcDeleteOnStsScale determine whether + ## statefulset's PVCs are deleted (true) or retained (false) on scaling down + ## and deleting statefulset, respectively. Requires 1.27.0+. + ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + ## + pvcDeleteOnStsDelete: false + pvcDeleteOnStsScale: false + ## Prometheus server readiness and liveness probe initial delay and timeout ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ ## @@ -562,6 +612,9 @@ server: # Use hostPort # hostPort: 9090 + # Use portName + portName: "" + ## Vertical Pod Autoscaler config ## Ref: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler verticalAutoscaler: @@ -628,6 +681,13 @@ server: enabled: false replica: 0 + ## Additional port to define in the Service + additionalPorts: [] + # additionalPorts: + # - name: authenticated + # port: 8081 + # targetPort: 8081 + ## Prometheus server pod termination grace period ## terminationGracePeriodSeconds: 300 @@ -636,9 +696,18 @@ server: ## retention: "15d" + ## Prometheus' data retention size. Supported units: B, KB, MB, GB, TB, PB, EB. + ## + retentionSize: "" + ## Prometheus server ConfigMap entries for rule files (allow prometheus labels interpolation) ruleFiles: {} +## Prometheus server ConfigMap entries for scrape_config_files +## (allows scrape configs defined in additional files) +## +scrapeConfigFiles: [] + ## Prometheus server ConfigMap entries ## serverFiles: 
@@ -1159,7 +1228,7 @@ kube-state-metrics: ## enabled: false -## promtheus-node-exporter sub-chart configurable values +## prometheus-node-exporter sub-chart configurable values ## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-node-exporter ## prometheus-node-exporter: @@ -1173,7 +1242,7 @@ prometheus-node-exporter: containerSecurityContext: allowPrivilegeEscalation: false -## pprometheus-pushgateway sub-chart configurable values +## prometheus-pushgateway sub-chart configurable values ## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-pushgateway ## prometheus-pushgateway: diff --git a/charts/kasten/k10/templates/_definitions.tpl b/charts/kasten/k10/templates/_definitions.tpl index eb9deb309..d9b94c36a 100644 --- a/charts/kasten/k10/templates/_definitions.tpl +++ b/charts/kasten/k10/templates/_definitions.tpl @@ -4,7 +4,7 @@ Therefore, fetching of a list or yaml with service names should be done with the For example, the k10.restServices list can be fetched with get.enabledRestServices */}} {{- define "k10.additionalServices" -}}frontend kanister{{- end -}} {{- define "k10.restServices" -}}admin auth bloblifecyclemanager catalog controllermanager crypto dashboardbff events executor garbagecollector jobs logging metering repositories state vbrintegrationapi{{- end -}} -{{- define "k10.services" -}}aggregatedapis{{- end -}} +{{- define "k10.services" -}}aggregatedapis gateway{{- end -}} {{- define "k10.exposedServices" -}}auth dashboardbff vbrintegrationapi{{- end -}} {{- define "k10.statelessServices" -}}admin aggregatedapis auth bloblifecyclemanager controllermanager crypto dashboardbff events executor garbagecollector repositories gateway state vbrintegrationapi{{- end -}} {{- define "k10.colocatedServices" -}} 
@@ -212,5 +212,8 @@ state-svc: {{- define "k10.aggAuditPolicyFile" -}}agg-audit-policy.yaml{{- end -}} {{- define "k10.siemAuditLogFilePath" -}}-{{- end -}} {{- define "k10.siemAuditLogFileSize" -}}100{{- end -}} -{{- define "k10.kanisterToolsImageTag" -}}0.100.0{{- end -}} +{{- define "k10.kanisterToolsImageTag" -}}0.104.0{{- end -}} {{- define "k10.disabledServicesEnvVar" -}}K10_DISABLED_SERVICES{{- end -}} +{{- define "k10.gatewayPrefixVarName" -}}GATEWAY_PREFIX{{- end -}} +{{- define "k10.gatewayRequestHeadersVarName" -}}GATEWAY_REQUEST_HEADERS{{- end -}} +{{- define "k10.gatewayAuthHeadersVarName" -}}GATEWAY_AUTH_HEADERS{{- end -}} diff --git a/charts/kasten/k10/templates/_helpers.tpl b/charts/kasten/k10/templates/_helpers.tpl index 6c71dae53..7263237b3 100644 --- a/charts/kasten/k10/templates/_helpers.tpl +++ b/charts/kasten/k10/templates/_helpers.tpl @@ -990,26 +990,6 @@ running in the same cluster. {{- printf "init" }} {{- end -}} -{{- define "k10.cephtool.getImage" -}} - {{- (get .Values.global.images (include "k10.cephtool.ImageName" .)) | default (include "k10.cephtool.Image" .) }} -{{- end -}} - -{{- define "k10.cephtool.Image" -}} - {{- printf "%s:%s" (include "k10.cephtool.ImageRepo" .) (include "get.k10ImageTag" .) }} -{{- end -}} - -{{- define "k10.cephtool.ImageRepo" -}} - {{- if .Values.global.airgapped.repository }} - {{- printf "%s/%s" .Values.global.airgapped.repository (include "k10.cephtool.ImageName" .) }} - {{- else }} - {{- printf "%s/%s" .Values.global.image.registry (include "k10.cephtool.ImageName" .) }} - {{- end }} -{{- end -}} - -{{- define "k10.cephtool.ImageName" -}} - {{- printf "cephtool" }} -{{- end -}} - {{- define "k10.splitImage" -}} {{- $split_repo_tag_and_hash := .image | splitList "@" -}} {{- $split_repo_and_tag := $split_repo_tag_and_hash | first | splitList ":" -}} diff --git a/charts/kasten/k10/templates/_k10_container.tpl b/charts/kasten/k10/templates/_k10_container.tpl index 97ca424b0..707c60e85 100644 
--- a/charts/kasten/k10/templates/_k10_container.tpl +++ b/charts/kasten/k10/templates/_k10_container.tpl @@ -500,6 +500,11 @@ stating that types are not same for the equality check name: k10-config key: k10JobMaxWaitDuration {{- end }} + - name: K10_FORCE_ROOT_IN_KANISTER_HOOKS + valueFrom: + configMapKeyRef: + name: k10-config + key: k10ForceRootInKanisterHooks {{- end }} {{- if and (eq $service "executor") (.Values.awsConfig.efsBackupVaultName) }} - name: EFS_BACKUP_VAULT_NAME @@ -625,6 +630,12 @@ stating that types are not same for the equality check - name: K10_GRAFANA_ENABLED value: {{ .Values.grafana.enabled | quote }} {{- end }} +{{- if eq $service "gateway" }} + envFrom: + - configMapRef: + name: k10-gateway +{{- end -}} + {{- if or $.stateful (or (eq (include "check.googlecreds" .) "true") (eq $service "auth" "logging")) }} volumeMounts: {{- else if or (or (eq (include "basicauth.check" .) "true") (or .Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" .) "true"))) .Values.features }} @@ -697,16 +708,6 @@ stating that types are not same for the equality check subPath: {{ include "k10.aggAuditPolicyFile" .}} readOnly: true {{- end}} -{{- if .Values.toolsImage.enabled }} -{{- if eq $service "executor" }} - - name: tools - imagePullPolicy: {{ .Values.toolsImage.pullPolicy }} - {{- dict "main" . "k10_service" "cephtool" | include "serviceImage" | indent 8 }} - command: ["tail", "-f", "/dev/null"] -{{- $podName := (printf "%s-svc" $service) }} -{{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" "tools" | include "k10.resource.request" | indent 8}} -{{- end }} -{{- end }} {{/* .Values.toolsImage.enabled */}} {{- if and (eq $service "catalog") $.stateful }} - name: kanister-sidecar image: {{ include "get.kanisterToolsImage" .}} diff --git a/charts/kasten/k10/templates/_k10_image_tag.tpl b/charts/kasten/k10/templates/_k10_image_tag.tpl index 648c89ded..594504dce 100644 --- a/charts/kasten/k10/templates/_k10_image_tag.tpl 
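Review bot: The `envFrom` block added for the gateway container in the `@@ -625,6 +630,12 @@` hunk references ConfigMap `k10-gateway` unconditionally, but k10-config.yaml in this same commit only renders that ConfigMap under `{{ if .Values.gateway.next_gen }}`; if the gateway container is rendered while `next_gen` is off, the pod will sit in CreateContainerConfigError on the missing ConfigMap. Guard the block with the same condition, `{{- if and (eq $service "gateway") .Values.gateway.next_gen }}`, rather than adding `optional: true` under `configMapRef`, so the gateway's prefix and header settings cannot silently be absent at runtime. The enclosing container template starts and ends outside the hunk, so I could not confirm from the diff whether the gateway container is rendered at all in the non-`next_gen` case.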
+++ b/charts/kasten/k10/templates/_k10_image_tag.tpl @@ -1 +1 @@ -{{- define "k10.imageTag" -}}6.5.0{{- end -}} \ No newline at end of file +{{- define "k10.imageTag" -}}6.5.2{{- end -}} \ No newline at end of file diff --git a/charts/kasten/k10/templates/_k10_metering.tpl b/charts/kasten/k10/templates/_k10_metering.tpl index 7572b793e..d40c47412 100644 --- a/charts/kasten/k10/templates/_k10_metering.tpl +++ b/charts/kasten/k10/templates/_k10_metering.tpl @@ -151,11 +151,9 @@ spec: - name: {{ $service }}-svc {{- dict "main" . "k10_service" $service | include "serviceImage" | indent 8 }} imagePullPolicy: {{ .Values.global.image.pullPolicy }} -{{- if eq .Release.Namespace "default" }} {{- $podName := (printf "%s-svc" $service) }} {{- $containerName := (printf "%s-svc" $service) }} {{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" $containerName | include "k10.resource.request" | indent 8}} -{{- end }} ports: - containerPort: {{ .Values.service.externalPort }} livenessProbe: diff --git a/charts/kasten/k10/templates/_k10_serviceimage.tpl b/charts/kasten/k10/templates/_k10_serviceimage.tpl index 6010243b8..7a42fb9b2 100644 --- a/charts/kasten/k10/templates/_k10_serviceimage.tpl +++ b/charts/kasten/k10/templates/_k10_serviceimage.tpl @@ -19,9 +19,6 @@ value that is specified. {{- $serviceImage = (include "get.k10ImageTag" .main) | print .main.Values.global.airgapped.repository "/" .k10_service ":" }} {{- else }} {{- $serviceImage = (include "get.k10ImageTag" .main) | print .main.Values.global.image.registry "/" .k10_service ":" }} -{{- if eq .k10_service "cephtool"}} -{{- $serviceImage = include "k10.cephtool.getImage" .main }} -{{- end }} {{- end }}{{/* if .main.Values.global.airgapped.repository */}} {{- $serviceImageKey := print (replace "-" "" .k10_service) "Image" }} {{- if eq $serviceImageKey "dexImage" }} 
diff --git a/charts/kasten/k10/templates/k10-config.yaml b/charts/kasten/k10/templates/k10-config.yaml index 1f38b0b57..b8a4953ba 100644 --- a/charts/kasten/k10/templates/k10-config.yaml +++ b/charts/kasten/k10/templates/k10-config.yaml @@ -60,6 +60,8 @@ data: k10JobMaxWaitDuration: {{ .Values.maxJobWaitDuration | quote }} + k10ForceRootInKanisterHooks: {{ .Values.forceRootInKanisterHooks | quote }} + {{- if .Values.awsConfig.efsBackupVaultName }} efsBackupVaultName: {{ quote .Values.awsConfig.efsBackupVaultName }} {{- end }} @@ -254,3 +256,21 @@ binaryData: {{ $files.Get . | b64enc }} {{- end }} {{ end }} +{{ if .Values.gateway.next_gen }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: k10-gateway + namespace: {{ .Release.Namespace }} +data: + {{ include "k10.gatewayPrefixVarName" . }}: {{ include "k10.prefixPath" . }} + + {{- if .Values.gateway.requestHeaders }} + {{ include "k10.gatewayRequestHeadersVarName" .}}: {{ (.Values.gateway.requestHeaders | default list) | join " " }} + {{- end }} + + {{- if .Values.gateway.authHeaders }} + {{ include "k10.gatewayAuthHeadersVarName" .}}: {{ (.Values.gateway.authHeaders | default list) | join " " }} + {{- end }} +{{ end }} diff --git a/charts/kasten/k10/templates/{values}/grafana/values/grafana_values.tpl b/charts/kasten/k10/templates/{values}/grafana/values/grafana_values.tpl index 01124fc06..1c5ef752a 100644 --- a/charts/kasten/k10/templates/{values}/grafana/values/grafana_values.tpl +++ b/charts/kasten/k10/templates/{values}/grafana/values/grafana_values.tpl @@ -97,7 +97,7 @@ "isDefault" true "name" "Prometheus" "type" "prometheus" - "url" (printf "http://prometheus-server-exp%s/prometheus" (include "k10.prefixPath" $)) + "url" (printf "http://%s-exp%s" (include "k10.prometheus.service.name" $) .Values.prometheus.server.baseURL) "jsonData" (dict "timeInterval" "1m" ) diff --git a/charts/kasten/k10/values.schema.json b/charts/kasten/k10/values.schema.json index 53f8ff168..7ffd9e819 100644 
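Review bot: In the new `k10-gateway` ConfigMap the data values are emitted unquoted — `{{ include "k10.gatewayPrefixVarName" . }}: {{ include "k10.prefixPath" . }}` and the two `join " "` header lists. ConfigMap `data` values must be strings, so an empty prefix path renders as a YAML null and is rejected by the API server, and a header list containing YAML-significant characters (`:`, `#`, a leading `[`) would be misparsed or fail to apply. Pipe each value through `quote`, as the `k10ForceRootInKanisterHooks` entry in the first hunk already does: `{{ include "k10.gatewayPrefixVarName" . }}: {{ include "k10.prefixPath" . | quote }}` and `{{ (.Values.gateway.requestHeaders | default list) | join " " | quote }}` (likewise for `authHeaders`). The `default list` fallbacks are redundant under the surrounding `if` guards but harmless.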
--- a/charts/kasten/k10/values.schema.json +++ b/charts/kasten/k10/values.schema.json @@ -254,12 +254,6 @@ "title": "Catalog service container image", "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" }, - "cephtool": { - "type": "string", - "default": "", - "title": "Cephtool service container image", - "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" - }, "configmap-reload": { "type": "string", "title": "Configmap-reload service container image", @@ -550,30 +544,6 @@ } } }, - "toolsImage": { - "type": "object", - "title": "Tools image config", - "description": "Set tools image settings", - "properties": { - "enabled": { - "type": "boolean", - "default": true, - "title": "Enable tools image", - "description": "Whether to enable tools image" - }, - "pullPolicy": { - "type": "string", - "default": "Always", - "title": "Tools image pullPolicy", - "description": "Change tools image pullPolicy", - "enum": [ - "IfNotPresent", - "Always", - "Never" - ] - } - } - }, "dexImage": { "type": "object", "title": "Dex image config", 
@@ -2464,6 +2434,12 @@ "default": "", "title": "Maximum duration for jobs in minutes", "description": "Set a maximum duration of waiting for child jobs. If the execution of the subordinate jobs exceeds this value, the parent job will be canceled. If no value is set, a default of 10 hours will be used" + }, + "forceRootInKanisterHooks": { + "type": "boolean", + "default": true, + "title": "Run Kanister Hooks as root", + "description": "Forces Kanister Execution Hooks to run with root privileges" } } } diff --git a/charts/kasten/k10/values.yaml b/charts/kasten/k10/values.yaml index e6a369651..43ac83d4a 100644 --- a/charts/kasten/k10/values.yaml +++ b/charts/kasten/k10/values.yaml @@ -64,7 +64,6 @@ global: auth: '' bloblifecyclemanager: '' catalog: '' - cephtool: '' configmap-reload: '' controllermanager: '' crypto: '' @@ -123,10 +122,6 @@ route: # Where this TLS configuration should terminate termination: "edge" -toolsImage: - enabled: true - pullPolicy: Always - dexImage: registry: ghcr.io repository: dexidp @@ -471,3 +466,5 @@ reporting: pdfReports: true maxJobWaitDuration: "" + +forceRootInKanisterHooks: true diff --git a/charts/kong/kong/CHANGELOG.md b/charts/kong/kong/CHANGELOG.md index fecec34c5..1db82392b 100644 --- a/charts/kong/kong/CHANGELOG.md +++ b/charts/kong/kong/CHANGELOG.md @@ -1,5 +1,21 @@ # Changelog +## Unreleased + +Nothing yet. + +## 2.34.0 + +### Added + +* The `envFrom` and `ingressController.envFrom` values.yaml keys now populate + the container field of the same name. This loads environment variables from + ConfigMap or Secret resource keys in bulk: + https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables + [#987](https://github.com/Kong/charts/pull/987) +* Kong listens now use both IPv4 and IPv6 addresses. + [#986](https://github.com/Kong/charts/pull/986) + ## 2.33.3 ### Fixed 
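Review bot: The new `forceRootInKanisterHooks` schema entry and its `values.yaml` default (the `@@ -471,3 +466,5 @@` hunk of this file pair) ship as `true`, so every installation that does not opt out runs Kanister execution hooks with root privileges, and the one-line description gives the operator no indication of that trade-off or of how to opt out. Expand the description to something like `Forces Kanister Execution Hooks to run with root privileges. Set to false to run hooks without forced root; keep true only where a hook genuinely needs it.` Since the value is also exported to service pods as `K10_FORCE_ROOT_IN_KANISTER_HOOKS` through the k10-config ConfigMap, consider whether `false` is the safer default, or at minimum call the new root-by-default behaviour out in the chart's release notes so operators can set it explicitly.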
diff --git a/charts/kong/kong/Chart.yaml b/charts/kong/kong/Chart.yaml index c59a59fb6..740598e2c 100644 --- a/charts/kong/kong/Chart.yaml +++ b/charts/kong/kong/Chart.yaml @@ -18,4 +18,4 @@ maintainers: name: kong sources: - https://github.com/Kong/charts/tree/main/charts/kong -version: 2.33.3 +version: 2.34.0 diff --git a/charts/kong/kong/README.md b/charts/kong/kong/README.md index 3c1cdbd5b..48483e7aa 100644 --- a/charts/kong/kong/README.md +++ b/charts/kong/kong/README.md @@ -613,10 +613,11 @@ directory. | image.effectiveSemver | Semantic version to use for version-dependent features (if `tag` is not a semver) | | | image.pullPolicy | Image pull policy | `IfNotPresent` | | image.pullSecrets | Image pull secrets | `null` | -| replicaCount | Kong instance count. It has no effect when `autoscaling.enabled` is set to true | `1` | +| replicaCount | Kong instance count. It has no effect when `autoscaling.enabled` is set to true | `1` | | plugins | Install custom plugins into Kong via ConfigMaps or Secrets | `{}` | | env | Additional [Kong configurations](https://getkong.org/docs/latest/configuration/) | | -| customEnv | Custom Environment variables without `KONG_` prefix | | +| customEnv | Custom Environment variables without `KONG_` prefix | | +| envFrom | Populate environment variables from ConfigMap or Secret keys | | | migrations.preUpgrade | Run "kong migrations up" jobs | `true` | | migrations.postUpgrade | Run "kong migrations finish" jobs | `true` | | migrations.annotations | Annotations for migration job pods | `{"sidecar.istio.io/inject": "false" | 
@@ -741,6 +742,7 @@ section of `values.yaml` file: | installCRDs | Legacy toggle for Helm 2-style CRD management. Should not be set [unless necessary due to cluster permissions](#removing-cluster-scoped-permissions). | false | | env | Specify Kong Ingress Controller configuration via environment variables | | | customEnv | Specify custom environment variables (without the CONTROLLER_ prefix) | | +| envFrom | Populate environment variables from ConfigMap or Secret keys | | | ingressClass | The name of this controller's ingressClass | kong | | ingressClassAnnotations | The ingress-class value for controller | kong | | args | List of ingress-controller cli arguments | [] | diff --git a/charts/kong/kong/ci/.chartsnap.yaml b/charts/kong/kong/ci/.chartsnap.yaml new file mode 100644 index 000000000..110e0b269 --- /dev/null +++ b/charts/kong/kong/ci/.chartsnap.yaml @@ -0,0 +1,26 @@ +# It's a configuration file used by helm-chartsnap to ignore dynamically generated fields +# when comparing the chart's snapshot with the rendered chart. +# See https://github.com/jlandowner/helm-chartsnap?tab=readme-ov-file#handling-dynamic-values-. +dynamicFields: + - apiVersion: v1 + kind: Secret + name: chartsnap-postgresql + jsonPath: + - /data/postgres-password + - apiVersion: v1 + kind: Secret + name: chartsnap-kong-validation-webhook-keypair + jsonPath: + - /data/tls.crt + - /data/tls.key + - apiVersion: v1 + kind: Secret + name: chartsnap-kong-validation-webhook-ca-keypair + jsonPath: + - /data/tls.crt + - /data/tls.key + - apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + name: chartsnap-kong-validations + jsonPath: + - /webhooks/0/clientConfig/caBundle diff --git a/charts/kong/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap b/charts/kong/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap new file mode 100644 index 000000000..632ec8342 --- /dev/null 
+++ b/charts/kong/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap 
@@ -0,0 +1,375 @@ +[admin-api-service-clusterip-values] +SnapShot = """ +- object: + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + template: + metadata: + annotations: + checksum/dbless.config: 626be043e4a43b0d55af934d06216254abe132b29af82450379439ecd927219a + kuma.io/gateway: enabled + kuma.io/service-account-token-volume: chartsnap-kong-token + traffic.sidecar.istio.io/includeInboundPorts: \"\" + labels: + app: chartsnap-kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + version: \"3.5\" + spec: + automountServiceAccountToken: false + containers: + - env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 0.0.0.0:8444 http2 ssl, [::]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_DECLARATIVE_CONFIG + value: /kong_dbless/kong.yml + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: 
KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8444 + name: admin-tls + protocol: TCP + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + - mountPath: /kong_dbless/ + name: kong-custom-dbless-config-volume + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: 
KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 0.0.0.0:8444 http2 ssl, [::]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_DECLARATIVE_CONFIG + value: /kong_dbless/kong.yml + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: clear-stale-pid + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + - mountPath: /kong_dbless/ + name: kong-custom-dbless-config-volume + securityContext: {} + serviceAccountName: chartsnap-kong + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + 
name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - configMap: + name: chartsnap-kong-custom-dbless-config + name: kong-custom-dbless-config-volume +- object: + apiVersion: v1 + data: + kong.yml: | + _format_version: \"1.1\" + services: + - name: example.com + url: http://example.com + routes: + - name: example + paths: + - \"/example\" + kind: ConfigMap + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-custom-dbless-config + namespace: default +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-admin + namespace: default + spec: + ports: + - name: kong-admin-tls + port: 8444 + protocol: TCP + targetPort: 8444 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: ClusterIP +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-manager + namespace: default + spec: + ports: + - name: kong-manager + port: 8002 + protocol: TCP + targetPort: 8002 + - name: kong-manager-tls + port: 8445 + protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: 
NodePort +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + enable-metrics: \"true\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + ports: + - name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: LoadBalancer +- object: + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default +""" diff --git a/charts/kong/kong/ci/__snapshots__/custom-labels-values.snap b/charts/kong/kong/ci/__snapshots__/custom-labels-values.snap new file mode 100644 index 000000000..8e7ca98c6 --- /dev/null +++ b/charts/kong/kong/ci/__snapshots__/custom-labels-values.snap 
@@ -0,0 +1,889 @@ +[custom-labels-values] +SnapShot = """ +- object: + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + metadata: + labels: + acme.com/some-key: some-value + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validations + namespace: default + webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + name: validations.kong.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - \"\" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - v1alpha2 + - v1beta1 + - v1 + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + sideEffects: None +- object: + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + acme.com/some-key: some-value + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + template: + metadata: + annotations: + kuma.io/gateway: enabled + 
kuma.io/service-account-token-volume: chartsnap-kong-token + traffic.sidecar.istio.io/includeInboundPorts: \"\" + labels: + acme.com/some-key: some-value + app: chartsnap-kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + version: \"3.5\" + spec: + automountServiceAccountToken: false + containers: + - args: null + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: 0.0.0.0:8080 + - name: CONTROLLER_ELECTION_ID + value: kong-ingress-controller-leader-kong + - name: CONTROLLER_INGRESS_CLASS + value: kong + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: \"true\" + - name: CONTROLLER_KONG_ADMIN_URL + value: https://localhost:8444 + - name: CONTROLLER_PUBLISH_SERVICE + value: default/chartsnap-kong-proxy + image: kong/kubernetes-ingress-controller:3.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: ingress-controller + ports: + - containerPort: 8080 + name: webhook + protocol: TCP + - containerPort: 10255 + name: cmetrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /admission-webhook + name: webhook-cert + readOnly: true + - mountPath: 
/var/run/secrets/kubernetes.io/serviceaccount + name: chartsnap-kong-token + readOnly: true + - env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - 
containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, 
[::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: clear-stale-pid + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + securityContext: {} + serviceAccountName: chartsnap-kong + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + acme.com/some-key: some-value + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + rules: + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - 
apiGroups: + - \"\" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - secrets + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - services/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - 
networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + acme.com/some-key: some-value + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + acme.com/some-key: some-value + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + rules: + - apiGroups: + - \"\" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - \"\" + resourceNames: + - kong-ingress-controller-leader-kong-kong + resources: + - configmaps + verbs: + - get + - update + - apiGroups: + - \"\" + resources: + - configmaps + verbs: + - create + - apiGroups: + - \"\" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - 
apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + acme.com/some-key: some-value + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + acme.com/some-key: some-value + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-ca-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + acme.com/some-key: some-value + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + acme.com/some-key: some-value + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-manager + namespace: default + spec: + ports: + - name: kong-manager + port: 8002 + protocol: TCP + targetPort: 8002 + - name: kong-manager-tls + port: 8445 + 
protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: NodePort +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + acme.com/some-key: some-value + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + enable-metrics: \"true\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + ports: + - name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: LoadBalancer +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + acme.com/some-key: some-value + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook + namespace: default + spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + acme.com/some-key: some-value + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 +- object: + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + acme.com/some-key: some-value + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default +""" diff --git a/charts/kong/kong/ci/__snapshots__/default-values.snap b/charts/kong/kong/ci/__snapshots__/default-values.snap new file mode 100644 index 000000000..d4ad6f81b --- /dev/null 
+++ b/charts/kong/kong/ci/__snapshots__/default-values.snap 
@@ -0,0 +1,881 @@ +[default-values] +SnapShot = """ +- object: + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validations + namespace: default + webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + name: validations.kong.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - \"\" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - v1alpha2 + - v1beta1 + - v1 + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + sideEffects: None +- object: + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + template: + metadata: + annotations: + kuma.io/gateway: enabled + kuma.io/service-account-token-volume: chartsnap-kong-token + 
traffic.sidecar.istio.io/includeInboundPorts: \"\" + labels: + app: chartsnap-kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + version: \"3.5\" + spec: + automountServiceAccountToken: false + containers: + - args: null + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: 0.0.0.0:8080 + - name: CONTROLLER_ANONYMOUS_REPORTS + value: \"false\" + - name: CONTROLLER_ELECTION_ID + value: kong-ingress-controller-leader-kong + - name: CONTROLLER_INGRESS_CLASS + value: kong + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: \"true\" + - name: CONTROLLER_KONG_ADMIN_URL + value: https://localhost:8444 + - name: CONTROLLER_PUBLISH_SERVICE + value: default/chartsnap-kong-proxy + image: kong/kubernetes-ingress-controller:3.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: ingress-controller + ports: + - containerPort: 8080 + name: webhook + protocol: TCP + - containerPort: 10255 + name: cmetrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /admission-webhook + name: webhook-cert + readOnly: true + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + 
name: chartsnap-kong-token + readOnly: true + - env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - 
containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - 
name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: clear-stale-pid + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + securityContext: {} + serviceAccountName: chartsnap-kong + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + rules: + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update + - apiGroups: + - \"\" + resources: + - events + verbs: + - create 
+ - patch + - apiGroups: + - \"\" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - secrets + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - services/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - 
apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + rules: + - apiGroups: + - \"\" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - \"\" + resourceNames: + - kong-ingress-controller-leader-kong-kong + resources: + - configmaps + verbs: + - get + - update + - apiGroups: + - \"\" + resources: + - configmaps + verbs: + - create + - apiGroups: + - \"\" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - \"\" + resources: + - events + verbs: + 
- create + - patch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-ca-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-manager + namespace: default + spec: + ports: + - name: kong-manager + port: 8002 + protocol: TCP + targetPort: 8002 + - name: kong-manager-tls + port: 8445 + protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: NodePort +- object: + 
apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + enable-metrics: \"true\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + ports: + - name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: LoadBalancer +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook + namespace: default + spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 +- object: + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default +""" diff --git a/charts/kong/kong/ci/__snapshots__/kong-ingress-1-values.snap b/charts/kong/kong/ci/__snapshots__/kong-ingress-1-values.snap new file mode 100644 index 000000000..e7116c127 --- /dev/null +++ b/charts/kong/kong/ci/__snapshots__/kong-ingress-1-values.snap 
@@ -0,0 +1,910 @@ +[kong-ingress-1-values] +SnapShot = """ +- object: + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validations + namespace: default + webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + name: validations.kong.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - \"\" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - v1alpha2 + - v1beta1 + - v1 + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + sideEffects: None +- object: + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + template: + metadata: + annotations: + kuma.io/gateway: enabled + kuma.io/service-account-token-volume: chartsnap-kong-token + 
traffic.sidecar.istio.io/includeInboundPorts: \"\" + labels: + app: chartsnap-kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + version: \"3.5\" + spec: + automountServiceAccountToken: false + containers: + - args: null + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: 0.0.0.0:8080 + - name: CONTROLLER_ELECTION_ID + value: kong-ingress-controller-leader-kong + - name: CONTROLLER_INGRESS_CLASS + value: kong + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: \"true\" + - name: CONTROLLER_KONG_ADMIN_URL + value: https://localhost:8444 + - name: CONTROLLER_PUBLISH_SERVICE + value: default/chartsnap-kong-proxy + image: kong/kubernetes-ingress-controller:3.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: ingress-controller + ports: + - containerPort: 8080 + name: webhook + protocol: TCP + - containerPort: 10255 + name: cmetrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /admission-webhook + name: webhook-cert + readOnly: true + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: chartsnap-kong-token + readOnly: true + - env: + - 
name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: 
/status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: 
clear-stale-pid + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + securityContext: {} + serviceAccountName: chartsnap-kong + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + rules: + - http: + paths: + - backend: + service: + name: chartsnap-kong-proxy + port: + number: 443 + path: / + pathType: ImplementationSpecific + tls: + - hosts: null + secretName: kong.proxy.example.secret +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + rules: + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - 
kongupstreampolicies/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - secrets + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - services/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + 
resources: + - udpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + rules: + - apiGroups: + - \"\" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - \"\" + resourceNames: + - 
kong-ingress-controller-leader-kong-kong + resources: + - configmaps + verbs: + - get + - update + - apiGroups: + - \"\" + resources: + - configmaps + verbs: + - create + - apiGroups: + - \"\" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-ca-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + tls.crt: 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 + tls.key: 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 + kind: Secret + metadata: + name: 
kong.proxy.example.secret + type: kubernetes.io/tls +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-manager + namespace: default + spec: + ports: + - name: kong-manager + port: 8002 + protocol: TCP + targetPort: 8002 + - name: kong-manager-tls + port: 8445 + protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: NodePort +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + enable-metrics: \"true\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + ports: + - name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: LoadBalancer +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook + namespace: default + spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 +- object: + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: chartsnap + 
app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default +""" diff --git a/charts/kong/kong/ci/__snapshots__/kong-ingress-2-values.snap b/charts/kong/kong/ci/__snapshots__/kong-ingress-2-values.snap new file mode 100644 index 000000000..abecc1a2c --- /dev/null +++ b/charts/kong/kong/ci/__snapshots__/kong-ingress-2-values.snap 
@@ -0,0 +1,912 @@ +[kong-ingress-2-values] +SnapShot = """ +- object: + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validations + namespace: default + webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + name: validations.kong.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - \"\" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - v1alpha2 + - v1beta1 + - v1 + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + sideEffects: None +- object: + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + template: + metadata: + annotations: + kuma.io/gateway: enabled + kuma.io/service-account-token-volume: chartsnap-kong-token + 
traffic.sidecar.istio.io/includeInboundPorts: \"\" + labels: + app: chartsnap-kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + version: \"3.5\" + spec: + automountServiceAccountToken: false + containers: + - args: null + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: 0.0.0.0:8080 + - name: CONTROLLER_ELECTION_ID + value: kong-ingress-controller-leader-kong + - name: CONTROLLER_INGRESS_CLASS + value: kong + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: \"true\" + - name: CONTROLLER_KONG_ADMIN_URL + value: https://localhost:8444 + - name: CONTROLLER_PUBLISH_SERVICE + value: default/chartsnap-kong-proxy + image: kong/kubernetes-ingress-controller:3.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: ingress-controller + ports: + - containerPort: 8080 + name: webhook + protocol: TCP + - containerPort: 10255 + name: cmetrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /admission-webhook + name: webhook-cert + readOnly: true + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: chartsnap-kong-token + readOnly: true + - env: + - 
name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: 
/status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: 
clear-stale-pid + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + securityContext: {} + serviceAccountName: chartsnap-kong + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + rules: + - host: proxy.kong.example + http: + paths: + - backend: + service: + name: chartsnap-kong-proxy + port: + number: 443 + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - proxy.kong.example + secretName: kong.proxy.example.secret +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + rules: + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch + - apiGroups: + - 
configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - secrets + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - services/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch + - 
apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + rules: + - apiGroups: + - \"\" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - \"\" + 
resourceNames: + - kong-ingress-controller-leader-kong-kong + resources: + - configmaps + verbs: + - get + - update + - apiGroups: + - \"\" + resources: + - configmaps + verbs: + - create + - apiGroups: + - \"\" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-ca-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + tls.crt: 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 + tls.key: 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 + kind: Secret + metadata: + 
name: kong.proxy.example.secret + type: kubernetes.io/tls +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-manager + namespace: default + spec: + ports: + - name: kong-manager + port: 8002 + protocol: TCP + targetPort: 8002 + - name: kong-manager-tls + port: 8445 + protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: NodePort +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + enable-metrics: \"true\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + ports: + - name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: LoadBalancer +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook + namespace: default + spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 +- object: + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: chartsnap + 
app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default +""" diff --git a/charts/kong/kong/ci/__snapshots__/kong-ingress-3-values.snap b/charts/kong/kong/ci/__snapshots__/kong-ingress-3-values.snap new file mode 100644 index 000000000..4553dcf6a --- /dev/null +++ b/charts/kong/kong/ci/__snapshots__/kong-ingress-3-values.snap 
@@ -0,0 +1,899 @@ +[kong-ingress-3-values] +SnapShot = """ +- object: + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validations + namespace: default + webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + name: validations.kong.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - \"\" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - v1alpha2 + - v1beta1 + - v1 + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + sideEffects: None +- object: + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + template: + metadata: + annotations: + kuma.io/gateway: enabled + kuma.io/service-account-token-volume: chartsnap-kong-token + 
traffic.sidecar.istio.io/includeInboundPorts: \"\" + labels: + app: chartsnap-kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + version: \"3.5\" + spec: + automountServiceAccountToken: false + containers: + - args: null + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: 0.0.0.0:8080 + - name: CONTROLLER_ELECTION_ID + value: kong-ingress-controller-leader-kong + - name: CONTROLLER_INGRESS_CLASS + value: kong + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: \"true\" + - name: CONTROLLER_KONG_ADMIN_URL + value: https://localhost:8444 + - name: CONTROLLER_PUBLISH_SERVICE + value: default/chartsnap-kong-proxy + image: kong/kubernetes-ingress-controller:3.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: ingress-controller + ports: + - containerPort: 8080 + name: webhook + protocol: TCP + - containerPort: 10255 + name: cmetrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /admission-webhook + name: webhook-cert + readOnly: true + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: chartsnap-kong-token + readOnly: true + - env: + - 
name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: 
/status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: 
clear-stale-pid + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + securityContext: {} + serviceAccountName: chartsnap-kong + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + rules: + - host: proxy.kong.example + http: + paths: + - backend: + service: + name: chartsnap-kong-proxy + port: + number: 443 + path: / + pathType: ImplementationSpecific +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + rules: + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + 
- patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - secrets + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - services/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - 
get + - patch + - update + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + rules: + - apiGroups: + - \"\" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - \"\" + resourceNames: + - kong-ingress-controller-leader-kong-kong + resources: + - configmaps + 
verbs: + - get + - update + - apiGroups: + - \"\" + resources: + - configmaps + verbs: + - create + - apiGroups: + - \"\" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-ca-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-manager + namespace: 
default + spec: + ports: + - name: kong-manager + port: 8002 + protocol: TCP + targetPort: 8002 + - name: kong-manager-tls + port: 8445 + protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: NodePort +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + enable-metrics: \"true\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + ports: + - name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: LoadBalancer +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook + namespace: default + spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 +- object: + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default +""" 
diff --git a/charts/kong/kong/ci/__snapshots__/kong-ingress-4-values.snap b/charts/kong/kong/ci/__snapshots__/kong-ingress-4-values.snap new file mode 100644 index 000000000..0ccaf3766 --- /dev/null +++ b/charts/kong/kong/ci/__snapshots__/kong-ingress-4-values.snap 
@@ -0,0 +1,952 @@ +[kong-ingress-4-values] +SnapShot = """ +- object: + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validations + namespace: default + webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + name: validations.kong.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - \"\" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - v1alpha2 + - v1beta1 + - v1 + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + sideEffects: None +- object: + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + template: + metadata: + annotations: + kuma.io/gateway: enabled + kuma.io/service-account-token-volume: chartsnap-kong-token + 
traffic.sidecar.istio.io/includeInboundPorts: \"\" + labels: + app: chartsnap-kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + version: \"3.5\" + spec: + automountServiceAccountToken: false + containers: + - args: null + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: 0.0.0.0:8080 + - name: CONTROLLER_ELECTION_ID + value: kong-ingress-controller-leader-kong + - name: CONTROLLER_INGRESS_CLASS + value: kong + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: \"true\" + - name: CONTROLLER_KONG_ADMIN_URL + value: https://localhost:8444 + - name: CONTROLLER_PUBLISH_SERVICE + value: default/chartsnap-kong-proxy + image: kong/kubernetes-ingress-controller:3.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: ingress-controller + ports: + - containerPort: 8080 + name: webhook + protocol: TCP + - containerPort: 10255 + name: cmetrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /admission-webhook + name: webhook-cert + readOnly: true + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: chartsnap-kong-token + readOnly: true + - env: + - 
name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: 
/status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: 
clear-stale-pid + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + securityContext: {} + serviceAccountName: chartsnap-kong + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + rules: + - host: proxy.kong.example + http: + paths: + - backend: + service: + name: chartsnap-kong-proxy + port: + number: 443 + path: / + pathType: ImplementationSpecific + - host: proxy2.kong.example + http: + paths: + - backend: + service: + name: chartsnap-kong-proxy + port: + number: 443 + path: /foo + pathType: Prefix + - backend: + service: + name: chartsnap-kong-proxy + port: + number: 443 + path: /bar + pathType: Prefix + - host: proxy3.kong.example + http: + paths: + - backend: + service: + name: chartsnap-kong-proxy + port: + number: 443 + path: /baz + pathType: Prefix + tls: + - hosts: + - proxy.kong.example + secretName: proxy.kong.example.secret + - hosts: + - 
proxy2.kong.example + - proxy3.kong.example + secretName: proxy.kong.example.secret2 +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + rules: + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - secrets + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - services/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + 
resources: + - kongplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-kong + 
subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + rules: + - apiGroups: + - \"\" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - \"\" + resourceNames: + - kong-ingress-controller-leader-kong-kong + resources: + - configmaps + verbs: + - get + - update + - apiGroups: + - \"\" + resources: + - configmaps + verbs: + - create + - apiGroups: + - \"\" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-ca-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: 
'###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + tls.crt: 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 + tls.key: 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 + kind: Secret + metadata: + name: kong.proxy.example.secret + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + tls.crt: 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 + tls.key: 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 + kind: Secret + metadata: + name: kong.proxy.example.secret2 + type: kubernetes.io/tls +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-manager + namespace: default + spec: + ports: + - name: kong-manager + port: 8002 + protocol: TCP + targetPort: 8002 + - name: kong-manager-tls + port: 8445 + protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: NodePort +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + enable-metrics: \"true\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + ports: + - name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + 
app.kubernetes.io/name: kong + type: LoadBalancer +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook + namespace: default + spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 +- object: + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default +""" diff --git a/charts/kong/kong/ci/__snapshots__/service-account.snap b/charts/kong/kong/ci/__snapshots__/service-account.snap new file mode 100644 index 000000000..0f47778a8 --- /dev/null +++ b/charts/kong/kong/ci/__snapshots__/service-account.snap 
@@ -0,0 +1,875 @@ +[service-account] +SnapShot = """ +- object: + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validations + namespace: default + webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + name: validations.kong.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - \"\" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - v1alpha2 + - v1beta1 + - v1 + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + sideEffects: None +- object: + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + template: + metadata: + annotations: + kuma.io/gateway: enabled + kuma.io/service-account-token-volume: my-kong-sa-token + 
traffic.sidecar.istio.io/includeInboundPorts: \"\" + labels: + app: chartsnap-kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + version: \"3.5\" + spec: + automountServiceAccountToken: false + containers: + - args: null + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: 0.0.0.0:8080 + - name: CONTROLLER_ELECTION_ID + value: kong-ingress-controller-leader-kong + - name: CONTROLLER_INGRESS_CLASS + value: kong + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: \"true\" + - name: CONTROLLER_KONG_ADMIN_URL + value: https://localhost:8444 + - name: CONTROLLER_PUBLISH_SERVICE + value: default/chartsnap-kong-proxy + image: kong/kubernetes-ingress-controller:3.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: ingress-controller + ports: + - containerPort: 8080 + name: webhook + protocol: TCP + - containerPort: 10255 + name: cmetrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /admission-webhook + name: webhook-cert + readOnly: true + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: my-kong-sa-token + readOnly: true + - env: + - 
name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: 
/status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: 
clear-stale-pid + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + securityContext: {} + serviceAccountName: my-kong-sa + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: my-kong-sa-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + rules: + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - pods + verbs: + - get + - list + - watch + - 
apiGroups: + - \"\" + resources: + - secrets + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - services/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + 
verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: my-kong-sa + namespace: default +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + rules: + - apiGroups: + - \"\" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - \"\" + resourceNames: + - kong-ingress-controller-leader-kong-kong + resources: + - configmaps + verbs: + - get + - update + - apiGroups: + - \"\" + resources: + - configmaps + verbs: + - create + - apiGroups: + - \"\" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + 
labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: my-kong-sa + namespace: default +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-ca-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-manager + namespace: default + spec: + ports: + - name: kong-manager + port: 8002 + protocol: TCP + targetPort: 8002 + - name: kong-manager-tls + port: 8445 + protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: NodePort +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + 
app.kubernetes.io/version: \"3.5\" + enable-metrics: \"true\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + ports: + - name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: LoadBalancer +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook + namespace: default + spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 +- object: + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: my-kong-sa + namespace: default +""" diff --git a/charts/kong/kong/ci/__snapshots__/single-image-default-values.snap b/charts/kong/kong/ci/__snapshots__/single-image-default-values.snap new file mode 100644 index 000000000..29857465e --- /dev/null +++ b/charts/kong/kong/ci/__snapshots__/single-image-default-values.snap 
@@ -0,0 +1,881 @@ +[single-image-default-values] +SnapShot = """ +- object: + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validations + namespace: default + webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + name: validations.kong.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - \"\" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - v1alpha2 + - v1beta1 + - v1 + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + sideEffects: None +- object: + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + template: + metadata: + annotations: + kuma.io/gateway: enabled + kuma.io/service-account-token-volume: chartsnap-kong-token + 
traffic.sidecar.istio.io/includeInboundPorts: \"\" + labels: + app: chartsnap-kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + version: \"3.5\" + spec: + automountServiceAccountToken: false + containers: + - args: null + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: 0.0.0.0:8080 + - name: CONTROLLER_ANONYMOUS_REPORTS + value: \"false\" + - name: CONTROLLER_ELECTION_ID + value: kong-ingress-controller-leader-kong + - name: CONTROLLER_INGRESS_CLASS + value: kong + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: \"true\" + - name: CONTROLLER_KONG_ADMIN_URL + value: https://localhost:8444 + - name: CONTROLLER_PUBLISH_SERVICE + value: default/chartsnap-kong-proxy + image: kong/kubernetes-ingress-controller:3.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: ingress-controller + ports: + - containerPort: 8080 + name: webhook + protocol: TCP + - containerPort: 10255 + name: cmetrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /admission-webhook + name: webhook-cert + readOnly: true + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + 
name: chartsnap-kong-token + readOnly: true + - env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.4.1 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - 
containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - 
name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + image: kong:3.4.1 + imagePullPolicy: IfNotPresent + name: clear-stale-pid + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + securityContext: {} + serviceAccountName: chartsnap-kong + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + rules: + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update + - apiGroups: + - \"\" + resources: + - events + verbs: + - 
create + - patch + - apiGroups: + - \"\" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - secrets + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - services/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - 
apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + rules: + - apiGroups: + - \"\" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - \"\" + resourceNames: + - kong-ingress-controller-leader-kong-kong + resources: + - configmaps + verbs: + - get + - update + - apiGroups: + - \"\" + resources: + - configmaps + verbs: + - create + - apiGroups: + - \"\" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - \"\" + resources: + - events + verbs: + 
- create + - patch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-ca-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-manager + namespace: default + spec: + ports: + - name: kong-manager + port: 8002 + protocol: TCP + targetPort: 8002 + - name: kong-manager-tls + port: 8445 + protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: NodePort +- object: + 
apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + enable-metrics: \"true\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + ports: + - name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: LoadBalancer +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook + namespace: default + spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 +- object: + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default +""" diff --git a/charts/kong/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap b/charts/kong/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap new file mode 100644 index 000000000..3acef92f5 --- /dev/null +++ b/charts/kong/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap 
@@ -0,0 +1,315 @@ +['test-enterprise-version-3.4.0.0-values'] +SnapShot = """ +- object: + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + template: + metadata: + annotations: + kuma.io/gateway: enabled + kuma.io/service-account-token-volume: chartsnap-kong-token + traffic.sidecar.istio.io/includeInboundPorts: \"\" + labels: + app: chartsnap-kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + version: \"3.5\" + spec: + automountServiceAccountToken: false + containers: + - env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, 
[::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong/kong-gateway:3.4.0.0 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: 
KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + image: kong/kong-gateway:3.4.0.0 + imagePullPolicy: IfNotPresent + name: clear-stale-pid + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + securityContext: {} + serviceAccountName: chartsnap-kong + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + 
app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-manager + namespace: default + spec: + ports: + - name: kong-manager + port: 8002 + protocol: TCP + targetPort: 8002 + - name: kong-manager-tls + port: 8445 + protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: NodePort +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + enable-metrics: \"true\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + ports: + - name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: LoadBalancer +- object: + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default +""" diff --git a/charts/kong/kong/ci/__snapshots__/test1-values.snap b/charts/kong/kong/ci/__snapshots__/test1-values.snap new file mode 100644 index 000000000..c714105a3 --- /dev/null +++ b/charts/kong/kong/ci/__snapshots__/test1-values.snap 
@@ -0,0 +1,968 @@ +[test1-values] +SnapShot = """ +- object: + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validations + namespace: default + webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + name: validations.kong.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - \"\" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - v1alpha2 + - v1beta1 + - v1 + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + sideEffects: None +- object: + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + spec: + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + template: + metadata: + annotations: + kuma.io/gateway: enabled + kuma.io/service-account-token-volume: chartsnap-kong-token + traffic.sidecar.istio.io/includeInboundPorts: 
\"\" + labels: + app: kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + environment: test + helm.sh/chart: kong-2.34.0 + version: \"3.5\" + spec: + automountServiceAccountToken: false + containers: + - args: null + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: 0.0.0.0:8080 + - name: CONTROLLER_ANONYMOUS_REPORTS + value: \"false\" + - name: CONTROLLER_ELECTION_ID + value: kong-ingress-controller-leader-kong + - name: CONTROLLER_INGRESS_CLASS + value: kong + - name: CONTROLLER_KONG_ADMIN_HEADER + value: foo:bar + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: \"true\" + - name: CONTROLLER_KONG_ADMIN_URL + value: https://localhost:8444 + - name: CONTROLLER_PUBLISH_SERVICE + value: default/chartsnap-kong-proxy + image: kong/kubernetes-ingress-controller:3.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: ingress-controller + ports: + - containerPort: 8080 + name: webhook + protocol: TCP + - containerPort: 10255 + name: cmetrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /admission-webhook + name: webhook-cert + readOnly: true + - mountPath: 
/var/run/secrets/kubernetes.io/serviceaccount + name: chartsnap-kong-token + readOnly: true + - mountPath: /tmp/foo + name: tmpdir + readOnly: true + - mountPath: /tmp/controller + name: controllerdir + - env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http://admin.kong.example + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http://admin.kong.example + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + 
httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + - mountPath: /tmp/foo + name: tmpdir + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http://admin.kong.example + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http://admin.kong.example + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: 
/dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: clear-stale-pid + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + - command: + - /bin/sh + - -c + - \"true\" + image: bash:latest + name: bash + resources: + limits: + cpu: 100m + memory: 64Mi + requests: + cpu: 100m + memory: 64Mi + volumeMounts: + - mountPath: /tmp/foo + name: tmpdir + securityContext: {} + serviceAccountName: chartsnap-kong + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair + - emptyDir: {} + name: tmpdir + - emptyDir: {} + name: controllerdir +- object: + apiVersion: autoscaling/v2 + kind: HorizontalPodAutoscaler + metadata: + labels: + 
app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + spec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + minReplicas: 2 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: chartsnap-kong +- object: + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + rules: + - host: proxy.kong.example + http: + paths: + - backend: + service: + name: chartsnap-kong-proxy + port: + number: 443 + path: / + pathType: ImplementationSpecific +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + rules: + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: 
+ - secrets + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - services/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + 
- apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + rules: + - apiGroups: + - \"\" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - \"\" + resourceNames: + - kong-ingress-controller-leader-kong-kong + resources: + - configmaps + verbs: + - get + - update + - apiGroups: + - \"\" + resources: + - configmaps + verbs: + - create + - apiGroups: + - \"\" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/instance: 
chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-ca-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-manager + namespace: default + spec: + ports: + - name: kong-manager + port: 8002 + protocol: TCP + targetPort: 8002 + - name: kong-manager-tls + port: 8445 + protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: NodePort +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + enable-metrics: 
\"true\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + ports: + - name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: LoadBalancer +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook + namespace: default + spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 +- object: + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default +""" diff --git a/charts/kong/kong/ci/__snapshots__/test2-values.snap b/charts/kong/kong/ci/__snapshots__/test2-values.snap new file mode 100644 index 000000000..ae0195d80 --- /dev/null +++ b/charts/kong/kong/ci/__snapshots__/test2-values.snap 
@@ -0,0 +1,2118 @@ +[test2-values] +SnapShot = """ +- object: + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validations + namespace: default + webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + name: validations.kong.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - \"\" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - v1alpha2 + - v1beta1 + - v1 + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + sideEffects: None + timeoutSeconds: 5 +- object: + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + 
kuma.io/gateway: enabled + kuma.io/service-account-token-volume: chartsnap-kong-token + traffic.sidecar.istio.io/includeInboundPorts: \"\" + labels: + app: chartsnap-kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + version: \"3.5\" + spec: + automountServiceAccountToken: false + containers: + - args: null + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: 0.0.0.0:8080 + - name: CONTROLLER_ANONYMOUS_REPORTS + value: \"false\" + - name: CONTROLLER_ELECTION_ID + value: kong-ingress-controller-leader-kong + - name: CONTROLLER_INGRESS_CLASS + value: kong + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: \"true\" + - name: CONTROLLER_KONG_ADMIN_URL + value: https://localhost:8444 + - name: CONTROLLER_PUBLISH_SERVICE + value: default/chartsnap-kong-proxy + - name: CONTROLLER_WATCH_NAMESPACE + value: default + - name: TZ + value: Europe/Berlin + envFrom: + - configMapRef: + name: env-config + image: kong/kubernetes-ingress-controller:3.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: ingress-controller + ports: + - containerPort: 8080 + name: webhook + protocol: TCP + - containerPort: 10255 + name: cmetrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + 
runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /admission-webhook + name: webhook-cert + readOnly: true + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: chartsnap-kong-token + readOnly: true + - env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: 
KONG_STREAM_LISTEN + value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - containerPort: 9000 + name: stream-9000 + protocol: TCP + - containerPort: 9001 + name: stream-9001 + protocol: TCP + - containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - 
name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl + envFrom: + - configMapRef: + name: env-config + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: clear-stale-pid + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + - command: + - /bin/sh + - -c + - \"true\" + image: bash:latest + name: bash + resources: + limits: + cpu: 100m + memory: 64Mi + requests: + cpu: 100m + memory: 64Mi + - args: + - /bin/bash + - -c + - export KONG_NGINX_DAEMON=on KONG_PREFIX=`mktemp -d` KONG_KEYRING_ENABLED=off; until kong start; do echo 'waiting for db'; sleep 1; done; kong stop + env: + - name: KONG_ADMIN_ACCESS_LOG + value: 
/dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl + envFrom: + - configMapRef: + name: env-config + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: wait-for-db + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + 
runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + securityContext: {} + serviceAccountName: chartsnap-kong + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - configMap: + defaultMode: 493 + name: chartsnap-kong-bash-wait-for-postgres + name: chartsnap-kong-bash-wait-for-postgres + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: apps/v1 + kind: StatefulSet + metadata: + annotations: null + labels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + name: chartsnap-postgresql + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: postgresql + serviceName: chartsnap-postgresql-hl + template: + metadata: + annotations: null + labels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + name: chartsnap-postgresql + spec: + affinity: + nodeAffinity: null + podAffinity: null + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/component: primary + 
app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: postgresql + namespaces: + - default + topologyKey: kubernetes.io/hostname + weight: 1 + containers: + - env: + - name: BITNAMI_DEBUG + value: \"false\" + - name: POSTGRESQL_PORT_NUMBER + value: \"5432\" + - name: POSTGRESQL_VOLUME_DIR + value: /bitnami/postgresql + - name: PGDATA + value: /bitnami/postgresql/data + - name: POSTGRES_USER + value: kong + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + key: postgres-password + name: chartsnap-postgresql + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: POSTGRES_DB + value: kong + - name: POSTGRESQL_ENABLE_LDAP + value: \"no\" + - name: POSTGRESQL_ENABLE_TLS + value: \"no\" + - name: POSTGRESQL_LOG_HOSTNAME + value: \"false\" + - name: POSTGRESQL_LOG_CONNECTIONS + value: \"false\" + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: \"false\" + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: \"off\" + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: error + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: pgaudit + image: docker.io/bitnami/postgresql:13.11.0-debian-11-r20 + imagePullPolicy: IfNotPresent + livenessProbe: + exec: + command: + - /bin/sh + - -c + - exec pg_isready -U \"kong\" -d \"dbname=kong\" -h 127.0.0.1 -p 5432 + failureThreshold: 6 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: postgresql + ports: + - containerPort: 5432 + name: tcp-postgresql + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + - | + exec pg_isready -U \"kong\" -d \"dbname=kong\" -h 127.0.0.1 -p 5432 + [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] + failureThreshold: 6 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: {} + requests: + cpu: 250m + memory: 256Mi + securityContext: + runAsUser: 1001 + volumeMounts: + - mountPath: 
/dev/shm + name: dshm + - mountPath: /bitnami/postgresql + name: data + hostIPC: false + hostNetwork: false + initContainers: null + securityContext: + fsGroup: 1001 + serviceAccountName: default + volumes: + - emptyDir: + medium: Memory + name: dshm + updateStrategy: + rollingUpdate: {} + type: RollingUpdate + volumeClaimTemplates: + - metadata: + name: data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 8Gi +- object: + apiVersion: batch/v1 + kind: Job + metadata: + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation + labels: + app.kubernetes.io/component: init-migrations + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-init-migrations + namespace: default + spec: + backoffLimit: null + template: + metadata: + annotations: + kuma.io/service-account-token-volume: chartsnap-kong-token + sidecar.istio.io/inject: \"false\" + labels: + app.kubernetes.io/component: init-migrations + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: kong-init-migrations + spec: + automountServiceAccountToken: false + containers: + - args: + - kong + - migrations + - bootstrap + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + 
value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl + - name: KONG_NGINX_DAEMON + value: \"off\" + envFrom: + - configMapRef: + name: env-config + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: kong-migrations + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - /bin/sh + - -c + - \"true\" + image: bash:latest + name: bash + resources: + limits: + cpu: 100m + memory: 64Mi + requests: + cpu: 100m + memory: 64Mi + - command: + - bash + - /wait_postgres/wait.sh + env: + - name: 
KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl + - name: KONG_NGINX_DAEMON + value: \"off\" + envFrom: + - configMapRef: + name: env-config + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: wait-for-postgres + resources: {} + volumeMounts: + - mountPath: 
/wait_postgres + name: chartsnap-kong-bash-wait-for-postgres + restartPolicy: OnFailure + securityContext: {} + serviceAccountName: chartsnap-kong + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - configMap: + defaultMode: 493 + name: chartsnap-kong-bash-wait-for-postgres + name: chartsnap-kong-bash-wait-for-postgres + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: batch/v1 + kind: Job + metadata: + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation + labels: + app.kubernetes.io/component: post-upgrade-migrations + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-post-upgrade-migrations + namespace: default + spec: + backoffLimit: null + template: + metadata: + annotations: + kuma.io/service-account-token-volume: chartsnap-kong-token + sidecar.istio.io/inject: \"false\" + labels: + app.kubernetes.io/component: post-upgrade-migrations + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: kong-post-upgrade-migrations + spec: + automountServiceAccountToken: false + containers: + - args: + - kong + - migrations + - finish + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: 
KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl + - name: KONG_NGINX_DAEMON + value: \"off\" + envFrom: + - configMapRef: + name: env-config + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: kong-post-upgrade-migrations + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + 
type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - /bin/sh + - -c + - \"true\" + image: bash:latest + name: bash + resources: + limits: + cpu: 100m + memory: 64Mi + requests: + cpu: 100m + memory: 64Mi + - command: + - bash + - /wait_postgres/wait.sh + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG 
+ value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl + - name: KONG_NGINX_DAEMON + value: \"off\" + envFrom: + - configMapRef: + name: env-config + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: wait-for-postgres + resources: {} + volumeMounts: + - mountPath: /wait_postgres + name: chartsnap-kong-bash-wait-for-postgres + restartPolicy: OnFailure + securityContext: {} + serviceAccountName: chartsnap-kong + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - configMap: + defaultMode: 493 + name: chartsnap-kong-bash-wait-for-postgres + name: chartsnap-kong-bash-wait-for-postgres + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: batch/v1 + kind: Job + metadata: + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation + helm.sh/hook: pre-upgrade + helm.sh/hook-delete-policy: before-hook-creation + labels: + app.kubernetes.io/component: pre-upgrade-migrations + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-pre-upgrade-migrations + namespace: default + spec: + backoffLimit: null + template: + metadata: + annotations: + kuma.io/service-account-token-volume: chartsnap-kong-token + sidecar.istio.io/inject: \"false\" + labels: + app.kubernetes.io/component: pre-upgrade-migrations + 
app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: kong-pre-upgrade-migrations + spec: + automountServiceAccountToken: false + containers: + - args: + - kong + - migrations + - up + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, 
[::]:8100 + - name: KONG_STREAM_LISTEN + value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl + - name: KONG_NGINX_DAEMON + value: \"off\" + envFrom: + - configMapRef: + name: env-config + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: kong-upgrade-migrations + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - /bin/sh + - -c + - \"true\" + image: bash:latest + name: bash + resources: + limits: + cpu: 100m + memory: 64Mi + requests: + cpu: 100m + memory: 64Mi + - command: + - bash + - /wait_postgres/wait.sh + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: 
/kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl + - name: KONG_NGINX_DAEMON + value: \"off\" + envFrom: + - configMapRef: + name: env-config + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: wait-for-postgres + resources: {} + volumeMounts: + - mountPath: /wait_postgres + name: chartsnap-kong-bash-wait-for-postgres + restartPolicy: OnFailure + securityContext: {} + serviceAccountName: chartsnap-kong + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - configMap: + defaultMode: 493 + name: chartsnap-kong-bash-wait-for-postgres + name: chartsnap-kong-bash-wait-for-postgres + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + 
rules: + - host: proxy.kong.example + http: + paths: + - backend: + service: + name: chartsnap-kong-proxy + port: + number: 443 + path: / + pathType: ImplementationSpecific +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + rules: + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + rules: + - apiGroups: + - \"\" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - \"\" + resourceNames: + - kong-ingress-controller-leader-kong-kong + resources: + - configmaps + verbs: + - get + - update + - apiGroups: + - \"\" + 
resources: + - configmaps + verbs: + - create + - apiGroups: + - \"\" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-default + namespace: default + rules: + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - secrets + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - services/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - 
patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + 
metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-default + namespace: default + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong-default + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: v1 + data: + wait.sh: | + until timeout 2 bash -c \"9<>/dev/tcp/${KONG_PG_HOST}/${KONG_PG_PORT}\" + do echo \"waiting for db - trying ${KONG_PG_HOST}:${KONG_PG_PORT}\" + sleep 2 + done + kind: ConfigMap + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-bash-wait-for-postgres + namespace: default +- object: + apiVersion: v1 + data: + test-env: test + kind: ConfigMap + metadata: + name: env-config +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-ca-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + password: a29uZw== + postgres-password: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + 
app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + name: chartsnap-postgresql + namespace: default + type: Opaque +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-manager + namespace: default + spec: + ports: + - name: kong-manager + port: 8002 + protocol: TCP + targetPort: 8002 + - name: kong-manager-tls + port: 8445 + protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: NodePort +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + enable-metrics: \"true\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + ports: + - name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + - name: stream-9000 + port: 9000 + protocol: TCP + targetPort: 9000 + - name: stream-9001 + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: LoadBalancer +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook + namespace: default + spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + app.kubernetes.io/component: app + 
app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 +- object: + apiVersion: v1 + kind: Service + metadata: + annotations: null + labels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + name: chartsnap-postgresql + namespace: default + spec: + ports: + - name: tcp-postgresql + nodePort: null + port: 5432 + targetPort: tcp-postgresql + selector: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: postgresql + sessionAffinity: None + type: ClusterIP +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + service.alpha.kubernetes.io/tolerate-unready-endpoints: \"true\" + name: chartsnap-postgresql-hl + namespace: default + spec: + clusterIP: None + ports: + - name: tcp-postgresql + port: 5432 + targetPort: tcp-postgresql + publishNotReadyAddresses: true + selector: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: postgresql + type: ClusterIP +- object: + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default +""" diff --git a/charts/kong/kong/ci/__snapshots__/test3-values.snap b/charts/kong/kong/ci/__snapshots__/test3-values.snap new file mode 100644 index 000000000..e61683608 --- /dev/null +++ b/charts/kong/kong/ci/__snapshots__/test3-values.snap 
@@ -0,0 +1,373 @@ +[test3-values] +SnapShot = """ +- object: + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + template: + metadata: + annotations: + checksum/dbless.config: 95c0309e6b27de23d64edae3a3602472635243f133fba88af3034ed4d5703d4a + kuma.io/gateway: enabled + kuma.io/service-account-token-volume: chartsnap-kong-token + traffic.sidecar.istio.io/includeInboundPorts: \"\" + labels: + app: chartsnap-kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + version: \"3.5\" + spec: + automountServiceAccountToken: false + containers: + - env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_DECLARATIVE_CONFIG + value: /kong_dbless/kong.yml + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: 
/kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + - mountPath: /kong_dbless/ + name: kong-custom-dbless-config-volume + - mountPath: /opt/tmp + name: tmpdir + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: 
KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_DECLARATIVE_CONFIG + value: /kong_dbless/kong.yml + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: clear-stale-pid + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + - mountPath: /kong_dbless/ + name: kong-custom-dbless-config-volume + - command: + - /bin/sh + - -c + - \"true\" + image: bash:latest + name: bash + resources: + limits: + cpu: 100m + memory: 64Mi + requests: + cpu: 100m + 
memory: 64Mi + volumeMounts: + - mountPath: /opt/tmp + name: tmpdir + securityContext: {} + serviceAccountName: chartsnap-kong + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - configMap: + name: chartsnap-kong-custom-dbless-config + name: kong-custom-dbless-config-volume + - emptyDir: {} + name: tmpdir +- object: + apiVersion: v1 + data: + kong.yml: | + _format_version: \"1.1\" + services: + - name: example.com + url: http://example.com + routes: + - name: example + paths: + - \"/example\" + kind: ConfigMap + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-custom-dbless-config + namespace: default +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-manager + namespace: default + spec: + ports: + - name: kong-manager + port: 8002 + protocol: TCP + targetPort: 8002 + - name: kong-manager-tls + port: 8445 + protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: NodePort +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + 
app.kubernetes.io/version: \"3.5\" + enable-metrics: \"true\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + ports: + - name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: LoadBalancer +- object: + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default +""" diff --git a/charts/kong/kong/ci/__snapshots__/test4-values.snap b/charts/kong/kong/ci/__snapshots__/test4-values.snap new file mode 100644 index 000000000..49e0a1a6a --- /dev/null +++ b/charts/kong/kong/ci/__snapshots__/test4-values.snap 
@@ -0,0 +1,390 @@ +[test4-values] +SnapShot = """ +- object: + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + template: + metadata: + annotations: + checksum/dbless.config: 95c0309e6b27de23d64edae3a3602472635243f133fba88af3034ed4d5703d4a + kuma.io/gateway: enabled + kuma.io/service-account-token-volume: chartsnap-kong-token + traffic.sidecar.istio.io/includeInboundPorts: \"\" + labels: + app: chartsnap-kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + version: \"3.5\" + spec: + automountServiceAccountToken: false + containers: + - env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_DECLARATIVE_CONFIG + value: /kong_dbless/kong.yml + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: 
/kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - containerPort: 9000 + name: stream-9000 + protocol: TCP + - containerPort: 9001 + name: stream-9001 + protocol: TCP + - containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + - mountPath: /kong_dbless/ + name: kong-custom-dbless-config-volume + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + 
- name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: \"off\" + - name: KONG_DECLARATIVE_CONFIG + value: /kong_dbless/kong.yml + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: clear-stale-pid + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + - mountPath: /kong_dbless/ + name: 
kong-custom-dbless-config-volume + securityContext: {} + serviceAccountName: chartsnap-kong + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - configMap: + name: chartsnap-kong-custom-dbless-config + name: kong-custom-dbless-config-volume +- object: + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + rules: + - http: + paths: + - backend: + service: + name: chartsnap-kong-proxy + port: + number: 443 + path: / + pathType: ImplementationSpecific +- object: + apiVersion: v1 + data: + kong.yml: | + _format_version: \"1.1\" + services: + - name: example.com + url: http://example.com + routes: + - name: example + paths: + - \"/example\" + kind: ConfigMap + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-custom-dbless-config + namespace: default +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-manager + namespace: default + spec: + ports: + - name: kong-manager + port: 8002 + protocol: TCP + targetPort: 8002 + - name: 
kong-manager-tls + port: 8445 + protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: NodePort +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + enable-metrics: \"true\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + ports: + - name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + - name: stream-9000 + port: 9000 + protocol: TCP + targetPort: 9000 + - name: stream-9001 + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: LoadBalancer +- object: + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default +""" diff --git a/charts/kong/kong/ci/__snapshots__/test5-values.snap b/charts/kong/kong/ci/__snapshots__/test5-values.snap new file mode 100644 index 000000000..48c83a7a6 --- /dev/null +++ b/charts/kong/kong/ci/__snapshots__/test5-values.snap 
@@ -0,0 +1,1998 @@ +[test5-values] +SnapShot = """ +- object: + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validations + namespace: default + webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + name: validations.kong.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - \"\" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - v1alpha2 + - v1beta1 + - v1 + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + sideEffects: None +- object: + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + kuma.io/gateway: enabled + 
kuma.io/service-account-token-volume: chartsnap-kong-token + traffic.sidecar.istio.io/includeInboundPorts: \"\" + labels: + app: chartsnap-kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + version: \"3.5\" + spec: + automountServiceAccountToken: false + containers: + - args: null + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: 0.0.0.0:8080 + - name: CONTROLLER_ANONYMOUS_REPORTS + value: \"false\" + - name: CONTROLLER_ELECTION_ID + value: kong-ingress-controller-leader-kong + - name: CONTROLLER_INGRESS_CLASS + value: kong + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: \"true\" + - name: CONTROLLER_KONG_ADMIN_URL + value: https://localhost:8444 + - name: CONTROLLER_PUBLISH_SERVICE + value: default/chartsnap-kong-proxy + image: kong/kubernetes-ingress-controller:3.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: ingress-controller + ports: + - containerPort: 8080 + name: webhook + protocol: TCP + - containerPort: 10255 + name: cmetrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /admission-webhook + name: webhook-cert + readOnly: true + 
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: chartsnap-kong-token + readOnly: true + - env: + - name: CLIENT_ID + value: exampleId + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + lifecycle: 
+ preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /status/ready + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + - name: CLIENT_ID + value: exampleId + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: 
bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: clear-stale-pid + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + - args: + - /bin/bash + - -c + - export KONG_NGINX_DAEMON=on KONG_PREFIX=`mktemp -d` KONG_KEYRING_ENABLED=off; until kong start; do echo 'waiting for db'; sleep 1; done; kong stop + env: + - name: CLIENT_ID + value: exampleId + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - 
name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: wait-for-db + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + securityContext: {} + serviceAccountName: chartsnap-kong + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + 
path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - configMap: + defaultMode: 493 + name: chartsnap-kong-bash-wait-for-postgres + name: chartsnap-kong-bash-wait-for-postgres + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: apps/v1 + kind: StatefulSet + metadata: + annotations: null + labels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + name: chartsnap-postgresql + namespace: default + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: postgresql + serviceName: chartsnap-postgresql-hl + template: + metadata: + annotations: null + labels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + name: chartsnap-postgresql + spec: + affinity: + nodeAffinity: null + podAffinity: null + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: postgresql + namespaces: + - default + topologyKey: kubernetes.io/hostname + weight: 1 + containers: + - env: + - name: BITNAMI_DEBUG + value: \"false\" + - name: POSTGRESQL_PORT_NUMBER + value: \"5432\" + - name: POSTGRESQL_VOLUME_DIR + value: /bitnami/postgresql + - name: PGDATA + value: /bitnami/postgresql/data + - name: POSTGRES_USER + value: kong + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + key: postgres-password + name: chartsnap-postgresql + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + key: 
password + name: chartsnap-postgresql + - name: POSTGRES_DB + value: kong + - name: POSTGRESQL_ENABLE_LDAP + value: \"no\" + - name: POSTGRESQL_ENABLE_TLS + value: \"no\" + - name: POSTGRESQL_LOG_HOSTNAME + value: \"false\" + - name: POSTGRESQL_LOG_CONNECTIONS + value: \"false\" + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: \"false\" + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: \"off\" + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: error + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: pgaudit + image: docker.io/bitnami/postgresql:13.11.0-debian-11-r20 + imagePullPolicy: IfNotPresent + livenessProbe: + exec: + command: + - /bin/sh + - -c + - exec pg_isready -U \"kong\" -d \"dbname=kong\" -h 127.0.0.1 -p 5432 + failureThreshold: 6 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: postgresql + ports: + - containerPort: 5432 + name: tcp-postgresql + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + - | + exec pg_isready -U \"kong\" -d \"dbname=kong\" -h 127.0.0.1 -p 5432 + [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] + failureThreshold: 6 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: {} + requests: + cpu: 250m + memory: 256Mi + securityContext: + runAsUser: 1001 + volumeMounts: + - mountPath: /dev/shm + name: dshm + - mountPath: /bitnami/postgresql + name: data + hostIPC: false + hostNetwork: false + initContainers: null + securityContext: + fsGroup: 1001 + serviceAccountName: default + volumes: + - emptyDir: + medium: Memory + name: dshm + updateStrategy: + rollingUpdate: {} + type: RollingUpdate + volumeClaimTemplates: + - metadata: + name: data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 8Gi +- object: + apiVersion: batch/v1 + kind: Job + metadata: + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: 
BeforeHookCreation + labels: + app.kubernetes.io/component: init-migrations + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-init-migrations + namespace: default + spec: + backoffLimit: null + template: + metadata: + annotations: + kuma.io/service-account-token-volume: chartsnap-kong-token + sidecar.istio.io/inject: \"false\" + labels: + app.kubernetes.io/component: init-migrations + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: kong-init-migrations + spec: + automountServiceAccountToken: false + containers: + - args: + - kong + - migrations + - bootstrap + env: + - name: CLIENT_ID + value: exampleId + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: 
KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: kong-migrations + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - bash + - /wait_postgres/wait.sh + env: + - name: CLIENT_ID + value: exampleId + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + 
secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: wait-for-postgres + resources: {} + volumeMounts: + - mountPath: /wait_postgres + name: chartsnap-kong-bash-wait-for-postgres + restartPolicy: OnFailure + securityContext: {} + serviceAccountName: chartsnap-kong + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - configMap: + defaultMode: 493 + name: chartsnap-kong-bash-wait-for-postgres + name: chartsnap-kong-bash-wait-for-postgres + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: batch/v1 + kind: Job + metadata: + annotations: + 
helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation + labels: + app.kubernetes.io/component: post-upgrade-migrations + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-post-upgrade-migrations + namespace: default + spec: + backoffLimit: null + template: + metadata: + annotations: + kuma.io/service-account-token-volume: chartsnap-kong-token + sidecar.istio.io/inject: \"false\" + labels: + app.kubernetes.io/component: post-upgrade-migrations + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: kong-post-upgrade-migrations + spec: + automountServiceAccountToken: false + containers: + - args: + - kong + - migrations + - finish + env: + - name: CLIENT_ID + value: exampleId + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: 
KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: kong-post-upgrade-migrations + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - bash + - /wait_postgres/wait.sh + env: + - name: CLIENT_ID + value: exampleId + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: 
KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: wait-for-postgres + resources: {} + volumeMounts: + - mountPath: /wait_postgres + name: chartsnap-kong-bash-wait-for-postgres + restartPolicy: OnFailure + securityContext: {} + serviceAccountName: chartsnap-kong + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - configMap: + defaultMode: 493 + name: chartsnap-kong-bash-wait-for-postgres + name: chartsnap-kong-bash-wait-for-postgres + - name: webhook-cert + 
secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: batch/v1 + kind: Job + metadata: + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation + helm.sh/hook: pre-upgrade + helm.sh/hook-delete-policy: before-hook-creation + labels: + app.kubernetes.io/component: pre-upgrade-migrations + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-pre-upgrade-migrations + namespace: default + spec: + backoffLimit: null + template: + metadata: + annotations: + kuma.io/service-account-token-volume: chartsnap-kong-token + sidecar.istio.io/inject: \"false\" + labels: + app.kubernetes.io/component: pre-upgrade-migrations + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: kong-pre-upgrade-migrations + spec: + automountServiceAccountToken: false + containers: + - args: + - kong + - migrations + - up + env: + - name: CLIENT_ID + value: exampleId + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + 
secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: kong-upgrade-migrations + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - bash + - /wait_postgres/wait.sh + env: + - name: CLIENT_ID + value: exampleId + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_API_URI + value: http:// + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_API_URL + value: http:// + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: \"off\" + - name: 
KONG_CLUSTER_LISTEN + value: \"off\" + - name: KONG_DATABASE + value: postgres + - name: KONG_KIC + value: \"on\" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: \"2\" + - name: KONG_PG_HOST + value: chartsnap-postgresql + - name: KONG_PG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: chartsnap-postgresql + - name: KONG_PG_PORT + value: \"5432\" + - name: KONG_PLUGINS + value: bundled + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: \"off\" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: \"off\" + - name: KONG_NGINX_DAEMON + value: \"off\" + image: kong:3.5 + imagePullPolicy: IfNotPresent + name: wait-for-postgres + resources: {} + volumeMounts: + - mountPath: /wait_postgres + name: chartsnap-kong-bash-wait-for-postgres + restartPolicy: OnFailure + securityContext: {} + serviceAccountName: chartsnap-kong + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + 
fieldPath: metadata.namespace + path: namespace + - configMap: + defaultMode: 493 + name: chartsnap-kong-bash-wait-for-postgres + name: chartsnap-kong-bash-wait-for-postgres + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +- object: + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + rules: + - host: proxy.kong.example + http: + paths: + - backend: + service: + name: chartsnap-kong-proxy + port: + number: 443 + path: / + pathType: ImplementationSpecific +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + rules: + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - secrets + verbs: + - list + - watch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - \"\" + resources: + - services/status + 
verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - 
kongclusterplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default + rules: + - apiGroups: + - \"\" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - \"\" + resourceNames: + - kong-ingress-controller-leader-kong-kong + resources: + - configmaps + verbs: + - get + - update + - apiGroups: + - \"\" + resources: + - configmaps + verbs: + - create + - apiGroups: + - \"\" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - \"\" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - \"\" + resources: + - services + verbs: + - get +- object: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + 
namespace: default + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong + subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +- object: + apiVersion: v1 + data: + wait.sh: | + until timeout 2 bash -c \"9<>/dev/tcp/${KONG_PG_HOST}/${KONG_PG_PORT}\" + do echo \"waiting for db - trying ${KONG_PG_HOST}:${KONG_PG_PORT}\" + sleep 2 + done + kind: ConfigMap + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-bash-wait-for-postgres + namespace: default +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-ca-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook-keypair + namespace: default + type: kubernetes.io/tls +- object: + apiVersion: v1 + data: + password: a29uZw== + postgres-password: '###DYNAMIC_FIELD###' + kind: Secret + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + name: chartsnap-postgresql + namespace: default + type: Opaque +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + 
app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-manager + namespace: default + spec: + ports: + - name: kong-manager + port: 8002 + protocol: TCP + targetPort: 8002 + - name: kong-manager-tls + port: 8445 + protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: NodePort +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + enable-metrics: \"true\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-proxy + namespace: default + spec: + ports: + - name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: LoadBalancer +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong-validation-webhook + namespace: default + spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 +- object: + apiVersion: v1 + kind: Service + metadata: + annotations: null + labels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + name: chartsnap-postgresql + namespace: default + spec: 
+ ports: + - name: tcp-postgresql + nodePort: null + port: 5432 + targetPort: tcp-postgresql + selector: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: postgresql + sessionAffinity: None + type: ClusterIP +- object: + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + service.alpha.kubernetes.io/tolerate-unready-endpoints: \"true\" + name: chartsnap-postgresql-hl + namespace: default + spec: + clusterIP: None + ports: + - name: tcp-postgresql + port: 5432 + targetPort: tcp-postgresql + publishNotReadyAddresses: true + selector: + app.kubernetes.io/component: primary + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: postgresql + type: ClusterIP +- object: + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: \"3.5\" + helm.sh/chart: kong-2.34.0 + name: chartsnap-kong + namespace: default +""" diff --git a/charts/kong/kong/ci/test2-values.yaml b/charts/kong/kong/ci/test2-values.yaml index b635642ca..ba77b5cb7 100644 --- a/charts/kong/kong/ci/test2-values.yaml +++ b/charts/kong/kong/ci/test2-values.yaml @@ -11,6 +11,9 @@ ingressController: timeoutSeconds: 5 env: anonymous_reports: "false" + envFrom: + - configMapRef: + name: env-config customEnv: TZ: "Europe/Berlin" watchNamespaces: @@ -23,6 +26,9 @@ postgresql: env: anonymous_reports: "off" database: "postgres" +envFrom: +- configMapRef: + name: env-config # - ingress resources are created without hosts admin: ingress: @@ -63,3 +69,11 @@ deployment: requests: cpu: "100m" memory: "64Mi" + +extraObjects: +- apiVersion: v1 + kind: ConfigMap + metadata: + name: env-config + data: + test-env: test 
diff --git a/charts/kong/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml b/charts/kong/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml index 3b8423d55..84e232cbc 100644 --- a/charts/kong/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml +++ b/charts/kong/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml @@ -1,3 +1,4 @@ +demo: true admin: annotations: konghq.com/protocol: https diff --git a/charts/kong/kong/templates/NOTES.txt b/charts/kong/kong/templates/NOTES.txt index 2d7e4ea0d..ea035aafc 100644 --- a/charts/kong/kong/templates/NOTES.txt +++ b/charts/kong/kong/templates/NOTES.txt @@ -26,3 +26,17 @@ Kong: https://docs.konghq.com/kubernetes-ingress-controller/latest/guides/gettin {{- end -}} {{- include "kong.deprecation-warnings" $warnings -}} + +{{- if .Values.demo -}} + +############################################################################################# +##### WARNING: DEMO VALUES USED +############################################################################################# + +The values file used has been marked as a demo configuration. +It should NOT be used in production without comprehensive review of all settings provided. + +############################################################################################# +##### WARNING: DEMO VALUES USED +############################################################################################# +{{- end -}} \ No newline at end of file diff --git a/charts/kong/kong/templates/_helpers.tpl b/charts/kong/kong/templates/_helpers.tpl index 395ed2e80..f5abde2ee 100644 --- a/charts/kong/kong/templates/_helpers.tpl +++ b/charts/kong/kong/templates/_helpers.tpl 
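Review bot: `.Values.demo`, which the new NOTES.txt block keys on and which the quickstart example now sets, is not declared in values.yaml anywhere in this diff, so the option is undiscoverable and, if the chart ships a values schema that rejects unknown keys, the example file would fail validation. Add a documented default next to the other top-level keys, e.g. `# Marks a values file as a demo/example configuration; prints a not-for-production banner in NOTES.txt` above `demo: false`. The NOTES.txt hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which is easy to fix while touching it.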
@@ -267,6 +267,7 @@ Generic tool for creating KONG_PROXY_LISTEN, KONG_ADMIN_LISTEN, etc. */}} {{- define "kong.listen" -}} {{- $unifiedListen := list -}} + {{- $defaultAddrs := (list "0.0.0.0" "[::]") -}} {{/* Some services do not support these blocks at all, so these checks are a two-stage "is it safe to evaluate this?" and then "should we evaluate @@ -276,9 +277,12 @@ Generic tool for creating KONG_PROXY_LISTEN, KONG_ADMIN_LISTEN, etc. {{- if .http.enabled -}} {{- $listenConfig := dict -}} {{- $listenConfig := merge $listenConfig .http -}} - {{- $_ := set $listenConfig "address" (default "0.0.0.0" .address) -}} - {{- $httpListen := (include "kong.singleListen" $listenConfig) -}} - {{- $unifiedListen = append $unifiedListen $httpListen -}} + {{- $addresses := (default $defaultAddrs .addresses) -}} + {{- range $addresses -}} + {{- $_ := set $listenConfig "address" . -}} + {{- $httpListen := (include "kong.singleListen" $listenConfig) -}} + {{- $unifiedListen = append $unifiedListen $httpListen -}} + {{- end -}} {{- end -}} {{- end -}} @@ -295,9 +299,12 @@ Generic tool for creating KONG_PROXY_LISTEN, KONG_ADMIN_LISTEN, etc. {{- $listenConfig := merge $listenConfig .tls -}} {{- $parameters := append .tls.parameters "ssl" -}} {{- $_ := set $listenConfig "parameters" $parameters -}} - {{- $_ := set $listenConfig "address" (default "0.0.0.0" .address) -}} - {{- $tlsListen := (include "kong.singleListen" $listenConfig) -}} - {{- $unifiedListen = append $unifiedListen $tlsListen -}} + {{- $addresses := (default $defaultAddrs .addresses) -}} + {{- range $addresses -}} + {{- $_ := set $listenConfig "address" . -}} + {{- $tlsListen := (include "kong.singleListen" $listenConfig) -}} + {{- $unifiedListen = append $unifiedListen $tlsListen -}} + {{- end -}} {{- end -}} {{- end -}} 
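Review bot: `{{- $addresses := (default $defaultAddrs .addresses) -}}` in both hunks reads only the new `addresses` list, so the `address` key the template honoured until now is silently ignored: a values file that pinned e.g. `admin.address: 127.0.0.1` while keeping the admin service enabled now renders `0.0.0.0`/`[::]` and exposes the admin API on every interface, with no warning. The `kong.streamListen` hunk and the `.Values.admin` hunk further down drop the key in the same way. Keeping a one-release fallback (below, same shape for both address loops) plus an entry in `kong.deprecation-warnings` would turn the silent change into a visible one; otherwise the rename needs to be called out as breaking. Defaulting to `[::]` is also new behaviour for nodes with IPv6 disabled, where nginx fails to bind the AF_INET6 socket and Kong does not start, so values.yaml should document `addresses: ["0.0.0.0"]` as the opt-out — this diff adds no documentation for the key at all.
```gotemplate
      {{- $addresses := .addresses -}}
      {{- if (and (not $addresses) .address) -}}
        {{/* legacy single-address key; warn via kong.deprecation-warnings before removing */}}
        {{- $addresses = (list .address) -}}
      {{- end -}}
      {{- $addresses = (default $defaultAddrs $addresses) -}}
      {{- range $addresses -}}
      {{/* … unchanged: set address, include kong.singleListen, append … */}}
```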
@@ -332,19 +339,22 @@ Create KONG_STREAM_LISTEN string */}} {{- define "kong.streamListen" -}} {{- $unifiedListen := list -}} - {{- $address := (default "0.0.0.0" .address) -}} + {{- $defaultAddrs := (list "0.0.0.0" "[::]") -}} {{- range .stream -}} {{- $listenConfig := dict -}} {{- $listenConfig := merge $listenConfig . -}} - {{- $_ := set $listenConfig "address" $address -}} - {{/* You set NGINX stream listens to UDP using a parameter due to historical reasons. - Our configuration is dual-purpose, for both the Service and listen string, so we - forcibly inject this parameter if that's the Service protocol. The default handles - configs that predate the addition of the protocol field, where we only supported TCP. */}} - {{- if (eq (default "TCP" .protocol) "UDP") -}} - {{- $_ := set $listenConfig "parameters" (append (default (list) .parameters) "udp") -}} + {{- $addresses := (default $defaultAddrs .addresses) -}} + {{- range $addresses -}} + {{- $_ := set $listenConfig "address" . -}} + {{/* You set NGINX stream listens to UDP using a parameter due to historical reasons. + Our configuration is dual-purpose, for both the Service and listen string, so we + forcibly inject this parameter if that's the Service protocol. The default handles + configs that predate the addition of the protocol field, where we only supported TCP. */}} + {{- if (eq (default "TCP" $listenConfig.protocol) "UDP") -}} + {{- $_ := set $listenConfig "parameters" (append (default (list) $listenConfig.parameters) "udp") -}} + {{- end -}} + {{- $unifiedListen = append $unifiedListen (include "kong.singleListen" $listenConfig ) -}} {{- end -}} - {{- $unifiedListen = append $unifiedListen (include "kong.singleListen" $listenConfig ) -}} {{- end -}} {{- $listenString := ($unifiedListen | join ", ") -}} 
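Review bot: The `udp` parameter is injected inside the new `range $addresses` loop while `$listenConfig` is shared across its iterations, so a UDP stream entry with the default two addresses renders `udp` for `0.0.0.0` and `udp udp` for `[::]` — `append` returns a fresh list each time and `set` writes it back onto the same dict, so the second pass appends to the first pass's result. Move the three lines `{{- if (eq (default "TCP" $listenConfig.protocol) "UDP") -}}` / `{{- $_ := set $listenConfig "parameters" (append (default (list) $listenConfig.parameters) "udp") -}}` / `{{- end -}}` together with the comment above them out of the inner loop, directly before `{{- range $addresses -}}`; they depend only on the stream entry, not on the address. The per-address body then only sets `address` and appends the rendered listen, which is also easier to read.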
@@ -827,6 +837,7 @@ The name of the Service which will be used by the controller to update the Ingre {{ toYaml .Values.containerSecurityContext | nindent 4 }} env: {{- include "kong.env" . | nindent 2 }} + {{- include "kong.envFrom" .Values.envFrom | nindent 2 }} {{/* TODO the prefix override is to work around https://github.com/Kong/charts/issues/295 Note that we use args instead of command here to /not/ override the standard image entrypoint. */}} args: [ "/bin/bash", "-c", "export KONG_NGINX_DAEMON=on KONG_PREFIX=`mktemp -d` KONG_KEYRING_ENABLED=off; until kong start; do echo 'waiting for db'; sleep 1; done; kong stop"] @@ -891,6 +902,7 @@ The name of the Service which will be used by the controller to update the Ingre apiVersion: v1 fieldPath: metadata.namespace {{- include "kong.ingressController.env" . | indent 2 }} +{{ include "kong.envFrom" .Values.ingressController.envFrom | indent 2 }} image: {{ include "kong.getRepoTag" .Values.ingressController.image }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{/* disableReadiness is a hidden setting to drop this block entirely for use with a debugger @@ -967,13 +979,11 @@ the template that it itself is using form the above sections. {{- end -}} {{- with .Values.admin -}} - {{- $address := "0.0.0.0" -}} - {{- if (not .enabled) -}} - {{- $address = "127.0.0.1" -}} - {{- end -}} {{- $listenConfig := dict -}} {{- $listenConfig := merge $listenConfig . -}} - {{- $_ := set $listenConfig "address" (default $address .address) -}} + {{- if (and (not (hasKey . "addresses")) (not .enabled)) -}} + {{- $_ := set $listenConfig "addresses" (list "127.0.0.1" "[::1]") -}} + {{- end -}} {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}} {{- if or .tls.client.secretName .tls.client.caBundle -}} 
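Review bot: `{{- if (and (not (hasKey . "addresses")) (not .enabled)) -}}` in the `.Values.admin` hunk distinguishes an absent key from an explicitly empty `addresses: []`, but `kong.listen` does not: its `default $defaultAddrs .addresses` treats the empty list as unset and falls back to `0.0.0.0`/`[::]`, so `admin.enabled: false` with `addresses: []` skips the loopback override here and then binds the admin API on all interfaces. Testing truthiness instead — `{{- if (and (not .addresses) (not .enabled)) -}}` — makes the two helpers agree and keeps the loopback default for every "no addresses given" case. `addresses` is not documented under `admin`, `proxy` or the stream blocks in the values.yaml hunks of this diff; the enclosing definition continues outside the hunk.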
@@ -1222,6 +1232,7 @@ Environment variables are sorted alphabetically imagePullPolicy: {{ .Values.waitImage.pullPolicy }} env: {{- include "kong.no_daemon_env" . | nindent 2 }} + {{- include "kong.envFrom" .Values.envFrom | nindent 2 }} command: [ "bash", "/wait_postgres/wait.sh" ] volumeMounts: - name: {{ template "kong.fullname" . }}-bash-wait-for-postgres @@ -1738,3 +1749,11 @@ extensions/v1beta1 {{- end -}} {{- (toYaml $proxyReadiness) -}} {{- end -}} + +{{- define "kong.envFrom" -}} + {{- if (gt (len .) 0) -}} +envFrom: +{{- toYaml . | nindent 2 -}} + {{- else -}} + {{- end -}} +{{- end -}} diff --git a/charts/kong/kong/templates/deployment.yaml b/charts/kong/kong/templates/deployment.yaml index 28f9b0680..70da44590 100644 --- a/charts/kong/kong/templates/deployment.yaml +++ b/charts/kong/kong/templates/deployment.yaml @@ -101,6 +101,7 @@ spec: - "$KONG_PREFIX/pids" env: {{- include "kong.env" . | nindent 8 }} + {{- include "kong.envFrom" .Values.envFrom | nindent 8 }} volumeMounts: {{- include "kong.volumeMounts" . | nindent 8 }} {{- if .Values.deployment.initContainers }} diff --git a/charts/kong/kong/templates/migrations-post-upgrade.yaml b/charts/kong/kong/templates/migrations-post-upgrade.yaml index 3fe759ba2..73225392c 100644 --- a/charts/kong/kong/templates/migrations-post-upgrade.yaml +++ b/charts/kong/kong/templates/migrations-post-upgrade.yaml @@ -68,6 +68,7 @@ spec: {{ toYaml .Values.containerSecurityContext | nindent 10 }} env: {{- include "kong.no_daemon_env" . | nindent 8 }} + {{- include "kong.envFrom" .Values.envFrom | nindent 8 }} args: [ "kong", "migrations", "finish" ] volumeMounts: {{- include "kong.volumeMounts" . | nindent 8 }} diff --git a/charts/kong/kong/templates/migrations-pre-upgrade.yaml b/charts/kong/kong/templates/migrations-pre-upgrade.yaml index 2f57eae8d..9efb8baea 100644 --- a/charts/kong/kong/templates/migrations-pre-upgrade.yaml +++ b/charts/kong/kong/templates/migrations-pre-upgrade.yaml 
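Review bot: `{{- if (gt (len .) 0) -}}` in the new `kong.envFrom` helper is not nil-safe: when a caller passes a nil value — for instance a user values file that sets `envFrom: null`, which removes the key from the merged values — `len` of nil errors and rendering aborts, as far as I can tell from Go's template `len`. `{{- with . -}}` … `{{- end -}}` covers both the nil and the empty-list case and lets the empty `{{- else -}}` branch go, which currently does nothing. The helper is also the only definition in these hunks without a leading `{{/* ... */}}` header; something like `{{/* Render an envFrom: block for the given list of envFrom sources; emits nothing when the list is empty */}}` would match the surrounding helpers. The deployment and migration templates in the following hunks only call this helper, so nothing changes at those call sites.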
@@ -70,6 +70,7 @@ spec: {{ toYaml .Values.containerSecurityContext | nindent 10 }} env: {{- include "kong.no_daemon_env" . | nindent 8 }} + {{- include "kong.envFrom" .Values.envFrom | nindent 8 }} args: [ "kong", "migrations", "up" ] volumeMounts: {{- include "kong.volumeMounts" . | nindent 8 }} diff --git a/charts/kong/kong/templates/migrations.yaml b/charts/kong/kong/templates/migrations.yaml index 8faf5e913..e1a85fb90 100644 --- a/charts/kong/kong/templates/migrations.yaml +++ b/charts/kong/kong/templates/migrations.yaml @@ -78,6 +78,7 @@ spec: {{ toYaml .Values.containerSecurityContext | nindent 10 }} env: {{- include "kong.no_daemon_env" . | nindent 8 }} + {{- include "kong.envFrom" .Values.envFrom | nindent 8 }} args: [ "kong", "migrations", "bootstrap" ] volumeMounts: {{- include "kong.volumeMounts" . | nindent 8 }} diff --git a/charts/kong/kong/values.yaml b/charts/kong/kong/values.yaml index 340fa1135..1d0f8c0d5 100644 --- a/charts/kong/kong/values.yaml +++ b/charts/kong/kong/values.yaml @@ -120,6 +120,10 @@ env: # name: api_key # client_name: testClient +# Load all ConfigMap or Secret keys as environment variables: +# https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables +envFrom: [] + # This section can be used to configure some extra labels that will be added to each Kubernetes object generated. extraLabels: {} @@ -565,6 +569,10 @@ ingressController: # customEnv: # TZ: "Europe/Berlin" + # Load all ConfigMap or Secret keys as environment variables: + # https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables + envFrom: [] + admissionWebhook: enabled: true failurePolicy: Ignore diff --git a/charts/linkerd/linkerd-control-plane/Chart.yaml b/charts/linkerd/linkerd-control-plane/Chart.yaml index 9e94968be..4d7047f0e 100644 
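Review bot: The new `envFrom` comment in values.yaml says what the field does but not where it lands or how it interacts with `env`: the templates in this change add it to the deployment, all three migration jobs and the wait-for-postgres init container, so a referenced Secret is exposed as plain environment variables in every one of those pods, readable by anyone who can exec into them. I would extend the comment to `# Applied to the Kong deployment, the migrations jobs and the wait-for-postgres init container. Keys from a Secret become plain environment variables in each of those containers; entries under env above take precedence over envFrom keys of the same name.` The separate `ingressController.envFrom` added further down would benefit from the same note, scoped to the controller container.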
--- a/charts/linkerd/linkerd-control-plane/Chart.yaml +++ b/charts/linkerd/linkerd-control-plane/Chart.yaml @@ -5,7 +5,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 -appVersion: stable-2.14.8 +appVersion: stable-2.14.9 dependencies: - name: partials repository: file://./charts/partials @@ -25,4 +25,4 @@ name: linkerd-control-plane sources: - https://github.com/linkerd/linkerd2/ type: application -version: 1.16.9 +version: 1.16.10 diff --git a/charts/linkerd/linkerd-control-plane/README.md b/charts/linkerd/linkerd-control-plane/README.md index 8658a5417..d46fc2aef 100644 --- a/charts/linkerd/linkerd-control-plane/README.md +++ b/charts/linkerd/linkerd-control-plane/README.md @@ -3,7 +3,7 @@ Linkerd gives you observability, reliability, and security for your microservices — with no code change required. -![Version: 1.16.9](https://img.shields.io/badge/Version-1.16.9-informational?style=flat-square) +![Version: 1.16.10](https://img.shields.io/badge/Version-1.16.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) diff --git a/charts/linkerd/linkerd-control-plane/values.yaml b/charts/linkerd/linkerd-control-plane/values.yaml index 8f0279f2a..cc6869fe9 100644 --- a/charts/linkerd/linkerd-control-plane/values.yaml +++ b/charts/linkerd/linkerd-control-plane/values.yaml @@ -22,7 +22,7 @@ controlPlaneTracing: false # -- namespace to send control plane traces to controlPlaneTracingNamespace: linkerd-jaeger # -- control plane version. See Proxy section for proxy version -linkerdVersion: stable-2.14.8 +linkerdVersion: stable-2.14.9 # -- default kubernetes deployment strategy deploymentStrategy: rollingUpdate: 
diff --git a/charts/nats/nats/Chart.yaml b/charts/nats/nats/Chart.yaml index 31ace7003..51be34d73 100644 --- a/charts/nats/nats/Chart.yaml +++ b/charts/nats/nats/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.16-0' catalog.cattle.io/release-name: nats apiVersion: v2 -appVersion: 2.10.7 +appVersion: 2.10.9 description: A Helm chart for the NATS.io High Speed Cloud Native Distributed Communications Technology. home: http://github.com/nats-io/k8s @@ -18,4 +18,4 @@ maintainers: name: The NATS Authors url: https://github.com/nats-io name: nats -version: 1.1.6 +version: 1.1.7 diff --git a/charts/nats/nats/values.yaml b/charts/nats/nats/values.yaml index 6acf13ce3..38f8d239a 100644 --- a/charts/nats/nats/values.yaml +++ b/charts/nats/nats/values.yaml @@ -312,7 +312,7 @@ config: container: image: repository: nats - tag: 2.10.7-alpine + tag: 2.10.9-alpine pullPolicy: registry: @@ -353,7 +353,7 @@ reloader: enabled: true image: repository: natsio/nats-server-config-reloader - tag: 0.14.0 + tag: 0.14.1 pullPolicy: registry: diff --git a/charts/new-relic/nri-bundle/Chart.lock b/charts/new-relic/nri-bundle/Chart.lock index b5450d38b..960b2b3e2 100644 --- a/charts/new-relic/nri-bundle/Chart.lock +++ b/charts/new-relic/nri-bundle/Chart.lock 
@@ -1,25 +1,25 @@ dependencies: - name: newrelic-infrastructure repository: https://newrelic.github.io/nri-kubernetes - version: 3.29.0 + version: 3.29.1 - name: nri-prometheus repository: https://newrelic.github.io/nri-prometheus version: 2.1.17 - name: newrelic-prometheus-agent repository: https://newrelic.github.io/newrelic-prometheus-configurator - version: 1.8.2 + version: 1.9.1 - name: nri-metadata-injection repository: https://newrelic.github.io/k8s-metadata-injection - version: 4.15.2 + version: 4.16.1 - name: newrelic-k8s-metrics-adapter repository: https://newrelic.github.io/newrelic-k8s-metrics-adapter - version: 1.8.1 + version: 1.8.2 - name: kube-state-metrics repository: https://prometheus-community.github.io/helm-charts version: 5.12.1 - name: nri-kube-events repository: https://newrelic.github.io/nri-kube-events - version: 3.7.2 + version: 3.7.3 - name: newrelic-logging repository: https://newrelic.github.io/helm-charts version: 1.19.0 @@ -31,6 +31,6 @@ dependencies: version: 0.1.4 - name: newrelic-infra-operator repository: https://newrelic.github.io/newrelic-infra-operator - version: 2.8.1 -digest: sha256:5058130538bb4a1b59fade32a9ef10431cfd33d84b96655a759b3617cdcf5605 -generated: "2024-01-09T02:11:05.964634023Z" + version: 2.8.2 +digest: sha256:1ddcf0402fed4aac1b4269379376b8a8d7d4c0a87c17fd8491b1a8d87e811629 +generated: "2024-01-22T23:54:08.952326043Z" diff --git a/charts/new-relic/nri-bundle/Chart.yaml b/charts/new-relic/nri-bundle/Chart.yaml index 6b0c9d15d..d635ef579 100644 --- a/charts/new-relic/nri-bundle/Chart.yaml +++ b/charts/new-relic/nri-bundle/Chart.yaml @@ -7,7 +7,7 @@ dependencies: - condition: infrastructure.enabled,newrelic-infrastructure.enabled name: newrelic-infrastructure repository: file://./charts/newrelic-infrastructure - version: 3.29.0 + version: 3.29.1 - condition: prometheus.enabled,nri-prometheus.enabled name: nri-prometheus repository: file://./charts/nri-prometheus 
@@ -15,15 +15,15 @@ dependencies: - condition: newrelic-prometheus-agent.enabled name: newrelic-prometheus-agent repository: file://./charts/newrelic-prometheus-agent - version: 1.8.2 + version: 1.9.1 - condition: webhook.enabled,nri-metadata-injection.enabled name: nri-metadata-injection repository: file://./charts/nri-metadata-injection - version: 4.15.2 + version: 4.16.1 - condition: metrics-adapter.enabled,newrelic-k8s-metrics-adapter.enabled name: newrelic-k8s-metrics-adapter repository: file://./charts/newrelic-k8s-metrics-adapter - version: 1.8.1 + version: 1.8.2 - condition: ksm.enabled,kube-state-metrics.enabled name: kube-state-metrics repository: file://./charts/kube-state-metrics @@ -31,7 +31,7 @@ dependencies: - condition: kubeEvents.enabled,nri-kube-events.enabled name: nri-kube-events repository: file://./charts/nri-kube-events - version: 3.7.2 + version: 3.7.3 - condition: logging.enabled,newrelic-logging.enabled name: newrelic-logging repository: file://./charts/newrelic-logging @@ -48,7 +48,7 @@ dependencies: - condition: newrelic-infra-operator.enabled name: newrelic-infra-operator repository: file://./charts/newrelic-infra-operator - version: 2.8.1 + version: 2.8.2 description: Groups together the individual charts for the New Relic Kubernetes solution for a more comfortable deployment. home: https://github.com/newrelic/helm-charts @@ -75,4 +75,4 @@ sources: - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-logging - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-pixie - https://github.com/newrelic/newrelic-infra-operator/tree/master/charts/newrelic-infra-operator -version: 5.0.58 +version: 5.0.60 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml index f6e9791b0..c71d2f263 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml 
+++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.16.1 +appVersion: 0.16.2 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -32,4 +32,4 @@ name: newrelic-infra-operator sources: - https://github.com/newrelic/newrelic-infra-operator - https://github.com/newrelic/newrelic-infra-operator/tree/main/charts/newrelic-infra-operator -version: 2.8.1 +version: 2.8.2 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml index 8d3168039..1ea9210ae 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 3.24.0 +appVersion: 3.24.1 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -35,4 +35,4 @@ sources: - https://github.com/newrelic/nri-kubernetes/ - https://github.com/newrelic/nri-kubernetes/tree/main/charts/newrelic-infrastructure - https://github.com/newrelic/infrastructure-agent/ -version: 3.29.0 +version: 3.29.1 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml index 2812972c9..a557b5bb9 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.10.1 +appVersion: 0.10.2 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -20,4 +20,4 @@ name: newrelic-k8s-metrics-adapter sources: - https://github.com/newrelic/newrelic-k8s-metrics-adapter - https://github.com/newrelic/newrelic-k8s-metrics-adapter/tree/main/charts/newrelic-k8s-metrics-adapter -version: 1.8.1 +version: 1.8.2 
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml index 834d7e510..5303ba6b5 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml @@ -1,5 +1,5 @@ annotations: - configuratorVersion: 1.11.3 + configuratorVersion: 1.12.1 apiVersion: v2 appVersion: v2.37.8 dependencies: @@ -31,4 +31,4 @@ maintainers: url: https://github.com/xqi-nr name: newrelic-prometheus-agent type: application -version: 1.8.2 +version: 1.9.1 diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml b/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml index 18e0aa62a..07a955dbc 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 2.7.2 +appVersion: 2.7.3 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -35,4 +35,4 @@ sources: - https://github.com/newrelic/nri-kube-events/ - https://github.com/newrelic/nri-kube-events/tree/main/charts/nri-kube-events - https://github.com/newrelic/infrastructure-agent/ -version: 3.7.2 +version: 3.7.3 diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md b/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md index 6c45fc85d..74d7322a8 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md 
@@ -1,6 +1,6 @@ # nri-kube-events -![Version: 3.7.2](https://img.shields.io/badge/Version-3.7.2-informational?style=flat-square) ![AppVersion: 2.7.2](https://img.shields.io/badge/AppVersion-2.7.2-informational?style=flat-square) +![Version: 3.7.3](https://img.shields.io/badge/Version-3.7.3-informational?style=flat-square) ![AppVersion: 2.7.3](https://img.shields.io/badge/AppVersion-2.7.3-informational?style=flat-square) A Helm chart to deploy the New Relic Kube Events router diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/values.yaml b/charts/new-relic/nri-bundle/charts/nri-kube-events/values.yaml index f6b4c7863..b3921c488 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/values.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/values.yaml @@ -27,7 +27,7 @@ images: agent: registry: repository: newrelic/k8s-events-forwarder - tag: 1.48.1 + tag: 1.48.3 pullPolicy: IfNotPresent # -- The secrets that are needed to pull images from a custom registry. pullSecrets: [] diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml index f7dd2a642..ba7395cd9 100644 --- a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.23.2 +appVersion: 1.24.1 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -22,4 +22,4 @@ name: nri-metadata-injection sources: - https://github.com/newrelic/k8s-metadata-injection - https://github.com/newrelic/k8s-metadata-injection/tree/master/charts/nri-metadata-injection -version: 4.15.2 +version: 4.16.1 diff --git a/charts/redpanda/redpanda/Chart.lock b/charts/redpanda/redpanda/Chart.lock index cae70a288..fe0f09054 100644 --- a/charts/redpanda/redpanda/Chart.lock +++ b/charts/redpanda/redpanda/Chart.lock 
@@ -1,9 +1,9 @@ dependencies: - name: console repository: https://charts.redpanda.com - version: 0.7.15 + version: 0.7.16 - name: connectors repository: https://charts.redpanda.com version: 0.1.9 -digest: sha256:d9d9bb5d4dec4343bd82050f4ef32270fa99a453ab8567728e63f0862128fe54 -generated: "2024-01-12T13:44:28.692012451Z" +digest: sha256:977004c9b9eb8cb886229bf385619e90b137562b67ebefde04b9791ebbff88fb +generated: "2024-01-23T12:05:10.35618748Z" diff --git a/charts/redpanda/redpanda/Chart.yaml b/charts/redpanda/redpanda/Chart.yaml index 17f487251..2a859128a 100644 --- a/charts/redpanda/redpanda/Chart.yaml +++ b/charts/redpanda/redpanda/Chart.yaml @@ -37,4 +37,4 @@ name: redpanda sources: - https://github.com/redpanda-data/helm-charts type: application -version: 5.7.7 +version: 5.7.10 diff --git a/charts/redpanda/redpanda/README.md b/charts/redpanda/redpanda/README.md index f6c939e30..257aee0af 100644 --- a/charts/redpanda/redpanda/README.md +++ b/charts/redpanda/redpanda/README.md 
@@ -3,7 +3,7 @@ description: Find the default values and descriptions of settings in the Redpanda Helm chart. --- -![Version: 5.7.4](https://img.shields.io/badge/Version-5.7.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v23.3.1](https://img.shields.io/badge/AppVersion-v23.3.1-informational?style=flat-square) +![Version: 5.7.8](https://img.shields.io/badge/Version-5.7.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v23.3.1](https://img.shields.io/badge/AppVersion-v23.3.1-informational?style=flat-square) This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/values.yaml). Each of the settings is listed and described on this page, along with any default values. @@ -40,7 +40,7 @@ Audit logging for a redpanda cluster, must have enabled sasl and have one kafka **Default:** ``` -{"clientMaxBufferSize":16777216,"enabled":false,"enabledEventTypes":null,"excludedPrincipals":null,"excludedTopics":null,"listener":"internal","partitions":12,"queueDrainIntervalMs":500,"queueMaxBufferSizePerShard":1048576} +{"clientMaxBufferSize":16777216,"enabled":false,"enabledEventTypes":null,"excludedPrincipals":null,"excludedTopics":null,"listener":"internal","partitions":12,"queueDrainIntervalMs":500,"queueMaxBufferSizePerShard":1048576,"replicationFactor":null} ``` ### [auditLogging.clientMaxBufferSize](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.clientMaxBufferSize) 
@@ -97,6 +97,12 @@ Defines the maximum amount of memory used (in bytes) by the audit buffer in each **Default:** `1048576` +### [auditLogging.replicationFactor](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.replicationFactor) + +Defines the replication factor for a newly created audit log topic. This configuration applies only to the audit log topic and may be different from the cluster or other topic configurations. This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided, Redpanda will use the internal_topic_replication_factor cluster config value. Default is null + +**Default:** `nil` + ### [auth](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth) Authentication settings. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). @@ -345,7 +351,7 @@ The Redpanda version. See DockerHub for: [All stable versions](https://hub.docke ### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=imagePullSecrets) -Pull secrets may be used to provide credentials to image repositories See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +Pull secrets may be used to provide credentials to image repositories See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). **Default:** `[]` 
@@ -960,7 +966,7 @@ Persistence settings. For details, see the [storage documentation](https://docs. **Default:** ``` -{"hostPath":"","persistentVolume":{"annotations":{},"enabled":true,"labels":{},"size":"20Gi","storageClass":""},"tiered":{"config":{"cloud_storage_access_key":"","cloud_storage_api_endpoint":"","cloud_storage_azure_container":null,"cloud_storage_azure_shared_key":null,"cloud_storage_azure_storage_account":null,"cloud_storage_bucket":"","cloud_storage_cache_size":5368709120,"cloud_storage_credentials_source":"config_file","cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false,"cloud_storage_region":"","cloud_storage_secret_key":""},"hostPath":"","mountType":"emptyDir","persistentVolume":{"annotations":{},"labels":{},"storageClass":""}}} +{"hostPath":"","persistentVolume":{"annotations":{},"enabled":true,"labels":{},"size":"20Gi","storageClass":""},"tiered":{"config":{"cloud_storage_access_key":"","cloud_storage_api_endpoint":"","cloud_storage_azure_container":null,"cloud_storage_azure_shared_key":null,"cloud_storage_azure_storage_account":null,"cloud_storage_bucket":"","cloud_storage_cache_size":5368709120,"cloud_storage_credentials_source":"config_file","cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false,"cloud_storage_region":"","cloud_storage_secret_key":""},"credentialsSecretRef":{},"hostPath":"","mountType":"emptyDir","persistentVolume":{"annotations":{},"labels":{},"storageClass":""}}} ``` ### [storage.hostPath](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.hostPath) diff --git a/charts/redpanda/redpanda/charts/console/Chart.yaml b/charts/redpanda/redpanda/charts/console/Chart.yaml index c88d0a0fd..1d4cd0a37 100644 --- a/charts/redpanda/redpanda/charts/console/Chart.yaml +++ b/charts/redpanda/redpanda/charts/console/Chart.yaml 
@@ -1,7 +1,7 @@ annotations: artifacthub.io/images: | - name: redpanda - image: docker.redpanda.com/redpandadata/console:v2.3.8 + image: docker.redpanda.com/redpandadata/console:v2.3.9 artifacthub.io/license: Apache-2.0 artifacthub.io/links: | - name: Documentation @@ -9,7 +9,7 @@ annotations: - name: "Helm (>= 3.6.0)" url: https://helm.sh/docs/intro/install/ apiVersion: v2 -appVersion: v2.3.8 +appVersion: v2.3.9 description: Helm chart to deploy Redpanda Console. icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg maintainers: @@ -19,4 +19,4 @@ name: console sources: - https://github.com/redpanda-data/helm-charts type: application -version: 0.7.15 +version: 0.7.16 diff --git a/charts/redpanda/redpanda/charts/console/README.md b/charts/redpanda/redpanda/charts/console/README.md index f5b7b34b8..2d00c5371 100644 --- a/charts/redpanda/redpanda/charts/console/README.md +++ b/charts/redpanda/redpanda/charts/console/README.md 
@@ -3,14 +3,17 @@ description: Find the default values and descriptions of settings in the Redpanda Console Helm chart. --- -![Version: 0.7.6](https://img.shields.io/badge/Version-0.7.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.3.5](https://img.shields.io/badge/AppVersion-v2.3.5-informational?style=flat-square) +![Version: 0.7.15](https://img.shields.io/badge/Version-0.7.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.3.8](https://img.shields.io/badge/AppVersion-v2.3.8-informational?style=flat-square) -This page describes the official Redpanda Console Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/console/values.yaml). Each of the settings is listed and described on this page, along with any default values. +This page describes the official Redpanda Console Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/console/values.yaml). +Each of the settings is listed and described on this page, along with any default values. -For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/). +The Redpanda Console Helm chart is included as a subchart in the Redpanda Helm chart so that you can deploy and configure Redpanda and Redpanda Console together. +For instructions on how to install and use the chart, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/). 
+For instructions on how to override and customize the chart’s values, see [Configure Redpanda Console](https://docs.redpanda.com/docs/manage/kubernetes/configure-helm-chart/#configure-redpanda-console). ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) +Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3) ## Source Code @@ -44,6 +47,10 @@ Annotations to add to the deployment. **Default:** `80` +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=commonLabels) + +**Default:** `{}` + ### [configmap.create](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=configmap.create) **Default:** `true` @@ -312,6 +319,10 @@ The name of the service account to use. If not set and `serviceAccount.create` i **Default:** `""` +### [strategy](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=strategy) + +**Default:** `{}` + ### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tolerations) **Default:** `[]` @@ -319,3 +330,4 @@ The name of the service account to use. If not set and `serviceAccount.create` i ### [topologySpreadConstraints](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=topologySpreadConstraints) **Default:** `{}` + diff --git a/charts/redpanda/redpanda/templates/console/configmap-and-deployment.yaml b/charts/redpanda/redpanda/templates/console/configmap-and-deployment.yaml index ca3a817d0..cee5a1386 100644 --- a/charts/redpanda/redpanda/templates/console/configmap-and-deployment.yaml +++ b/charts/redpanda/redpanda/templates/console/configmap-and-deployment.yaml 
@@ -285,6 +285,7 @@ limitations under the License. "extraEnv" $extraEnv "secret" $secretConfig "enterprise" $enterprise + "image" $values.console.image )}} {{ if not (empty $command) }} diff --git a/charts/redpanda/redpanda/values.yaml b/charts/redpanda/redpanda/values.yaml index 7ac8d1429..df9925078 100644 --- a/charts/redpanda/redpanda/values.yaml +++ b/charts/redpanda/redpanda/values.yaml @@ -75,7 +75,7 @@ image: # "external-dns.alpha.kubernetes.io/endpoints-type": HostIP # -- Pull secrets may be used to provide credentials to image repositories -# See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +# See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). imagePullSecrets: [] # -- DEPRECATED Enterprise license key (optional). 
@@ -470,40 +470,49 @@ storage: # -- Global flag that enables Tiered Storage if a license key is provided. # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_enabled). cloud_storage_enabled: false - # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#cloud_storage_enable_remote_write). + # -- Cluster level default remote write configuration for new topics. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#cloud_storage_enable_remote_write). cloud_storage_enable_remote_write: true - # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#cloud_storage_enable_remote_read). + # -- Cluster level default remote read configuration for new topics. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#cloud_storage_enable_remote_read). cloud_storage_enable_remote_read: true - - # -- Required for AWS and GCS. + # -- AWS or GCP region for where the bucket used for Tiered Storage is located (required for AWS and GCS). # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_region). cloud_storage_region: "" - # -- Required for AWS and GCS. + # -- AWS or GCP bucket name used for Tiered Storage (required for AWS and GCS). # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_bucket). cloud_storage_bucket: "" - # -- Required for AWS and GCS authentication with access keys. + # -- AWS or GCP access key (required for AWS and GCS authentication with access keys). # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_access_key). 
cloud_storage_access_key: "" - # -- Required for AWS and GCS authentication with access keys. + # -- AWS or GCP secret key (required for AWS and GCS authentication with access keys). # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_secret_key). cloud_storage_secret_key: "" - # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_api_endpoint). + # -- AWS or GCP API endpoint. + # - For AWS, this can be left blank as it is generated automatically using the bucket and region (e.g. ".s3..amazonaws.com") + # - For GCS, use "storage.googleapis.com" + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_api_endpoint). cloud_storage_api_endpoint: "" - # -- Required for ABS. + # -- Name of the Azure container to use with Tiered Storage (required for ABS/ADLS). + # Note that the container must belong to the account specified by `cloud_storage_azure_storage_account`. # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_container). cloud_storage_azure_container: null - # -- Required for ABS. + # -- Name of the Azure storage account to use with Tiered Storage (required for ABS/ADLS). # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_storage_account). cloud_storage_azure_storage_account: null - # -- Required for ABS. + # -- Shared key to be used for Azure Shared Key authentication with the Azure storage account specified by `cloud_storage_azure_storage_account`. + # Note that the key should be base64 encoded. # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_shared_key). 
cloud_storage_azure_shared_key: null - # -- Required for ABS hierarchical namespace - # Available starting from 23.2.8 + # -- Azure ADLS endpoint and port (required for ABS hierarchical namespaces). + # Available starting from 23.2.8. # cloud_storage_azure_adls_endpoint: "" # cloud_storage_azure_adls_port: "" - # Available starting from 22.3.X - # -- Required for AWS and GCS authentication with IAM roles. + # -- Source of credentials used to connect to cloud services (required for AWS and GCS authentication with IAM roles). + # - config_file + # - aws_instance_metadata + # - sts + # - gcp_instance_metadata # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_credentials_source). cloud_storage_credentials_source: config_file diff --git a/charts/speedscale/speedscale-operator/Chart.yaml b/charts/speedscale/speedscale-operator/Chart.yaml index c14efa197..e423989a5 100644 --- a/charts/speedscale/speedscale-operator/Chart.yaml +++ b/charts/speedscale/speedscale-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/release-name: speedscale-operator apiVersion: v1 -appVersion: 2.0.4 +appVersion: 2.0.41 description: Stress test your APIs with real world scenarios. Collect and replay traffic without scripting. home: https://speedscale.com @@ -24,4 +24,4 @@ maintainers: - email: support@speedscale.com name: Speedscale Support name: speedscale-operator -version: 2.0.2 +version: 2.0.5 diff --git a/charts/speedscale/speedscale-operator/README.md b/charts/speedscale/speedscale-operator/README.md index 5dd1e4d52..8844cd461 100644 --- a/charts/speedscale/speedscale-operator/README.md +++ b/charts/speedscale/speedscale-operator/README.md 
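Review bot: The expanded comments on `cloud_storage_access_key`, `cloud_storage_secret_key` and `cloud_storage_azure_shared_key` now explain each value in detail but still present putting long-lived cloud credentials straight into values.yaml as the normal path, where they end up in the Helm release Secret and any rendered config, while the README hunk in this same change lists a `storage.tiered.credentialsSecretRef` setting that exists precisely to avoid that. Each of those three comments should point there, e.g. `# Prefer storage.tiered.credentialsSecretRef to source this from an existing Secret instead of setting it here.` (I cannot see from this diff how `credentialsSecretRef` is wired into the templates, so confirm it covers all three keys). The `cloud_storage_api_endpoint` example `".s3..amazonaws.com"` has lost its placeholders, presumably `<bucket>.s3.<region>.amazonaws.com` eaten as markup; spell them out in words so the rendered docs are not misleading. The `cloud_storage_credentials_source` list could also say that the instance-metadata and `sts` options are preferable to static keys wherever they are available.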
@@ -101,10 +101,10 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. -### Upgrade to 2.0.2 +### Upgrade to 2.0.5 ```bash -kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.0.2/templates/crds/trafficreplays.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.0.5/templates/crds/trafficreplays.yaml ``` ### Upgrade to 1.1.0 diff --git a/charts/speedscale/speedscale-operator/app-readme.md b/charts/speedscale/speedscale-operator/app-readme.md index 5dd1e4d52..8844cd461 100644 --- a/charts/speedscale/speedscale-operator/app-readme.md +++ b/charts/speedscale/speedscale-operator/app-readme.md @@ -101,10 +101,10 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. -### Upgrade to 2.0.2 +### Upgrade to 2.0.5 ```bash -kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.0.2/templates/crds/trafficreplays.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.0.5/templates/crds/trafficreplays.yaml ``` ### Upgrade to 1.1.0 diff --git a/charts/speedscale/speedscale-operator/templates/crds/trafficreplays.yaml b/charts/speedscale/speedscale-operator/templates/crds/trafficreplays.yaml index 05525696a..fabaeef7e 100644 --- a/charts/speedscale/speedscale-operator/templates/crds/trafficreplays.yaml +++ b/charts/speedscale/speedscale-operator/templates/crds/trafficreplays.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 creationTimestamp: null name: trafficreplays.speedscale.com spec: @@ -116,6 +116,10 @@ spec: description: Inject enables or disables sidecar injection during the replay. Defaults to false. type: boolean + patch: + description: Patch is .yaml file patch for the Workload + format: byte + type: string tls: properties: in: @@ -242,6 +246,10 @@ spec: description: Inject enables or disables sidecar injection during the replay. Defaults to false. type: boolean + patch: + description: Patch is .yaml file patch for the Workload + format: byte + type: string tls: properties: in: @@ -405,5 +413,5 @@ status: acceptedNames: kind: "" plural: "" - conditions: null - storedVersions: null + conditions: [] + storedVersions: [] diff --git a/charts/speedscale/speedscale-operator/templates/hooks.yaml b/charts/speedscale/speedscale-operator/templates/hooks.yaml index f25f4899d..3e8231f19 100644 --- a/charts/speedscale/speedscale-operator/templates/hooks.yaml +++ b/charts/speedscale/speedscale-operator/templates/hooks.yaml @@ -47,6 +47,9 @@ spec: speedctl init --overwrite --no-rcfile-update \ --api-key $SPEEDSCALE_API_KEY \ --app-url $SPEEDSCALE_APP_URL + + # in case we're in istio + curl -X POST http://127.0.0.1:15000/quitquitquit || true command: - sh - -c diff --git a/charts/speedscale/speedscale-operator/templates/tls.yaml b/charts/speedscale/speedscale-operator/templates/tls.yaml index 21db082cd..aecc76beb 100644 --- a/charts/speedscale/speedscale-operator/templates/tls.yaml +++ b/charts/speedscale/speedscale-operator/templates/tls.yaml 
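Review bot: The new `patch` property (added identically in the hunks at -116 and -242) is declared `format: byte`, which in OpenAPI means a base64-encoded value, but its description does not say so, nor what kind of patch (strategic merge, JSON patch, full overlay) the controller applies to the Workload, so someone authoring a TrafficReplay from the CRD alone cannot tell what to put there. Suggest `description: Patch is a base64-encoded YAML patch applied to the replay Workload manifest`, extended with the patch semantics once confirmed against the controller, which is outside this diff. Because the value ends up modifying a Workload, stating which fields it is allowed to change would also help anyone reviewing what creating a TrafficReplay lets a user do.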
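Review bot: The added `curl -X POST http://127.0.0.1:15000/quitquitquit || true` (the same lines are added to templates/tls.yaml at @@ -69) only runs if the script reaches the end of the command list; if the script is run with `set -e` or a failing `speedctl init` is otherwise fatal (the script's start is outside the hunk), the sidecar is never told to quit and the hook Job pod stays Running with Envoy alive, which is the situation the addition is meant to avoid. Issuing it from an exit trap covers every path, e.g. `trap 'curl -sS -X POST http://127.0.0.1:15000/quitquitquit || true' EXIT` at the top of the script. The comment `# in case we're in istio` would read better as `# An injected Istio/Envoy sidecar keeps the Job pod alive; ask it to exit so the hook can complete`. The request goes to the Envoy admin port on loopback only, so as far as this hunk shows nothing is exposed outside the pod.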
@@ -69,6 +69,9 @@ spec: keytool -importcert -noprompt -cacerts -storepass changeit -alias speedscale -file /etc/ssl/speedscale/tls.crt kubectl -n ${POD_NAMESPACE} delete secret speedscale-jks || true kubectl -n ${POD_NAMESPACE} create secret generic speedscale-jks --from-file=cacerts.jks=${JAVA_HOME}/lib/security/cacerts + + # in case we're in istio + curl -X POST http://127.0.0.1:15000/quitquitquit || true command: - sh - -c diff --git a/charts/speedscale/speedscale-operator/values.yaml b/charts/speedscale/speedscale-operator/values.yaml index 8c08b8dbc..04635ba60 100644 --- a/charts/speedscale/speedscale-operator/values.yaml +++ b/charts/speedscale/speedscale-operator/values.yaml @@ -20,7 +20,7 @@ clusterName: "my-cluster" # Speedscale components image settings. image: registry: gcr.io/speedscale - tag: v2.0.4 + tag: v2.0.41 pullPolicy: Always # Log level for Speedscale components. diff --git a/charts/stackstate/stackstate-k8s-agent/Chart.yaml b/charts/stackstate/stackstate-k8s-agent/Chart.yaml index 7919ca68a..a59a80a60 100644 --- a/charts/stackstate/stackstate-k8s-agent/Chart.yaml +++ b/charts/stackstate/stackstate-k8s-agent/Chart.yaml @@ -21,4 +21,4 @@ maintainers: - email: ops@stackstate.com name: Stackstate name: stackstate-k8s-agent -version: 1.0.66 +version: 1.0.67 diff --git a/charts/stackstate/stackstate-k8s-agent/README.md b/charts/stackstate/stackstate-k8s-agent/README.md index 35d62b47b..f27cd87ab 100644 --- a/charts/stackstate/stackstate-k8s-agent/README.md +++ b/charts/stackstate/stackstate-k8s-agent/README.md @@ -2,7 +2,7 @@ Helm chart for the StackState Agent. -Current chart version is `1.0.66` +Current chart version is `1.0.67` **Homepage:** 
@@ -61,7 +61,7 @@ stackstate/stackstate-k8s-agent
 | checksAgent.enabled | bool | `true` | Enable / disable runnning cluster checks in a separately deployed pod |
 | checksAgent.image.pullPolicy | string | `"IfNotPresent"` | Default container image pull policy. |
 | checksAgent.image.repository | string | `"stackstate/stackstate-k8s-agent"` | Base container image repository. |
-| checksAgent.image.tag | string | `"edf7fca5"` | Default container image tag. |
+| checksAgent.image.tag | string | `"ac39a29d"` | Default container image tag. |
 | checksAgent.livenessProbe.enabled | bool | `true` | Enable use of livenessProbe check. |
 | checksAgent.livenessProbe.failureThreshold | int | `3` | `failureThreshold` for the liveness probe. |
 | checksAgent.livenessProbe.initialDelaySeconds | int | `15` | `initialDelaySeconds` for the liveness probe. |
@@ -121,7 +121,7 @@ stackstate/stackstate-k8s-agent
 | clusterAgent.enabled | bool | `true` | Enable / disable the cluster agent. |
 | clusterAgent.image.pullPolicy | string | `"IfNotPresent"` | Default container image pull policy. |
 | clusterAgent.image.repository | string | `"stackstate/stackstate-k8s-cluster-agent"` | Base container image repository. |
-| clusterAgent.image.tag | string | `"edf7fca5"` | Default container image tag. |
+| clusterAgent.image.tag | string | `"ac39a29d"` | Default container image tag. |
 | clusterAgent.livenessProbe.enabled | bool | `true` | Enable use of livenessProbe check. |
 | clusterAgent.livenessProbe.failureThreshold | int | `3` | `failureThreshold` for the liveness probe. |
 | clusterAgent.livenessProbe.initialDelaySeconds | int | `15` | `initialDelaySeconds` for the liveness probe. |
@@ -179,7 +179,7 @@ stackstate/stackstate-k8s-agent | nodeAgent.containers.agent.env | object | `{}` | Additional environment variables for the agent container | | nodeAgent.containers.agent.image.pullPolicy | string | `"IfNotPresent"` | Default container image pull policy. | | nodeAgent.containers.agent.image.repository | string | `"stackstate/stackstate-k8s-agent"` | Base container image repository. | -| nodeAgent.containers.agent.image.tag | string | `"edf7fca5"` | Default container image tag. | +| nodeAgent.containers.agent.image.tag | string | `"ac39a29d"` | Default container image tag. | | nodeAgent.containers.agent.livenessProbe.enabled | bool | `true` | Enable use of livenessProbe check. | | nodeAgent.containers.agent.livenessProbe.failureThreshold | int | `3` | `failureThreshold` for the liveness probe. | | nodeAgent.containers.agent.livenessProbe.initialDelaySeconds | int | `15` | `initialDelaySeconds` for the liveness probe. | diff --git a/charts/stackstate/stackstate-k8s-agent/values.yaml b/charts/stackstate/stackstate-k8s-agent/values.yaml index b2aaaf905..6ea724d5c 100644 --- a/charts/stackstate/stackstate-k8s-agent/values.yaml +++ b/charts/stackstate/stackstate-k8s-agent/values.yaml @@ -99,7 +99,7 @@ nodeAgent: # nodeAgent.containers.agent.image.repository -- Base container image repository. repository: stackstate/stackstate-k8s-agent # nodeAgent.containers.agent.image.tag -- Default container image tag. - tag: "edf7fca5" + tag: "ac39a29d" # nodeAgent.containers.agent.image.pullPolicy -- Default container image pull policy. pullPolicy: IfNotPresent processAgent: @@ -334,7 +334,7 @@ clusterAgent: # clusterAgent.image.repository -- Base container image repository. repository: stackstate/stackstate-k8s-cluster-agent # clusterAgent.image.tag -- Default container image tag. - tag: "edf7fca5" + tag: "ac39a29d" # clusterAgent.image.pullPolicy -- Default container image pull policy. pullPolicy: IfNotPresent 
@@ -486,7 +486,7 @@ checksAgent: # checksAgent.image.repository -- Base container image repository. repository: stackstate/stackstate-k8s-agent # checksAgent.image.tag -- Default container image tag. - tag: "edf7fca5" + tag: "ac39a29d" # checksAgent.image.pullPolicy -- Default container image pull policy. pullPolicy: IfNotPresent diff --git a/charts/trilio/k8s-triliovault-operator/Chart.yaml b/charts/trilio/k8s-triliovault-operator/Chart.yaml index 29c4e55b8..d1283aa41 100644 --- a/charts/trilio/k8s-triliovault-operator/Chart.yaml +++ b/charts/trilio/k8s-triliovault-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.19.0-0' catalog.cattle.io/release-name: k8s-triliovault-operator apiVersion: v2 -appVersion: 4.0.0 +appVersion: 4.0.1 dependencies: - condition: observability.enabled name: observability @@ -21,4 +21,4 @@ maintainers: name: k8s-triliovault-operator sources: - https://github.com/trilioData/k8s-triliovault-operator -version: 4.0.0 +version: 4.0.1 diff --git a/charts/trilio/k8s-triliovault-operator/values.yaml b/charts/trilio/k8s-triliovault-operator/values.yaml index 63e353cc9..7fd49ceab 100644 --- a/charts/trilio/k8s-triliovault-operator/values.yaml +++ b/charts/trilio/k8s-triliovault-operator/values.yaml @@ -4,7 +4,7 @@ operator-webhook-init: repository: operator-webhook-init k8s-triliovault-operator: repository: k8s-triliovault-operator -tag: "4.0.0" +tag: "4.0.1" # create image pull secrets and specify the name here. imagePullSecret: "" priorityClassName: "" @@ -33,6 +33,7 @@ affinity: operator: In values: - amd64 + - ppc64le # Node selection constraints for scheduling Pods of this application. # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector nodeSelector: {} @@ -182,8 +183,8 @@ podLabels: linkerd.io/inject: disabled relatedImages: tags: - tvk: "4.0.0" - event: "4.0.0" + tvk: "4.0.1" + event: "4.0.1" control-plane: image: "control-plane" metamover: 
@@ -224,12 +225,12 @@ relatedImages: image: "control-plane" dex: image: "dex" - tag: "2.30.6" + tag: "2.30.7" minio: image: "control-plane" nats: image: "nats" - tag: "2.8.4" + tag: "2.8.5" service-manager: image: "event-stack" syncer: diff --git a/charts/weka/csi-wekafsplugin/CHANGELOG.md b/charts/weka/csi-wekafsplugin/CHANGELOG.md index 40eb8732d..99002c8d8 100644 --- a/charts/weka/csi-wekafsplugin/CHANGELOG.md +++ b/charts/weka/csi-wekafsplugin/CHANGELOG.md @@ -1,12 +1,4 @@ - - -## What's Changed - -### Bug Fixes -* fix(CSI-170): error not reported when moving directory to trash by @sergeyberezansky in in https://github.com/weka/csi-wekafs/pull/184 - -### Miscellaneous -* chore(deps): update helm/chart-testing-action action to v2.6.1 by @renovate in https://github.com/weka/csi-wekafs/pull/184 -* chore(deps): update helm/chart-releaser-action action to v1.6.0 by @renovate in https://github.com/weka/csi-wekafs/pull/183 - - + + + + diff --git a/charts/weka/csi-wekafsplugin/Chart.yaml b/charts/weka/csi-wekafsplugin/Chart.yaml index 00dcef3c3..98c2c9981 100644 --- a/charts/weka/csi-wekafsplugin/Chart.yaml +++ b/charts/weka/csi-wekafsplugin/Chart.yaml @@ -8,10 +8,9 @@ annotations: url: https://weka.github.io/csi-wekafs/csi-public.gpg catalog.cattle.io/certified: partner catalog.cattle.io/display-name: WekaFS CSI Driver - catalog.cattle.io/kube-version: '>=1.18.0' catalog.cattle.io/release-name: csi-wekafsplugin apiVersion: v2 -appVersion: v2.3.2 +appVersion: v2.3.4 description: Helm chart for Deployment of WekaIO Container Storage Interface (CSI) plugin for WekaFS - the world fastest filesystem home: https://github.com/weka/csi-wekafs @@ -20,13 +19,12 @@ keywords: - storage - filesystem - HPC -kubeVersion: '>=1.18.0' maintainers: - email: csi@weka.io name: WekaIO, Inc. url: https://weka.io name: csi-wekafsplugin sources: -- https://github.com/weka/csi-wekafs/tree/v2.3.2 +- https://github.com/weka/csi-wekafs/tree/v2.3.4 type: application -version: 2.3.2 +version: 2.3.4 
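Review bot: Both `catalog.cattle.io/kube-version: '>=1.18.0'` and `kubeVersion: '>=1.18.0'` are removed from the weka Chart.yaml without a replacement, so Helm will no longer refuse to install the chart on a cluster older than the driver supports, and the README's "Requirements" section disappears with it in the later hunk. A common reason for dropping this field is that `>=1.18.0` rejects pre-release cluster versions such as vendor builds; if that is the case here, `kubeVersion: '>=1.18.0-0'` keeps the guard while admitting them. If no minimum is intended any more, a changelog line saying so would let operators know the check is gone on purpose.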
diff --git a/charts/weka/csi-wekafsplugin/README.md b/charts/weka/csi-wekafsplugin/README.md index 7695ba86a..e73ee2ec3 100644 --- a/charts/weka/csi-wekafsplugin/README.md +++ b/charts/weka/csi-wekafsplugin/README.md @@ -3,7 +3,7 @@ Helm chart for Deployment of WekaIO Container Storage Interface (CSI) plugin for [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/csi-wekafs)](https://artifacthub.io/packages/search?repo=csi-wekafs) -![Version: 2.3.2](https://img.shields.io/badge/Version-2.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.3.2](https://img.shields.io/badge/AppVersion-v2.3.2-informational?style=flat-square) +![Version: 2.3.4](https://img.shields.io/badge/Version-2.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.3.4](https://img.shields.io/badge/AppVersion-v2.3.4-informational?style=flat-square) ## Homepage https://github.com/weka/csi-wekafs 
@@ -46,25 +46,21 @@ helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafs ## Additional Documentation - [Official Weka CSI Plugin documentation](https://docs.weka.io/appendix/weka-csi-plugin) -## Requirements - -Kubernetes: `>=1.18.0` - ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| | dynamicProvisionPath | string | `"csi-volumes"` | Directory in root of file system where dynamic volumes are provisioned | | csiDriverName | string | `"csi.weka.io"` | Name of the driver (and provisioner) | -| csiDriverVersion | string | `"2.3.2"` | CSI driver version | -| images.livenessprobesidecar | string | `"registry.k8s.io/sig-storage/livenessprobe:v2.11.0"` | CSI liveness probe sidecar image URL | -| images.attachersidecar | string | `"registry.k8s.io/sig-storage/csi-attacher:v4.4.1"` | CSI attacher sidecar image URL | -| images.provisionersidecar | string | `"registry.k8s.io/sig-storage/csi-provisioner:v3.6.1"` | CSI provisioner sidecar image URL | -| images.registrarsidecar | string | `"registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0"` | CSI registrar sidercar | -| images.resizersidecar | string | `"registry.k8s.io/sig-storage/csi-resizer:v1.9.1"` | CSI resizer sidecar image URL | -| images.snapshottersidecar | string | `"registry.k8s.io/sig-storage/csi-snapshotter:v6.3.1"` | CSI snapshotter sidecar image URL | +| csiDriverVersion | string | `"2.3.4"` | CSI driver version | +| images.livenessprobesidecar | string | `"registry.k8s.io/sig-storage/livenessprobe:v2.12.0"` | CSI liveness probe sidecar image URL | +| images.attachersidecar | string | `"registry.k8s.io/sig-storage/csi-attacher:v4.5.0"` | CSI attacher sidecar image URL | +| images.provisionersidecar | string | `"registry.k8s.io/sig-storage/csi-provisioner:v4.0.0"` | CSI provisioner sidecar image URL | +| images.registrarsidecar | string | `"registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0"` | CSI registrar sidercar | +| 
images.resizersidecar | string | `"registry.k8s.io/sig-storage/csi-resizer:v1.9.3"` | CSI resizer sidecar image URL | +| images.snapshottersidecar | string | `"registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3"` | CSI snapshotter sidecar image URL | | images.csidriver | string | `"quay.io/weka.io/csi-wekafs"` | CSI driver main image URL | -| images.csidriverTag | string | `"2.3.2"` | CSI driver tag | +| images.csidriverTag | string | `"2.3.4"` | CSI driver tag | | globalPluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for all CSI driver components | | controllerPluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for CSI controller component only (by default same as global) | | nodePluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for CSI node component only (by default same as global) | @@ -102,4 +98,4 @@ Kubernetes: `>=1.18.0` | pluginConfig.mutuallyExclusiveMountOptions[0] | string | `"readcache,writecache,coherent,forcedirect"` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3) +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/weka/csi-wekafsplugin/values.yaml b/charts/weka/csi-wekafsplugin/values.yaml index 174ce8d38..d5181b592 100644 --- a/charts/weka/csi-wekafsplugin/values.yaml +++ b/charts/weka/csi-wekafsplugin/values.yaml 
@@ -5,20 +5,20 @@ dynamicProvisionPath: "csi-volumes" # -- Name of the driver (and provisioner) csiDriverName: "csi.weka.io" # -- CSI driver version -csiDriverVersion: &csiDriverVersion 2.3.2 +csiDriverVersion: &csiDriverVersion 2.3.4 images: # -- CSI liveness probe sidecar image URL - livenessprobesidecar: registry.k8s.io/sig-storage/livenessprobe:v2.11.0 + livenessprobesidecar: registry.k8s.io/sig-storage/livenessprobe:v2.12.0 # -- CSI attacher sidecar image URL - attachersidecar: registry.k8s.io/sig-storage/csi-attacher:v4.4.1 + attachersidecar: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 # -- CSI provisioner sidecar image URL - provisionersidecar: registry.k8s.io/sig-storage/csi-provisioner:v3.6.1 + provisionersidecar: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 # -- CSI registrar sidercar - registrarsidecar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0 + registrarsidecar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 # -- CSI resizer sidecar image URL - resizersidecar: registry.k8s.io/sig-storage/csi-resizer:v1.9.1 + resizersidecar: registry.k8s.io/sig-storage/csi-resizer:v1.9.3 # -- CSI snapshotter sidecar image URL - snapshottersidecar: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.1 + snapshottersidecar: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3 # -- CSI driver main image URL csidriver: quay.io/weka.io/csi-wekafs # -- CSI driver tag diff --git a/charts/yugabyte/yugabyte/.helmignore b/charts/yugabyte/yugabyte/.helmignore deleted file mode 100644 index 3598c3003..000000000 --- a/charts/yugabyte/yugabyte/.helmignore +++ /dev/null @@ -1 +0,0 @@ -tests \ No newline at end of file diff --git a/charts/yugabyte/yugabyte/Chart.yaml b/charts/yugabyte/yugabyte/Chart.yaml index 0e310c77f..2533172a4 100644 --- a/charts/yugabyte/yugabyte/Chart.yaml +++ b/charts/yugabyte/yugabyte/Chart.yaml 
@@ -3,20 +3,18 @@ annotations: catalog.cattle.io/display-name: YugabyteDB catalog.cattle.io/kube-version: '>=1.18-0' catalog.cattle.io/release-name: yugabyte - charts.openshift.io/name: yugabyte -apiVersion: v2 -appVersion: 2.18.5.1-b1 +apiVersion: v1 +appVersion: 2.14.15.0-b57 description: YugabyteDB is the high-performance distributed SQL database for building global, internet-scale apps. home: https://www.yugabyte.com icon: https://avatars0.githubusercontent.com/u/17074854?s=200&v=4 -kubeVersion: '>=1.18-0' maintainers: -- email: sanketh@yugabyte.com - name: Sanketh Indarapu -- email: gjalla@yugabyte.com - name: Govardhan Reddy Jalla +- email: ram@yugabyte.com + name: Ram Sri +- email: arnav@yugabyte.com + name: Arnav Agarwal name: yugabyte sources: - https://github.com/yugabyte/yugabyte-db -version: 2.18.5 +version: 2.14.15 diff --git a/charts/yugabyte/yugabyte/app-readme.md b/charts/yugabyte/yugabyte/app-readme.md index b8f79ad28..6cdeb3fb3 100644 --- a/charts/yugabyte/yugabyte/app-readme.md +++ b/charts/yugabyte/yugabyte/app-readme.md @@ -1 +1 @@ -This chart bootstraps an RF3 YugabyteDB version 2.18.5.1-b1 cluster using the Helm Package Manager. +This chart bootstraps an RF3 Yugabyte DB version 2.14.15.0-b57 cluster using the Helm Package Manager. diff --git a/charts/yugabyte/yugabyte/generate_kubeconfig.py b/charts/yugabyte/yugabyte/generate_kubeconfig.py index f4c2d14ab..b974c0f2d 100644 --- a/charts/yugabyte/yugabyte/generate_kubeconfig.py +++ b/charts/yugabyte/yugabyte/generate_kubeconfig.py 
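Review bot: `version` moves backwards from 2.18.5 to 2.14.15, `appVersion` from 2.18.5.1-b1 to 2.14.15.0-b57 and `apiVersion` from v2 to v1, so this hunk reads as a revert to an older chart rather than a new release; if that is intended the commit should say so, because a lower `version` sorts below the already-published 2.18.5 in the repository index and `helm upgrade` users will not be offered it. `apiVersion: v1` also drops Chart.yaml support for the `dependencies` and `type` keys, and removing `kubeVersion: '>=1.18-0'` leaves only the `catalog.cattle.io/kube-version` annotation to express the cluster requirement, which Helm itself does not enforce.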
@@ -11,209 +11,84 @@ from sys import exit import json import base64 import tempfile -import time -import os.path -def run_command(command_args, namespace=None, as_json=True, log_command=True): - command = ["kubectl"] +def run_command(command_args, namespace=None, as_json=True): + command = ['kubectl'] if namespace: - command.extend(["--namespace", namespace]) + command.extend(['--namespace', namespace]) command.extend(command_args) if as_json: - command.extend(["-o", "json"]) - if log_command: - print("Running command: {}".format(" ".join(command))) - output = check_output(command) - if as_json: - return json.loads(output) + command.extend(['-o', 'json']) + return json.loads(check_output(command)) else: - return output.decode("utf8") + return check_output(command).decode('utf8') -def create_sa_token_secret(directory, sa_name, namespace): - """Creates a service account token secret for sa_name in - namespace. Returns the name of the secret created. - - Ref: - https://k8s.io/docs/concepts/configuration/secret/#service-account-token-secrets - - """ - token_secret = { - "apiVersion": "v1", - "data": { - "do-not-delete-used-for-yugabyte-anywhere": "MQ==", - }, - "kind": "Secret", - "metadata": { - "annotations": { - "kubernetes.io/service-account.name": sa_name, - }, - "name": sa_name, - }, - "type": "kubernetes.io/service-account-token", - } - token_secret_file_name = os.path.join(directory, "token_secret.yaml") - with open(token_secret_file_name, "w") as token_secret_file: - json.dump(token_secret, token_secret_file) - run_command(["apply", "-f", token_secret_file_name], namespace) - return sa_name - - -def get_secret_data(secret, namespace): - """Returns the secret in JSON format if it has ca.crt and token in - it, else returns None. It retries 3 times with 1 second timeout - for the secret to be populated with this data. 
- - """ - secret_data = None - num_retries = 5 - timeout = 2 - while True: - secret_json = run_command(["get", "secret", secret], namespace) - if "ca.crt" in secret_json["data"] and "token" in secret_json["data"]: - secret_data = secret_json - break - - num_retries -= 1 - if num_retries == 0: - break - print( - "Secret '{}' is not populated. Sleep {}s, ({} retries left)".format( - secret, timeout, num_retries - ) - ) - time.sleep(timeout) - return secret_data - - -def get_secrets_for_sa(sa_name, namespace): - """Returns a list of all service account token secrets associated - with the given sa_name in the namespace. - - """ - secrets = run_command( - [ - "get", - "secret", - "--field-selector", - "type=kubernetes.io/service-account-token", - "-o", - 'jsonpath="{.items[?(@.metadata.annotations.kubernetes\.io/service-account\.name == "' - + sa_name - + '")].metadata.name}"', - ], - as_json=False, - ) - return secrets.strip('"').split() - - -parser = argparse.ArgumentParser(description="Generate KubeConfig with Token") -parser.add_argument("-s", "--service_account", help="Service Account name", required=True) -parser.add_argument("-n", "--namespace", help="Kubernetes namespace", default="kube-system") -parser.add_argument("-c", "--context", help="kubectl context") -parser.add_argument("-o", "--output_file", help="output file path") +parser = argparse.ArgumentParser(description='Generate KubeConfig with Token') +parser.add_argument('-s', '--service_account', help='Service Account name', required=True) +parser.add_argument('-n', '--namespace', help='Kubernetes namespace', default='kube-system') +parser.add_argument('-c', '--context', help='kubectl context') args = vars(parser.parse_args()) # if the context is not provided we use the current-context -context = args["context"] +context = args['context'] if context is None: - context = run_command(["config", "current-context"], args["namespace"], as_json=False) + context = run_command(['config', 'current-context'], + 
args['namespace'], as_json=False) -cluster_attrs = run_command( - ["config", "get-contexts", context.strip(), "--no-headers"], args["namespace"], as_json=False -) +cluster_attrs = run_command(['config', 'get-contexts', context.strip(), + '--no-headers'], args['namespace'], as_json=False) cluster_name = cluster_attrs.strip().split()[2] -endpoint = run_command( - [ - "config", - "view", - "-o", - 'jsonpath="{.clusters[?(@.name =="' + cluster_name + '")].cluster.server}"', - ], - args["namespace"], - as_json=False, -) -service_account_info = run_command(["get", "sa", args["service_account"]], args["namespace"]) - -tmpdir = tempfile.TemporaryDirectory() - -# Get the token and ca.crt from service account secret. -sa_secrets = list() - -# Get secrets specified in the service account, there can be multiple -# of them, and not all are service account token secrets. -if "secrets" in service_account_info: - sa_secrets = [secret["name"] for secret in service_account_info["secrets"]] - -# Find the existing additional service account token secrets -sa_secrets.extend(get_secrets_for_sa(args["service_account"], args["namespace"])) +endpoint = run_command(['config', 'view', '-o', + 'jsonpath="{.clusters[?(@.name =="' + + cluster_name + '")].cluster.server}"'], + args['namespace'], as_json=False) +service_account_info = run_command(['get', 'sa', args['service_account']], + args['namespace']) +# some ServiceAccounts have multiple secrets, and not all them have a +# ca.crt and a token. +sa_secrets = [secret['name'] for secret in service_account_info['secrets']] secret_data = None for secret in sa_secrets: - secret_data = get_secret_data(secret, args["namespace"]) - if secret_data is not None: - break - -# Kubernetes 1.22+ doesn't create the service account token secret by -# default, we have to create one. 
+ secret_json = run_command(['get', 'secret', secret], args['namespace']) + if 'ca.crt' not in secret_json['data'] and 'token' not in secret_json['data']: + continue + secret_data = secret_json if secret_data is None: - print("No usable secret found for '{}', creating one.".format(args["service_account"])) - token_secret = create_sa_token_secret(tmpdir.name, args["service_account"], args["namespace"]) - secret_data = get_secret_data(token_secret, args["namespace"]) - if secret_data is None: - exit( - "Failed to generate kubeconfig: No usable credentials found for '{}'.".format( - args["service_account"] - ) - ) + exit("No usable secret found for '{}'.".format(args['service_account'])) +context_name = '{}-{}'.format(args['service_account'], cluster_name) +kube_config = '/tmp/{}.conf'.format(args['service_account']) -context_name = "{}-{}".format(args["service_account"], cluster_name) -kube_config = args["output_file"] -if not kube_config: - kube_config = "/tmp/{}.conf".format(args["service_account"]) +with tempfile.NamedTemporaryFile() as ca_crt_file: + ca_crt = base64.b64decode(secret_data['data']['ca.crt']) + ca_crt_file.write(ca_crt) + ca_crt_file.flush() + # create kubeconfig entry + set_cluster_cmd = ['config', 'set-cluster', cluster_name, + '--kubeconfig={}'.format(kube_config), + '--server={}'.format(endpoint.strip('"')), + '--embed-certs=true', + '--certificate-authority={}'.format(ca_crt_file.name)] + run_command(set_cluster_cmd, as_json=False) +user_token = base64.b64decode(secret_data['data']['token']).decode('utf-8') +set_credentials_cmd = ['config', 'set-credentials', context_name, + '--token={}'.format(user_token), + '--kubeconfig={}'.format(kube_config)] +run_command(set_credentials_cmd, as_json=False) -ca_crt_file_name = os.path.join(tmpdir.name, "ca.crt") -ca_crt_file = open(ca_crt_file_name, "wb") -ca_crt_file.write(base64.b64decode(secret_data["data"]["ca.crt"])) -ca_crt_file.close() - -# create kubeconfig entry -set_cluster_cmd = [ - "config", - 
"set-cluster", - cluster_name, - "--kubeconfig={}".format(kube_config), - "--server={}".format(endpoint.strip('"')), - "--embed-certs=true", - "--certificate-authority={}".format(ca_crt_file_name), -] -run_command(set_cluster_cmd, as_json=False) - -user_token = base64.b64decode(secret_data["data"]["token"]).decode("utf-8") -set_credentials_cmd = [ - "config", - "set-credentials", - context_name, - "--token={}".format(user_token), - "--kubeconfig={}".format(kube_config), -] -run_command(set_credentials_cmd, as_json=False, log_command=False) - -set_context_cmd = [ - "config", - "set-context", - context_name, - "--cluster={}".format(cluster_name), - "--user={}".format(context_name), - "--kubeconfig={}".format(kube_config), -] +set_context_cmd = ['config', 'set-context', context_name, + '--cluster={}'.format(cluster_name), + '--user={}'.format(context_name), + '--kubeconfig={}'.format(kube_config)] run_command(set_context_cmd, as_json=False) -use_context_cmd = ["config", "use-context", context_name, "--kubeconfig={}".format(kube_config)] +use_context_cmd = ['config', 'use-context', context_name, + '--kubeconfig={}'.format(kube_config)] run_command(use_context_cmd, as_json=False) print("Generated the kubeconfig file: {}".format(kube_config)) diff --git a/charts/yugabyte/yugabyte/openshift.values.yaml b/charts/yugabyte/yugabyte/openshift.values.yaml deleted file mode 100644 index d2784b23e..000000000 --- a/charts/yugabyte/yugabyte/openshift.values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -# OCP compatible values for yugabyte - -Image: - repository: "quay.io/yugabyte/yugabyte-ubi" diff --git a/charts/yugabyte/yugabyte/questions.yaml b/charts/yugabyte/yugabyte/questions.yaml index 6befa49e1..c88fd43c0 100644 --- a/charts/yugabyte/yugabyte/questions.yaml +++ b/charts/yugabyte/yugabyte/questions.yaml 
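Review bot: The secret filter in the loop over `sa_secrets` uses `and`, so a secret that has `ca.crt` but no `token` (or the reverse) is accepted and the script later dies with a KeyError at `secret_data['data']['token']` instead of the intended `exit(...)` message; the condition should be `if 'ca.crt' not in secret_json['data'] or 'token' not in secret_json['data']:` and the loop should `break` once `secret_data` is set, otherwise the last matching secret silently wins. `service_account_info['secrets']` likewise raises KeyError when the service account lists no secrets, which is the default on Kubernetes 1.24+ where token secrets are no longer auto-created; `sa_secrets = [secret['name'] for secret in service_account_info.get('secrets', [])]` keeps the existing error path for that case. The new side also writes the kubeconfig, which embeds a long-lived service-account token, to the predictable shared path `/tmp/{service_account}.conf` with no way to choose the destination; an output-path argument, or at least a `tempfile.mkstemp`-derived directory, would keep the credential out of a world-shared location.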
@@ -16,7 +16,7 @@ questions: label: YugabyteDB image repository description: "YugabyteDB image repository" - variable: Image.tag - default: "2.5.1.0-b153" + default: "2.14.1.0-b36" required: true type: string label: YugabyteDB image tag diff --git a/charts/yugabyte/yugabyte/templates/_helpers.tpl b/charts/yugabyte/yugabyte/templates/_helpers.tpl index 6d8e08857..27697d799 100644 --- a/charts/yugabyte/yugabyte/templates/_helpers.tpl +++ b/charts/yugabyte/yugabyte/templates/_helpers.tpl @@ -26,7 +26,7 @@ Generate common labels. {{- define "yugabyte.labels" }} heritage: {{ .Values.helm2Legacy | ternary "Tiller" (.Release.Service | quote) }} release: {{ .Release.Name | quote }} -chart: {{ .Chart.Name | quote }} +chart: {{ .Values.oldNamingStyle | ternary .Chart.Name (include "yugabyte.chart" .) | quote }} component: {{ .Values.Component | quote }} {{- if .Values.commonLabels}} {{ toYaml .Values.commonLabels }} 
@@ -56,89 +56,6 @@ release: {{ .root.Release.Name | quote }} {{- end }} {{- end }} -{{/* -Create secrets in DBNamespace from other namespaces by iterating over envSecrets. -*/}} -{{- define "yugabyte.envsecrets" -}} -{{- range $v := .secretenv }} -{{- if $v.valueFrom.secretKeyRef.namespace }} -{{- $secretObj := (lookup -"v1" -"Secret" -$v.valueFrom.secretKeyRef.namespace -$v.valueFrom.secretKeyRef.name) -| default dict }} -{{- $secretData := (get $secretObj "data") | default dict }} -{{- $secretValue := (get $secretData $v.valueFrom.secretKeyRef.key) | default "" }} -{{- if (and (not $secretValue) (not $v.valueFrom.secretKeyRef.optional)) }} -{{- required (printf "Secret or key missing for %s/%s in namespace: %s" -$v.valueFrom.secretKeyRef.name -$v.valueFrom.secretKeyRef.key -$v.valueFrom.secretKeyRef.namespace) -nil }} -{{- end }} -{{- if $secretValue }} -apiVersion: v1 -kind: Secret -metadata: - {{- $secretfullname := printf "%s-%s-%s-%s" - $.root.Release.Name - $v.valueFrom.secretKeyRef.namespace - $v.valueFrom.secretKeyRef.name - $v.valueFrom.secretKeyRef.key - }} - name: {{ printf "%s-%s-%s-%s-%s-%s" - $.root.Release.Name - ($v.valueFrom.secretKeyRef.namespace | substr 0 5) - ($v.valueFrom.secretKeyRef.name | substr 0 5) - ( $v.valueFrom.secretKeyRef.key | substr 0 5) - (sha256sum $secretfullname | substr 0 4) - ($.suffix) - | lower | replace "." "" | replace "_" "" - }} - namespace: "{{ $.root.Release.Namespace }}" - labels: - {{- include "yugabyte.labels" $.root | indent 4 }} -type: Opaque # should it be an Opaque secret? -data: - {{ $v.valueFrom.secretKeyRef.key }}: {{ $secretValue | quote }} -{{- end }} -{{- end }} ---- -{{- end }} -{{- end }} - -{{/* -Add env secrets to DB statefulset. 
-*/}} -{{- define "yugabyte.addenvsecrets" -}} -{{- range $v := .secretenv }} -- name: {{ $v.name }} - valueFrom: - secretKeyRef: - {{- if $v.valueFrom.secretKeyRef.namespace }} - {{- $secretfullname := printf "%s-%s-%s-%s" - $.root.Release.Name - $v.valueFrom.secretKeyRef.namespace - $v.valueFrom.secretKeyRef.name - $v.valueFrom.secretKeyRef.key - }} - name: {{ printf "%s-%s-%s-%s-%s-%s" - $.root.Release.Name - ($v.valueFrom.secretKeyRef.namespace | substr 0 5) - ($v.valueFrom.secretKeyRef.name | substr 0 5) - ($v.valueFrom.secretKeyRef.key | substr 0 5) - (sha256sum $secretfullname | substr 0 4) - ($.suffix) - | lower | replace "." "" | replace "_" "" - }} - {{- else }} - name: {{ $v.valueFrom.secretKeyRef.name }} - {{- end }} - key: {{ $v.valueFrom.secretKeyRef.key }} - optional: {{ $v.valueFrom.secretKeyRef.optional | default "false" }} -{{- end }} -{{- end }} {{/* Create Volume name. */}} @@ -167,21 +84,18 @@ Generate a preflight check script invocation. */}} {{- define "yugabyte.preflight_check" -}} {{- if not .Values.preflight.skipAll -}} -{{- $port := .Preflight.Port -}} -{{- range $addr := split "," .Preflight.Addr -}} if [ -f /home/yugabyte/tools/k8s_preflight.py ]; then PYTHONUNBUFFERED="true" /home/yugabyte/tools/k8s_preflight.py \ dnscheck \ - --addr="{{ $addr }}" \ -{{- if not $.Values.preflight.skipBind }} - --port="{{ $port }}" + --addr="{{ .Preflight.Addr }}" \ +{{- if not .Values.preflight.skipBind }} + --port="{{ .Preflight.Port }}" {{- else }} --skip_bind {{- end }} fi && \ -{{ end }} -{{- end }} -{{- end }} +{{- end -}} +{{- end -}} {{/* Get YugaByte fs data directories. 
@@ -216,20 +130,12 @@ echo "disk check at: $(date)" \ Generate server FQDN. */}} {{- define "yugabyte.server_fqdn" -}} - {{- if .Values.multicluster.createServicePerPod -}} + {{- if (and .Values.istioCompatibility.enabled .Values.multicluster.createServicePerPod) -}} {{- printf "$(HOSTNAME).$(NAMESPACE).svc.%s" .Values.domainName -}} - {{- else if (and .Values.oldNamingStyle .Values.multicluster.createServiceExports) -}} - {{ $membershipName := required "A valid membership name is required! Please set multicluster.kubernetesClusterId" .Values.multicluster.kubernetesClusterId }} - {{- printf "$(HOSTNAME).%s.%s.$(NAMESPACE).svc.clusterset.local" $membershipName .Service.name -}} {{- else if .Values.oldNamingStyle -}} {{- printf "$(HOSTNAME).%s.$(NAMESPACE).svc.%s" .Service.name .Values.domainName -}} {{- else -}} - {{- if .Values.multicluster.createServiceExports -}} - {{ $membershipName := required "A valid membership name is required! Please set multicluster.kubernetesClusterId" .Values.multicluster.kubernetesClusterId }} - {{- printf "$(HOSTNAME).%s.%s-%s.$(NAMESPACE).svc.clusterset.local" $membershipName (include "yugabyte.fullname" .) .Service.name -}} - {{- else -}} - {{- printf "$(HOSTNAME).%s-%s.$(NAMESPACE).svc.%s" (include "yugabyte.fullname" .) .Service.name .Values.domainName -}} - {{- end -}} + {{- printf "$(HOSTNAME).%s-%s.$(NAMESPACE).svc.%s" (include "yugabyte.fullname" .) .Service.name .Values.domainName -}} {{- end -}} {{- end -}} 
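Review bot: With the new first condition, `multicluster.createServicePerPod` set without `istioCompatibility.enabled` silently falls through to the per-service FQDN, so a values file that enabled per-pod services against the previous chart now renders a different server address with no error. If that combination is no longer supported, fail at render time instead of producing a quietly different deployment: `{{- if (and .Values.multicluster.createServicePerPod (not .Values.istioCompatibility.enabled)) -}}{{- fail "multicluster.createServicePerPod requires istioCompatibility.enabled" -}}{{- end -}}` before the existing `if`. The `createServiceExports` branches are removed entirely, so the same consideration applies to that value if it still appears in values.yaml.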
@@ -242,25 +148,10 @@ Generate server broadcast address. {{/* Generate server RPC bind address. - -In case of multi-cluster services (MCS), we set it to $(POD_IP) to -ensure YCQL uses a resolvable address. -See https://github.com/yugabyte/yugabyte-db/issues/16155 - -We use a workaround for above in case of Istio by setting it to -$(POD_IP) and localhost. Master doesn't support that combination, so -we stick to 0.0.0.0, which works for master. */}} {{- define "yugabyte.rpc_bind_address" -}} - {{- $port := index .Service.ports "tcp-rpc-port" -}} {{- if .Values.istioCompatibility.enabled -}} - {{- if (eq .Service.name "yb-masters") -}} - 0.0.0.0:{{ $port }} - {{- else -}} - $(POD_IP):{{ $port }},127.0.0.1:{{ $port }} - {{- end -}} - {{- else if (or .Values.multicluster.createServiceExports .Values.multicluster.createServicePerPod) -}} - $(POD_IP):{{ $port }} + 0.0.0.0:{{ index .Service.ports "tcp-rpc-port" -}} {{- else -}} {{- include "yugabyte.server_fqdn" . -}} {{- end -}} @@ -277,7 +168,7 @@ Generate server web interface. Generate server CQL proxy bind address. */}} {{- define "yugabyte.cql_proxy_bind_address" -}} - {{- if or .Values.istioCompatibility.enabled .Values.multicluster.createServiceExports .Values.multicluster.createServicePerPod -}} + {{- if .Values.istioCompatibility.enabled -}} 0.0.0.0:{{ index .Service.ports "tcp-yql-port" -}} {{- else -}} {{- include "yugabyte.server_fqdn" . -}} 
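Review bot: The comment above `yugabyte.rpc_bind_address` loses the explanation of why the Istio branch binds `0.0.0.0`, and the new branch now listens on all interfaces for masters and tservers alike, which is a wider listener than the per-pod FQDN bind used otherwise. A short why-comment would preserve the reasoning for reviewers of the bind surface, e.g. `Under Istio the server binds all interfaces (presumably because the sidecar redirects inbound traffic); reachability is then bounded by mesh policy, not by the bind address.` The same applies to `yugabyte.cql_proxy_bind_address` in the following hunk, which makes the same `0.0.0.0` choice with no comment.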
@@ -322,10 +213,10 @@ Compute the maximum number of unavailable pods based on the number of master rep Set consistent issuer name. */}} {{- define "yugabyte.tls_cm_issuer" -}} - {{- if .Values.tls.certManager.bootstrapSelfsigned -}} - {{ .Values.oldNamingStyle | ternary "yugabyte-selfsigned" (printf "%s-selfsigned" (include "yugabyte.fullname" .)) }} + {{- if .Values.tls.certManager.useClusterIssuer -}} + {{ .Values.tls.certManager.clusterIssuer }} {{- else -}} - {{ .Values.tls.certManager.useClusterIssuer | ternary .Values.tls.certManager.clusterIssuer .Values.tls.certManager.issuer}} + {{ .Values.oldNamingStyle | ternary "yugabyte-selfsigned" (printf "%s-selfsigned" (include "yugabyte.fullname" .)) }} {{- end -}} {{- end -}} @@ -365,51 +256,3 @@ Set consistent issuer name. {{- end -}} {{- end -}} {{- end -}} - -{{/* - Default nodeAffinity for multi-az deployments -*/}} -{{- define "yugabyte.multiAZNodeAffinity" -}} -requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: failure-domain.beta.kubernetes.io/zone - operator: In - values: - - {{ .Values.AZ }} - - matchExpressions: - - key: topology.kubernetes.io/zone - operator: In - values: - - {{ .Values.AZ }} -{{- end -}} - -{{/* - Default podAntiAffinity for master and tserver - - This requires "appLabelArgs" to be passed in - defined in service.yaml - we have a .root and a .label in appLabelArgs -*/}} -{{- define "yugabyte.podAntiAffinity" -}} -preferredDuringSchedulingIgnoredDuringExecution: -- weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - {{- if .root.Values.oldNamingStyle }} - - key: app - operator: In - values: - - "{{ .label }}" - {{- else }} - - key: app.kubernetes.io/name - operator: In - values: - - "{{ .label }}" - - key: release - operator: In - values: - - {{ .root.Release.Name | quote }} - {{- end }} - topologyKey: kubernetes.io/hostname -{{- end -}} 
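Review bot: `yugabyte.tls_cm_issuer` now returns either the ClusterIssuer or the chart's own self-signed Issuer, so `tls.certManager.issuer` (a pre-existing namespaced Issuer, used by the removed `else` branch) and `bootstrapSelfsigned` are no longer consulted; if values.yaml still documents them they are silently ignored, and a deployment that expected an external namespaced CA gets a chart-generated self-signed CA instead. The `certificates.yaml` hunks on the next line (`@@ -1,7 +1,7 @@` and `@@ -37,38 +37,13 @@`) make the same choice, creating the self-signed Issuer whenever `useClusterIssuer` is false and dropping the `<fullname>-root-ca` fallback Secret. If the namespaced-issuer path is intentionally dropped, say so in the helper's comment, e.g. `Issuer name: the configured ClusterIssuer when useClusterIssuer is set, otherwise the self-signed Issuer that certificates.yaml creates in the release namespace.`; otherwise keep `{{ .Values.tls.certManager.useClusterIssuer | ternary .Values.tls.certManager.clusterIssuer .Values.tls.certManager.issuer }}` as the non-bootstrap branch.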
diff --git a/charts/yugabyte/yugabyte/templates/certificates.yaml b/charts/yugabyte/yugabyte/templates/certificates.yaml index 07fc2e5f5..f8dd4acb5 100644 --- a/charts/yugabyte/yugabyte/templates/certificates.yaml +++ b/charts/yugabyte/yugabyte/templates/certificates.yaml @@ -1,7 +1,7 @@ {{- $root := . -}} --- {{- if $root.Values.tls.certManager.enabled }} -{{- if $root.Values.tls.certManager.bootstrapSelfsigned }} +{{- if not $root.Values.tls.certManager.useClusterIssuer }} --- apiVersion: cert-manager.io/v1 kind: Issuer @@ -37,38 +37,13 @@ spec: ca: secretName: {{ $root.Values.oldNamingStyle | ternary "yugabyte-ca" (printf "%s-ca" (include "yugabyte.fullname" $root)) }} --- -{{- else }} -{{/* when bootstrapSelfsigned = false, ie. when using an external CA. -Create a Secret with just the rootCA.cert value and mount into master/tserver pods. -This will be used as a fall back in case the Secret generated by cert-manager does not -have a root ca.crt. This can happen for certain certificate issuers like LetsEncrypt. -*/}} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ printf "%s-root-ca" (include "yugabyte.fullname" $root) }} - namespace: "{{ $root.Release.Namespace }}" - labels: - {{- include "yugabyte.labels" $root | indent 4 }} -type: Opaque -data: - ca.crt: {{ $root.Values.tls.rootCA.cert }} ---- {{- end }} -{{/* -The below Certificate resource will trigger cert-manager to issue crt/key into Secrets. -These secrets are mounted into master/tserver pods. -*/}} {{- range .Values.Services }} {{- $service := . -}} {{- $appLabelArgs := dict "label" .label "root" $root -}} {{- $serviceValues := (dict "Service" $service "Values" $root.Values "Chart" $root.Chart "Release" $root.Release) -}} -{{- $replicas := (eq .name "yb-masters") | ternary $root.Values.replicas.master $root.Values.replicas.tserver -}} - -{{- if (gt (int $replicas) 0) }} --- apiVersion: cert-manager.io/v1 kind: Certificate 
@@ -90,29 +65,28 @@ spec: secretName: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" $service.label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) $service.label) }} duration: {{ $root.Values.tls.certManager.certificates.duration | quote }} renewBefore: {{ $root.Values.tls.certManager.certificates.renewBefore | quote }} + commonName: yugabyte-{{ .name }} isCA: false privateKey: algorithm: {{ $root.Values.tls.certManager.certificates.algorithm | quote }} encoding: PKCS8 size: {{ $root.Values.tls.certManager.certificates.keySize }} - rotationPolicy: Always usages: - server auth - client auth # At least one of a DNS Name, URI, or IP address is required. dnsNames: + {{- $replicas := (eq .name "yb-masters") | ternary $root.Values.replicas.master $root.Values.replicas.tserver -}} {{- range $index := until ( int ( $replicas ) ) }} {{- $nodeOldStyle := printf "%s-%d.%s.%s.svc.%s" $service.label $index $service.name $root.Release.Namespace $root.Values.domainName }} {{- $nodeNewStyle := printf "%s-%s-%d.%s-%s.%s.svc.%s" (include "yugabyte.fullname" $root) $service.label $index (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace $root.Values.domainName }} {{- $node := $root.Values.oldNamingStyle | ternary $nodeOldStyle $nodeNewStyle }} - {{$node}} {{- end }} - - {{ printf "%s-%s.%s.svc.%s" (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace $root.Values.domainName }} uris: [] ipAddresses: [] --- {{- end }} -{{- end }} --- apiVersion: cert-manager.io/v1 @@ -140,7 +114,6 @@ spec: algorithm: {{ $root.Values.tls.certManager.certificates.algorithm | quote }} encoding: PKCS8 size: {{ $root.Values.tls.certManager.certificates.keySize }} - rotationPolicy: Always usages: - client auth dnsNames: [] diff --git a/charts/yugabyte/yugabyte/templates/debug_config_map.yaml b/charts/yugabyte/yugabyte/templates/debug_config_map.yaml deleted file mode 100644 index a15c4fc9a..000000000 
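Review bot: Dropping `rotationPolicy: Always` from the server Certificate (and from the client Certificate in the `@@ -140,7 +114,6 @@` hunk) makes cert-manager fall back to its default of reusing the existing private key on every renewal, so the key stored in the `*-tls-cert` Secret is never rotated for the life of the release; keep `rotationPolicy: Always` under `privateKey:` unless key reuse is deliberately wanted. Separately, the service-level SAN `<fullname>-<service>.<ns>.svc.<domain>` is removed from `dnsNames`, so a client that connects through the headless service name rather than a pod FQDN will fail hostname verification; presumably nothing depends on that, but it should be confirmed. The added `commonName: yugabyte-{{ .name }}` is not mirrored in `dnsNames`, and current TLS stacks ignore the CN for verification, so it carries no verification value on its own.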
--- a/charts/yugabyte/yugabyte/templates/debug_config_map.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "yugabyte.fullname" . }}-master-hooks - namespace: "{{ .Release.Namespace }}" -data: -{{- range $index := until ( int ( .Values.replicas.master ) ) }} - yb-master-{{.}}-pre_debug_hook.sh: "echo 'hello-from-pre' " - yb-master-{{.}}-post_debug_hook.sh: "echo 'hello-from-post' " -{{- end }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "yugabyte.fullname" . }}-tserver-hooks - namespace: "{{ .Release.Namespace }}" -data: -{{- range $index := until ( int ( .Values.replicas.tserver) ) }} - yb-tserver-{{.}}-pre_debug_hook.sh: "echo 'hello-from-pre' " - yb-tserver-{{.}}-post_debug_hook.sh: "echo 'hello-from-post' " -{{- end }} ---- diff --git a/charts/yugabyte/yugabyte/templates/multicluster/common-tserver-service.yaml b/charts/yugabyte/yugabyte/templates/multicluster-common-tserver-service.yaml similarity index 100% rename from charts/yugabyte/yugabyte/templates/multicluster/common-tserver-service.yaml rename to charts/yugabyte/yugabyte/templates/multicluster-common-tserver-service.yaml diff --git a/charts/yugabyte/yugabyte/templates/multicluster/service-per-pod.yaml b/charts/yugabyte/yugabyte/templates/multicluster-multiple-services.yaml similarity index 82% rename from charts/yugabyte/yugabyte/templates/multicluster/service-per-pod.yaml rename to charts/yugabyte/yugabyte/templates/multicluster-multiple-services.yaml index 15e09dce8..a26b39018 100644 --- a/charts/yugabyte/yugabyte/templates/multicluster/service-per-pod.yaml +++ b/charts/yugabyte/yugabyte/templates/multicluster-multiple-services.yaml 
@@ -11,19 +11,11 @@ metadata: labels: {{- include "yugabyte.applabel" ($appLabelArgs) | indent 4 }} {{- include "yugabyte.labels" $ | indent 4 }} - service-type: "non-endpoint" spec: ports: {{- range $label, $port := $server.ports }} - {{- if (eq $label "grpc-ybc-port") }} - {{- if $.Values.ybc.enabled }} - name: {{ $label | quote }} port: {{ $port }} - {{- end }} - {{- else }} - - name: {{ $label | quote }} - port: {{ $port }} - {{- end }} {{- end}} selector: statefulset.kubernetes.io/pod-name: {{ $podName | quote }} diff --git a/charts/yugabyte/yugabyte/templates/multicluster/mcs-service-export.yaml b/charts/yugabyte/yugabyte/templates/multicluster/mcs-service-export.yaml deleted file mode 100644 index eeafcb1bb..000000000 --- a/charts/yugabyte/yugabyte/templates/multicluster/mcs-service-export.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- /* - Ref - https://cloud.google.com/kubernetes-engine/docs/how-to/multi-cluster-services#registering_a_service_for_export - https://github.com/kubernetes/enhancements/tree/master/keps/sig-multicluster/1645-multi-cluster-services-api#exporting-services -*/}} -{{- if .Values.multicluster.createServiceExports }} -apiVersion: {{ .Values.multicluster.mcsApiVersion }} -kind: ServiceExport -metadata: - name: {{ .Values.oldNamingStyle | ternary "yb-masters" (printf "%s-%s" (include "yugabyte.fullname" .) "yb-masters") | quote }} - namespace: "{{ .Release.Namespace }}" - labels: - {{- include "yugabyte.labels" . | indent 4 }} ---- -apiVersion: {{ .Values.multicluster.mcsApiVersion }} -kind: ServiceExport -metadata: - name: {{ .Values.oldNamingStyle | ternary "yb-tservers" (printf "%s-%s" (include "yugabyte.fullname" .) "yb-tservers") | quote }} - namespace: "{{ .Release.Namespace }}" - labels: - {{- include "yugabyte.labels" . | indent 4 }} -{{ end -}} diff --git a/charts/yugabyte/yugabyte/templates/secrets.yaml b/charts/yugabyte/yugabyte/templates/secrets.yaml deleted file mode 100644 index 0bd903457..000000000 
--- a/charts/yugabyte/yugabyte/templates/secrets.yaml +++ /dev/null @@ -1,7 +0,0 @@ -{{- $root := . -}} ---- # Create secrets from other namespaces for masters. -{{- $data := dict "secretenv" $.Values.master.secretEnv "root" . "suffix" "master"}} -{{- include "yugabyte.envsecrets" $data }} ---- # Create secrets from other namespaces for tservers. -{{- $data := dict "secretenv" $.Values.tserver.secretEnv "root" . "suffix" "tserver" }} -{{- include "yugabyte.envsecrets" $data }} \ No newline at end of file diff --git a/charts/yugabyte/yugabyte/templates/service.yaml b/charts/yugabyte/yugabyte/templates/service.yaml index 6a900715b..f44ece98d 100644 --- a/charts/yugabyte/yugabyte/templates/service.yaml +++ b/charts/yugabyte/yugabyte/templates/service.yaml @@ -24,7 +24,7 @@ data: {{- end }} --- {{- end }} ---- + {{- range .Values.Services }} {{- $service := . -}} {{- $appLabelArgs := dict "label" .label "root" $root -}} 
@@ -46,29 +46,12 @@ data: {{- range $index := until ( int ( $replicas ) ) }} {{- $nodeOldStyle := printf "%s-%d.%s.%s.svc.%s" $service.label $index $service.name $root.Release.Namespace $root.Values.domainName }} {{- $nodeNewStyle := printf "%s-%s-%d.%s-%s.%s.svc.%s" (include "yugabyte.fullname" $root) $service.label $index (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace $root.Values.domainName }} - -{{- if $root.Values.multicluster.createServiceExports -}} - {{- $nodeOldStyle = printf "%s-%d.%s.%s.%s.svc.clusterset.local" $service.label $index $root.Values.multicluster.kubernetesClusterId $service.name $root.Release.Namespace }} - {{- $nodeNewStyle = printf "%s-%s-%d.%s.%s-%s.%s.svc.clusterset.local" (include "yugabyte.fullname" $root) $service.label $index $root.Values.multicluster.kubernetesClusterId (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace }} -{{- end -}} - -{{- if $root.Values.multicluster.createServicePerPod -}} - {{- $nodeOldStyle = printf "%s-%d.%s.svc.%s" $service.label $index $root.Release.Namespace $root.Values.domainName }} - {{- $nodeNewStyle = printf "%s-%s-%d.%s.svc.%s" (include "yugabyte.fullname" $root) $service.label $index $root.Release.Namespace $root.Values.domainName }} -{{- end -}} - {{- $node := $root.Values.oldNamingStyle | ternary $nodeOldStyle $nodeNewStyle }} {{- if $root.Values.tls.rootCA.key }} -{{- $dns1 := printf "*.%s-%s.%s" (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace }} +{{- $dns1 := printf "*.*.%s" $root.Release.Namespace }} {{- $dns2 := printf "%s.svc.%s" $dns1 $root.Values.domainName }} -{{- if $root.Values.multicluster.createServiceExports -}} - {{- $dns1 = printf "*.%s.%s-%s.%s.svc.clusterset.local" $root.Values.multicluster.kubernetesClusterId (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace }} -{{- end -}} -{{- if $root.Values.multicluster.createServicePerPod -}} - {{- $dns1 = printf "*.%s.svc.%s" 
$root.Release.Namespace $root.Values.domainName }} -{{- end -}} {{- $rootCA := buildCustomCert $root.Values.tls.rootCA.cert $root.Values.tls.rootCA.key -}} -{{- $server := genSignedCert $node ( default nil ) (list $node $dns1 $dns2 ) 3650 $rootCA }} +{{- $server := genSignedCert $node ( default nil ) (list $dns1 $dns2 ) 3650 $rootCA }} node.{{$node}}.crt: {{ $server.Cert | b64enc }} node.{{$node}}.key: {{ $server.Key | b64enc }} {{- else }} @@ -92,20 +75,13 @@ spec: clusterIP: None ports: {{- range $label, $port := .ports }} - {{- if (eq $label "grpc-ybc-port") }} - {{- if $root.Values.ybc.enabled }} - name: {{ $label | quote }} port: {{ $port }} - {{- end }} - {{- else }} - - name: {{ $label | quote }} - port: {{ $port }} - {{- end }} {{- end}} selector: {{- include "yugabyte.appselector" ($appLabelArgs) | indent 4 }} -{{- if $root.Values.enableLoadBalancer }} +{{ if $root.Values.enableLoadBalancer }} {{- range $endpoint := $root.Values.serviceEndpoints }} {{- if eq $service.label $endpoint.app }} --- @@ -118,12 +94,11 @@ metadata: labels: {{- include "yugabyte.applabel" ($appLabelArgs) | indent 4 }} {{- include "yugabyte.labels" $root | indent 4 }} - service-type: "endpoint" spec: - {{- if eq $root.Release.Service "Tiller" }} + {{ if eq $root.Release.Service "Tiller" }} clusterIP: - {{- else }} - {{- if $endpoint.clusterIP }} + {{ else }} + {{ if $endpoint.clusterIP }} clusterIP: {{ $endpoint.clusterIP }} {{- end }} {{- end }} @@ -141,7 +116,7 @@ spec: {{- end }} {{- end}} {{- end}} -{{- end}} +{{ end }} --- apiVersion: apps/v1 @@ -222,9 +197,6 @@ spec: labels: {{- include "yugabyte.applabel" ($appLabelArgs) | indent 8 }} {{- include "yugabyte.labels" $root | indent 8 }} - {{- if $root.Values.istioCompatibility.enabled }} - sidecar.istio.io/inject: "true" - {{- end }} {{- if eq .name "yb-masters" }} {{- with $root.Values.master.podLabels }}{{ toYaml . | nindent 8 }}{{ end }} {{- else }} 
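Review bot: The per-node certificate built with `genSignedCert` now carries only the wildcard SANs `*.*.<namespace>` and `*.*.<namespace>.svc.<domain>` and no longer lists `$node` itself. A wildcard is only honoured in the leftmost label, so `*.*.ns.svc.domain` does not match `pod-0.svc.ns.svc.domain` in common verifiers, and with the pod FQDN now only in the CN (which modern clients ignore) server-to-server verification under `tls.enabled` is likely to fail; to the extent a verifier did accept the pattern, every node's key would be valid for every host in the namespace, which defeats per-node identity. Keep `$node` as the first SAN and scope the wildcard to the service for both naming styles: `{{- $dns1 := $root.Values.oldNamingStyle | ternary (printf "*.%s.%s" $service.name $root.Release.Namespace) (printf "*.%s-%s.%s" (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace) }}` and `{{- $server := genSignedCert $node ( default nil ) (list $node $dns1 $dns2 ) 3650 $rootCA }}`. This hunk starts on the previous physical line.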
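Review bot: In the `@@ -222,9 +197,6 @@` hunk the pod label `sidecar.istio.io/inject: "true"` is removed while `istioCompatibility.enabled` still drives the `0.0.0.0` bind addresses in `_helpers.tpl`, so injection now depends entirely on namespace-level configuration; a namespace without the injection label gets servers listening on all interfaces with no sidecar, i.e. no mesh mTLS in front of them. If that is intended, the `istioCompatibility` value (outside this diff) should document that the namespace must be labelled for injection; otherwise keep the label under the `{{- if $root.Values.istioCompatibility.enabled }}` guard.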
@@ -242,95 +214,62 @@ spec: nodeSelector: {{ toYaml $root.Values.nodeSelector | indent 8 }} {{- end }} + terminationGracePeriodSeconds: 300 {{- if eq .name "yb-masters" }} # yb-masters - {{- with $root.Values.master.serviceAccount }} - serviceAccountName: {{ . }} - {{- end }} {{- if $root.Values.master.tolerations }} tolerations: {{- with $root.Values.master.tolerations }}{{ toYaml . | nindent 8 }}{{ end }} {{- end }} {{- else }} # yb-tservers - {{- with $root.Values.tserver.serviceAccount }} - serviceAccountName: {{ . }} - {{- end }} {{- if $root.Values.tserver.tolerations }} tolerations: {{- with $root.Values.tserver.tolerations }}{{ toYaml . | nindent 8 }}{{ end }} {{- end }} {{- end }} - terminationGracePeriodSeconds: 300 affinity: - # Set the anti-affinity selector scope to YB masters and tservers. - {{- $nodeAffinityData := dict}} - {{- if eq .name "yb-masters" -}} - {{- $nodeAffinityData = get $root.Values.master.affinity "nodeAffinity" | default (dict) -}} - {{- else -}} - {{- $nodeAffinityData = get $root.Values.tserver.affinity "nodeAffinity" | default (dict) -}} - {{- end -}} + # Set the anti-affinity selector scope to YB masters. {{ if $root.Values.AZ }} - {{- $userSelectorTerms := dig "requiredDuringSchedulingIgnoredDuringExecution" "nodeSelectorTerms" "" $nodeAffinityData | default (list) -}} - {{- $baseAffinity := include "yugabyte.multiAZNodeAffinity" $root | fromYaml -}} - {{- $requiredSchedule := (list) -}} - {{- if $userSelectorTerms -}} - {{- range $userSelectorTerms -}} - {{- $userTerm := . 
-}} - {{- range $baseAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms -}} - {{- $matchExpr := concat .matchExpressions $userTerm.matchExpressions | dict "matchExpressions" -}} - {{- $requiredSchedule = mustMerge $matchExpr $userTerm | append $requiredSchedule -}} - {{- end -}} - {{- end -}} - {{- else -}} - {{- $requiredSchedule = $baseAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms -}} - {{- end -}} - - {{- with $baseAffinity.requiredDuringSchedulingIgnoredDuringExecution -}} - {{- $_ := set . "nodeSelectorTerms" $requiredSchedule -}} - {{- end -}} - {{- $nodeAffinityData = mustMerge $baseAffinity $nodeAffinityData -}} - {{- end -}} - - {{- $podAntiAffinityData := dict -}} - {{- $basePodAntiAffinity := include "yugabyte.podAntiAffinity" ($appLabelArgs) | fromYaml -}} - {{- if eq .name "yb-masters" -}} - {{- with $root.Values.master.affinity -}} - {{- $userPodAntiAffinity := get . "podAntiAffinity" | default (dict) -}} - {{- if $userPodAntiAffinity -}} - {{- $preferredList := dig "preferredDuringSchedulingIgnoredDuringExecution" "" $userPodAntiAffinity | default (list) | concat $basePodAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution}} - {{- $_ := set $basePodAntiAffinity "preferredDuringSchedulingIgnoredDuringExecution" $preferredList -}} - {{- end -}} - {{- $podAntiAffinityData = mustMerge $basePodAntiAffinity $userPodAntiAffinity -}} - {{- end -}} - {{- else -}} - {{- with $root.Values.tserver.affinity -}} - {{- $userPodAntiAffinity := get . 
"podAntiAffinity" | default (dict) -}} - {{- if $userPodAntiAffinity -}} - {{- $preferredList := dig "preferredDuringSchedulingIgnoredDuringExecution" "" $userPodAntiAffinity | default (list) | concat $basePodAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution}} - {{- $_ := set $basePodAntiAffinity "preferredDuringSchedulingIgnoredDuringExecution" $preferredList -}} - {{- end -}} - {{- $podAntiAffinityData = mustMerge $basePodAntiAffinity $userPodAntiAffinity -}} - {{- end -}} - {{- end -}} - - {{- if eq .name "yb-masters" -}} - {{- if $nodeAffinityData -}} - {{- $_ := set $root.Values.master.affinity "nodeAffinity" $nodeAffinityData -}} - {{- end -}} - {{- $_ := set $root.Values.master.affinity "podAntiAffinity" $podAntiAffinityData -}} - {{ toYaml $root.Values.master.affinity | nindent 8 }} - {{- else -}} - {{- if $nodeAffinityData -}} - {{- $_ := set $root.Values.tserver.affinity "nodeAffinity" $nodeAffinityData -}} - {{- end -}} - {{- $_ := set $root.Values.tserver.affinity "podAntiAffinity" $podAntiAffinityData -}} - {{ toYaml $root.Values.tserver.affinity | nindent 8 }} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: failure-domain.beta.kubernetes.io/zone + operator: In + values: + - {{ $root.Values.AZ }} + - matchExpressions: + - key: topology.kubernetes.io/zone + operator: In + values: + - {{ $root.Values.AZ }} {{ end }} - {{- with $root.Values.dnsConfig }} - dnsConfig: {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $root.Values.dnsPolicy }} - dnsPolicy: {{ . 
| quote }} - {{- end }} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + {{- if $root.Values.oldNamingStyle }} + - key: app + operator: In + values: + - "{{ .label }}" + {{- else }} + - key: app.kubernetes.io/name + operator: In + values: + - "{{ .label }}" + - key: release + operator: In + values: + - {{ $root.Release.Name | quote }} + {{- end }} + topologyKey: kubernetes.io/hostname + {{- if eq .name "yb-masters" }} + {{- with $root.Values.master.affinity }}{{ toYaml . | nindent 8 }}{{ end }} + {{- else }} + {{- with $root.Values.tserver.affinity }}{{ toYaml . | nindent 8 }}{{ end }} + {{- end }} containers: - name: "{{ .label }}" image: "{{ $root.Values.Image.repository }}:{{ $root.Values.Image.tag }}" 
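Review bot: The new side drops `serviceAccountName` for both masters and tservers (the lines removed under `# yb-masters` and `# yb-tservers`), so the StatefulSet pods run under the namespace's `default` ServiceAccount and there is no longer a way to bind a dedicated least-privilege account or one with `automountServiceAccountToken: false`; restore `{{- with $root.Values.master.serviceAccount }}serviceAccountName: {{ . }}{{- end }}` (and the tserver twin) unless the value is removed from values.yaml as well. The affinity block is now emitted as fixed `nodeAffinity`/`podAntiAffinity` keys followed by `toYaml` of `master.affinity` or `tserver.affinity`, so a user value containing its own `nodeAffinity` or `podAntiAffinity` key yields a duplicate mapping key under `affinity:`, which the removed merge logic avoided; either document that user affinity must not set those keys or merge as before. The `dnsConfig`/`dnsPolicy` pass-through is gone as well. This hunk spans several physical lines.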
@@ -382,20 +321,18 @@ spec: - name: YBDEVOPS_CORECOPY_DIR value: "/mnt/disk0/cores" {{- if eq .name "yb-masters" }} - {{- with $root.Values.master.extraEnv }}{{ toYaml . | nindent 8 }}{{- end }} - {{- $data := dict "secretenv" $root.Values.master.secretEnv "root" $root "suffix" "master"}} - {{- include "yugabyte.addenvsecrets" $data | nindent 8 }} + {{- with $root.Values.master.extraEnv }}{{ toYaml . | nindent 8 }}{{ end }} + {{- with $root.Values.master.secretEnv }}{{ toYaml . | nindent 8 }}{{ end }} {{- else }} - {{- with $root.Values.tserver.extraEnv }}{{ toYaml . | nindent 8 }}{{- end }} - {{- $data := dict "secretenv" $root.Values.tserver.secretEnv "root" $root "suffix" "tserver" }} - {{- include "yugabyte.addenvsecrets" $data | nindent 8 }} + {{- with $root.Values.tserver.extraEnv }}{{ toYaml . | nindent 8 }}{{ end }} + {{- with $root.Values.tserver.secretEnv }}{{ toYaml . | nindent 8 }}{{ end }} {{- end }} {{- if and $root.Values.tls.enabled $root.Values.tls.clientToServer (ne .name "yb-masters") }} - name: SSL_CERTFILE value: /root/.yugabytedb/root.crt {{- end }} resources: - {{- if eq .name "yb-masters" }} + {{ if eq .name "yb-masters" }} {{ toYaml $root.Values.resource.master | indent 10 }} {{ else }} {{ toYaml $root.Values.resource.tserver | indent 10 }} 
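Review bot: `secretEnv` is now passed through `toYaml` verbatim in the master and tserver branches, whereas the removed `yugabyte.addenvsecrets` helper consumed a non-standard `valueFrom.secretKeyRef.namespace` key and emitted a copied Secret; a values file written for that helper now puts `namespace:` straight into a container `env` entry, which strict field validation rejects and default validation silently drops, and the referenced Secret must now exist in the release namespace. Worth a comment at the `secretEnv` site in values.yaml (outside this diff), e.g. `# secretEnv entries are rendered as-is into the container env; the referenced Secret must live in the release namespace.`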
@@ -426,13 +363,10 @@ spec: {{- $rpcPreflight := include "yugabyte.preflight_check" (set $serviceValues "Preflight" $rpcDict) -}} {{- if $rpcPreflight -}}{{ $rpcPreflight | nindent 12 }}{{ end -}} {{- $broadcastAddr := include "yugabyte.server_broadcast_address" $serviceValues -}} - {{/* skip bind check for servicePerPod multi-cluster, we cannot/don't bind to service IP */}} - {{- if not $root.Values.multicluster.createServicePerPod }} - {{- $broadcastPort := index $service.ports "tcp-rpc-port" -}} - {{- $broadcastDict := dict "Addr" $broadcastAddr "Port" $broadcastPort -}} - {{- $broadcastPreflight := include "yugabyte.preflight_check" (set $serviceValues "Preflight" $broadcastDict) -}} - {{- if $broadcastPreflight -}}{{ $broadcastPreflight | nindent 12 }}{{ end -}} - {{- end }} + {{- $broadcastPort := index $service.ports "tcp-rpc-port" -}} + {{- $broadcastDict := dict "Addr" $broadcastAddr "Port" $broadcastPort -}} + {{- $broadcastPreflight := include "yugabyte.preflight_check" (set $serviceValues "Preflight" $broadcastDict) -}} + {{- if $broadcastPreflight -}}{{ $broadcastPreflight | nindent 12 }}{{ end -}} {{- $webserverAddr := include "yugabyte.webserver_interface" $serviceValues -}} {{- $webserverPort := index $service.ports "http-ui" -}} {{- $webserverDict := dict "Addr" $webserverAddr "Port" $webserverPort -}} 
@@ -443,25 +377,6 @@ spec: else k8s_parent="" fi && \ - {{- if and $root.Values.tls.enabled $root.Values.tls.certManager.enabled }} - echo "Creating ephemeral /opt/certs/yugabyte/ as symlink to persisted /mnt/disk0/certs/" && \ - mkdir -p /mnt/disk0/certs && \ - mkdir -p /opt/certs && \ - ln -s /mnt/disk0/certs /opt/certs/yugabyte && \ - if [[ ! -f /opt/certs/yugabyte/ca.crt ]]; then - echo "Fresh install of /opt/certs/yugabyte/ca.crt" - cp /home/yugabyte/cert-manager/ca.crt /opt/certs/yugabyte/ca.crt; - fi && \ - cmp -s /home/yugabyte/cert-manager/ca.crt /opt/certs/yugabyte/ca.crt;sameRootCA=$? && \ - if [[ $sameRootCA -eq 0 ]]; then - echo "Refreshing tls certs at /opt/certs/yugabyte/"; - cp /home/yugabyte/cert-manager/tls.crt /opt/certs/yugabyte/node.{{$rpcAddr}}.crt; - cp /home/yugabyte/cert-manager/tls.key /opt/certs/yugabyte/node.{{$rpcAddr}}.key; - chmod 600 /opt/certs/yugabyte/* - else - echo "WARNING: Not refreshing certificates as the root ca.crt has changed" - fi && \ - {{- end }} {{- if eq .name "yb-masters" }} exec ${k8s_parent} /home/yugabyte/bin/yb-master \ {{- if not $root.Values.storage.ephemeral }} @@ -565,18 +480,10 @@ spec: {{- end }} ports: {{- range $label, $port := .ports }} - {{- if not (eq $label "grpc-ybc-port") }} - containerPort: {{ $port }} name: {{ $label | quote }} - {{- end }} {{- end}} volumeMounts: - {{- if (eq .name "yb-tservers") }} - - name: tserver-tmp - mountPath: /tmp - {{- end }} - - name: debug-hooks-volume - mountPath: /opt/debug_hooks_config {{ if not $root.Values.storage.ephemeral }} {{- range $index := until (int ($storageInfo.count)) }} - name: {{ $root.Values.oldNamingStyle | ternary (printf "datadir%d" $index) (printf "%s%d" (include "yugabyte.volume_name" $root) $index) }} 
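Review bot: The startup script no longer copies cert-manager's `tls.crt`/`tls.key` into `/opt/certs/yugabyte/node.<addr>.crt|key`, and the `@@ -585,7 +492,7 @@` hunk on the next line mounts the certificate Secret directly at `/opt/certs/yugabyte`. Cert-manager writes `tls.crt`, `tls.key` and `ca.crt` into that Secret, while the file names the chart otherwise uses for server certificates are `node.<fqdn>.crt`/`node.<fqdn>.key` (see the `service.yaml` Secret hunk), so with `tls.certManager.enabled` the servers presumably find no node certificate in the mounted directory; either keep a copy/rename step or confirm the server accepts the cert-manager names. In the `@@ -565,18 +480,10 @@` hunk the `ports:` loop now declares every entry of `.ports` as a containerPort, including `grpc-ybc-port`, although the yb-controller container that listened on it is being removed; a declared port with no listener is harmless but misleading in the pod spec.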
@@ -585,7 +492,7 @@ spec: {{- end }} {{- if $root.Values.tls.enabled }} - name: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} - mountPath: {{ $root.Values.tls.certManager.enabled | ternary "/home/yugabyte/cert-manager" "/opt/certs/yugabyte" }} + mountPath: /opt/certs/yugabyte readOnly: true - name: {{ $root.Values.oldNamingStyle | ternary "yugabyte-tls-client-cert" (printf "%s-client-tls" (include "yugabyte.fullname" $root)) }} mountPath: /root/.yugabytedb/ 
@@ -626,78 +533,7 @@ spec: subPath: cores {{- end }} - {{- if and (eq .name "yb-tservers") ($root.Values.ybc.enabled) }} - - name: yb-controller - image: "{{ $root.Values.Image.repository }}:{{ $root.Values.Image.tag }}" - imagePullPolicy: {{ $root.Values.Image.pullPolicy }} - lifecycle: - postStart: - exec: - command: - - "bash" - - "-c" - - > - mkdir -p /mnt/disk0/yw-data/controller/tmp; - mkdir -p /mnt/disk0/yw-data/controller/conf; - mkdir -p /mnt/disk0/ybc-data/controller/logs; - mkdir -p /tmp/yugabyte/controller; - ln -sf /mnt/disk0/ybc-data/controller/logs /tmp/yugabyte/controller; - ln -sf /mnt/disk0/yw-data/controller/bin /tmp/yugabyte/controller; - rm -f /tmp/yugabyte/controller/yb-controller.pid; - {{- if and $root.Values.tls.enabled $root.Values.tls.certManager.enabled }} - mkdir -p /opt/certs; - ln -sf /mnt/disk0/certs /opt/certs/yugabyte; - {{- end }} - command: - - "/sbin/tini" - - "--" - args: - - "/bin/bash" - - "-c" - - > - while true; do - sleep 60; - /home/yugabyte/tools/k8s_ybc_parent.py status || /home/yugabyte/tools/k8s_ybc_parent.py start; - done - {{- with index $service.ports "grpc-ybc-port" }} - ports: - - containerPort: {{ . 
}} - name: "grpc-ybc-port" - {{- end }} - volumeMounts: - - name: tserver-tmp - mountPath: /tmp - {{- if not $root.Values.storage.ephemeral }} - {{- range $index := until (int ($storageInfo.count)) }} - - name: {{ $root.Values.oldNamingStyle | ternary (printf "datadir%d" $index) (printf "%s%d" (include "yugabyte.volume_name" $root) $index) }} - mountPath: /mnt/disk{{ $index }} - {{- end }} - {{- end }} - {{- if $root.Values.tls.enabled }} - - name: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} - mountPath: {{ $root.Values.tls.certManager.enabled | ternary "/home/yugabyte/cert-manager" "/opt/certs/yugabyte" }} - readOnly: true - {{- end }} - {{- if ($root.Values.tserver.extraVolumeMounts) -}} - {{- include "yugabyte.isExtraVolumesMappingExists" $root.Values.tserver -}} - {{- $root.Values.tserver.extraVolumeMounts | toYaml | nindent 10 -}} - {{- end -}} - {{- end}} - volumes: - {{- if (eq .name "yb-masters") }} - - name: debug-hooks-volume - configMap: - name: {{ include "yugabyte.fullname" $root }}-master-hooks - defaultMode: 0755 - {{- else if (eq .name "yb-tservers") }} - - name: debug-hooks-volume - configMap: - name: {{ include "yugabyte.fullname" $root }}-tserver-hooks - defaultMode: 0755 - - name: tserver-tmp - emptyDir: {} - {{- end }} {{ if not $root.Values.storage.ephemeral }} {{- range $index := until (int ($storageInfo.count)) }} - name: {{ $root.Values.oldNamingStyle | ternary (printf "datadir%d" $index) (printf "%s%d" (include "yugabyte.volume_name" $root) $index) }} 
@@ -706,24 +542,25 @@ spec: {{- end }} {{- end }} {{- if $root.Values.tls.enabled }} - {{- if $root.Values.tls.certManager.enabled }} - {{- /* certManager enabled */}} - - name: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} - projected: - sources: - {{- if not $root.Values.tls.certManager.bootstrapSelfsigned }} - - secret: - name: {{ printf "%s-root-ca" (include "yugabyte.fullname" $root) }} - {{- end }} - - secret: - name: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} - {{- else }} - {{/* certManager disabled */}} - name: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} secret: secretName: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} + {{- if $root.Values.tls.certManager.enabled }} + items: + {{- $replicas := (eq .name "yb-masters") | ternary $root.Values.replicas.master $root.Values.replicas.tserver -}} + {{- range $index := until ( int ( $replicas ) ) }} + {{- $nodeOldStyle := printf "%s-%d.%s.%s.svc.%s" $service.label $index $service.name $root.Release.Namespace $root.Values.domainName }} + {{- $nodeNewStyle := printf "%s-%s-%d.%s-%s.%s.svc.%s" (include "yugabyte.fullname" $root) $service.label $index (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace $root.Values.domainName }} + {{- $node := $root.Values.oldNamingStyle | ternary $nodeOldStyle $nodeNewStyle }} + - key: tls.crt + path: node.{{$node}}.crt + - key: tls.key + path: node.{{$node}}.key + {{- end }} + - key: ca.crt + path: ca.crt + {{- end }} defaultMode: 256 - {{- end }} - name: {{ $root.Values.oldNamingStyle | ternary "yugabyte-tls-client-cert" (printf 
"%s-client-tls" (include "yugabyte.fullname" $root)) }} secret: secretName: {{ $root.Values.oldNamingStyle | ternary "yugabyte-tls-client-cert" (printf "%s-client-tls" (include "yugabyte.fullname" $root)) }} diff --git a/charts/yugabyte/yugabyte/values.yaml b/charts/yugabyte/yugabyte/values.yaml index 85fe60a54..bed2222da 100644 --- a/charts/yugabyte/yugabyte/values.yaml +++ b/charts/yugabyte/yugabyte/values.yaml @@ -2,15 +2,10 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. Component: "yugabytedb" - -fullnameOverride: "" -nameOverride: "" - Image: repository: "yugabytedb/yugabyte" - tag: 2.18.5.1-b1 + tag: 2.14.15.0-b57 pullPolicy: IfNotPresent - pullSecretName: "" storage: ephemeral: false # will not allocate PVs when true @@ -26,38 +21,27 @@ storage: resource: master: requests: - cpu: "2" + cpu: 2 memory: 2Gi limits: - cpu: "2" + cpu: 2 memory: 2Gi tserver: requests: - cpu: "2" + cpu: 2 memory: 4Gi limits: - cpu: "2" + cpu: 2 memory: 4Gi replicas: master: 3 tserver: 3 - ## Used to set replication factor when isMultiAz is set to true - totalMasters: 3 partition: master: 0 tserver: 0 -# Used in Multi-AZ setup -masterAddresses: "" - -isMultiAz: false -AZ: "" - -# Disable the YSQL -disableYsql: false - tls: # Set to true to enable the TLS. enabled: false 
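Review bot: The new `items:` block under `{{- if $root.Values.tls.certManager.enabled }}` projects the same `tls.crt`/`tls.key` once per replica FQDN without saying why, and the enclosing `volumes:` list begins outside the hunk. A template comment above the `range` would spare the next reader a trip through the pod command, e.g. `{{- /* cert-manager issues one tls.crt/tls.key per StatefulSet; project it under every pod FQDN so node.<fqdn>.crt/.key exist under the secret mount */ -}}`. Because the loop is bounded by `until (int $replicas)` with `$replicas` taken from `replicas.master`/`replicas.tserver`, a pod created by scaling the StatefulSet past that value gets no `node.<fqdn>.*` entry until the release is upgraded; that limitation belongs in the comment or in values.yaml. The unchanged `defaultMode: 256` is decimal for 0400 and is easy to misread as an octal 0256, so a `# 0400` beside it would help.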
@@ -68,33 +52,25 @@ tls: # Set enabled to true to use cert-manager instead of providing your own rootCA certManager: enabled: false - # Will create own ca certificate and issuer when set to true - bootstrapSelfsigned: true - # Use ClusterIssuer when set to true, otherwise use Issuer + # Will create own ca certificate and issuer when set to false useClusterIssuer: false - # Name of ClusterIssuer to use when useClusterIssuer is true + # ignored when useClusterIssuer is false clusterIssuer: cluster-ca - # Name of Issuer to use when useClusterIssuer is false - issuer: yugabyte-ca certificates: # The lifetime before cert-manager will issue a new certificate. # The re-issued certificates will not be automatically reloaded by the service. # It is necessary to provide some external means of restarting the pods. duration: 2160h # 90d renewBefore: 360h # 15d - algorithm: RSA # ECDSA or RSA - # Can be 2048, 4096 or 8192 for RSA + algorithm: ECDSA # ECDSA or RSA + # Can be 2046, 4096 or 8192 for RSA # Or 256, 384 or 521 for ECDSA - keySize: 2048 + keySize: 521 - ## When certManager.enabled=false, rootCA.cert and rootCA.key are used to generate TLS certs. - ## When certManager.enabled=true and boostrapSelfsigned=true, rootCA is ignored. - ## When certManager.enabled=true and bootstrapSelfsigned=false, only rootCA.cert is used - ## to verify TLS certs generated and signed by the external provider. + # Will be ignored when certManager.enabled=true rootCA: cert: "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" key: "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" - ## When tls.certManager.enabled=false ## nodeCert and clientCert will be used only when rootCA.key is empty. ## Will be ignored and genSignedCert will be used to generate ## node and client certs if rootCA.key is provided. 
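Review bot: The added comment `# Can be 2046, 4096 or 8192 for RSA` introduces a typo; 2046 is not an RSA size the chart or cert-manager accepts, so it should read `# Can be 2048, 4096 or 8192 for RSA`. The comment now sitting above `useClusterIssuer: false`, `# Will create own ca certificate and issuer when set to false`, reads like the description of the removed `bootstrapSelfsigned` key rather than of issuer selection; if the older templates really do create a self-signed CA and Issuer when `useClusterIssuer` is false, say that in one line, e.g. `# false: chart creates its own self-signed CA and Issuer; true: use the ClusterIssuer named below`. Likewise `# ignored when useClusterIssuer is false` above `clusterIssuer` should name what is used instead so an operator does not assume an external issuer is still in play.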
@@ -109,38 +85,33 @@ tls: gflags: master: default_memory_limit_to_ram_ratio: 0.85 - tserver: {} +# tserver: # use_cassandra_authentication: false PodManagementPolicy: Parallel enableLoadBalancer: true -ybc: - enabled: false +isMultiAz: false domainName: "cluster.local" serviceEndpoints: - name: "yb-master-ui" type: LoadBalancer - annotations: {} - clusterIP: "" ## Sets the Service's externalTrafficPolicy - externalTrafficPolicy: "" + # externalTrafficPolicy: "" app: "yb-master" - loadBalancerIP: "" + # loadBalancerIP: "" ports: http-ui: "7000" - name: "yb-tserver-service" type: LoadBalancer - annotations: {} - clusterIP: "" ## Sets the Service's externalTrafficPolicy - externalTrafficPolicy: "" + # externalTrafficPolicy: "" app: "yb-tserver" - loadBalancerIP: "" + # loadBalancerIP: "" ports: tcp-yql-port: "9042" tcp-yedis-port: "6379" @@ -167,11 +138,8 @@ Services: http-ycql-met: "12000" http-yedis-met: "11000" http-ysql-met: "13000" - grpc-ybc-port: "18018" - -## Should be set to true only if Istio is being used. This also adds -## the Istio sidecar injection labels to the pods. +## Should be set to true only if Istio is being used. ## TODO: remove this once ## https://github.com/yugabyte/yugabyte-db/issues/5641 is fixed. ## 
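Review bot: Replacing `tserver: {}` with the commented-out `# tserver:` leaves `gflags.tserver` undefined rather than an empty map, and the templates that consume it are outside this diff. A `range` over nil renders nothing, but any `len`, `index` or `toYaml` on `.Values.gflags.tserver` may behave differently from the empty-map case, so this is worth a render check with default values. Keeping `tserver: {}` as the explicit default and moving the example under it, `tserver: {}` / `# tserver:` / `#   use_cassandra_authentication: false`, keeps the previous contract while preserving the example.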
@@ -188,22 +156,6 @@ multicluster: ## failover. Useful when using new naming style. createCommonTserverService: false - ## Enable it to deploy YugabyteDB in a multi-cluster services enabled - ## Kubernetes cluster (KEP-1645). This will create ServiceExport. - ## GKE Ref - https://cloud.google.com/kubernetes-engine/docs/how-to/multi-cluster-services#registering_a_service_for_export - ## You can use this gist for the reference to deploy the YugabyteDB in a multi-cluster scenario. - ## Gist - https://gist.github.com/baba230896/78cc9bb6f4ba0b3d0e611cd49ed201bf - createServiceExports: false - - ## Mandatory variable when createServiceExports is set to true. - ## Use: In case of GKE, you need to pass GKE Hub Membership Name. - ## GKE Ref - https://cloud.google.com/kubernetes-engine/docs/how-to/multi-cluster-services#enabling - kubernetesClusterId: "" - - ## mcsApiVersion is used for the MCS resources created by the - ## chart. Set to net.gke.io/v1 when using GKE MCS. - mcsApiVersion: "multicluster.x-k8s.io/v1alpha1" - serviceMonitor: ## If true, two ServiceMonitor CRs are created. One for yb-master ## and one for yb-tserver 
@@ -279,37 +231,9 @@ affinity: {} statefulSetAnnotations: {} -networkAnnotation: {} - -commonLabels: {} - -## @param dnsPolicy DNS Policy for pod -## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ -## E.g. -## dnsPolicy: ClusterFirst -dnsPolicy: "" -## @param dnsConfig DNS Configuration pod -## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ -## E.g. -## dnsConfig: -## options: -## - name: ndots -## value: "4" -dnsConfig: {} - - master: ## Ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#affinity-v1-core ## This might override the default affinity from service.yaml - # To successfully merge, we need to follow rules for merging nodeSelectorTerms that kubernentes - # has. Each new node selector term is ORed together, and each match expression or match field in - # a single selector is ANDed together. - # This means, if a pod needs to be scheduled on a label 'custom_label_1' with a value - # 'custom_value_1', we need to add this 'subterm' to each of our pre-defined node affinity - # terms. - # - # Pod anti affinity is a simpler merge. Each term is applied separately, and the weight is tracked. - # The pod that achieves the highest weight is selected. ## Example. # affinity: # podAntiAffinity: @@ -321,8 +245,6 @@ master: # values: # - "yb-master" # topologyKey: kubernetes.io/hostname - # - # For further examples, see examples/yugabyte/affinity_overrides.yaml affinity: {} ## Extra environment variables passed to the Master pods. 
@@ -379,23 +301,10 @@ master: # mountPath: /home/yugabyte/nfs-backup extraVolumeMounts: [] - ## Set service account for master DB pods. The service account - ## should exist in the namespace where the master DB pods are brought up. - serviceAccount: "" - tserver: ## Ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#affinity-v1-core ## This might override the default affinity from service.yaml - # To successfully merge, we need to follow rules for merging nodeSelectorTerms that kubernentes - # has. Each new node selector term is ORed together, and each match expression or match field in - # a single selector is ANDed together. - # This means, if a pod needs to be scheduled on a label 'custom_label_1' with a value - # 'custom_value_1', we need to add this 'subterm' to each of our pre-defined node affinity - # terms. - # - # Pod anti affinity is a simpler merge. Each term is applied separately, and the weight is tracked. - # The pod that achieves the highest weight is selected. ## Example. # affinity: # podAntiAffinity: @@ -407,7 +316,6 @@ tserver: # values: # - "yb-tserver" # topologyKey: kubernetes.io/hostname - # For further examples, see examples/yugabyte/affinity_overrides.yaml affinity: {} ## Extra environment variables passed to the TServer pods. @@ -420,16 +328,13 @@ tserver: # fieldPath: status.hostIP extraEnv: [] - ## secretEnv variables are used to expose secrets data as env variables in the tserver pods. - ## If namespace field is not specified we assume that user already - ## created the secret in the same namespace as DB pods. - ## Example + # secretEnv variables are used to expose secrets data as env variables in the tserver pods. + # TODO Add namespace also to support copying secrets from other namespace. # secretEnv: # - name: MYSQL_LDAP_PASSWORD # valueFrom: # secretKeyRef: # name: secretName - # namespace: my-other-namespace-with-ldap-secret # key: password secretEnv: [] 
@@ -472,10 +377,6 @@ tserver: # path: /home/yugabyte/nfs-backup extraVolumeMounts: [] - ## Set service account for tserver DB pods. The service account - ## should exist in the namespace where the tserver DB pods are brought up. - serviceAccount: "" - helm2Legacy: false ip_version_support: "v4_only" # v4_only, v6_only are the only supported values at the moment diff --git a/charts/yugabyte/yugaware/Chart.yaml b/charts/yugabyte/yugaware/Chart.yaml index c3dc85517..62bdc3625 100644 --- a/charts/yugabyte/yugaware/Chart.yaml +++ b/charts/yugabyte/yugaware/Chart.yaml @@ -3,20 +3,15 @@ annotations: catalog.cattle.io/display-name: YugabyteDB Anywhere catalog.cattle.io/kube-version: '>=1.18-0' catalog.cattle.io/release-name: yugaware - charts.openshift.io/name: yugaware -apiVersion: v2 -appVersion: 2.18.5.1-b1 -description: YugabyteDB Anywhere provides deployment, orchestration, and monitoring - for managing YugabyteDB clusters. YugabyteDB Anywhere can create a YugabyteDB cluster - with multiple pods provided by Kubernetes or OpenShift and logically grouped together - to form one logical distributed database. +apiVersion: v1 +appVersion: 2.14.15.0-b57 +description: YugaWare is YugaByte Database's Orchestration and Management console. home: https://www.yugabyte.com icon: https://avatars0.githubusercontent.com/u/17074854?s=200&v=4 -kubeVersion: '>=1.18-0' maintainers: -- email: sanketh@yugabyte.com - name: Sanketh Indarapu -- email: gjalla@yugabyte.com - name: Govardhan Reddy Jalla +- email: ram@yugabyte.com + name: Ram Sri +- email: arnav@yugabyte.com + name: Arnav Agarwal name: yugaware -version: 2.18.5 +version: 2.14.15 diff --git a/charts/yugabyte/yugaware/README.md b/charts/yugabyte/yugaware/README.md index 0d190c0be..fa27ce3e0 100644 --- a/charts/yugabyte/yugaware/README.md +++ b/charts/yugabyte/yugaware/README.md 
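Review bot: The Chart.yaml hunk drops `kubeVersion: '>=1.18-0'` while the catalog annotation `catalog.cattle.io/kube-version: '>=1.18-0'` stays, so Helm itself no longer refuses installs on older clusters and only the catalog UI sees the constraint; if the v1 `apiVersion` is deliberate, the constraint should at least be stated in the README or chart description. The chart `version` moves from `2.18.5` to `2.14.15` and `appVersion` from `2.18.5.1-b1` to `2.14.15.0-b57`, which a repository index will sort as an older release; presumably this is a deliberate rollback, and the commit description should say so since nothing in the hunk does.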
@@ -1,7 +1,5 @@ YugabyteDB Anywhere gives you the simplicity and support to deliver a private database-as-a-service (DBaaS) at scale. Use YugabyteDB Anywhere to deploy YugabyteDB across any cloud anywhere in the world with a few clicks, simplify day 2 operations through automation, and get the services needed to realize business outcomes with the database. -YugabyteDB Anywhere can be deployed using this Helm chart. Detailed documentation is available at: -- [Install YugabyteDB Anywhere software - Kubernetes](https://docs.yugabyte.com/preview/yugabyte-platform/install-yugabyte-platform/install-software/kubernetes/) -- [Install YugabyteDB Anywhere software - OpenShift (Helm based)](https://docs.yugabyte.com/preview/yugabyte-platform/install-yugabyte-platform/install-software/openshift/#helm-based-installation) +YugabyteDB Anywhere can be deployed using this helm chart. Detailed documentation is available at [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/yugabyte)](https://artifacthub.io/packages/search?repo=yugabyte) diff --git a/charts/yugabyte/yugaware/openshift.values.yaml b/charts/yugabyte/yugaware/openshift.values.yaml deleted file mode 100644 index f156a5535..000000000 --- a/charts/yugabyte/yugaware/openshift.values.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# OCP compatible values for yugaware - -image: - - repository: quay.io/yugabyte/yugaware-ubi - - postgres: - registry: registry.redhat.io - tag: 1-88.1661531722 - name: rhscl/postgresql-13-rhel7 - - prometheus: - registry: registry.redhat.io - tag: v4.11.0 - name: openshift4/ose-prometheus - - nginx: - registry: registry.access.redhat.com - tag: 1-60.1665590917 - name: ubi8/nginx-120 - -rbac: - create: false - -ocpCompatibility: - enabled: true - -securityContext: - enabled: false diff --git a/charts/yugabyte/yugaware/questions.yaml b/charts/yugabyte/yugaware/questions.yaml index 904b9cf75..11378b60c 100644 --- a/charts/yugabyte/yugaware/questions.yaml 
+++ b/charts/yugabyte/yugaware/questions.yaml @@ -15,7 +15,7 @@ questions: label: Yugabyte Platform image repository description: "Yugabyte Platform image repository" - variable: image.tag - default: "2.5.1.0-b153" + default: "2.14.1.0-b36" required: false type: string label: Yugabyte Platform image tag @@ -227,50 +227,6 @@ questions: type: string label: Retention Time description: "Retention Time" - - variable: questions.defaultNginx - default: true - description: "Default Nginx configurations" - label: Default nginx configurations - type: boolean - show_subquestion_if: false - group: "Nginx" - subquestions: - - variable: image.nginx.registry - default: "" - required: false - type: string - label: Nginx image registry - description: "Nginx image registry" - - variable: image.nginx.tag - default: "1.17.4-amd64" - required: false - type: string - label: Nginx image tag - description: "Nginx image tag" - - variable: image.nginx.name - default: "nginxinc/nginx-unprivileged" - required: false - type: string - label: Nginx image name - description: "Nginx image name" - - variable: nginx.resources.requests.cpu - default: "0.25" - required: false - type: string - label: CPU request for Nginx - description: "CPU request for Nginx" - - variable: nginx.resources.requests.memory - default: "300Mi" - required: false - type: string - label: Memory request for Nginx - description: "Memory request for Nginx" - - variable: nginx.workerConnections - default: 1024 - required: false - type: int - label: Nginx worker connections - description: "Nginx worker connections" - variable: securityContext.enabled default: false description: "Enable Security Context" diff --git a/charts/yugabyte/yugaware/templates/_default_values.tpl b/charts/yugabyte/yugaware/templates/_default_values.tpl deleted file mode 100644 index 95ccbdb47..000000000 --- a/charts/yugabyte/yugaware/templates/_default_values.tpl +++ /dev/null 
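Review bot: The new default for `image.tag` in questions.yaml, `default: "2.14.1.0-b36"`, does not match the `appVersion: 2.14.15.0-b57` set in the same chart's Chart.yaml in this commit, so a Rancher-driven install would pull a different YugabyteDB Anywhere image than a plain `helm install` of the chart. Unless the divergence is intentional, change the line to `default: "2.14.15.0-b57"`. The second hunk removes the Nginx questions, which is consistent with the nginx ConfigMaps being removed elsewhere in the diff.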
@@ -1,18 +0,0 @@ -{{/* - The usage of helm upgrade [RELEASE] [CHART] --reuse-values --set [variable]:[value] throws an - error in the event that new entries are inserted to the values chart. - - This is because reuse-values flag uses the values from the last release. If --set (/--set-file/ - --set-string/--values/-f) is applied with the reuse-values flag, the values from the last - release are overridden for those variables alone, and newer changes to the chart are - unacknowledged. - - https://medium.com/@kcatstack/understand-helm-upgrade-flags-reset-values-reuse-values-6e58ac8f127e - - To prevent errors while applying upgrade with --reuse-values and --set flags after introducing - new variables, default values can be specified in this file. -*/}} - -{{- define "get_nginx_proxyReadTimeoutSec" -}} - {{ .Values.nginx.proxyReadTimeoutSec | default 600 }} -{{- end -}} diff --git a/charts/yugabyte/yugaware/templates/_helpers.tpl b/charts/yugabyte/yugaware/templates/_helpers.tpl index a38257a7a..329dba6ce 100644 --- a/charts/yugabyte/yugaware/templates/_helpers.tpl +++ b/charts/yugabyte/yugaware/templates/_helpers.tpl @@ -69,18 +69,6 @@ In both cases, image.tag can be used to customize the tag of the yugaware image. {{- printf "%s:%s" $specific_registry $specific_tag -}} {{- end -}} -{{/* -Validate Nginx SSL protocols -*/}} -{{- define "validate_nginx_ssl_protocols" -}} - {{- $sslProtocolsRegex := `^((TLSv(1|1\.[1-3]))(?: ){0,1}){1,4}$` -}} - {{- if not (regexMatch $sslProtocolsRegex .Values.tls.sslProtocols) -}} - {{- fail (cat "Please specify valid tls.sslProtocols, must match regex:" $sslProtocolsRegex) -}} - {{- else -}} - {{- .Values.tls.sslProtocols -}} - {{- end -}} -{{- end -}} - {{/* Get or generate PG password Source - https://github.com/helm/charts/issues/5167#issuecomment-843962731 
@@ -181,57 +169,6 @@ server.pem: {{ $serverPemContent }} {{- end -}} {{- end -}} -{{/* -Check export of nss_wrapper environment variables required -*/}} -{{- define "checkNssWrapperExportRequired" -}} - {{- if .Values.securityContext.enabled -}} - {{- if and (ne (int .Values.securityContext.runAsUser) 0) (ne (int .Values.securityContext.runAsUser) 10001) -}} - {{- printf "true" -}} - {{- end -}} - {{- else -}} - {{- printf "false" -}} - {{- end -}} -{{- end -}} - - -{{/* - Verify the extraVolumes and extraVolumeMounts mappings. - Every extraVolumes should have extraVolumeMounts -*/}} -{{- define "yugaware.isExtraVolumesMappingExists" -}} - {{- $lenExtraVolumes := len .extraVolumes -}} - {{- $lenExtraVolumeMounts := len .extraVolumeMounts -}} - - {{- if and (eq $lenExtraVolumeMounts 0) (gt $lenExtraVolumes 0) -}} - {{- fail "You have not provided the extraVolumeMounts for extraVolumes." -}} - {{- else if and (eq $lenExtraVolumes 0) (gt $lenExtraVolumeMounts 0) -}} - {{- fail "You have not provided the extraVolumes for extraVolumeMounts." -}} - {{- else if and (gt $lenExtraVolumes 0) (gt $lenExtraVolumeMounts 0) -}} - {{- $volumeMountsList := list -}} - {{- range .extraVolumeMounts -}} - {{- $volumeMountsList = append $volumeMountsList .name -}} - {{- end -}} - - {{- $volumesList := list -}} - {{- range .extraVolumes -}} - {{- $volumesList = append $volumesList .name -}} - {{- end -}} - - {{- range $volumesList -}} - {{- if not (has . $volumeMountsList) -}} - {{- fail (printf "You have not provided the extraVolumeMounts for extraVolume %s" .) -}} - {{- end -}} - {{- end -}} - - {{- range $volumeMountsList -}} - {{- if not (has . $volumesList) -}} - {{- fail (printf "You have not provided the extraVolumes for extraVolumeMounts %s" .) -}} - {{- end -}} - {{- end -}} - {{- end -}} -{{- end -}} - {{/* Make list of custom http headers */}} @@ -246,4 +183,4 @@ Make list of custom http headers {{- end -}} {{- end -}} ] -{{- end -}} \ No newline at end of file +{{- end -}} 
diff --git a/charts/yugabyte/yugaware/templates/certificates.yaml b/charts/yugabyte/yugaware/templates/certificates.yaml deleted file mode 100644 index ff4b7021a..000000000 --- a/charts/yugabyte/yugaware/templates/certificates.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -# Copyright (c) YugaByte, Inc. - -{{- $root := . }} -{{- $tls := $root.Values.tls }} -{{- if and $tls.enabled $tls.certManager.enabled }} -{{- if $tls.certManager.genSelfsigned }} -{{- if $tls.certManager.useClusterIssuer }} ---- -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: {{ $root.Release.Name }}-yugaware-cluster-issuer -spec: - selfSigned: {} -{{- else }} # useClusterIssuer=false ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: {{ $root.Release.Name }}-yugaware-issuer - namespace: {{ $root.Release.Namespace }} -spec: - selfSigned: {} ---- -{{- end }} # useClusterIssuer ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ $root.Release.Name }}-yugaware-ui-root-ca - namespace: {{ $root.Release.Namespace }} -spec: - isCA: true - commonName: Yugaware self signed CA - secretName: {{ .Release.Name }}-yugaware-root-ca - secretTemplate: - labels: - app: "{{ template "yugaware.name" . }}" - chart: "{{ template "yugaware.chart" . 
}}" - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} - duration: {{ $tls.certManager.configuration.duration | quote }} - renewBefore: {{ $tls.certManager.configuration.renewBefore | quote }} - privateKey: - algorithm: {{ $tls.certManager.configuration.algorithm | quote }} - encoding: PKCS8 - size: {{ $tls.certManager.configuration.keySize }} - rotationPolicy: Always - issuerRef: - {{- if $tls.certManager.useClusterIssuer }} - name: {{ $root.Release.Name }}-yugaware-cluster-issuer - kind: ClusterIssuer - {{- else }} - name: {{ $root.Release.Name }}-yugaware-issuer - kind: Issuer - {{- end }} ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: {{ $root.Release.Name }}-yugaware-ca-issuer - namespace: {{ $root.Release.Namespace }} -spec: - ca: - secretName: {{ .Release.Name }}-yugaware-root-ca ---- -{{- end }} # genSelfsigned ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ $root.Release.Name }}-yugaware-ui-tls - namespace: {{ $root.Release.Namespace }} -spec: - isCA: false - commonName: {{ $tls.hostname }} - secretName: {{ .Release.Name }}-yugaware-tls-cert - secretTemplate: - labels: - app: "{{ template "yugaware.name" . }}" - chart: "{{ template "yugaware.chart" . 
}}" - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} - duration: {{ $tls.certManager.configuration.duration | quote }} - renewBefore: {{ $tls.certManager.configuration.renewBefore | quote }} - privateKey: - algorithm: {{ $tls.certManager.configuration.algorithm | quote }} - encoding: PKCS8 - size: {{ $tls.certManager.configuration.keySize }} - rotationPolicy: Always - issuerRef: - name: {{ $tls.certManager.genSelfsigned | ternary (printf "%s%s" $root.Release.Name "-yugaware-ca-issuer") ($tls.certManager.useClusterIssuer | ternary $tls.certManager.clusterIssuer $tls.certManager.issuer) }} - {{- if $tls.certManager.useClusterIssuer }} - kind: ClusterIssuer - {{- else }} - kind: Issuer - {{- end }} ---- -{{- end }} diff --git a/charts/yugabyte/yugaware/templates/configs.yaml b/charts/yugabyte/yugaware/templates/configs.yaml index ac295599e..932effddd 100644 --- a/charts/yugabyte/yugaware/templates/configs.yaml +++ b/charts/yugabyte/yugaware/templates/configs.yaml 
@@ -31,34 +31,30 @@ data: log.override.path = "/opt/yugabyte/yugaware/data/logs" db { - default.dbname=${POSTGRES_DB} {{ if .Values.postgres.external.host }} default.host="{{ .Values.postgres.external.host }}" default.port={{ .Values.postgres.external.port }} + default.url="jdbc:postgresql://"${db.default.host}":"${db.default.port}"/"${POSTGRES_DB}${db.default.params} {{ else if eq .Values.ip_version_support "v6_only" }} - default.host="[::1]" + default.host="::1" + default.url="jdbc:postgresql://[::1]:"${db.default.port}"/"${POSTGRES_DB}${db.default.params} {{ else }} default.host="127.0.0.1" + default.url="jdbc:postgresql://127.0.0.1:"${db.default.port}"/"${POSTGRES_DB}${db.default.params} {{ end }} - default.url="jdbc:postgresql://"${db.default.host}":"${db.default.port}"/"${db.default.dbname}${db.default.params} default.params="{{ .Values.jdbcParams }}" + default.driver=org.postgresql.Driver default.username=${POSTGRES_USER} default.password=${POSTGRES_PASSWORD} - {{ if .Values.yugaware.cloud.enabled }} - perf_advisor.driver="org.hsqldb.jdbc.JDBCDriver" - perf_advisor.url="jdbc:hsqldb:mem:perf-advisor" - perf_advisor.createDatabaseIfMissing=false - perf_advisor.username="sa" - perf_advisor.password="sa" - perf_advisor.migration.auto=false - perf_advisor.migration.disabled=true - {{ else }} - perf_advisor.url="jdbc:postgresql://"${db.default.host}":"${db.default.port}"/"${db.perf_advisor.dbname}${db.default.params} - perf_advisor.createDatabaseUrl="jdbc:postgresql://"${db.default.host}":"${db.default.port}"/"${db.default.dbname}${db.default.params} - {{ end }} + default.logStatements=true + default.migration.initOnMigrate=true + default.migration.auto=true + } + ebean { + default = ["com.yugabyte.yw.models.*"] } - {{- if and (not .Values.useNginxProxy) (.Values.tls.enabled) }} + {{- if .Values.tls.enabled }} https.port = 9443 play.server.https.keyStore { path = /opt/certs/server.pem 
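Review bot: The added `default.logStatements=true` turns on SQL statement logging unconditionally in the rendered application config, and the surrounding config block continues outside the hunk. Statement logs can carry parameter values that this application stores in its tables, so the setting deserves to be driven by a value rather than hard-coded; for example `default.logStatements={{ .Values.yugaware.logSqlStatements | default false }}` with the key documented in values.yaml (the exact value name is a placeholder to be chosen). Note also that the `[::1]` branch now hard-codes the host into `default.url` while `default.host="::1"` is set separately, so the two can silently diverge if one is edited later; a comment such as `# default.url must be kept in step with default.host/default.port above` would help.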
@@ -144,24 +140,7 @@ data: {{- range $key, $value := .Values.additionalAppConf.nonStringConf }} {{ $key }} = {{ $value }} {{- end }} -{{- if and .Values.tls.enabled (not .Values.tls.certManager.enabled) }} -{{- if .Values.useNginxProxy }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Release.Name }}-yugaware-tls-cert - labels: - app: "{{ template "yugaware.name" . }}" - chart: "{{ template "yugaware.chart" . }}" - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -type: Opaque -data: -{{- include "getOrCreateServerCert" (dict "Namespace" .Release.Namespace "Root" . "Name" (printf "%s%s" .Release.Name "-yugaware-tls-cert")) | nindent 2 }} -{{- end }} - -{{ if not .Values.useNginxProxy }} +{{- if .Values.tls.enabled }} --- apiVersion: v1 kind: Secret 
@@ -175,70 +154,11 @@ metadata: type: Opaque data: {{- include "getOrCreateServerPem" (dict "Namespace" .Release.Namespace "Root" . "Name" (printf "%s%s" .Release.Name "-yugaware-tls-pem")) | nindent 2 }} -{{ end }} {{- end }} -{{- if .Values.useNginxProxy }} --- apiVersion: v1 kind: ConfigMap -metadata: - name: {{ .Release.Name }}-yugaware-nginx-config - labels: - app: {{ template "yugaware.name" . }} - chart: {{ template "yugaware.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Values.helm2Legacy | ternary "Tiller" (.Release.Service | quote) }} -data: - default.conf: | -{{- if .Values.tls.enabled }} - # Ref: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/ - server { - listen {{ eq .Values.ip_version_support "v6_only" | ternary "[::]:8080" "8080" }}; - server_name {{ .Values.tls.hostname }}; - return 301 https://$host$request_uri; - } -{{- end }} - - server { -{{- if .Values.tls.enabled }} - listen 8443 ssl; - ssl_certificate /opt/certs/server.crt; - ssl_certificate_key /opt/certs/server.key; -{{- if .Values.tls.sslProtocols }} - ssl_protocols {{ include "validate_nginx_ssl_protocols" . 
}}; -{{- end }} - server_name {{ .Values.tls.hostname }}; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; -{{- else }} - listen {{ eq .Values.ip_version_support "v6_only" | ternary "[::]:8080" "8080" }}; - server_name {{ .Values.tls.hostname }}; -{{- end }} - proxy_http_version 1.1; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $host; - - location / { - proxy_pass http://{{ eq .Values.ip_version_support "v6_only" | ternary "[::1]" "127.0.0.1" }}:9000; - } -{{- if .Values.nginx.db_node_proxy_enabled }} - location ~ "^/universes/.+/proxy/(?!(169.254.|127.))(.+):(7000|9000|9300|12000|13000)/(metrics|prometheus-metrics)$" { - proxy_pass "http://$2:$3/$4$is_args$args"; - } -{{- end }} - - location ~ /settings/ha/internal/upload$ { - proxy_pass http://{{ eq .Values.ip_version_support "v6_only" | ternary "[::1]" "127.0.0.1" }}:9000; - client_max_body_size {{ .Values.nginx.upload_size }}; - } - } -{{ end }} ---- -{{- if not (and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io")) }} -apiVersion: v1 -kind: ConfigMap metadata: name: {{ .Release.Name }}-yugaware-pg-upgrade labels: 
@@ -262,75 +182,7 @@ data: docker-upgrade pg_upgrade | tee -a /pg_upgrade_logs/pg_upgrade_11_to_14.log; echo "host all all all scram-sha-256" >> "${PGDATANEW}/pg_hba.conf"; fi -{{- end }} -{{- if .Values.securityContext.enabled }} ---- -apiVersion: "v1" -kind: ConfigMap -metadata: - name: {{ .Release.Name }}-yugaware-pg-prerun - labels: - app: {{ template "yugaware.name" . }} - chart: {{ template "yugaware.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Values.helm2Legacy | ternary "Tiller" (.Release.Service | quote) }} -data: - pg-prerun.sh: | - #!/bin/bash - set -x -o errexit - mkdir -p $PGDATA && chown -R $PG_UID:$PG_GID $PGDATA; -{{- end }} -{{- if .Values.useNginxProxy }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Release.Name }}-yugaware-nginx-main-config - labels: - app: {{ template "yugaware.name" . }} - chart: {{ template "yugaware.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Values.helm2Legacy | ternary "Tiller" (.Release.Service | quote) }} -data: - nginx.conf: | - worker_processes 1; - - error_log /var/log/nginx/error.log warn; - pid /tmp/nginx.pid; - - events { - worker_connections {{ .Values.nginx.workerConnections }}; - } - - http { - proxy_temp_path /tmp/proxy_temp; - client_body_temp_path /tmp/client_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - - proxy_read_timeout {{ template "get_nginx_proxyReadTimeoutSec" . }}; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - #gzip on; - - include /etc/nginx/conf.d/*.conf; - } -{{- end }} {{- if .Values.prometheus.remoteWrite.tls.enabled }} --- apiVersion: v1 
@@ -400,11 +252,7 @@ data: - 'container_cpu_usage_seconds_total{pod=~"(.*)yb-(.*)"}' - 'container_memory_working_set_bytes{pod=~"(.*)yb-(.*)"}' # kube-state-metrics - # Supports >= OCP v4.4 - # OCP v4.4 has upgraded the KSM from 1.8.0 to 1.9.5. - # https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-release-notes.html#ocp-4-4-cluster-monitoring-version-updates - # - 'kube_pod_container_resource_requests_cpu_cores{pod=~"(.*)yb-(.*)"}' - - 'kube_pod_container_resource_requests{pod=~"(.*)yb-(.*)", unit="core"}' + - 'kube_pod_container_resource_requests_cpu_cores{pod=~"(.*)yb-(.*)"}' static_configs: - targets: @@ -424,12 +272,6 @@ data: regex: "(.*)" target_label: "container_name" replacement: "$1" - # rename new name of the CPU metric to the old name and label - # ref: https://github.com/kubernetes/kube-state-metrics/blob/master/CHANGELOG.md#v200-alpha--2020-09-16 - - source_labels: ["__name__", "unit"] - regex: "kube_pod_container_resource_requests;core" - target_label: "__name__" - replacement: "kube_pod_container_resource_requests_cpu_cores" {{- else }} @@ -480,8 +322,8 @@ data: - targets: ['kube-state-metrics.kube-system.svc.{{.Values.domainName}}:8080'] metric_relabel_configs: # Only keep the metrics which we care about - - source_labels: ["__name__", "unit"] - regex: "kube_pod_container_resource_requests;core" + - source_labels: ["__name__"] + regex: "kube_pod_container_resource_requests_cpu_cores" action: keep # Save the name of the metric so we can group_by since we cannot by __name__ directly... - source_labels: ["__name__"] 
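Review bot: The `keep` relabel now matches only `kube_pod_container_resource_requests_cpu_cores` (second and third hunks), which is the pre-2.0 kube-state-metrics name; the removed comment's changelog reference indicates that from KSM 2.0 the series is `kube_pod_container_resource_requests{unit="core"}`, so on such clusters CPU-request metrics vanish without any scrape error. If only older KSM is supported now, that constraint should be stated on the scrape config: `# expects kube-state-metrics < 2.0 (CPU request metric was renamed in 2.0)`. Otherwise the scrape config needs to accept both names. The `kubernetes-pods`/`kube-state-metrics` job definitions these relabels belong to start outside the hunks.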
@@ -500,16 +342,6 @@ data: - source_labels: ["pod_name"] regex: "(.*)yb-(.*)" action: keep - # rename new name of the CPU metric to the old name and label - # ref: https://github.com/kubernetes/kube-state-metrics/blob/master/CHANGELOG.md#v200-alpha--2020-09-16 - - source_labels: ["__name__", "unit"] - regex: "kube_pod_container_resource_requests;core" - target_label: "__name__" - replacement: "kube_pod_container_resource_requests_cpu_cores" - # Keep metrics for CPU, discard duplicate metrics - - source_labels: ["__name__"] - regex: "kube_pod_container_resource_requests_cpu_cores" - action: keep - job_name: 'kubernetes-cadvisor' @@ -563,12 +395,6 @@ data: '{{ eq .Values.ip_version_support "v6_only" | ternary "[::1]" "127.0.0.1" }}:9000' ] - - job_name: 'node-agent' - metrics_path: "/metrics" - file_sd_configs: - - files: - - '/opt/yugabyte/prometheus/targets/node-agent.*.json' - - job_name: "node" file_sd_configs: - files: @@ -654,8 +480,6 @@ data: replacement: "$1" - job_name: "yugabyte" - tls_config: - insecure_skip_verify: true metrics_path: "/prometheus-metrics" file_sd_configs: - files: diff --git a/charts/yugabyte/yugaware/templates/global-config.yaml b/charts/yugabyte/yugaware/templates/global-config.yaml index 4d7f54f45..925e1bbb7 100644 --- a/charts/yugabyte/yugaware/templates/global-config.yaml +++ b/charts/yugabyte/yugaware/templates/global-config.yaml 
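Review bot: Dropping `tls_config: insecure_skip_verify: true` from the `yugabyte` job (last hunk) means Prometheus now verifies server certificates for those file_sd targets; if they are scraped over https with a cluster-local or self-signed CA, scraping fails with x509 errors instead of degrading. Verification is the safer default, but it then needs a `ca_file` under `tls_config` pointing at the CA that issued the universe certificates, or a comment explaining why no CA is needed. The scrape `scheme` for this job is not visible in the hunk, so this is moot if the targets are plain http.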
@@ -16,8 +16,8 @@ data: postgres_user: {{ .Values.postgres.external.user | b64enc | quote }} postgres_password: {{ .Values.postgres.external.pass | b64enc | quote }} {{- else }} - postgres_db: {{ .Values.postgres.dbname | b64enc | quote }} - postgres_user: {{ .Values.postgres.user | b64enc | quote }} + postgres_db: {{ "yugaware" | b64enc | quote }} + postgres_user: {{ "postgres" | b64enc | quote }} postgres_password: {{ include "getOrGeneratePasswordConfigMapToSecret" (dict "Namespace" .Release.Namespace "Name" (printf "%s%s" .Release.Name "-yugaware-global-config") "Key" "postgres_password") | quote }} {{- end }} app_secret: {{ randAlphaNum 64 | b64enc | b64enc | quote }} diff --git a/charts/yugabyte/yugaware/templates/rbac.yaml b/charts/yugabyte/yugaware/templates/rbac.yaml index d05dfaeec..907f9e1ce 100644 --- a/charts/yugabyte/yugaware/templates/rbac.yaml +++ b/charts/yugabyte/yugaware/templates/rbac.yaml @@ -1,4 +1,3 @@ -{{ if not .Values.yugaware.serviceAccount }} apiVersion: v1 kind: ServiceAccount metadata: @@ -11,7 +10,6 @@ metadata: annotations: {{ toYaml .Values.yugaware.serviceAccountAnnotations | indent 4 }} {{- end }} -{{ end }} {{- if .Values.rbac.create }} {{- if .Values.ocpCompatibility.enabled }} --- @@ -23,7 +21,7 @@ metadata: app: yugaware subjects: - kind: ServiceAccount - name: {{ .Values.yugaware.serviceAccount | default .Release.Name }} + name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole 
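Review bot: The subject `name: {{ .Release.Name }}` (rbac hunk `@@ -23,7 +21,7 @@`, also `@@ -96,7 +77,7 @@` in the same file and `serviceAccountName` in statefulset.yaml `@@ -25,11 +25,8 @@`) no longer reads `.Values.yugaware.serviceAccount`, yet values.yaml now sets `serviceAccount: yugaware` (hunk `@@ -37,50 +31,36 @@`). The value is dead: a user who sets it gets no error and the pod is still bound to the `.Release.Name` account, which is the kind of silent mismatch that later turns into an RBAC debugging session. Either remove the key from values.yaml or mark it: `# unused: the chart always creates and binds ServiceAccount {{ .Release.Name }}`. The ServiceAccount's own `metadata.name` lies outside the first rbac hunk, so I cannot confirm it equals `.Release.Name`.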
@@ -31,31 +29,15 @@ roleRef: apiGroup: rbac.authorization.k8s.io {{- else }} --- -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Release.Name }} + labels: + k8s-app: yugaware + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile rules: -- apiGroups: ["policy"] - resources: - - poddisruptionbudgets - verbs: ["get", "create", "delete", "patch"] -- apiGroups: [""] - resources: - - services - verbs: ["get", "delete", "create", "patch", "list", "watch"] -- apiGroups: ["apps"] - resources: - - statefulsets - verbs: ["get", "delete", "create", "patch", "scale"] -- apiGroups: [""] - resources: - - secrets - verbs: ["create", "list", "get", "delete", "update", "patch"] -- apiGroups: ["cert-manager.io"] - resources: - - certificates - verbs: ["create", "delete", "get", "patch"] - apiGroups: [""] resources: - nodes @@ -64,8 +46,7 @@ rules: - endpoints - pods - pods/exec - - configmaps # added configmaps resource - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # added all verbs for configmaps + verbs: ["get", "list", "watch", "create"] - apiGroups: - extensions resources: @@ -78,13 +59,13 @@ rules: - namespaces - secrets - pods/portforward - - events # added events resource - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # added all verbs for events + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["", "extensions"] resources: - deployments - services verbs: ["create", "get", "list", "watch", "update", "delete"] + --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -96,7 +77,7 @@ metadata: addonmanager.kubernetes.io/mode: Reconcile subjects: - kind: ServiceAccount - name: {{ .Values.yugaware.serviceAccount | default .Release.Name }} + name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole 
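Review bot: The ClusterRole gains `kubernetes.io/cluster-service: "true"` and `addonmanager.kubernetes.io/mode: Reconcile` (hunk `@@ -31,31 +29,15 @@`); on clusters that run kube-addon-manager, Reconcile mode allows it to overwrite or prune objects carrying that label, which for a Helm-managed ClusterRole can fight with `helm upgrade`. If the labels exist only to mirror the ClusterRoleBinding below, a comment would stop the next reader from guessing: `# labels mirror the ClusterRoleBinding; not expected to be managed by kube-addon-manager`. Cosmetic: `kind` now precedes `apiVersion`, unlike every other object in the file.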
diff --git a/charts/yugabyte/yugaware/templates/service.yaml b/charts/yugabyte/yugaware/templates/service.yaml index 8620cee08..49fd54051 100644 --- a/charts/yugabyte/yugaware/templates/service.yaml +++ b/charts/yugabyte/yugaware/templates/service.yaml @@ -24,24 +24,14 @@ spec: {{- end }} {{- end }} ports: -{{- if and (.Values.tls.enabled) (.Values.useNginxProxy) }} - - name: ui-tls - port: 443 - targetPort: 8443 -{{- else if .Values.tls.enabled }} +{{- if .Values.tls.enabled }} - name: ui-tls port: 443 targetPort: 9443 {{- end }} -{{- if .Values.useNginxProxy }} - - name: ui - port: 80 - targetPort: 8080 -{{- else }} - name: ui port: 80 targetPort: 9000 -{{- end }} - name: metrics port: 9090 selector: @@ -50,10 +40,6 @@ spec: {{- if and (eq .Values.yugaware.service.type "LoadBalancer") (.Values.yugaware.service.ip) }} loadBalancerIP: "{{ .Values.yugaware.service.ip }}" {{- end }} - {{- if .Values.yugaware.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{- toYaml .Values.yugaware.service.loadBalancerSourceRanges | nindent 4 }} - {{- end }} {{- end }} {{- if .Values.yugaware.serviceMonitor.enabled }} --- diff --git a/charts/yugabyte/yugaware/templates/statefulset.yaml b/charts/yugabyte/yugaware/templates/statefulset.yaml index 2b2deec66..c6a216c1d 100644 --- a/charts/yugabyte/yugaware/templates/statefulset.yaml +++ b/charts/yugabyte/yugaware/templates/statefulset.yaml @@ -25,11 +25,8 @@ spec: {{- end }} labels: app: {{ .Release.Name }}-yugaware -{{- if .Values.yugaware.pod.labels }} -{{ toYaml .Values.yugaware.pod.labels | indent 8 }} -{{- end }} spec: - serviceAccountName: {{ .Values.yugaware.serviceAccount | default .Release.Name }} + serviceAccountName: {{ .Release.Name }} imagePullSecrets: - name: {{ .Values.image.pullSecret }} {{- if .Values.securityContext.enabled }} 
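Review bot: Removing the `loadBalancerSourceRanges` block (second service.yaml hunk) takes away the only chart-level way to restrict who can reach the UI Service, whose default `type` is `LoadBalancer` in values.yaml. Users who carried CIDR allow-lists in their values now get a Service reachable from the load balancer's whole exposure range, and `helm upgrade` gives no warning because unknown values are ignored. If the knob is intentionally dropped, say so in the chart's notes and point at the alternative (a NetworkPolicy or cloud firewall); otherwise keep the four lines. The enclosing `{{- if ... }}` around the LoadBalancer settings starts outside the hunk.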
@@ -39,30 +36,6 @@ spec: fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }} {{- end }} {{- end }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8}} - {{- end }} - {{- if .Values.tolerations }} - tolerations: - {{- with .Values.tolerations }}{{ toYaml . | nindent 8 }}{{ end }} - {{- end }} - {{- if .Values.zoneAffinity }} - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: failure-domain.beta.kubernetes.io/zone - operator: In - values: -{{ toYaml .Values.zoneAffinity | indent 18 }} - - matchExpressions: - - key: topology.kubernetes.io/zone - operator: In - values: -{{ toYaml .Values.zoneAffinity | indent 18 }} - {{- end }} volumes: - name: yugaware-storage persistentVolumeClaim: @@ -84,20 +57,6 @@ spec: - key: universe_boot_script path: universe-boot-script.sh {{- end }} - {{- if .Values.useNginxProxy }} - - name: nginx-config - configMap: - name: {{ .Release.Name }}-yugaware-nginx-config - items: - - key: default.conf - path: default.conf - - name: nginx-main-config - configMap: - name: {{ .Release.Name }}-yugaware-nginx-main-config - items: - - key: nginx.conf - path: nginx.conf - {{- end }} - name: prometheus-config configMap: name: {{ .Release.Name }}-yugaware-prometheus-config @@ -112,19 +71,7 @@ spec: - key: init-permissions.sh path: init-permissions.sh {{- end }} - {{- if and (.Values.tls.enabled) (.Values.useNginxProxy) }} - - name: {{ .Release.Name }}-yugaware-tls-cert - secret: - secretName: {{ .Release.Name }}-yugaware-tls-cert - {{- if .Values.tls.certManager.enabled }} - items: - - key: tls.crt - path: server.crt - - key: tls.key - path: server.key - {{- end }} - {{- end }} - {{- if and (not .Values.useNginxProxy) (.Values.tls.enabled) }} + {{- if .Values.tls.enabled }} - name: {{ .Release.Name }}-yugaware-tls-pem secret: secretName: {{ .Release.Name }}-yugaware-tls-pem 
@@ -137,36 +84,15 @@ spec: secret: secretName: {{ .Release.Name }}-yugaware-prometheus-remote-write-tls {{- end }} - {{- if not (and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io")) }} - name: pg-upgrade-11-to-14 configMap: name: {{ .Release.Name }}-yugaware-pg-upgrade items: - key: pg-upgrade-11-to-14.sh path: pg-upgrade-11-to-14.sh - {{- end }} - - name: pg-init - configMap: - name: {{ .Release.Name }}-yugaware-pg-prerun - items: - - key: pg-prerun.sh - path: pg-prerun.sh - {{- if .Values.postgres.extraVolumes -}} - {{- include "yugaware.isExtraVolumesMappingExists" .Values.postgres -}} - {{- .Values.postgres.extraVolumes | toYaml | nindent 8 -}} - {{ end }} - {{- with .Values.dnsConfig }} - dnsConfig: {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.dnsPolicy }} - dnsPolicy: {{ . | quote }} - {{- end }} initContainers: - image: {{ include "full_yugaware_image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if .Values.initContainers.prometheusConfiguration.resources }} - resources: {{- toYaml .Values.initContainers.prometheusConfiguration.resources | nindent 12 }} - {{ end -}} name: prometheus-configuration {{- if .Values.securityContext.enabled }} command: @@ -194,13 +120,9 @@ spec: - name: init-container-script mountPath: /init-container {{- end }} - {{- if not (and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io")) }} - image: {{ include "full_image" (dict "containerName" "postgres-upgrade" "root" .) }} imagePullPolicy: {{ .Values.image.pullPolicy }} name: postgres-upgrade - {{- if .Values.initContainers.postgresUpgrade.resources }} - resources: {{- toYaml .Values.initContainers.postgresUpgrade.resources | nindent 12 }} - {{ end -}} command: - 'bash' - '-c' 
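Review bot: The `pg-upgrade-11-to-14` volume (first hunk) and the `postgres-upgrade` init container (second hunk) now render unconditionally because the `ocpCompatibility`/`registry.redhat.io` guard is gone, while `ocpCompatibility` itself still exists in values.yaml (`@@ -235,59 +150,15 @@`). A deployment using the Red Hat Postgres image would therefore run the `docker-upgrade pg_upgrade` script against it, which presumably expects the upstream image's data layout. If OCP support is no longer intended, drop or document `ocpCompatibility` as well; if it is, the guard has to stay. The init container's `command` body continues outside the second hunk.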
@@ -230,46 +152,12 @@ spec: - name: yugaware-storage mountPath: /pg_upgrade_logs subPath: postgres_data_14 - {{- end }} - {{- if .Values.securityContext.enabled }} - - image: {{ include "full_image" (dict "containerName" "postgres" "root" .) }} - name: postgres-init - {{- if .Values.initContainers.postgresInit.resources }} - resources: {{- toYaml .Values.initContainers.postgresInit.resources | nindent 12 }} - {{ end -}} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: ["/bin/bash", "/pg_prerun/pg-prerun.sh"] - env: - - name: PGDATA - value: /var/lib/postgresql/data/pgdata - - name: PG_UID - value: {{ .Values.securityContext.runAsUser | quote }} - - name: PG_GID - value: {{ .Values.securityContext.runAsGroup | quote }} - volumeMounts: - - name: yugaware-storage - mountPath: /var/lib/postgresql/data - subPath: postgres_data_14 - - name: pg-init - mountPath: /pg_prerun - {{- end }} containers: {{ if not .Values.postgres.external.host }} - name: postgres image: {{ include "full_image" (dict "containerName" "postgres" "root" .) }} imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - {{- if and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io") }} - - "run-postgresql" - {{- end }} - - "-c" - - "huge_pages=off" - {{- if .Values.securityContext.enabled }} - securityContext: - runAsUser: {{ required "runAsUser cannot be empty" .Values.securityContext.runAsUser }} - runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }} - runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }} - {{- end }} + args: ["-c", "huge_pages=off"] env: - name: POSTGRES_USER valueFrom: 
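Review bot: The `postgres` container no longer gets a per-container `securityContext` when `.Values.securityContext.enabled` is true, and the `postgres-init` step that chowned `$PGDATA` to `$PG_UID:$PG_GID` is gone too, so the user the database runs as now depends solely on the image default, which the chart cannot assert. The pod-level `fsGroup` kept in the earlier hunk fixes group ownership of the volume but does not make the process non-root. A comment on the container would keep the next reader from assuming the pod-level settings cover it: `# runs as the image's default user; pod-level fsGroup only adjusts volume group ownership`. Note also that values.yaml now defaults `securityContext.enabled` to `false`, so the remaining `{{- if .Values.securityContext.enabled }}` blocks are off by default.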
@@ -286,37 +174,8 @@ spec: secretKeyRef: name: {{ .Release.Name }}-yugaware-global-config key: postgres_db - {{- if and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io") }} - # Hardcoded the POSTGRESQL_USER because it's mandatory env var in RH PG image - # It doesn't have access to create the DB, so YBA fails to create the perf_advisor DB. - # Need to use admin user of RH PG image (postgres) - # Changing the user name won't be possible moving forward for OpenShift certified chart - - name: POSTGRESQL_USER - value: pg-yba - # valueFrom: - # secretKeyRef: - # name: {{ .Release.Name }}-yugaware-global-config - # key: postgres_user - - name: POSTGRESQL_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-yugaware-global-config - key: postgres_password - - name: POSTGRESQL_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-yugaware-global-config - key: postgres_password - - name: POSTGRESQL_DATABASE - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-yugaware-global-config - key: postgres_db - {{- else }} - # The RH Postgres image doesn't allow this directory to be changed. - name: PGDATA value: /var/lib/postgresql/data/pgdata - {{- end }} ports: - containerPort: 5432 name: postgres @@ -328,17 +187,8 @@ spec: volumeMounts: - name: yugaware-storage - {{- if and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io") }} - mountPath: /var/lib/pgsql/data - subPath: postgres_data_13 - {{- else }} mountPath: /var/lib/postgresql/data subPath: postgres_data_14 - {{- end }} - {{- if .Values.postgres.extraVolumeMounts -}} - {{- include "yugaware.isExtraVolumesMappingExists" .Values.postgres -}} - {{- .Values.postgres.extraVolumeMounts | toYaml | nindent 12 -}} - {{- end -}} {{ end }} - name: prometheus image: {{ include "full_image" (dict "containerName" "prometheus" "root" .) }} 
@@ -364,9 +214,6 @@ spec: subPath: prometheus.yml - name: yugaware-storage mountPath: /prometheus/ - - mountPath: /opt/yugabyte/yugaware/data/keys/ - name: yugaware-storage - subPath: data/keys {{- if .Values.prometheus.scrapeNodes }} - name: yugaware-storage mountPath: /opt/yugabyte/prometheus/targets @@ -388,9 +235,6 @@ spec: - --web.enable-admin-api - --web.enable-lifecycle - --storage.tsdb.retention.time={{ .Values.prometheus.retentionTime }} - - --query.max-concurrency={{ .Values.prometheus.queryConcurrency }} - - --query.max-samples={{ .Values.prometheus.queryMaxSamples }} - - --query.timeout={{ .Values.prometheus.queryTimeout }} ports: - containerPort: 9090 - name: yugaware @@ -407,18 +251,12 @@ spec: resources: {{ toYaml .Values.yugaware.resources | indent 12 }} {{- end }} - args: ["bin/yugaware","-Dconfig.file=/data/application.docker.conf"] + + command: [ "/sbin/tini", "--"] + args: + - "bin/yugaware" + - "-Dconfig.file=/data/application.docker.conf" env: - # Conditionally set these env variables, if runAsUser is not 0(root) - # or 10001(yugabyte). - {{- if eq (include "checkNssWrapperExportRequired" .) "true" }} - - name: NSS_WRAPPER_GROUP - value: "/tmp/group.template" - - name: NSS_WRAPPER_PASSWD - value: "/tmp/passwd.template" - - name: LD_PRELOAD - value: "/usr/lib64/libnss_wrapper.so" - {{- end }} - name: POSTGRES_USER valueFrom: secretKeyRef: @@ -439,7 +277,6 @@ spec: secretKeyRef: name: {{ .Release.Name }}-yugaware-global-config key: app_secret - {{- with .Values.yugaware.extraEnv }}{{ toYaml . | nindent 12 }}{{ end }} ports: - containerPort: 9000 name: yugaware @@ -456,9 +293,6 @@ spec: - name: yugaware-storage mountPath: /opt/yugabyte/releases/ subPath: releases - - name: yugaware-storage - mountPath: /opt/yugabyte/ybc/releases/ - subPath: ybc_releases # old path for backward compatibility - name: yugaware-storage mountPath: /opt/releases/ 
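Review bot: The three `--query.*` limits are dropped from the Prometheus args (second hunk), so `max-concurrency`, `max-samples` and `timeout` fall back to Prometheus's built-in defaults while `--web.enable-admin-api` and `--web.enable-lifecycle` stay on; any client able to reach port 9090 can now run heavier queries against the container's memory than before. The matching values are removed in values.yaml `@@ -235,59 +150,15 @@`, so nothing dangles, but the intent should be recorded: `# query limits left at Prometheus defaults (no --query.* flags)`. Separately, `command: [ "/sbin/tini", "--"]` (third hunk) assumes `/sbin/tini` exists in the yugaware image at the tag now pinned in values.yaml, which the diff cannot confirm; the stray blank line before `command:` is cosmetic.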
@@ -472,36 +306,11 @@ spec: - name: yugaware-storage mountPath: /prometheus_configs subPath: prometheus.yml - {{- if and (not .Values.useNginxProxy) (.Values.tls.enabled) }} + {{- if .Values.tls.enabled }} - name: {{ .Release.Name }}-yugaware-tls-pem mountPath: /opt/certs/ readOnly: true {{- end }} - {{- if .Values.useNginxProxy }} - - name: nginx - image: {{ include "full_image" (dict "containerName" "nginx" "root" .) }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: ["nginx", "-g", "daemon off;"] - ports: - - containerPort: 8080 - - {{- if .Values.nginx.resources }} - resources: -{{ toYaml .Values.nginx.resources | indent 12 }} - {{- end }} - - volumeMounts: - - mountPath: /etc/nginx/conf.d/ - name: nginx-config - - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - name: nginx-main-config - {{- if .Values.tls.enabled }} - - name: {{ .Release.Name }}-yugaware-tls-cert - mountPath: /opt/certs/ - readOnly: true - {{- end }} - {{- end }} {{ if .Values.sidecars }} {{ toYaml .Values.sidecars | indent 8 }} {{ end }} diff --git a/charts/yugabyte/yugaware/templates/tests/test.yaml b/charts/yugabyte/yugaware/templates/tests/test.yaml deleted file mode 100644 index 89d02035c..000000000 --- a/charts/yugabyte/yugaware/templates/tests/test.yaml +++ /dev/null 
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: {{ .Release.Name }}-yugaware-test
- labels:
- app: {{ .Release.Name }}-yugaware-test
- chart: {{ template "yugaware.chart" . }}
- release: {{ .Release.Name }}
- annotations:
- "helm.sh/hook": test
-spec:
- imagePullSecrets:
- - name: {{ .Values.image.pullSecret }}
- containers:
- - name: yugaware-test
- image: {{ include "full_yugaware_image" . }}
- command:
- - '/bin/bash'
- - '-ec'
- - >
- sleep 60s;
- {{- if .Values.tls.enabled }}
- - >
- curl --head -k https://{{ .Release.Name }}-yugaware-ui
- {{- else }}
- - >
- curl --head http://{{ .Release.Name }}-yugaware-ui
- {{- end }}
- # Hard coded resources to the test pod.
- resources:
- limits:
- cpu: "1"
- memory: "512Mi"
- requests:
- cpu: "0.5"
- memory: "256Mi"
- restartPolicy: Never
diff --git a/charts/yugabyte/yugaware/tests/test_resources.yaml b/charts/yugabyte/yugaware/tests/test_resources.yaml
deleted file mode 100644
index cc793a585..000000000
--- a/charts/yugabyte/yugaware/tests/test_resources.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-suite: Resources verification
-templates:
-- statefulset.yaml
-- configs.yaml
-tests:
-- it: YBA container
- template: statefulset.yaml
- asserts:
- - isNotEmpty:
- path: spec.template.spec.containers[?(@.name == "yugaware")].resources.requests
-
-- it: Postgres container
- template: statefulset.yaml
- asserts:
- - isNotEmpty:
- path: spec.template.spec.containers[?(@.name == "postgres")].resources.requests
-
-- it: Prometheus container
- template: statefulset.yaml
- asserts:
- - isNotEmpty:
- path: spec.template.spec.containers[?(@.name == "prometheus")].resources.requests
-
-- it: Postgres-init initContainer
- template: statefulset.yaml
- asserts:
- - isNotEmpty:
- path: spec.template.spec.initContainers[?(@.name == "postgres-init")].resources.requests
-
-- it: Prometheus-configuration initContainer
- template: statefulset.yaml
- asserts:
- - isNotEmpty:
- path: spec.template.spec.initContainers[?(@.name == "prometheus-configuration")].resources.requests
-
-- it: Postgres-upgrade initContainer
- template: statefulset.yaml
- asserts:
- - isNotEmpty:
- path: spec.template.spec.initContainers[?(@.name == "postgres-upgrade")].resources.requests
diff --git a/charts/yugabyte/yugaware/values.yaml b/charts/yugabyte/yugaware/values.yaml
index 7141c8a86..0889621e9 100644
--- a/charts/yugabyte/yugaware/values.yaml
+++ b/charts/yugabyte/yugaware/values.yaml
@@ -2,26 +2,20 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -fullnameOverride: "" -nameOverride: "" - -# Cloud team will retain nginx for sometime -# until they start creating a separate pool -useNginxProxy: false - image: commonRegistry: "" # Setting commonRegistry to say, quay.io overrides the registry settings for all images # including the yugaware image repository: quay.io/yugabyte/yugaware - tag: 2.18.5.1-b1 + tag: 2.14.15.0-b57 pullPolicy: IfNotPresent pullSecret: yugabyte-k8s-pull-secret ## Docker config JSON File name ## If set, this file content will be used to automatically create secret named as above - pullSecretFile: "" - + # pullSecretFile: + + postgres: registry: "" tag: '14.9' @@ -37,50 +31,36 @@ image: tag: v2.47.1 name: prom/prometheus - nginx: - registry: "" - tag: 1.25.1 - name: nginxinc/nginx-unprivileged - yugaware: replicas: 1 storage: 100Gi storageClass: "" storageAnnotations: {} multiTenant: false - ## Name of existing ServiceAccount. When provided, the chart won't create a ServiceAccount. - ## It will attach the required RBAC roles to it. - ## Helpful in Yugabyte Platform GKE App. - serviceAccount: '' + serviceAccount: yugaware serviceMonitor: enabled: false annotations: {} serviceAccountAnnotations: {} service: annotations: {} - clusterIP: "" enabled: true ip: "" type: "LoadBalancer" - ## whitelist source CIDRs - #loadBalancerSourceRanges: - #- 0.0.0.0/0 - #- 192.168.100.0/24 pod: annotations: {} - labels: {} health: username: "" password: "" email: "" resources: requests: - cpu: "2" + cpu: 2 memory: 4Gi enableProxyMetricsAuth: true ## List of additional alowed CORS origins in case of complex rev-proxy additionAllowedCorsOrigins: [] - proxyEndpointTimeoutMs: 3 minute + proxyEndpointTimeoutMs: 1 minute ## Enables features specific for cloud deployments cloud: enabled: false 
@@ -91,10 +71,6 @@ yugaware: # Note that the default of 0 doesn't really make sense since a StatefulSet isn't allowed to schedule extra replicas. However it is maintained as the default while we do additional testing. This value will likely change in the future. maxUnavailable: 0 - universe_boot_script: "" - - extraEnv: [] - # In case client wants to enable the additional headers to the YBA's http response # Previously, it was possible via nginx, but given that we no longer have it, we can # expose the same as application config/runtime config. @@ -103,10 +79,6 @@ yugaware: ## Configure PostgreSQL part of the application postgres: - # DO NOT CHANGE if using OCP Certified helm chart - user: postgres - dbname: yugaware - service: ## Expose internal Postgres as a Service enabled: false @@ -119,12 +91,12 @@ postgres: resources: requests: - cpu: "0.5" + cpu: 0.5 memory: 1Gi # If external.host is set then we will connect to an external postgres database server instead of starting our own. external: - host: "" + host: null port: 5432 pass: "" dbname: postgres 
@@ -133,65 +105,22 @@ postgres: ## JDBC connection parameters including the leading `?`. jdbcParams: "" - - ## Extra volumes - ## extraVolumesMounts are mandatory for each extraVolumes. - ## Ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#volume-v1-core - ## Example: - # extraVolumes: - # - name: custom-nfs-vol - # persistentVolumeClaim: - # claimName: some-nfs-claim - extraVolumes: [] - - ## Extra volume mounts - ## Ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#volumemount-v1-core - ## Example: - # extraVolumeMounts: - # - name: custom-nfs-vol - # mountPath: /home/yugabyte/nfs-backup - extraVolumeMounts: [] - tls: enabled: false hostname: "localhost" - ## Expects base 64 encoded values for certificate and key. - certificate: "" - key: "" + certificate: "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" + key: "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Mwd2dna3BBZ0VBQW9JQ0FRRFV1VWpVRC9nNzFIY2sKSjd0Sy9VdGRURUltV0V5TWRnblZaQXhXRCtQL29QS1RoSTEvallBb0hiaTFFVDZJTmpReUxhUVNFaXBYRXRZNwpzZDFlNUhzcGZpVkY1cFJVTVF3cGRCdzgvODlmcDJpbDVWSTlsRlhrYml5b3NoWTlCMHhZZU9nY0NXNk9MSzF1ClVoRk5DQXBLMzdhT2NNQUxzYW9RTXNNWnJtMU5jTG9wQmtLYndONk1nMURmZUY3b3ZlMEtFQVhFamRtbHlhVVkKcW1qc2xTdEUrYkhZNnd1cENyVEswUlQ0Z1YyT0plcUdzckZPM2tjYmV6dDRKV0xoYTlVN05RVkg0aVoxNExSQgo3UmJHZHQ5VlBhdDFYNC85QmxURlVjU1ptazZ3anI5K3p4NzVhWFphZGkva3p6M1dMVjBQQi85N1R0dnViVUJNCm0zaVl0MTdEU2JCVEU5b1U2TUxUek9vN0hwcTJtRXBUbkd4VUdFWGxldlE0TExqYmZlM1UxTVRCVThBTHhiUUcKRWE5WklTazh5eEw3Zm1pS2ZFQ1NsUGY4eHVWbHpyNnJGRm9mUFN0b2tyOU52Zk5RbFNWVjFqV1dMTFZYWlhlcApjVHJtS1gwQWFDTWVIRURnK2trb0dqcTFoTk03T0E3NytkK3dxSFk3S0U3ZENVQ0FFUS9KZEdlbjhzVWptY0tICmUvZHYzSm1WS1FrejNvU0ZjRzZYRlZCekQrUER0eW9Nb2s4UEdwTUwrUmdybFlCUjJGMWVZa0VNelE4cXZIYzkKNDF2aVZ1M2NqVWQ2WThQU0Y4cHRkYk9OZHRUWSs1Mi9wODRaWXZnb2Rsbk9nbUJoelJuOFMxUFFrRVk0WGM1LwpXZnJ1RDIzaDVHbmVVUkg4NHpjQTV4WkNacWp6SlFJREFRQUJBb0lDQUFmY2lScDlOSmxSY3MyOVFpaTFUN0cwCi9jVFpBb3MyV1lxdlZkMWdYUGEzaGY5NXFKa01LNj
VQMnVHbUwzOXRNV1NoVnl6cnl2REkyMjM5VnNjSS9wdzcKOHppd0dzODV1TTlYWVN2SDhHd0NqZFdEc2hSZ2hRUWFKa0JkeElDZzRtdHFuSGxjeDk4dE80T1dPTmwxOEp0dgp4UmxpaFZacFRIV295cGtLWHpPN2RNWExXMjdTSStkaGV2Mm5QeXF1eWpIVEFjT1AwbmxVQ0d2dThFMjkvWWxoCkNQZVJTQzhKSEVGYWxNSFNWaGpJd2ZBVWJvVVJwZU1ZSE15RjVTK2JncGZiajhSbVVUR09DbHRkWGJnYjhJai8KN0hROEFlQkIrYVFKTDVEVnFRN1JWN1ppQlMwR2ZyODlHdXdEMUs4em9mcktPdURkdXpjR2hwZk9MeGpGdmhTOApSQ2Y1Z3BFMzg0aWlHc2tWZC9mZDJLK3NhSmk0L09HbHo0aHhhc1hDcTN1TXB5OTZPNFRrMXZzM3BXdWZNVmJXCnR2d1Mrcjhvbk9uOXZqa3lqOU11eUpId1BpSlNGMUt0ZzhPUU5WMlVST0xXcHlYMWk4Z2xoMXdSelRTQ2diQnMKZ3ZxWkFvaU1pWFh3SlVXN3Zpb0RLZjI0TnZvcjViaVNzeUh0MHVKUVZJaW1iK1prTFJwTWdwRlkyTlcrTnd6LwoxOW9DS2ZUVVpWNkJia09IK0NoOUowLy9hTTRGNnUvMTI4V0UxalJQU05mdWQ0b0dpdGVPNXRsRDNWSXRsb1hlCjNyWVMrcTNuYXU1RStWc2FRZGFVNzhrSnpXYmUrWURmQ1JwWGd6TkloSkMyQ1k5d0RSK3hIaVFwbzdLSHV6dngKUkpuRjhIcGwzdWhIdWxEam44dEpBb0lCQVFEeGxhVVIwN1l6TGF2OVZtamZCenpZMjcwOU9tWnhpa3NtRnlhWApKTkJMQVB3SGdXOEVCUHdKOEprSDhXR1NTekp1OXZGd1JDVEVqZ1J5dWUvS05DWnNmUWF2UDg3dzhablJHaEhjCklHUUV1MFN3bmJzZXFJK1VWa0M5amZjaFE4dlowM0dQTGZ6bWpsSW9PNkNLTVM3TlV2Ynk5MksvOHRVVWRtWWgKMmJJa2N4V0J1RDJoenh3K1ZId3ArWktMQ0FPZi9sOG8vQ20xQ1dZSFNGdVYzTkl3T016Z2FKaExJODJNR08zQwpuODZTMXcweGc2MHB5dUV6L0hXZS9JMFZkRGNsWlgyNC9jalVBb01kQlkvSGY4Tkh2ZUNhZExQeXI3eGpRY2NLClAzN0RhdFRyK2RTZ2RoVkxzUDRRRzVVZEZxNUlMSHoxTXBkb2xXZ2pDSlZqcTZMekFvSUJBUURoYXNYdVRzMDIKNEkvYkRlSGRZSmw2Q1NzVUh2NmJXL3dpYlRhd2dpbDh5RUNWS2x6eFY4eENwWnoxWVhRQlY1YnVvQlArbjZCWApnVHgzTTJHc2R5UU1xdGRCWG9qdGp1czB6ekFNQVQzOWNmdWlHMGR0YXF3eWJMVlEwYThDZnFmMDVyUmZ0ekVmCmtTUDk2d01kVUEyTGdCbnU4akwzOU41UkxtK2RpZUdxeDAwYmJTa3l5UE9HNHIvcDl6KzN6TmVmeUhmbm94bTkKUnQza1RpeGhVNkd4UGhOSnZpWEUrWUpwT0dKVXMvK2dUWWpjUE1zRW9ONHIyR215cUs3S21NZExFa3Y1SHliWgprbmNsV2FMVFlhNEpjMjJUaWZJd01NTWMwaCtBMkJVckdjZFZ6MTA0UXluUFZQZDdXcEszenhqcjRPUHh1YnQ2CjZvTWk2REdRSVNlSEFvSUJBUURTK1YyVHFQRDMxczNaU3VvQXc2Qld2ZWVRbmZ5eThSUFpxdVFQb0oycXNxeG0KblpsbXlEZVhNcDloK1dHOVVhQTBtY0dWeWx6VnJqU2lRRkR4cEFOZVFQMWlkSFh6b3ZveVN2TUg2dDJONkVELwpnRy9XUVZ4S0xkMFI3UFhCL2lQN0VaV2RkWXJqaWF5ajZCYT
JPR2RuOWlrbFcvZklLM2Y4QzczN2w5TGoxQUVYCkxOL2QvREh0R1BqcDYwTVgyYUxZeVZzdlBxL3BvdENRVVpkeDA4dFhRM05nRXRmVTN1cDFpNXV2bU1IZEtLTWoKOTV0MDRQRTA1aWVOOVgzOEcyYkJhTldYaFVJcUxCdDJiOUgxWmxVU3hQWnR6TGNObkgwSHJYejJMU2MxMzRrYwpueXdhQ2FWbFdhYzJSL0E3Mi8vTmxkUjJpWDBDWDEvM0lGcmVGUmtUQW9JQkFBbGt0S2pRbWRhZWx3QU8zUW1uCm05MnRBaUdOaFJpZVJheDlscGpXWTdveWNoYUZOR2hPTzFIUHF2SEN4TjNGYzZHd0JBVkpTNW81NVhZbUt2elAKM2kyMDlORmhpaDAwSm5NRjZ6K2swWnQ5STNwRzNyd2RoTjE1RURrMDg3RUw3QjNWZTFDOXhvdEZOaFcvdEZxRgpXbnNrdEcvem9kSVpYeVpNNUJQUmloamV3MFRRVUxZd0Q0M2daeFR0MjdiaUQxNDJNV0R5dUFEZU1pTHdhd01IClJDYXBxbzRaSVdQSzdmZEtoVFo0WmIrZFc0V3A5dC9UZ0U2ZGJ4SWwyMXJQOFFZYzFoT2tpNjduWHBXczNZOG4KYytRcTdqY0d1WlB1aEVMd01xWGcyMGozZ3duOVlTb1dDbWo4Wm0rNmY0Q3ZYWjkrdUtEN0YyZncyOVFaanU4dApvb01DZ2dFQkFPbVVHZ1VoT0tUVys1eEpkZlFKRUVXUncyVFF6Z2l6dSt3aVkzaDYrYXNTejRNY0srVGx6bWxVCmFHT013dFhTUzc0RXIxVmlCVXMrZnJKekFPR21IV0ExZWdtaGVlY1BvaE9ybTh5WkVueVJOSkRhWC9UUXBSUnEKaVdoWENBbjJTWFQxcFlsYVBzMjdkbXpFWnQ3UlVUSkJZZ1hHZXQ4dXFjUXZaVDJZK3N6cHFNV3UzaEpWdmIxdgpZNGRJWE12RG1aV1BPVjFwbHJEaTVoc214VW05TDVtWk1IblllNzFOYkhsaEIxK0VUNXZmWFZjOERzU1RRZWRRCitDRHJKNGQ0em85dFNCa2pwYTM5M2RDRjhCSURESUQyWkVJNCtBVW52NWhTNm82NitOLzBONlp3cXkwc2pKY0cKQ21LeS9tNUpqVzFJWDMxSmZ1UU5Ldm9YNkRFN0Zkaz0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=" sslProtocols: "" # if set, override default Nginx SSL protocols setting - ## cert-manager values - ## If cert-manager is enabled: - ## If genSelfsigned: true: - ## Create a self-signed issuer/clusterIssuer - ## Generate a rootCA using the above issuer. 
- ## Generate a tls certificate with secret name as: {{ .Release.Name }}-yugaware-tls-cert - ## Else if genSelfsigned: false: - ## Expect a clusterIssuer/issuer to be provided by user - ## Generate a tls cert based on above issuer with secret name as: {{ .Release.Name }}-yugaware-tls-cert - certManager: - enabled: false - genSelfsigned: true - useClusterIssuer: false - clusterIssuer: cluster-ca - issuer: yugaware-ca - ## Configuration for the TLS certificate requested from Issuer/ClusterIssuer - configuration: - duration: 8760h # 90d - renewBefore: 240h # 15d - algorithm: RSA # ECDSA or RSA - # Can be 2048, 4096 or 8192 for RSA - # Or 256, 384 or 521 for ECDSA - keySize: 2048 ## yugaware pod Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: - enabled: true + enabled: false ## fsGroup related values are set at the pod level. fsGroup: 10001 fsGroupChangePolicy: "OnRootMismatch" - ## Expected to have runAsUser values != 0 when - ## runAsNonRoot is set to true, otherwise container creation fails. + ## The following values are set for yugaware and prometheus containers. + ## Setting runAsUser other than 10001 will fail the VM universe deployment flow. runAsUser: 10001 runAsGroup: 10001 runAsNonRoot: true @@ -206,20 +135,6 @@ helm2Legacy: false ip_version_support: "v4_only" # v4_only, v6_only are the only supported values at the moment -nginx: - workerConnections: 1024 - db_node_proxy_enabled: false - - # max size of file upload allowed by YB platform - upload_size: 10G - - resources: - requests: - cpu: "0.25" - memory: 300Mi - - proxyReadTimeoutSec: 600 - rbac: ## Set this to false if you don't have enough permissions to create ## ClusterRole and Binding, for example an OpenShift cluster. When 
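Review bot: The new default `tls.key` is an actual PEM private key committed into values.yaml (its base64 prefix `LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0t` decodes to `-----BEGIN PRIVATE KEY-----`), paired with a certificate, replacing the previous empty defaults. Any install with `tls.enabled: true` that does not override both values serves the UI with a key that is public in this repository, so the TLS provides no server authentication; the key should be treated as compromised and rotated regardless of what happens to this diff. Restore `certificate: ""` / `key: ""` and make the template fail closed, e.g. `{{ required "tls.key must be set when tls.enabled is true" .Values.tls.key }}` where the secret is rendered (outside this hunk). The same hunk also flips `securityContext.enabled` from `true` to `false`, making root the default for the yugaware and prometheus containers; if that is intentional, the rewritten comment should state why rather than only describing the `runAsUser` constraint.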
@@ -235,59 +150,15 @@ ocpCompatibility: # Extra containers to add to the pod. sidecars: [] -## Following two controls for placement of pod - nodeSelector and AZ affinity. -## Note: Remember to also provide a yugaware.StorageClass that has a olumeBindingMode of -## WaitForFirstConsumer so that the PVC is created in the right topology visible to this pod. -## See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector -## eg. -## nodeSelector: -## topology.kubernetes.io/region: us-west1 -nodeSelector: {} - -## Affinity to a particular zone for the pod. -## See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity -## eg. -## nodeAffinity: -## requiredDuringSchedulingIgnoredDuringExecution: -## nodeSelectorTerms: -## - matchExpressions: -## - key: failure-domain.beta.kubernetes.io/zone -## operator: In -## values: -## - us-west1-a -## - us-west1-b -zoneAffinity: {} - -## The tolerations that the pod should have. -## See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ -tolerations: [] - -## @param dnsPolicy DNS Policy for pod -## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ -## E.g. -## dnsPolicy: ClusterFirst -dnsPolicy: "" -## @param dnsConfig DNS Configuration pod -## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ -## E.g. -## dnsConfig: -## options: -## - name: ndots -## value: "4" -dnsConfig: {} - ## Don't want prometheus to scrape nodes and evaluate alert rules in some cases (for example - cloud). prometheus: scrapeNodes: true evaluateAlertRules: true retentionTime: 15d - queryConcurrency: 20 - queryMaxSamples: 5000000 - queryTimeout: 30s resources: requests: - cpu: "2" + cpu: 2 memory: 4Gi ## Prometheus remote write config, as described here: 
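Review bot: Dropping `queryConcurrency`, `queryMaxSamples` and `queryTimeout` from the `prometheus:` section removes the only explicit bounds on query cost this chart set; without them Prometheus falls back to its built-in defaults (a 2m query timeout and 50M max samples), which are far looser than the `30s` / `5000000` removed here and make a heavy or runaway query more expensive for the pod. If the templates still interpolate these keys into `--query.*` container arguments the rendered flags will be empty, so confirm those arguments were removed or given literal values in the same change. The `cpu: "2"` to `cpu: 2` edit changes the YAML type from string to integer; Helm renders both as `2`, but if the template passes the value through `quote` or compares it as a string the quoted form should be kept.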
@@ -308,10 +179,8 @@ prometheus: # Arbitrary key=value config entries for application.docker.conf additionalAppConf: - stringConf: {} - nonStringConf: {} - -jdbcParams: "" + stringConf: + nonStringConf: ## Override the APIVersion used by policy group for ## PodDisruptionBudget resources. The chart selects the correct @@ -319,25 +188,3 @@ jdbcParams: "" ## to modify this unless you are using helm template command i.e. GKE ## app's deployer image against a Kubernetes cluster >= 1.21. # pdbPolicyVersionOverride: "v1beta1" -pdbPolicyVersionOverride: "" - -initContainers: - prometheusConfiguration: - resources: - ## https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-requests-and-limits-of-pod-and-container - ## Use the above link to learn more about Kubernetes resources configuration. - requests: - cpu: "0.25" - memory: 500Mi - - postgresUpgrade: - resources: - requests: - cpu: "0.5" - memory: 500Mi - - postgresInit: - resources: - requests: - cpu: "0.25" - memory: 500Mi diff --git a/index.yaml b/index.yaml index b1da8aec0..7ca9dc514 100644 --- a/index.yaml +++ b/index.yaml 
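Review bot: `stringConf:` and `nonStringConf:` now carry no value, which YAML parses as null rather than the empty map `{}` the old side declared; `range` over nil is a no-op in Helm, but `toYaml` on it emits `null`, and a null in values.yaml may be treated by Helm's value coalescing as a request to drop the key, so overrides from a parent chart or `--set additionalAppConf.stringConf.key=value` may not merge the way the old `{}` did. Keep the explicit empty maps: `stringConf: {}` and `nonStringConf: {}`. The comment above (`# Arbitrary key=value config entries for application.docker.conf`) would also help readers if it said which of the two keys has its values quoted in the rendered conf, since the names alone do not make that clear.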
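Review bot: The explanatory comment block for `pdbPolicyVersionOverride` stays on the new side while the key itself is removed, so the documented override no longer has a declared default and the retained example `# pdbPolicyVersionOverride: "v1beta1"` now describes an undeclared value; either keep `pdbPolicyVersionOverride: ""` or amend the comment to say the key is optional and absent by default. Removing `initContainers.prometheusConfiguration`, `postgresUpgrade` and `postgresInit` resource requests also leaves those init containers without CPU/memory requests, which will block scheduling in namespaces whose ResourceQuota or LimitRange requires requests to be set, and removes the link to the Kubernetes resource-management docs that explained the values. If the requests are now set elsewhere, a comment at the end of the file naming that location would keep the values file self-explanatory.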
@@ -80,6 +80,63 @@ entries: - assets/datawiza/access-broker-0.1.1.tgz version: 0.1.1 airflow: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Airflow + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: airflow + category: WorkFlow + images: | + - name: airflow-exporter + image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-11-r443 + - name: airflow-scheduler + image: docker.io/bitnami/airflow-scheduler:2.8.0-debian-11-r1 + - name: airflow-worker + image: docker.io/bitnami/airflow-worker:2.8.0-debian-11-r1 + - name: airflow + image: docker.io/bitnami/airflow:2.8.0-debian-11-r2 + - name: git + image: docker.io/bitnami/git:2.43.0-debian-11-r5 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r94 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 2.8.0 + created: "2024-01-23T16:21:04.705123648Z" + dependencies: + - condition: redis.enabled + name: redis + repository: file://./charts/redis + version: 18.x.x + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 13.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Airflow is a tool to express and execute workflows as directed + acyclic graphs (DAGs). It includes utilities to schedule tasks, monitor task + progress and handle task dependencies. + digest: 8c6fe232eaca6f266ff77f957e57e6b4f5d678743e0dc7b982d029d937bea21b + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/airflow-1.svg + keywords: + - apache + - airflow + - workflow + - dag + maintainers: + - name: VMware, Inc. 
+ url: https://github.com/bitnami/charts + name: airflow + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/airflow + urls: + - assets/bitnami/airflow-16.4.0.tgz + version: 16.4.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Airflow @@ -2452,6 +2509,38 @@ entries: - assets/bitnami/airflow-13.1.7.tgz version: 13.1.7 amd-gpu: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: AMD GPU Device Plugin + catalog.cattle.io/kube-version: '>= 1.18.0-0' + catalog.cattle.io/release-name: amd-gpu + apiVersion: v2 + appVersion: 1.25.2.6 + created: "2024-01-23T16:20:38.625702081Z" + dependencies: + - condition: nfd.enabled + name: node-feature-discovery + repository: file://./charts/node-feature-discovery + version: '>= 0.8.1-0' + description: A Helm chart for deploying Kubernetes AMD GPU device plugin + digest: 2ef65f064b6f6a49017efedfd91df27c9aac53115b857fca4530984e745c4c0d + home: https://github.com/RadeonOpenCompute/k8s-device-plugin + icon: https://raw.githubusercontent.com/RadeonOpenCompute/k8s-device-plugin/master/helm/logo.png + keywords: + - kubernetes + - cluster + - hardware + - gpu + kubeVersion: '>= 1.18.0-0' + maintainers: + - name: Kenny Ho + name: amd-gpu + sources: + - https://github.com/RadeonOpenCompute/k8s-device-plugin + type: application + urls: + - assets/amd/amd-gpu-0.11.0.tgz + version: 0.11.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: AMD GPU Device Plugin @@ -2520,7 +2609,7 @@ entries: - annotations: artifacthub.io/changes: | - kind: changed - description: DRY cleanup of ServiceAccounts + description: Updated documented default value for application.instanceLabelKey. artifacthub.io/signKey: | fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc 
@@ -2530,8 +2619,8 @@ entries: catalog.cattle.io/kube-version: '>=1.23.0-0' catalog.cattle.io/release-name: argo-cd apiVersion: v2 - appVersion: v2.9.3 - created: "2024-01-12T17:06:09.628982496Z" + appVersion: v2.9.5 + created: "2024-01-23T16:21:03.497014854Z" dependencies: - condition: redis-ha.enabled name: redis-ha @@ -2539,7 +2628,46 @@ entries: version: 4.23.0 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. - digest: 4aecfb800b9cf01db9ea10a630306baee00112406cec88b5c996a145749894ea + digest: 8095830a4888f1dca991082de6327a722eb2b7ca99ffa61c1a2faf57bd91a368 + home: https://github.com/argoproj/argo-helm + icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png + keywords: + - argoproj + - argocd + - gitops + kubeVersion: '>=1.23.0-0' + maintainers: + - name: argoproj + url: https://argoproj.github.io/ + name: argo-cd + sources: + - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd + - https://github.com/argoproj/argo-cd + urls: + - assets/argo/argo-cd-5.53.8.tgz + version: 5.53.8 + - annotations: + artifacthub.io/changes: | + - kind: changed + description: DRY cleanup of ServiceAccounts + artifacthub.io/signKey: | + fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 + url: https://argoproj.github.io/argo-helm/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Argo CD + catalog.cattle.io/kube-version: '>=1.23.0-0' + catalog.cattle.io/release-name: argo-cd + apiVersion: v2 + appVersion: v2.9.3 + created: "2024-01-23T16:20:39.448522584Z" + dependencies: + - condition: redis-ha.enabled + name: redis-ha + repository: file://./charts/redis-ha + version: 4.23.0 + description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery + tool for Kubernetes. + digest: d2c808e4d10e0ccc8082c09ded6d3dbd1abe1e11176fc6ab0adaff3621ab047c home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png keywords: 
@@ -11591,6 +11719,48 @@ entries: - assets/asserts/asserts-1.6.0.tgz version: 1.6.0 cassandra: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Cassandra + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: cassandra + category: Database + images: | + - name: cassandra-exporter + image: docker.io/bitnami/cassandra-exporter:2.3.8-debian-11-r433 + - name: cassandra + image: docker.io/bitnami/cassandra:4.1.3-debian-11-r81 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r94 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 4.1.3 + created: "2024-01-23T16:21:04.781279609Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Cassandra is an open source distributed database management + system designed to handle large amounts of data across many servers, providing + high availability with no single point of failure. + digest: 1dde01f807a4a19c8302a6503696c6f911b0b601fa0c178bd73653c143b46a8c + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/cassandra-4.svg + keywords: + - cassandra + - database + - nosql + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: cassandra + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/cassandra + urls: + - assets/bitnami/cassandra-10.8.0.tgz + version: 10.8.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Cassandra 
@@ -14568,6 +14738,27 @@ entries: - assets/cloudcasa/cloudcasa-0.1.000.tgz version: 0.1.000 cockroachdb: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: CockroachDB + catalog.cattle.io/kube-version: '>=1.8-0' + catalog.cattle.io/release-name: cockroachdb + apiVersion: v1 + appVersion: 23.1.14 + created: "2024-01-23T16:21:07.380407438Z" + description: CockroachDB is a scalable, survivable, strongly-consistent SQL database. + digest: fc206853e03f109591e05538174dd5fb6f2535a6fb2ed12a9e9bdae6eb43edcc + home: https://www.cockroachlabs.com + icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png + maintainers: + - email: helm-charts@cockroachlabs.com + name: cockroachlabs + name: cockroachdb + sources: + - https://github.com/cockroachdb/cockroach + urls: + - assets/cockroach-labs/cockroachdb-11.2.4.tgz + version: 11.2.4 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: CockroachDB 
@@ -18617,6 +18808,40 @@ entries: - assets/dell/csi-vxflexos-2.1.0.tgz version: 2.1.0 csi-wekafsplugin: + - annotations: + artifacthub.io/category: storage + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: BA9F2D31BE9193E01FA17450BCE0A5CF67AC0C59 + url: https://weka.github.io/csi-wekafs/csi-public.gpg + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: WekaFS CSI Driver + catalog.cattle.io/release-name: csi-wekafsplugin + apiVersion: v2 + appVersion: v2.3.4 + created: "2024-01-23T16:21:30.53288068Z" + description: Helm chart for Deployment of WekaIO Container Storage Interface (CSI) + plugin for WekaFS - the world fastest filesystem + digest: 1ec96b734eaa3bc86e8befdee6dbb0db6a050b21435dca20eb50724e0541650a + home: https://github.com/weka/csi-wekafs + icon: https://weka.github.io/csi-wekafs/logo.png + keywords: + - storage + - filesystem + - HPC + maintainers: + - email: csi@weka.io + name: WekaIO, Inc. + url: https://weka.io + name: csi-wekafsplugin + sources: + - https://github.com/weka/csi-wekafs/tree/v2.3.4 + type: application + urls: + - assets/weka/csi-wekafsplugin-2.3.4.tgz + version: 2.3.4 - annotations: artifacthub.io/category: storage artifacthub.io/containsSecurityUpdates: "true" 
@@ -19027,6 +19252,43 @@ entries: - assets/weka/csi-wekafsplugin-0.6.400.tgz version: 0.6.400 datadog: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Datadog + catalog.cattle.io/kube-version: '>=1.10-0' + catalog.cattle.io/release-name: datadog + apiVersion: v1 + appVersion: "7" + created: "2024-01-23T16:21:08.086401451Z" + dependencies: + - condition: clusterAgent.metricsProvider.useDatadogMetrics + name: datadog-crds + repository: https://helm.datadoghq.com + tags: + - install-crds + version: 1.0.1 + - condition: datadog.kubeStateMetricsEnabled + name: kube-state-metrics + repository: https://prometheus-community.github.io/helm-charts + version: 2.13.2 + description: Datadog Agent + digest: 1772d546eea181bb63824b080e6036af85dfa829da0f36e8d3f6140a0f9d09cc + home: https://www.datadoghq.com + icon: https://datadog-live.imgix.net/img/dd_logo_70x75.png + keywords: + - monitoring + - alerting + - metric + maintainers: + - email: support@datadoghq.com + name: Datadog + name: datadog + sources: + - https://app.datadoghq.com/account/settings#agent/kubernetes + - https://github.com/DataDog/datadog-agent + urls: + - assets/datadog/datadog-3.52.0.tgz + version: 3.52.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Datadog 
@@ -23942,6 +24204,35 @@ entries: - assets/external-secrets/external-secrets-0.5.200.tgz version: 0.5.200 f5-bigip-ctlr: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: F5 Container Ingress Services for Kubernetes + and OpenShift + catalog.cattle.io/kube-version: '>=1.20-0' + catalog.cattle.io/release-name: f5-bigip-ctlr + apiVersion: v1 + created: "2024-01-23T16:21:08.327447124Z" + description: Deploy the F5 Networks BIG-IP Controller for Kubernetes and OpenShift + (k8s-bigip-ctlr). + digest: 9e53204ff4844ac940c1ce44eb440a70f84394bcf8ab09cbd47530c74a1b61ff + home: https://www.f5.com/products/automation-and-orchestration/container-ingress-services + icon: https://avatars.githubusercontent.com/u/8935905?s=200&v=4 + keywords: + - F5 + - BIG-IP + - Containers + - Kubernetes + - OpenShift + maintainers: + - email: f5_cis_operators@f5.com + name: F5CISSupport + name: f5-bigip-ctlr + sources: + - https://github.com/F5Networks/k8s-bigip-ctlr + - https://github.com/F5Networks/charts + urls: + - assets/f5/f5-bigip-ctlr-0.0.2801.tgz + version: 0.0.2801 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: F5 Container Ingress Services for Kubernetes 
@@ -25041,6 +25332,65 @@ entries: - assets/prophetstor/federatorai-4.5.100.tgz version: 4.5.100 fpga-operator: + - annotations: + artifacthub.io/images: | + - image: inaccel/coral:2.1 + name: coral + - image: inaccel/daemon:latest + name: daemon + - image: inaccel/driver:latest + name: driver + - image: inaccel/mkrt:latest + name: mkrt + - image: inaccel/monitor:2.1 + name: monitor + - image: inaccel/reef:latest + name: reef + - image: inaccel/vadd:latest + name: tests.vadd + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.inaccel.com + - name: Support + url: https://github.com/inaccel/helm/issues + artifacthub.io/signKey: | + fingerprint: 468AFD97D42F5E3CD2D58F0B49854F08ECA79B4E + url: https://keybase.io/inaccel/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: InAccel FPGA Operator + catalog.cattle.io/kube-version: '>= 1.18.0-0' + catalog.cattle.io/namespace: kube-system + catalog.cattle.io/release-name: fpga-operator + category: Infrastructure + apiVersion: v2 + appVersion: "2.1" + created: "2024-01-23T16:21:08.811138639Z" + dependencies: + - alias: fpga-discovery + condition: fpga-discovery.enabled + name: node-feature-discovery + repository: file://./charts/node-feature-discovery + version: 0.10.0 + description: Simplifying FPGA management in Kubernetes + digest: 1d9b12b31a2bd2d40a1eede795f63370b28c29828971ff400ac417f2b3d1bb42 + home: https://inaccel.com + icon: https://gravatar.com/avatar/86a385a9d4ca0ccdfb2ed637cf9f3308 + keywords: + - fpga + - infrastructure + kubeVersion: '>= 1.18.0-0' + maintainers: + - email: info@inaccel.com + name: InAccel + name: fpga-operator + sources: + - https://docs.inaccel.com + - https://github.com/inaccel/helm + type: application + urls: + - assets/inaccel/fpga-operator-2.8.2.tgz + version: 2.8.2 - annotations: artifacthub.io/images: | - image: inaccel/coral:2.1 
@@ -26924,6 +27274,34 @@ entries: - assets/gopaddle/gopaddle-4.2.5.tgz version: 4.2.5 haproxy: + - annotations: + artifacthub.io/changes: | + - Move automountServiceAccountToken flag from pods to ServiceAccount configuration (fixes for #217) + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy + apiVersion: v2 + appVersion: 1.10.10 + created: "2024-01-23T16:21:08.624079154Z" + description: A Helm chart for HAProxy Kubernetes Ingress Controller + digest: 6fa9108a5fee693c798d54189733f49c84870fc89cfe3123f71b50cd1951aedd + home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png + keywords: + - ingress + - haproxy + kubeVersion: '>=1.22.0-0' + maintainers: + - email: dkorunic@haproxy.com + name: Dinko Korunic + name: haproxy + sources: + - https://github.com/haproxytech/kubernetes-ingress + type: application + urls: + - assets/haproxy/haproxy-1.36.1.tgz + version: 1.36.1 - annotations: artifacthub.io/changes: | - Remove unneeded initContainers from CRD job (#215) 
@@ -28687,6 +29065,36 @@ entries: - assets/hpe/hpe-csi-info-metrics-1.0.1.tgz version: 1.0.1 instana-agent: + - annotations: + artifacthub.io/links: | + - name: Instana website + url: https://www.instana.com + - name: Instana Helm charts + url: https://github.com/instana/helm-charts + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Instana Agent + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: instana-agent + apiVersion: v2 + appVersion: 1.264.0 + created: "2024-01-23T16:21:08.856588585Z" + description: Instana Agent for Kubernetes + digest: d0f6a14e06c3ab0ef5b5d454431640ac2964818f1652a3362f3de53f60b23a34 + home: https://www.instana.com/ + icon: https://agents.instana.io/helm/stan-logo-2020.png + maintainers: + - email: felix.marx@ibm.com + name: FelixMarxIBM + - email: henning.treu@ibm.com + name: htreu + - email: torsten.kohn@ibm.com + name: tkohn + name: instana-agent + sources: + - https://github.com/instana/instana-agent-docker + urls: + - assets/instana/instana-agent-1.2.67.tgz + version: 1.2.67 - annotations: artifacthub.io/links: | - name: Instana website 
@@ -29628,6 +30036,28 @@ entries: - assets/intel/intel-device-plugins-sgx-0.26.0.tgz version: 0.26.0 jaeger-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Jaeger Operator + catalog.cattle.io/release-name: jaeger-operator + apiVersion: v1 + appVersion: 1.52.0 + created: "2024-01-23T16:21:08.902988311Z" + description: jaeger-operator Helm chart for Kubernetes + digest: d190b4a4da9afd3bd7923851d6ec46865ad36d6469382e0ed84e0500924f06fa + home: https://www.jaegertracing.io/ + icon: https://www.jaegertracing.io/img/jaeger-icon-reverse-color.svg + maintainers: + - email: ctadeu@gmail.com + name: cpanato + - email: batazor111@gmail.com + name: batazor + name: jaeger-operator + sources: + - https://github.com/jaegertracing/jaeger-operator + urls: + - assets/jaeger/jaeger-operator-2.50.1.tgz + version: 2.50.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Jaeger Operator 
@@ -29937,6 +30367,64 @@ entries: - assets/jaeger/jaeger-operator-2.36.0.tgz version: 2.36.0 jenkins: + - annotations: + artifacthub.io/category: integration-delivery + artifacthub.io/changes: | + - Add support for [generic ephemeral storage](https://github.com/jenkinsci/kubernetes-plugin/pull/1489) in `agent.volumes` and `agents.workspaceVolume`. + artifacthub.io/images: | + - name: jenkins + image: jenkins/jenkins:2.426.2-jdk17 + - name: k8s-sidecar + image: kiwigrid/k8s-sidecar:1.24.4 + - name: inbound-agent + image: jenkins/inbound-agent:3192.v713e3b_039fb_e-5 + - name: backup + image: maorfr/kube-tasks:0.2.0 + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/jenkinsci/helm-charts/tree/main/charts/jenkins + - name: Jenkins + url: https://www.jenkins.io/ + - name: support + url: https://github.com/jenkinsci/helm-charts/issues + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Jenkins + catalog.cattle.io/kube-version: '>=1.14-0' + catalog.cattle.io/release-name: jenkins + apiVersion: v2 + appVersion: 2.426.2 + created: "2024-01-23T16:21:08.909660966Z" + description: Jenkins - Build great things at any scale! The leading open source + automation server, Jenkins provides over 1800 plugins to support building, deploying + and automating any project. 
+ digest: b806b3a5e79570c6d8c0011e570532de1124b4f384e488d32b241779dfa48e71 + home: https://jenkins.io/ + icon: https://get.jenkins.io/art/jenkins-logo/logo.svg + keywords: + - jenkins + - ci + - devops + maintainers: + - email: maor.friedman@redhat.com + name: maorfr + - email: mail@torstenwalter.de + name: torstenwalter + - email: garridomota@gmail.com + name: mogaal + - email: wmcdona89@gmail.com + name: wmcdona89 + - email: timjacomb1@gmail.com + name: timja + name: jenkins + sources: + - https://github.com/jenkinsci/jenkins + - https://github.com/jenkinsci/docker-inbound-agent + - https://github.com/maorfr/kube-tasks + - https://github.com/jenkinsci/configuration-as-code-plugin + urls: + - assets/jenkins/jenkins-4.12.0.tgz + version: 4.12.0 - annotations: artifacthub.io/category: integration-delivery artifacthub.io/changes: | 
@@ -32210,6 +32698,34 @@ entries: - assets/jenkins/jenkins-4.2.9.tgz version: 4.2.9 k8s-triliovault-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator + catalog.cattle.io/kube-version: '>=1.19.0-0' + catalog.cattle.io/release-name: k8s-triliovault-operator + apiVersion: v2 + appVersion: 4.0.1 + created: "2024-01-23T16:21:30.518097128Z" + dependencies: + - condition: observability.enabled + name: observability + repository: file://./charts/observability + version: ^0.1.0 + description: K8s-TrilioVault-Operator is an operator designed to manage the K8s-TrilioVault + Application Lifecycle. + digest: d3a3ae67b70f869517160fe704d956579e4f7d5f1cf6f09ae701d2b8d246c522 + home: https://github.com/trilioData/k8s-triliovault-operator + icon: https://www.trilio.io/wp-content/uploads/2021/01/Trilio-2020-logo-RGB-gray-green.png + kubeVersion: '>=1.19.0-0' + maintainers: + - email: prafull.ladha@trilio.io + name: prafull11 + name: k8s-triliovault-operator + sources: + - https://github.com/trilioData/k8s-triliovault-operator + urls: + - assets/trilio/k8s-triliovault-operator-4.0.1.tgz + version: 4.0.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator 
@@ -33106,6 +33622,34 @@ entries: - assets/trilio/k8s-triliovault-operator-v2.0.200.tgz version: v2.0.200 k10: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: K10 + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: k10 + apiVersion: v2 + appVersion: 6.5.2 + created: "2024-01-23T16:21:10.264461132Z" + dependencies: + - condition: grafana.enabled + name: grafana + repository: file://./charts/grafana + version: 7.1.0 + - condition: prometheus.server.enabled + name: prometheus + repository: file://./charts/prometheus + version: 25.8.0 + description: Kasten’s K10 Data Management Platform + digest: 7cd483cc880c89c258141e257c2ad1fc230f39deef15b96f66c6988eff7de5d0 + home: https://kasten.io/ + icon: https://docs.kasten.io/_static/logo-kasten-k10-blue-white.png + maintainers: + - email: contact@kasten.io + name: kastenIO + name: k10 + urls: + - assets/kasten/k10-6.5.201.tgz + version: 6.5.201 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: K10 
@@ -34075,6 +34619,58 @@ entries: - assets/kasten/k10-4.5.900.tgz version: 4.5.900 kafka: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Kafka + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: kafka + category: Infrastructure + images: | + - name: jmx-exporter + image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r3 + - name: kafka-exporter + image: docker.io/bitnami/kafka-exporter:1.7.0-debian-11-r136 + - name: kafka + image: docker.io/bitnami/kafka:3.6.1-debian-11-r1 + - name: kubectl + image: docker.io/bitnami/kubectl:1.29.0-debian-11-r2 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r94 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 3.6.1 + created: "2024-01-23T16:21:05.274819175Z" + dependencies: + - condition: zookeeper.enabled + name: zookeeper + repository: file://./charts/zookeeper + version: 12.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Kafka is a distributed streaming platform designed to build + real-time pipelines and can be used as a message broker or as a replacement + for a log aggregation solution for big data applications. + digest: 48aeb72d161225d8a4aa2663893b9d4b87fcee570783d7e454b645d2cf2f226a + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/kafka.svg + keywords: + - kafka + - zookeeper + - streaming + - producer + - consumer + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: kafka + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/kafka + urls: + - assets/bitnami/kafka-26.8.0.tgz + version: 26.8.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Kafka 
@@ -37732,6 +38328,31 @@ entries: - assets/elastic/kibana-7.17.3.tgz version: 7.17.3 kong: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kong Gateway + catalog.cattle.io/release-name: kong + apiVersion: v2 + appVersion: "3.5" + created: "2024-01-23T16:21:10.523381242Z" + dependencies: + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 11.9.13 + description: The Cloud-Native Ingress and API-management + digest: a47156362fdab8257669d141d00d7ba0f7342438880f29530882b8bc23d2dce8 + home: https://konghq.com/ + icon: https://s3.amazonaws.com/downloads.kong/universe/assets/icon-kong-inc-large.png + maintainers: + - email: team-k8s@konghq.com + name: team-k8s-bot + name: kong + sources: + - https://github.com/Kong/charts/tree/main/charts/kong + urls: + - assets/kong/kong-2.34.0.tgz + version: 2.34.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Kong Gateway 
@@ -40240,15 +40861,46 @@ entries: catalog.cattle.io/kube-version: '>=1.21.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 - appVersion: stable-2.14.8 - created: "2024-01-12T17:07:17.106562491Z" + appVersion: stable-2.14.9 + created: "2024-01-23T16:21:28.466471322Z" dependencies: - name: partials repository: file://./charts/partials version: 0.1.0 description: 'Linkerd gives you observability, reliability, and security for your microservices — with no code change required. ' - digest: 23c8fe3057b9b607ec3b833dbad4a5db45a64ebe73332332217cf690a6799c7c + digest: cb8be24409e1dd8ae99714349b2e19c4579c1f92e09dc0cd954a9f9ffaf5a3a9 + home: https://linkerd.io + icon: https://linkerd.io/images/logo-only-200h.png + keywords: + - service-mesh + kubeVersion: '>=1.21.0-0' + maintainers: + - email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ + name: linkerd-control-plane + sources: + - https://github.com/linkerd/linkerd2/ + type: application + urls: + - assets/linkerd/linkerd-control-plane-1.16.10.tgz + version: 1.16.10 + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd Control Plane + catalog.cattle.io/kube-version: '>=1.21.0-0' + catalog.cattle.io/release-name: linkerd-control-plane + apiVersion: v2 + appVersion: stable-2.14.8 + created: "2024-01-23T16:21:10.990996149Z" + dependencies: + - name: partials + repository: file://./charts/partials + version: 0.1.0 + description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' + digest: 7826fa7dc76462c9808c41a4f2da0198e4fb571741ee7f94251b12b28b4e31e2 home: https://linkerd.io icon: https://linkerd.io/images/logo-only-200h.png keywords: 
@@ -41118,6 +41770,50 @@ entries: - assets/elastic/logstash-7.17.3.tgz version: 7.17.3 mariadb: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: MariaDB + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: mariadb + category: Database + images: | + - name: mariadb + image: docker.io/bitnami/mariadb:11.2.2-debian-11-r3 + - name: mysqld-exporter + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r2 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r94 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 11.2.2 + created: "2024-01-23T16:21:05.418223885Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: MariaDB is an open source, community-developed SQL database server + that is widely in use around the world due to its enterprise features, flexibility, + and collaboration with leading tech firms. + digest: 88fc44beb09d5b91abf2cd598777f30191480fc7d5f9574f3d0b33f03368140b + home: https://bitnami.com + icon: https://mariadb.com/wp-content/uploads/2019/11/mariadb-logo-vert_black-transparent.png + keywords: + - mariadb + - mysql + - database + - sql + - prometheus + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: mariadb + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/mariadb + urls: + - assets/bitnami/mariadb-15.2.0.tgz + version: 15.2.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: MariaDB 
@@ -43509,6 +44205,50 @@ entries: - assets/minio/minio-operator-4.4.1700.tgz version: 4.4.1700 mysql: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: MySQL + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: mysql + category: Database + images: | + - name: mysql + image: docker.io/bitnami/mysql:8.0.36-debian-11-r0 + - name: mysqld-exporter + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r2 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r94 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 8.0.36 + created: "2024-01-23T16:21:05.492201426Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: MySQL is a fast, reliable, scalable, and easy to use open source + relational database system. Designed to handle mission-critical, heavy-load + production applications. + digest: 9971e9f0f4fac7f863608690351872b5336f4c273d037292c3b10bc0bec24169 + home: https://bitnami.com + icon: https://www.mysql.com/common/logos/logo-mysql-170x115.png + keywords: + - mysql + - database + - sql + - cluster + - high availability + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: mysql + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/mysql + urls: + - assets/bitnami/mysql-9.18.0.tgz + version: 9.18.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: MySQL 
@@ -45017,6 +45757,31 @@ entries: - assets/bitnami/mysql-9.4.1.tgz version: 9.4.1 nats: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NATS Server + catalog.cattle.io/kube-version: '>=1.16-0' + catalog.cattle.io/release-name: nats + apiVersion: v2 + appVersion: 2.10.9 + created: "2024-01-23T16:21:28.567169315Z" + description: A Helm chart for the NATS.io High Speed Cloud Native Distributed + Communications Technology. + digest: 3fbb3ab9fe730ca538125af57cf91fd70e3ad13a0a240c8c65b534172ca3b976 + home: http://github.com/nats-io/k8s + icon: https://nats.io/img/nats-icon-color.png + keywords: + - nats + - messaging + - cncf + maintainers: + - email: info@nats.io + name: The NATS Authors + url: https://github.com/nats-io + name: nats + urls: + - assets/nats/nats-1.1.7.tgz + version: 1.1.7 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: NATS Server 
@@ -45821,6 +46586,32 @@ entries: - assets/nats/nats-0.10.0.tgz version: 0.10.0 nginx-ingress: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NGINX Ingress Controller + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: nginx-ingress + apiVersion: v2 + appVersion: 3.4.2 + created: "2024-01-23T16:21:08.36551787Z" + description: NGINX Ingress Controller + digest: 1446c1c47dbb2554d18d16e16de5629c797bc3d3d99b4da2fb3061b4bc9391f7 + home: https://github.com/nginxinc/kubernetes-ingress + icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/charts/nginx-ingress/chart-icon.png + keywords: + - ingress + - nginx + kubeVersion: '>= 1.22.0-0' + maintainers: + - email: kubernetes@nginx.com + name: nginxinc + name: nginx-ingress + sources: + - https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/charts/nginx-ingress + type: application + urls: + - assets/f5/nginx-ingress-1.1.2.tgz + version: 1.1.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: NGINX Ingress Controller 
@@ -46428,6 +47219,88 @@ entries: - assets/f5/nginx-service-mesh-0.2.100.tgz version: 0.2.100 nri-bundle: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: New Relic + catalog.cattle.io/release-name: nri-bundle + apiVersion: v2 + created: "2024-01-23T16:21:29.034600126Z" + dependencies: + - condition: infrastructure.enabled,newrelic-infrastructure.enabled + name: newrelic-infrastructure + repository: file://./charts/newrelic-infrastructure + version: 3.29.1 + - condition: prometheus.enabled,nri-prometheus.enabled + name: nri-prometheus + repository: file://./charts/nri-prometheus + version: 2.1.17 + - condition: newrelic-prometheus-agent.enabled + name: newrelic-prometheus-agent + repository: file://./charts/newrelic-prometheus-agent + version: 1.9.1 + - condition: webhook.enabled,nri-metadata-injection.enabled + name: nri-metadata-injection + repository: file://./charts/nri-metadata-injection + version: 4.16.1 + - condition: metrics-adapter.enabled,newrelic-k8s-metrics-adapter.enabled + name: newrelic-k8s-metrics-adapter + repository: file://./charts/newrelic-k8s-metrics-adapter + version: 1.8.2 + - condition: ksm.enabled,kube-state-metrics.enabled + name: kube-state-metrics + repository: file://./charts/kube-state-metrics + version: 5.12.1 + - condition: kubeEvents.enabled,nri-kube-events.enabled + name: nri-kube-events + repository: file://./charts/nri-kube-events + version: 3.7.3 + - condition: logging.enabled,newrelic-logging.enabled + name: newrelic-logging + repository: file://./charts/newrelic-logging + version: 1.19.0 + - condition: newrelic-pixie.enabled + name: newrelic-pixie + repository: file://./charts/newrelic-pixie + version: 2.1.2 + - alias: pixie-chart + condition: pixie-chart.enabled + name: pixie-operator-chart + repository: file://./charts/pixie-operator-chart + version: 0.1.4 + - condition: newrelic-infra-operator.enabled + name: newrelic-infra-operator + repository: 
file://./charts/newrelic-infra-operator + version: 2.8.2 + description: Groups together the individual charts for the New Relic Kubernetes + solution for a more comfortable deployment. + digest: 4127d3eadb150e1a2e3fc825a7706b2d1e1bcd6350ce59455c118bf3afad9740 + home: https://github.com/newrelic/helm-charts + icon: https://newrelic.com/themes/custom/erno/assets/mediakit/new_relic_logo_vertical.svg + keywords: + - infrastructure + - newrelic + - monitoring + maintainers: + - name: juanjjaramillo + url: https://github.com/juanjjaramillo + - name: csongnr + url: https://github.com/csongnr + name: nri-bundle + sources: + - https://github.com/newrelic/nri-bundle/ + - https://github.com/newrelic/nri-bundle/tree/master/charts/nri-bundle + - https://github.com/newrelic/nri-kubernetes/tree/master/charts/newrelic-infrastructure + - https://github.com/newrelic/nri-prometheus/tree/master/charts/nri-prometheus + - https://github.com/newrelic/newrelic-prometheus-configurator/tree/master/charts/newrelic-prometheus-agent + - https://github.com/newrelic/k8s-metadata-injection/tree/master/charts/nri-metadata-injection + - https://github.com/newrelic/newrelic-k8s-metrics-adapter/tree/master/charts/newrelic-k8s-metrics-adapter + - https://github.com/newrelic/nri-kube-events/tree/master/charts/nri-kube-events + - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-logging + - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-pixie + - https://github.com/newrelic/newrelic-infra-operator/tree/master/charts/newrelic-infra-operator + urls: + - assets/new-relic/nri-bundle-5.0.60.tgz + version: 5.0.60 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: New Relic 
@@ -51536,6 +52409,51 @@ entries: - assets/portworx/portworx-essentials-2.9.100.tgz version: 2.9.100 postgresql: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: PostgreSQL + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: postgresql + category: Database + images: | + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r95 + - name: postgres-exporter + image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r6 + - name: postgresql + image: docker.io/bitnami/postgresql:16.1.0-debian-11-r22 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 16.1.0 + created: "2024-01-23T16:21:05.809656226Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: PostgreSQL (Postgres) is an open source object-relational database + known for reliability and data integrity. ACID-compliant, it supports foreign + keys, joins, views, triggers and stored procedures. + digest: 8fa18a41d0592d0c670670d8c03a4c00c7b0d238c0686d139fc95de8aa563512 + home: https://bitnami.com + icon: https://wiki.postgresql.org/images/a/a4/PostgreSQL_logo.3colors.svg + keywords: + - postgresql + - postgres + - database + - sql + - replication + - cluster + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: postgresql + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/postgresql + urls: + - assets/bitnami/postgresql-13.4.1.tgz + version: 13.4.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: PostgreSQL 
@@ -55256,6 +56174,50 @@ entries: - assets/quobyte/quobyte-cluster-0.1.5.tgz version: 0.1.5 redis: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redis + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: redis + category: Database + images: | + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r94 + - name: redis-exporter + image: docker.io/bitnami/redis-exporter:1.56.0-debian-11-r1 + - name: redis-sentinel + image: docker.io/bitnami/redis-sentinel:7.2.4-debian-11-r3 + - name: redis + image: docker.io/bitnami/redis:7.2.4-debian-11-r2 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 7.2.4 + created: "2024-01-23T16:21:06.120618244Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Redis(R) is an open source, advanced key-value store. It is often + referred to as a data structure server since keys can contain strings, hashes, + lists, sets and sorted sets. + digest: 248cf9440e7c3ac80e980158555fe788cc2d5d533afe35995d2f7c40999ec6c3 + home: https://bitnami.com + icon: https://redis.com/wp-content/uploads/2021/08/redis-logo.png + keywords: + - redis + - keyvalue + - database + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: redis + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/redis + urls: + - assets/bitnami/redis-18.8.0.tgz + version: 18.8.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Redis 
@@ -57708,6 +58670,50 @@ entries: - assets/bitnami/redis-17.3.7.tgz version: 17.3.7 redpanda: + - annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v23.3.1 + - name: busybox + image: busybox:latest + - name: mintel/docker-alpine-bash-curl-jq + image: mintel/docker-alpine-bash-curl-jq:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.8.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda + apiVersion: v2 + appVersion: v23.3.1 + created: "2024-01-23T16:21:29.82215653Z" + dependencies: + - condition: console.enabled + name: console + repository: file://./charts/console + version: '>=0.5 <1.0' + - condition: connectors.enabled + name: connectors + repository: file://./charts/connectors + version: '>=0.1.2 <1.0' + description: Redpanda is the real-time engine for modern apps. + digest: 262f828be6f41f779353c994a8c4d011006dfcdf2828bf0d54b7ed63abbbca6f + icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg + kubeVersion: '>=1.21-0' + maintainers: + - name: redpanda-data + url: https://github.com/orgs/redpanda-data/people + name: redpanda + sources: + - https://github.com/redpanda-data/helm-charts + type: application + urls: + - assets/redpanda/redpanda-5.7.10.tgz + version: 5.7.10 - annotations: artifacthub.io/images: | - name: redpanda 
@@ -62049,6 +63055,43 @@ entries: - assets/shipa/shipa-1.4.0.tgz version: 1.4.0 spark: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Spark + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: spark + category: Infrastructure + images: | + - name: spark + image: docker.io/bitnami/spark:3.5.0-debian-11-r18 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 3.5.0 + created: "2024-01-23T16:21:06.224241631Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Spark is a high-performance engine for large-scale computing + tasks, such as data processing, machine learning and real-time data streaming. + It includes APIs for Java, Python, Scala and R. + digest: 39847cdedc45534773b19f475284c875e9e59766e00f4c7ac64e5d2bb0c37a4a + home: https://bitnami.com + icon: https://www.apache.org/logos/res/spark/default.png + keywords: + - apache + - spark + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: spark + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/spark + urls: + - assets/bitnami/spark-8.3.0.tgz + version: 8.3.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Spark 
@@ -63462,6 +64505,37 @@ entries: - assets/bitnami/spark-6.3.8.tgz version: 6.3.8 speedscale-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Speedscale Operator + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: speedscale-operator + apiVersion: v1 + appVersion: 2.0.41 + created: "2024-01-23T16:21:29.912086139Z" + description: Stress test your APIs with real world scenarios. Collect and replay + traffic without scripting. + digest: 6faa2c60638e8c1c449be3bdc3bdb7460b2549400f4c8ca57823b232c0a4ca29 + home: https://speedscale.com + icon: https://raw.githubusercontent.com/speedscale/assets/main/logo/gold_logo_only.png + keywords: + - speedscale + - test + - testing + - regression + - reliability + - load + - replay + - network + - traffic + kubeVersion: '>= 1.17.0-0' + maintainers: + - email: support@speedscale.com + name: Speedscale Support + name: speedscale-operator + urls: + - assets/speedscale/speedscale-operator-2.0.5.tgz + version: 2.0.5 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Speedscale Operator 
@@ -65692,6 +66766,34 @@ entries: - assets/speedscale/speedscale-operator-0.9.12600.tgz version: 0.9.12600 stackstate-k8s-agent: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: StackState Agent + catalog.cattle.io/kube-version: '>=1.19.0-0' + catalog.cattle.io/release-name: stackstate-k8s-agent + apiVersion: v2 + appVersion: 2.19.1 + created: "2024-01-23T16:21:29.929649373Z" + dependencies: + - alias: httpHeaderInjectorWebhook + name: http-header-injector + repository: file://./charts/http-header-injector + version: 0.0.8 + description: Helm chart for the StackState Agent. + digest: 51e34d81109fe7354a7486c6fe91c30d1a1810a43ea5e966f6dbb640bdb337b0 + home: https://github.com/StackVista/stackstate-agent + icon: https://raw.githubusercontent.com/StackVista/helm-charts/master/stable/stackstate-k8s-agent/logo.svg + keywords: + - monitoring + - observability + - stackstate + maintainers: + - email: ops@stackstate.com + name: Stackstate + name: stackstate-k8s-agent + urls: + - assets/stackstate/stackstate-k8s-agent-1.0.67.tgz + version: 1.0.67 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: StackState Agent 
@@ -67759,6 +68861,51 @@ entries: - assets/intel/tcs-issuer-0.1.0.tgz version: 0.1.0 tomcat: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Tomcat + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: tomcat + category: ApplicationServer + images: | + - name: jmx-exporter + image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r3 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r94 + - name: tomcat + image: docker.io/bitnami/tomcat:10.1.18-debian-11-r0 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 10.1.18 + created: "2024-01-23T16:21:06.255665446Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Tomcat is an open-source web server designed to host and run + Java-based web applications. It is a lightweight server with a good performance + for applications running in production environments. + digest: 503c238057f57c5ba77010d106f18dc2803d990e6da7af96091fd2a5449616fc + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/tomcat.svg + keywords: + - tomcat + - java + - http + - web + - application server + - jsp + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: tomcat + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/tomcat + urls: + - assets/bitnami/tomcat-10.13.0.tgz + version: 10.13.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Tomcat 
@@ -71330,6 +72477,60 @@ entries: - assets/hashicorp/vault-0.22.0.tgz version: 0.22.0 wordpress: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: WordPress + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: wordpress + category: CMS + images: | + - name: apache-exporter + image: docker.io/bitnami/apache-exporter:1.0.5-debian-11-r3 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r95 + - name: wordpress + image: docker.io/bitnami/wordpress:6.4.2-debian-11-r18 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 6.4.2 + created: "2024-01-23T16:21:07.11281268Z" + dependencies: + - condition: memcached.enabled + name: memcached + repository: file://./charts/memcached + version: 6.x.x + - condition: mariadb.enabled + name: mariadb + repository: file://./charts/mariadb + version: 15.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: WordPress is the world's most popular blogging and content management + platform. Powerful yet simple, everyone from students to global corporations + use it to build beautiful, functional websites. + digest: 1661959fa4811d2dc3e3951cfaad9492d632625c238cd96bbf06b2bc70e9f880 + home: https://bitnami.com + icon: https://s.w.org/style/images/about/WordPress-logotype-simplified.png + keywords: + - application + - blog + - cms + - http + - php + - web + - wordpress + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: wordpress + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/wordpress + urls: + - assets/bitnami/wordpress-19.2.1.tgz + version: 19.2.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: WordPress 
@@ -76629,6 +77830,30 @@ entries: urls: - assets/yugabyte/yugabyte-2.16.0.tgz version: 2.16.0 + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: YugabyteDB + catalog.cattle.io/kube-version: '>=1.18-0' + catalog.cattle.io/release-name: yugabyte + apiVersion: v1 + appVersion: 2.14.15.0-b57 + created: "2024-01-23T16:21:30.540485136Z" + description: YugabyteDB is the high-performance distributed SQL database for building + global, internet-scale apps. + digest: 7cf7b074ef531e404a62cbb4bf930b8f7968185611122f6a8fe3bf3f0a01f642 + home: https://www.yugabyte.com + icon: https://avatars0.githubusercontent.com/u/17074854?s=200&v=4 + maintainers: + - email: ram@yugabyte.com + name: Ram Sri + - email: arnav@yugabyte.com + name: Arnav Agarwal + name: yugabyte + sources: + - https://github.com/yugabyte/yugabyte-db + urls: + - assets/yugabyte/yugabyte-2.14.15.tgz + version: 2.14.15 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: YugabyteDB @@ -77299,6 +78524,27 @@ entries: urls: - assets/yugabyte/yugaware-2.16.0.tgz version: 2.16.0 + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: YugabyteDB Anywhere + catalog.cattle.io/kube-version: '>=1.18-0' + catalog.cattle.io/release-name: yugaware + apiVersion: v1 + appVersion: 2.14.15.0-b57 + created: "2024-01-23T16:21:30.586478786Z" + description: YugaWare is YugaByte Database's Orchestration and Management console. + digest: b79f2fdd8a13ffee71ed03d01895d617932372692dc04cb54b0ca16499f65ae8 + home: https://www.yugabyte.com + icon: https://avatars0.githubusercontent.com/u/17074854?s=200&v=4 + maintainers: + - email: ram@yugabyte.com + name: Ram Sri + - email: arnav@yugabyte.com + name: Arnav Agarwal + name: yugaware + urls: + - assets/yugabyte/yugaware-2.14.15.tgz + version: 2.14.15 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: YugabyteDB Anywhere 
@@ -77564,6 +78810,43 @@ entries: - assets/netfoundry/ziti-host-1.5.1.tgz version: 1.5.1 zookeeper: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Zookeeper + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: zookeeper + category: Infrastructure + images: | + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r94 + - name: zookeeper + image: docker.io/bitnami/zookeeper:3.9.1-debian-11-r5 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 3.9.1 + created: "2024-01-23T16:21:07.207593778Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache ZooKeeper provides a reliable, centralized register of configuration + data and services for distributed applications. + digest: b72067c31e8c97962a33199f1a0c76ade6b396dccf2e9afb36d714f7513fe78e + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/zookeeper.svg + keywords: + - zookeeper + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: zookeeper + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/zookeeper + urls: + - assets/bitnami/zookeeper-12.6.0.tgz + version: 12.6.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Zookeeper